VP66?0: enabling BIOS Lock is noop #778

Closed
pkubaj opened this issue Apr 9, 2024 · 18 comments

@pkubaj

pkubaj commented Apr 9, 2024

Component

Dasharo firmware

Device

Protectli VP6650, Protectli VP6670

Dasharo version

0.9.0rc2

Dasharo Tools Suite version

No response

Brief summary

enabling BIOS Lock on VP6?0 doesn't enforce the lock

How reproducible

No response

How to reproduce

flashrom -p internal

Expected behavior

PR0: Warning: 0x.{8}-0x.{8} is read-only.

Actual behavior

flashrom v1.2-1033-g24b8fcf-dirty on Linux 6.5.0-27-generic (x86_64)            
flashrom is free software, get the source code at https://flashrom.org          
                                                                                
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).               
Cannot open file stream for /dev/mtd0                                           
coreboot table found at 0x768d5000.                                             
Found chipset "Intel Alder Lake-P".                                             
Enabling flash write... Warning: Setting BIOS Control at 0xdc from 0x8b to 0x89.
New value is 0x8b.                                                              
SPI Configuration is locked down.                                               
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.           
FREG1: BIOS region (0x00580000-0x00ffffff) is read-write.                       
FREG2: Management Engine region (0x00001000-0x004c0fff) is read-write.          
OK.                                                                             
Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific).
No operations were specified.                                                   

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

@pkubaj pkubaj added the bug Something isn't working label Apr 9, 2024
@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

Probably a bug in the test. On the VP6670 in lab, there is no such issue:

flashrom -p internal -w /tmp/protectli_vp66xx_v0.9.0-rc1.rom --fmap -i COREBOOT
flashrom v1.2-1037-g5b4a5b4 on Linux 5.15.36-yocto-standard (x86_64)
flashrom is free software, get the source code at https://flashrom.org 
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). 
coreboot table found at 0x768d5000.
Found chipset "Intel Alder Lake-P". 
Enabling flash write... Warning: Setting BIOS Control at 0xdc from 0x8b to 0x89 failed.
New value is 0x8b.
SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00580000-0x00ffffff) is read-write.
FREG2: Management Engine region (0x00001000-0x004c0fff) is read-write.
PR0: Warning: 0x00b00000-0x00ffffff is read-only.
At least some flash regions are write protected. For write operations,
you should use a flash layout and include only writable regions. See 
manpage for more details.
OK.
Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific) on internal.
Using region: "COREBOOT". 
Reading old flash chip contents... done.
Erasing and writing flash chip... Transaction error between offset 0x00b08000 and 0x00b07fff (= 0x00b08000 + -1)! 
Reading current flash chip contents... done. Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
No usable erase functions left.
FAILED!
Uh oh. Erase/write failed. Checking if anything has changed.
Reading current flash chip contents... done.
Good, writing to the flash chip apparently didn't do anything.
This means we have to add special support for your board, programmer or flash 
chip. Please report this to the mailing list at [email protected] or on 
IRC (see https://www.flashrom.org/Contact for details), thanks!
------------------------------------------------------------------------------- 
You may now reboot or simply leave the machine running.

@pkubaj
Author

pkubaj commented Apr 9, 2024

OK, so we shouldn't test by running flashrom -p internal, but actually attempt to flash some binary?

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

flashrom -p internal will print the protected ranges too. I just showed an attempt where PR0 actually blocks the access.

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

I just did a cycle of disabling BIOS lock and then reenabling BIOS lock:

bash-5.1# flashrom -p internal
flashrom v1.2-1037-g5b4a5b4 on Linux 5.15.36-yocto-standard (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
coreboot table found at 0x768d5000.
Found chipset "Intel Alder Lake-P".
Enabling flash write... Warning: Setting BIOS Control at 0xdc from 0x8b to 0x89 failed.
New value is 0x8b.
SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00580000-0x00ffffff) is read-write.
FREG2: Management Engine region (0x00001000-0x004c0fff) is read-write.
PR0: Warning: 0x00b00000-0x00ffffff is read-only.
At least some flash regions are write protected. For write operations,
you should use a flash layout and include only writable regions. See
manpage for more details.
OK.
Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific) on internal.
No operations were specified.
bash-5.1# 
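
An added example, not part of the thread or of the project's test suite: a parser that decides from `flashrom -p internal` output whether a read-only PRx range actually covers part of the BIOS region, instead of matching the warning line alone. The function names are hypothetical, the sample text is excerpted from the outputs quoted in this thread, and only the `read-only` access string shown here is treated as write-protecting.

```python
import re

# Line shapes taken from the flashrom outputs quoted in this thread.
FREG_RE = re.compile(
    r"^FREG\d+: (.+?) region \((0x[0-9a-f]{8})-(0x[0-9a-f]{8})\) is ([\w-]+)\.", re.M)
PR_RE = re.compile(
    r"^PR(\d+): Warning: (0x[0-9a-f]{8})-(0x[0-9a-f]{8}) is ([\w-]+)\.", re.M)

# Excerpt of the output with the lock enforced, and the same text without
# the PR0 line, which is what the reported output looked like.
LOCKED = """\
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00580000-0x00ffffff) is read-write.
FREG2: Management Engine region (0x00001000-0x004c0fff) is read-write.
PR0: Warning: 0x00b00000-0x00ffffff is read-only.
OK.
"""
UNLOCKED = LOCKED.replace("PR0: Warning: 0x00b00000-0x00ffffff is read-only.\n", "")


def check_bios_lock(output):
    """Report whether a read-only PRx range protects part of the BIOS region."""
    fregs = {name: (int(lo, 16), int(hi, 16))
             for name, lo, hi, _ in FREG_RE.findall(output)}
    if "BIOS" not in fregs:
        # Without the FREG lines the output cannot prove anything either way.
        raise ValueError("no BIOS region line in flashrom output")
    bios_lo, bios_hi = fregs["BIOS"]
    ranges = []
    for idx, lo, hi, access in PR_RE.findall(output):
        lo, hi = int(lo, 16), int(hi, 16)
        # Only count write-protecting ranges that lie inside the BIOS region.
        if access == "read-only" and bios_lo <= lo <= hi <= bios_hi:
            ranges.append((int(idx), lo, hi))
    return {
        "locked": bool(ranges),
        "ranges": ranges,
        "protected_bytes": sum(hi - lo + 1 for _, lo, hi in ranges),
    }


def offset_is_protected(output, offset):
    """True if a flash offset falls inside a reported read-only PRx range."""
    return any(lo <= offset <= hi for _, lo, hi in check_bios_lock(output)["ranges"])


if __name__ == "__main__":
    for label, text in (("locked", LOCKED), ("reported", UNLOCKED)):
        print(label, check_bios_lock(text))
```

The offset check ties the range back to the failed write shown earlier in the thread: the transaction error at 0x00b08000 falls inside the PR0 range.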

@pkubaj
Author

pkubaj commented Apr 9, 2024

OK, I'm not sure what happened. Is power-cycling necessary? 6650 has the same issue and I just manually confirmed that there's no information about the lock.

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

No, PR0 is reset to 0 with platform reset, so BIOS has to program it on each boot and S3 resume.

@mkopec
Member

mkopec commented Apr 9, 2024

Power cycle is needed after changing pretty much any Dasharo config option.

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

> Power cycle is needed after changing pretty much any Dasharo config option.

Changing any setup option will force a reset, so the board will always boot with the desired PR0 state, yes

@mkopec
Member

mkopec commented Apr 9, 2024

> Changing any setup option will force a reset

It should, but it's possible to boot without resetting via the boot manager...

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

> It should, but it's possible to boot without resetting via the boot manager...

How?

  1. If I change a setting, save it, go to One Time Boot and try to select something, I get a pop up to reset the board.
  2. If I change a setting, save it, go to Boot Maintenance Manager, choose to boot from file and try to select something from an EFI partition, like grubx64.efi, I get a pop up to reset the board.

I think it is not possible to exit the setup without a reset if a setting has been changed @mkopec

@mkopec
Member

mkopec commented Apr 9, 2024

The save settings reminder only appears when exiting via "Reset" or "Continue". If someone forgets to save the setting (because they're usually prompted to do so when exiting), the reminder won't appear when booting something via boot maintenance manager

@miczyg1
Contributor

miczyg1 commented Apr 9, 2024

> The save settings reminder only appears when exiting via "Reset" or "Continue". If someone forgets to save the setting (because they're usually prompted to do so when exiting), the reminder won't appear when booting something via boot maintenance manager

Aha! So for unsaved changes. It means they are not applied, so all fine. I thought you can change and apply a setting and boot something without resetting.

@macpijan
Contributor

@pkubaj Can you either confirm and close, or provide a reproduction scenario?

@pkubaj
Author

pkubaj commented Apr 10, 2024

I'm not sure how to reproduce it. Our 6650 already has BIOS Lock enabled:
[Screenshot: 2024-04-10-113437_732x246_scrot]

It had been enabled already when I entered setup, so I assume that it's already saved.
However, executing flashrom -p internal yields only:

flashrom v1.2-1033-g24b8fcf-dirty on Linux 6.5.0-27-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Cannot open file stream for /dev/mtd0
coreboot table found at 0x768d5000.
Found chipset "Intel Alder Lake-P".
Enabling flash write... Warning: Setting BIOS Control at 0xdc from 0x8b to 0x89 failed.
New value is 0x8b.
SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00580000-0x00ffffff) is read-write.
FREG2: Management Engine region (0x00001000-0x004c0fff) is read-write.
OK.
Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific) on internal.
No operations were specified.

@macpijan
Contributor

@pkubaj Perhaps it happens only after first flashing? Have you tried switch off -> save -> switch on -> save? Can you try to narrow it a bit more?

@pkubaj
Author

pkubaj commented Apr 10, 2024

After reflashing and cycling that option, I am getting the required warning.

@miczyg1
Contributor

miczyg1 commented Apr 11, 2024

The lock is default true: https://github.com/Dasharo/coreboot/blob/dasharo/src/vendorcode/dasharo/options.c#L166

It should work straight away after flashing.

@pkubaj
Author

pkubaj commented Apr 12, 2024

I can't reproduce it anymore. The lock is enabled by default and it seems to work correctly. I'm not sure what happened before that made it not work.

@pkubaj pkubaj closed this as completed Apr 12, 2024