Skip to content

Descriptor lockdown #274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
filipleple merged 6 commits into from
Sep 2, 2025
Merged

Descriptor lockdown #274

filipleple merged 6 commits into from
Sep 2, 2025

Conversation

@mkopec
Copy link
Member

@mkopec mkopec commented Sep 1, 2025
edited
Loading

@mkopec
DasharoVariablesLib/DasharoVariablesLib.c: Always allow capsule if de…
009e00d 
…scriptor is locked

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec
Copy link
Member Author

mkopec commented Sep 1, 2025

Does not work yet, it seems that reading the DescriptorWriteable EFI variable fails.

@mkopec mkopec requested a review from SergiiDmytruk September 1, 2025 16:36
@mkopec mkopec mentioned this pull request Sep 1, 2025
Merged
@mkopec mkopec marked this pull request as ready for review September 2, 2025 08:35
@mkopec mkopec requested a review from filipleple September 2, 2025 08:36
@mkopec
Copy link
Member Author

mkopec commented Sep 2, 2025
edited
Loading

Tested: Booted V540TU to the setup menu and verified that the HAP option does not appear anymore - except on first boot, where coreboot cannot set the variable due to the EFI store not being initialized.

Managed to succesfuly initiate Capsule Update twice without setting the ME to HAP mode, too, however the actual update got stuck at a black screen both times and the laptop got bricked. @SergiiDmytruk do you have some ideas?

@mkopec
DasharoVariablesLib/DasharoVariablesLib.c: Always allow capsule if de…
4d28c9a 
…scriptor is locked

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec
DasharoSystemFeaturesUiLib/DasharoSystemFeatures.c: Hide HAP if descr…
d3d9ca0 
…iptor is locked

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec
DasharoModulePkg: Add define for DescriptorWriteable EFI variable
af85ff6 
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec
DasharoModulePkg/Library: Use correct GUID for DescriptorWriteable EF…
e8894be 
…I var

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec
DasharoModulePkg/Library/DasharoSystemFeaturesUiLib/DasharoSystemFeat…
09b49b3 
…ures.c: correct logic for descriptor writeability

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
@mkopec mkopec force-pushed the descriptor_lockdown branch from 3f3e17e to 09b49b3 Compare September 2, 2025 09:30
@SergiiDmytruk
Copy link
Member

SergiiDmytruk commented Sep 2, 2025 via email

@mkopec
Copy link
Member Author

mkopec commented Sep 2, 2025

Ahh now that the ME is not in HAP mode, the code tries to enable HMRFPO, which causes a global reset and corrupts the capsule data... Need to remove the HMRFPO enabling code at least until capsule on disk is introduced

@filipleple filipleple merged commit 09b49b3 into dasharo Sep 2, 2025
2 checks passed
@filipleple filipleple deleted the descriptor_lockdown branch September 2, 2025 11:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@macpijan macpijan macpijan approved these changes

@SergiiDmytruk SergiiDmytruk SergiiDmytruk approved these changes

@filipleple filipleple filipleple approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mkopec @SergiiDmytruk @macpijan @filipleple