firmware-open icon indicating copy to clipboard operation
firmware-open copied to clipboard
verified publisher icon system76

Lock firmware by default, require manual confirmation to boot unlocked

Open jackpot51 opened this issue 4 years ago • 1 comments

  • The EC resets in LOCK security state
  • The firmware updater is written to the EFI partition, and set as the next boot option
  • Upon reboot, the firmware updater prompts for an enter keypress to confirm firmware flashing
  • The firmware updater tells the EC to enter the PREPARE_UNLOCK security state
  • The system reboots, which will unlock the SPI flash as well as setting the EC to UNLOCK security state
  • The firmware security driver detects this condition prior to booting code outside of firmware and prompts for the user to enter a guaranteed (by hardware) random 8-digit number in order to continue
  • If the code is entered, the firmware updater is booted, the firmware is flashed, and upon the final EC reset that shuts everything down, the EC security state will go back to locked
  • In the case that the code is not entered, the EC will be told to prepare to lock and will be rebooted, which will make the SPI flash and the EC enter the PREPARE_LOCK security state

jackpot51 avatar Feb 16 '21 15:02 jackpot51

Is it planned to include this feature in a official firmware update for the galp4?

JanZerebecki avatar Oct 07 '21 10:10 JanZerebecki

EC locking is enabled on TGL and later.

crawfxrd avatar Jun 06 '24 15:06 crawfxrd