Hi,
Am 13.12.24 um 11:05 schrieb Richard Hughes:
On Thursday, 12 December 2024 at 19:01, Mario Limonciello <mario.limonciello@xxxxxxx> wrote:
Sadly fwupd/LVFS does not support executing arbitrary efi binaries/
nsh scripts which still is the main form ODMs provide bios updates.
Of course fwupd can't do this; it would be a huge security hole as the nsh script isn't signed.
It sounds like some bugs in the implementation of the capsule handler
for this system.
I've seen this with AmiFlash + BIOS.ROM, but never from a capsule. I'm pretty sure Aptio builder is more than capable of constructing a capsule file with the correct DMI data.
The DMI data also includes a serial number that cannot be baked into the
capsule. And I don't have access to the Aptio builder or other AMI dev tools,
just the Afu* flash tools.
The command provided by the ODM:
AfuEfix64.efi <bios>.bin /p /b /n /r /x /l /k /capsule
with <bios>.bin being a capsule and:
/p Program Main BIOS -- With recovery flash this does not include DMI strings,
but does with capsule flash. -> Does flash some /k regions in /capsule flash
(but not, for example, the logo region).
/b Program Boot Block
/n Programm NVRAM
/r Preserve ALL SMBIOS structure during programming
/x Don't check ROM ID
/l Programm all ROM Holes
/k Programm all non-critical Blocks -- No effect in /capsule flash, does include
both the logo and the DMI string region.
/capsule Flash using the capsule update process (without it the bios is flashed
directly by AfuEfix64.efi)
I played around with the command with the conclusion:
- AfuEfix64.efi <bios>.bin /p /capsule -> overwrites DMI strings
- AfuEfix64.efi <bios>.bin /p /r /capsule -> overwrites nothing
I also flashed with fwupd with the result:
- DMI strings where overwritten
- Main BIOS was flashed
- I don't know if Boot Block was flashed
- I don't know if NVRAM was flashed
- I don't know if ROM Holes were flashed
- I don't know if non-critical Blocks were flashed
I tried to explain fwupd and the requirements to our contact at the ODM, but
just got the unhelpful reply to use the command above.
Do you know how these AfuEfix64.efi flags are passed over to the capsule flash
process? Then it might be possible to implement them in fwupd too.
It's not an Insyde problem. I use Insyde capsules regularly myself from
fwupd. I also know several other OEMs that ship capsules to LVFS that
use Insyde.
100% agreed; Insyde firmware makes up more than 20% of the updates on the LVFS now.
Good to know. Sadly the ODM does not care :(.
To be fair all my work I described here is now 2 or 3 years old. I didn't start
a second try since.
Kind regards,
Werner
Richard.
