From a8b15ba8910941c434068d354f708563c673733e Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Mon, 26 Aug 2024 03:12:42 +0100 Subject: [PATCH] unified iomem=relaxed instructions Signed-off-by: Leah Rowe --- site/devmem.md | 79 ++++++++++++++++++++++++++++++ site/docs/install/dell_internal.md | 31 ++++-------- site/docs/install/ich9utils.md | 5 +- site/docs/install/index.md | 58 +++------------------- site/faq.md | 33 ++++--------- 5 files changed, 105 insertions(+), 101 deletions(-) create mode 100644 site/devmem.md diff --git a/site/devmem.md b/site/devmem.md new file mode 100644 index 0000000..cdcbf16 --- /dev/null +++ b/site/devmem.md @@ -0,0 +1,79 @@ +--- +title: Disabling /dev/mem protections +x-toc-enable: true +... + +This section applies to any program that makes use of lower memory +below 1MB. This applies to `flashprog` and `dell-flash-unlock` plus any other +tool that uses lower memory and/or port I/O + +Port I/O is up to you, BUT it is recommended that you re-disable lower memory +access once you no longer need it, as this is a useful security layer against +any wrongful operations that you may later inadvertently run as root. + +Also disable SecureBoot +======================= + +If you're using a UEFI setup, it's probably because you're using +a latter Intel platform and want to flash Canoeboot internally, from +the factory firmware to Canoeboot. + +If the factory firmware implements UEFI, and this is how you boot when +using the factory firmware, please ensure that *SecureBoot* is disabled, +because it will interfere with lower memory accesses if left enabled. + +FLASH ERRORS (and workarounds) +======================= + +**NOTE: Canoeboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog) +now, which is a fork of flashrom.** + +This section relates to installing Canoeboot on supported targets. + +Right out of the gate, some users may experience errors with flashprog when +using the internal programmer. They are: + +/dev/mem access error +--------------------- + +NOTE: if running `flashprog -p internal` for software based flashing, and you +get an error related to `/dev/mem` access, you should reboot with +`iomem=relaxed` kernel parameter before running flashprog, or use a kernel that +has `CONFIG_STRICT_DEVMEM` not enabled. + +On NetBSD and OpenBSD systems, the equivalent to `iomem=relaxed` in this case +is `kernel.securelevel=-1`; see [NetBSD securelevel +manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/) +and [OpenBSD securelevel manual](https://man.openbsd.org/securelevel). + +ERROR: Could not get I/O privileges +------------------------------------ + +Error message: `ERROR: Could not get I/O privileges (Function not implemented)` + +If you get this while running `flashprog -p internal -w filename.rom` (or any +internal flash operation), note: flashprog heavily uses ioperm/iopl functions +to operate the internal flasher, at least on x86 machines. + +See: + +Yeah, just enable `CONFIG_X86_IOPL_IOPERM` in your Linux kernel. This is +a *build-time* option, so you must re-compile your kernel, or find a build that +has this option enabled (IOPL emulation). Many default kernel configurations +now disable this option. + +Here's a handy-dandy guide for building a kernel from source: + + +**BSD users:** On OpenBSD and NetBSD if you get similar errors, note that it +should work here, but you need to boot with `kern.securelevel=-1`. +See: [NetBSD securelevel manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/) +and [OpenBSD securelevel manpage](https://man.openbsd.org/securelevel). + +Otherwise, if you get such errors, it may just be that you're not root. You +must run flashprog as root, at least to use the internal flasher (using external +USB flashing dongles doesn't normally require root). + +NOTE: BSD kernels seem to still enable IOPL by default. However, many modern +Linux setups disable it by default these days, so it may be in teh future +that most users will start needing to compile their own kernels. (go BSD!) diff --git a/site/docs/install/dell_internal.md b/site/docs/install/dell_internal.md index 15c34c1..1d82ca7 100644 --- a/site/docs/install/dell_internal.md +++ b/site/docs/install/dell_internal.md @@ -7,6 +7,14 @@ Make sure SecureBoot is disabled, if you're running a UEFI-based Latitude. Other steps also required, described on this page and in the `README.md` file included with `dell-flash-unlock`. +Disable security before flashing +================================ + +Before internal flashing, you must first disable `/dev/mem` protections. Make +sure to re-enable them after you're finished. + +See: [Disabling /dev/mem protection](devmem.md) + Internal flashing ================= @@ -14,29 +22,8 @@ You can simply boot GNU+Linux or BSD, on the Dell Latitude you wish to flash, an run `flashprog` from there, for Canoeboot installation. Certain other steps are also required, documented in the steps below: -Flashing from BSD ------------------ - -Basically identical to GNU+Linux, except that you must -set `kern.securelevel` to -1 on boot, which is equivalent to `iomem=relaxed` -under GNU+Linux, for this purpose. - -The `dell-flash-unlock` utility will compile and run just fine. It has been -tested on OpenBSD, NetBSD and FreeBSD. With this in mind, simply follow the -GNU+Linux instrucctions but adapt accordingly. - -If unsure, just boot a live GNU+Linux distro via USB and run it all there. - -Flashing from GNU+Linux -------------------- - -MAKE SURE you boot with this Linux kernel parameter: `iomem=relaxed` - this -disables memory protections, permitting `/dev/mem` access needed by flashprog. -The flash is memory mapped and flashprog accesses it via `/dev/mem`. - You can flash Canoeboot directly from the vendor (Dell) BIOS, without taking -the machine apart. It can be done entirely from GNU+Linux. It will probably also -work on BSD systems, but it has only been testing on GNU+Linux thus far. +the machine apart. It can be done entirely from GNU+Linux or BSD. **NOTE (15 October 2023): The util is now called `dell-flash-unlock`, but it was previously called `e6400-flash-unlock`. Links have been updated.** diff --git a/site/docs/install/ich9utils.md b/site/docs/install/ich9utils.md index ef8d993..601da13 100644 --- a/site/docs/install/ich9utils.md +++ b/site/docs/install/ich9utils.md @@ -202,10 +202,7 @@ Read on for more information. Use the `ro` files mentioned below, and your flash will be read-only in software (you can still externally re-flash and read the contents of flash). -For ease of use, Canoeboot provides ROMs that are read-write by default. In -practise, you can boot a GNU+Linux kernel with access to lower memory disabled -which will make software re-flashing impossible (unless you reboot with such -memory protections disabled, e.g. `iomem=relaxed` kernel parameter). +For ease of use, Canoeboot provides ROMs that are read-write by default. ICH9 deblob utility {#ich9deblob} =================== diff --git a/site/docs/install/index.md b/site/docs/install/index.md index fbdfeab..2052a18 100644 --- a/site/docs/install/index.md +++ b/site/docs/install/index.md @@ -11,52 +11,13 @@ now, as of 3 May 2024, which is a fork of flashrom.** This section relates to installing canoeboot on supported targets. -FLASH ERRORS (and workarounds) -+======================= +**Disable security before flashing** +================================ -Right out of the gate, some users may experience errors with flashprog when -using the internal programmer. They are: +**Before internal flashing, you must first disable `/dev/mem` protections. Make +sure to re-enable them after you're finished.** -/dev/mem access error ---------------------- - -NOTE: if running `flashprog -p internal` for software based flashing, and you -get an error related to `/dev/mem` access, you should reboot with -`iomem=relaxed` kernel parameter before running flashprog, or use a kernel that -has `CONFIG_STRICT_DEVMEM` not enabled. - -On NetBSD and OpenBSD systems, the equivalent to `iomem=relaxed` in this case -is `kernel.securelevel=-1`; see [NetBSD securelevel -manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/) -and [OpenBSD securelevel manual](https://man.openbsd.org/securelevel). - -ERROR: Could not get I/O privileges ------------------------------------- - -Error message: `ERROR: Could not get I/O privileges (Function not implemented)` - -If you get this while running `flashprog -p internal -w filename.rom` (or any -internal flash operation), note: flashprog heavily uses ioperm/iopl functions -to operate the internal flasher, at least on x86 machines. - -See: - -Yeah, just enable `CONFIG_X86_IOPL_IOPERM` in your Linux kernel. This is -a *build-time* option, so you must re-compile your kernel, or find a build that -has this option enabled (IOPL emulation). Many default kernel configurations -now disable this option. - -Here's a handy-dandy guide for building a kernel from source: - - -**BSD users:** On OpenBSD and NetBSD if you get similar errors, note that it -should work here, but you need to boot with `kern.securelevel=-1`. -See: [NetBSD securelevel manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/) -and [OpenBSD securelevel manpage](https://man.openbsd.org/securelevel). - -Otherwise, if you get such errors, it may just be that you're not root. You -must run flashprog as root, at least to use the internal flasher (using external -USB flashing dongles doesn't normally require root). +**See: [Disabling /dev/mem protection](devmem.md)** PRECAUTIONS =========== @@ -475,14 +436,7 @@ Your flash chip is in an unknown state. If you see this, rejoice! It means that the flash was successful. Please do not panic. Shut down now, and wait a few seconds, then turn back on again. -**WARNING: if flashprog complains about `/dev/mem` access, please -run `sudo ./bucts 0`. If flashprog is complaining about `/dev/mem`, it means -that you have `CONFIG_STRICT_DEVMEM` enabled in your kernel. Reboot with the -following kernel parameter added in your bootloader: `iomem=relaxed` and try -again with the above instructions. DO NOT continue until the above works, and -you see the expected flashprog output as indicated above.** - -If you *did* run flashprog and it failed to flash, but you set bucts to 1 and +If you *did* run flashrom and it failed to flash, but you set bucts to 1 and shut down, don't worry. Just remove the yellow coin-cell battery (it's underneath the keyboard, connected to the mainboard), wait a minute or two, reconnect the coin-cell and try again from scratch. In this instance, if flashprog didn't do diff --git a/site/faq.md b/site/faq.md index 8278744..c06f5e6 100644 --- a/site/faq.md +++ b/site/faq.md @@ -5,6 +5,14 @@ x-toc-enable: true AKA Frequently Questioned Answers +Disable security before flashing +================================ + +Before internal flashing, you must first disable `/dev/mem` protections. Make +sure to re-enable them after you're finished. + +See: [Disabling /dev/mem protection](install/devmem.md) + Important issues ================ @@ -36,29 +44,8 @@ Testing involves minimal effort and really helps out the project. See the [board maintainers documentation](/docs/maintain/testing.md) if you are interested in testing roms before they are released. -Flashprog complains about DEVMEM access --------------------------------------- - -If running `flashprog -p internal` for software based flashing, and -you get an error related to /dev/mem access, you should reboot with -`iomem=relaxed` kernel parameter before running flashprog, or use a kernel -that has `CONFIG_STRICT_DEVMEM` and `CONFIG_IO_STRICT_DEVMEM` not enabled. - -Example flashprog output with both `CONFIG_STRICT_DEVMEM` and `CONFIG_IO_STRICT_DEVMEM` enabled: -``` -flashprog v0.9.9-r1955 on GNU+Linux 4.11.9-1-ARCH (x86_64) -flashprog is free software, get the source code at https://flashprog.org - -Calibrating delay loop... OK. -Error accessing high tables, 0x100000 bytes at 0x000000007fb5d000 -/dev/mem mmap failed: Operation not permitted -Failed getting access to coreboot high tables. -Error accessing DMI Table, 0x1000 bytes at 0x000000007fb27000 -/dev/mem mmap failed: Operation not permitted -``` - -Backlight darker on the left side of the screen ---------------------------------------------------------------------------------------------------------------- +Uneven backlight on GM45 ThinkPads +---------------------------------- We don't know how to detect the correct PWM value to use in coreboot, so we just use the default one in coreboot which has