cbwww/site/docs/install/devmem.md

80 lines
3.3 KiB
Markdown

---
title: Disabling /dev/mem protections
x-toc-enable: true
...
This section applies to any program that makes use of lower memory
below 1MB. This applies to `flashprog` and `dell-flash-unlock` plus any other
tool that uses lower memory and/or port I/O
Port I/O is up to you, BUT it is recommended that you re-disable lower memory
access once you no longer need it, as this is a useful security layer against
any wrongful operations that you may later inadvertently run as root.
Also disable SecureBoot
=======================
If you're using a UEFI setup, it's probably because you're using
a latter Intel platform and want to flash Canoeboot internally, from
the factory firmware to Canoeboot.
If the factory firmware implements UEFI, and this is how you boot when
using the factory firmware, please ensure that *SecureBoot* is disabled,
because it will interfere with lower memory accesses if left enabled.
FLASH ERRORS (and workarounds)
=======================
**NOTE: Canoeboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, which is a fork of flashrom.**
This section relates to installing Canoeboot on supported targets.
Right out of the gate, some users may experience errors with flashprog when
using the internal programmer. They are:
/dev/mem access error
---------------------
NOTE: if running `flashprog -p internal` for software based flashing, and you
get an error related to `/dev/mem` access, you should reboot with
`iomem=relaxed` kernel parameter before running flashprog, or use a kernel that
has `CONFIG_STRICT_DEVMEM` not enabled.
On NetBSD and OpenBSD systems, the equivalent to `iomem=relaxed` in this case
is `kernel.securelevel=-1`; see [NetBSD securelevel
manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manual](https://man.openbsd.org/securelevel).
ERROR: Could not get I/O privileges
------------------------------------
Error message: `ERROR: Could not get I/O privileges (Function not implemented)`
If you get this while running `flashprog -p internal -w filename.rom` (or any
internal flash operation), note: flashprog heavily uses ioperm/iopl functions
to operate the internal flasher, at least on x86 machines.
See: <https://lwn.net/Articles/804143/>
Yeah, just enable `CONFIG_X86_IOPL_IOPERM` in your Linux kernel. This is
a *build-time* option, so you must re-compile your kernel, or find a build that
has this option enabled (IOPL emulation). Many default kernel configurations
now disable this option.
Here's a handy-dandy guide for building a kernel from source:
<https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html>
**BSD users:** On OpenBSD and NetBSD if you get similar errors, note that it
should work here, but you need to boot with `kern.securelevel=-1`.
See: [NetBSD securelevel manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manpage](https://man.openbsd.org/securelevel).
Otherwise, if you get such errors, it may just be that you're not root. You
must run flashprog as root, at least to use the internal flasher (using external
USB flashing dongles doesn't normally require root).
NOTE: BSD kernels seem to still enable IOPL by default. However, many modern
Linux setups disable it by default these days, so it may be in teh future
that most users will start needing to compile their own kernels. (go BSD!)