libreboot
/
lbwww
1
0
Fork 0
Code Packages Projects Releases Activity

unified iomem=relaxed instructions 

Signed-off-by: Leah Rowe <info@minifree.org>
master
Leah Rowe 2024-08-26 03:12:42 +01:00
parent d2e8cda2d1
commit 1a330900d4
7 changed files with 120 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
site/devmem.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Disabling /dev/mem protections
x-toc-enable: true
...
This section applies to any program that makes use of lower memory
below 1MB. This applies to `flashprog` and `dell-flash-unlock` plus any other
tool that uses lower memory and/or port I/O
Port I/O is up to you, BUT it is recommended that you re-disable lower memory
access once you no longer need it, as this is a useful security layer against
any wrongful operations that you may later inadvertently run as root.
Also disable SecureBoot
=======================
If you're using a UEFI setup, it's probably because you're using
a latter Intel platform and want to flash Libreboot internally, from
the factory firmware to Libreboot.
If the factory firmware implements UEFI, and this is how you boot when
using the factory firmware, please ensure that *SecureBoot* is disabled,
because it will interfere with lower memory accesses if left enabled.
FLASH ERRORS (and workarounds)
=======================
**NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, as of 27 January 2024, which is a fork of flashrom.**
This section relates to installing libreboot on supported targets.
Right out of the gate, some users may experience errors with flashprog when
using the internal programmer. They are:
/dev/mem access error
---------------------
NOTE: if running `flashprog -p internal` for software based flashing, and you
get an error related to `/dev/mem` access, you should reboot with
`iomem=relaxed` kernel parameter before running flashprog, or use a kernel that
has `CONFIG_STRICT_DEVMEM` not enabled.
On NetBSD and OpenBSD systems, the equivalent to `iomem=relaxed` in this case
is `kernel.securelevel=-1`; see [NetBSD securelevel
manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manual](https://man.openbsd.org/securelevel).
ERROR: Could not get I/O privileges
------------------------------------
Error message: `ERROR: Could not get I/O privileges (Function not implemented)`
If you get this while running `flashprog -p internal -w filename.rom` (or any
internal flash operation), note: flashprog heavily uses ioperm/iopl functions
to operate the internal flasher, at least on x86 machines.
See: <https://lwn.net/Articles/804143/>
Yeah, just enable `CONFIG_X86_IOPL_IOPERM` in your Linux kernel. This is
a *build-time* option, so you must re-compile your kernel, or find a build that
has this option enabled (IOPL emulation). Many default kernel configurations
now disable this option.
Here's a handy-dandy guide for building a kernel from source:
<https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html>
**BSD users:** On OpenBSD and NetBSD if you get similar errors, note that it
should work here, but you need to boot with `kern.securelevel=-1`.
See: [NetBSD securelevel manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manpage](https://man.openbsd.org/securelevel).
Otherwise, if you get such errors, it may just be that you're not root. You
must run flashprog as root, at least to use the internal flasher (using external
USB flashing dongles doesn't normally require root).
NOTE: BSD kernels seem to still enable IOPL by default. However, many modern
Linux setups disable it by default these days, so it may be in teh future
that most users will start needing to compile their own kernels. (go BSD!)

14
site/docs/hardware/hp8200sff.md
View File

@ -49,6 +49,14 @@ P*: Partially works with blobs
| **SeaBIOS with GRUB** | Works |
</div>
Disable security before flashing
================================
Before internal flashing, you must first disable `/dev/mem` protections. Make
sure to re-enable them after you're finished.
See: [Disabling /dev/mem protection](../install/devmem.md)
Introduction
============
@ -138,10 +146,6 @@ between the pins until you can see the normal BIOS boot screen.
![](https://av.libreboot.org/hp8200sff/fdo\_screwdriver.jpg)
Boot into an OS supported by flashprog. On Linux, make sure you add the
kernel parameter **iomem=relaxed** which disables memory protections that
prevent BIOS flashing.
NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, as of 27 January 2024, which is a fork of flashrom.
@ -179,7 +183,7 @@ Power off the computer. Make sure to power off, rebooting is not enough!
Power on the computer.
Now we can flash the full 8 MiB image. Boot to an OS with flashprog
again. On linux, remember the **iomem=relaxed** kernel parameter.
again.
NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, as of 27 January 2024, which is a fork of flashrom.

11
site/docs/hardware/hp8300usdt.md
View File

@ -24,6 +24,14 @@ OR YOU MIGHT BRICK YOUR MACHINE: [SAFETY PRECAUTIONS](../../news/safety.md)**
| **Intel ME/AMD PSP** | Present, neutered |
| **Flash chip** | SOIC-16 16MiB |
Disable security before flashing
================================
Before internal flashing, you must first disable `/dev/mem` protections. Make
sure to re-enable them after you're finished.
See: [Disabling /dev/mem protection](../install/devmem.md)
# Introduction
This is a small but powerful desktop using Sandy or Ivy Bridge CPUs
@ -71,8 +79,7 @@ crystal (small metal cylinder) and the power cable for the optical drive.
![](https://av.libreboot.org/hp8300usdt/jumper_to_fdo.jpg)
Boot into an OS of your choice (that has flashprog support). When using Linux,
you need to supply the kernel parameter `iomem=relaxed`.
Boot into an OS of your choice (that has flashprog support).
NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, as of 27 January 2024, which is a fork of flashrom.

31
site/docs/install/dell_internal.md
View File

@ -7,6 +7,14 @@ Make sure SecureBoot is disabled, if you're running a UEFI-based Latitude.
Other steps also required, described on this page and in the `README.md`
file included with `dell-flash-unlock`.
Disable security before flashing
================================
Before internal flashing, you must first disable `/dev/mem` protections. Make
sure to re-enable them after you're finished.
See: [Disabling /dev/mem protection](devmem.md)
Internal flashing
=================
@ -14,29 +22,8 @@ You can simply boot Linux/BSD, on the Dell Latitude you wish to flash, and
run `flashprog` from there, for Libreboot installation. Certain other steps
are also required, documented in the steps below:
Flashing from BSD
-----------------
Basically identical to Linux, except that you must
set `kern.securelevel` to -1 on boot, which is equivalent to `iomem=relaxed`
under Linux, for this purpose.
The `dell-flash-unlock` utility will compile and run just fine. It has been
tested on OpenBSD, NetBSD and FreeBSD. With this in mind, simply follow the
Linux instrucctions but adapt accordingly.
If unsure, just boot a live Linux distro via USB and run it all there.
Flashing from Linux
-------------------
MAKE SURE you boot with this Linux kernel parameter: `iomem=relaxed` - this
disables memory protections, permitting `/dev/mem` access needed by flashprog.
The flash is memory mapped and flashprog accesses it via `/dev/mem`.
You can flash Libreboot directly from the vendor (Dell) BIOS, without taking
the machine apart. It can be done entirely from Linux. It will probably also
work on BSD systems, but it has only been testing on Linux thus far.
the machine apart. It can be done entirely from Linux/BSD.
**NOTE (15 October 2023): The util is now called `dell-flash-unlock`, but it
was previously called `e6400-flash-unlock`. Links have been updated.**

5
site/docs/install/ich9utils.md
View File

@ -196,10 +196,7 @@ Read on for more information. Use the `ro` files mentioned below, and your
flash will be read-only in software (you can still externally re-flash and read
the contents of flash).
For ease of use, libreboot provides ROMs that are read-write by default. In
practise, you can boot a Linux kernel with access to lower memory disabled
which will make software re-flashing impossible (unless you reboot with such
memory protections disabled, e.g. `iomem=relaxed` kernel parameter).
For ease of use, libreboot provides ROMs that are read-write by default.
ICH9 deblob utility {#ich9deblob}
===================

62
site/docs/install/index.md
View File

@ -22,57 +22,13 @@ if you want to send your machine in to have Libreboot installed for you.
Leah Rowe, the founder and lead developer of Libreboot, also owns and
operates Minifree Ltd; sales provide funding for the Libreboot project.
FLASH ERRORS (and workarounds)
=======================
**Disable security before flashing**
================================
**NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
now, as of 27 January 2024, which is a fork of flashrom.**
**Before internal flashing, you must first disable `/dev/mem` protections. Make
sure to re-enable them after you're finished.**
This section relates to installing libreboot on supported targets.
Right out of the gate, some users may experience errors with flashprog when
using the internal programmer. They are:
/dev/mem access error
---------------------
NOTE: if running `flashprog -p internal` for software based flashing, and you
get an error related to `/dev/mem` access, you should reboot with
`iomem=relaxed` kernel parameter before running flashprog, or use a kernel that
has `CONFIG_STRICT_DEVMEM` not enabled.
On NetBSD and OpenBSD systems, the equivalent to `iomem=relaxed` in this case
is `kernel.securelevel=-1`; see [NetBSD securelevel
manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manual](https://man.openbsd.org/securelevel).
ERROR: Could not get I/O privileges
------------------------------------
Error message: `ERROR: Could not get I/O privileges (Function not implemented)`
If you get this while running `flashprog -p internal -w filename.rom` (or any
internal flash operation), note: flashprog heavily uses ioperm/iopl functions
to operate the internal flasher, at least on x86 machines.
See: <https://lwn.net/Articles/804143/>
Yeah, just enable `CONFIG_X86_IOPL_IOPERM` in your Linux kernel. This is
a *build-time* option, so you must re-compile your kernel, or find a build that
has this option enabled (IOPL emulation). Many default kernel configurations
now disable this option.
Here's a handy-dandy guide for building a kernel from source:
<https://www.cyberciti.biz/tips/compiling-linux-kernel-26.html>
**BSD users:** On OpenBSD and NetBSD if you get similar errors, note that it
should work here, but you need to boot with `kern.securelevel=-1`.
See: [NetBSD securelevel manual](https://wiki.netbsd.org/tutorials/kernel_secure_levels/)
and [OpenBSD securelevel manpage](https://man.openbsd.org/securelevel).
Otherwise, if you get such errors, it may just be that you're not root. You
must run flashprog as root, at least to use the internal flasher (using external
USB flashing dongles doesn't normally require root).
**See: [Disabling /dev/mem protection](devmem.md)**
PRECAUTIONS
===========
@ -564,14 +520,6 @@ Your flash chip is in an unknown state.
If you see this, rejoice! It means that the flash was successful. Please do not
panic. Shut down now, and wait a few seconds, then turn back on again.
**WARNING: if flashrom (from Libreboot 20160907 utils) complains
about `/dev/mem` access, please
run `sudo ./bucts 0`. If flashrom is complaining about `/dev/mem`, it means
that you have `CONFIG_STRICT_DEVMEM` enabled in your kernel. Reboot with the
following kernel parameter added in your bootloader: `iomem=relaxed` and try
again with the above instructions. DO NOT continue until the above works, and
you see the expected flashrom output as indicated above.**
If you *did* run flashrom and it failed to flash, but you set bucts to 1 and
shut down, don't worry. Just remove the yellow coin-cell battery (it's underneath
the keyboard, connected to the mainboard), wait a minute or two, reconnect the

29
site/faq.md
View File

@ -8,6 +8,14 @@ now, as of 27 January 2024, which is a fork of flashrom.
AKA Frequently Questioned Answers
Disable security before flashing
================================
Before internal flashing, you must first disable `/dev/mem` protections. Make
sure to re-enable them after you're finished.
See: [Disabling /dev/mem protection](install/devmem.md)
Buy Libreboot pre-installed
==========
@ -55,27 +63,6 @@ Testing involves minimal effort and really helps out the project.
See the [board maintainers documentation](/docs/maintain/testing.md)
if you are interested in testing roms before they are released.
Flashrom complains about DEVMEM access
--------------------------------------
If running `flashprog -p internal` for software based flashing, and
you get an error related to /dev/mem access, you should reboot with
`iomem=relaxed` kernel parameter before running flashprog, or use a kernel
that has `CONFIG_STRICT_DEVMEM` and `CONFIG_IO_STRICT_DEVMEM` not enabled.
Example flashprog output with both `CONFIG_STRICT_DEVMEM` and `CONFIG_IO_STRICT_DEVMEM` enabled:
```
flashprog v0.9.9-r1955 on Linux 4.11.9-1-ARCH (x86_64)
flashprog is free software, get the source code at https://flashprog.org
Calibrating delay loop... OK.
Error accessing high tables, 0x100000 bytes at 0x000000007fb5d000
/dev/mem mmap failed: Operation not permitted
Failed getting access to coreboot high tables.
Error accessing DMI Table, 0x1000 bytes at 0x000000007fb27000
/dev/mem mmap failed: Operation not permitted
```
Uneven backlight on GM45 ThinkPads
----------------------------------