by jackpot51 2956 days ago
I am the engineer at System76 that has been working on the low-level firmware update procedure.

The only alternative is to reverse engineer the SPI flashing method. We have switched to using FPT, the Intel Flash Programming tool, on new models. This means that we need to reverse engineer the SPI update method, which is something the flashrom project has had success in doing for older Intel chipsets.


Can’t you add a bit of code to your firmware to accept a special EFI capsule that’s really just an EFI program (or a firmware volume containing an AFUEFI and the payload)? This wouldn’t work for UpdateCapsule, but it should work as a UEFI 2.4+ capsule-on-disk.

If fwupd won’t support a capsule-on-disk, I personally volunteer to nudge them. But I bet they already support it or would be very willing to add support.

SPI is a standard, right? What is the problem in using SPI?

SPI is easy, and well understood. For firmware editing I often use an external flasher for updating the ROM, and use flashrom to do so. Accessing the SPI bus on the Intel chipset, from the computer itself, is undocumented and usually requires reverse engineering.

Which chipset? It was documented (albeit not super well) in the handful of Intel chipsets I've had to support for firmware updates.

Kaby Lake and Kaby Lake R, for example.

OK, neat, it looks like they haven't changed it in eons. It's PCI device 00:1f.5 and is documented in all of the PCH docs (so Vol 1 for overview, Vol 2 for registers). Sometimes it's disabled by firmware as a sort of 'security' mechanism.

Yeah, there's not a whole lot there in the docs, but it's PIO SPI that handles most of the flash addressing for you, so it's not the most complex thing in the world to begin with. More "fill the buffer and go" sort of deal.

But, if your firmware cares about preventing flashable rootkits, then these registers should be locked such that you can only flash from SMM or during initial boot. The fact that AFUEFI works at all on a System76 laptop is a bad sign IMO.
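As an added illustration of the lock-down this comment describes, and not code from the thread or from System76, the following decoder takes raw values of the two registers that gate in-OS flash writes on Intel PCHs and reports which paths to the BIOS region remain open. The register names and bit positions (BIOS_CNTL at PCI config offset 0xDC of the SPI controller at 00:1f.5, with BIOSWE/BLE/SMM_BWP on older PCHs and WPD/LE/EISS from Skylake onward; FLOCKDN in HSFSTS at SPIBAR offset 0x04) are taken from the Intel PCH datasheets, and should be checked against the datasheet for the specific generation; every input value in the block is a constructed sample, not a read from hardware.

```python
"""Decode Intel PCH flash write-protection bits and list what is still open.

Register layout follows the Intel PCH datasheets (BIOS_CNTL in the PCI config
space of the SPI controller at 00:1f.5, offset 0xDC; HSFSTS at SPIBAR offset
0x04). Bit names changed between generations (BIOSWE/BLE/SMM_BWP on older
PCHs, WPD/LE/EISS on Skylake and later); the positions below are the ones the
datasheets give. All values fed in here are constructed samples.
"""

BIOS_CNTL_WPD = 1 << 0    # BIOSWE / WPD: 1 = writes to the BIOS region enabled
BIOS_CNTL_LE = 1 << 1     # BLE / LE: 1 = setting WPD raises an SMI, so SMM decides
BIOS_CNTL_EISS = 1 << 5   # SMM_BWP / EISS: 1 = writes accepted only while in SMM
HSFSTS_FLOCKDN = 1 << 15  # FLOCKDN: 1 = protected-range and config registers locked


def decode_bios_cntl(bios_cntl: int) -> dict:
    """Return the three write-protection fields of BIOS_CNTL as booleans."""
    return {
        "write_enabled": bool(bios_cntl & BIOS_CNTL_WPD),
        "lock_enable": bool(bios_cntl & BIOS_CNTL_LE),
        "smm_only": bool(bios_cntl & BIOS_CNTL_EISS),
    }


def assess_flash_protection(bios_cntl: int, hsfsts: int) -> list:
    """Return findings describing how ring-0 code could still reach the flash.

    An empty list is the state the comment above asks for: writes are possible
    only from SMM, the enable bit cannot be flipped back without an SMI, and
    the SPI controller's protected-range configuration is locked.
    """
    fields = decode_bios_cntl(bios_cntl)
    findings = []
    if fields["write_enabled"] and not fields["smm_only"]:
        findings.append("write enable set outside SMM: any ring-0 code can write the BIOS region")
    if not fields["lock_enable"]:
        findings.append("lock enable clear: the write-enable bit can be set again at runtime without an SMI")
    if not fields["smm_only"]:
        findings.append("SMM_BWP/EISS clear: flash writes are not restricted to SMM")
    if not hsfsts & HSFSTS_FLOCKDN:
        findings.append("FLOCKDN clear: protected-range and SPI configuration registers can still be changed")
    return findings


def is_locked_down(bios_cntl: int, hsfsts: int) -> bool:
    """True when no finding remains, i.e. flash writes are confined to SMM or boot."""
    return not assess_flash_protection(bios_cntl, hsfsts)


if __name__ == "__main__":
    # Constructed samples: a locked platform, and one that an in-OS flasher
    # (the AFUEFI situation described in the thread) could write to directly.
    samples = {
        "locked": (0x22, 0x8000),    # LE | EISS set, WPD clear, FLOCKDN set
        "writable": (0x01, 0x0000),  # WPD set, LE and EISS clear, FLOCKDN clear
    }
    for name, (bc, hsfs) in samples.items():
        print(name, decode_bios_cntl(bc))
        for finding in assess_flash_protection(bc, hsfs):
            print("  -", finding)
```

Note that a platform with WPD set but EISS and LE also set produces no findings, since the write enable is then only honoured from SMM; that is the intended runtime-update path, as opposed to the fully open state of the second sample. Tools such as chipsec implement the same bit checks against live hardware rather than constructed values.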

That is good to know. We will also need to unlock the flash descriptor, which is more proprietary code to reverse engineer.