Add HSTI/NX/SMM to ASUS bios?

Hi.

I just ran the Device Guard and Credential Guard hardware readiness tool:



Is there a way to add those features to a BIOS image (ASUS Z170-A)?


Thanks in advance!

HSTI I've never heard of, and it's not in the BIOS; I looked it up and it sounds like maybe a software solution.
NX is in the BIOS already, this is NX-Bit aka Execute Disable Bit (it's enabled by default once you load optimized defaults). Located at Advanced >> CPU Config page (if you can't see it, I can make it visible for you; show me an image of your BIOS at this page, scroll up/down if needed).
SMM options I can make visible to you as well, they are located at the same place as above; once I see your BIOS images from this page I will make them visible for you too. There is no specific setting named SMM mitigation though, but a handful of related settings, probably the same just named differently (you can see all this in AMIBCP).
This may be referring to BIOS Lock, which needs to be enabled as well; without that enabled, SMM protections cannot be loaded >> BIOS Lock >> Enable/Disable the PCH BIOS Lock Enable feature. (Required to be enabled to ensure SMM protection of flash.)


I think HSTI is actually implemented and working (the error message of the dgreadiness tool was just not very precise)! There are 3 DXE Drivers in a vanilla Z170A.ROM: HstiPlatformDxe, HstiResultDxe, HstiIhvProviderDxe and there are 2 HSTI_RESULTS NVARs with following content:

Error 0x00000002 Platform Security Specification - Boot Guard Configuration - Boot Guard disabled
Error 0x00010001 Platform Security Specification - SPI Flash Configuration - SPI Flash not write protected
Error 0x00010002 Platform Security Specification - SPI Flash Configuration - SPI Flash descriptor overridden
Error 0x00010004 Platform Security Specification - PCH Security Configuration - SPI Controller BIOS Interface unlocked
Error 0x00010008 Platform Security Specification - SPI Flash Configuration - ME FW not in Normal Working State
Error 0x0001000A Platform Security Specification - SPI Flash Configuration - SPI Region Access Rights Invalid
Error 0x00020001 Platform Security Specification - BIOS Guard Security Configuration - BIOS Guard disabled
Error 0x00080003 Platform Security Specification - Memory Map Security Configuration - Non lockable MMIO ranges overlap other critical regions
Error 0x000A0001 Platform Security Specification - PCH Security Configuration - Thermal Configuration unlocked

I’m going to reset the NVRAM and see what HSTI_RESULTS tells me then. Also, those error messages seem not true, unless it keeps error messages saved for a long time.


The ‘normal’ NX-bit is activated in the BIOS (Execute Disable Bit [Enabled]) as well as in Windows (the nx boot-variable is set to OptOut), so that’s not it. The NX Protector is for the BIOS itself:



SMM Mitigations refers to the WSMT ACPI table. It is present on the system but the Protection Flags field (last 4 bytes) is set to 0x00000000, so it’s basically disabled.


Well, I guess this isn’t something that is going to be easy to implement into a closed source binary blob.



I can't find anything related to PCH/BIOS locking in a settings.txt that I exported to USB from inside the BIOS. Normally it shows hidden BIOS settings, right?
Edit: Never mind, found them:

SMM Code Access Check [Disabled]
SMM Use Delay Indication [Disabled]
SMM Use Block Indication [Disabled]

But I didn't know about AMIBCP yet, I'll give it a try. Thx! :)

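To see what the HSTI_RESULTS NVAR quoted above actually encodes, here is an added example (not code from this thread, nor from the ASUS/AMI firmware) that parses an ADAPTER_INFO_PLATFORM_SECURITY blob in the layout given by edk2's MdePkg/Include/IndustryStandard/Hsti.h, lists which Required feature bits are not Verified, and splits the "Error 0x... - category - message" string into records. The blob, its bitmaps and the implementation ID are constructed here; the nine error lines are the ones from the post. Reading the high 16 bits of each code as the SecurityFeatures byte index is an inference from the pattern of the codes (all 0x0001xxxx lines are SPI Flash Configuration), not something the post states.

```python
"""Parse an HSTI ADAPTER_INFO_PLATFORM_SECURITY blob and its error string.
Added example (not from the thread). Layout as in edk2 MdePkg/Include/IndustryStandard/Hsti.h:
Version u32, Role u32, ImplementationID CHAR16[256], SecurityFeaturesSize u32, then the
Required/Implemented/Verified byte arrays of that size and a NUL-terminated CHAR16 ErrorString.
The sample blob is constructed; its error lines are the nine quoted from HSTI_RESULTS above."""
import re
import struct
from dataclasses import dataclass

PLATFORM_SECURITY_VERSION_VNEXTCS = 0x00000003
PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE = 0x00000001
ERROR_RE = re.compile(r"Error 0x([0-9A-Fa-f]{8}) (.+?) - (.+?) - (.+)")


@dataclass
class HstiError:
    code: int
    spec: str
    category: str
    message: str

    @property
    def feature_byte(self) -> int:
        # Assumption inferred from the codes on the page: high 16 bits = SecurityFeatures
        # byte index, low 16 bits = error number within that category.
        return self.code >> 16

    @property
    def error_number(self) -> int:
        return self.code & 0xFFFF


@dataclass
class Hsti:
    version: int
    role: int
    implementation_id: str
    required: bytes
    implemented: bytes
    verified: bytes
    errors: list


def parse_hsti(blob: bytes) -> Hsti:
    version, role = struct.unpack_from("<II", blob, 0)
    impl_id = blob[8:520].decode("utf-16-le").split("\x00", 1)[0]
    (size,) = struct.unpack_from("<I", blob, 520)
    off, arrays = 524, []
    for _ in range(3):                       # Required, Implemented, Verified
        if off + size > len(blob):
            raise ValueError("truncated SecurityFeatures array")
        arrays.append(blob[off:off + size])
        off += size
    text = blob[off:].decode("utf-16-le").split("\x00", 1)[0]
    errors = []
    for line in text.splitlines():
        m = ERROR_RE.fullmatch(line.strip())
        if m:
            errors.append(HstiError(int(m[1], 16), m[2], m[3], m[4]))
    return Hsti(version, role, impl_id, *arrays, errors)


def unverified_required(h: Hsti) -> list:
    """(byte_index, bit_mask) for each feature bit that is Required but not Verified."""
    out = []
    for i, (req, ver) in enumerate(zip(h.required, h.verified)):
        missing = req & ~ver & 0xFF
        out.extend((i, 1 << b) for b in range(8) if missing & (1 << b))
    return out


def build_hsti(required, implemented, verified, error_lines) -> bytes:
    """Constructed blob in the ADAPTER_INFO_PLATFORM_SECURITY layout (test input only)."""
    impl_id = "Example Platform".encode("utf-16-le").ljust(512, b"\x00")
    text = ("\r\n".join(error_lines) + "\r\n").encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<II", PLATFORM_SECURITY_VERSION_VNEXTCS,
                        PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE)
            + impl_id + struct.pack("<I", len(required)) + required + implemented + verified + text)


SAMPLE_ERRORS = [
    "Error 0x00000002 Platform Security Specification - Boot Guard Configuration - Boot Guard disabled",
    "Error 0x00010001 Platform Security Specification - SPI Flash Configuration - SPI Flash not write protected",
    "Error 0x00010002 Platform Security Specification - SPI Flash Configuration - SPI Flash descriptor overridden",
    "Error 0x00010004 Platform Security Specification - PCH Security Configuration - SPI Controller BIOS Interface unlocked",
    "Error 0x00010008 Platform Security Specification - SPI Flash Configuration - ME FW not in Normal Working State",
    "Error 0x0001000A Platform Security Specification - SPI Flash Configuration - SPI Region Access Rights Invalid",
    "Error 0x00020001 Platform Security Specification - BIOS Guard Security Configuration - BIOS Guard disabled",
    "Error 0x00080003 Platform Security Specification - Memory Map Security Configuration - Non lockable MMIO ranges overlap other critical regions",
    "Error 0x000A0001 Platform Security Specification - PCH Security Configuration - Thermal Configuration unlocked",
]
# Constructed bitmaps (not from the page): Required bits that are clear in Verified sit in
# the same feature bytes (0, 1, 2, 8, 10) that the error codes above point at.
SAMPLE_REQUIRED = bytes([0x03, 0x07, 0x01, 0, 0, 0, 0, 0, 0x01, 0, 0x01])
SAMPLE_IMPLEMENTED = SAMPLE_REQUIRED
SAMPLE_VERIFIED = bytes([0x01, 0x00, 0x00, 0, 0, 0, 0, 0, 0x00, 0, 0x00])
SAMPLE_BLOB = build_hsti(SAMPLE_REQUIRED, SAMPLE_IMPLEMENTED, SAMPLE_VERIFIED, SAMPLE_ERRORS)

if __name__ == "__main__":
    h = parse_hsti(SAMPLE_BLOB)
    for byte_idx, mask in unverified_required(h):
        print(f"byte {byte_idx} bit 0x{mask:02X}: required but not verified")
    for e in h.errors:
        print(f"byte {e.feature_byte:2d} err {e.error_number:#06x}: {e.category}: {e.message}")
```

The bitmaps only say which feature bytes failed; the per-feature reason lives in the error string, which is why the NVAR text is more useful than the one-line dgreadiness summary it feeds.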

These all would commonly be as noted below:
Error 0x00000002 Platform Security Specification - Boot Guard Configuration - Boot Guard disabled << Needs private key burned into PCH, not something Asus does at consumer board level
Error 0x00010001 Platform Security Specification - SPI Flash Configuration - SPI Flash not write protected << Assume this means FPRR/PRR - also usually disabled, but can be enabled if you want BIOS flashing issues
Error 0x00010002 Platform Security Specification - SPI Flash Configuration - SPI Flash descriptor overridden << Not true
Error 0x00010004 Platform Security Specification - PCH Security Configuration - SPI Controller BIOS Interface unlocked << Probably true, so you can BIOS flash
Error 0x00010008 Platform Security Specification - SPI Flash Configuration - ME FW not in Normal Working State << This may be true, if your ME FW is corrupted, not working/disabled etc
Error 0x0001000A Platform Security Specification - SPI Flash Configuration - SPI Region Access Rights Invalid << Unsure what it refers to
Error 0x00020001 Platform Security Specification - BIOS Guard Security Configuration - BIOS Guard disabled << usually disabled, but can be enabled if you want BIOS flashing issues
Error 0x00080003 Platform Security Specification - Memory Map Security Configuration - Non lockable MMIO ranges overlap other critical regions << unsure, possibly true / BIOS bug / Poor BIOS construction etc
Error 0x000A0001 Platform Security Specification - PCH Security Configuration - Thermal Configuration unlocked << I saw this when looking up SMM @ DTS SMM, didn’t understand how/why ANY thermal configuration setting would have anything to do with anything you mentioned. But, this can be set if you want

NX Stuff you mentioned, you’d have to speak to Asus about that.

SMM thing you mention, if you know the module which contains those bytes I can modify for you, give me the GUID

BIOS Lock is a hidden setting, I can make visible for you if you want. Yes it should appear in what you exported, if that usually exports hidden settings as well.
Look at BIOS in AMIBCP (5.02.0023 or 5.02.0031), or extract setup module and generate IFR using universal IFR Extractor (Let me know if you need tool, or I can upload IFR txt for you too), you will find in either at Advanced >> PCH Configuration >> Security Configuration
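The WSMT "Protection Flags" field mentioned earlier (table present, flags 0x00000000) and the offer above to patch those bytes both come down to a 40-byte ACPI table: the standard 36-byte header plus one u32. Added example, not code from this thread or from any vendor tool: it parses a WSMT table, checks the ACPI checksum, names the three flag bits defined in Microsoft's WSMT specification, and shows what rewriting the flags field involves (the checksum byte at header offset 9 must be recomputed or the OS will reject the table). Sample tables are constructed here with placeholder OEM/creator strings; a real one can be dumped with acpidump (ACPICA) or read from /sys/firmware/acpi/tables/WSMT on Linux.

```python
"""Decode and rewrite the WSMT (Windows SMM Security Mitigations Table) ProtectionFlags.
Added example, not from the thread. Flag bits per Microsoft's WSMT spec; sample tables are
constructed with placeholder OEM/creator strings."""
import struct

HEADER_FMT = "<4sIBB6s8sI4sI"             # Signature, Length, Revision, Checksum, OemId,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # OemTableId, OemRevision, CreatorId, CreatorRevision
WSMT_LEN = HEADER_LEN + 4                 # header + u32 ProtectionFlags = 40 bytes

WSMT_FLAGS = {
    0x1: "FIXED_COMM_BUFFERS",
    0x2: "COMM_BUFFER_NESTED_PTR_PROTECTION",
    0x4: "SYSTEM_RESOURCE_PROTECTION",
}
ALL_FLAGS = 0x7


def acpi_checksum(table: bytes) -> int:
    """Sum of all bytes modulo 256; a valid ACPI table sums to zero."""
    return sum(table) & 0xFF


def parse_wsmt(table: bytes) -> dict:
    if len(table) < WSMT_LEN:
        raise ValueError("table too short for WSMT")
    sig, length, rev, _cs, oem_id, oem_tab, _oem_rev, _cid, _crev = struct.unpack_from(HEADER_FMT, table)
    if sig != b"WSMT":
        raise ValueError(f"not a WSMT table: {sig!r}")
    if length != len(table):
        raise ValueError(f"Length field {length} does not match {len(table)} bytes")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch")
    (flags,) = struct.unpack_from("<I", table, HEADER_LEN)
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tab.decode("ascii", "replace").strip(),
        "protection_flags": flags,
        "set": [n for b, n in WSMT_FLAGS.items() if flags & b],
        "missing": [n for b, n in WSMT_FLAGS.items() if not flags & b],
        "all_mitigations_claimed": (flags & ALL_FLAGS) == ALL_FLAGS,
    }


def fix_checksum(table: bytes) -> bytes:
    """Recompute the header checksum byte (offset 9) so the whole table sums to 0."""
    body = bytearray(table)
    body[9] = 0
    body[9] = (-sum(body)) & 0xFF
    return bytes(body)


def build_wsmt(flags: int, oem_id: bytes = b"EXAMPL") -> bytes:
    """Constructed table for demonstration; OEM/creator strings are placeholders."""
    hdr = struct.pack(HEADER_FMT, b"WSMT", WSMT_LEN, 1, 0, oem_id.ljust(6)[:6],
                      b"EXAMPLE ", 1, b"EXMP", 1)
    return fix_checksum(hdr + struct.pack("<I", flags))


def set_protection_flags(table: bytes, flags: int) -> bytes:
    """Rewrite the flags u32 and fix the checksum. This only changes what the table claims."""
    parse_wsmt(table)                        # refuse to touch a malformed table
    return fix_checksum(table[:HEADER_LEN] + struct.pack("<I", flags) + table[WSMT_LEN:])


if __name__ == "__main__":
    for t in (build_wsmt(0x0), build_wsmt(0x7)):
        print(parse_wsmt(t))
```

Setting the bits only asserts to Windows that the firmware's SMI handlers honour those properties (fixed communication buffers, no dereferencing of nested pointers from the comm buffer, protected system resources); it does not make them true. The OS trusts the table, so a patched WSMT that claims protections the SMM code does not implement weakens the platform rather than hardening it. The useful direction is the parser: confirm what the firmware claims before deciding whether a BIOS mod is even the right place to look.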


I'm using a BIOS chip from eBay for my 'experiments'; it came with just the raw .ROM file on it. I plugged it in like that and started using it. The Intel ME version showed as 0.0.0.0 the first time it started; after a reboot it changed to 11.6.10.1196. I later updated it to 11.8.71.3630 using FWUpdLcl64.exe.
Is that perhaps why the error appeared in the HSTI_RESULTS NVAR?

Are the current results of MEManufWin64.exe/MEInfoWin64.exe/FPTW64.exe fine?
MEManufWin64.exe -VERBOSE -TEST:

Intel(R) MEManuf Version: 11.8.70.3626
Copyright(C) 2005 - 2019, Intel Corporation. All rights reserved.


Windows OS Version : 10.0

FW Status Register1: 0x90000245
FW Status Register2: 0x83110306
FW Status Register3: 0x00000420
FW Status Register4: 0x00084000
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000

CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
FPF HW Source value: Not Applicable
ME FPF Fusing Patch Status: ME FPF Fusing patch NOT applicable
Phase: Maestro
ICC: Valid OEM data, ICC programmed
ME File System Corrupted: No
FPF and ME Config Status: Match

FW Capabilities value is 0x31111540
Feature enablement is 0x11111140
Platform type is 0x71220322
No Intel Wireless device was found
Feature enablement is 0x11111140
ME initialization state valid
ME operation mode valid
Current operation state valid
ME error state valid
OEM ICC data valid and programmed correctly
MFS is not corrupted
PCH SKU Emulation is correct
FPF and ME Config values matched

Request Intel(R) ME BIST status command… done

Get Intel(R) ME test data command… done

Get Intel(R) ME test data command… done
Total of 10 Intel(R) ME test result retrieved


Policy Kernel - Boot Guard : Self Test - Passed
MCA - MCA Tests : Blob - Passed
MCA - MCA Tests : MCA Manuf - Passed
SMBus - SMBus : Read byte - Passed
VDM - General : VDM engine - Passed
PAVP - General : Verify Edp and Lspcon Configurations - Passed
PAVP - General : Set Lspcon Port - Passed
PAVP - General : Set Edp Port - Passed

Clear Intel(R) ME test data command… done


MEManuf Operation Passed

MEInfoWin64.exe -VERBOSE:
Intel(R) MEInfo Version: 11.8.70.3626
Copyright(C) 2005 - 2019, Intel Corporation. All rights reserved.




Windows OS Version : 10.0

FW Status Register1: 0x90000245
FW Status Register2: 0x83110306
FW Status Register3: 0x00000420
FW Status Register4: 0x00084000
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000

CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
FPF HW Source value: Not Applicable
ME FPF Fusing Patch Status: ME FPF Fusing patch NOT applicable
Phase: Maestro
ICC: Valid OEM data, ICC programmed
ME File System Corrupted: No
FPF and ME Config Status: Match
FW Capabilities value is 0x31111540
Feature enablement is 0x11111140
Platform type is 0x71220322
No Intel Wireless device was found
Intel(R) ME code versions:

Table Type 117 ( 0x 75 ) found, size of 0 (0x 00 ) bytes
BIOS Version 3802
Table Type 117 ( 0x 75 ) found, size of 0 (0x 00 ) bytes
Table Type 0 ( 0x 00 ) found, size of 66 (0x 42 ) bytes
Table Type 1 ( 0x 01 ) found, size of 113 (0x 71 ) bytes
Table Type 2 ( 0x 02 ) found, size of 84 (0x 54 ) bytes
Table Type 3 ( 0x 03 ) found, size of 68 (0x 44 ) bytes
Table Type 8 ( 0x 08 ) found, size of 14 (0x 0E ) bytes
Table Type 9 ( 0x 09 ) found, size of 28 (0x 1C ) bytes
Table Type 10 ( 0x 0A ) found, size of 16 (0x 10 ) bytes
Table Type 11 ( 0x 0B ) found, size of 25 (0x 19 ) bytes
Table Type 12 ( 0x 0C ) found, size of 21 (0x 15 ) bytes
Table Type 32 ( 0x 20 ) found, size of 22 (0x 16 ) bytes
Table Type 34 ( 0x 22 ) found, size of 29 (0x 1D ) bytes
Table Type 26 ( 0x 1A ) found, size of 29 (0x 1D ) bytes
Table Type 36 ( 0x 24 ) found, size of 18 (0x 12 ) bytes
Table Type 35 ( 0x 23 ) found, size of 27 (0x 1B ) bytes
Table Type 28 ( 0x 1C ) found, size of 29 (0x 1D ) bytes
Table Type 36 ( 0x 24 ) found, size of 18 (0x 12 ) bytes
Table Type 35 ( 0x 23 ) found, size of 27 (0x 1B ) bytes
Table Type 27 ( 0x 1B ) found, size of 30 (0x 1E ) bytes
Table Type 36 ( 0x 24 ) found, size of 18 (0x 12 ) bytes
Table Type 35 ( 0x 23 ) found, size of 27 (0x 1B ) bytes
Table Type 27 ( 0x 1B ) found, size of 17 (0x 11 ) bytes
Table Type 36 ( 0x 24 ) found, size of 18 (0x 12 ) bytes
Table Type 35 ( 0x 23 ) found, size of 27 (0x 1B ) bytes
Table Type 29 ( 0x 1D ) found, size of 27 (0x 1B ) bytes
Table Type 36 ( 0x 24 ) found, size of 18 (0x 12 ) bytes
Table Type 35 ( 0x 23 ) found, size of 27 (0x 1B ) bytes
Table Type 26 ( 0x 1A ) found, size of 29 (0x 1D ) bytes
Table Type 28 ( 0x 1C ) found, size of 29 (0x 1D ) bytes
Table Type 27 ( 0x 1B ) found, size of 30 (0x 1E ) bytes
Table Type 29 ( 0x 1D ) found, size of 27 (0x 1B ) bytes
Table Type 39 ( 0x 27 ) found, size of 55 (0x 37 ) bytes
Table Type 40 ( 0x 28 ) found, size of 43 (0x 2B ) bytes
Table Type 41 ( 0x 29 ) found, size of 26 (0x 1A ) bytes
Table Type 16 ( 0x 10 ) found, size of 25 (0x 19 ) bytes
Table Type 17 ( 0x 11 ) found, size of 112 (0x 70 ) bytes
Table Type 19 ( 0x 13 ) found, size of 33 (0x 21 ) bytes
Table Type 7 ( 0x 07 ) found, size of 29 (0x 1D ) bytes
Table Type 4 ( 0x 04 ) found, size of 188 (0x BC ) bytes
Table Type 20 ( 0x 14 ) found, size of 37 (0x 25 ) bytes
Table Type 130 ( 0x 82 ) found, size of 22 (0x 16 ) bytes
MEBx Version 0.0.0.0000
GbE Version 0.7
Vendor ID 8086
PCH Version 31
FW Version 11.8.71.3630 H
Security Version (SVN) 3
LMS Version 1946.14.0.1377
MEI Driver Version 1944.14.0.1370
Wireless Hardware Version Not Available
Wireless Driver Version Not Available

FW Capabilities 0x31111540

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - NOT PRESENT
Intel(R) NFC Capabilities - NOT PRESENT
Intel(R) Platform Trust Technology - PRESENT/DISABLED

Re-key needed False
Platform is re-key capable True
TLS Disabled
Last ME reset reason Global system reset
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Get flash master region access status…done
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Get EC region access status…done
Host Read Access to EC Disabled
Host Write Access to EC Disabled
Protected Range Register Base #0 0x0
Protected Range Register Limit #0 0x0
Protected Range Register Base #1 0x0
Protected Range Register Limit #1 0x0
Protected Range Register Base #2 0x0
Protected Range Register Limit #2 0x0
Protected Range Register Base #3 0x0
Protected Range Register Limit #3 0x0
Protected Range Register Base #4 0x0
Protected Range Register Limit #4 0x0
SPI Flash ID 1 C84018
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0x1F90

Retrieving Variable "LSPCON Port Configuration"
LSPCON Ports None

Retrieving Variable "eDP Port Configuration"
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000

Retrieving Variable "OEM Public Key Hash"
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000

Retrieving Variable "GuC Encryption Key"
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF  ME
---  --
Force Boot Guard ACM Disabled
Retrieving Variable "Force Boot Guard ACM Enabled"
Disabled
Protect BIOS Environment Disabled
Retrieving Variable "Protect BIOS Environment Enabled"
Disabled
CPU Debugging Enabled
Retrieving Variable "CPU Debugging"
Enabled
BSP Initialization Enabled
Retrieving Variable "BSP Initialization"
Enabled
Measured Boot Disabled
Retrieving Variable "Measured Boot Enabled"
Disabled
Verified Boot Disabled
Retrieving Variable "Verified Boot Enabled"
Disabled
Key Manifest ID 0x0
Retrieving Variable "Key Manifest ID"
0x0
Enforcement Policy 0x0
Retrieving Variable "Error Enforcement Policy"
0x0
PTT Enabled
Retrieving Variable "Intel(R) PTT Supported"
Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Not Revoked
PTT RTC Clear Detection FPF 0x0

FPTW64.exe -VERBOSE -I:
Intel (R) Flash Programming Tool. Version: 11.8.70.3626
Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.


Windows OS Version : 10.0

FW Status Register1: 0x94000245
FW Status Register2: 0x83110306
FW Status Register3: 0x00000420
FW Status Register4: 0x00084000
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000

Initializing SPI utilities
Reading HSFSTS register… Flash Descriptor: Valid

Region Limits as programmed into the SPI Registers
FREG0 - DESC Region:Base Address: 0x000000 Limit : 0x000FFF
FREG1 - BIOS Region:Base Address: 0x280000 Limit : 0xFFFFFF
FREG2 - CSME Region:Base Address: 0x003000 Limit : 0x27FFFF
FREG3 - GbE Region:Base Address: 0x001000 Limit : 0x002FFF
FREG4 - PDR Region:Base Address: 0x7FFF000 Limit : 0x000FFF
FREG5 - Region:Base Address: 0x7FFF000 Limit : 0x000FFF
FREG6 - Region:Base Address: 0x7FFF000 Limit : 0x000FFF
FREG7 - Region:Base Address: 0x7FFF000 Limit : 0x000FFF
FREG8 - EC Region:Base Address: 0x7FFF000 Limit : 0x000FFF
FREG9 - Region:Base Address: 0x7FFF000 Limit : 0x000FFF
Address Limit 0x1000000 Maximum Memory 16384kB


— Flash Devices Found —
GD25B128C ID:0xC84018 Size: 16384KB (131072Kb)

Using hardware sequencing.
Reading region information from flash descriptor.
Base: 0x00000000, Limit: 0x00000FFF
Base: 0x00280000, Limit: 0x00FFFFFF
Base: 0x00003000, Limit: 0x0027FFFF
Base: 0x00001000, Limit: 0x00002FFF
— Flash Image Information –
Signature: VALID
Number of Flash Components: 1
Component 1 - 16384KB (131072Kb)
Regions:
DESC - Base: 0x00000000, Limit: 0x00000FFF
BIOS - Base: 0x00280000, Limit: 0x00FFFFFF
CSME - Base: 0x00003000, Limit: 0x0027FFFF
GbE - Base: 0x00001000, Limit: 0x00002FFF
PDR - Not present
EC - Not present
Master Region Access:
CPU/BIOS - ID: 0x00, Read: 0x00F, Write: 0x00A
ME - ID: 0x00, Read: 0x00D, Write: 0x004
GbE - ID: 0x00, Read: 0x009, Write: 0x008
EC - ID: 0x00, Read: 0x101, Write: 0x100
Based on the Host Region FRACC the Host/CPU/BIOS has ( 0x00004ACF ) :
Read Write
CPU/BIOS : Yes No
ME : Yes Yes
GbE : Yes No
EC : No No

Total Accessible SPI Memory: 16384KB, Total Installed SPI Memory: 16384KB
Current ME State ( 0x8 ) : MAESTRO

FPT Operation Successful.

Is it normal that the MEBx Version is 0.0.0.0000 and that the Phase stays on MAESTRO the whole time? And that the ME region is writable for some reason?
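A quick way to cross-check the "SPI Flash not write protected" HSTI line against the MEInfo/FPT output above: all five Protected Range Registers print as base 0 / limit 0, and FREG1 puts the BIOS region at 0x280000-0xFFFFFF, so no part of that range is covered by a PRR. Added example (not from this thread nor from Intel's tools) that parses those lines and computes the uncovered portion of the BIOS region. It assumes the printed base/limit values are byte addresses with inclusive limits and that a 0/0 pair means the register is unused. The first sample is built from lines quoted above; the second is a hypothetical case with one PRR programmed.

```python
"""Read SPI protection facts out of pasted MEInfo/FPT verbose output.
Added example, not from the thread. Assumes PRR base/limit print as byte addresses with
inclusive limits and that base 0 / limit 0 means the register is unused."""
import re

PRR_RE = re.compile(r"Protected Range Register (Base|Limit) #(\d+)\s+0x([0-9A-Fa-f]+)")
FREG_RE = re.compile(r"FREG\d+ - (\w+) Region:Base Address: 0x([0-9A-Fa-f]+) Limit : 0x([0-9A-Fa-f]+)")
STATUS_RE = re.compile(r"(BIOS Config Lock|Host Write Access to ME)\s+(\w+)$")


def parse_tool_output(text: str):
    """Return (prr registers, flash regions, lock/access status) found in the text."""
    prr, regions, status = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRR_RE.match(line):
            slot = prr.setdefault(int(m[2]), {"Base": 0, "Limit": 0})
            slot[m[1]] = int(m[3], 16)
        elif m := FREG_RE.match(line):
            regions[m[1]] = (int(m[2], 16), int(m[3], 16))
        elif m := STATUS_RE.match(line):
            status[m[1]] = m[2]
    return prr, regions, status


def uncovered(region, ranges):
    """Sub-intervals of region (inclusive) that no range in ranges covers."""
    base, limit = region
    gaps, cur = [], base
    for b, l in sorted(r for r in ranges if r != (0, 0) and r[1] >= r[0]):
        if l < cur:
            continue
        if b > cur:
            gaps.append((cur, min(b - 1, limit)))
        cur = max(cur, l + 1)
        if cur > limit:
            break
    if cur <= limit:
        gaps.append((cur, limit))
    return gaps


def assess(text: str) -> dict:
    prr, regions, status = parse_tool_output(text)
    ranges = [(v["Base"], v["Limit"]) for v in prr.values()]
    bios = regions.get("BIOS")
    gaps = uncovered(bios, ranges) if bios else None
    return {
        "prr_in_use": sum(1 for r in ranges if r != (0, 0)),
        "bios_region": bios,
        "bios_unprotected": gaps,
        "bios_fully_covered": gaps == [],
        "bios_config_lock": status.get("BIOS Config Lock"),
        "host_write_to_me": status.get("Host Write Access to ME"),
    }


# Lines taken from the MEInfo/FPT output quoted in the post above.
SAMPLE_PAGE = """
BIOS Config Lock Enabled
Host Write Access to ME Disabled
Protected Range Register Base #0 0x0
Protected Range Register Limit #0 0x0
Protected Range Register Base #1 0x0
Protected Range Register Limit #1 0x0
FREG0 - DESC Region:Base Address: 0x000000 Limit : 0x000FFF
FREG1 - BIOS Region:Base Address: 0x280000 Limit : 0xFFFFFF
FREG2 - CSME Region:Base Address: 0x003000 Limit : 0x27FFFF
"""

# Hypothetical (not from the page): one PRR covering only the lower half of the BIOS region.
SAMPLE_PARTIAL = SAMPLE_PAGE.replace(
    "Protected Range Register Base #0 0x0\nProtected Range Register Limit #0 0x0",
    "Protected Range Register Base #0 0x280000\nProtected Range Register Limit #0 0x7FFFFF")

if __name__ == "__main__":
    for name, text in (("page", SAMPLE_PAGE), ("partial", SAMPLE_PARTIAL)):
        print(name, assess(text))
```

"Host Write Access to ME Disabled" is a different mechanism: that comes from the flash descriptor's master permissions (which master may write which region), while PRRs lock address ranges against the host regardless of region, and the BIOS Lock setting discussed earlier is a third one (the BIOS_CNTL lock-enable bit, which raises an SMI when software tries to set the BIOS write-enable bit). HSTI's "SPI Flash not write protected" is about the PRR/FPRR side, which is why it stays red even with the descriptor locking ME writes.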



Unhiding the BIOS Lock feature with AMIBCP worked fine. Thanks a lot!
Can I set ALL the things to "USER" or are there some things I should be careful with?

ME FW looks healthy to me, but I am not an ME FW expert. MEBx is not present in all ME FW, or the BIOS disables it, etc., so that is normal.
As long as it looks healthy and there are no errors in the verbose output it should be OK, and if you can see the ME FW version in the Windows tools / BIOS main page (if shown) and it's not 0.0.0.0 or N/A then it's OK.
The ME Region is writable via the ME FW update tool; this is normal, this is how it should be (unless either disabled in BIOS via a setting, or the FW is corrupted).
If the ME Region is unlocked in the FD, then you could also write the ME region with FPT, but usually this is locked on Asus unless the previous owner of that chip unlocked the FD (or you did and programmed it back in).

You can set many things to User in "already visible menus/submenus" and they should show up in BIOS, unless suppressed in setup.
If you set something to User and it doesn't appear, then set it back to default and make a list of such items; I will unsuppress them in setup for you, or show you how.
Then first you test unsuppressing, then if it still doesn't show up you add the AMIBCP User edit on top of that.

Leaving a changed thing that didn't work can cause issues later, but shouldn't brick or cause problems while you test things.
Mainly it may cause issues later when you try to do other edits, forgetting this XXX you set failed, or doing something on top of that failed setting that needs it not set, etc.
So it's best to set it back once done testing and it failed; that way you're not working on top of something that may not be needed and may conflict with another edit you are trying, so the change never happens.

I have this board here, so anything you get stuck on I could test for you, but in general I know how to unlock it all for this kind of BIOS blindly, so I probably wouldn't need to set up the board.

Main menu sections that you cannot see (such as Chipset, for a general usual example) may need other edits in setup first, then may also need an Access Level change in AMIBCP or an AMITSE/SetupData edit first (before, and possibly without needing an AMIBCP edit on top of that).
Sorry, I just noticed that does not apply here, no hidden Chipset. All items within the "Setup" area can be made visible though. None of this ^ applies, since it's all visible already, the main sections anyway.
So for any missing submenu, such as Advanced >> PCH Config for example, you set Access Level to User at the ROOT of Advanced, then test; if it doesn't show, then set it back, and a setup edit is needed first and then tested; if it still fails, then add back the AMIBCP edit on top of the setup edit.
This is just an example I picked, PCH Config may be visible, I forget. Actually, here would be a better example >> Advanced >> Power & Performance << This looks to be suppressed in setup, so that would need to be undone first, then you see if it shows or not; if not, then AMIBCP Access Level on top of the setup unsuppress.

If you need me to show you how to do setup edits let me know and I will give you some tool links and more in-depth info than I'm about to give below. This is done with UEFITool (V25) + Universal IFR Extractor + Hex Editor.
For the last mentioned edit above, here's how you would unsuppress that:

Default -
Form: Advanced, FormId: 0x2719 {01 86 19 27 20 00}
0x49C96 Ref: CPU Configuration, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x1BB, FormId: 0x272F {0F 0F ED 00 EE 00 BB 01 00 00 FF FF 00 2F 27}
0x49CA5 Suppress If {0A 82}
0x49CA7 True {46 02} << Here's what we change; this is suppressing the submenu below it, change to 47 02 and it becomes False
0x49CA9 Ref: Power & Performance, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x1BC, FormId: 0x2731 {0F 0F 27 01 28 01 BC 01 00 00 FF FF 00 31 27}

Mod Edit -
Form: Advanced, FormId: 0x2719 {01 86 19 27 20 00}
0x49C96 Ref: CPU Configuration, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x1BB, FormId: 0x272F {0F 0F ED 00 EE 00 BB 01 00 00 FF FF 00 2F 27}
0x49CA5 Suppress If {0A 82}
0x49CA7 False {47 02} << Post-Edit
0x49CA9 Ref: Power & Performance, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x1BC, FormId: 0x2731 {0F 0F 27 01 28 01 BC 01 00 00 FF FF 00 31 27}
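The same edit done programmatically, as an added example (not the poster's procedure or any tool's code): walk the IFR opcode stream, locate the Ref whose FormId is 0x2731 (Power & Performance) and that is immediately preceded by SuppressIf + True, and flip that one opcode byte from 0x46 to 0x47. Opcode numbers are the EFI_IFR_*_OP values from the UEFI spec; every opcode starts with a two-byte header (opcode, then scope bit 7 | length in bits 6:0, which is why {0A 82} opens a scope and {46 02} does not). The byte string is built from the five opcodes quoted above; the two END opcodes closing the SuppressIf scope and the form are added here because the post does not show them. Offsets are relative to this snippet, not the 0x49Cxx offsets of the extracted setup module.

```python
"""Walk a UEFI IFR byte stream and flip the TRUE under a SuppressIf to FALSE.
Added example, not from the thread. Opcodes are EFI_IFR_*_OP values from the UEFI spec."""
import struct

EFI_IFR_FORM_OP = 0x01
EFI_IFR_SUPPRESS_IF_OP = 0x0A
EFI_IFR_REF_OP = 0x0F
EFI_IFR_END_OP = 0x29
EFI_IFR_TRUE_OP = 0x46
EFI_IFR_FALSE_OP = 0x47


def iter_opcodes(ifr: bytes):
    """Yield (offset, opcode, opens_scope, body) for every opcode in the stream."""
    i = 0
    while i < len(ifr):
        if i + 2 > len(ifr):
            raise ValueError(f"truncated opcode header at 0x{i:X}")
        op, hdr = ifr[i], ifr[i + 1]
        length = hdr & 0x7F                  # header: opcode, scope<<7 | length
        if length < 2 or i + length > len(ifr):
            raise ValueError(f"bad opcode length {length} at 0x{i:X}")
        yield i, op, bool(hdr & 0x80), ifr[i + 2:i + length]
        i += length


def ref_fields(body: bytes) -> dict:
    """EFI_IFR_REF body: EFI_IFR_QUESTION_HEADER (Prompt, Help, QuestionId, VarStoreId,
    VarStoreInfo as u16, Flags as u8) followed by FormId (u16)."""
    prompt, help_id, qid, vs, vsinfo, flags, form_id = struct.unpack_from("<HHHHHBH", body)
    return {"prompt": prompt, "help": help_id, "question_id": qid, "varstore": vs,
            "varstore_info": vsinfo, "flags": flags, "form_id": form_id}


def check_scopes(ifr: bytes) -> bool:
    """True when every scope-opening opcode is matched by an EFI_IFR_END."""
    depth = 0
    for _, op, opens, _ in iter_opcodes(ifr):
        if op == EFI_IFR_END_OP:
            depth -= 1
            if depth < 0:
                return False
        elif opens:
            depth += 1
    return depth == 0


def find_suppressed_ref(ifr: bytes, form_id: int):
    """Offset of the TRUE opcode in a 'SuppressIf; True; Ref(form_id)' run, else None."""
    last = []                                # (offset, opcode) of the two previous opcodes
    for off, op, _, body in iter_opcodes(ifr):
        if (op == EFI_IFR_REF_OP and ref_fields(body)["form_id"] == form_id
                and [o for _, o in last] == [EFI_IFR_SUPPRESS_IF_OP, EFI_IFR_TRUE_OP]):
            return last[1][0]
        last = (last + [(off, op)])[-2:]
    return None


def unsuppress(ifr: bytes, form_id: int):
    """Return (patched stream, offset patched); exactly one opcode byte changes."""
    off = find_suppressed_ref(ifr, form_id)
    if off is None:
        raise ValueError(f"no SuppressIf/True/Ref(0x{form_id:04X}) sequence found")
    if ifr[off:off + 2] != bytes([EFI_IFR_TRUE_OP, 0x02]):
        raise ValueError("unexpected bytes at patch site")
    out = bytearray(ifr)
    out[off] = EFI_IFR_FALSE_OP              # 46 02 -> 47 02
    return bytes(out), off


# Opcodes quoted in the post (Form 0x2719, Ref CPU Configuration, SuppressIf, True,
# Ref Power & Performance) plus two END opcodes added here to close the scopes.
SNIPPET = bytes.fromhex(
    "01 86 19 27 20 00"                                # Form, FormId 0x2719 (opens scope)
    "0F 0F ED 00 EE 00 BB 01 00 00 FF FF 00 2F 27"     # Ref -> FormId 0x272F
    "0A 82"                                            # SuppressIf (opens scope)
    "46 02"                                            # True  <- patch target
    "0F 0F 27 01 28 01 BC 01 00 00 FF FF 00 31 27"     # Ref -> FormId 0x2731
    "29 02"                                            # End (SuppressIf), added
    "29 02"                                            # End (Form), added
)

if __name__ == "__main__":
    patched, off = unsuppress(SNIPPET, 0x2731)
    print(f"patched TRUE at offset 0x{off:X}: {SNIPPET[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

Run it over the body extracted with UEFITool, then re-run the IFR extractor on the result and confirm only that opcode changed; the length byte stays 0x02, so no later offset moves. Matching on the preceding SuppressIf/True pair and the target FormId, rather than on a fixed file offset, is what keeps the patch from landing on the wrong 46 02 in a different BIOS build.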