Hidden option modification / Overclocking Lock / Mitigate INTEL-SA-00289

Hi all. I’m new here and in BIOS modding generally.

I need my ASRock H410M-HVS BIOS updated to mitigate INTEL-SA-00289.

1. After reading
www . win-raid . com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html
I have successfully updated microcode

2. After reading
www . win-raid . com/t596f39-Intel-Converged-Security-Management-Engine-Drivers-Firmware-and-Tools.html
I have updated ME

But still I’m not able to enable Overclocking Lock which seems to be required to mitigate that issue as I read here:
www . intel . com/content/www/us/en/support/articles/000057197/software/intel-security-products.html

I know my BIOS supports this option cuz I checked it with UEFITool + IRFExtractor as described here:
www . reddit . com/r/Lenovo/comments/id0457/guide_to_reenable_undervolting_after_latest_bios/

What is funny it even seems that Overclocking Lock is already enabled which I checked by RU.efi - but maybe I did it wrong.
It would be better to switch it in BIOS.

What further could you suggest me to do?
Is it hard to unhide those menus? I’m noob in BIOS modding


I could try to edit menu of bios for you.
First make a bios dump with this tool and attach.

Does it have to be dump?
It is last BIOS I successfully flashed.
It has ME an microcode updated.
mega . nz/file/kKQAjDxa#pxj-IxrM7nDZuAfssCDJWETGR2lXMiQwzRyJWYW-xmc

And here is dump
mega . nz/file/8XJU0bSb#fM4HVRJ0JYCT7Q3N9pJjAxsBdKecOHaYoz4Epuco5EQ

But if you could suggest me how could I do it myself I would also appreciate.


So ,the official bios still can be reflash after any modified??? it’s weird.

Ok ! now try this mod and respond to the result.
Check what differences under Advanced tab.

Hm I didn’t try reflashing with original bios after last modified one.
All was flashed with Instant flash tool from UEFI

Awesome. You unlocked all settings :smiley:
Thank you a lot.

However Overclocking Lock indeed was enabled.
Sadly, for some reason it didn’t mitigate INTEL-SA-00289.

I don’t understand your point. Are you really depending on SGX feature? That plundervolt attack is very hard to apply for most attackers plus in order to mitigate that attack you will loose all overclocking and most probably undervolting.
The forums are full of users which are trying the right opposite which means disable overclocking lock setting.

Right I absolutely understand that point :slight_smile:
But in case when software depends on SGX remote attestations it is important to mitigate that issue.
Otherwise hardware is considered as not secure.

Edit bios menu is i can only do for you ,sorry i don’t understand about INTEL-SA-00289.

I understand and appreciate that :slight_smile:

@l00k Did you find a solution to your problem or how did you solve it then?

Nope, INTEL-SA-00289 was not mitigated. I have all configured but still getting that advisory

You can simply download Rweverything and do set bit [20] of 0x194 MSR, which is what OC lock stand for.
It is up to you what you would consider bigger threat because of powerfull Kernel RWe driver is known as heart of many invisible rootkits :slight_smile: