Hidden option modification / Overclocking Lock / Mitigate INTEL-SA-00289

l00k · May 20, 2021, 10:49pm

Hi all. I’m new here and in BIOS modding generally.

I need my ASRock H410M-HVS BIOS updated to mitigate INTEL-SA-00289.

1. After reading
www . win-raid . com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html
I have successfully updated microcode

2. After reading
www . win-raid . com/t596f39-Intel-Converged-Security-Management-Engine-Drivers-Firmware-and-Tools.html
I have updated ME

But still I’m not able to enable Overclocking Lock which seems to be required to mitigate that issue as I read here:
www . intel . com/content/www/us/en/support/articles/000057197/software/intel-security-products.html

I know my BIOS supports this option cuz I checked it with UEFITool + IRFExtractor as described here:
www . reddit . com/r/Lenovo/comments/id0457/guide_to_reenable_undervolting_after_latest_bios/

0x3D428 Form: View/Configure CPU Lock Options, FormId: 0x2747 {01 86 47 27 C9 02}
0x3D42E One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x3E, VarStore: 0x11, QuestionId: 0x28B, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 FF 04 00 05 8B 02 11 00 3E 00 10 10 00 01 00}
0x3D43F One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 07 04 00 30 00 00}
0x3D446 One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}
0x3D44D End One Of {29 02}
0x3D44F One Of: Overclocking Lock, VarStoreInfo (VarOffset/VarName): 0xE2, VarStore: 0x11, QuestionId: 0x28C, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 FB 04 FC 04 8C 02 11 00 E2 00 10 10 00 01 00}
0x3D460 One Of Option: Disabled, Value (8 bit): 0x0 {09 07 04 00 00 00 00}
0x3D467 One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 07 03 00 30 00 01}
0x3D46E End One Of {29 02}
0x3D470 End Form {29 02}

What is funny it even seems that Overclocking Lock is already enabled which I checked by RU.efi - but maybe I did it wrong.
It would be better to switch it in BIOS.

What further could you suggest me to do?
Is it hard to unhide those menus? I’m noob in BIOS modding

genius239 · May 21, 2021, 4:33am

@l00k

I could try to edit menu of bios for you.
First make a bios dump with this tool and attach.

l00k · May 21, 2021, 7:37pm

@genius239
Does it have to be dump?
It is last BIOS I successfully flashed.
It has ME an microcode updated.
mega . nz/file/kKQAjDxa#pxj-IxrM7nDZuAfssCDJWETGR2lXMiQwzRyJWYW-xmc

And here is dump
mega . nz/file/8XJU0bSb#fM4HVRJ0JYCT7Q3N9pJjAxsBdKecOHaYoz4Epuco5EQ

But if you could suggest me how could I do it myself I would also appreciate.

genius239 · May 21, 2021, 8:07pm

@l00k

So ,the official bios still can be reflash after any modified??? it’s weird.

Ok ! now try this mod and respond to the result.
Check what differences under Advanced tab.

l00k · May 21, 2021, 8:15pm

Hm I didn’t try reflashing with original bios after last modified one.
All was flashed with Instant flash tool from UEFI

Edit
@genius239
Awesome. You unlocked all settings
Thank you a lot.

However Overclocking Lock indeed was enabled.
Sadly, for some reason it didn’t mitigate INTEL-SA-00289.

DaCou · May 21, 2021, 11:41pm

I don’t understand your point. Are you really depending on SGX feature? That plundervolt attack is very hard to apply for most attackers plus in order to mitigate that attack you will loose all overclocking and most probably undervolting.
The forums are full of users which are trying the right opposite which means disable overclocking lock setting.

l00k · May 21, 2021, 11:54pm

Right I absolutely understand that point
But in case when software depends on SGX remote attestations it is important to mitigate that issue.
Otherwise hardware is considered as not secure.

genius239 · May 22, 2021, 6:17am

@l00k
Edit bios menu is i can only do for you ,sorry i don’t understand about INTEL-SA-00289.

l00k · May 22, 2021, 12:40pm

@genius239
Sure.
I understand and appreciate that

HTR1234324 · May 27, 2021, 4:38pm

@l00k Did you find a solution to your problem or how did you solve it then?

l00k · June 22, 2021, 11:19pm

Nope, INTEL-SA-00289 was not mitigated. I have all configured but still getting that advisory

DaCou · June 23, 2021, 4:18pm

You can simply download Rweverything and do set bit [20] of 0x194 MSR, which is what OC lock stand for.
It is up to you what you would consider bigger threat because of powerfull Kernel RWe driver is known as heart of many invisible rootkits