Hi,
I want to use this mainboard for coreboot and utilize Intel Boot Guard and Measured/Verified Boot. The earlier BIOS versions (7E06vA0 to 7E06vA2) one can download from the MSI website don’t have End of Manufacturing at first boot set. All later ones do.
So I thought that if I attach an external SPI programmer to a new, never-booted mainboard, I’ll be able to modify either the original image I was able to dump or, because mfit was unable to modify the NVAR values (like EoM on first boot) on the dumped image due to something about read-only files, one of the early BIOS images.
EDIT: Added the warnings regarding read-only files from mfit.
fit.log:WARNING : Failed to write NVAR EomFirstBootEnabled. File mca/eom_config is read-only.
fit.log:WARNING : Failed to write NVAR EomFirstBootEnabled. File mca/eom is read-only.
EDIT2: These read-only files don’t seem to be related to any settings that can be done in mfit. I just compared the mfit config files of the dumped image and the one I downloaded - which can be modified - and aside from EoM on first boot there were some minor differences and non-FFFF flash region access. After modifying the dumped image with mfit to set FFFF for read+write on all regions, the NVAR problem persisted. Is there something in the dumped image that defines read-only areas?
EDIT3: It’s not the descriptor region but the ME region that contains the read-only setting.
Specifically I disabled EoM on first boot and unlocked the file descriptor and flash, thinking I’d be able to adjust everything later.
After booting the first time the result was:
End Of Manufacturing
NVAR Configuration State     Unlocked
EOM Settings Lock            (none)
EOM Flow                     Full
HW Binding State             Enabled
Flash Protection Mode        Unprotected
FPF Committed                Yes

FW Supported FPFs            FPF        UEP
*In Use                      ---        ---
1st OEM Key Hash Revoked     Disabled   Disabled
1st OEM Key Hash size        Disabled   Disabled
1st OEM RSA Key size         Enabled    Enabled
2nd OEM Key Hash Revoked     Disabled   Disabled
2nd OEM Key Hash size        Disabled   Disabled
2nd OEM RSA Key size         Enabled    Enabled
. . .
1st OEM Public Key Hash FPF  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1st OEM Public Key Hash UEP  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2nd OEM Public Key Hash FPF  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2nd OEM Public Key Hash UEP  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Normally it apparently looks like this:
End Of Manufacturing
NVAR Configuration State     Locked
EOM Settings Lock            (Flash,Config) on 1st Boot
EOM Flow                     Full
HW Binding State             Enabled
Flash Protection Mode        Protected
FPF Committed                Yes
Now, it seems like I did not succeed. I hoped to have EoM disabled, so I can modify the FPF bits via $UEP, but they appear to be committed.
Does anyone know if
- MSI burned the FPFs at their factory and I never had a chance,
- no matter what I set via mfit, the FPFs will always be fused at first boot due to ???, so I would need to adjust the image via mfit to match my final configuration, flash it via the external programmer and then boot for the first time,
- there is something else besides EoM on first boot and unlocking the descriptor that causes the EoM flow and commits the FPFs, or
- there is anything I can salvage here, i.e. is there a way to set the OEM public key hash and the Boot Guard profile?
Thanks in advance for any help!