search

Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/
24 stars 0 forks source link

Problem with check_if_me_disabled() function in dts-functions.sh #853

Open roloff-it opened 3 months ago

roloff-it commented 3 months ago

Component

Dasharo Tools Suite

Device

NovaCustom NV41 12th Gen (i7-1260P Prozessor)

Dasharo version

Dasharo (coreboot+UEFI) v1.7.2

Dasharo Tools Suite version

v1.2.21

Brief summary

Problem with check_if_me_disabled() function in dts-functions.sh

How reproducible

The problem occurs immediately and repeatedly when the script enters the function mentioned after clicking on point 5 "Check and apply Dasharo firmware updates" in DTS and encounters the else section in the if query described below.

How to reproduce

Create DTS USB stick.

Make settings in Coreboot: Current Secure Boot State: Disabled Intel ME mode: Disabled (HAP) Lock the BIOS boot medium disabled Enable SMM Bios write protection disabled Eary boot DMA protection disabled

Connect to Network via Ethernet Boot from USB stick

Expected behavior

An entry-level subscription was used, which was obtained from Dasharo through the device manufacturer for this exact computer. The script was expected to run without any problems.

Actual behavior

Coreboot is in use, the script runs in: ... else

If we are running coreboot, check for status in logs

cbmem -1 | grep -q "ME is disabled" && ME_DISABLED=1 && return # HECI (soft) disabled
cbmem -1 | grep -q "ME is HAP disabled" && ME_DISABLED=1 && return # HAP disabled
# TODO: If proprietary BIOS, then also try to check SMBIOS for ME FWSTS
# BTW we could do the same in coreboot, expose FWSTS in SMBIOS before it
# gets disabled
print_warning "Can not determine if ME is disabled, assuming enabled."
echo "Can not determine if ME is disabled, assuming enabled."  >> $ERR_LOG_FILE

fi ... Both cbmem -1 commands return nothing. The return after the second AND is not executed in both lines. The warning is issued: "Can not determine if ME is disabled, assuming enabled."

lspci | grep 00:16:0 and lspci shows nothing regarding Intel ME

Screenshots

IMG_1141 IMG_1142

Additional context

The problem was raised and briefly discussed in Dasharo Support over the weekend.

Solutions you've tried

I don't have a solution. There seems to be nothing to read regarding Intel ME with cbmem or lspci. Maybe you can check the device and give a return by the function because you know that this modell/type of computer reacts like this.

lspci | grep 00:16:0 and lspci shows nothing regarding Intel ME

wessel-novacustom commented 3 months ago

Does the warning pop up when soft-disabling Intel ME?

roloff-it commented 3 months ago

Does the warning pop up when soft-disabling Intel ME?

I didn't try this and ended up ignoring the warning. The installation then began after a second warning. I had previously made the settings in Coreboot described under "How to reproduce". Heads works after that, at least here.

macpijan commented 2 months ago

The problem is, with the HAP disable method, the ME state cannot be determined - please see the note: Can not determine if the ME is disabled

Some context from firmware developers:

There is no other method but to check cbmem log whether the
appropriate line is there or not, telling what the HAP state is.

This problem could be solved in a more standard way, going back
to: https://github.com/Dasharo/coreboot/pull/453

In the same way reference code Intel also proceeds. It exposes the
FWSTS from ME to SMBIOS, and if ME is not available you can pull
the status from there, so it would also work for proprietary FW if
you added this to DTS and coreboot

When the ME is set to disabled (soft), it is correctly detected as disabled, and at present, this should be the recommended state for flashing.

We need at least DTS messages and documentation updates. Finally, we need to go back to the solution linked above.