msr-lock.html: 1 Error; 2 Missing steps; Inconsistencies

[LeeBinder]

• Guide in question: OpenCore Post-Install/ Fixing CFG Lock
• Link to page with the issue: https://dortania.github.io/OpenCore-Post-Install/misc/msr-lock.html

First of all: 100 thousand x THANK YOU for your awesome guide !!!!

1. Let's start with the error first:

At this point, run either reset in the shell

change to

At this point, while still in the shell, type reboot and press ENTER

reason: reset is not a valid command and will do nothing, + 'run' can be defined more clearly for more optimal user-friendliness

2. Missing steps:

1. Open your firmware with UEFITool and then find CFG Lock as a Unicode string. If nothing pops up then your firmware doesn't support CFG Lock, otherwise continue on.

2. You'll find that this string is found within a Setup folder, right-click and export as Setup.bin (or even Setup.sct)

change to

1. Open your firmware with UEFITool and then find CFG Lock as a Unicode string. If nothing pops up then your firmware doesn't support CFG Lock, otherwise continue on.

2. Double-click onto the line with the search result in the bottom pane.

3. You'll find that this string is found within a Setup folder. Right-click onto the Setup entry, click onto Export as is and export as Setup.bin (or even Setup.sct)

3. Inconsistencies: on my Laptop (Asus VivoBook S15 with x510UAR UEFI BIOS) the exact opposite to the explanations applies!

via UEFITool > ifrextract, my FW's MSR E2 register is at 0x527. Via modified GRUB Shell

setup_var 0x527

=> error: offset is out of range ->

setup_var2 0x527

=> error: offset is out of range ->

setup_var_3 0x527

=> finally NO offset is out of range error, therefore accdg. to the instructions:

setup_var_3 0x527 0x00

exit > OC > VerifyMsrE2:

This firmware has LOCKED MSR 0xE2 register!

-> continue to boot macOS, reboot (because accdg. to some it sometimes needs 1 reboot for the register to show as UNLOCKED), recheck via VerifyMsrE2 - still

This firmware has LOCKED MSR 0xE2 register!

As per hint from a fellow VivoBook hackintosher with same UEFI BIOS type & version as mine:

setup_var 0x527 0x00

exit > OC > VerifyMsrE2 - lo-and-behold, despite of error: offset is out of range, finally:

This firmware has UNLOCKED MSR 0xE2 register!

Next: in UEFI BIOS, load Setup Defaults > VerifyMsrE2 => LOCKED as expected/ supposed >

setup_var2 0x527 0x00

exit > OC > VerifyMsrE2 - again, despite of error: offset is out of range, also:

This firmware has UNLOCKED MSR 0xE2 register!

---

Does this reverse-logic only apply to Asus Laptops? Or to others, too? No matter what, this indicates that the guide needs some adaptations.

Let me know if you need any more info 🔢

[whatnameisit]

@LeeBinder When I typed the command line setup_var 0x527 0x00 I meant, "Have you followed the guide correctly?" I didn't mean despite the error message you should go ahead and use setup_var.

I think the Dortania guide may be rewritten to contain the step LeeBinder said was missing. But on the actual use of grub and setup_var, the guide itself contains no error. The error is in the commands. Someone with the right skills may write a new setup_var like setup_var_4 to correctly examine the offsets and the range of the guid. Until then, the users would be advised to use the quirks in OpenCore to disable writes to Msr 0xE2 because ignoring errors may lead to bricking the computer.

[dreamwhite]

* Guide in question: OpenCore Post-Install/  Fixing CFG Lock

* Link to page with the issue: https://dortania.github.io/OpenCore-Post-Install/misc/msr-lock.html

First of all: 100 thousand x THANK YOU for your awesome guide !!!!

1. Let's start with the error first:

At this point, run either reset in the shell

change to

At this point, while still in the shell, type exit and press ENTER

reason: reset is not a valid command and will do nothing, + 'run' can be defined more clearly for more optimal user-friendliness

2. Missing steps:

1. Open your firmware with UEFITool and then find CFG Lock as a Unicode string. If nothing pops up then your firmware doesn't support CFG Lock, otherwise continue on.

2. You'll find that this string is found within a Setup folder, right-click and export as Setup.bin (or even Setup.sct)

change to

1. Open your firmware with UEFITool and then find CFG Lock as a Unicode string. If nothing pops up then your firmware doesn't support CFG Lock, otherwise continue on.
2. Double-click onto the line with the search result in the bottom pane.
3. You'll find that this string is found within a Setup folder. Right-click onto the Setup entry, click onto Export as is and export as Setup.bin (or even Setup.sct)

3. Inconsistencies: on my Laptop (Asus VivoBook S15 with x510UAR UEFI BIOS) the exact opposite to the explanations applies!

via UEFITool > ifrextract, my FW's MSR E2 register is at 0x527. Via modified GRUB Shell

setup_var 0x527

=> error: offset is out of range ->

setup_var2 0x527

=> error: offset is out of range ->

setup_var_3 0x527

=> finally NO offset is out of range error, therefore accdg. to the instructions:

setup_var_3 0x527 0x00

exit > OC > VerifyMsrE2:

This firmware has LOCKED MSR 0xE2 register!

-> continue to boot macOS, reboot (because accdg. to some it sometimes needs 1 reboot for the register to show as UNLOCKED), recheck via VerifyMsrE2 - still

This firmware has LOCKED MSR 0xE2 register!

As per hint from a fellow VivoBook hackintosher with same UEFI BIOS type & version as mine:

setup_var 0x527 0x00

exit > OC > VerifyMsrE2 - lo-and-behold, despite of error: offset is out of range, finally:

This firmware has UNLOCKED MSR 0xE2 register!

Next: in UEFI BIOS, load Setup Defaults > VerifyMsrE2 => LOCKED as expected/ supposed >

setup_var2 0x527 0x00

exit > OC > VerifyMsrE2 - again, despite of error: offset is out of range, also:

This firmware has UNLOCKED MSR 0xE2 register!

Does this reverse-logic only apply to Asus Laptops? Or to others, too? No matter what, this indicates that the guide needs some adaptations.

Let me know if you need any more info 🔢

The steps you took are right but after unlocking your CFG Lock offset, you need to turn off the PC and power it on again. When using the setup_var commands you can clearly see the state of the offset BEFORE the edit and AFTER the edit.

You should see something like:

0x527 offset was 0x01 Setting 0x572 offset to 0x00

May I ask you if you can provide screenshots of the commands? Thank you so much

[whatnameisit]

@dreamwhite is it reboot or shutdown and boot? I thought a single reboot was fine for the unlock message to correctly print. Dortania guide says reboot or reset via command. When I wrote my previous comment I assumed after reboot MSR 0xE2 was still shown locked in the message and therefore indeed still locked for LeeBinder.

[dreamwhite]

@dreamwhite is it reboot or shutdown and boot? I thought a single reboot was fine for the unlock message to correctly print. Dortania guide says reboot or reset via command. When I wrote my previous comment I assumed after reboot MSR 0xE2 was still shown locked in the message and therefore indeed still locked for LeeBinder.

"Shutdown and boot". This thing applies not only for CFG Lock but for every bios option that you edit through modGRUBShell.efi

[LeeBinder]

@ both of you: warm or soft reboot (Ctrl+Alt+Del - aka "reset"?) clearly suffices here, no power-off and power back on necessary for UNLOCKED to show up

@dreamwhite I HAVE to catch some sleep now and for now can provide photos I made earlier, of the check commands w/o flipping the register to 0x00, here:

click to expand

  

BTW, a much (!!!!) simpler solution is CFGLock - unlock (MSR 0xE2) (worked for me right away): as first option you can have people use that ONE EFI (no other tools etc. required), that's all. Then underneath, for those for which CFGLock does not work, continue with the updated guide.

Remember, this grub mod uses a version from 2013 as code base - that MUST leed to oddities on current hardware. I dare say, from all the options out there, mod_grub is the last one.

Good nite from here, and tentatively till tomorrow (can't guarantee, though)

[dreamwhite]

@ both of you: warm or soft reboot (Ctrl+Alt+Del - aka "reset"?) clearly suffices here, no power-off and power back on necessary for UNLOCKED to show up

@dreamwhite I HAVE to catch some sleep now and for now can provide photos I made earlier, of the check commands w/o flipping the register to 0x00, here:

click to expand

  

BTW, a much (!!!!) simpler solution is CFGLock - unlock (MSR 0xE2): as first option you can have people use that ONE EFI (no other tools etc. required), that's all. Then underneath, for those for which CFGLock does not work, continue with the updated guide.

Remember, this grub mod uses a version from 2013 as code base - that MUST leed to oddities on current hardware. I dare say, from all the options out there, mod_grub is the last one.

Good nite from here, and tentatively till tomorrow (can't guarantee, though)

Thank you so much for the screenshot. So have I to get some sleep ahah

Just to inform you: CFGLock.efi (which was rewritten by zhen-zen on PR 167 of OpenCorePkg doesn't work with every firmware. Some of them still need modGRUBShell.efi (or ru.efi)

Anyways have a good night you too ^^

[LeeBinder]

OK, good to know, & thanks, will have. Got your msg right when my hand was about to close the lid, so one more tidbit: I highly recommend to refrain from the term "reset" in this context - reset is used as in factory reset on a router, or reset back to system defaults. Reboot is the most suitable term. BTW, once I chose the correct setup var 0x00, exit, VerifyMsrE2 displayed UNLOCKED right away even w/o ANY reboot. Just saying that as a matter of fact not even any type of reboot is a must on each system. Don't we love diversity :)

[LeeBinder]

Here's my findings and subsequent recommendations:

ControlMsrE2.efi is in active development - latest build 2021-02-05 from OC Debug 0.6.7 - and can be obtained by downloading latest OC debug release > EFI.zip: EFI/OC/Tools/ControlMsrE2.efi

With this entry in EFI/OC/config.plist

<dict>
    <key>Arguments</key>
    <string>unlock</string>
    <key>Auxiliary</key>
    <true/>
    <key>Comment</key>
    <string>Interactive MsrE2 controller for unlocking CFG Lock</string>
    <key>Enabled</key>
    <true/>
    <key>Name</key>
    <string>ControlMsrE2</string>
    <key>Path</key>
    <string>ControlMsrE2.efi</string>
    <key>RealPath</key>
    <false/>
    <key>TextMode</key>
    <false/>
</dict>

unlocking MSR E2 is breeze:

Brummbär's CFGLock.efi is basically an old version of ControlMsrE2.efi (from 2020-05 or before) with the unlock arg integrated, and thus can most likely be disregaded.

Therefore my clear recommendation for the guide is to first point visitors to ControlMsrE2.efi with above instructions as first choice.

The complicated many-steps approach via UEFITool > Universal-IFR-Extractor > ancient GRUB Shell would be option # 2 only for those with a system which does not allow CFG unlock via ControlMsrE2.efi - it's simply too awkward to be option # 1. That existing part of the guide ought to be updated as per my outline in this issue's initial post.

Option # 3 would remain RU - CFG LOCK/Unlocking.

What's your take :) ?

[dreamwhite]

Here's my findings and subsequent recommendations:

ControlMsrE2.efi is in active development - latest build 2021-02-05 from OC Debug 0.6.7 - and can be obtained by downloading latest OC debug release > EFI.zip: EFI/OC/Tools/ControlMsrE2.efi

With this entry in EFI/OC/config.plist

<dict>
  <key>Arguments</key>
  <string>unlock</string>
  <key>Auxiliary</key>
  <true/>
  <key>Comment</key>
  <string>Interactive MsrE2 controller for unlocking CFG Lock</string>
  <key>Enabled</key>
  <true/>
  <key>Name</key>
  <string>ControlMsrE2</string>
  <key>Path</key>
  <string>ControlMsrE2.efi</string>
  <key>RealPath</key>
  <false/>
  <key>TextMode</key>
  <false/>
</dict>

unlocking MSR E2 is breeze:

Brummbär's CFGLock.efi is basically an old version of ControlMsrE2.efi (from 2020-05 or before) with the unlock arg integrated, and thus can most likely be disregaded.

Therefore my clear recommendation for the guide is to first point visitors to ControlMsrE2.efi with above instructions as first choice.

The complicated many-steps approach via UEFITool > Universal-IFR-Extractor > ancient GRUB Shell would be option # 2 only for those with a system which does not allow CFG unlock via ControlMsrE2.efi - it's simply too awkward to be option # 1. That existing part of the guide ought to be updated as per my outline in this issue's initial post.

Option # 3 would remain RU - CFG LOCK/Unlocking.

What's your take :) ?

Well I can't say that you're wrong since the steps for unlocking CFG Lock are right. Personally, since I don't like unlocking the CFG Lock using ControlMsrE2 (as I may need doing other stuff like changing DVMT Pre-allocated or DVMT Total Gfx Mem options which aren't available via BIOS GUI), I'd go directly for modGRUBShell.efi or even ru.efi (I never used this last one but it seems very promising)

Therefore, answering your question: yeah I agree with you partially ^^

[LeeBinder]

All right. Grab whatever is relevant. I personally always differentiate between my personal needs and preferences, and goal-oriented instructions I publish about a specific topic as ergonomically (quickest simplest way from A > B) as possible. I like contributing and hope many others do, too, like the OC dev team who create and freely share the debug tools with us, certainly hoping we spread the word, so whatever makes your guide more fluent and helpful can potentially benefit future visitors 🤗 🕊️.

[dreamwhite]

All right. Grab whatever is relevant. I personally always differentiate between my personal needs and preferences, and goal-oriented instructions I publish about a specific topic as ergonomically (quickest simplest way from A > B) as possible. I like contributing and hope many others do, too, like the OC dev team who create and freely share the debug tools with us, certainly hoping we spread the word, so whatever makes your guide more fluent and helpful can potentially benefit future visitors 🤗 🕊️.

Of course. I just wrote a stupid draft on a few paper sheets. Probably, after rearranging them I'm gonna make a PR if @khronokernel likes the idea of specifying multiple methods for unlocking the CFG Lock. Please note that at the moment I haven't found any well-wrote resource for ru.efi so probably someone needs to write about it :/

[zhen-zen]

Hi, I'm about to complete a refactor of derBrumbaer's ControlMsrE2 at https://github.com/acidanthera/OpenCorePkg/pull/167. Do you mind testing the build at https://github.com/acidanthera/OpenCorePkg/actions/runs/674995313?

[LeeBinder]

@zhen-zen can do, if you post a link pointing directly to that build's compiled ControlMsrE2.efi. Looked but did not find.

[dreamwhite]

@zhen-zen can do, if you post a link pointing directly to that build's compiled ControlMsrE2.efi. Looked but did not find.

I don't know if you ever had CI experience with GitHub Actions, but basically with a certain frequency (e.g. after each commit), the project is built. If you open the linked page by zhen-zen, scroll down and click on macOS XCODE5 Artifacts: it'll provide you a download link.

If you're still having probs click on the direct link that I've copied from the above page

[LeeBinder]

Little exp. In addition I'm working several jobs at the same time right now. The easier & as user-friendly as possible = the better/ quicker.

In that context, thanks for the direct link. The ControlMsrE2.efi in debug and in release have a very different byte count, 10 vs. 40 kb. @zhen-zen @dreamwhite you want both tested?

Can do later tonite, in about 12 hours or so.

[LeeBinder]

Feedback - positive: both, debug and release ControlMsrE2.efi working fine here 👍

[zhen-zen]

Feedback - positive: both, debug and release ControlMsrE2.efi working fine here 👍

Thanks a lot!

[LeeBinder]

@zhen-zen @dreamwhite as per documentation right from Intel, Slice posted here that the MSR E2H register was introduced with 1st gen. Nehalem CPUs (2008). Therefore I recommend to, in your guide, expand

Note that this guide is only applicable for Intel users.

into

Note that this guide is only applicable for Intel users with Nehalem (2008) and newer CPUs - Intel CPUs older than Nehalem don't have this register. To see if your Intel CPU qualifies, you can see Wikipedia: List of Intel CPU microarchitectures

[EDIT]: accdg. to Sergey Slice: Sandy Bridge (2011) -> Nehalem (2008)