hngopher.com

       [HN Gopher] Changing firmware config that doesn't want to be cha...
       ___________________________________________________________________
        
       Changing firmware config that doesn't want to be changed
        
       Author : zdw
       Score  : 66 points
       Date   : 2023-01-05 05:55 UTC (1 days ago)
        
 (HTM) web link (mjg59.dreamwidth.org)
 (TXT) w3m dump (mjg59.dreamwidth.org)
        
       | josephcsible wrote:
       | > This is also considered a security boundary - before
       | ExitBootServices everything running has been subject to any
       | secure boot restrictions, and afterwards applications can do
       | whatever they want.
       | 
       | This is how things are supposed to work, but in practice, the
       | pro-tivoization corporate lobby has successfully gotten the
       | "Secure" Boot restrictions to be enforced even after
       | ExitBootServices is called. E.g., try to load an unsigned kernel
       | module on RHEL or Ubuntu with it enabled.
        
       | Ristovski wrote:
       | For anyone interested in efivars, I have an old blog post about
       | essentially the same thing but going a bit more in-depth,
       | including how to actually modify the efivar entries:
       | https://ristovski.github.io/posts/inside-insydeh2o/
        
       | metadat wrote:
       | Do you have to flash this modified firmware to the machine or how
       | is it applied?
        
         | theamk wrote:
         | > Rewriting Setup-EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9 with a
         | modified value in offset 0x39 will allow direct manipulation of
         | the config option
         | 
         | Looks like a simple write to UEFI vars. The option is still
         | grayed out, but it is now in the correct state.
        
         | iforgotpassword wrote:
         | As you need the boot services still loaded, you cannot do this
         | from Linux or Windows. One way is to use a hacked up version of
         | grub or similar that has commands to write to EFI vars.
        
         | pixl97 wrote:
         | I'm pretty sure that it's saved where any other custom changes
         | you make in the EFI screen would be. But instead of using the
         | GUI you're just directly editing the config on NVRAM.
        
       | causality0 wrote:
       | Firmware stubborness can be infuriating. For example, I had a
       | very nice windows tablet that was rendered useless by an un-
       | downgradable firmware update introducing a two-second lag to
       | touchscreen taps.
        
       ___________________________________________________________________
       (page generated 2023-01-06 23:01 UTC)