Skip to content

Dasharo System Features

When entering the Dasharo System Features menu, one may see the following submenus to appear:

Dasharo Security Options

This menu offers security-sensitive options like:

  • BIOS boot medium lock - enabled/disables flash protection on the vboot recovery firmware partition. Disable it if you need access to whole flash with flashrom.
  • Enable SMM BIOS write protection - when enabled, allows only SMM code (the privileged code installed by the firmware in the system memory) to write to BIOS flash. Recommended to be enabled if Firmware setup password is set. Disable the protection if you need access to flash with flashrom.

Networking Options

  • Enable network boot - the option controls if the network boot should be enabled or not. This option is disabled by default on most Dasharo supported devices. When disabled, it prevents loading network controller drivers and unregisters iPXE as boot option (iPXE disappears from Boot Manager and One Time Boot menus)

USB Configuration

  • Enable USB stack - controls loading of UEFI USB drivers, when enabled all USB drivers are loaded making USB keyboards and mass storage drives functional in the firmware (to browse setup, press hotkeys or move around bootloaders like GRUB). If disabled no USB device will work before OS is loaded (firmware will not communicate with USB devices).
  • Enable USB Mass Storage driver - this option is blocked if USB stack is disabled. If disabled, UEFI USB Mass Storage driver is not loaded and one cannot boot from USB drives. Essentially this option controls the USB boot capability. It does not affect other devices, like USB keyboards.

Intel Management Engine Options

This submenu is used to access Intel Management Engine related options. Currently the only option available is Intel ME mode which allows to enable or disable Management Engine:

On the right side of the window there is a help section describing the option meaning. If the window is too small, the help section may be divided and not fully shown on the screen. To scroll the help section use D or d keys to scroll down and U or u to scroll up.

Intel ME can be disabled in two ways:

  • Disabled (Soft) - when set, causes the Dasharo firmware to send ME_DISABLE command via MEI/HECI. MEI/HECI interface is being hidden from OS when ME is disabled.
  • Disabled (HAP) - when set, causes the Dasharo firmware to set HAP bit in the flash descriptor. MEI/HECI interface is being hidden from OS when ME is disabled. HAP method is much more efficient as it halts the ME firmware execution even earlier than Soft Disable described above

When the mode is set to Enabled, Dasharo enables the Intel Management engine by either sending ME_ENABLE command via MEI/HECI or clearing the HAP bit in flash descriptor, depending on the previously active ME mode. MEI/HECI device should be functional in OS when ME is enabled.

Any change in the Dasharo firmware setup requires saving the changes and a platform reset (unless specified otherwise).

For more information about neutering and disabling ME see also me_cleaner.

NOTE: me_cleaner is not supported on all platforms! If a platform supports me_cleaner (i.e. ME version is lower or equal 11.x) it is recommended to set HAP bit and clean the ME region with me_cleaner script permanently.

Chipset Configuration

The submenu contains general chipset options. Currently available options:

  • Enable PS/2 controller - enables/disables PS/2 controller on the platform. When disabled PS/2 keyboards and mice will stop working in firmware and OS. PS/2 controller will not be functional in OS. This option is not available on laptops where PS/2 is used for the integrated keyboard and possibly touchpad.
  • Enable watchdog - controls the chipset watchdog functionality. If enabled, watchdog will be counting with the timeout specified below. The firmware automatically kicks the watchdog periodically so even without OS support, the platform will not reset itself when watchdog expires.
  • Watchdog timeout value - watchdog timeout in seconds. Allowed range is 60-1024 seconds. The Option is only visible if watchdog is set to enabled.