The Deployment section of the Dasharo Knowledge Base FAQ covers open-source firmware deployment, which may include reading and writing SPI NOR flash as well as binary modifications.
Following sections explain how to deal with most common
How to install flashrom?
- Install flashrom v1.1 or newer with your distribution's package manager if you don't have it installed yet. If your distro doesn't provide flashrom or provides an outdated version, you can build it yourself using this instruction.
- Or compile a recent version of flashrom:
sudo apt install libpci-dev libftdi-dev libusb-1.0-0-dev
git clone https://github.com/flashrom/flashrom.git
cd flashrom
sudo make install
Could not get I/O privileges (Operation not permitted)
If you see a flashrom error like this:
ERROR: Could not get I/O privileges (Operation not permitted).
You need to be root.
Error: Programmer initialization failed.
It means you have insufficient privileges to perform initialization. Please use
/dev/mem mmap failed: Operation not permitted
/dev/mem mmap failed: Operation not permitted
FAILED!
FATAL ERROR!
Error: Programmer initialization failed.
The Linux kernel restricts access to IOMEM. To fix that, add iomem=relaxed to the kernel command line.
Recommended way to fix the problem:
- Update GRUB2 config with:
- Alternatively, if the previous command doesn't work:
sudo grub-mkconfig -o /boot/grub/grub.cfg
- Reboot and try
linux /boot/vmlinuz-4.15.0-115-generic ro quiet iomem=relaxed
- Reboot and try
As a last resort, you can try to modify the boot options at runtime. YMMV:
- If your computer uses BIOS for booting, hold down Shift, or if your computer uses UEFI for booting, press Esc several times while GRUB is loading to get the boot menu. After getting the GRUB menu, press E on a boot entry, append iomem=relaxed to the kernel command line, and press Ctrl+X or F10 to boot. Although this setting is temporary and will last only for the next boot, this way is faster and the customer doesn't need to regenerate anything.
Please note that having it as a temporary setting may be slightly better for security (there's a reason why it's disabled by default).
If the above does not resolve the problem, the kernel may be compiled with strict devmem, which prohibits accessing the IOMEM. In that case, use a different Linux system.
Transaction error between offset ...?
SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
FREG2: Management Engine region (0x00005000-0x005fffff) is locked.
Not all flash regions are freely accessible by flashrom. This is most likely due to an active ME. Please see https://flashrom.org/ME for details.
At least some flash regions are read protected. You have to use a flash layout and include only accessible regions. For write operations, you'll additionally need the --noverify-all switch. See manpage for more details.
Enabling hardware sequencing due to multiple flash chips detected.
OK.
Found Programmer flash chip "Opaque flash chip" (12288 kB, Programmer-specific) mapped at physical address 0x0000000000000000.
Reading flash... Transaction error between offset 0x00005000 and 0x0000503f (= 0x00005000 + 63)!
Read operation failed!
FAILED.
This most likely means that the ME is not allowing its region to be read. One method to mitigate the issue is to put the ME in Manufacturing Mode. This operation depends on the ME version, SPI flash layout and platform design. Detailed information can be found in the sections dedicated to the given hardware. To access documentation for supported hardware, please go to the Hardware Compatibility List.
Please note that we are considering further mitigations in the Dasharo Roadmap.
How to use flashrom to back up vendor BIOS?
It is always a good idea to back up the original BIOS of your hardware before switching to open-source firmware.
- Boot Dasharo Tools Suite
- Choose option 9) Shell.
- Read content of SPI NOR flash:
flashrom -p internal -r bios_backup_`date +%Y%m%d`.bin
flashrom v1.2-551-gf47ff31 on Linux 5.10.0-9-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found chipset "Intel Q77".
Enabling flash write... SPI Configuration is locked down.
The Flash Descriptor Override Strap-Pin is set. Restrictions implied by the Master Section of the flash descriptor are NOT in effect. Please note that Protected Range (PR) restrictions still apply.
Enabling hardware sequencing due to multiple flash chips detected.
OK.
Found Programmer flash chip "Opaque flash chip" (12288 kB, Programmer-specific) mapped at physical address 0x0000000000000000.
Reading flash... done.
If you face any issues, please refer to the troubleshooting section for your hardware platform.
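A backup is only worth keeping if it is a faithful copy of the flash. The following added example (not part of the Dasharo documentation) compares two independent reads by size and SHA-256 and rejects blank images; the function names, file names and the 4 KiB demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check two independent flashrom reads of one chip.
# Function and file names are hypothetical; sizes are passed in bytes.

sha256_of() {                      # print only the SHA-256 hex digest
    sha256sum "$1" | cut -d' ' -f1
}

only_byte() {                      # only_byte FILE OCTAL: true if every byte matches
    remaining=$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c)
    [ "$remaining" -eq 0 ]
}

# check_backup READ1 READ2 EXPECTED_BYTES
# Prints a verdict; returns 0 only if both reads have the expected size,
# contain real data, and are bit-for-bit identical.
check_backup() {
    size1=$(wc -c < "$1")
    size2=$(wc -c < "$2")
    if [ "$size1" -ne "$3" ] || [ "$size2" -ne "$3" ]; then
        echo "size-mismatch"; return 1
    fi
    # An image that is entirely 0xFF or 0x00 contains no firmware.
    if only_byte "$1" 377 || only_byte "$1" 000; then
        echo "blank-image"; return 1
    fi
    if [ "$(sha256_of "$1")" != "$(sha256_of "$2")" ]; then
        echo "reads-differ"; return 1
    fi
    echo "ok $(sha256_of "$1")"
}

# Real use (12288 kB chip from the output above = 12582912 bytes):
#   flashrom -p internal -r read1.bin
#   flashrom -p internal -r read2.bin
#   check_backup read1.bin read2.bin 12582912

# Constructed demo: two identical 4 KiB files stand in for real dumps.
demo=$(mktemp -d)
dd if=/dev/zero bs=1024 count=4 2>/dev/null | tr '\000' 'D' > "$demo/read1.bin"
cp "$demo/read1.bin" "$demo/read2.bin"
check_backup "$demo/read1.bin" "$demo/read2.bin" 4096
rm -rf "$demo"
```

Store the printed digest alongside the backup file so the image can be re-verified before it is ever flashed back.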