Skip to content

Deployment

Deployment section of Dasharo Knowledge Base FAQ considers topic of open-source firmware deployment, which may include operations of reading and writing SPI NOR flash, as well as binary modifications.

If you can't find the answer to your questions feel free to contact us through Community Channels or submit issue through Dasharo Github.

Flashrom

Following sections explain how to deal with most common flashrom errors.

Could not get I/O privileges (Operation not permitted)

If you see a flashrom error like this:

ERROR: Could not get I/O privileges (Operation not permitted).
You need to be root.
Error: Programmer initialization failed.

It means you have insufficient privileges to perform initialization. Please use sudo before flashrom command.

/dev/mem mmap failed: Operation not permitted

/dev/mem mmap failed: Operation not permitted
FAILED!
FATAL ERROR!
Error: Programmer initialization failed.

Linux kernel restricts access to IOMEM. To fix that add iomem=relaxed to the kernel command line.

Recommended way to fix the problem:

  • Edit /etc/default/grub:
GRUB_CMDLINE_LINUX="iomem=relaxed"
  • Update GRUB2 config with:
sudo update-grub2
  • Alternatively, if previous command doesn't work:
sudo grub-mkconfig -o /boot/grub/grub.cfg
  • Reboot and try flashrom command again

Other method:

  • Edit grub.cfg in /boot/grub/:
linux /boot/vmlinuz-4.15.0-115-generic ro quiet iomem=relaxed
  • Reboot and try flashrom command again

Last resort you can try to modify boot option runtime. YMMV:

  • If your computer uses BIOS for booting, then hold down the Shift, or if your computer uses UEFI for booting, press Esc several times, while GRUB is loading to get the boot menu. And, after getting a GRUB menu, press E on a boot entry to append iomem=relaxed to kernel command line and press Ctrl+X or F10 to boot. Although this setting is temporary and will last only during the next boot, this way is faster and a customer doesn't need to re-generate anything.

Please note having it as a temporary setting maybe is slightly better for security (there's a reason why it's disabled by default).

If the above does not resolve the problem, the kernel may be compiled with strict devmem, which prohibits accessing the IOMEM. You should then take different Linux system.

Transaction error between offset ...?

SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
FREG2: Management Engine region (0x00005000-0x005fffff) is locked.
Not all flash regions are freely accessible by flashrom. This is most likely
due to an active ME. Please see https://flashrom.org/ME for details.
At least some flash regions are read protected. You have to use a flash
layout and include only accessible regions. For write operations, you'll
additionally need the --noverify-all switch. See manpage for more details.
Enabling hardware sequencing due to multiple flash chips detected.
OK.
Found Programmer flash chip "Opaque flash chip" (12288 kB, Programmer-specific) mapped at physical address 0x0000000000000000.
Reading flash... Transaction error between offset 0x00005000 and 0x0000503f (= 0x00005000 + 63)!
Read operation failed!
FAILED.

Most probably it means problem lays in ME not allowing to read its region. One of the method to mitigate the issues is to put ME in Manufacturing Mode. Such operation depends on ME version, SPI flash layout and platform design. Detail information you should find in sections dedicated to given hardware. To access documentation for supported hardware please go to Hardware Compatibility List.

Please note we consider further mitigations in Dasharo Roadmap.