Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tool: Add error for write locked #450

Merged
merged 1 commit into from
Jul 15, 2024
Merged

tool: Add error for write locked #450

merged 1 commit into from
Jul 15, 2024

Conversation

crawfxrd
Copy link
Member

Add a new error for the case of trying to flash when security is enabled and it is still locked and update the related docs.

@crawfxrd crawfxrd requested review from jackpot51 and a team March 22, 2024 21:00
@crawfxrd crawfxrd marked this pull request as ready for review March 22, 2024 21:01
@crawfxrd crawfxrd changed the title Add error for write locked tool: Add error for write locked Mar 22, 2024
@XV-02 XV-02 self-assigned this Apr 15, 2024
@XV-02
Copy link

XV-02 commented Apr 17, 2024
edited
Loading

After running ectool.sh security unlock I get presented with the unlock prompt on every boot - hot or cold - until I cancel out of it.

That doesn't feel correct? I would expect it to prompt for a single boot, and then the standard locked behaviour to reassert on subsequent boots.

@XV-02
Copy link

XV-02 commented Apr 17, 2024
edited
Loading

Also, should the post ectool.sh security unlock message highlight that a reboot is insufficient to correctly change the security state?

Currently tool/src/main.rs line 299 prints "Shut down the system for the security state to take effect" which is technically correct, but could perhaps more forcibly state that a cold boot is required?

@XV-02 XV-02 mentioned this pull request Apr 17, 2024
Merged
@crawfxrd
tool: Add error for write locked
2a2e4b1 
Add a new error for the case of trying to flash when security is enabled
and it is still locked and update the related docs.

Signed-off-by: Tim Crawford <[email protected]>
@crawfxrd
Copy link
Member Author

crawfxrd commented Jun 18, 2024
edited
Loading

After running ectool.sh security unlock I get presented with the unlock prompt on every boot - hot or cold - until I cancel out of it.

Addressed by system76/firmware-setup#45.

This change was reverted; it's intended behavior for it to show up even when unlocked.

Currently tool/src/main.rs line 299 prints "Shut down the system for the security state to take effect" which is technically correct, but could perhaps more forcibly state that a cold boot is required?

Per UEFI wording for ResetType, "Shutdown" is the correct type of event. "Cold" and "Warm" are reset events that will not trigger the EC logic to reboot unlocked.

XV-02
XV-02 approved these changes Jul 15, 2024
View reviewed changes
Copy link

@XV-02 XV-02 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks to be working as desired still, and all my concerns/thoughts have been addressed and reviewed.

@crawfxrd crawfxrd merged commit 70c8678 into master Jul 15, 2024
47 checks passed
@crawfxrd crawfxrd deleted the flash-internal-security branch July 15, 2024 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@XV-02 XV-02 XV-02 approved these changes

@jackpot51 jackpot51 jackpot51 approved these changes

Assignees

@XV-02 XV-02

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@crawfxrd @XV-02 @jackpot51