Intel Seamless Update: Intel Preparing For System Firmware Updates Without The Reboot


  • Intel Seamless Update: Intel Preparing For System Firmware Updates Without The Reboot

    Phoronix: Intel Seamless Update: Intel Preparing For System Firmware Updates Without The Reboot

    "Intel Seamless Update" is a forthcoming feature for Intel platforms seemingly first being exposed by their new Linux kernel patches working on the functionality... Intel is working on being able to carry out system firmware updates such as UEFI updates but doing so at run-time and being able to avoid the reboot in the process...

    https://www.phoronix.com/scan.php?pa...eamless-Update

  • #2
    I don't really care about this because firmware updates are very rare, so I don't consider it a problem that a reboot is required on those very rare occasions.

    The problem is that firmware updates are very few, with long in between them and for a very short duration. Consumers are not getting any updates for a motherboard released last year.

    What I really would like to see is open source firmware.



    • #3
      Originally posted by uid313
      I don't really care about this because firmware updates are very rare, so I don't consider it a problem that a reboot is required on those very rare occasions.

      The problem is that firmware updates are very few, with long in between them and for a very short duration. Consumers are not getting any updates for a motherboard released last year.

      What I really would like to see is open source firmware.
      Then you are likely not the target audience for this patch.

      In the article, it is explicitly stated for the enterprise where reliability matters so much that any reboot is considered a loss.



      • #4
        Originally posted by uid313
        The problem is that firmware updates are very few, with long in between them and for a very short duration. Consumers are not getting any updates for a motherboard released last year.
        I don't agree. 25 BIOS updates over the last three years for a sub 100 EUR board: https://www.asus.com/us/Motherboards...HelpDesk_BIOS/



        • #5
          Originally posted by George99
          I don't agree. 25 BIOS updates over the last three years for a sub 100 EUR board: https://www.asus.com/us/Motherboards...HelpDesk_BIOS/
          Oh, I only got 12 updates, and only for one year.
          https://www.asus.com/US/supportonly/...HelpDesk_BIOS/

          Maybe Asus have gotten better since then, my board is an old one from 2013.



          • #6
            Reducing the pain of BIOS updates is a good thing. However, it also shows that there is too much dependence on BIOS services these days. Ideally we shouldn't care much about the BIOS itself and ought to rely more on things like kexec to boot into a new kernel and re-initialize whatever hardware it needs, fix whatever security issues, etc. Of course there are practical limitations to this having to do with certain latches, IP blocks, etc. that can only be reset by rebooting the platform, but that's more of a platform design issue.



            • #7
              Originally posted by uid313
              I don't really care about this because firmware updates are very rare, so I don't consider it a problem that a reboot is required on those very rare occasions.

              The problem is that firmware updates are very few, with long in between them and for a very short duration. Consumers are not getting any updates for a motherboard released last year.

              What I really would like to see is open source firmware.
              There is (coreboot/libreboot) but they make it hard to impossible to use without flashing it using an external flasher. But even that can fail if any of the "tamper protection" stuff is enabled and the checksum doesn't match at boot you get a brick. I think setting the ME disable bit at the same time when flashing anything custom should make it work, though. I'll have to try it some day on my laptop. Apparently HP thinks only business customers deserve backdoor free system firmware, everyone else better like the glowware. On their business stuff you can disable all signed firmware checks and flash what the heck you want.

              I even started disassembling their firmware to see which UEFI variables control that behavior and if it's possible to set manually on a consumer device, since all their firmware is based on the same code. I even thought about trying to write an exploit for a certain bug that leads to SMM level access. It's rated as "easy" to exploit, but I have no experience with anything that low level. I wish there was a POC for it to help bootstrap coreboot. I guess taking a look at the firmware update and diffing it with the old version could be instructive. At some point I'm probably just going to try with a programmer and see how it goes. Poking at the security sure is fun, though.



              • #8
                Originally posted by binarybanana
                Apparently HP thinks only business customers deserve backdoor free system firmware, everyone else better like the glowware. On their business stuff you can disable all signed firmware checks and flash what the heck you want.
                To be fair, custom BIOS would probably be hard to support, which means more expensive, which means only enterprise would be willing to pay for it. I mean the aftermath of mistakes, not them doing the BIOS work. Consumers kinda expect the manufacturer to support them. That said, just include a "warranty is void if you flash a custom firmware" clause and give them the finger if they cry.

                I'd like to play with Coreboot in my old netbook at some point, but I'm a software guy with fear of damaging the hardware and no electronics skills



                • #9
                  Originally posted by binarybanana

                  There is (coreboot/libreboot) but they make it hard to impossible to use without flashing it using an external flasher. But even that can fail if any of the "tamper protection" stuff is enabled and the checksum doesn't match at boot you get a brick. I think setting the ME disable bit at the same time when flashing anything custom should make it work, though. I'll have to try it some day on my laptop. Apparently HP thinks only business customers deserve backdoor free system firmware, everyone else better like the glowware. On their business stuff you can disable all signed firmware checks and flash what the heck you want.

                  I even started disassembling their firmware to see which UEFI variables control that behavior and if it's possible to set manually on a consumer device, since all their firmware is based on the same code. I even thought about trying to write an exploit for a certain bug that leads to SMM level access. It's rated as "easy" to exploit, but I have no experience with anything that low level. I wish there was a POC for it to help bootstrap coreboot. I guess taking a look at the firmware update and diffing it with the old version could be instructive. At some point I'm probably just going to try with a programmer and see how it goes. Poking at the security sure is fun, though.
                  Yeah, this coreboot and libreboot sounded nice, but it's not for consumer hardware, it's just for Chromebooks and Facebook servers. Not for PC.



                  • #10
                    Originally posted by binarybanana
                    Apparently HP thinks only business customers deserve backdoor free system firmware, everyone else better like the glowware. On their business stuff you can disable all signed firmware checks and flash what the heck you want.
                    No, they know that business (and by business you should assume enterprise level with IT support departments) customers have support contracts and it's assumed the in house and contract support know what they're doing. It also means regulatory regimes like HIPAA, FARCA, etc are in play.

                    The usual people that buy their consumer lines are often lucky they can turn on their computer let alone successfully update firmware, the OS, or even their web browser... ("What's that? Why do I have to update? Windows... Windows? There's a version number?"). You don't want to spend $$$ in support on someone that bought a $450 computer, maybe not even a $1000 when you sell 1 $1k computer to maybe 10 $450 computers.

                    My mom is the more typical type they sell consumer lines to, and she panics if an icon changes design. She went off the deep end when Microsoft started pushing Microsoft accounts on people using Home in the last "feature update". Luckily I talked her past it. And no, there's no way on this earth I would try to get her to use Linux outside of her phone.
