Flash lock diagram #1214
Open
Flash lock diagram #1214
+231
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
… flows Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
m-iwanicki
requested changes
Feb 2, 2026
Co-authored-by: Michał Iwanicki <michal.iwanicki@3mdeb.com>
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
m-iwanicki
approved these changes
Feb 3, 2026
Contributor
m-iwanicki
left a comment
m-iwanicki
left a comment
There was a problem hiding this comment.
LGTM. capsule_update_dependency_chart.svg should be confirmed by someone from Dasharo team.
…ption Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
| rev: v2.3.0 | ||
| hooks: | ||
| - id: codespell | ||
| exclude: '^.*.(webp|jpeg|jpg|png|pdf|svg)$' |
Member
There was a problem hiding this comment.
Looks like the second . should actually be \. in all values of exclude keys since this is a regular expression. Unlikely to make a difference in practice, but still.
| | --- | --- | --- | --- | | ||
| | BIOS Lock (SPI Protected Ranges) | Runtime | PCH registers | Specific memory addresses in the BIOS region defined in these registers are hardware-locked from writing, regardless of BIOS_WE. | | ||
| | SMM BIOS Write Protection | Runtime | PCH registers | Hardware enforcement. The BIOS region is read-only unless the processor is physically executing in SMM (System Management Mode). Even if BIOS_WE is set, writes fail if not in SMM. | | ||
| | HAP Mode (High Assurance Platform) | Persistent | Intel Flash Descriptor | Disables the ME. Required for updating the ME region on an Unfused system via Capsule, because you cannot overwrite the ME firmware while it is running. | |
Member
There was a problem hiding this comment.
Suggested change
| | HAP Mode (High Assurance Platform) | Persistent | Intel Flash Descriptor | Disables the ME. Required for updating the ME region on an Unfused system via Capsule, because you cannot overwrite the ME firmware while it is running. | | |
| | HAP Mode (High Assurance Platform) | Persistent | Intel Flash Descriptor | Disables the ME. Required for updating the ME region on an Unfused system via Capsule, because you must not overwrite the ME firmware while it is running. | |
Because you can, but it's a bad idea.
| | Feature Name | Type | Controlled by | Impact on Flash Updates | | ||
| | --- | --- | --- | --- | | ||
| | BIOS Lock (SPI Protected Ranges) | Runtime | PCH registers | Specific memory addresses in the BIOS region defined in these registers are hardware-locked from writing, regardless of BIOS_WE. | | ||
| | SMM BIOS Write Protection | Runtime | PCH registers | Hardware enforcement. The BIOS region is read-only unless the processor is physically executing in SMM (System Management Mode). Even if BIOS_WE is set, writes fail if not in SMM. | |
Member
There was a problem hiding this comment.
Suggested change
| | SMM BIOS Write Protection | Runtime | PCH registers | Hardware enforcement. The BIOS region is read-only unless the processor is physically executing in SMM (System Management Mode). Even if BIOS_WE is set, writes fail if not in SMM. | | |
| | SMM BIOS Write Protection (BWP) | Runtime | PCH registers | Hardware enforcement. The BIOS region is read-only unless the processor is physically executing in SMM (System Management Mode). Even if BIOS_WE is set, writes fail if not in SMM. | |
It's referred to as "SMM BWP" in the chart.
Member
There was a problem hiding this comment.
Disable SMM BWP
Allows writes outside SMM
Capsule updates perform all flash writes in SMI handler and don't actually need this, although this protection does get disabled.
Should mention that for unfused platform we flash IFD as well? Essentially everything is flashed.
On fused units we also skip RW_UNUSED and SI_GBE.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ref: ncm-2117