> The BIOS that has locked the AHCI is currently cryptographically signed by Lenovo.
Cryptographically signed firmware is an Intel requirement and has been since Sandy/Ivy Bridge. Go look at Dell or HP and you'll find the exact same requirements for UEFI updates.
> Currently, one user had successfully installed Linux on their device by manually flashing their BIOS by soldering a chip programmer onto the actual chip.
Yes, this is the only way to bypass the firmware update signature check, because by flashing the actual SPI EEPROM the check is not executed.
> So, is this your idea of supporting it ourselves?
Where on earth did the author ever imply or state that?
Flashing a modified firmware via SPI is the only known method for newer Intel platforms due to the signature checks performed during a normal firmware update.
Sometimes vendors are careless/lazy and people find other ways to flash modified firmware. In cases where vendors don't screw up the reference firmware enough to nullify the security checks, you need to flash it manually.
Go read about this yourself (free eBook on Intel platform security): www.apress.com/9781430265719
Re: DIY support
Date: 2016-09-21 11:42 pm (UTC)
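A small model of the two write paths the comment above describes, added here as an illustration and not code from Lenovo, Intel or the commenter: the in-band updater verifies a vendor signature before touching the chip, a direct SPI write skips that check entirely, and hashing the flash contents afterwards is the only thing that reveals the swap. The Ed25519 key pair, the sample images and the `Flash` type are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Flash models the SPI EEPROM that holds the platform firmware.
type Flash struct{ image []byte }

// ErrBadSignature is what the normal update path returns for an unsigned image.
var ErrBadSignature = errors.New("firmware update: signature check failed")

// NewVendorKey is a throwaway stand-in for the vendor's key; only the public half ships with the updater.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// UpdatePath is the normal in-band update: the check runs in the updater before any byte reaches the chip.
func (f *Flash) UpdatePath(pub ed25519.PublicKey, image, sig []byte) error {
	if !ed25519.Verify(pub, image, sig) {
		return ErrBadSignature
	}
	f.image = append([]byte(nil), image...)
	return nil
}

// SPIWrite models a programmer clipped onto the chip: raw bytes go in, no check runs.
func (f *Flash) SPIWrite(image []byte) { f.image = append([]byte(nil), image...) }

// Measure hashes the flash; comparing it with the hash of the last signed image is how a direct SPI write shows up.
func (f *Flash) Measure() [32]byte { return sha256.Sum256(f.image) }

func main() {
	pub, priv := NewVendorKey()
	var fl Flash
	signed := []byte("vendor-firmware-v1 (constructed sample image)")
	modified := []byte("modified-firmware (constructed sample image)")
	fmt.Println("signed update:  ", fl.UpdatePath(pub, signed, ed25519.Sign(priv, signed)))
	fmt.Println("unsigned update:", fl.UpdatePath(pub, modified, nil))
	fl.SPIWrite(modified) // the bypass the comment describes: no check on this path
	fmt.Println("flash matches signed image:", fl.Measure() == sha256.Sum256(signed))
}
```

The point for a defender is that the signature check lives in the update software, so it can only be relied on for in-band updates; detecting an out-of-band write needs something that measures what is actually in the chip at boot.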