UEFI BIOS firmware / mitigation updates - can they affect Manjaro / GRUB preferences?

Not sure where to ask, so i'll ask here.

I've noticed that my Workstation's BIOS update brings loads of updates for:

  • Intel CPU Microcode
  • Firmware updates fro all those CVEs

DELL UEFI BIOS v1.12.1:
https://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverid=wjtf5&oscode=wt64a&productcode=precision-17-7730-laptop

So i wonder, given the fact that i'm mitigations=off kinda guy and sudo spectre-meltdown-checker still gives same as before desirable output...

What are those BIOS level mitigations actually mean?
Won't they anyhow interfere with my OS-level GRUB mitigations=off?
Are they meant for Windows only or something like that?

P.S. I hate UEFI BIOSes with great passion - they should burn in hell alongside with secure-boot and Intel Management Engine :face_with_symbols_over_mouth: :grin:

they won't affect OS level mitigation settings you have in place but will of course apply whatever mitigations they provide before your machine gets as far as loading grub or systemd-boot.

1 Like

They're a heck of a lot easier to deal with now than a few, short years ago when one either needed a running Windows installed or being well-versed in updating via FreeDOS. :smiley:

2 Likes

Well, if we're speaking in terms of ease of updates - you're right, now they're better than before, although this may be very different across different manufcaturers, for example with this DELL i got lucky and just need to either do fwupd or loading FAT32 flash with bios.exe on it...

But if we're speaking from ease of use and hassle-free standpoint...call me old-school, but i'd rather FreeDOS myself to death, than deal with all those restrictions and not being able to use just plain old OS agnostic non-secure-boot BIOS :upside_down_face:

On newest hardware, especially laptops like this DELL there are quite a lot of problems with it:

  1. It's not even an option to go usual BIOS route, given "internal SSDs / hard-drives can't use legacy" :woozy_face:

  2. Linux's journalctl -p3 -xb will scream like 100 ACPI errors on each boot, regardless of acpi_* grub options, and nobody in DELL naturally would give a crap about it :dizzy_face:

  3. I've read that there will be stuff like hardware parts serial number / model locks (thx god not for my particular model) for some models in near future...Kinda like Apple crap, where if something goes wrong you can use only specific model of any part without going to their certified support centers and paying extra briefcase of cash :rofl:

So yeah...Brave new world :space_invader:

I just don't like idea of something very simple that should always work and do one thing right, becoming inherently more complex and therefore buggy :upside_down_face:

They all can including nvme drives, if Dell are telling you otherwise then the problem is Dell support don't know their arse from their elbow, under linux it would work no problem. With W7 or earlier you'd need an nvme controller driver if available and that's where the real problem lies, not a physical hardware barrier.

I've read that there will be stuff like hardware parts serial number / model locks (thx god not for my particular model) for some models in near future

Microsoft Store purchased machines have an element of that already. You need to download a firmware update from the manufacturer to unlock additional modes for the storage controller for example because a lot of them force the fakeRAID configuration.

Oh yeah, that's not hardware problem, it's this dreaded UEFI bios at least for specific model, probably due to it being workstation so perceived as "more corporate"...

Believe me - it just locks the option for boot loader inside bios itself (not OS-level), if you choose legacy for it (and explicitly warns with notification about that too), at least for nvme - you can even install OS with legacy and it just won't load on next reboot :sweat_smile:

That's just some false sense of security on their part i think...For drive-swap attacks. Although it's really stupid, since bios still has ability to load external drives (at least if there's no bios-password).
So still it's really easy to attack any machine whatever the hell they think UEFI BIOS is trying to do :rofl:

That's no wonder for Microsoft / Apple i have no more questions for a long time :laughing:, but i have more worry about general hardware manufacturers...That road for all hardware would be legitimately scary :no_mouth:

Don't be too concerned about ASRock, ASUS, MSI, Gigabyte retail motherboards doing that any time soon. Bulk ordered OEM boards on the otherhand will always contain tailored ROMs to the specification the company ordering them desires.

IIRC, next-to-last time I flashed the BIOS on my 2014 Dell laptop--not a candidate for fwupd--it took about a half day to accomplish, what with Googling, trying the wrong version of FreeDOS, then finally completing the task--albeit with bated-breath.

The last time, on the same machine was quicker--I just followed this sage advice--as you are well aware (since you were there) :wink:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by