BIOS Update and Write Protection (AN05): Difference between revisions
Eugenbeluga (talk | contribs) No edit summary |
Piotrkorsak (talk | contribs) mNo edit summary |
||
| Line 51: | Line 51: | ||
The following sections will explain the necessary settings in the congatec Embedded BIOS to enable the security feature and how the congatec System Utility (CGUTIL) can be used with a password protected BIOS. | The following sections will explain the necessary settings in the congatec Embedded BIOS to enable the security feature and how the congatec System Utility (CGUTIL) can be used with a password protected BIOS. | ||
For detailed information about the congatec System Utility please consult the user's guide. This can be found on the congatec homepage ([ | For detailed information about the congatec System Utility please consult the user's guide. This can be found on the congatec homepage ([https://www.congatec.com www.congatec.com]). | ||
{{Note|congatec has removed the support for other BIOS flash tools except for the congatec System Utility. With such flash tools the BIOS update is not possible regardless of the protection mechanism described in the AN.}} | {{Note|congatec has removed the support for other BIOS flash tools except for the congatec System Utility. With such flash tools the BIOS update is not possible regardless of the protection mechanism described in the AN.}} | ||
| Line 58: | Line 58: | ||
The feature described in this Application Note is supported by the congatec System Utility starting from Revision 1.3.0. It is recommended to always use the latest revision of the congatec System Utility. Check the congatec website regularly to ensure that you have the latest version of the utility. | The feature described in this Application Note is supported by the congatec System Utility starting from Revision 1.3.0. It is recommended to always use the latest revision of the congatec System Utility. Check the congatec website regularly to ensure that you have the latest version of the utility. | ||
The congatec System Utility requires a cgos driver version equal to or higher than 1.02.014. The driver can be downloaded from the congatec homepage ([ | The congatec System Utility requires a cgos driver version equal to or higher than 1.02.014. The driver can be downloaded from the congatec homepage ([https://www.congatec.com www.congatec.com]). | ||
The BIOS Update and Write Protection feature is supported on most newer congatec COMs and SBCs. Some older products running UEFI firmware versus the legacy BIOS do not support the BIOS Update Write Protection feature. | The BIOS Update and Write Protection feature is supported on most newer congatec COMs and SBCs. Some older products running UEFI firmware versus the legacy BIOS do not support the BIOS Update Write Protection feature. | ||
Latest revision as of 14:47, 22 November 2024
| Affected Products | Products featuring UEFI Firmware |
|---|
Preface
Application Note explains the benefits and describes the security feature called 'BIOS Update and Write Protection' incorporated in the congatec Embedded BIOS. This Application Note also describes how this feature can be used with the congatec System Utility Tool (CGUTIL).
Terminology
| Term | Description |
|---|---|
| UEFI | Unified Extensible Firmware Interface |
| AMI | American Megatrends, Inc - congatec’s BIOS partner |
| Aptio | AMIs UEFI Firmware product |
| POST | Power On Self Test |
| Flash | A special type of EEPROM (Electrically Erasable Read Only Memory) that can be erased and reprogrammed in blocks instead of one byte at a time. Many modern PCs have their BIOS stored on a flash memory chip so that it can easily be updated if necessary. |
| CGOS API | congatec operating system application programming interface |
| CGUTIL | congatec System Utility |
| COM | Computer on Module |
| SBC | Single board computer |
| GUI | Graphical user interface |
Introduction
Some applications require security features that must protect the BIOS against undesired manipulations. Most common BIOS support password protected BIOS setup programs to avoid unauthorized access to the BIOS settings. This security feature can be easily bypassed by flashing over the secured BIOS using an adequate non secured BIOS. Common BIOS flash tools have no mechanism to recognize if the BIOS that is to be overwritten is secured or not.
The congatec Embedded BIOS employs a security feature which prohibits flashing over a secured BIOS (see the note below).
The following sections will explain the necessary settings in the congatec Embedded BIOS to enable the security feature and how the congatec System Utility (CGUTIL) can be used with a password protected BIOS.
For detailed information about the congatec System Utility please consult the user's guide. This can be found on the congatec homepage (www.congatec.com).
Note:
congatec has removed the support for other BIOS flash tools except for the congatec System Utility. With such flash tools the BIOS update is not possible regardless of the protection mechanism described in the AN.
Requirements
The feature described in this Application Note is supported by the congatec System Utility starting from Revision 1.3.0. It is recommended to always use the latest revision of the congatec System Utility. Check the congatec website regularly to ensure that you have the latest version of the utility.
The congatec System Utility requires a cgos driver version equal to or higher than 1.02.014. The driver can be downloaded from the congatec homepage (www.congatec.com).
The BIOS Update and Write Protection feature is supported on most newer congatec COMs and SBCs. Some older products running UEFI firmware versus the legacy BIOS do not support the BIOS Update Write Protection feature.
Check the user’s guide of the product you are using for detailed information.
BIOS Settings
After a BIOS password has been set in the BIOS setup (see Figure 1) an additional 'BIOS Update and Write Protection' setup node will appear. If set to 'Enabled', the BIOS protection will be activated after the next reboot (see Figure 2).
.png)
_001.png)
The BIOS Password cannot be changed or disabled as long as the BIOS Update and Write Protection feature is enabled.
congatec System Utility (Windows GUI)
Any write access to the BIOS Flash device (BIOS Update or BIOS Module Modification) with CGUTIL will fail when the BIOS Update and Write Protection is enabled (see Figures 3, 4, 5, 10 and 11).
With older revisions of CGUTIL, it was only possible to write to the BIOS Flash device after the system supervisor disabled the BIOS Update & Write Protection in the BIOS setup.
Newer CGUTIL tools (from revision 1.3.0) can temporarily disable the BIOS Update and Write Protection so that the user can do the necessary changes in the BIOS flash (see Figures 6, 7 and 8). Although the BIOS Update and Write Protection is deactivated by the CGUTIL tool, it will still remain enabled in the BIOS setup and will be reactivated after the next reboot.
BIOS Update
Install the latest versions of the congatec system utility and CGOS driver. Then launch the CGUTIL GUI version and select Board (CGOS) as operation target.
.png)
Press the BIOS Update button and select the BIOS file to be updated.
.png)
The button 'Deactivate BIOS Update Protection' must be pressed to temporarily allow write accesses to the BIOS flash device and provides the ability to perform the BIOS update. The Update BIOS button is grayed out until the correct password has been entered (see Figure 5). The protection will remain disabled until the next reboot.
_004.png)
_005.png)
Only with the correct BIOS password entered, the BIOS Update command button will be activated.
_006.png)
BIOS Module Modification
What is true for a BIOS update is also true for BIOS module updates. A BIOS Module modification is also not possible when the BIOS Write Protection is active. The button 'Deactivate BIOS Write Protection' (see picture 8) will temporarily allow write accesses to the BIOS flash device. The protection will remain disabled until the next reboot.
.png)
_008.png)
After entering the BIOS password as in Figure 5 above, the BIOS module can be written to the flash device.
congatec System Utility (Command Line)
The same protection features mentioned in the previous sections are also applicable when using the command line version of the congatec System Utility (CGUTLCMD). BIOS update and write accesses will not be possible when the BIOS Update and Write Protection is active (Figure 10).
_009.png)
With the command line version of the congatec System Utility the BIOS Update and Write Protection can be disabled with the help of the /BP parameter.
_010.png)
.png)
/BP:[password] deactivates the BIOS write protection to allow BIOS updates.
The use of the command line version of the congatec system utility is shown here in the UEFI shell environment. The same procedure applies to DOS and Linux. Refer to the congatec application note titled BIOS Update (AN01) for more details about updating the congatec Embedded BIOS.