A technique called Intel Seamless Firmware Update aims to refresh the UEFI BIOS of servers without disrupting operations. Intel has published the specification for a “Management Mode Firmware Runtime Update – OS Interface” and submitted patches for the Linux kernel.
“Seamless Firmware Update”, also called “Management Mode Runtime Update”, processes the firmware update in the form of a “UEFI Capsule Image”. This capsule format is also used by more and more Windows notebooks and by the Linux Vendor Firmware Service (LVFS).
What is special about Seamless Firmware Update, however, is that the system processes the UEFI capsule image in System Management Mode (SMM) while the operating system is running and writes it to the flash chip. The aforementioned Intel specification describes a virtual ACPI device called “INTC1080”, which serves as an interface between the operating system (OS) and SMM, which Intel simply calls “Management Mode” (MM) here. The operating system “injects” the UEFI capsule image into the memory area of the MM via this ACPI device.
For servers only?
In the description of the Linux patch for Seamless Firmware Update, an Intel employee explains that it is primarily aimed at servers. IT and cloud service providers often agree on maximum downtimes for services with their customers in so-called service level agreements (SLAs). A restart for a BIOS update can take a few minutes. 5 minutes correspond to 0.001 percent of a year (525,600 minutes), so with an agreed availability of 99.999 percent such a restart is possible only once a year. However, virtual machines can be moved to other hosts via live migration.
With desktop PCs and notebooks, a seamless firmware update would be more of a convenience. The information Intel has published so far on Seamless Firmware Update (PDF) also does not reveal how the system reloads the new BIOS code during operation.
MM instead of SMM
It comes as a surprise that Intel is expanding the functionality of SMM (now abbreviated as MM). The IT industry is actually trying to curtail the power of SMM, which is opaque to the operating system: there are a number of known malware attacks that use SMM as a gateway.
With considerable effort, Microsoft has therefore developed specifications for “SMM Isolation” for the “Secured-Core PC”, which even more computers are likely to implement with Windows 11. These build on the ACPI table “Windows SMM Security Mitigation Table” (WSMT).
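
To check what a given firmware actually declares in the WSMT, the table can be decoded directly. The following Python sketch is an added example, not code from Intel, Microsoft or the original article. It assumes the table layout from Microsoft's published WSMT specification (standard 36-byte ACPI header followed by a 32-bit ProtectionFlags field) and, on Linux, a raw table dump at /sys/firmware/acpi/tables/WSMT; the sample table it builds is constructed.

```python
import struct
import sys

# Protection flag bits as named in Microsoft's WSMT specification.
WSMT_FLAGS = {
    0x1: "FIXED_COMM_BUFFERS",
    0x2: "COMM_BUFFER_NESTED_PTR_PROTECTION",
    0x4: "SYSTEM_RESOURCE_PROTECTION",
}
# Standard ACPI header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")


def parse_wsmt(table: bytes) -> dict:
    """Validate a raw WSMT table and decode its ProtectionFlags field."""
    if len(table) < ACPI_HEADER.size + 4:
        raise ValueError("table too short for a WSMT")
    sig, length, revision, _csum, oem_id, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WSMT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length < ACPI_HEADER.size + 4 or length > len(table):
        raise ValueError("length field inconsistent with table size")
    # All bytes of an ACPI table, checksum included, must sum to 0 mod 256.
    if sum(table[:length]) & 0xFF:
        raise ValueError("ACPI checksum mismatch")
    (flags,) = struct.unpack_from("<I", table, ACPI_HEADER.size)
    return {
        "revision": revision,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "flags": flags,
        "asserted": [n for bit, n in WSMT_FLAGS.items() if flags & bit],
        "missing": [n for bit, n in WSMT_FLAGS.items() if not flags & bit],
    }


def build_sample(flags: int) -> bytes:
    """Constructed test table (not from real firmware) with a valid checksum."""
    body = ACPI_HEADER.pack(b"WSMT", 40, 1, 0, b"SAMPLE", b"CONSTRCT",
                            1, b"TEST", 1) + struct.pack("<I", flags)
    return body[:9] + bytes([-sum(body) & 0xFF]) + body[10:]


if __name__ == "__main__":
    # Pass a dump path (e.g. /sys/firmware/acpi/tables/WSMT) or use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0x3)
    print(parse_wsmt(raw))
```

A flag listed under "missing" means the firmware does not claim that protection; the flags are the firmware's own declaration and are not verified by this check.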