Message-ID: <9ad46cc5-0d49-8f51-52ff-05eb7691ef61@intel.com>
Date: Mon, 31 Mar 2025 15:52:58 +0300
From: "Lifshits, Vitaly" <vitaly.lifshits@...el.com>
To: Jacek Kowalski <jacek@...ekk.info>, Tony Nguyen
	<anthony.l.nguyen@...el.com>, Przemek Kitszel <przemyslaw.kitszel@...el.com>,
	Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, "Paolo
 Abeni" <pabeni@...hat.com>
CC: <intel-wired-lan@...ts.osuosl.org>, <netdev@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [Intel-wired-lan] [PATCH] e1000e: add option not to verify NVM
 checksum



On 3/18/2025 10:46 PM, Jacek Kowalski wrote:
> Many laptops and motherboards including I219-V network card have
> invalid NVM checksum. While in most instances checksum is fixed by
> e1000e module or by using bootutil, some setups are resistant to NVM
> modifications. This results in the network card being completely
> unusable.
> 
> It seems to be the case on Dell Latitude 5420 where UEFI firmware
> corrupts (in this module's sense) checksums on each boot. No set of
> BIOS options seems to help.
> 
> This commit adds e1000e module option called VerifyNVMChecksum
> (defaults to 1) that allows advanced users to skip checksum verification
> by setting it to 0.
> 
> Signed-off-by: Jacek Kowalski <Jacek@...ekk.info>
> Cc: stable@...r.kernel.org


Hi Jacek,
Are you certain that the UEFI FW corrupts the checksum each time, or is 
it just that the system left the factory with incorrect checksum?
From what we know, the Latitude E5420 is 11th Gen Intel CPU (Tiger Lake).
Starting from this generation, a security change makes it impossible for 
software to write to the I219 NVM.
However, since in previous generations this was possible, it was, 
unfortunately, common practice by vendors to release the NVM without a 
valid checksum, relying on the e1000e module or on bootutil, as you 
mentioned, to “fix” it upon first boot.
By 12th Gen systems, this practice was discontinued, and all NVMs were 
shipped with proper checksum. It is possible that some 11th Gen systems 
such as yours “slipped through the cracks”.

From a technical perspective, your patch looks correct. However, if the 
checksum validation is skipped, there is no way to distinguish between 
the simple checksum error described above, and actual NVM corruption, 
which may result in loss of functionality and undefined behavior. This 
means that if there is any functional issue with the network adapter on 
a given system, while checksum validation was suspended by the user, we 
will not be able to offer support
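
As an added illustration (not part of this message or of the e1000e patch), the C sketch below applies the driver's generic NVM checksum rule, where the 16-bit sum of words 0x00 through 0x3F must equal 0xBABA, to a constructed image. It shows the point made in the reply: an image whose checksum word was never written and an image with a flipped data bit fail the same test in the same way. The function names and image contents are assumptions made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVM_WORDS        0x40   /* words 0x00..0x3F are covered by the checksum */
#define NVM_CHECKSUM_REG 0x3F   /* last covered word holds the checksum */
#define NVM_SUM          0xBABA /* required 16-bit sum of the covered words */

/* 16-bit wrapping sum of words [0, count). */
uint16_t nvm_sum(const uint16_t *nvm, int count)
{
    uint16_t sum = 0;
    for (int i = 0; i < count; i++)
        sum = (uint16_t)(sum + nvm[i]);
    return sum;
}

/* Returns 1 if the image passes the checksum test, 0 otherwise. */
int nvm_checksum_valid(const uint16_t *nvm)
{
    return nvm_sum(nvm, NVM_WORDS) == NVM_SUM;
}

/* Value the checksum word must hold for the current data words. */
uint16_t nvm_expected_checksum(const uint16_t *nvm)
{
    return (uint16_t)(NVM_SUM - nvm_sum(nvm, NVM_CHECKSUM_REG));
}

/* Constructed sample image: arbitrary data words plus a valid checksum. */
void make_sample(uint16_t *nvm)
{
    for (int i = 0; i < NVM_CHECKSUM_REG; i++)
        nvm[i] = (uint16_t)(0x1000 + 37 * i);
    nvm[NVM_CHECKSUM_REG] = nvm_expected_checksum(nvm);
}

int main(void)
{
    uint16_t good[NVM_WORDS], unset[NVM_WORDS], corrupt[NVM_WORDS];
    make_sample(good);
    memcpy(unset, good, sizeof good);
    memcpy(corrupt, good, sizeof good);
    unset[NVM_CHECKSUM_REG] = 0xFFFF; /* checksum word never written */
    corrupt[0x10] ^= 0x0004;          /* one flipped bit in a data word */
    printf("good=%d unset=%d corrupt=%d\n", nvm_checksum_valid(good),
           nvm_checksum_valid(unset), nvm_checksum_valid(corrupt));
    return 0;
}
```

The test returns a single pass/fail bit, so once it is skipped nothing else in this check separates the benign case from real corruption.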
