edgecase
There are no answers - only questions.
Author: StJohn Piano
Published: 2018-02-15
Datafeed Article 38
This article has been digitally signed by Edgecase Datafeed.
3907 words - 984 lines - 25 pages



GOAL



Disable all BIOS settings on Kalkin that facilitate remote access.



CONTENTS


- Goal
- Contents
- Downloadable Assets
- Project Log



DOWNLOADABLE ASSETS



photo_of_diagram_on_inside_of_side_panel_on_kalkin.jpg

4_kalkin_side_open_with_lighting_and_flash.jpg

cropped_image_containing_yellow_button.jpg


These assets are the images displayed in the project log.



PROJECT LOG



I'll read through my map of Kalkin's BIOS, make a note of all BIOS settings that seem to allow/assist any sort of remote access, and turn them off if they're enabled.


Candidate settings:


Security / Setup Password
Lets you set and enable a setup password for the administrator.
If you create a setup password, you must use it to change computer setup options, to flash the ROM, and to make changes to certain Plug and Play settings under Windows.

Security / Power-On Password
Lets you set and enable the power-on password.

[Another setting, Security / Network Server Mode, is available if Security / Power-On Password is enabled.]

Security / Network Boot
Lets you enable/disable the ability to boot from the network using the F12 key or the boot order.

Advanced / Power-On Options
- Remote Wakeup Boot Source (Local Hard Drive/Remote Server). Sets the boot device for the workstation when it is started using Remote Wakeup (takes precedence over the Boot Order menu setting).
[I'm not interested in this setting so much as this question: Where's the Remote Wakeup setting? It doesn't appear to be in my map.]

Advanced / Device Options
- S5 Wake-on-LAN (Enabled/Disabled)
- NIC Option ROM Download (PXE/Disabled)

Advanced / Slot Settings
Lets you Enable/Disable Option ROM Download for each slot. Selective disabling of Option ROM downloads can help manage limited Option ROM space.

Advanced / AMT Configuration
Lets you set the following AMT (Intel Active Management Technology) configuration options:
- AMT (Enabled/Disabled) - Allows for remote discovery, repair and protection of networked workstations. Enabling the AMT function also enables the Network Controller (required for AMT to function correctly).



I've reached the end of the map. Let's answer some questions.


Some acronyms:
- ROM = Read-Only Memory
- NIC = Network Interface Card
- PXE = Preboot eXecution Environment
- AMT = Intel Active Management Technology
- LAN = Local Area Network


I'm interested in
Security / Power-On Password
because, if enabled, it makes Security / Network Server Mode become available, so I want to make sure it's disabled.

I was interested in
Security / Setup Password
because I thought that it might have a similar unlock-additional-setting aspect, which it does, but not for anything that involves network access.


This project is only concerned with the possibility of remote attack. If I were attempting to harden the BIOS against local attack, the Setup Password would be more important.



What is Network Server Mode, exactly?


Google "network server mode".

Excerpt from:
systemmanager.ru/c01609725.en/14432.htm

The Network Server Mode option is a toggle setting that sets the server to operate in network server mode. This feature works in conjunction with the power-on password. When set to Disabled, the server operates normally. When it is set to Enabled, the following actions occur:
- The local keyboard remains locked until the power-on password is entered.
- The power-on password prompt is bypassed.
- When a diskette is in the diskette drive, the server does not start unless the power-on password is entered locally.



Ok, it protects a remotely-administered server against a casual local attack.



What is Remote Wakeup?


Excerpt from:
www.techopedia.com/definition/15716/remote-wake-up-rwu

Remote Wake-Up refers to remotely turning on a networked computer by sending a network message (called a magic packet) that contains the MAC address of the computer. On receipt, the computer initiates the system wake-up. The computer receiving the magic packet does not need to be left "on", as was the case before Remote Wake-Up became available; so IP personnel no longer have to manually turn "on" networked computers, or remind employees to do so, before remotely checking, configuring, installing software or other tasks. This feature is included in Intel's Wired for Management (WfM) network specification.

Generally, Remote Wake-Up will only work if magic packets are sent from a computer on the same local area network (LAN) or within the current network subnet. However, there are exceptions making it possible to remotely wake-up a computer from outside its LAN.

The Remote Wake-Up feature goes by many names, including: wake on LAN (WOL), wake on WAN, wake up on LAN, power On By LAN, power Up By LAN, resume by LAN and resume on LAN.

For computers communicating via WiFi, the wake on wireless LAN (WoWLAN) supplementary standard must be used.

[...]

Remote Wake-Up is independent of the operating system, or network interface card (NIC), used by the computer. Support for this feature is implemented on the motherboard (in the BIOS) along with the network interface or firmware. However, some operating systems can control the operation with hardware drivers.

The magic packets use the data link layer in the OSI model as they are sent to all NICs using the network broadcast address. The magic packet does not provide any delivery confirmation signal back to the sending computer.

For Remote Wake-Up to function, there are parts of the network/computer interface that need to remain powered, even though the computer is shut off; and some power is consumed for this purpose, as long as the computer is plugged in to a powered electrical outlet.

To function reliably, Remote Wake-Up requires the proper BIOS and NIC; and sometimes the proper OS and support for the final router are required. This can make the setup and testing frustrating for the IT network technician. Moreover, different hardware have a variety of low-power states, such as a fully-off state, sleep or hibernation; some may allow wake-up while others may not.

Remote Wake-Up does have some security issues. Magic packets may be sent by anyone on the LAN, and in some cases by sources outside the LAN. Some measures can be taken to reduce the risk of unintended magic packets being received or others sent with malicious intent; these include: filtering data transmissions to match site-wide security requirements; firewalls preventing access to broadcast addresses within the LAN segments; and the use of 6 byte hexadecimal passwords which must be appended to each magic packet received.



Key section: "The Remote Wake-Up feature goes by many names, including: wake on LAN (WOL), wake on WAN, wake up on LAN, power On By LAN, power Up By LAN, resume by LAN and resume on LAN."

Ok. So the Remote Wakeup setting is probably this one:
Advanced / Device Options / S5 Wake-on-LAN
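The Techopedia excerpt describes the magic packet only in words (six bytes of 0xFF, the target MAC address, an optional password appended at the end). The script below, which is an added example and not part of the original project log or of any source quoted in it, parses that layout out of UDP payloads so that a monitoring host on the same segment could log any attempt to wake a machine. The datagrams it scans are constructed here for the demonstration; the MAC address, IP addresses and SecureOn password are made up. It also treats a sync stream that appears after other bytes as valid, since the packet may be placed anywhere in a frame.

```python
"""Recognise Wake-on-LAN magic packets in UDP payloads (added example, not from the page)."""

SYNC_STREAM = b"\xff" * 6   # every magic packet opens with six 0xFF bytes
MAC_REPEATS = 16            # followed by the target MAC address repeated 16 times
MAGIC_LEN = len(SYNC_STREAM) + 6 * MAC_REPEATS   # 102 bytes


def parse_magic_packet(payload: bytes):
    """Return a dict describing the magic packet in `payload`, or None if there is none.

    Layout, as the Techopedia excerpt describes it: the synchronisation stream, the MAC
    repeated 16 times, then optionally a SecureOn password (6 bytes on most NICs, 4 on
    some) appended to the end. The sync stream may sit anywhere in the datagram, so we
    search for it rather than requiring it at offset 0.
    """
    start = payload.find(SYNC_STREAM)
    if start < 0 or len(payload) - start < MAGIC_LEN:
        return None
    mac = payload[start + 6:start + 12]
    mac_block = payload[start + 6:start + MAGIC_LEN]
    if mac_block != mac * MAC_REPEATS:
        return None
    tail = payload[start + MAGIC_LEN:]
    password = tail if len(tail) in (4, 6) else None
    return {
        "target_mac": ":".join(f"{b:02x}" for b in mac),
        "secureon_password": password.hex() if password is not None else None,
        "trailing_bytes": 0 if password is not None else len(tail),
    }


def make_sample_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a magic packet for the constructed test corpus below (this is not a sender)."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return SYNC_STREAM + raw * MAC_REPEATS + password


# Constructed UDP datagrams: (source IP, destination IP, destination port, payload).
# WoL senders typically address the broadcast address on UDP port 7 or 9.
SAMPLE_DATAGRAMS = [
    ("192.168.1.10", "192.168.1.255", 9, make_sample_packet("00:1a:4b:8c:2d:3e")),
    ("192.168.1.10", "192.168.1.255", 9,
     make_sample_packet("00:1a:4b:8c:2d:3e", b"\x01\x02\x03\x04\x05\x06")),
    ("192.168.1.20", "192.168.1.10", 53, b"\x12\x34\x01\x00" + b"\x00" * 28),   # ordinary DNS-like traffic
    ("192.168.1.30", "192.168.1.255", 9,
     SYNC_STREAM + bytes.fromhex("001a4b8c2d3e") * 15),                        # truncated: only 15 repeats
]


def scan_datagrams(datagrams):
    """Return one finding per datagram that carries a magic packet.

    On a segment where S5 Wake-on-LAN is supposed to be disabled, any hit is worth a
    look: it shows that something is trying to power machines on over the network.
    """
    findings = []
    for src, dst, port, payload in datagrams:
        info = parse_magic_packet(payload)
        if info is None:
            continue
        findings.append({
            "source": src,
            "destination": f"{dst}:{port}",
            "target_mac": info["target_mac"],
            "secureon": info["secureon_password"] is not None,
        })
    return findings


if __name__ == "__main__":
    for f in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"WoL magic packet from {f['source']} to {f['destination']} "
              f"targeting {f['target_mac']} (SecureOn password present: {f['secureon']})")
```

Of the four constructed datagrams, the scanner reports the two well-formed magic packets and ignores both the unrelated traffic and the truncated packet with only fifteen MAC repetitions. Note that a SecureOn password, where the NIC supports one, travels in the clear in the same broadcast, so it limits who can wake the machine only against parties who cannot see the segment.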


What does S5 mean, in this context?


Google "S5 Wake-on-LAN".

Excerpt from:
technet.microsoft.com/en-gb/library/bb693821.aspx

Sleep States for Wake On LAN

[...]

Wake On LAN in Configuration Manager 2007 supports waking up computers in sleep states S1 through S5. Sleep states describe the possible power states for a computer, as listed in the following table.

Sleep State = Description:

S0 = The computer is on and fully functional.

S1 = The computer appears to be off with the CPU stopped. RAM is refreshed, and the computer is running in a low power mode.

S2 = The computer appears to be off with the CPU stopped. RAM is refreshed, and the computer is running in a lower power mode than S1.

S3 (Standby) = The computer appears to be off with no power to the CPU. RAM is in slow refresh.

S4 (Hibernate) = The computer appears to be off with no power to the hardware. System memory has been saved as a temporary file on the hard disk.

S5 (Off) = The computer is off with no power to the hardware, and the operating system has been shut down without saving system memory to disk.



Hm. Key section:
"S5 (Off) = The computer is off with no power to the hardware, and the operating system has been shut down without saving system memory to disk."

So S5 Wake-on-LAN allows an administrator to boot the computer remotely when it is powered down.



I chose this setting:
Advanced / Device Options / NIC Option ROM Download (PXE/Disabled)
as a candidate because it includes NIC and PXE, which both indicate network access.


Let's find out what it is.


Excerpt from:
en.wikipedia.org/wiki/Option_ROM

An Option ROM typically consists of firmware that is called by the system BIOS. For example, an adapter card that controls a boot device might contain firmware that is used to connect the device to the system once the Option ROM is loaded.
[...]
Another common option ROM is a network boot ROM (e.g., a PXE option ROM). This allows a computer without any disks or persistent storage to run an operating system by downloading the necessary software over the network. Of course there needs to be some program to do this download of code, and this is what is stored in the option ROM.



Excerpt from:
en.wikipedia.org/wiki/BIOS

Peripheral cards such as some hard disk drive controllers and some video display adapters have their own BIOS extension option ROMs, which provide additional functionality to BIOS. Code in these extensions runs before the BIOS boots the system from mass storage. These ROMs typically test and initialize hardware, add new BIOS services, and augment or replace existing BIOS services with their own versions of those services. For example, a SCSI controller usually has a BIOS extension ROM that adds support for hard drives connected through that controller. Some video cards have extension ROMs that replace the video services of the motherboard BIOS with their own video services. BIOS extension ROMs gain total control of the machine, so they can in fact do anything, and they may never return control to the BIOS that invoked them.
[...]
Option ROMs normally reside on adapter cards.





Google "NIC Option ROM Download".


Excerpt from:
First result:
support.hp.com/lamerica_nsc_carib-en/product/hp-elitedesk-800-g1-tower-pc/5387466/document/c03840403

NIC PXE Option ROM Download (PXE, iSCSI, disabled). The BIOS contains an embedded NIC option ROM to allow the unit to boot through the network to a PXE server. This is typically used to download a corporate image to a hard drive. The NIC option ROM takes up memory space below 1MB commonly referred to as DOS Compatibility Hole (DCH) space. This space is limited. This F10 option will allow users to disable the downloading of this embedded NIC option ROM thus giving more DCH space for additional PCI cards which may need option ROM space. The default will be to have the NIC option-ROM-enabled. Default is PXE.




I'll check that no option ROM downloads are listed in:
Advanced / Slot Settings



In this section:
"Enabling the AMT function also enables the Network Controller (required for AMT to function correctly)"
what exactly is the network controller?


The Network Controller setting appears here:
Security / Device Security / Network Controller


Google "what is a network controller".

Excerpt from:
www.techspot.com/community/topics/what-is-meant-by-a-network-controller.150210

Q:
Jskid
Jul 18, 2010
[...]
What does it mean that a network interface card comes with its own controller?
What is a controller? Is that another name for a driver?


A:
JMMD
Jul 18, 2010
Network controller is just another name for a network card or network adapter. These cards have their own processors to handle the network interface rather than relying on the motherboard chipset or CPU to do it.



Ok. So "network controller" probably means the NIC/Ethernet setting. Enabling AMT will also enable the Network Controller setting, even if it is currently disabled.



What is AMT?


Excerpt from:
software.intel.com/en-us/articles/intel-trusted-execution-technology-a-primer
By Matthew Gillespie, published on June 1, 2009, updated January 1, 2015.

Intel AMT enhances the security and central remote management of business PCs by providing a firmware-based out-of band communication channel through which a management console can reach the PC even when it is powered off or the operating system (OS) is non-functional or missing. A management engine within the PC chipset stores authentication information in non-volatile memory that it uses to pass information across the same physical network interface used by the host OS, but with its own logical identity and IP address. This mechanism allows system administrators to dramatically extend their management reach, including the ability to remotely discover hardware and software, power machines up and down, and deploy security patches and other software, regardless of system state. Using Intel AMT, support organizations can also isolate PCs from the rest of the network if they become compromised by malware.



Interesting. It's a little separate computer, which is accessible remotely through a management application, and has complete control over the main computer system.



Right.


Next: Look up these BIOS settings. Disable any of them that are currently enabled.



Press the power button to boot Kalkin. Hold Escape as it boots.

Screen:

Version 2.10.1208. Copyright (C) 2011 American Megatrends, Inc.
16384 MB

Startup Menu
- Continue Startup (Exit)
- System Information
- Change Language
- Diagnostics (F2)
- Boot Menu (F9)
- Computer Setup (F10)
- System Recovery (F11)
- Utilities
- Run UEFI Application...

J51 v01.20
HP Z210 Workstation
Press the ESC key for Startup Menu
Startup Menu



Press F10.

Screen:

HEWLETT-PACKARD COMPUTER SETUP
File | Storage | Security | Power | Advanced
- System Information
- About
- Set Time and Date
- Flash System ROM
- Replicated Setup
- Default Setup
- Apply Defaults and Exit
- Ignore Changes and Exit
- Save Changes and Exit

Aptio Setup Utility - Version 2.10.1208. Copyright (C) 2011 American Megatrends, Inc.


I have used a vertical bar (|) to represent the elements of a horizontal menu.

File
and
System Information
are highlighted.


Use the left and right arrow keys to select the appropriate heading, use the up and down arrow keys to select an option, and then press Enter.


Proceed through the settings.

Security / Setup Password
-> No password is set. I'm just checking.

Security / Power-On Password
-> No password is set.

Security / Network Server Mode
-> Not present.

Security / Network Boot
-> Disabled.

Advanced / Power-On Options
- Remote Wakeup Boot Source (Local Hard Drive/Remote Server).
-> Currently set to Local Hard Drive.

Advanced / Device Options
- S5 Wake-on-LAN (Enabled/Disabled)
-> Enabled. Switch it to Disabled. Press F10 to save the setting.
- NIC Option ROM Download (PXE/Disabled)
-> Currently set to PXE. Switch it to Disabled. Press F10 to save the setting.

Advanced / Slot Settings
-> All seven slots for Option ROM Download are set to Enabled. Switch all of them to Disabled. Press F10 to save these settings.

Advanced / AMT Configuration
- AMT (Enabled/Disabled)
-> Enabled. Switch it to Disabled (this causes the various other options under AMT Configuration to disappear). Press F10 to save the setting.


Choose File / Save Changes and Exit.


Kalkin begins to emit beeps, in groups of 6. After several groups, it stops. Screen is black.


Press power button to turn Kalkin off. Press power button to boot Kalkin. Screen remains black. Kalkin emits beeps, in groups of 6. After several groups, it stops.


Press power button to turn Kalkin off. Press power button to boot Kalkin. Hold Escape as it boots. Screen remains black. Kalkin emits beeps, in groups of 6. After several groups, it stops.


Google "hp workstation 6 beeps".


First result:

Excerpt from:
support.hp.com/gb-en/document/c04045903

SUPPORT COMMUNICATION - CUSTOMER ADVISORY

Document ID: c04045903

Version: 1

Advisory: HP Z1, Z220, Z420, Z620, Z820 Workstation - 6 Beeps After Changing BIOS Settings

Notice: The information in this document, including products and software versions, is current as of the release date. The document is subject to change without notice.

Release date : 12-Dec-2013

Last updated : 12-Dec-2013


DESCRIPTION

HP Workstation boots with 6 beeps and no video following changes in the F10 setup utility.

Symptoms:

After changing and saving one of the following two settings in F10 setup:

1. Security / Secure Boot Configuration / Secure Boot -> Enabled

2. Advanced / Device Options / Video Option ROMS -> EFI

The system may produce 6 beeps on reboot, and will no longer show video on screen or load the operating system. There will appear to be no way to return to the F10 setup menu and change the settings back.

[...]


SCOPE

Information in this document applies to the following:

Systems:
- HP Z1 Workstation
- HP Z220 Convertible Minitower Workstation
- HP Z220 Small Form Factor Workstation
- HP Z420 Workstation
- HP Z620 Workstation
- HP Z820 Workstation

Operating Systems:
- Non-OS Specific


RESOLUTION

The issue occurs because the video card ROM firmware is not UEFI compliant. When the system has been set to only boot using a UEFI compliant video ROM, and no UEFI compliant video ROM is available, the system is unable to activate the video card.

To resolve the issue, use the "Clear CMOS" button located on the system board. The exact location of the button varies slightly by workstation and is documented in the diagram on the inside of the side panel as well as in the service manual.

NOTE: Clearing CMOS will return all BIOS settings to default settings.

Any customizations will need to be re-entered and saved.
Hardware platforms affected : HP Z1 Workstation, HP Z220 Convertible Minitower Workstation, HP Z220 Small Form Factor Workstation, HP Z420 Workstation, HP Z620 Workstation, HP Z820 Workstation

Operating systems affected : Not applicable

Software affected : Not applicable

Support Communication Cross Reference ID : IA04045903



Kalkin is a HP Z210 Workstation. This is not in the list of affected hardware platforms, but it is related to the ones that are.

Key section: "The issue occurs because the video card ROM firmware is not UEFI compliant. When the system has been set to only boot using a UEFI compliant video ROM, and no UEFI compliant video ROM is available, the system is unable to activate the video card."

Perhaps one of the Option ROM Downloads in the Advanced / Slot Settings group was used to set up the video card?


The excerpt includes a possible solution:
-> To resolve the issue, use the "Clear CMOS" button located on the system board. The exact location of the button varies slightly by workstation and is documented in the diagram on the inside of the side panel as well as in the service manual.
-> NOTE: Clearing CMOS will return all BIOS settings to default settings.


Ok, I need to find a particular button on the motherboard.

Press power button to turn Kalkin off.

Unplug Kalkin from the mains socket.

Remove side panel.

There's a diagram on the inside of the side panel.



1: Diagram on the inside of Kalkin's side panel.




There is a "Clear CMOS Button" labelled in the bottom right corner.



2: Kalkin with side panel removed.




Looking into Kalkin, the motherboard is in the same orientation as that shown on the panel diagram. The CPU is high up in the middle (there's a big fan over it, so it's presumably the CPU) and there are four long memory sockets to its right.

Down in the bottom right, there is a small yellow button in the expected position. It's just beneath four black sockets.

Here's a cropped section of the image, with the yellow button slightly below and right of the centre.



3: Cropped section of image 2, showing the section of the motherboard that contains the yellow button.




Touch metal chassis to discharge any static. Reach in and press yellow button. It depresses slightly and returns to its original position with an audible sound.

Plug Kalkin back into the mains. The power button lights up and it appears to turn on. Screen remains black. Wait a while. Press power button to turn Kalkin off.

Press power button to boot Kalkin. Centos boots.

Press and hold power button to turn Kalkin off.


Press power button to boot Kalkin. Hold Escape as it boots.

Startup Menu screen appears. Press F10 to choose Computer Setup.
- Note: Network Boot is now available on Startup Menu.

Computer Setup utility screen appears.


The BIOS has presumably been reset back to its default settings.


Previous changes to BIOS / Computer Setup settings:
While examining a boot problem on Kalkin, I changed
Storage Options / SATA Emulation from RAID+AHCI Mode to IDE Mode,
and
Security / Network Boot from Enabled to Disabled.


Security / Network Boot is on my list.


First, I'd like to find the setting that caused a problem.

When I choose Advanced / Slot Settings, I see:
Slot 1 Option ROM Download = Enabled
Slot 2 Option ROM Download = Enabled
Slot 3 Option ROM Download = Enabled
Slot 4 Option ROM Download = Enabled
Slot 5 Option ROM Download = Enabled
Slot 6 Option ROM Download = Enabled
Slot 7 Option ROM Download = Enabled

One of them is probably the video card adapter option ROM, but there is no indication which one that is.

Hm. It's possible that although each one says "Option ROM Download", it's not downloading anything from the network, but simply from the relevant peripheral adapter card (where the option ROM is presumably stored). Kalkin is not currently connected to the network but has been booting successfully.
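The Slot Settings screen gives no hint of which slot holds the video card's option ROM. From a running Linux system the question can be answered the other way round: the kernel exposes a "rom" attribute under /sys/bus/pci/devices/<address>/ only for devices whose expansion ROM BAR reports a non-zero size, i.e. adapters that carry their own option ROM. The script below is an added example, not part of the project log, and the sysfs tree it builds for offline use is constructed; the vendor, device and class values in it are illustrative and were not read from Kalkin.

```python
"""Inventory PCI adapters that carry an expansion (option) ROM, via Linux sysfs.
Added example; not from the page, HP or Intel."""
import tempfile
from pathlib import Path

# PCI base class codes (top byte of the 24-bit class code) relevant to the settings above.
BASE_CLASSES = {
    0x01: "mass storage controller",
    0x02: "network controller",
    0x03: "display controller",
}


def _read_hex(path: Path) -> int:
    # sysfs attributes such as 'vendor', 'device' and 'class' hold text like "0x10de\n"
    return int(path.read_text().strip(), 16)


def inventory_option_roms(sysfs_root="/sys/bus/pci/devices"):
    """List devices under sysfs_root that expose a 'rom' attribute.

    The kernel creates the 'rom' file only when the device's expansion ROM BAR reports a
    non-zero size, so its presence means the adapter itself carries an option ROM that the
    firmware could execute at boot. The attribute's file size is the ROM BAR size.
    """
    root = Path(sysfs_root)
    results = []
    if not root.is_dir():
        return results
    for dev in sorted(root.iterdir()):
        rom = dev / "rom"
        if not rom.exists():
            continue
        base_class = _read_hex(dev / "class") >> 16
        results.append({
            "address": dev.name,
            "vendor_id": f"{_read_hex(dev / 'vendor'):04x}",
            "device_id": f"{_read_hex(dev / 'device'):04x}",
            "kind": BASE_CLASSES.get(base_class, f"class 0x{base_class:02x}"),
            "rom_bar_size": rom.stat().st_size,
        })
    return results


# Constructed sample tree (values are illustrative, not read from Kalkin):
# (PCI address, vendor id, device id, 24-bit class code, ROM BAR size or 0 for none)
SAMPLE_DEVICES = [
    ("0000:00:19.0", 0x8086, 0x1502, 0x020000, 0),            # onboard NIC with no ROM BAR
    ("0000:01:00.0", 0x10de, 0x0df8, 0x030000, 512 * 1024),   # graphics card with a 512K option ROM
    ("0000:04:00.0", 0x1000, 0x0072, 0x010700, 64 * 1024),    # SAS controller with a 64K option ROM
]


def build_fake_sysfs(root, devices=SAMPLE_DEVICES):
    """Write a minimal sysfs-like tree so the inventory can run offline."""
    for addr, vendor, device, class_code, rom_size in devices:
        d = Path(root) / addr
        d.mkdir(parents=True)
        (d / "vendor").write_text(f"0x{vendor:04x}\n")
        (d / "device").write_text(f"0x{device:04x}\n")
        (d / "class").write_text(f"0x{class_code:06x}\n")
        if rom_size:
            (d / "rom").write_bytes(b"\x00" * rom_size)


def demo():
    """Run the inventory against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp)
        return inventory_option_roms(tmp)


if __name__ == "__main__":
    for entry in inventory_option_roms():   # the real machine's sysfs, when run on Linux
        print(f"{entry['address']} {entry['kind']} {entry['vendor_id']}:{entry['device_id']} "
              f"option ROM BAR {entry['rom_bar_size'] // 1024}K")
```

Against the constructed tree the inventory lists the graphics card and the SAS controller and skips the onboard NIC. The caveat cuts the other way too: a device with no "rom" attribute can still be served by an option ROM, because, as the HP excerpt later on this page says of the NIC PXE ROM, HP embeds some option ROMs in the system BIOS flash rather than on the adapter.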


Google "Option ROM Download meaning".

Excerpt from:
support.hp.com/lamerica_nsc_carib-en/product/hp-elitedesk-800-g1-tower-pc/5387466/document/c03840403

SATA RAID Option ROM Download (enable/disable). The BIOS contains an embedded SATA RAID option ROM for RAID support. This can be temporarily disabled to save DCH space. Note that with the option ROM disabled, users will be unable to boot to hard drives in the system while running in RAID mode. Default is disabled.



Hm. This setting refers to an "Option ROM Download", but it appears that the ROM in question is embedded.

Alright. Due to this and the 6 beeps HP advisory above (which indicates that the problem relates to a Video Option ROM), I've decided that although the items in Advanced / Slot Settings are labeled "Option ROM Download", they are probably loaded from embedded components, not from across the network. They are probably also involved in making important peripherals work. I won't try to disable them.


So, proceed through new list, making changes in the Computer Setup utility:


Security / Setup Password
-> No password is set.

Security / Power-On Password
-> No password is set.

Security / Network Server Mode
-> Not present.

Security / Network Boot
-> Enabled. Switch it to Disabled. Press F10 to save the setting.

Advanced / Power-On Options
- Remote Wakeup Boot Source (Local Hard Drive/Remote Server).
-> Currently set to Local Hard Drive.

Advanced / Device Options
- S5 Wake-on-LAN (Enabled/Disabled)
-> Enabled. Switch it to Disabled.
- NIC Option ROM Download (PXE/Disabled)
-> Currently set to PXE. Switch it to Disabled.
Press F10 to save these settings.

Advanced / AMT Configuration
- AMT (Enabled/Disabled)
-> Enabled. Switch it to Disabled (this causes the various other options under AMT Configuration to disappear). Press F10 to save the setting.


Last item: Redo a change made during a previous project.
Storage / Storage Options
- SATA Emulation
-> RAID+AHCI Mode. Switch to IDE Mode. A warning pop-up appears: "SATA Emulation changes may prevent access to existing hard drive data and degrade, or corrupt, established volumes." Press F10 to save the setting.


Choose File / Save Changes and Exit.


Centos boots.
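The checklist worked through above, together with the two things learned along the way (a Power-On Password is what makes Network Server Mode selectable; the per-slot Option ROM Downloads load adapter ROMs and must stay enabled), can be written down as an audit that runs over a settings dump. The script below is an added example and not part of the project log; Kalkin's Computer Setup utility has no export function, so the dump format, a dict of "Section / Option" to value, is an assumption, and the two dumps in it are constructed to mirror the states recorded in the log before and after the changes.

```python
"""Audit a dump of Computer Setup (F10) settings for remote-access features.
Added example, not part of the project log. The dump format (a dict of
'Section / Option' -> value) is an assumption; the BIOS has no export."""

# Setting path -> (values that expose remote access, recommended value, why)
REMOTE_ACCESS_RULES = {
    "Security / Network Boot": (
        {"Enabled"}, "Disabled",
        "allows booting from the network via F12 or the boot order"),
    "Advanced / Device Options / S5 Wake-on-LAN": (
        {"Enabled"}, "Disabled",
        "a magic packet can power the machine on from S5 (off)"),
    "Advanced / Device Options / NIC Option ROM Download": (
        {"PXE", "iSCSI"}, "Disabled",
        "embedded NIC option ROM boots through the network to a PXE/iSCSI server"),
    "Advanced / AMT Configuration / AMT": (
        {"Enabled"}, "Disabled",
        "out-of-band management engine, reachable even when powered off; "
        "also forces the Network Controller on"),
}

SLOT_PREFIX = "Advanced / Slot Settings / "


def audit(settings):
    """Return (action, setting path, reason) tuples for a settings dump.

    action is 'disable' (a remote-access feature is on), 'check' (a setting that unlocks
    another remote-access option is in use) or 'keep' (suspicious by name, but leave it).
    """
    findings = []
    for path, (exposed_values, recommended, why) in REMOTE_ACCESS_RULES.items():
        value = settings.get(path)
        if value in exposed_values:
            findings.append(("disable", path, f"{value} -> {recommended}: {why}"))

    # Dependency from the BIOS map: Network Server Mode only appears once a Power-On
    # Password is set, so a set password is what makes that option reachable at all.
    if settings.get("Security / Power-On Password", "Not set") != "Not set":
        mode = settings.get("Security / Network Server Mode", "Disabled")
        if mode == "Enabled":
            findings.append(("disable", "Security / Network Server Mode",
                             "Enabled -> Disabled: keyboard-lock mode for remotely administered servers"))
        else:
            findings.append(("check", "Security / Power-On Password",
                             "set: makes Security / Network Server Mode selectable"))

    # Lesson from the 6-beep episode: the per-slot 'Option ROM Download' items load adapter
    # ROMs (e.g. the video card's), not anything from the network. Leave them enabled.
    for path, value in sorted(settings.items()):
        if path.startswith(SLOT_PREFIX) and value == "Enabled":
            findings.append(("keep", path, "adapter option ROM; disabling these left Kalkin with no video"))
    return findings


def _slots(state):
    return {f"{SLOT_PREFIX}Slot {n} Option ROM Download": state for n in range(1, 8)}


# Constructed dumps mirroring the states recorded in the log, before and after the changes.
BEFORE = {
    "Security / Setup Password": "Not set",
    "Security / Power-On Password": "Not set",
    "Security / Network Boot": "Enabled",
    "Advanced / Power-On Options / Remote Wakeup Boot Source": "Local Hard Drive",
    "Advanced / Device Options / S5 Wake-on-LAN": "Enabled",
    "Advanced / Device Options / NIC Option ROM Download": "PXE",
    "Advanced / AMT Configuration / AMT": "Enabled",
    **_slots("Enabled"),
}
AFTER = {
    **BEFORE,
    "Security / Network Boot": "Disabled",
    "Advanced / Device Options / S5 Wake-on-LAN": "Disabled",
    "Advanced / Device Options / NIC Option ROM Download": "Disabled",
    "Advanced / AMT Configuration / AMT": "Disabled",
}


def count(findings, action):
    """Number of findings with the given action."""
    return sum(1 for a, _, _ in findings if a == action)


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for action, path, reason in audit(dump):
            print(f"[{action}] {path}: {reason}")
```

Run on the "before" dump the audit flags the same four settings the log switched off and lists the seven slot entries as ones to keep; on the "after" dump nothing is left to disable. The rule table is where a future BIOS map would be extended: any new setting that opens a network path gets a line there, and any setting that merely unlocks one gets a dependency check like the Power-On Password one.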


Excellent.


Press and hold power button to turn Kalkin off.


Replace Kalkin's side panel.


Finished.




[start of notes]



Changes from the original text:

- I have not always preserved the format of any excerpts from webpages on other sites (e.g. not preserving the original bold/italic styles, changing the list structures, not preserving hyperlinks).

- I have not always preserved the format of any computer output (e.g. from running bash commands). Examples: Setting input lines in bold text, adding/removing newlines in order to make a sequence of commands easier to read, using hyphens for lists and sublists instead of indentation, breaking wide tables into consecutive sections.


[end of notes]