Arch Linux

srpax

Member

Registered: 2024-09-25

Posts: 3

[SOLVED] Read-Only UEFI

Device: Samsung Galaxy Book3 Pro 16"
Model: NP960XFG-KC1US
OS: Arch Linux 64-bit
Boot Loader: EFI boot stub
UEFI version: v2.8
UEFI Shell version: v2.2
UEFI implementation: AMI Aptio (product not specified, afuefi does not
work)
UEFI Secure Boot Mode: Setup (PK uninstalled)
TPM: Off

Hi folks.

TL;DR: Can't persist NV UEFI variables through a reset.

First off, I will preface this with: this is more closely related to a UEFI or OEM issue, given my Arch Install works fine when I boot from a UEFI shell. I will move to off-topic area if requested, but wanted to try here first for visibility reasons.

My issue is that I cannot add new boot options. Using either efibootmgr once booted into Arch, or the bcfg UEFI Shell command produce the same result: a seemingly successful addition of a new boot option, but everything is blown away after a reset.

This may be indicative of a more serious issue with writing to the NOR flash (Samsung may have a write protection mechanism). Fortunately the chip is a Winbond W25R, which is a pretty common chip I can manually flash with the laptop powered off. However, that is a PITA, especially with my device that isn't specifically supported by coreboot or derivative project.

I have tried the following:
- using efibootmgr to manage boot options specifically
- using UEFI shell with:
  - bcfg (creates the global UEFI vars, but they don't persist)
  - setvar (can't create global UEFI vars at all)

Open to any suggestions, trying to avoid custom UEFIs until absolutely necessary.

EDIT1: The UEFI implementation seems to have a very rudimentary method for maintaining boot options, as described in the Unified Extensible Firmware Interface wiki (although it isn't random at all, in fact very consistent - they were removed on every reset). The "Fake OS" suggestion described in that same section worked for me.

EDIT2: Added laptop and environment configuration to help others find this post if needed.

Last edited by srpax (2024-12-16 16:49:32)

Scimmia

Fellow

Registered: 2012-09-01

Posts: 12,324

Re: [SOLVED] Read-Only UEFI

https://wiki.archlinux.org/title/Unifie … mware_menu

srpax

Member

Registered: 2024-09-25

Posts: 3

Re: [SOLVED] Read-Only UEFI

https://wiki.archlinux.org/title/Unifie … mware_menu

Good link - I've read this page a handful of times but missed the troubleshoot section for some reason. May be useful to link these tips in boot-loader-specific wiki pages. I ran through the userspace suggestions already, but since the UEFI Shell is equally unable to produce a boot entry, I don't think that's the problem.

§7.7.1 and §7.10 are interesting:
- §7.7.1 describes placing a bootloader at specific fallback locations - this wouldn't work for a boot stub, but I suppose I could try a UKI. Trying to avoid a boot loader since I eventually want to use Secure Boot.
- §7.10 describes the method of using a fake EFI application at a fallback location to prevent any dumb UEFI maintenance routine from clearing out the NVRAM in the case there are no recognized boot options.

I'll update this post with the results of trying these two methods, starting with §7.10 first.

EDIT: The "Fake OS" suggestion in §7.10 worked.

Last edited by srpax (2024-12-16 16:47:05)