corrupted BIOS due to Intel SPI bug in kernel
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Boot-Repair |
Fix Released
|
Medium
|
YannUbuntu | |||
Linux |
Confirmed
|
Medium
|
||||
linux (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | |||
Artful |
Fix Released
|
Critical
|
Unassigned | |||
linux-hwe-edge (Ubuntu) | ||||||
Xenial |
Fix Released
|
Critical
|
Unassigned | |||
linux-oem (Ubuntu) | ||||||
Xenial |
Fix Released
|
Critical
|
Unassigned |
Bug Description
An update to linux kernel on Ubuntu 17.10 that enabled the Intel SPI drivers results in a serial flash that is read only in Intel Broadwell and Haswell machines with serial flashes with SPI_NOR_HAS_LOCK set.
Warning: 32bit iso on sourceforge for boot-repair-disk still contains unpatched Kernel. This is especially dangerous if boot-repair fails to repair the system to a bootable state, as there will be no way of applying the Fix detailed below.
Symptoms:
* BIOS settings cannot be saved
* USB Boot impossible
* EFI entries read-only.
---
Fix: The issue was fixed in kernel version 4.13.0-21 by configuring the kernel so it is not compiled with Intel SPI support. But previous affected machines still suffered from a broken BIOS.
Repair: If you still can boot into Ubuntu, you can recover your BIOS with the following steps:
1. Boot into Ubuntu
2. Download http://
3. Install the downloaded package:
$ sudo dpkg -i linux-image-
4. Make sure the kernel is installed without any error. Once installed, reboot.
5. At grub, choose the newly installed kernel. You can choose the "recovery" mode.
6. Reboot and go to BIOS settings to confirm your BIOS has been recovered.
7. In case your BIOS is not recovered, reboot to the new kernel, then reboot *once again* to the new kernel, do not enter BIOS settings before the reboot. After the second reboot, check BIOS.
8. If your BIOS issue remains, download another kernel from http://
After your BIOS is fixed, the kernel packages you just installed are no longer needed, you can remove it by running 'sudo dpkg -r linux-image-
The patch used to build the linux v4.15 kernel in step 8 can be found at https:/
If you have applied updates, and find that you can not boot the above fixed kernel because of Secure Boot and that the kernel is unsigned, but can still boot another kernel for your system; here's what you can do:
1) Download http://
$ wget http://
2) Copy grubx64.efi.signed over /boot/efi/
$ sudo cp grubx64.efi.signed /boot/efi/
3) Reboot; you should now be able to load the new unsigned kernel that allows fixing firmware / SPI.
4) Once you're satisfied that things work; boot to Ubuntu with a standard, signed kernel, and re-install the right GRUB version for your system:
$ sudo grub-install
---
Test Case: Fix has been verified by our HWE team on affected hardware.
Regression Potential: Minimal, it's unlikely anyone is actually doing anything which requires this driver.
---
Affected Machines:
Lenovo B40-70
Lenovo B50-70
Lenovo B50-80
Lenovo Flex-3
Lenovo Flex-10
Lenovo G40-30
Lenovo G50-30
Lenovo G50-70
Lenovo G50-80
Lenovo S20-30
Lenovo U31-70
Lenovo Y50-70
Lenovo Y70-70
Lenovo Yoga Thinkpad (20C0)
Lenovo Yoga 2 11" - 20332
Lenovo Yoga 3 11"
Lenovo Z50-70
Lenovo Z51-70
Lenovo ideapad 100-15IBY
Acer Aspire E5-771G
Acer Aspire ES1-111M-C1LE (fixed following your new instruction (thank you))
Acer TravelMate B113
Acer Swift SF314-52 (Fixed by 4.14.9)
Toshiba Satellite S55T-B5233
Toshiba Satellite L50-B-1R7
Toshiba Satellite S50-B-13G
Toshiba Satellite L70-A-13M
Dell Inspiron 15-3531
Mediacom Smartbook 14 Ultra M-SB14UC (fixed with official fix)
Acer Aspire E3-111-C0UM
HP 14-r012la
Fujitsu Q584 (unable to fix due to non booting OS on the tablet)
---
Affected serial flash devices by manufacturer part number, JEDEC ID (SPI_NOR_HAS_LOCK set in drivers/
/* ESMT */
f25l32pa, 0x8c2016
f25l32qa, 0x8c4116
f25l64qa, 0x8c4117
/* GigaDevice */
gd25q16, 0xc84015
gd25q32, 0xc84016
gd25lq32, 0xc86016
gd25q64, 0xc84017
gd25lq64c, 0xc86017
gd25q128, 0xc84018
gd25q256, 0xc84019
/* Winbond */
w25q16dw, 0xef6015
w25q32dw, 0xef6016
w25q64dw, 0xef6017
w25q128fw, 0xef6018
---
Original Description:
Basically on Lenovo Y50-70 after installing Ubuntu 17.10, many users reported a corrupted BIOS.
It's not possible to save new settings in BIOS anymore and after rebooting, the system starts with the old settings.
Moreover (and most important) USB booting is not possible anymore since USB is not recognized. It's very serious, since our machines do not have a CDROM.
Lenovo forums at the moment are full of topics regarding this issue.
Thank you!!
CVE References
information type: | Private Security → Public |
summary: |
- Ubuntu 17.10 corrupting BIOS - Lenovo Y50-70 + Ubuntu 17.10 corrupting BIOS - many LENOVO laptops models |
description: | updated |
description: | updated |
Changed in grub2 (Ubuntu): | |
status: | Fix Released → Confirmed |
affects: | grub2 (Ubuntu) → linux (Ubuntu) |
Changed in linux (Ubuntu): | |
status: | Incomplete → New |
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
tags: | added: artful |
tags: | added: apport-collected wayland-session |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
status: | Incomplete → Confirmed |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
importance: | High → Critical |
Changed in linux (Ubuntu Artful): | |
importance: | Undecided → Critical |
status: | New → Confirmed |
tags: | added: kernel-key |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in linux (Ubuntu Artful): | |
status: | Confirmed → Fix Committed |
Changed in linux-hwe-edge (Ubuntu Artful): | |
status: | New → Invalid |
Changed in linux-oem (Ubuntu Artful): | |
status: | New → Invalid |
Changed in linux (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-hwe-edge (Ubuntu Xenial): | |
status: | New → Fix Committed |
Changed in linux-oem (Ubuntu Xenial): | |
status: | New → Fix Committed |
Changed in linux-hwe-edge (Ubuntu): | |
status: | New → Confirmed |
Changed in linux-oem (Ubuntu): | |
status: | New → Confirmed |
tags: | added: verification-needed-artful |
tags: |
added: verification-failed-artful removed: verification-needed-artful |
tags: |
added: verification-done-artful removed: verification-failed-artful |
description: | updated |
description: | updated |
Changed in linux (Ubuntu Artful): | |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in linux-hwe-edge (Ubuntu Xenial): | |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
Changed in linux-oem (Ubuntu Xenial): | |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
no longer affects: | linux (Ubuntu Xenial) |
no longer affects: | linux-hwe-edge (Ubuntu) |
no longer affects: | linux-hwe-edge (Ubuntu Artful) |
affects: | linux (openSUSE) → ubuntu-translations |
no longer affects: | ubuntu-translations |
no longer affects: | linux-oem (Ubuntu) |
no longer affects: | linux-oem (Ubuntu Artful) |
Changed in linux-hwe-edge (Ubuntu Xenial): | |
importance: | Undecided → Critical |
Changed in linux-oem (Ubuntu Xenial): | |
importance: | Undecided → Critical |
description: | updated |
description: | updated |
description: | updated |
Changed in linux (Ubuntu Artful): | |
assignee: | nobody → Seb (seb-y) |
assignee: | Seb (seb-y) → nobody |
description: | updated |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
assignee: | nobody → ramdas chormale (ramdaschormale) |
Changed in linux (Ubuntu Artful): | |
assignee: | nobody → Derek Ashby (delsubuntu) |
Changed in linux (Ubuntu Artful): | |
assignee: | Derek Ashby (delsubuntu) → nobody |
Changed in linux (Ubuntu): | |
assignee: | ramdas chormale (ramdaschormale) → nobody |
description: | updated |
description: | updated |
tags: | added: patch |
tags: | removed: kernel-key |
description: | updated |
description: | updated |
description: | updated |
summary: |
- Ubuntu 17.10 corrupting BIOS - many LENOVO laptops models + corrupted BIOS due to Intel SPI bug in kernel |
description: | updated |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in linux (Ubuntu): | |
status: | Fix Released → Fix Committed |
description: | updated |
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
assignee: | nobody → tovagliari amos (tovatamos) |
tags: | added: dell-inspiron-13-7352 |
Changed in linux (Ubuntu): | |
assignee: | tovagliari amos (tovatamos) → nobody |
Changed in linux (Ubuntu): | |
assignee: | nobody → Gino Amon (gmartel.amon) |
Changed in linux (Ubuntu): | |
assignee: | Gino Amon (gmartel.amon) → nobody |
description: | updated |
Changed in linux (Ubuntu): | |
assignee: | nobody → Fujinaga Daiki (fr099) |
Changed in linux (Ubuntu): | |
assignee: | Fujinaga Daiki (fr099) → nobody |
tags: | added: cscc |
description: | updated |
description: | updated |
description: | updated |
Changed in boot-repair: | |
status: | New → Triaged |
importance: | Undecided → Medium |
assignee: | nobody → YannUbuntu (yannubuntu) |
Changed in linux: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Created attachment 256825
early boot log with kernel 4.11.2
My machine boots fine with kernel 4.11.3. However, on the next boot, the firmware says: "Configuration Changed - Requires restart", and the firmware settings are reset to defaults. There was no such issue with the 4.10 kernels.
My machine is a Lenovo Thinkpad Yoga (first generation) with the latest firmware revision.
I attach a piece of logs I gathered booting kernel 4.11.2 with efi=debug. Is there any other piece of data I can provide?