Dmiconfig (hardware compatibility mode)
Dmiconfig (hardware compatibility mode)
To date, general support of new computers is a costly and time-consuming process – the sheer number of new notebook models grows every day. Each model brings new hardware and software with it – a challenge for any software that works so closely with the hardware, as with Matrix42 Full Disk Encryption.
A hardware compatibility mode has been introduced to allow for the support of older or unusual hardware configurations until they can be researched and fully supported in a future release. For example:
- Hardware does not function correctly under Windows after successful PBA authentication. This includes hardware that is no longer recognized. The cause of such a failure is that once successful authentication has taken place in the Linux PBA not all the BIOS settings can be correctly handled and set for Windows.
- Hardware support for newer systems as yet not natively supported by Matrix42 Full Disk Encryption.
- Poorly programmed BIOS.
Mechanisms
It is now possible to use two mechanisms to change the boot method as well as select an alternative Linux kernel configuration that enables ACPI support:
- Boot mechanism;
Changes the method with which information is passed from the PBA to the FDE 16-bit code – known as KICKSTART.
- Alternative kernel with ACPI support.
Booth Method | Details | |
---|---|---|
Boot mechanisms |
KICKSTART=[BIOS] |
Standard mechanism used by Matrix42 and should not be edited. |
KICKSTART=[FAST] |
This mechanism has been implemented for systems that have unusual hardware configurations not supported by the KEXEC mechanism. |
|
KICKSTART=[KEXEC] |
This mechanism is similar to KICKSTART=BIOS but does not need a reboot. |
|
Alternative kernel |
KERNEL=/boot/bzImage-acpi |
This will automatically select an alternative Linux kernel configuration that enables ACPI kernel with DRM support. This is something found almost exclusively in desktop computers and is rarely needed. |
The KEXEC and FAST mechanisms should be used only if the standard mechanism (BIOS) does not work.
Screen parameters
- PBA_RESOLUTION
Defines the default or specific resolution of the display when loading PBA.
- PBA_RESOLUTION=DEFAULT uses the resolution specified in the default settings of a device.
- PBA_RESOLUTION=800x600 (where 800 is width and 600 is height) uses the certain specified resolution.
Kernel parameters
- Irqpoll
Alters the way that the kernel handles interrupts. This is useful if the PBA kernel log shows messages stating that an interrupt occurred.
- ¾ pci=snb -enable -ahci -to -legacy
Matrix42 AHCI mode kernel option switches the chipset to ATA mode prior to performing the soft reset which boots the Windows. It fixes many instances where the chipset is in AHCI mode and the soft reset fails to boot Windows.
Default computers
Some computers have already been identified as ready for hardware compatibility mode and have already been included in the msi package (this can be edited). They are the following:
- Acer Veriton M665 (KICKSTART=KEXEC)
- Fujitsu-Siemens C1110D (KICKSTART=BIOS plus KERNEL=/boot/bzImage-acpi)
- Fuijitsu S710 and E780 (KICKSTART=KEXEC)
- LenovoS12 (KICKSTART=BIOS)
- Panasonic ToughbookCF-19.3 (KICKSTART=KEXEC)
- Panasonic ToughbookCF-52 (KICKSTART=KEXEC)
- Toshiba TecraS4 (KICKSTART=BIOS)
How to implement?
A helper application is provided with the product package called dmiconfig (direct media interface configuration) that allows you to obtain the information necessary to create a new default configuration setup (whitelist) for deployment with the msi package. Systems defined by default in this file (dmi.ini) file will be automatically installed and booted accordingly.
Dmiconfig tool
Open dmiconfig by starting a command prompt and entering <path>dmiconfig into the command line. This will display the following options:
Command line parameter | Details |
---|---|
export
|
Copy the default *.ini files from the PBA partition to the Windows partition under c:\windows\nac\sbs. NOTE: If the files on the Windows partition are newer than the files on the PBA partition, the operation will fail. The following option is available: --force: force the replacement of newer files. |
import
|
This will copy the custom configuration file from the Windows partition to the PBA partition. If the file on the PBA partition is newer then the file on the Windows partition, the operation will fail. The following option is available: --force: force the replacement of newer files. |
dump
|
Dump the effective configuration for the machine on which dmiconfig is running. The result is displayed in the command line. For example: [Acer,Veriton T/M/S661;461] DMI_SYS_VENDOR=Acer DMI_PRODUCT_NAME=Veriton T/M/S661;461 The following options are available: --short: Perform the shortest possible configuration dump (recommended for broad rollouts). --long: Perform the longest possible configuration dump (recommended for specific computers as this includes serial number information etc.). --pba: View the current DMI configuration used by the PBA. --db: Dump the content of the two configuration files on the PBA-Partition (must be used with --pba). |
set |
Replace settings for the machine on which dmiconfig is running. The following option is available: --pba: If you do not use this parameter, you have to call dmiconfig import to activate the new configuration. |
stat |
Check if the files on the PBA-Partition are the same as the files on the Windows Partition. This will then inform you if the configuration needs updating or not:
|
Creating a dmi file to be included in the installation
- Install, but do not initialize Matrix42 Full Disk Encryption.
- Open a command shell (run as administrator) and start the dmiconfig.exe tool in the Helper Applications directory.
- Enter the following command: dmiconfig dump. This will display the configuration of the computer.
- Open the file C:\WINDOWS\NAC\SBS\dmi.default.ini in a text editor add the lines of configuration that were dumped in the previous step.
- Under the configuration add the line KICKSTART=BIOS or KICKSTART=KEXEC depending on which mechanism that works on the target computer.
- To boot the computer using the alternative Linux kernel (with ACPI support) add the following: KERNEL=/boot/bzImage-acpi.
- The final entry should look something like this:
[Acer,Veriton T/M/S661;461] DMI_SYS_VENDOR=Acer DMI_PRODUCT_NAME=Veriton T/M/S661;461 KICKSTART=KEXEC KERNEL=/boot/bzImage-acpi
- Save the file as dmi.ini to a location of your choice. Place the file in the same installation directory as the msi package so that it will be automatically included in the rollout.
Adding current configuration to the PBA
- Install and initialize the FDE component, install, but do not initialize the PBA component.
- Reboot as prompted after FDE initialization.
- Follow steps 1 – 6 as stated above for dmi creation.
- Save the file as dmi.ini under C:\WINDOWS\NAC\SBS\.
- Initialize the PBA component.
- Go back to the open command prompt and enter the following syntax: dmiconfig.exe import.
- Reboot the computer.
- The PBA will appear as normal. After successful authentication, a quick reboot will be performed in compatibility mode.