heads Msi dasharo upstream

Replaces #1962

This is based on Dasharo's coreboot instead of coreboot 25.03.

This is draft for the moment, I'll be testing MSI Pro Z790-P DDR5 on Thursday 28th. I'll un-draft post testing.

It should work, as I have been using my custom fork https://github.com/Tonux599/heads/tree/my-custom-msi_z790p_ddr5 for awhile now without issue. However, that fork is not suitable for most as I've customised it for my own uses (like forcing XMP, disabling hyperthreading, etc).

@mblanqui @Hexdigest123 can you test on your boards?

Need to do some commit cleanup pre-merge also.

TODO:

[x] Maybe upgrade to Dasharo v1.1.5/v0.9.3

Aug 27 '25 00:08 Tonux599

See table below for artefacts ready to be tested.

Board	Artefacts
UNTESTED_msi_z690a_ddr4	https://app.circleci.com/pipelines/github/Tonux599/heads/146/workflows/e5e32e13-c5f3-41e8-b965-49accd44880f/jobs/1666/artifacts
UNTESTED_msi_z690a_ddr5	https://app.circleci.com/pipelines/github/Tonux599/heads/146/workflows/e5e32e13-c5f3-41e8-b965-49accd44880f/jobs/1676/artifacts
UNTESTED_msi_z790p_ddr4	https://app.circleci.com/pipelines/github/Tonux599/heads/146/workflows/e5e32e13-c5f3-41e8-b965-49accd44880f/jobs/1667/artifacts
msi_z790p_ddr5	https://app.circleci.com/pipelines/github/Tonux599/heads/146/workflows/e5e32e13-c5f3-41e8-b965-49accd44880f/jobs/1679/artifacts

I have tested msi_z790p_ddr5 myself and it works without issue. A few things to note:

No USB keyboard support.
PS/2 keyboard work (this was unsupported in Dasharo's release).
No HOTP support.
There's no bootsplash right now as at one point it was causing hangs. This can be retested later if required.
This uses flashprog instead of flashrom. Dasharo's release used their own flashrom branch, but current heads flashprog works fine for my board.

In the future, we can create variants supporting USB keyboard and HOTP if the community requires.

Future issues that need addressing are:

Making sure bootsplash works.
Avoiding the workaround for >16MiB flash (41251770065eed4e509ccf736437294447676ce0, bf9708f4c0b8266cd313f3dcbe6584cd40b74fd5, and 9be0ce316771fddafcb623bd0dd05de915b872d5). A fix to flashtools may help here. The current workaround adds time to boot.

@tlaurion this is good to merge IMO, msi_z790p_ddr5 works great. It's now over to others to test their variants.

Aug 28 '25 12:08 Tonux599

Thanks so much for this PR! Testing it on my z790p pro DDR5 and it works great (I enabled USB keyboards)

Sep 17 '25 23:09 aphick

Thanks so much for this PR! Testing it on my z790p pro DDR5 and it works great (I enabled USB keyboards)

Did you have any issues setting the whole thing up or were there any hoops i would try it on my device but the last thing i wanna do is reflash my board with a programmer because the firmware ripped it apart

Sep 18 '25 09:09 Hexdigest123

Thanks so much for this PR! Testing it on my z790p pro DDR5 and it works great (I enabled USB keyboards)

Did you have any issues setting the whole thing up or were there any hoops i would try it on my device but the last thing i wanna do is reflash my board with a programmer because the firmware ripped it apart

You shouldn't need a programmer. You can just flash from a USB stick on the port on the back.

https://docs.dasharo.com/unified/msi/recovery/#using-msi-flashbios-button

Sep 18 '25 12:09 Tonux599

Im gonna try it on the weekend gonna give you guys an update on saturday or sunday

Sep 18 '25 13:09 Hexdigest123

Can i just build it normally via the docker or do i need some extra tailoring i would have just pulled your fork and build it like in the documentation

Sep 18 '25 13:09 Hexdigest123

Can i just build it normally via the docker or do i need some extra tailoring i would have just pulled your fork and build it like in the documentation

Just checkout the fork and run ./docker_latest.sh make BOARD=whatever. Or just download the builds here: https://github.com/linuxboot/heads/pull/1995#issuecomment-3233390635

Sep 18 '25 15:09 Tonux599

How do I enable USB keyboard support, and if it's already somewhat stable, I'd move to Heads completely if you think this is feasible.

Sep 18 '25 15:09 Hexdigest123

How do I enable USB keyboard support, and if it's already somewhat stable, I'd move to Heads completely if you think this is feasible.

I set export CONFIG_USB_KEYBOARD=y in boards/msi_z790p_ddr5/msi_z790p_ddr5.config but this did NOT enable them. Once flashed I had to use a PS2 Keyboard to enable USB keyboards in the Heads settings

Sep 18 '25 15:09 aphick

How do I enable USB keyboard support, and if it's already somewhat stable, I'd move to Heads completely if you think this is feasible.

I set export CONFIG_USB_KEYBOARD=y in boards/msi_z790p_ddr5/msi_z790p_ddr5.config but this did NOT enable them. Once flashed I had to use a PS2 Keyboard to enable USB keyboards in the Heads settings

Thanks for the warning, well i need to look forward on how to handle that issue before flashing heads

Sep 18 '25 15:09 Hexdigest123

How do I enable USB keyboard support, and if it's already somewhat stable, I'd move to Heads completely if you think this is feasible.

I set export CONFIG_USB_KEYBOARD=y in boards/msi_z790p_ddr5/msi_z790p_ddr5.config but this did NOT enable them. Once flashed I had to use a PS2 Keyboard to enable USB keyboards in the Heads settings

Looks like it should be CONFIG_REQUIRE_USB_KEYBOARD=y not CONFIG_USB_KEYBOARD=y. Thank you for raising this, looks like it changed since Dasharo's Heads release.

@Hexdigest123 please use CONFIG_REQUIRE_USB_KEYBOARD=y and report back your test results. Also, what board are you using?

Sep 18 '25 16:09 Tonux599

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

Sep 18 '25 16:09 Tonux599

How do I enable USB keyboard support, and if it's already somewhat stable, I'd move to Heads completely if you think this is feasible.

I set export CONFIG_USB_KEYBOARD=y in boards/msi_z790p_ddr5/msi_z790p_ddr5.config but this did NOT enable them. Once flashed I had to use a PS2 Keyboard to enable USB keyboards in the Heads settings

Looks like it should be CONFIG_REQUIRE_USB_KEYBOARD=y not CONFIG_USB_KEYBOARD=y. Thank you for raising this, looks like it changed since Dasharo's Heads release.

@Hexdigest123 please use CONFIG_REQUIRE_USB_KEYBOARD=y and report back your test results. Also, what board are you using?

Im using the msi_z790p_ddr5 and thanks for the clarification

Sep 18 '25 16:09 Hexdigest123

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2?

If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security?

Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

Sep 18 '25 16:09 tlaurion

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2?

If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security?

Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

If CONFIG_USER_USB_KEYBOARD=y is set a build time can it be disabled by the user later? That might be the best of both worlds and yeah maybe sometime add a warning somewhere that it has been enabled.

Sep 18 '25 17:09 Tonux599

Looks like Dasharo literally just released new versions for the MSI boards, so will update sometime.

https://docs.dasharo.com/variants/msi_z690/releases/#v115-2025-09-18 https://docs.dasharo.com/variants/msi_z790/releases/#v093-2025-09-18

non-LTS so may not be as stable though.

Sep 18 '25 17:09 Tonux599

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2?

If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security?

Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

If CONFIG_USER_USB_KEYBOARD=y is set a build time can it be disabled by the user later? That might be the best of both worlds and yeah maybe sometime add a warning somewhere that it has been enabled.

All laptop boards now build and ship usb hid, but don't load it by default unless configured so. config-gui.sh documents this as code.

Sep 18 '25 17:09 tlaurion

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2?

If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security?

Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

If CONFIG_USER_USB_KEYBOARD=y is set a build time can it be disabled by the user later? That might be the best of both worlds and yeah maybe sometime add a warning somewhere that it has been enabled.

All laptop boards now build and ship usb hid, but don't load it by default unless configured so. config-gui.sh documents this as code.

Sep 18 '25 17:09 tlaurion

Looks like Dasharo literally just released new versions for the MSI boards, so will update sometime.

https://docs.dasharo.com/variants/msi_z690/releases/#v115-2025-09-18 https://docs.dasharo.com/variants/msi_z790/releases/#v093-2025-09-18

non-LTS so may not be as stable though.

Both based on coreboot 24.12.

As general advice, use make coreboot helpers to save in defconfig format, remove config lines there that should not be overriden, and then use helper to save back in oldconfig format.

@Tonux599 do you plan on bumping coreboot version soon? Mostly all boards but NV4x seem to have been bumped, which heads share for buildstack for most boards.

Sep 19 '25 19:09 tlaurion

@tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2?

If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security?

Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

If CONFIG_USER_USB_KEYBOARD=y is set a build time can it be disabled by the user later? That might be the best of both worlds and yeah maybe sometime add a warning somewhere that it has been enabled.

As said in prior comment, the idea here was to have users use ps2 when supported (or on-board keyboards for laptops) to enable us keyboard once per options config override or at build time (board config), letting the default be safer (ps2 safer then us for keyboards in regard of rubber ducky).

I would like to read a good justification to change this first, from a real use case that would justify usb keyboard when ps2 is available from motherboard connector @Hexdigest123 ? Why do you prefer usb to ps2?

Sep 19 '25 19:09 tlaurion

E> > > @tlaurion re discussion above, would you like me to create usb keyboard variants? That would double the number of board configs though.

I am not sure about this. People coming to Heads, having a board that permits ps2 keyboard but deciding to use USB? USB hid being a security risk, is there anything justifying usage of USB keyboard vs ps2? If so, what about we enable it in config by default, and warn the user to deactivate it through config for additional security? Otherwise I don't have anything against it per se, but we might at some point hit some limitations through CircleCI for free tier build time but we ar not there yet.

If CONFIG_USER_USB_KEYBOARD=y is set a build time can it be disabled by the user later? That might be the best of both worlds and yeah maybe sometime add a warning somewhere that it has been enabled.

As said in prior comment, the idea here was to have users use ps2 when supported (or on-board keyboards for laptops) to enable us keyboard once per options config override or at build time (board config), letting the default be safer (ps2 safer then us for keyboards in regard of rubber ducky).

I would like to read a good justification to change this first, from a real use case that would justify usb keyboard when ps2 is available from motherboard connector @Hexdigest123 ? Why do you prefer usb to ps2?

I think USB support from the pre-built images isn't strictly necessary, but I prefer it because I'm not going to buy a PS/2 keyboard just to use my USB keyboard. Having the option to turn it on and build it myself is fine with me. I'm just glad someone did the heavy lifting of upgrading Heads to the newest version, and a big thanks again.

I'm in the process of flashing the ROM onto my board and will give you an update.

Sep 19 '25 20:09 Hexdigest123

Before i switch over to the firmware for more then just a few tests does it have the new microcode for 14th Gen Intel CPU's so its not getting fried?

Sep 19 '25 20:09 Hexdigest123

I switched my firmware, and from what I can tell, the startup works just fine. However, I'll need a PS/2 keyboard, which I'll buy tomorrow, since the "CONFIG_REQUIRE_USB_KEYBOARD=y" flag didn't work for some reason.

I'll be back for the full test.

Sep 19 '25 21:09 Hexdigest123

I switched my firmware, and from what I can tell, the startup works just fine. However, I'll need a PS/2 keyboard, which I'll buy tomorrow, since the "CONFIG_REQUIRE_USB_KEYBOARD=y" flag didn't work for some reason.

I'll be back for the full test.

The PR that made things configurable, usb hid module included by default, while not loaded unless configured by user was https://github.com/linuxboot/heads/pull/1838

Init: https://github.com/linuxboot/heads/blob/master/initrd%2Finit#L189

Calling enable _usb from etc/functions : https://github.com/linuxboot/heads/blob/master/initrd%2Fetc%2Ffunctions#L387

So either export CONFIG_USB_KEYBOARD_REQUIRED=y

Or

export CONFIG_USER_USB_KEYBOARD=y

In board config should work @Hexdigest123. If exported variables in board config don't match what code expects, the driver won't be loaded by enable_usb and usb hid won't be there so usb keyboard won't work.

Edit: Export requirements missing under https://github.com/linuxboot/heads/blob/master/doc/config.md

Sep 19 '25 22:09 tlaurion

Hi, I just tried out your fork. It seems I'm doing something wrong because it's not working at all (basic setup, booting into an OS). Here is some output that might help.

I tried the following:

Reset TPM
OEM Ownership
Add PGP Key via the interface
Reflashed HEADS again
Reset HOTP, TOTP

Sep 20 '25 18:09 Hexdigest123

@Hexdigest123 what TPM module are you using?

Sep 20 '25 18:09 Tonux599

Looks like Dasharo literally just released new versions for the MSI boards, so will update sometime. https://docs.dasharo.com/variants/msi_z690/releases/#v115-2025-09-18 https://docs.dasharo.com/variants/msi_z790/releases/#v093-2025-09-18 non-LTS so may not be as stable though.

Both based on coreboot 24.12.

As general advice, use make coreboot helpers to save in defconfig format, remove config lines there that should not be overriden, and then use helper to save back in oldconfig format.

@Tonux599 do you plan on bumping coreboot version soon? Mostly all boards but NV4x seem to have been bumped, which heads share for buildstack for most boards.

Maybe. Added it to a TODO on first post. Will do some testing on my custom branch first, but might leave it to the future as currently this PR has about 2 months of stability testing going for it.

Sep 20 '25 18:09 Tonux599

Before i switch over to the firmware for more then just a few tests does it have the new microcode for 14th Gen Intel CPU's so its not getting fried?

It uses whatever is here https://github.com/Dasharo/dasharo-blobs/tree/main/msi

Of-course, your OS may update it anyway on boot.

Sep 20 '25 18:09 Tonux599

@Hexdigest123 what TPM module are you using?

I bought this mainboard and I'm not sure, but I believe it should have a TPM 2.0 MSI MS-4462 (9672) module. https://shop.3mdeb.com/product/msi-pro-z790-p-wifi-ddr5-motherboard-with-dasharo-pro-package/

Sep 20 '25 18:09 Hexdigest123

@Hexdigest123 what TPM module are you using?

I bought this mainboard and I'm not sure, but I believe it should have a TPM 2.0 MSI MS-4462 (9672) module. https://shop.3mdeb.com/product/msi-pro-z790-p-wifi-ddr5-motherboard-with-dasharo-pro-package/

I can't see on that product page that it ships with a TPM installed? Where you using Dasharo's Heads before and was it working? Can you check to see if the TPM is installed to the motherboard?

The errors in your screenshot show that the TPM can't be found by the kernel. So either it's not installed, or something else is wrong that is hiding it.

Sep 20 '25 18:09 Tonux599