[RESPONDED] 11th Gen Intel Core BIOS 3.17 Release

11th Gen BIOS 3.17

Update - April 11, 2023

BIOS 3.17 has been removed from beta and marked as a full release. It is now available for download here:

If you already installed the beta, you do not need to re-install.

11th Gen BIOS 3.17 Beta

We are happy to release a Beta of BIOS 3.17. This fixes several security issues, and improves battery life when DP/HDMI expansion cards are attached. If no major regressions are found, we will move this from Beta to full release after around a week of Community testing.

Why 3.10 to 3.17?

In the 3.10 release, some of the SMBIOS/ESRT metadata was encoded using 0x310, which was converted from hex to decimal, and became 3.16. So we had to skip a few versions ahead so that the hex and decimal versions are both incremented correctly.

Downloads

Windows Installer

https://downloads.frame.work/bios/Framework_Laptop_11th_Gen_Intel_Core_BIOS_3.17.exe

Linux/LVFS

Updating via LVFS is available in the testing channel.

You can enable updates from testing by running:

fwupdmgr enable-remote lvfs-testing

Currently LVFS support has regressed due to fwupdmgr defaulting to file-based capsule update on newer versions, which is not supported in our BIOS.

Please set DisableCapsuleUpdateOnDisk=true in /etc/fwupd/uefi_capsule.conf before applying this update, otherwise the update will fail.

LVFS may not update if the battery is 100% charged. LVFS uses the battery status to determine if it is safe to apply updates. However, if our battery is at 100% and the charger is off, we set the battery charging status to false. In this case you can discharge your battery a few percent, then plug in AC again and run fwupdmgr update.

Downgrading firmware

You can downgrade your firmware by running fwupdmgr downgrade and selecting the version you want to downgrade to. Please note that versions before 3.09 do not have the F3 one time boot file menu if you need to select an alternate bootloader after downgrading.

Linux/Other/UEFI Shell update

https://downloads.frame.work/bios/Framework_Laptop_11th_gen_Intel_Core_BIOS_3.17_EFI.zip

Instructions for EFI shell update:

  1. Extract contents of zip folder to a FAT32-formatted USB drive.
  2. Disable secure boot in BIOS.
  3. Boot your system while pressing F12 and boot from the thumb drive.
  4. Let startup.nsh run automatically.
  5. System will reboot, you can unplug the thumb drive.

Warning! Update may cause your system to lose boot entries.

Updating the BIOS firmware will erase NVRAM boot variables. This can cause some alternate bootloaders or operating systems to fail to boot. This may impact users of rEFInd and some Linux distributions. If your system reboots after updating and cannot find a bootable device, you can manually select a boot device by using the one time boot menu by pressing F3 during boot, and manually selecting your EFI boot file. After this you may need to reinstall grub. See Lost GRUB dual boot after updating to BIOS 3.07 - #6 by XADE

This should not be an issue for Fedora/Ubuntu unless they are installed alongside a Windows partition.

Security Fixes

CVE-2022-35408

CVE-2022-35896

CVE-2022-35893

Changes

  1. Add BIOS menu option in advanced tab to enable standalone operation mode. This will modify onboard LED behavior to remove detection items for audio, touchpad, and display checks triggering debug LED behavior.
  2. Change low battery power LED behavior from red to white.

Fixes

  1. Improve battery life when HDMI/DP expansion cards are attached but no display is connected.
  2. Add support for Capsule on Disk for future updates to improve LVFS compatibility.
  3. Fix system hang when pressing the F12 key during boot with BIOS quiet boot disabled.
  4. Correct BIOS setup item TPM availability missing word.

Known Issues

  1. Thunderbolt devices may not be recognized on S4 resume in some cases, but will be detected by replugging the device.
  2. Touchpad PS2 fallback mode may not work if the user is in an OS that supports the SerialIO driver, and then restarts to an OS that does not support the SerialIO driver, such as trying to reboot into the Windows 11 Installation media. Workaround is to power off the laptop and perform a cold boot into the installer/os to enable PS2 mouse fallback mode if necessary.
22 Likes
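
An added example, not part of the original post or Framework's tooling: a pre-flight script for the LVFS steps in the announcement (the DisableCapsuleUpdateOnDisk setting and the full-battery case), which also decodes the ESRT version as described under "Why 3.10 to 3.17?". The function names, the sysfs locations named in the comments and the sample files are assumptions or constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks before `fwupdmgr update` for this BIOS.
# File paths are arguments so the functions can be exercised on sample files.

# Decode a 32-bit ESRT version into dotted form, one byte per field.
# 0x310 decodes to 0.0.3.16, which is how BIOS 3.10 came to be reported as 3.16.
esrt_quad() {
    v=$(( $1 ))
    echo "$(( (v >> 24) & 255 )).$(( (v >> 16) & 255 )).$(( (v >> 8) & 255 )).$(( v & 255 ))"
}

# True only if the file has an uncommented DisableCapsuleUpdateOnDisk=true line.
capsule_on_disk_disabled() {
    [ -r "$1" ] && grep -Eq \
        '^[[:space:]]*DisableCapsuleUpdateOnDisk[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# True when the battery is at 100% and not reported as charging, the state in
# which the post says the update may be refused. $1 is a power_supply directory.
battery_blocks_update() {
    status=$(cat "$1/status" 2>/dev/null) || return 1
    capacity=$(cat "$1/capacity" 2>/dev/null) || return 1
    [ "$capacity" -ge 100 ] && [ "$status" != "Charging" ]
}

# usage: preflight <conf file> <battery dir> <ESRT fw_version>
preflight() {
    rc=0
    echo "ESRT firmware version: $(esrt_quad "$3")"
    if ! capsule_on_disk_disabled "$1"; then
        echo "set DisableCapsuleUpdateOnDisk=true in $1 first"; rc=1
    fi
    if battery_blocks_update "$2"; then
        echo "battery full and not charging: discharge a few percent, replug AC"; rc=1
    fi
    return "$rc"
}

# Constructed sample inputs so this runs anywhere. On a real system pass
# /etc/fwupd/uefi_capsule.conf, the battery directory under
# /sys/class/power_supply (name varies; assumption) and the number read from
# /sys/firmware/efi/esrt/entries/entry0/fw_version (entry index is an assumption).
demo=$(mktemp -d)
printf '[uefi_capsule]\nDisableCapsuleUpdateOnDisk=true\n' > "$demo/uefi_capsule.conf"
echo 'Charging' > "$demo/status"; echo 97 > "$demo/capacity"
preflight "$demo/uefi_capsule.conf" "$demo" 0x310 && echo "ok to run: fwupdmgr update"
rm -rf "$demo"
```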

OK :slight_smile: Updating . . . .

All seems fine but it did log the battery wear up another 0.9%
It automatically reset the Battery Charge Limit to 100%

1 Like

Thanks for the update and caring about the 11th gen bios!

10 Likes

Thanks for the release! I noticed a couple things last night installing this on an i7-1185G7:

  1. The EC is built from commit c1d06ea, which has not yet been pushed to the EmbeddedController repository ( :frowning: )
  2. UEFITool reports that the BootGuard configuration has changed, and the capsule no longer contains any protected ranges (neat!)

EDIT: You can probably ignore my report that it could not be installed; it’s predictably because my ESP is full!

3 Likes

Just updated from 3.10 on Windows 10, everything looks good so far. I also did some quick before/after testing of active power usage with and without expansion cards for a point of comparison. Here are the results I measured using battery discharge rate from HWiNFO64 on an idle Windows 10 desktop and medium screen brightness:

| Scenario | 3.10 | 3.17 |
|---|---|---|
| Baseline | 2.7 W | 2.7 W |
| Type-A only | 3.1 W | 3.1 W |
| HDMI only | 3.5 W | 3.1 W |
| Type-A + HDMI | 3.8 W | 3.3 W |

Looks like the HDMI expansion card draw did significantly go down as noted in the changelog, which is great! Unfortunately it’s still non-negligible, and combined with the Type-A expansion card, still represents around an extra half watt of power draw over only Type-C expansion cards. Hopefully similar improvements to Type-A cards and/or the previously mentioned expansion card firmware updates can bring these numbers down even closer to the baseline.

8 Likes

@Kieran_Levin - is there an eta for when the update will be available via lvfs? It does not appear at this time. Thank you!

Is fwupdmgr enable-remote lvfs-testing not working for you? Which BIOS version are you trying to upgrade from?

It runs, it just shows no updates are available. This is on manjaro, firmware 3.16 from fwupdmgr --get-devices:

├─System Firmware:
│ │   Device ID:          <redacted>
│ │   Summary:            UEFI ESRT device
│ │   Current version:    0.0.3.16
│ │   Minimum Version:    0.0.0.1
│ │   Vendor:             Framework (DMI:INSYDE Corp.)
│ │   Update State:       Success
│ │   GUIDs:              <redacted>
│ │                       <redacted> ← main-system-firmware
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update

Okay, thanks for the update. Let’s give it a few days or simply go the USB route in the meantime.

Running batch 4 i7-1165G7 with Windows 11 and updated the new BIOS with no issues. Does the RAM have to go through the training process again after BIOS updates? Just asking as there was a delay once the BIOS update was completed and rebooted.

Can you explain what this means?

1 Like

Update - 3.17 shows up in lvfs now and I applied it successfully.

3 Likes

Just updated and did a quick test of S3 suspend/resume with Fedora 36 (mem_sleep_default=deep in kernel command line), all seems well.

Does fix #2 (capsule on disk) mean we’ll not need DisableCapsuleUpdateOnDisk=true going forward?

1 Like

@DHowett we updated the EC repository.

4 Likes

Thanks! I love it!

1 Like

Upgrade worked well via LVFS on Fedora 37. Only thing is that no USB devices were detected on first boot after the upgrade. I had to shut down the machine completely and keep it off for a few seconds, disconnect everything and re-connect after it was powered on again.

Also the Intel ME version does not seem to be patched with this update. The current version has security vulnerabilities:

Intel(R) CSME Version Detection Tool
Copyright(C) 2017-2022, Intel Corporation, All rights reserved.

Application Version: 8.0.1.0
Scan date: 2022-11-30 17:02:03 GMT

*** Host Computer Information ***
Name: framework
Manufacturer: Framework
Model: Laptop
Processor Name: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
OS Version: Fedora Linux 37 (Workstation Edition) (6.0.9-300.fc37.x86_64)

*** Intel(R) ME Information ***
Engine: Intel(R) Converged Security and Management Engine
Version: 15.0.23.1706

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
  The detected version of the Intel(R) Converged Security and Management Engine firmware
  has a vulnerability listed in one or more of the public Security Advisories.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html

In [RESPONDED] Firmware Security: CSME Version - #8 by ari, somebody shared a response from support indicating that 3.17 would not update the CSME to address these vulnerabilities, but that 3.18+ was planned to.

3 Likes

@Kieran_Levin, a quick clarification: does this update improve DP/HDMI power draw during suspend, or only when laptop is active? Thx.

@ssu Was hoping this would improve it so I did some testing.

BIOS 3.09:

BIOS 3.17:

Seems like suspend drain hasn’t changed. This is with 1 HDMI, 2 USB-A, and 1 USB-C cards.

5 Likes