Do we know yet if our BIOS is vulnerable to LogoFAIL? If so, please add this to the list of reasons why we need a new update (preferably with a LogoFAIL fix, though I hesitate to ask for even more, since it seems like Framework is struggling to give us even basic updates). It is still unacceptable that we haven’t gotten security fixes for the BIOS since the factory.
The answer is “Yes”.
I posted a link to an article about this yesterday. As I understand it the attacker would need physical access to the device to change the logo, so the danger is pretty low, though not negligible.
There are also at least two other threads about this. A moderator probably needs to look at merging them before we have every other thread about this.
Yes, according to this list: Finding LogoFAIL: The Dangers of Image Parsing During System Boot | Binarly – AI-Powered Firmware Supply Chain Security Platform
So we know the bad parsers are in the BIOS. I don’t think we know yet if the official logo is in a signed section of the BIOS or if it supports any of the hardcoded paths or NVars to silently load a new logo from the ESP.
So might still be similar to Dell’s vulnerability (Dell logo is signed, would require another vulnerability to even get to the bad parsers) or full-blown vulnerability from the ESP.
Somebody would have to look into the BIOS image to figure out about the built-in logo. Or follow those CWEs, which could possibly reveal whether the other prerequisites for exploits are present/not present.
Edit:
I was curious, so I tried to take a peek:
Yep, the various parser drivers are all present inside the 3.06 image for 12th gen. And if I am reading UefiTool correctly, the Framework Boot logo (in png format, GUID 67A75EF8-C454-45A0-A648-0A2B489F9BD6 in case anybody is interested) is in a section unprotected by Intel Boot Guard (although I have no idea if it is not protected by another signature / checksum transitively).
Curiously I also found the TianoCore logo in Bitmap format in there and network drivers. Did I miss that the FW can PXE boot with the official network adapter?
Edit2: AMD 3.03 image looks very much similar in that regard. Although it includes 3 more PNGs that seem to show some diagnostic info (like no display attached etc.)
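A quick way to reproduce the check described in the post above on a dumped BIOS image, as an added example that is not part of the original thread: scan for an FFS file header carrying the quoted logo GUID and describe its first section. The header layouts are the standard UEFI PI ones (EFI_FFS_FILE_HEADER, EFI_COMMON_SECTION_HEADER); the firmware image here is a constructed stand-in, not a real Framework dump, and the byte scan is a heuristic, not a full firmware-volume parse.

```python
import uuid

# GUID quoted in the post above for the Framework boot logo FFS file.
LOGO_GUID = "67A75EF8-C454-45A0-A648-0A2B489F9BD6"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# EFI_FFS_FILE_HEADER: Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
FFS_HEADER_LEN = 24
EFI_FV_FILETYPE_FREEFORM = 0x02
# EFI_COMMON_SECTION_HEADER: Size(3) Type(1)
SECTION_HEADER_LEN = 4
EFI_SECTION_RAW = 0x19

def guid_to_bytes(text):
    """UEFI stores GUIDs with the first three fields little-endian (uuid's bytes_le)."""
    return uuid.UUID(text).bytes_le

def find_ffs_file(image, guid_text):
    """Heuristic byte scan for FFS headers named by the GUID; describes each hit's first section.
    UEFITool walks the firmware volumes properly; this is only a quick check on a dumped image."""
    needle = guid_to_bytes(guid_text)
    results = []
    pos = image.find(needle)
    while pos != -1:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if len(hdr) == FFS_HEADER_LEN:
            file_size = int.from_bytes(hdr[20:23], "little")
            sec_start = pos + FFS_HEADER_LEN
            sec = image[sec_start:sec_start + SECTION_HEADER_LEN]
            payload = image[sec_start + SECTION_HEADER_LEN:pos + file_size]
            results.append({
                "offset": pos,
                "file_type": hdr[18],
                "file_size": file_size,
                "section_type": sec[3] if len(sec) == SECTION_HEADER_LEN else None,
                "is_png": payload.startswith(PNG_SIGNATURE),
            })
        pos = image.find(needle, pos + 1)
    return results

def build_sample_image():
    """Constructed stand-in for a firmware dump: padding, one FREEFORM file holding a RAW PNG section."""
    payload = PNG_SIGNATURE + b"\x00" * 24  # constructed: signature plus dummy chunk bytes
    section = (SECTION_HEADER_LEN + len(payload)).to_bytes(3, "little") + bytes([EFI_SECTION_RAW]) + payload
    file_size = FFS_HEADER_LEN + len(section)
    header = (guid_to_bytes(LOGO_GUID) + b"\x00\x00" + bytes([EFI_FV_FILETYPE_FREEFORM, 0x00])
              + file_size.to_bytes(3, "little") + b"\xF8")
    return b"\xFF" * 64 + header + section + b"\xFF" * 64
```

The reported offset only tells you where the logo file sits; whether that range falls inside a Boot Guard-protected region still has to be checked separately against the platform's IBB layout.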
Given there are genuine, known, public exploits that affect this computer, this should be an absolute priority within the company. I understand that it is difficult working with an outside partner, but a year with no BIOS update for such a new device is unacceptable.
At the very least a transparent, and clear communication platform should be established. As suggested above, perhaps twice monthly status updates?
Although not cool to have a potential firmware attack, this one is clearly impacting most (except the Chromebook) of Framework’s products; let’s hope they are able to give us a nice new update soon.
maybe this triggers some smaller fast updates for all of us 12th gen users.
Nothing for us 12th gens for over a year after their press release said it was ready, so I say nope.
I come here once a week to check if we have been abandoned. It feels very gross to have made such an investment in Framework in the name of lengthening the life of my and my extended family’s electronics, and to witness first hand the abandonment to focus on more products that likely will also end up abandoned and ultimately in the trash bin.
I’m out of hope for it. Such a bummer and waste. I was genuinely excited for the first time in forever with Tech
Anything new since Apr 12?
Hmm, probably testing “3.08” if those security patches are also coming.
Would be great to get those updates and a version released, even if it doesn’t include all the patches or wanted updates.
We’re now 10 days away from the beta’s 1st birthday. I hope the Framework support team are planning a birthday party with cake to celebrate.
I couldn’t agree more. I got the Framework to replace a 2020 HP Envy x360 with the expectation that it would be more sustainable. The HP has received 13 released BIOS updates (with the latest just a few months ago), the Framework - none. Being able to repair/upgrade hardware is wonderful, but it’s only part of the sustainability equation. To say I’m disillusioned at this point would be an understatement.
I’ve tried very hard to remain patient and not rant post.
but…
This is utterly ridiculous.
Framework would be better off just announcing EOL for 12th gen boards than continue making promises that they clearly can’t uphold.
EOL was effectively December of last year when the standard 90 day window to patch known vulnerabilities was missed.
Well, I already used the term “ridiculous” some months ago to voice my growing dissatisfaction. But after the Framework team joined this discussion and signalled that they take our concerns and questions seriously, and especially after @nrp laid out Framework’s plan for future BIOS development, I really thought everything would get better.
Unfortunately this was two months ago, and since then we have not heard anything from an official.
It is okay for me that Framework cannot provide an update every two weeks, but every two months should be possible, especially for a project that is more than just a little overdue.
Even if it takes longer, it might be a good idea to tell us what a realistic time frame for a new beta release is, and if that ETA is missed, give us a new one and perhaps an explanation of what happened. Framework, please communicate with us!
In the current situation I have postponed further purchases (a matte screen for my 12th Gen as well as a new 13th Gen for a relative), because I am simply unsure (and disappointed) about what is happening here.
Cynically speaking, although I still hope that’s not the reason: Framework doesn’t make money by supporting bought products, they make money by selling new products with the promise of sustainability (which also includes BIOS updates)…
2 years in Europe. (or huh, patch window?)
Hi folks,
Just a note that we have not forgotten about you. At this time, this last post from Nirav outlines the process we’ll use when we’re ready.
We genuinely appreciate your patience as we are a small team of rock stars undertaking a herculean effort as we make amazing products.
Speaking for myself, I appreciate your perspective on this. Yes, I absolutely hear you and no, we’re not ignoring you. When I have an update, you will see it here. This will be the go-to thread.
Thanks everyone.
Hey @Matt_Hartley thanks for the update. Do you have answers to my questions from August yet?
I’ll ping ya there. - DM’d ya. The idea here is to keep these threads on focus - releases and beta testing. Thanks
All,
This will be the last reply on this thread until we have an update.