This was 2 weeks ago.
Are there any updates on this? When can we expect the update? Is it still a long way to go?
Just got to be patient. As Kieran mentioned, they're still doing validation on the bios build. Better they take the time to properly validate it than to rush out a bios that could brick your laptop or some functionality.
Is there anything wrong in my wording? I am just asking for an update. People are waiting for this.
There's a lot going on in the background and they'll provide an update when they're ready to release it. Something to remember is they contract out bios work to Insyde so things can take a while.
For anyone curious about timelines, before this update 3.06 was released as beta, we had a comment from Kieran roughly about 2 months before, about this update being in the works. I believe it was after FW announced Thunderbolt 4 certification for 12th gen.
Point is, even if Kieran wants to get a new bios version out, we are looking at a similar time frame.
I understand, waiting sucks, I've been daily driving this beta release for 6+ months. Unfortunately FW is still a small company. I would like FW to exist in 5 years, so let's give them the room to grow reasonably.
Having trouble finding consistent info on the topic, what should our retimer versions be? I've noticed that I have to reseat my type a and Ethernet expansion card on boot for them to work.
Thank you very much, now I have a rough guesstimate (all I wanted).
Framework 16 just opened for preorders so I assume they're very busy right now.
They're working on fixing a fingerprint reader bug on the 13th gen too. IMO though, the vulnerabilities in the 12th gen should be much higher priority than a fingerprint reader malfunction.
Maybe I'm out of touch since I don't work in this industry, but active vulns are never left unaddressed for longer than 90 days max in my industry (and are normally patched within hours).
Seems to me like it's been about a year since 12th gen came out and we have not received any "complete"/official updates (only this beta). Going forward I am keeping a close eye on how they plan to support the newer 13" and the 16" before I consider purchasing anything Framework. With respect to the promises we keep getting, the saying "Fool Me Once, Shame on You; Fool Me Twice, Shame on Me" comes to mind.
I don't know if I missed something, but the Software Center in Fedora 38 on a 12th Gen offers me an update. But actually the update is not released yet, right?
Is there a way I can prevent the update (I'm new to Fedora, used to run Ubuntu till recently)?
Sure it's not just the SecureBoot dbx update?
According to LVFS: Home the only updates hosted at this time are those we know about and marked as Beta/Testing.
You might have the lvfs testing repo enabled.
Out of curiosity, I went through all the vulnerabilities mentioned in the top post here.
Almost all of them are about privilege escalation from ring 0 to ring -2, which means that code running in the kernel (e.g. device drivers) can exploit the vulnerability to elevate privileges into system management mode (SMM). Practically, these sorts of vulnerabilities aren't terribly critical for end-users, because they already require a deeply compromised system that is running malware in the kernel.
2 vulnerabilities are different, though:
CVE-2022-35897 can only be exploited during boot and requires physical access to the machine. This sort of attack is only relevant for very niche threat models and so also doesn't seem like a realistic concern for most users.
CVE-2022-36337 looks somewhat worse than all the other vulnerabilities, since it is potentially exploitable from ring 3:
An attacker with local privileged access can exploit this vulnerability to elevate privileges from ring 3 or ring 0 (depends on the operating system) to a DXE Runtime UEFI application and execute arbitrary code.
It sadly doesn't include much detail beyond that, but "ring 3" is where all user applications run, so it is more accessible to malware than ring 0. It does mention "privileged access", which I understand as root/Administrator privileges, so presumably not every application can do it. It also doesn't mention which OS allows exploitation from ring 3, unfortunately.
Ultimately though, exploiting this vulnerability would still at the very least seem to require the user to run specially crafted malware as root or with Administrator privileges, so if you take the usual precautions, this is also not something to worry about, usually.
All that said, there is absolutely no situation in which leaving 9 vulnerabilities in your firmware unpatched for half a year after public disclosure is in any way a good look. I am sure Framework understands this, but it is still sad to see, small company or not. (It's entirely possible that the reason the progress has been so slow is due to Insyde or Intel taking their sweet time, but the almost complete radio silence on this issue is worrying.)
I expect the main issue is the choice to bundle the security fixes with the changes to support Thunderbolt certification. I'm sure it's the latter (and not the security fixes) that's the source of the bugs causing the delay in a final release, since those changes are likely the bulk of the complexity in the update.
That choice does not leave me with a positive impression. The security fixes should have been released standalone, with the Thunderbolt certification changes held for the next release. Bundling everything together feels like a pretty rookie software development mistake to me, even considering that a BIOS/firmware update is a riskier kind of update than other kinds of software updates, which might lead someone to think that the better move would be fewer overall updates.
Meanwhile, another nearly four weeks have passed and there is no further feedback from Framework. The communication behavior is lousy.
Forgive me for being blunt, but this is starting to remind me of Duke Nukem Forever, it is getting ridiculous in my eyes.
Have all the builds created since December failed internal validation? Are there really no improvements that are large or stable enough to release a new build, even when it is labeled as beta, signaling that it is not mature?
After more than six months and two nebulous announcements of further internal test versions, I would like to have more concrete information about the schedule and contents: What is the expected timing for the next beta? And what problems will be addressed, e.g. will we perhaps see better fan-, throttling- and energy management that some people complained about? And will support for the larger batteries be implemented? Will all CVEs discovered until now be closed?
Or will we just get a then hopefully working update sometime in the second half of 2023 but at the level of the known issues of fall 2022?
"It's done when it's done" is completely acceptable for free software, and might be even here if it were just about Thunderbolt certification. But it is (also) about security problems, bug fixes and support of new hardware. So if you still don't have a working solution for the Thunderbolt part, someone at Framework should make the decision to activate a plan B and separate it from the rest of the update to release the important and hopefully working parts in a reasonably short time frame. Even if this means more work for you and that the promised full Thunderbolt support will have to be delayed further, I think it would give you a better reputation than what we see now.
Besides, I paid for the device. And I paid more than I would have paid at a larger manufacturer because I had actually hoped for better and longer support for all important aspects of my notebook.
If it doesn't match your expectations you are free to sell it and find something that does. This is a very small company, it is wholly unsurprising that things take time and communication is intermittent. I don't know if they have a PR person, much less a team. They're still working on a resolution for the 11th gen board, so in my mind they are supporting their systems.
Yup. IMO at this point we should be getting weekly updates at least. Even if the update is just "we're continuing testing but we're not satisfied the build is ready".
My suspicion is that work on this update has been put on hold due to other priorities, but they're certainly not going to tell us that.
Oh please, what a cop-out. It's perfectly reasonable to expect, demand, and push for a higher level of support from a company that has sold you a product.
Selling that product on the secondhand market and buying something new from another vendor should be considered a last resort.