12th Gen Intel Core BIOS 3.08 Release

Would have been nicer of FW to make a similar comment on this thread to what they are doing with BIOS updates, even a copy paste of what they said to Ars Technica.

7 Likes

Reading that made me feel so bitter it hurts. I said much the same a year ago and got slapped so hard I stepped away for months. I was called insulting and toxic. Suddenly everyone is seeing the light and yet there is not growing demand for Framework to pivot to Coreboot, which I have yet to see an articulated argument that explains how pivoting to Coreboot permanently wouldn’t fix these issues with firmware. Maybe I don’t understand Coreboot maintenance and how platforms are supported over there (very likely since not a dev) but I would think firmware would be easier (note I didn’t say easy) if it was Coreboot instead of Insyde.

7 Likes

I remember Intel was using Insyde for some time then switched to Aptio V by AMI (or was it the reverse) for their NUCs. I was wondering if Framework can leverage a bit from Intel Visual BIOS but now I see NUCs are given to ASUS for maintenance.

Coreboot can be rather rough looking at different implementations (at least for us end users), but I guess it is probably the way forward and probably loads of work needs to be done to achieve at least feature parity.

4 Likes

Another thing I actually when Framework worked with Google to launch the Chromebook versions, I was hoping Framework could leverage the work of Google’s Coreboot and port it to the laptops of the same generation too.

4 Likes

Coreboot would make it so that FW is not needed in maintaining it unless they sign it and lock the hardware to only their signature (like Intel BootGuard, in which case there would be no change to the overall process of updating).
But have there been many devices with Coreboot booting Windows? Microsoft has a bunch of requirements with SecureBoot etc.
And what I have seen so far of the manufacturers shipping Coreboot, it is more barebones, like no GUI, configured by compiling your own variants or changing options from the command line. So maybe not ready yet to be given to simple users that also want to use Windows. Which will still be the majority of customers. So the question is, can it be the sole focus of development yet? Or can it only be an alternative for some part of customers.

And for 3rd parties to maintain the Coreboot build comprehensively, the vendors (Intel, AMD etc.) need to open-source their firmware support packages or would need a process of releasing their binary blobs publicly.
Builds reverse engineering stuff instead may lack a whole bunch of features, especially in the security department.

Similarly to unlocking the bootloader of an Android device. Most manufacturers disable all their security in that case. Which means further firmware updates are no longer authenticated and an attacker could manipulate the firmware / OS on the device to undermine all of the security that is built on top of it (i.e. Firmware TPM is built on top of Intel ME, which is secured by Intel BootGuard, which as I understand it, is currently fused into the hardware). Many people that want to mod their own firmware / software may not care about that, because that kind of security is just slowing them down, but it is still a loss of features that Windows or other software actually uses. And it is more work to have a generic mechanism, like the Pixels have, where you can relock the bootloader with your own custom keys and enforce the same security the original firmware had.

And going back from that state, locked with custom keys, to a proprietary build that enforces proprietary security that some manufacturers involved may want to keep (like encrypting their software so that people can neither manipulate nor look into it and having the encryption keys kept secure by the hardware, otherwise they won’t give you access to their software) is another difficult topic, that probably involves a lot of companies working together to achieve a solution that works for all, by either engineering solutions that are vendor agnostic or open-sourcing everything.

Edit: to clarify: I am not involved deeply enough to give any kind of status report. This was just a general outline of the kind of problems and tradeoffs involved.
Edit2: TL;DR;
the buzzword behind all of this is Root of Trust. Right now desktop hardware seems to be built for a vendor specific root of trust (fusing hardware to a specific trusted vendor, which is then the only one that can sign software for that hardware). And you have to forgo all the security stemming from that to not be bound to that single vendor. To have that be dynamic and under control of the user is possible, for everything but DRM, but is also more work. To have a system that can both be run in a DRM-capable mode not under control of the user, but at any time be switched to a user-controlled mode and back again is very hard.

4 Likes

I don’t have my hopes high for it yet. Could take him/them still some big time in reliably porting it to the locked down version of our 12gen FW. And some of y’all really just want a stable regular BIOS. This very 3.08 Beta seems to be this stable one they would love to give us.

I really hope they just get this BIOS stable enough (or at least the updating method seems to be the show stopper). The EFI one worked fine for me. Maybe documenting the exact method they advise maybe?

2 Likes

There’s a response from Framework about the article on Reddit…we shall see

https://www.reddit.com/r/framework/comments/1c4k5lq/ars_frameworks_software_and_firmware_have_been_a/

7 Likes

At this point, actions speak louder than words. Seems many Framework users are frustrated, all with our own issues (mine is the 3.08 won’t install :man_shrugging:). Here’s hoping they can turn it around.

4 Likes

nrp has some responses in the HN thread as well.

2 Likes

Hopefully the media fire will make it more clear how important this is. Their reputation is rightfully on the line. BIOS security is serious.

2 Likes

That whole article reads like the same empty promises and excuses that we’ve seen over and over. Their most loyal customers, the early adopters and forum users, have been talking about this issue for a long time. But they didn’t care until a tech blog site wrote about it.

3 Likes

Agreed, it feels like an attempt to just negate bad PR. The reply from Nirav on Hackernews is identical to the reply from cmonkey on reddit.

Hackernews:

Reddit
https://www.reddit.com/r/framework/comments/1c4k5lq/ars_frameworks_software_and_firmware_have_been_a/

3 Likes

Quality of the PR aside, to the best of my knowledge Nirav == nrp == cmonkey

6 Likes

Because it is

1 Like

Is the 3.0b safe for all to use? I’m having the same issue, but this BIOS isn’t on the official BIOS release page.
I don’t want to install something that’s an engineering release and not meant for wide release.

On Ars, I responded to nrp’s comment, about how the 12th gen update was just released, “so its ok now” post, with a few examples of what makes it seem, like Framework had no time to even read this thread and apply things they were notified here about their own post / release notes before they made it an actual release.

That the release happened silently last week, just really gives me the impression, that the only reason the release happened was PR. And they rushed everything, not even reading what they were posting. And nobody has been monitoring this thread at all, as we all could have guessed already. And if somebody had reported a critical issue with the updater, they might not even have realized it, in their hurry.

All of the things in my response are tiny things, that they could easily fix within minutes, just by editing the text, if they just care to. And things I have said here before and should have been fixed in this thread long before that release.

I am very curious how long it takes them to “fix” the release page for 12th gen now. And if they will acknowledge it.
And if Ars cares to be negative, they can maybe show that this specific “release” happened only as a reaction to them. Because the author of the article was not even told it was or was going to be released. But FW responded publicly with “it was already released last week”.

Stuff like that, and that they have been very cagey, like announcing “having a contract” for more support, when they knew the contract would not even start for over 3 months and not effective until just now (supposedly), is what makes me not trust them, when they now say the problems are almost fixed.
There have been way too many “soons” that turned into half a year and more with Framework trying not to acknowledge it. And completely their fault for not just being straight-forward about this and trying to weasel through it without acknowledging their mistakes (not having support staff) and how long it took them to negotiate and procure the fixes that will hopefully be coming.

7 Likes

I am the last person to defend the BIOS situation…but statements like these are not helpful. If you have ever worked in operations particularly in a situation with rapidly changing conditions and priorities you would realize that your intentions, and stated goals don’t always match up with what actually happens, when it happens, and why it happened. I don’t see any malicious or untrustworthy behavior here. I just see typical operational issues, that you learn from, and move on.

As to cagey behavior…once again have you ever owned or worked for a small business? A small business that is making waves in a very big market? Essentially Framework is a minnow trying to survive in a sea full of predators, and natural disasters that could kill it. So yeah when anything I say could be used against me in litigation, litigation that could kill the business, yeah I would be really careful about how, where, when, and why I said anything.

That all being said they really should find a better way to communicate to the user base, or at least keep the user base in the loop. They don’t need to do this, but one of the things Framework benefits from immensely is a very engaged and often very knowledgeable user base, so they probably should try to keep it engaged, and engaged in a positive way. I bought my laptop with a 3-4 year upgrade cycle in mind, and with a 5 year target from inception of the company to have these kinds of things figured out. So far they are on target, so I will continue to support them.

9 Likes

That is perfectly fine. If you are behind, and therefore want to show progress by making an announcement, but also cannot or do not want to speak on specifics or want to commit to a specific timeline you may not be able to keep, the consequence should then be updates on the status, as they become available. That is sth. that can be promised in one sentence in the announcement. But best is to just show it:

So with that example, they admitted to Ars, that the hiring process for the team only started at the end of last year. So that would have been a milestone to report to everybody you already announced to having the contract in the first place. Just a quick: “progress update on firmware support team: hiring has now started”. And a further update at the time when they feel confident that the team is now up and running. That would have still shown that there is progress.

You’ll note that my posts on this forum pretty much guess that exactly that is what is happening back when they announced the contract. Simple things. Just a few sentences, showing follow-through. But that did not happen. Same with the 3.06 update. Where every 3 months we got the PR response “we have not forgotten, we are still working on it”. And then nothing, clearly showing that either they are skipping over larger amounts of critical details. Or are barely dedicating any actual time to actually working on the problem (as has now been confirmed).
And I have not been as loud as I am now, hoping for / anticipating such believable progress reports.

Since January we know, the 3.06 update was cancelled long ago. They worked on 3.07, but it did not pass internal testing. And they may have started work on 3.08 end of last year. All waypoints that could be communicated with a single sentence, showing at least progress and also being honest about stuff like: “in the past 6 months we did not have much time to dedicate to testing version x, so that is why it took us until now to advance to the next version”.

And how was any of this helped, by not talking about it, but making it obvious that they did not care to devote time to 12th gen (or 11th gen, 13th gen). Now they have admitted to it. Doing this piecemeal would have shown the same original problem of not having enough support resources, but would not have lost my trust.

Of course, for the company’s PR, it would have been better if nobody asks questions and they do never have to admit to making a mistake. But nobody interested in a long-lasting product or company should be interested in that and I do not believe that they could not see this problem brewing.
If they would have announced problems preventing them from supporting the older models early last year, but having solved those problems for the newer variants (with enough details to be believable) I would have trusted them and upgraded to a newer board (because I was on an early board. My willingness for that reduces every generation). If all I see is being stalled again and again without any actual, believable progress reported, how am I to believe there is a sincere effort to make up for mistakes that clearly happened already. How am I to believe that they solved the problem that caused that mistake if they choose to not admit the mistake. PR Hype answers like “team of rockstars” only make the company seem less sincere.

Yeah. And that is why, if when they announced having the contract, they would have talked about it being a part of the reason it took so long, I would have forgiven that, because it makes sense to me, that talking about the negotiation you are currently in publicly could very well undermine your negotiating position.

Like I said, I am open to much. If one cannot explain things to me to convince me, one needs to convince me with actions. Repeated actions, so it does not just seem like a one-off. I hold no grudge. But they lost my trust. And winning it back through actions takes a lot longer than explaining enough for me to believe that the course they are on will lead to success. And I am just reacting to their choices. And I am making that known. Because there would have been opportunities to get an upgraded board or not advise friends and family against a purchase in the meantime and I have no good alternative to Framework, if I cannot trust them with my money (for things that have firmware that needs to be maintained).

Edit:
@nadb And to make this clear, I do not consider any of this solved, especially because of the way they seemed to override any process and made more mistakes in rushing this to release, seemingly purely for PR reasons but STILL unwilling to devote even 1 hour of a developer’s time to actually working feedback in this thread into their release notes for the “final” release that we know is broken, because they released the version that claims my notebook is not 12th gen, that they provided a fixed installer for back in January.
That is the really catastrophic thing to me. That they are still only going by a PR playbook, making and showing more unnecessary mistakes in the process instead of finally learning from it. That just makes me think that they are either incompetent or hiding even more problems than they already admitted to.

3 Likes

I’ve been very disappointed by the lack of communications regarding this BIOS update and published my thoughts here:

https://community.frame.work/t/my-framework-has-been-abandoned

4 Likes

I can forgive all the issues with the computers, I know this stuff is hard with a small team. But the killer for me is their communication. It sucks. That kills all the good will with the community.

5 Likes