AMD "Sinkclose" (CVE-2023-31315) in Framework 13-inch laptop?

News has reached here about CVE-2023-31315, a critical vulnerability of decades’ worth of AMD processors which, long story short, means I should replace the motherboard if my AMD chip is of one of the vulnerable models. (Can’t reliably detect compromise, no casual-hobbyist-level fix if compromised, not all models will get a firmware patch, blah blah)

AMD has a somewhat informative page that hints at a broad range of affected processors without listing specific model numbers: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Is my Framework 13-inch AMD affected (dmidecode says “AMD Ryzen 5 7640U w/ Radeon 760M Graphics”)? Does Framework sell a motherboard with an unaffected AMD processor model? Can I replace a Framework AMD motherboard with a Framework Intel motherboard (to at least trade one set of problems for another)?

2 Likes

Yes, the Framework is vulnerable, and AMD had fixes available since mid-July.

Since this requires ring 0 access to be exploited, I wouldn’t worry about it too much. However, I hope Framework has been lining up a fixed firmware for release.

For anyone running Linux, the dmidecode output:

Handle 0x0035, DMI type 40, 14 bytes
Additional Information 1
        Referenced Handle: 0x0000
        Referenced Offset: 0x00
        String: AGESA!V9 PhoenixPI-FP8-FP7 1.1.0.2a
        Value: 0x00000000

Needs to be stating PhoenixPI-FP8-FP7 1.1.0.3 or later after the vulnerability is fixed.

7 Likes

AMD has already released the firmware patch for these CPUs. I would be very surprised if Framework doesn’t release an update with that CPU (probably in the next month or two, potentially sooner if you use a beta update).

That page does list specific families of processors, including “AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics”. That is the family of processors that your CPU is in so it is affected.

Directly below that it lists that for those processors the issue was resolved in PhoenixPI-FP8-FP7 version 1.1.0.3.

Currently your laptop’s firmware has PhoenixPI-FP8-FP7 version 1.1.0.2a.

The latest firmware update for the Intel based Framework mainboards patched 8 security vulnerabilities including one Intel CPU vulnerability that was rated 7.2 on the Common Vulnerability Scoring System and a an motherboard firmware vulnerability (which also affected motherboards from other brands such as Lenovo) rated a 9.8. By comparison this AMD issue is rated a 7.5.

New security vulnerabilities get discovered all the time and then get fixed through a firmware update. Buying a new motherboard+CPU just to get away from a security vulnerability that AMD has already released a fix for (and Framework should hopefully be releasing soon) does not help avoid security vulnerabilites.

If you do plan on switching mainboards to avoid these issues then you should probably plan on switching every couple weeks as new vulnerabilities get discovered and one ones get patched (which motherboard has fewer severe security issues at any given time varies).

2 Likes

Thank you for the solid info that the 7640U is in the 7040 family. I am gratified that a fix might conceivably become available to Framework’s clients. However, this is no laughing matter. Unlike most CPU faults, a Sinkclose infestation may be undetectable, and incurable once it has happened. From any reasonable point of view (except “I’m feeling lucky”), the patch is already too late for mainboards that have already been in use. Fortunately, for DIY customers, there are always options. I have decided the right solution for me is the Mainboard Of The Month Club.

1 Like

I believe that is also true of the Insyde exploit that was recently fixed on the Intel boards (as well as many boards from other companies such as Lenovo). That exploit was ranked as a critical severity by the US government (whereas this AMD exploit is only ranked as high severity).

When AMD or Intel have a widespread security vulnerability it gets a lot of media attention, however when AMI/Insyde/Phoenix (the 3 big makers of motherboard firmware, which is just as important for security) have a similarly widespread/severe issue it doesn’t get the same level of media attention.

I don’t mean to be dismissive of this issue, however I am certainly desensitized to situations like this because it is a very common occurrence that security vulnerabilites on this scale get discovered and then get patched with no indication that they ever got abused maliciously.

Let’s see if Framework’s improved BIOS management process would release fixes sooner…and how it compares to the timeline of other brands. (I have two AMD ThinkPads in the same boat.)

Wow, hadn’t heard about a recent similar problem with Intel boards! In any case, the Mainboard Of The Month Club is a great answer. I already have a rubber mallet ready for installing the first one. (Never install a mainboard with a metal-headed hammer.)

Can’t wait to switch to CoreBoot/OpenSIL, so that we can manage BIOS and firmware updates ourselves.

2 Likes

Man I hope opensil actually works out.

2 Likes

How exactly do you plan of getting hold of the AGESA update to compile into your own BIOS?

I am not, the exact point of opensil is to replace that whole mess.

My point exactly. :wink:

That’ll rely on it being true open source, and not binary like AGESA morphed into. Which I’ll believe when it ever arrives. 2026 wasn’t it?

Even somewhat open source would be a huge improvement. Apparently they are aiming for 2026 full production ready but that may indeed be very optimistic. Curious how the proof of concept planned for the end of the year turns out if it does at all.

I really hope it works out but I’ll also belie it when I see it.

Great news @Adrian_Joachim @Magic https://www.phoronix.com/news/AMD-Open-Source-FW-Strategy

The great bit remains to be seen but it is definitely news

1 Like

Just looking for an update on this. Does Framework have an ETA?

1 Like

How’s remediation going? It seems from AMD’s vulnerability page that the July 18 version of the 7040-series platform initialization driver (“PhoenixPI-FP8-FP7 1.1.0.3”) would need to be incorporated into a CPU firmware update. Is there ongoing work to incorporate this change?

As an aside, this is the one thing holding me back from buying my first replacement mainboard. It’s tough to drop hundreds on a board with an unfixed vulnerability.

3 Likes

Curious if there are any updates the Framework team can share? The relevant platform update from AMD has been available for some time. I certainly appreciate that it takes time to integrate the new code and ultimately release a firmware update, but it would be nice to have a ballpark idea of when a fix might become available.

2 Likes