BETA update for the fingerprint reader in LVFS testing

We have released new fingerprint reader firmware to LVFS which fixes a physical MITM vulnerability described in A Touch of Pwn - Part I

Version: 1000334

If you want to update, you can enable the testing remote for LVFS.

fwupdmgr enable-remote lvfs-testing

And then update.

Please note that our FPR vendor, and security researcher did not issue a CVE for this issue.

We have performed internal testing on this update on Framework 13 and 16. If no major issues are reported during the beta period we will promote this update to stable after approximately one week.

Release notes:

  1. Fix MITM vulnerability.

Known Issues:

  1. If you are running LVFS below 1.9.14 you may see an error when the update completes that the device did not return. In our testing this is caused by too short a timeout to wait for the device to reenumerate after flashing the firmware. And can be safely ignored. This was fixed in 1.9.14. See Goodix firmware update fails, but actually succeeds ยท Issue #6809 ยท fwupd/fwupd ยท GitHub
  2. If you are running 1.9.14 > LVFS > 1.9.13, the update will request to reboot the system, this is not needed, you may also see an error message at the end of the update.

Feedback:

If you want to provide feedback, you can upload your lvfs report after the update and restart. If you want to report any issues on the forum, please include your LVFS version.
fwupdmgr --version

Kernel version.

distribution you are running.

Framework Laptop model you are using.
sudo dmidecode --string system-product-name

9 Likes

Weโ€™re recommending Fedora for this one. Fully updated Fedora, tested solid on FW13 and FW16.

3 Likes

Update went just fine. Uploaded the feedback report as well.

I personally donโ€™t use the fingerprint at all, but any security fixes are welcomed.
Thank you.

fwupdmgr update
Devices with no available firmware updates:
 โ€ข CT1000P5PSSD8
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ Upgrade Fingerprint Sensor from 01000252 to 01000330?                        โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ LVFS release to allow native Linux update from the factory firmware.         โ•‘
โ•‘                                                                              โ•‘
โ•‘ Fingerprint Sensor and all connected devices may not be usable while         โ•‘
โ•‘ updating.                                                                    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
Perform operation? [Y|n]:
Waitingโ€ฆ                 [***************************************] Less than one minute remainingโ€ฆ
Successfully installed firmware
Devices with the latest available firmware version:
 โ€ข System Firmware
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
 โ€ข UEFI dbx

System Info:

Operating System: Fedora Linux 39
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.7.9-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 ร— 12th Gen Intelยฎ Coreโ„ข i5-1240P
Memory: 31.1 GiB of RAM
Graphics Processor: Mesa Intelยฎ Graphics
Manufacturer: Framework
Product Name: Laptop (12th Gen Intel Core)
System Version: A4

EDIT: I needed to do two updates to get on the most recent version.

fwupdmgr update
Devices with no available firmware updates:
 โ€ข CT1000P5PSSD8
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
Devices with the latest available firmware version:
 โ€ข System Firmware
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ Fix physical MITM vulnerability that was found from blackwinghq - a touch    โ•‘
โ•‘ of pwn part 1.                                                               โ•‘
โ•‘                                                                              โ•‘
โ•‘ Fingerprint Sensor and all connected devices may not be usable while         โ•‘
โ•‘ updating.                                                                    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
Perform operation? [Y|n]:
Waitingโ€ฆ                 [***************************************] Less than one minute remainingโ€ฆ
Successfully installed firmware
 โ€ข UEFI dbx
1 Like

Shouldnโ€™t that have been 01000334?

Trying this here on a 11gen machine (currently on this same 330 firmware), with lvfs-testing enabled, and with fwupdmgr refresh --force run. fwupdmgr update doesnโ€™t show any updates available.

Fedora 39 up to date, BIOS is 3.17.

Edit: fwupdmgr get-updates shows -334 available on the AMD laptop thoughโ€ฆ

1 Like

Youโ€™re right, Apparently I needed to jump to 01000330 first, just rebooted and checked for updates again, now I have another update, which is 01000334.

1 Like

OK, after some time the update showed up for the 11 gen machine too:

$ fwupdmgr --version
compile   org.freedesktop.fwupd         1.9.15
compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64
$ sudo dmidecode --string system-product-name
Laptop

Edit: AMD laptop for completeness:

$ sudo dmidecode --string system-product-name
Place your right index finger on the fingerprint reader
Laptop 13 (AMD Ryzen 7040Series)
1 Like

Update went fine on an my machine (Linux):

CPU: AMD 7840u
OS: Arch Linux
Kernel: 6.7.9-arch1-1.1
EC: 3.03b

And it still seems to reliably match my fingerprint (no need to re-register anything).

1 Like

Failed on my machine, also Arch Linux, but Intel 12th Gen.

Same error as described for lvfs < 1.9.14, but Iโ€™ve got lvfs 1.9.15.

Device did not seem to be visible in authentification screens. Iโ€™m investigating how reachable it is.

------------ EDIT: Version infos: ---------------

LVFS Version (note that the kernel version is NOT the one it failed with! I updated and rebooted inbetweenโ€ฆ)

compile   com.hughsie.libxmlb           0.3.15
compile   org.freedesktop.Passim        0.1.5
compile   com.hughsie.libjcat           0.2.1
compile   org.freedesktop.fwupd         1.9.15
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.Passim        0.1.5
runtime   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.kernel                    6.7.9-arch1-1
runtime   org.freedesktop.fwupd         1.9.15

Laptop (12th Gen Intel Core)

----------- EDIT 2 -----------

Iโ€™m fairly certain that the fail was caused by usbguard. It seems that the device ID changed after the update. Still have not recovered entirely.

----------- EDIT 3 --------------

Fingerprint worked immediately after whitelisting the new usb id, but did not appear in fwupdmgr get devices. However after a reboot it did reappear. Probably couldโ€™ve solved that with a restart of the fwpud service, my guess.

--------- EDIT 4 ---------------

So yeah, seems to work for me on arch with intel 12th Gen too, as long as you dont have any interfering systems (which would block this on all OSses).

Other questions.

Since apparently Goodix did not really implement SDBC on Linux, how did they fix that?

Importantly, I could imagine that we would have to re-enroll our fingerprints to be safe from spoofing in the future.

Do you know about these questions?

3 Likes

The finger print reader update ran fine on Linux pop-os 22.04 ( with current updates ) on my DIY US i7-1165G7
I do not use the sensor so I did not test functionality after the update.

spence@pop-os:~$ fwupdmgr --version
compile   org.freedesktop.fwupd         1.9.5
compile   com.hughsie.libxmlb           0.3.10
compile   com.hughsie.libjcat           0.1.9
runtime   org.freedesktop.fwupd-efi     1.0
compile   org.freedesktop.gusb          0.3.10
runtime   com.dell.libsmbios            2.4
runtime   org.freedesktop.gusb          0.3.10
runtime   org.freedesktop.fwupd         1.9.5
runtime   org.kernel                    6.6.10-76060610-generic

spence@pop-os:~$  sudo dmidecode --string system-product-name
Laptop

spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates: 
 โ€ข SHGP31-1000GM
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ Fix physical MITM vulnerability that was found from blackwinghq - a touch    โ•‘
โ•‘ of pwn part 1.                                                               โ•‘
โ•‘                                                                              โ•‘
โ•‘ Fingerprint Sensor and all connected devices may not be usable while         โ•‘
โ•‘ updating.                                                                    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
Perform operation? [Y|n]: Y
Waitingโ€ฆ                 [***************************************] Less than one minute remainingโ€ฆ
Successfully installed firmware
Devices with the latest available firmware version:
 โ€ข System Firmware
 โ€ข UEFI dbx
spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates: 
 โ€ข SHGP31-1000GM
 โ€ข UEFI Device Firmware
 โ€ข UEFI Device Firmware
Devices with the latest available firmware version:
 โ€ข Fingerprint Sensor
 โ€ข System Firmware
 โ€ข UEFI dbx
spence@pop-os:~$

Good stuff.

Working so far on Arch w/ firmware 3.03b.

Updated on Fedora 39 on Laptop 13 (AMD Ryzen 7040Series)

compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
compile   org.freedesktop.fwupd         1.9.15
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64

This is the report:

fwupdmgr update
Devices with no available firmware updates: 
 โ€ข WD BLACK SN770 1TB
Devices with the latest available firmware version:
 โ€ข System Firmware
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ Fix physical MITM vulnerability that was found from blackwinghq - a touch    โ•‘
โ•‘ of pwn part 1.                                                               โ•‘
โ•‘                                                                              โ•‘
โ•‘ Fingerprint Sensor and all connected devices may not be usable while         โ•‘
โ•‘ updating.                                                                    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
Perform operation? [Y|n]: 
Downloadingโ€ฆ             [   -                                   ]
Restarting deviceโ€ฆ       [*************************************  ] Less than one minute remainingโ€ฆ
failed to wait for attach replug: device 23ec719b6aabc2d2dac5176c232f0da7a21881b0 did not come back

Although it gave me an error it works fine :slight_smile:

May I ask, whether this new firmware will also ship with a new driver for Windows (via Windowsupdate)?
And whether I can or should also test/use it on Debian Bookworm?

This is for LVFS testing, so it would be a different conversation. I assume it will be made available through expected (usual) methods as other drivers are provided by Framework. Itโ€™s a Windows thing, so outside of my scope.

You can, however, we test against supported distros only. That said, itโ€™s not going to hurt to try. Follow the directions provided carefully and be mindful of fwupdmgr version as outlined in the guide provided here.

We need specific feedback as outlined:

Something still seems to have gone wrong; Iโ€™m trying to update the BIOS to 3.05b via the lfvs-testing channel, but that channel doesnโ€™t seem to update for some reason.

sudo fwupdmgr refresh --force
Updating lvfs-testing
Downloadingโ€ฆ             [  -                                    ]
Updating lvfs
Downloadingโ€ฆ             [***************************************]
Successfully downloaded new metadata: 0 local devices supported

If I disable lvfs-testing, then lvfs metadate canโ€™t be updated.

Edit: UEFI version shows 771 instead of 3.03 (the uint conversion thing)

Summary:            UEFI System Resource Table device (Updated via caspule-on-disk)
Current version:    771