We have released new fingerprint reader firmware to LVFS which fixes a physical MITM vulnerability described in A Touch of Pwn - Part I
Version: 1000334
If you want to update, you can enable the testing remote for LVFS.
fwupdmgr enable-remote lvfs-testing
And then update.
Please note that our FPR vendor, and security researcher did not issue a CVE for this issue.
We have performed internal testing on this update on Framework 13 and 16. If no major issues are reported during the beta period we will promote this update to stable after approximately one week.
If you are running 1.9.14 > LVFS > 1.9.13, the update will request to reboot the system, this is not needed, you may also see an error message at the end of the update.
Feedback:
If you want to provide feedback, you can upload your lvfs report after the update and restart. If you want to report any issues on the forum, please include your LVFS version. fwupdmgr --version
Kernel version.
distribution you are running.
Framework Laptop model you are using. sudo dmidecode --string system-product-name
Update went just fine. Uploaded the feedback report as well.
I personally donโt use the fingerprint at all, but any security fixes are welcomed.
Thank you.
fwupdmgr update
Devices with no available firmware updates:
โข CT1000P5PSSD8
โข UEFI Device Firmware
โข UEFI Device Firmware
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Upgrade Fingerprint Sensor from 01000252 to 01000330? โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ LVFS release to allow native Linux update from the factory firmware. โ
โ โ
โ Fingerprint Sensor and all connected devices may not be usable while โ
โ updating. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Perform operation? [Y|n]:
Waitingโฆ [***************************************] Less than one minute remainingโฆ
Successfully installed firmware
Devices with the latest available firmware version:
โข System Firmware
โข UEFI Device Firmware
โข UEFI Device Firmware
โข UEFI dbx
System Info:
Operating System: Fedora Linux 39
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.7.9-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 ร 12th Gen Intelยฎ Coreโข i5-1240P
Memory: 31.1 GiB of RAM
Graphics Processor: Mesa Intelยฎ Graphics
Manufacturer: Framework
Product Name: Laptop (12th Gen Intel Core)
System Version: A4
EDIT: I needed to do two updates to get on the most recent version.
fwupdmgr update
Devices with no available firmware updates:
โข CT1000P5PSSD8
โข UEFI Device Firmware
โข UEFI Device Firmware
Devices with the latest available firmware version:
โข System Firmware
โข UEFI Device Firmware
โข UEFI Device Firmware
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Upgrade Fingerprint Sensor from 01000330 to 01000334? โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Fix physical MITM vulnerability that was found from blackwinghq - a touch โ
โ of pwn part 1. โ
โ โ
โ Fingerprint Sensor and all connected devices may not be usable while โ
โ updating. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Perform operation? [Y|n]:
Waitingโฆ [***************************************] Less than one minute remainingโฆ
Successfully installed firmware
โข UEFI dbx
Trying this here on a 11gen machine (currently on this same 330 firmware), with lvfs-testing enabled, and with fwupdmgr refresh --force run. fwupdmgr update doesnโt show any updates available.
Fedora 39 up to date, BIOS is 3.17.
Edit: fwupdmgr get-updates shows -334 available on the AMD laptop thoughโฆ
Youโre right, Apparently I needed to jump to 01000330 first, just rebooted and checked for updates again, now I have another update, which is 01000334.
Iโm fairly certain that the fail was caused by usbguard. It seems that the device ID changed after the update. Still have not recovered entirely.
----------- EDIT 3 --------------
Fingerprint worked immediately after whitelisting the new usb id, but did not appear in fwupdmgr get devices. However after a reboot it did reappear. Probably couldโve solved that with a restart of the fwpud service, my guess.
--------- EDIT 4 ---------------
So yeah, seems to work for me on arch with intel 12th Gen too, as long as you dont have any interfering systems (which would block this on all OSses).
The finger print reader update ran fine on Linux pop-os 22.04 ( with current updates ) on my DIY US i7-1165G7
I do not use the sensor so I did not test functionality after the update.
spence@pop-os:~$ fwupdmgr --version
compile org.freedesktop.fwupd 1.9.5
compile com.hughsie.libxmlb 0.3.10
compile com.hughsie.libjcat 0.1.9
runtime org.freedesktop.fwupd-efi 1.0
compile org.freedesktop.gusb 0.3.10
runtime com.dell.libsmbios 2.4
runtime org.freedesktop.gusb 0.3.10
runtime org.freedesktop.fwupd 1.9.5
runtime org.kernel 6.6.10-76060610-generic
spence@pop-os:~$ sudo dmidecode --string system-product-name
Laptop
spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates:
โข SHGP31-1000GM
โข UEFI Device Firmware
โข UEFI Device Firmware
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Upgrade Fingerprint Sensor from 01000330 to 01000334? โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Fix physical MITM vulnerability that was found from blackwinghq - a touch โ
โ of pwn part 1. โ
โ โ
โ Fingerprint Sensor and all connected devices may not be usable while โ
โ updating. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Perform operation? [Y|n]: Y
Waitingโฆ [***************************************] Less than one minute remainingโฆ
Successfully installed firmware
Devices with the latest available firmware version:
โข System Firmware
โข UEFI dbx
spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates:
โข SHGP31-1000GM
โข UEFI Device Firmware
โข UEFI Device Firmware
Devices with the latest available firmware version:
โข Fingerprint Sensor
โข System Firmware
โข UEFI dbx
spence@pop-os:~$
fwupdmgr update
Devices with no available firmware updates:
โข WD BLACK SN770 1TB
Devices with the latest available firmware version:
โข System Firmware
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Upgrade Fingerprint Sensor from 01000330 to 01000334? โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ Fix physical MITM vulnerability that was found from blackwinghq - a touch โ
โ of pwn part 1. โ
โ โ
โ Fingerprint Sensor and all connected devices may not be usable while โ
โ updating. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Perform operation? [Y|n]:
Downloadingโฆ [ - ]
Restarting deviceโฆ [************************************* ] Less than one minute remainingโฆ
failed to wait for attach replug: device 23ec719b6aabc2d2dac5176c232f0da7a21881b0 did not come back
May I ask, whether this new firmware will also ship with a new driver for Windows (via Windowsupdate)?
And whether I can or should also test/use it on Debian Bookworm?
This is for LVFS testing, so it would be a different conversation. I assume it will be made available through expected (usual) methods as other drivers are provided by Framework. Itโs a Windows thing, so outside of my scope.
You can, however, we test against supported distros only. That said, itโs not going to hurt to try. Follow the directions provided carefully and be mindful of fwupdmgr version as outlined in the guide provided here.
Something still seems to have gone wrong; Iโm trying to update the BIOS to 3.05b via the lfvs-testing channel, but that channel doesnโt seem to update for some reason.
