In general, there is no (and there should not be a) way to disable secure boot from within the operating system. That would somewhat defeat the purpose of secure boot, as a rootkit could just turn off the security features before it installed itself.
I just updated this thread's first comment with the info about Framework Laptop Chromebook Edition based on what we know.
Updated about a month ago, but having major issues with eGPU and Thunderbolt Hub (Windows 11, i7-1280P, 64GB, 4TB), which I didn't have with 3.05. Can someone provide the link for 3.05, so I can go back?
@Danny_Goff You can't go back with 12th gen or it screws your left ports. They will only operate at USB 3 speeds if you downgrade.
So going back to 3.05 causes USB3 speeds on USB4/TB4 hardware? DEFINITELY a gap/concern there...
@Danny_Goff Tbf, they did warn you about that in the initial post. And it looks like I was wrong... it's USB 2.0 speeds.
Just to be clear, 11th gen can still downgrade. Only 12th gen gets borked doing so as far as I know.
It seems that InsydeH2O BIOS is used for both Framework 13 Intel 13 Gen and AMD - https://twitter.com/insydesw/status/1639393614148296705
Disappointing but not unexpected, maybe us software turbonerds will get some love next time around.
Is there any reason to update to 3.10 now? I just checked and found they have released 3.10 UEFI update. What are the improvements and reasons to update.
I am currently on 3.07 with Windows 10, my CPU is 11th gen. I am planning on going to Windows 11 with a clean install soon.
Thanks
@R_P Just take a look at the thread for the change log, here is the very first thing written on the post.
What are the security vulnerabilities? How serious is it? People want to know.
Thanks
The BIOS vendor Insyde Software's CVE list is below. The link is also in the first comment on this page. Then you see CVSS v3 numbers. As on the page, it's not easy to search by CVE such as e.g. "CVE-2021-41842" by browser search, but you can open the Inspect menu or the HTML source, and search by "CVE-2021-41842". And you see the CVSS v3 number of this CVE is 8.2. In my impression, if the number is more than "high", it's better to apply it.
https://nvd.nist.gov/vuln-metrics/cvss
High 7.0-8.9
Critical 9.0-10.0
See the list of CVEs here:
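A small script, added here and not from the thread or from Insyde, that does the lookup described above automatically: it pulls every CVE id that has a CVSS v3 score out of saved advisory HTML and flags the ones in the High or Critical bands quoted from NVD. The markup is a constructed sample and the real advisory page's structure is an assumption, so the parser only keys on a CVE id and a CVSS number on the same row; the ids other than CVE-2021-41842 are placeholders.

```python
"""Triage a BIOS vendor CVE list by CVSS v3 score (added example)."""
import re

# Constructed sample of advisory markup. Only CVE-2021-41842 / 8.2 comes
# from the thread; the CVE-1900-* ids are placeholders, not real CVEs.
SAMPLE_HTML = """
<tr><td>CVE-2021-41842</td><td>SMM issue</td><td>CVSS v3: 8.2</td></tr>
<tr><td>CVE-1900-00001</td><td>Info leak</td><td>CVSS v3: 4.3</td></tr>
<tr><td>CVE-1900-00002</td><td>No score published yet</td><td></td></tr>
<tr><td>CVE-1900-00003</td><td>Code exec</td><td>CVSS v3: 9.8</td></tr>
"""

# CVE id followed, somewhere on the same row, by "CVSS v3" and a score.
ROW_RE = re.compile(
    r"(CVE-\d{4}-\d{4,7}).*?CVSS\s*v3\D*(\d{1,2}(?:\.\d)?)", re.I
)


def severity(score):
    """CVSS v3.x qualitative rating using the NVD bands the thread cites."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_advisory(html):
    """Return [(cve_id, score, rating)] for rows that carry a CVSS v3 score.

    Rows are split first so a CVE without a score never gets paired with
    the next row's number.
    """
    entries = []
    for row in re.split(r"</tr>|\n", html):
        m = ROW_RE.search(row)
        if m:
            score = float(m.group(2))
            entries.append((m.group(1), score, severity(score)))
    return entries


def should_update(entries, threshold=7.0):
    """CVE ids at or above the threshold (default: the start of 'High')."""
    return [cve for cve, score, _ in entries if score >= threshold]
```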
It's been a while since it was discussed, maybe there's news:
- Will there eventually be a charging hysteresis for all OSes, i.e. in BIOS? "Start charging at or below..." and "Stop charging at..."?
Other wishes:
- Power button sleep indicator to work with all sleep states.
- Device charge through USB can be turned off for sleeping/hibernating/powered down state. Even better: turn on/off separately for each port. That way, disks can spin down (and stop blinkenlights) that are on port A while the phone on port B is still charged.
- A similarly differentiated wake on USB. Useful e.g. to wake only when the keyboard sends a key but not when someone bumps against the table and jerks the mouse. (Needs them to be not on the same port via hub, of course.)
I have some specific question regarding the BIOS for the 13th gen Framework.
A) Intel Trusted Execution Technology
- Should I activate it or not?
- What does it do exactly to my system?
- What is the DPR Memory size and which value should I use, if question 1. is "yes"?
B) Standalone operation/detection
- What are those options?
- Standalone Operation is disabled and Standalone Detection is enabled. Is that okay?
C) TPM
- TPM Availability is enabled > okay but...
- TPM Operation is "no operation". Should I change it?
- If 2. is "yes", to what? I use Bitlocker with a PIN currently.
D) Supervisor Password
- Is that the BIOS password?
E) Chassis intrusion detection
- What is it and should I activate it?
Thanks in advance
I'd like to sum myself to the ask for better control over battery charging thresholds, and also echo the message @Odin just left.
It is currently hard to know what are the possibilities of the current firmware with regards to built-in security, and probably not documented (or not easy to find). For example, I'd like to reproduce what I could do with other laptops' UEFI, to enable a storage device password (e.g.: Self-Encrypting Disks) and, in addition, enable unlocking it with a fingerprint at boot (by storing the disk password on the TPM). The TPM menu presents the options in a way that makes it really hard to understand, to the point that I simply don't know whether it could be possible at all.
Because no one could give some information, I searched on my own. Long story short:
- Intel TXT: Don't use it. It's useful for IT administration for devices like servers and workstations and not for normal use cases
- Standalone Operation: same.
- Supervisor Password: can be used as BIOS only or Pre-Boot
- Chassis Intrusion Detection: same as above. Only useful for IT administration, servers and Workstations where multiple people have access to. Just keep it off.
But the TPM Option... man there are some long snaky options to select and no further explanation. Here, a further explanation by the Framework guys or any expert would be great.
TPM operation is a bit confusing. It's more like a button (where selecting something performs an action) rather than a configuration setting.
You can think of it more like, "what will be done to the TPM when I hit save?" Things like "reset it" or "disable SHA1". You don't need to perform these actions unless you are having a specific issue with the TPM.
sneaky
There are some technical terms in the operation menu, but I wouldn't call them sneaky. What are you referring to?
EDIT: oh, you said "snaky". Sorry!
I added the section of the Framework Laptop 13 Intel 13th Gen.
Does anyone who bought the Framework Laptop 13 Intel 13th Gen, could you run the following commands, and share the result on Linux? I want to know the BIOS vendor and the initial BIOS version just in case.
$ sudo dmidecode -s bios-vendor
$ sudo dmidecode -s bios-version
There you go:
$ sudo dmidecode -s bios-vendor
INSYDE Corp.
$ sudo dmidecode -s bios-version
03.03