[SOLVED] Complexity rules for AMD BIOS password? Why? (Moved)

Every time I’d like to enter BIOS, my password has expired. @Matt_Hartley is Framework even discussing fixing the massive security flaw?

5 Likes

I’m in for asking for a fix for this too.

3 Likes

I have always been leery of BIOS passwords. But I was considering it because the FL16 will be a big purchase for me and I plan on doing a lot of traveling for the next several years.

This situation is really concerning, not so much that it exists, but that it seemingly has not been actively addressed by Framework…

@Matt_Hartley is this being addressed?

1 Like

@ksimuk @CruelSun Both of you are asking the wrong fella. He’s Linux support, not firmware or BIOS/UEFI stuff. @Kieran_Levin is the guy you want. Or potentially @TheTwistgibber since he’s customer support generally. All Matt can do is ask the guys in charge of this stuff and ferry the response back here.

6 Likes

Thank you!

1 Like

Can you share what platform you are experiencing these issues on?
Password expiration is not defined behavior so I would like to fix this if possible.

On newer platforms in progress we are addressing requests to allow longer passwords, which was a previous request from the community.

7 Likes

I was asked to change the BIOS password two times since I got my FW13 with AMD 7640U in late November. Once it happened in mid/late December iirc. It expired again in late February (this time the laptop had been powered off for some days because I was away and I left it at home, don’t know if this matters). BIOS version was 03.03.

That kind of attitude isn’t likely going to get the result you want, he’s trying to help, y’know.

2 Likes

Sorry. I guess I’ll stay away from this…

7840U FW13 has told me my BIOS password has expired twice now and forced me to change. I haven’t gone into the BIOS since a few months ago, but I suspect it’s probably expired again.

My password has expired several times now. I can’t say it exactly but it must expire every several weeks…maybe 4 weeks…

Yes, it’s being discussed and looked into. Additionally.

2 Likes

@Kieran_Levin
Would Framework also address the BIOS password issue in the next release of the BIOS?

4 Likes

Yes, that matches the sha256 of the zip file I downloaded

1 Like

We will investigate this, but this will most likely not make it into the next AMD BIOS update, as we are too far along in the release process to update.

8 Likes

Thanks, that’s good to know! Even if it won’t make it into the next release, it’s great to know that you’re working on this.

I believe you can trigger the password expiration by disconnecting the battery, by the way. If you’re looking for a way to debug this, I mean. As I recall, I was forced to change the password after that.

In my case, it happened with pre-installed 3.03 on 7840U

2 Likes

Refer to [RESPONDED] Complexity rules for BIOS password? Why? (Moved) - #18 by Vlad_Didenko

Do not care for LONGER passwords. Framework should allow users to disable password complexity and expiration enforcement. I want actually to own what I paid for.

3 Likes

I think you may have missed out on one line in @Kieran_Levin’s post.
“Password expiration is not defined behavior so I would like to fix this if possible.”

He spoke of longer passwords after that.

Getting rid of complexity rules would be a nice thing, too. Although that really is a small concern for me, as long as the rules don’t get any worse. At the current level, “password” becomes “P4ssword.” and we’re done. But I guess dropping the rules shouldn’t be hard to do when length and expiration are addressed.

@Kieran_Levin What’s important (imo) would be the password-reuse, though! It’s no good behaviour that the firmware won’t allow me to use a previous password. You can leave a warning in but there are good use cases for reusing a password (e.g. using a stronger, harder to memorize password in critical situations, then reverting to a more relaxed password for secure environments).

(Edit: Thinking about it another time: If you leave the warning in, you need to retain the hash of the more secure password, which is not behavior that I’d wish for in my threat model considerations.)

Nope, I did not miss anything. My general request stands:

allow disabling all of the password enforcement as a whole

It may be easiest programmatically to return systems to the state of no surprise for users.

2 Likes

FW13 with AMD Ryzen. And the expiration unfortunately does not work reliably when the laptop runs out of power (or rather - it reliably expires when the battery runs out :)) so I would rather have the option to get rid of it. (Or at least clearing the password history, which seems to be three previous passwords.)

3 Likes