Something to note: this CLI tool will be getting a GUI in GNOME’s settings in a future version:
So, it would be great to see it get to HSI-4.
Something to note: this CLI tool will be getting a GUI in GNOME’s settings in a future version:
So, it would be great to see it get to HSI-4.
What did you do to get Encrypted RAM? That’s showing as disabled for me, so not sure what I missed (swap and my boot disk are both encrypted as far as I can see)
IIRC there’s an option for it in the BIOS if you have the 11th gen i7-1185G7. I could be wrong, though, so it’s always worth checking. It should be near other settings related to the CPU.
Quick update:
There’s discussion here about the CSME version:
An issue was posted to the CLI tool’s GitHub: CSME Invalid · Issue #4999 · fwupd/fwupd · GitHub
It seems like we either have to wait for Intel and or Framework to release an update. I’m not really sure which one, since I’m struggling to find if patches are CPU-specific and if one is available for the 11th gen i7-1185G7.
Thanks, I’ll give a look but may be out of luck as a cheapskate who only has a i5-1135G7.
IIRC encrypted memory requires Intel vPro.
Quick update:
Framework Support got back to me about this!
Thank you for your patience, I’ve escalated this report to our Lead Engineer who has confirmed that this will not be updated in the forthcoming 3.17 BIOS update, but is now planned to be updated/fixed in BIOS 3.18 hopefully due later this year.
Regards,
This is great to hear. I really appreciate that they escalated the issue and that they were able to respond so quickly! Thanks Framework Support, I’m looking forward to BIOS 3.18!
I asked the support for an ETA on a new gen 11 firmware including the security fixes. Unfortunately they could not provide a time frame for the update.
Hi,
the latest firmware update (3.17) for the gen 11 did not include Intel Management Engine related security fixes. What’s the ETA for the next firmware release that will include the security fixes?
Thanks for reaching out to Framework Support. Unfortunately, we currently don’t have an estimated timeline for the next firmware release but rest assured that our team is working on it and will surely announce the details when it happens. If you have other concerns or inquiries, please don’t hesitate to reach out. Thank you for your patience.
Hi @43c
Thanks for updating this thread and thank you for reaching out to our support team, firmware updates shouldn’t be that long to be released, will update this space once it’s out.
cheers!
I am having trouble justifying an upgrade if this significant delay is indicative of how Framework is going to address known vulnerabilities in their firmware. This thread discusses a vulnerability that could/should have been addressed in an update that was released more than 6 months ago but was not and no subsequent update has been forthcoming.
I get that priority is most likely 100% on the new AMD firmware and that Framework is operating with limited resources, though this is kind of a bummer. It’s already end of June and there is no update on this topic. Like @JoshB mentioned, if this is an indicator on how framework manages firmware vulnerabilities for older devices, It’s hard to recommend them for business use even though I’d really like to.
@43c I’m grumpy that firmware related news of any kind is relegated to the backseat by the firmware team…now I’m trying to figure out just what exactly I’m going to do about it.
@GhostLegion It does suck we basically have no official timeline on firmware release for existing products with the fixes.
I saw @Kieran_Levin comment on the 12th Gen beta firmware post, They are testing out a new version and will try to get it out soon after validation.
let’s see how that goes.
Stumbled upon this thread, dumping some info
PS: For anyone that randomly found themselves here on an “unsupported” OS for Framework, you need CONFIG_SECURITY_LOCKDOWN_LSM kernel flag compiled to report the security status. Probs a good idea to set it to “Integrity” as well.
So we’re now in February '24, in May '22, almost two years ago(!), intel released security updates for the CSME rated High and listing physical-unauthenticated or adjacent_network-authenticated as attack vectors:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00613.html
I’ve heard many explanations from releasing a new laptop (sorry, two years, I don’t care anymore!) and a third party vendor being responsible. For the latter case you have SLAs (or, maybe you don’t).
If I’d have more time I’d seriously look into extracting the Windows update executable (e.g., using GitHub - jbit/uninsyde: Extract chunks from Insyde H2O Iflash files) and trying to flash the UEFI capsule manually. Because it seems that Framework won’t budge.
Mind me, if the statement would be “sorry, we don’t officially support Linux and we don’t have the SLAs to get our third-party vendor to provide updates, you’re on your own there” – I’d be much more OK with that. It’s the dishonesty and waiting for years that’s driving me crazy.
Framework, own up.
Well if this is on a 12th gen Intel you had the 3.06 Beta that actually fixed that issue, and then you had the 3.08 Beta which has been out just over a month 12th Gen Intel Core BIOS 3.08 Beta Release . In the original 3.06 Beta thread Framework did apologize and explained that they had hired additional dedicated personnel at Insyde to work through the backlog and push out regular UEFI updates. We are beginning to see the results of those efforts.
Also cross-posting here: I’ve created an updater to update on Linux through the UEFI shell. There are some caveats and you may not trust all files provided there-in (read the README):
It’s 11 gen. And there’s no “work” to push through, no firmware to develop. It’s literally just repackaging the CSME FWUpdate.bin in a UEFI capsule. Which Framework falsely claims isn’t possible while other vendors do this regularly.
Just pull apart any CSME update by, say, Lenovo, extract the cap file and you’ll find a UEFI capsule firmware.bin, extract with UEFIExtract and you’ll find a body.bin in there with the ME magic $FPT at 0x10 – just like the FWUpdate.bin file.
I don’t have a problem with overworked staff. But I get annoyed after almost 2 years(!) of delays with “sorrys” that don’t change a thing, mindless excuses and misinfo around LVFS not being able to update the CSME. If in doubt, contact Richard Hughes from LVFS to help you guide through the capsule creation process, he’s a kind soul.
This is very true.