In the attached screenshot you’ll see I have gotten everything working properly with Secure Boot, kernel lockdown, etc. to get everything up to HSI-4 covered. To meet HSI-4 requirements I’m missing two things, one is rollback prevention and the other is SME (encrypted memory).
According to fwupdmgr security
rollback prevention is supported on the 7840U, and I verified this with the AMD spec sheet, but there’s no option listed for this in the BIOS configuration utility that I can find. How do I enable this and/or when is this going to be supported in BIOS? SME is unfortunately not available on this processor SKU, so clearly won’t be able to do that.
Thanks
1 Like
You might or might not want to enable rollback prevention, it does nothing to improve security and can lead to lack of customization. Please do your own research instead of blindly believe the so-called “firmware security” tab on KDE.
For example, “suspend-to-ram” is better, it saying disabled is more secure means the so-called “firmware security” tab’s credibility is questionable. This might because of
conflict of interest
From one of my colleague I heard that a manufacturer (HP iirc) pushed a BIOS “security” update that disabled the S3 sleep(it was an Intel 11th gen so S3 is originally supported) on their Victus laptop. Due to the rollback “protection” the owner of the computer is unable to install older BIOS firmware to get S3 back. In conclusion in the eye of HP the consumer is a security adversary.
and you may want to understand what’s security for you, what’s your threats model? does removing the choice of rolling back really benefits you? Instead of trying to wear HSI-4 as a “badge of honor”
If you search “rollback” on this forum you can see that rolling back BIOS version is a common practice in troubleshooting
1 Like
First, my threat model is basically nil. I am using my Framework 13 as a toy, primarily. I am doing a mixture of light gaming and mostly using it as an opportunity to refresh my knowledge about various things on more modern hardware. Prior to acquiring this device, I only had much older hardware that was not Macs, so I was unable to experiment with a lot of the newer capabilities, including things like Secure Boot, and the various firmware security options.
Secondly, your statements regarding suspend-to-ram and rollback prevention are untrue. The reason why you don’t want to use suspend-to-ram on a platform like the Framework 13, is because it has removable memory modules and suspend-to-ram makes you vulnerable to cold boot attacks. By disabling suspend-to-ram, you are protected from the most direct forms of cold boot attacks, which is not to claim that suspend-to-idle is not vulnerable, but it is not as vulnerable as suspend-to-ram. On most platforms, including Macs, cold boot attacks are mitigated due to having RAM soldered onto the mainboard however this creates a negative tradeoff for hardware upgrades and repairability. Rollback prevention is to ensure that an attacker cannot flash an older vulnerable version of microcode or other firmware onto the SoC on the system, it’s an SoC level protection, and is helpful to prevent rollback based downgrade attacks.
Both of these are to mitigate attacks that would require an attacker to have physical access to your system and at least some specialized tools, so neither is particularly common or a significant issue for most folks. Just because I am exploring various options doesn’t imply I am recommending that others do the same on a daily driver system. I am certainly not “collecting badges”. You don’t know me from adam, but I do know what I am doing and if I end up breaking my system in some way, I am not particularly concerned.
Thanks for your reply, but it doesn’t answer me question which is:
- Am I missing something about how to enable rollback prevention in the current BIOS as it /is/ supported by the 7840U SoC; or
- When will the Framework 13 BIOS be updated to support rollback prevention?
You can use Smokeless UMAF, as shown
The “SMM isolation support” and “FAR switch”
Disclaimer: Not tested, use as your own risk
1 Like
Thanks for the link to Smokeless UMAF, this looks like just the type of thing I need. Will plan to try to this out this weekend and see how it goes.
Just know that you are in unsupported territory if you do that and anything might happen.
The logic to properly handle changing these hidden settings might not be properly implemented.
1 Like
Definitely noted. Well off the beaten path when I’m booting a generic firmware configuration tool to enable features not in the shipping BIOS.
Daniel,
Another question springs to mind in the same context as this thread. Is there any plan to offer AMD Ryzen Pro (e.g. Ryzen 7 PRO 7840U) in the Framework laptops in the future? Only the PRO series processors offer “AMD Memory Guard”, which is their SME implementation, and similarly only the PRO series processors are FIPS certified when using the built-in security processor’s crypto engine.
Thanks
1 Like
Bump. Would be great if anyone from framework staff could ask around on if/when Ryzen Pro series will be offered in future product pipelines so we can get encrypted ram/memory. I do love to avoid shutting down
@Tyler_Duzan - I flagged the thread to the staff to see if anyone could check it for us. Hopefully they are okay with this; I’d love to have this feature.
I’m also curious… Were you able to play around with Smokeless UMAF and toggle this feature? This flag has been in my mind since the working bios was released back in March/April, but I caused such a stink rushing them to get it out I didn’t want to push my luck asking lesser questions lmao; thank you very much for asking these questions!!!
EDIT: I used the Smokeless UMAF and made the following changes:
- Disabled wake on lan/PME
- Disabled wake on voice
- Enabled AMD DPTC (dynamic power and thermal control) interface
- Enabled STT sensor reporting
- Set SMM isolation from disabled to auto
- Enabled Firmware Anti-rollback (FAR)
Reboot after exiting UMAF and then stock bios took 5ish seconds longer than normal after applying the changes, but no other issues to report. Bios, boot, everything is just as before.
I believe enabling FAR is a two step process for Smokeless. First you toggle the bottom (only selectable flag) to True. After reboot GDM still showed it as disabled. I went back into Smokeless UMAF and the top FAR toggle was now True. After booting into OS after this second check of the toggle in UMAF, AMD Secure Rollback Protection is now reported to OS as enabled.
Do report back if you have more to share than this
All said and done, including making the USB and changes, end to end it took me maybe 30-40 minutes taking it slow.
Cheers!
1 Like
Thanks for testing this out. I have not had the opportunity to do so yet. Something came up last week that took more time than I anticipated and then I decided to wait because I got the ship notification for a second Framework 13 AMD which should arrive next week. I figure I’ll do this over the following weekend.