Framework Laptops are now Thunderbolt 4 certified

Yes fwupdmgr and fwupd use LVFS. fwupdmgr is also capable of installing local files if available.

1 Like

If you need them, I am sure many people on this forum would be more than happy to be beta-testers for this, I certainly would be happy to test on Debian testing (AKA Ubuntu, if you will).

Not official because it hasn't been officially released, although apparently the newer 12th gen laptops are being shipped with 3.05 (like my own 3rd Batch). So just another strange behavior from Framework.

1 Like

I find this statement a little odd. I think, as mentioned in:

updates to the laptops that are already in the hands of users are delayed because there does not exist a reliable update mechanism across operating systems yet. As such upgrades can potentially brick components, Framework must ensure the reliability and ease of use of the upgrade tools. Otherwise the resulting support tickets and costs for potential replacement parts will just turn out to be an economic nightmare for them.

I think especially because they listen to the community and do not only provide Windows-based update software, we should be a little patient here.

At the factory this is a different story: you have access to each individual component, potentially to direct interfaces, and if something goes wrong you don't have to pay for shipping costs or support agents. Also your users don't have any downtime because their device is not in a functioning state.

1 Like

Hi all,

Why not do the upgrade process the old-school way: with a bootable USB image?
This should be easier to control, free of any interactions and OS-agnostic.

5 Likes

Hey Framework team,

Is there any chance that the new firmware helps with BitLocker issues?

I use a TB4 dock and also a TB3 eGPU, and booting up with one of these hooked up makes the computer think I made significant changes to the computer and thus triggers BitLocker safety mode.

If the new firmware helps with this, that would be even greater news.

Thanks in advance!

2 Likes

It's pretty unlikely.

TL;DR: No, it is a security feature that protects you from rootkits. Fortunately, you can turn it off yourself.

BitLocker binds its encryption key to some platform registers (specifically, TPM "PCR"s) that are used to track what code is running during startup. Since an external graphics card quite likely has a UEFI driver – or an Option ROM – that runs during boot, adding and removing one materially changes the value of that register.

It's this same register that would signal whether your machine was compromised due to the installation of a malicious bootloader, firmware image or PCIe device.

If Framework Computer were to make changes to the configuration of this register to resolve this issue, it would simultaneously wipe out BitLocker's ability to detect things like firmware rootkits.

Fortunately, you can change which PCRs BitLocker cares about if you're adding and removing Thunderbolt devices often enough that this becomes a problem.

7 Likes

Thanks for the answers!

Let me share what information I gathered so far about this. Not to say you're wrong in any way!

First, I have read that the behavior depends on the BIOS implementation. Basically, whether the PCIe devices over TB are connected before or after the BitLocker verification. I read that apparently some manufacturers made it that way, plugging in the PCIe devices after the BitLocker verification and thus enabling their laptop to work flawlessly with BitLocker, TB dock connected or not at boot.

Second, I never got to successfully change the PCRs BitLocker cares about after following many tutorials. I ended up finding that this requires the "Pro" version of Windows, which I did not pay for. Maybe I should upgrade… In any case this is worth noting for other people; I mean I literally spent a few hours trying many things before noticing this "little" detail.

3 Likes

Ah! I was definitely not aware of those things. Thanks :)

1 Like

Can we get a beta release already? A bootable USB option would be good enough.

2 Likes

The change they would need to make is to add a BIOS option to "disable booting Boot-ROMs behind USB4", as other TB/USB4 hosts have. Then the eGPU does not boot and the TPM is not affected.
GPU Boot-ROMs are only needed for BIOS output through that GPU. The OS does not need it, as it loads its own drivers. It just would mean that the OS cannot use the eGPU during early boot and it will only start working at the login screen. For a notebook with a built-in display, not a huge problem. And if you are using the FW standalone you are not likely to unplug the eGPU (and can leave the option on / turn it back on). I think this would solve most use cases and result in the same behavior as just plugging in the eGPU after the BIOS finishes booting, just automatic, with less hassle.

FYI, booting NVMe drives behind USB4 will not be affected, as they do not have/need Boot-ROMs anyway. That would be another option of "disable booting any device behind USB4", which would just be against drive-by attacks where some foreign OS is booted to manipulate / take over the device or extract data. Something that should be much less relevant with TPM-based security like BitLocker and secure firmware.

3 Likes

Was not aware of this and am now super happy that this is possible! I turned off BitLocker because it was doing exactly this with my eGPU. Thanks so much!

After some research, the PCR that has to be disabled to avoid device-plug triggers is PCR 2. It does allow BIOS modification without requiring the recovery password, so an attacker could theoretically change settings to allow a live boot without the TPM hardening the key, but standard BitLocker will prevent an unsophisticated attacker from accessing your data, and that was my concern.

2 Likes
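The PCR mechanics described in the two posts above (the BitLocker key is sealed to a set of PCRs, and option ROM code such as an eGPU's UEFI driver is measured into PCR 2) can be observed directly on the Linux side, where the fwupd users in this thread already are. What follows is an added example, not code from any poster or from Framework: a POSIX shell script that diffs two PCR snapshots in the output format of `tpm2_pcrread` (from tpm2-tools), names the PCRs that changed, and says which BitLocker validation profiles would be tripped by that change. The two snapshots embedded in the script are constructed for the example; the digests are invented, and only PCR 2 is made to differ. The PCR descriptions follow the TCG PC Client Platform Firmware Profile.

```shell
#!/bin/sh
# Added example: which TPM PCRs change when a Thunderbolt device is present at boot?
# In practice, capture `tpm2_pcrread sha256:0,2,4,7` (tpm2-tools) after a boot
# without the device and again after a boot with it, then feed both captures to
# pcr_changed. The captures below are CONSTRUCTED for this example; the digests
# are invented and only PCR 2 (option ROM code) is made to differ.

PCRS_WITHOUT_EGPU='  sha256:
    0 : 0x0F8A3C7D1B4E2A6F9C0D5E7B3A1F4C8D2E6B9A0F7C3D1E5B8A4F2C6D0E9B7A3F
    2 : 0x3D0DE6FA1CF9BA33A11F5A2C8F7B3E4D9C1A0B2E5F6D7C8B9A0E1F2D3C4B5A6F
    4 : 0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
    7 : 0x7C5E3A1F9D8B6C4E2A0F1D3B5C7E9A8F6D4B2C0E1A3F5D7B9C8E6A4F2D0B1C3E'

PCRS_WITH_EGPU='  sha256:
    0 : 0x0F8A3C7D1B4E2A6F9C0D5E7B3A1F4C8D2E6B9A0F7C3D1E5B8A4F2C6D0E9B7A3F
    2 : 0x9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2A1B0C9D8E7F6A5B4C3D2E1F0A9B8C
    4 : 0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
    7 : 0x7C5E3A1F9D8B6C4E2A0F1D3B5C7E9A8F6D4B2C0E1A3F5D7B9C8E6A4F2D0B1C3E'

# pcr_changed BEFORE AFTER
# Prints the space-separated indices of PCRs whose digest differs between the
# two snapshots (empty output when nothing changed). Bank headers such as
# "sha256:" are ignored; only "N : 0x..." entry lines are parsed.
pcr_changed() {
    printf '%s\n=====SNAPSHOT-BOUNDARY=====\n%s\n' "$1" "$2" | awk '
        /^=====SNAPSHOT-BOUNDARY=====$/ { second = 1; next }
        /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0[xX][0-9A-Fa-f]+/ {
            idx = $1; sub(/:$/, "", idx)          # tolerate "2:" as well as "2 :"
            val = tolower($NF); sub(/^:/, "", val) # tolerate ":0x..." as well as ": 0x..."
            if (!second) { before[idx] = val }
            else if ((idx in before) && before[idx] != val) {
                printf "%s%s", sep, idx; sep = " "
            }
        }
        END { print "" }'
}

# pcr_describe N: what the TCG PC Client firmware profile assigns to PCR N.
pcr_describe() {
    case "$1" in
        0)  echo "platform firmware code (UEFI/BIOS)" ;;
        1)  echo "platform firmware configuration" ;;
        2)  echo "option ROM / pluggable executable code (GPU, NIC, Thunderbolt devices)" ;;
        3)  echo "option ROM configuration and data" ;;
        4)  echo "boot manager code (UEFI boot applications)" ;;
        5)  echo "boot manager configuration and GPT partition table" ;;
        7)  echo "Secure Boot policy and the certificates used to verify boot" ;;
        11) echo "BitLocker access control (capped by the boot manager after unsealing)" ;;
        *)  echo "PCR $1 (see TCG PC Client Platform Firmware Profile)" ;;
    esac
}

# profile_trips CHANGED PROFILE
# Returns 0 (true) if any changed PCR is part of the validation profile, i.e.
# a key sealed to that profile would no longer unseal and BitLocker would ask
# for the recovery key.
profile_trips() {
    for _p in $2; do
        for _c in $1; do
            [ "$_p" = "$_c" ] && return 0
        done
    done
    return 1
}

# Stand-alone run over the constructed snapshots.
changed=$(pcr_changed "$PCRS_WITHOUT_EGPU" "$PCRS_WITH_EGPU")
echo "PCRs that differ between the two boots: ${changed:-none}"
for i in $changed; do
    echo "  PCR $i: $(pcr_describe "$i")"
done
# The two profiles Windows uses on UEFI systems: 0,2,4,11 (no Secure Boot) and 7,11 (Secure Boot on).
for profile in "0 2 4 11" "7 11"; do
    if profile_trips "$changed" "$profile"; then
        echo "  Key sealed to PCRs {$profile}: would require the recovery key"
    else
        echo "  Key sealed to PCRs {$profile}: unaffected"
    fi
done
```

On a Windows install, `manage-bde -protectors -get C:` lists the profile in use under "PCR Validation Profile", which tells you whether PCR 2 is in the set at all before you spend time on the Group Policy setting mentioned earlier in the thread. The script deliberately reports rather than changes anything: removing a PCR from the profile is a policy decision with the trade-off the earlier post describes, and the first step is to know which register actually moved.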

Hi!

I'm looking to buy a new laptop soon, and Framework laptops are on my shortlist. Has the new BIOS been released (or is it officially pre-installed on new devices) yet, i.e. does the Thunderbolt 4 certification already apply to newly ordered laptops yet? If it hasn't, is there an ETA for a release?

2 Likes

Can all four Thunderbolt ports be used simultaneously without splitting bandwidth?

For example, if I plug high-resolution displays into three of them and an eGPU into the fourth, will the displays be taking up bandwidth that could have been used by the eGPU?

I'm not lucky enough to have three high-res displays and an eGPU to test with, I'm just curious.

@BusyBoredom I want to say yes since 4 lanes are dedicated to each port, but I do know for sure that the left and right side each have their own controllers, so at least 2 ports for sure can be used without splitting bandwidth (one on each side). If all ports are being strained that much it is possible that the controllers wouldn't be able to keep up, but I don't know for sure. Somebody can chime in to go into greater detail.

2 Likes

@BusyBoredom I think the answer to that is a bit complicated: each of the TB4 ports can do full bandwidth on the low level, but since TB is a tunneling protocol, the stuff that is tunneled on top of that might be limited. I previously wrote a big blog post on USB and TB that might help understand this, though I did not dig into total bandwidth limits for the Framework laptop. I did write a bit on the limits on DisplayPort bandwidth:

The USB-C ports are divided into two pairs, each pair sharing a single USB4 router / TB controller, and with two DP 4xHBR3 interfaces on each controller. This means at most two DP streams divided between the two ports in the pair (which includes both TB/USB4 tunnels and DP-alt-mode). [source, section 10, Framework uses UP3]

1 Like

Hmm interesting, ok thanks :) That's a really awesome writeup you've put together.

I guess practically speaking, putting an eGPU alone on one side and all other peripherals on the other should satisfy the vast majority of use cases without having to worry about possibly leaving eGPU bandwidth on the table.

Would be neat if someone from Framework could chime in with some definitive guidance on what the total bandwidth limitations are (across all 4 ports and per side).

Hello, looking into getting the 12th gen. Does this mean that with the USB-C Expansion module I can connect Thunderbolt 4 devices?

Short answer, yes! eGPUs, docks, storage devices… if it uses the protocol, it will connect.

Long answer, you could connect and use them near-perfectly (and in my experience perfectly) beforehand, even with the 11th gen. What this thread means is that Intel themselves are slapping a badge of honor on the laptop and saying "this passes our standards for a laptop that can connect to Thunderbolt 4 devices". It's a marketing point.

4 Likes

So it's been almost 6 months now since this announcement.
Any updates on a new BIOS release?

2 Likes