Intel 11th Gen Firmware Support - a BIG question mark

Hi there,
proud owner of 11th gen intel version, but at the same time very disappointed information security expert. If not angry. And would like to give my machine back.

Since September 2023 I am waiting for a Firmware Update which addresses nothing less than 2 medium and 2 high ranked security issues with the BIOS.
https://knowledgebase.frame.work/en_us/framework-laptop-bios-releases-S1dMQt6F
That page mentions the EFI Shell update within short. But what is short in the aspect of such high rated security issues?
Is that a fair move to keep users in suspense for such a long time?
Don’t make promises you are not going to keep.

And it minds me something: The charging implementation on my 11th gen intel is still not working properly. When setting the charge limit to 80%, the USB connection is reset every two minutes resulting in a loss of external mouse, keyboard and screen connection. What the heck! No wonder it never passed the Thundebolt announced certification.

Can I get an exchange mainboard that works as announced please?

Framework, you do a great job and you deserve all the respect, but don’t gamble with your community by just dropping support for your (not even yet) legacy!
And don’t play with security, you are compromising far too much!

BR
Uwe

1 Like

Are you using Linux? The disconnect is provoked by the change in charging current, and there is a well-known workaround that I am using too, with a little script.

Also, you are probably aware that they are precisely currently tackling this problem of firmware updates frequency? With a growth in their team and all. So I’d say you could just wait a bit more and see what happens.

Hi Mapleleaf,
thank you for your reply. Yes I am on Linux and I am aware of workarounds - with mixed results.
** Please don’t get me wrong, the work of framework is outstanding **

Still the situation is that
1a) Framework seeks for people (especially BIOS engineering) since very long
1b) For the 11th gen intel BIOS, framework has shown they are able to provide a EFI shell update method and still for the latest BIOS version addressing two high risk vulnerabilities and two medium ones, they are not available since May 2023. That is a year soon! Is that a way to address security?
2) The disconnect issue for this USB-C connector that was announced as something “Technically TB4, but not sure if we get it sertified” exists since the device is on the market. My support request for this goes back to September 2022. If they did not solve it until now, they never will! That’s why I am asking if I can get it replaced with something that gets support?

How would you rate the framework support?
How do they deal with “design issues”?

In the meantime, could you tell more about what’s going wrong with this workaround?

Framework has notoriously bad bios support. If you care about security, it’s probably best to buy something from a reputable vendor like lenovo until Framework’s firmware team is more mature.

1 Like

Notorius really?

The 3.19 I am using is from Dec 2021.

This is a topic on the 11th Gen by the way. Is that what you have and why you are complaining.

And by the way what security issues do think I may be susceptible to that would cause you or me much concern??

1 Like

Notorius really?

I think notorious is fair: Framework’s software and firmware have been a mess, but it’s working on them | Ars Technica

The 3.19 I am using is from Dec 2021.

2021 is 3 years ago (2 and a half years since December if you wanna spit hairs), and OP is correct that there have been several vulnerabilities discovered since then.

Is that what you have and why you are complaining

I have a 12th gen but I’m not the one complaining here, OP is. I was just suggesting he find a vendor with a better bios support track record if he wants vulns to be patched quickly.

what security issues

I don’t know what your threat model is, but arbitrary code execution is a valid cause for concern for me: NVD - CVE-2022-35407

3 Likes

Thanks for the link. Is that the Dec 2022 worry you have?

So if it’s an ongoing issue Framework either can’t put pressure on Insyde to fix it or it has been fixed and Framework have decided not to offer it.

I would imagine it’s more likely the first.

Whereas I have no security concerns, you have got me interested.
How likely is it to be exploited and
what threat does it present in the user world?

There are many dangers in the world, and they are increasing. My idea is to try and develop a lifestyle that isn’t so vulnerable rather than rely on others to fix the vulnerabilities they present or expect them to change.

Thanks again

So I wonder how someone is going to mess with my EFi and
what they can do to undermine my security.

Maybe ‘they’ have decided that although there is a vulnerability, as there is to the entry to every house, is it much of a problem when the house the user lives in is even more vulnerable.

2 Likes

I’m starting to dislike CVE more and more. :zipper_mouth_face:

I’m not going to go thru all the CVE’s, but there was one where any attack where access to the EFI partition was necessary. That means it is a physical attack or some sort of root exploit that allows writing to that partition. So, essentially, you already have to be compromised for this to be effective.

2 Likes

We’ve released an alpha version of a new EFI updater design today for 12th Gen, which is a rewrite to resolve the issues that we’ve seen around the previous updater handling different firmware areas on Intel platforms. Once we’re able to vet out this new updater type, we’ll be able to bring it to 11th Gen as well and continue to use it for further updates more easily in the future.

11 Likes

Think about how many things you run with elevated privileges. Even carefully vetting every application you run with root or root-like privileges, it’s not uncommon for trusted applications to fall victim to supply chain attacks. Privilege escalation bugs are also unfortunately common and can be used to exploit bios vulns just like these.

Malicious applications (or malicious libraries used by trusted applications, or malicious plugins in trusted applications) love vulnerabilities like these because by getting into the bios they can do whatever they want before the OS even loads. They can encrypt your data and ask for a ransom, they can put a malicous payload on your harddrive to install telemetry, etc. all while evading OS-level security.

It can affect dual-boot users as well. Maybe you play pirated games on one partition and do sensitive work on another partition thinking you’re safe, but vulns in firmware like this can totally blow your strategy.

So while it’s true that vulns like this require for something on your device to already be compromised, the chances are pretty high that something else on your device IS compromised. Firmware security is often all about defense-in-depth, yes, but there are really really good reasons to have defense-in-depth nowadays.

1 Like

That is an interesting attack vector. Haven’t run Windows since the 90’s, but I thought they had the “Administrator”. Would a game need root-equivalent privileges to install?

If you’re already compromised, the BIOS vulnerability doesn’t make it any worse was my point. If someone has a privilege escalation, you’re toast. The attacker could also write to the firmware of the harddrive which would be an even worse persistent threat. If someone has physical access, you’re toast also.

IMO, including firmware in defense in depth is like saying

  • the front-door was unlocked (physical access)
  • and we put the keys to the safe next to the safe (privilege escalation)
  • but the robber had to wait 30 min because of the time-delay on the safe to open.

It is technically correct, which is the best type of correct on the internet, but I just don’t think it meaningfully improves most threat-models.

Haven’t run Windows since the 90’s, but I thought they had the “Administrator”

Good point, I am also not very familiar with how Windows does it nowadays. I dual-boot linux distros (not for piracy though I promise, I buy my games :sweat_smile:).

If someone has a privilege escalation, you’re toast.

This is not quite true. Linux security is not as simple as root vs non-root. Many exploits can escalate permission just far enough to enable read or write to a single folder for example, or to execute a single program or group of programs. Privilege escalation doesn’t always mean escalation to root, it often just means escalating far enough to deliver your payload or to exploit a deeper vuln (like a firmware vuln). This is why things like bubblewrap, firejail, apparmor, and se-linux exist – they allow you to tighten your grip on applications with more granularity than the simple root vs non-root perms do without having to create a new user per application.

Firmware vulnerabilities like these can make relatively minor OS or application vulnerabilities into pretty major ones, which is why most laptop companies are so quick to patch them.

I think we’re mostly on the same page though :+1: We agree defense-in-depth is good, and just disagree on the importance to the average user.

2 Likes

Completely off-topic at this point, but I was actually curious about this. From man capabilities, a list of a few that could do it:

  • CAP_SYS_MODULE - load kernel modules
  • CAP_SYS_RAWIO - raw reads/writes
  • CAP_CHOWN - get access to the raw device
  • CAP_DAC_OVERRIDE - bypass permission checks
  • CAP_FOWNER
  • CAP_SYS_ADMIN
  • CAP_SYS_BOOT - kexec-load
  • …Maybe others?

I can’t think of a single binary that is using the above capabilities AND running as non-root. So it certainly is a possibility, but for me, the most dangerous binaries remain the webbrowsers. :laughing:

1 Like

But this is a discussion around facts, not your idea of a lifestyle.

That is okay for me, but how does that solve the problem?

That brings me to the question, when this future will be?

Then please open your own discussion. We are discussing a different problem here. Please don’t disturb this.

The worry is that framework is unable to provide a consistent way to get the firmware fixed in time. We are talking about a previously working EFI method, that is not available for a firmware fix that was ready A YEAR AGO!

Yes I do know what you mean but we are not dealing with a hardware or software issue but how people are being, albeit a business in this case.

The purchase of this laptop is very much a lifestyle choice as was and is it’s creation and development.

"But this is a discussion around facts, not your idea of a lifestyle.

Or is the question about wanting an update and pointing to the people at Framework or is it something tangible.

I understand the argument but not quite who it is directed at. If it was to be directed at the Framework people then why make the issue public? The facts are that the issue is public maybe and whom this worry is directed at ~ the forum is exactly that a personal i.e. lifestyle choice.

So I don’t disagree with any facts as portrayed I was just querying the depth of concern.

I’d better leave this topic now and mute it, but thanks for the responses and I hope those that worry are really OK :slight_smile: