Framework has notoriously bad bios support. If you care about security, it’s probably best to buy something from a reputable vendor like lenovo until Framework’s firmware team is more mature.
1 Like
Notorius really?
The 3.19 I am using is from Dec 2021.
This is a topic on the 11th Gen by the way. Is that what you have and why you are complaining.
And by the way what security issues do think I may be susceptible to that would cause you or me much concern??
1 Like
Notorius really?
I think notorious is fair: Framework’s software and firmware have been a mess, but it’s working on them | Ars Technica
The 3.19 I am using is from Dec 2021.
2021 is 3 years ago (2 and a half years since December if you wanna spit hairs), and OP is correct that there have been several vulnerabilities discovered since then.
Is that what you have and why you are complaining
I have a 12th gen but I’m not the one complaining here, OP is. I was just suggesting he find a vendor with a better bios support track record if he wants vulns to be patched quickly.
what security issues
I don’t know what your threat model is, but arbitrary code execution is a valid cause for concern for me: NVD - CVE-2022-35407
3 Likes
Thanks for the link. Is that the Dec 2022 worry you have?
So if it’s an ongoing issue Framework either can’t put pressure on Insyde to fix it or it has been fixed and Framework have decided not to offer it.
I would imagine it’s more likely the first.
Whereas I have no security concerns, you have got me interested.
How likely is it to be exploited and
what threat does it present in the user world?
There are many dangers in the world, and they are increasing. My idea is to try and develop a lifestyle that isn’t so vulnerable rather than rely on others to fix the vulnerabilities they present or expect them to change.
Thanks again
So I wonder how someone is going to mess with my EFi and
what they can do to undermine my security.
Maybe ‘they’ have decided that although there is a vulnerability, as there is to the entry to every house, is it much of a problem when the house the user lives in is even more vulnerable.
2 Likes
I’m starting to dislike CVE more and more. 
I’m not going to go thru all the CVE’s, but there was one where any attack where access to the EFI partition was necessary. That means it is a physical attack or some sort of root exploit that allows writing to that partition. So, essentially, you already have to be compromised for this to be effective.
2 Likes
We’ve released an alpha version of a new EFI updater design today for 12th Gen, which is a rewrite to resolve the issues that we’ve seen around the previous updater handling different firmware areas on Intel platforms. Once we’re able to vet out this new updater type, we’ll be able to bring it to 11th Gen as well and continue to use it for further updates more easily in the future.
11 Likes
Think about how many things you run with elevated privileges. Even carefully vetting every application you run with root or root-like privileges, it’s not uncommon for trusted applications to fall victim to supply chain attacks. Privilege escalation bugs are also unfortunately common and can be used to exploit bios vulns just like these.
Malicious applications (or malicious libraries used by trusted applications, or malicious plugins in trusted applications) love vulnerabilities like these because by getting into the bios they can do whatever they want before the OS even loads. They can encrypt your data and ask for a ransom, they can put a malicous payload on your harddrive to install telemetry, etc. all while evading OS-level security.
It can affect dual-boot users as well. Maybe you play pirated games on one partition and do sensitive work on another partition thinking you’re safe, but vulns in firmware like this can totally blow your strategy.
So while it’s true that vulns like this require for something on your device to already be compromised, the chances are pretty high that something else on your device IS compromised. Firmware security is often all about defense-in-depth, yes, but there are really really good reasons to have defense-in-depth nowadays.
1 Like
That is an interesting attack vector. Haven’t run Windows since the 90’s, but I thought they had the “Administrator”. Would a game need root-equivalent privileges to install?
If you’re already compromised, the BIOS vulnerability doesn’t make it any worse was my point. If someone has a privilege escalation, you’re toast. The attacker could also write to the firmware of the harddrive which would be an even worse persistent threat. If someone has physical access, you’re toast also.
IMO, including firmware in defense in depth is like saying
- the front-door was unlocked (physical access)
- and we put the keys to the safe next to the safe (privilege escalation)
- but the robber had to wait 30 min because of the time-delay on the safe to open.
It is technically correct, which is the best type of correct on the internet, but I just don’t think it meaningfully improves most threat-models.
Haven’t run Windows since the 90’s, but I thought they had the “Administrator”
Good point, I am also not very familiar with how Windows does it nowadays. I dual-boot linux distros (not for piracy though I promise, I buy my games 
).
If someone has a privilege escalation, you’re toast.
This is not quite true. Linux security is not as simple as root vs non-root. Many exploits can escalate permission just far enough to enable read or write to a single folder for example, or to execute a single program or group of programs. Privilege escalation doesn’t always mean escalation to root, it often just means escalating far enough to deliver your payload or to exploit a deeper vuln (like a firmware vuln). This is why things like bubblewrap, firejail, apparmor, and se-linux exist – they allow you to tighten your grip on applications with more granularity than the simple root vs non-root perms do without having to create a new user per application.
Firmware vulnerabilities like these can make relatively minor OS or application vulnerabilities into pretty major ones, which is why most laptop companies are so quick to patch them.
I think we’re mostly on the same page though 
We agree defense-in-depth is good, and just disagree on the importance to the average user.
2 Likes
Completely off-topic at this point, but I was actually curious about this. From man capabilities, a list of a few that could do it:
- CAP_SYS_MODULE - load kernel modules
- CAP_SYS_RAWIO - raw reads/writes
- CAP_CHOWN - get access to the raw device
- CAP_DAC_OVERRIDE - bypass permission checks
- CAP_FOWNER
- CAP_SYS_ADMIN
- CAP_SYS_BOOT - kexec-load
- …Maybe others?
I can’t think of a single binary that is using the above capabilities AND running as non-root. So it certainly is a possibility, but for me, the most dangerous binaries remain the webbrowsers. 
1 Like
But this is a discussion around facts, not your idea of a lifestyle.
That is okay for me, but how does that solve the problem?
That brings me to the question, when this future will be?
Then please open your own discussion. We are discussing a different problem here. Please don’t disturb this.
The worry is that framework is unable to provide a consistent way to get the firmware fixed in time. We are talking about a previously working EFI method, that is not available for a firmware fix that was ready A YEAR AGO!
Yes I do know what you mean but we are not dealing with a hardware or software issue but how people are being, albeit a business in this case.
The purchase of this laptop is very much a lifestyle choice as was and is it’s creation and development.
"But this is a discussion around facts, not your idea of a lifestyle.
Or is the question about wanting an update and pointing to the people at Framework or is it something tangible.
I understand the argument but not quite who it is directed at. If it was to be directed at the Framework people then why make the issue public? The facts are that the issue is public maybe and whom this worry is directed at ~ the forum is exactly that a personal i.e. lifestyle choice.
So I don’t disagree with any facts as portrayed I was just querying the depth of concern.
I’d better leave this topic now and mute it, but thanks for the responses and I hope those that worry are really OK 
It would be interesting to hear framework on this. It’s their decision to make it either
- a lifestyle product with a short lifetime like a throw away consumable
- a serious alternative to established products on a reusable platform
Up to now it is more like a “we drop support early to make people buy the new hardware”.
So framework, where is your committment to lifetime and support?
Will you fix the charging issue? Will you follow the path and go for a TB4 certification as announced earlier? Will you come to a timely release cycle for firmware hotfixes?
And, if yes, when?
To be clear: The pending answer to this question holds me back from investing more in framework hardware. Convince me, convince us!
Certainly there are things Framework needs to improve. They are working to do so, but it’s not possible to have dates as to when individual issues will be fixed. If it’s just not acceptable to you, then consider selling your Framework laptop and getting something else. Perhaps return to Framework when you consider that the results of their efforts are adequate for you.
Also, note that while Framework staff does post here on some things, this is primarily a user forum, you’re not likely to get a staff response here. If you want to actually ask them about something, you can contact them, Framework | Contact Us
Lenovo is the manufacturer that once literally built a malware into the BIOS of their laptop, that was reinstalling itself in Windows each time the user would try to remove it.
1 Like
Why can’t they just give a timeline, if they
- have a firmware binary for nearly a year that is the exact 3.20 version we need
- they have release EFI methods for firmware updates for the exact model earlier
It is just a matter of packaging it again!
But they don’t care, that is my impression. They have sold their hardware and they are happy to have the money now. Who cares what comes after.
Fine is you are willing accept this and run a defective device, I am not.
Contacting the service desk until now never came to any solution. We have to build up some pressure to get what we have paid for!