Intel 11th Gen Firmware Support - a BIG question mark

Hi Mapleleaf,
thank you for your reply. Yes I am on Linux and I am aware of workarounds - with mixed results.
** Please don’t get me wrong, the work of framework is outstanding **

Still the situation is that
1a) Framework has been seeking people (especially BIOS engineers) for a very long time
1b) For the 11th gen Intel BIOS, Framework has shown they are able to provide an EFI shell update method, and still, for the latest BIOS version addressing two high-risk vulnerabilities and two medium ones, it has not been available since May 2023. That is a year soon! Is that a way to address security?
2) The disconnect issue for this USB-C connector that was announced as something “Technically TB4, but not sure if we get it certified” has existed since the device came on the market. My support request for this goes back to September 2022. If they did not solve it until now, they never will! That’s why I am asking if I can get it replaced with something that gets support?

How would you rate the framework support?
How do they deal with “design issues”?

In the meantime, could you tell more about what’s going wrong with this workaround?

Framework has notoriously bad bios support. If you care about security, it’s probably best to buy something from a reputable vendor like lenovo until Framework’s firmware team is more mature.

1 Like

Notorious, really?

I think notorious is fair: Framework’s software and firmware have been a mess, but it’s working on them | Ars Technica

The 3.19 I am using is from Dec 2021.

2021 is 3 years ago (2 and a half years since December if you wanna split hairs), and OP is correct that there have been several vulnerabilities discovered since then.

Is that what you have and why you are complaining

I have a 12th gen but I’m not the one complaining here, OP is. I was just suggesting he find a vendor with a better bios support track record if he wants vulns to be patched quickly.

what security issues

I don’t know what your threat model is, but arbitrary code execution is a valid cause for concern for me: NVD - CVE-2022-35407

3 Likes

I’m starting to dislike CVE more and more. :zipper_mouth_face:

I’m not going to go thru all the CVEs, but there was one where access to the EFI partition was necessary for any attack. That means it is a physical attack or some sort of root exploit that allows writing to that partition. So, essentially, you already have to be compromised for this to be effective.

2 Likes

We’ve released an alpha version of a new EFI updater design today for 12th Gen, which is a rewrite to resolve the issues that we’ve seen around the previous updater handling different firmware areas on Intel platforms. Once we’re able to vet out this new updater type, we’ll be able to bring it to 11th Gen as well and continue to use it for further updates more easily in the future.

11 Likes

Think about how many things you run with elevated privileges. Even carefully vetting every application you run with root or root-like privileges, it’s not uncommon for trusted applications to fall victim to supply chain attacks. Privilege escalation bugs are also unfortunately common and can be used to exploit bios vulns just like these.

Malicious applications (or malicious libraries used by trusted applications, or malicious plugins in trusted applications) love vulnerabilities like these because by getting into the BIOS they can do whatever they want before the OS even loads. They can encrypt your data and ask for a ransom, they can put a malicious payload on your hard drive to install telemetry, etc., all while evading OS-level security.

It can affect dual-boot users as well. Maybe you play pirated games on one partition and do sensitive work on another partition thinking you’re safe, but vulns in firmware like this can totally blow your strategy.

So while it’s true that vulns like this require something on your device to already be compromised, the chances are pretty high that something else on your device IS compromised. Firmware security is often all about defense-in-depth, yes, but there are really, really good reasons to have defense-in-depth nowadays.

1 Like

That is an interesting attack vector. Haven’t run Windows since the 90’s, but I thought they had the “Administrator”. Would a game need root-equivalent privileges to install?

If you’re already compromised, the BIOS vulnerability doesn’t make it any worse was my point. If someone has a privilege escalation, you’re toast. The attacker could also write to the firmware of the hard drive, which would be an even worse persistent threat. If someone has physical access, you’re toast also.

IMO, including firmware in defense in depth is like saying

  • the front-door was unlocked (physical access)
  • and we put the keys to the safe next to the safe (privilege escalation)
  • but the robber had to wait 30 min because of the time-delay on the safe to open.

It is technically correct, which is the best type of correct on the internet, but I just don’t think it meaningfully improves most threat-models.

Haven’t run Windows since the 90’s, but I thought they had the “Administrator”

Good point, I am also not very familiar with how Windows does it nowadays. I dual-boot linux distros (not for piracy though I promise, I buy my games :sweat_smile:).

If someone has a privilege escalation, you’re toast.

This is not quite true. Linux security is not as simple as root vs non-root. Many exploits can escalate permission just far enough to enable read or write to a single folder, for example, or to execute a single program or group of programs. Privilege escalation doesn’t always mean escalation to root; it often just means escalating far enough to deliver your payload or to exploit a deeper vuln (like a firmware vuln). This is why things like bubblewrap, firejail, AppArmor, and SELinux exist – they allow you to tighten your grip on applications with more granularity than the simple root vs non-root perms do, without having to create a new user per application.

Firmware vulnerabilities like these can make relatively minor OS or application vulnerabilities into pretty major ones, which is why most laptop companies are so quick to patch them.

I think we’re mostly on the same page though :+1: We agree defense-in-depth is good, and just disagree on the importance to the average user.

2 Likes

Completely off-topic at this point, but I was actually curious about this. From man capabilities, a list of a few that could do it:

  • CAP_SYS_MODULE - load kernel modules
  • CAP_SYS_RAWIO - raw reads/writes
  • CAP_CHOWN - get access to the raw device
  • CAP_DAC_OVERRIDE - bypass permission checks
  • CAP_FOWNER
  • CAP_SYS_ADMIN
  • CAP_SYS_BOOT - kexec-load
  • …Maybe others?

I can’t think of a single binary that is using the above capabilities AND running as non-root. So it certainly is a possibility, but for me, the most dangerous binaries remain the web browsers. :laughing:

1 Like
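The question in the post above (is anything on the box running as non-root while holding one of those capabilities?) can be answered by reading `/proc/<pid>/status` rather than guessing. The following is an added audit script, not code from the forum poster or from Framework; the capability bit positions come from `linux/capability.h`, and the process names and PIDs in `SAMPLE` are constructed for the offline run, not real processes.

```python
import os

# Capability bit positions from linux/capability.h for the capabilities the
# post lists as sufficient to reach raw devices, the EFI partition or the kernel.
FIRMWARE_RELEVANT_CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_FOWNER": 3,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22,
}


def parse_status(text):
    """Parse a /proc/<pid>/status body into (comm name, real uid, CapEff mask).

    /proc/<pid>/status is 'Key:\\tvalue' lines; Uid: carries four ids (real,
    effective, saved, filesystem) and CapEff: is a hex bitmask of the
    effective capability set.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    real_uid = int(fields["Uid"].split()[0])
    cap_eff = int(fields["CapEff"], 16)
    return fields.get("Name", "?"), real_uid, cap_eff


def dangerous_caps(cap_eff):
    """Names (sorted) of the listed capabilities set in an effective mask."""
    return sorted(name for name, bit in FIRMWARE_RELEVANT_CAPS.items()
                  if (cap_eff >> bit) & 1)


def flag_non_root_with_caps(statuses):
    """Given (pid, status_text) pairs, return the processes that are NOT uid 0
    yet hold at least one of the listed capabilities: exactly the case the
    post says it cannot think of an example for."""
    hits = []
    for pid, text in statuses:
        name, uid, cap_eff = parse_status(text)
        caps = dangerous_caps(cap_eff)
        if uid != 0 and caps:
            hits.append((pid, name, uid, caps))
    return hits


def read_proc():
    """Yield (pid, status_text) for every live process on a Linux host."""
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as f:
                    yield int(entry), f.read()
            except OSError:
                continue  # process exited between listdir and open, or unreadable


# Constructed sample: a root daemon with the full 41-bit set, an ordinary user
# shell with no capabilities, a web server holding only CAP_NET_BIND_SERVICE
# (bit 10, 0x400, not in the list above), and a uid 1000 tool holding
# CAP_SYS_RAWIO | CAP_SYS_ADMIN (bits 17 and 21, 0x220000). Names are hypothetical.
SAMPLE = [
    (1, "Name:\thypothetical-root-daemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"),
    (1234, "Name:\thypothetical-shell\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"),
    (2345, "Name:\thypothetical-webserver\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\n"),
    (4242, "Name:\thypothetical-tool\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000220000\n"),
]

if __name__ == "__main__":
    # Audit the sample first, then the live system when run on Linux.
    for pid, name, uid, caps in flag_non_root_with_caps(SAMPLE):
        print(f"[sample] pid={pid} {name} uid={uid} holds {', '.join(caps)}")
    if os.path.isdir("/proc"):
        for pid, name, uid, caps in flag_non_root_with_caps(read_proc()):
            print(f"[live]   pid={pid} {name} uid={uid} holds {', '.join(caps)}")
```

On the constructed sample only the uid 1000 tool is reported; on a real host the live pass usually turns up container runtimes and hardened service managers, which is the kind of inventory that decides whether the "firmware write needs root anyway" argument actually holds for a given machine.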

But this is a discussion around facts, not your idea of a lifestyle.

That is okay for me, but how does that solve the problem?

That brings me to the question, when this future will be?

Then please open your own discussion. We are discussing a different problem here. Please don’t disturb this.

The worry is that Framework is unable to provide a consistent way to get the firmware fixed in time. We are talking about a previously working EFI method, which is not available for a firmware fix that was ready A YEAR AGO!

It would be interesting to hear framework on this. It’s their decision to make it either

  • a lifestyle product with a short lifetime like a throw away consumable
  • a serious alternative to established products on a reusable platform

Up to now it is more like a “we drop support early to make people buy the new hardware”.
So Framework, where is your commitment to lifetime and support?
Will you fix the charging issue? Will you follow the path and go for a TB4 certification as announced earlier? Will you come to a timely release cycle for firmware hotfixes?
And, if yes, when?

To be clear: The pending answer to this question holds me back from investing more in framework hardware. Convince me, convince us!

Certainly there are things Framework needs to improve. They are working to do so, but it’s not possible to have dates as to when individual issues will be fixed. If it’s just not acceptable to you, then consider selling your Framework laptop and getting something else. Perhaps return to Framework when you consider that the results of their efforts are adequate for you.

Also, note that while Framework staff does post here on some things, this is primarily a user forum, you’re not likely to get a staff response here. If you want to actually ask them about something, you can contact them, Framework | Contact Us

Lenovo is the manufacturer that once literally built a malware into the BIOS of their laptop, that was reinstalling itself in Windows each time the user would try to remove it.

1 Like

Why can’t they just give a timeline, if they

  • have a firmware binary for nearly a year that is the exact 3.20 version we need
  • they have released EFI methods for firmware updates for the exact model earlier

It is just a matter of packaging it again!
But they don’t care, that is my impression. They have sold their hardware and they are happy to have the money now. Who cares what comes after.
Fine if you are willing to accept this and run a defective device; I am not.

Contacting the service desk until now never came to any solution. We have to build up some pressure to get what we have paid for!

Does that solve the problem we are discussing here?
BTW: I see a difference between a manufacturer releasing a faulty BIOS when they weren’t even aware of the vulnerability and, on the other hand, an organization that simply does not care and is not committed.