See my previous post here, I found it. Did not look to be in a region directly covered by Boot Guard if I am reading UEFITool correctly. But it might still be covered transitively. I do not know enough to figure that out easily.
I also first found the black image and the TianoCore logo. The rest I found by doing a binary search for magic bytes of various image formats supported by the parsers that are shipped by Insyde. Framework's logos and the new diagnostic graphics I found in the AMD BIOS are mostly PNG.
Happy new Year Alan and thank you very much for the link.
Hopefully there will be an update for the 13th Gen soon, so my boss isn't worried about that anymore.
Have to update 40 machines then
I found the GUID 67A75EF8-C454-45A0-A648-0A2B489F9BD6 in a boot guard protected region (The framework logo with the text “framework” after it).
My interpretation is that white regions are completely protected, yellow regions are partly protected and red regions are not protected by Intel Boot Guard.
I matched the red regions to the IBB segments listed under security and assumed from that that those should be the directly protected sections. I.e. the address of the image is not covered by any of the IBB segments.
But not like I am entirely sure on this.
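The two checks described in this thread, scanning a firmware image for the magic bytes of the formats the Insyde graphics parsers handle and then testing whether each hit falls inside an IBB segment, as one added example. This is illustration code written for this thread, not anything from Framework, Insyde or UEFITool; the firmware blob and the IBB segment table are constructed sample data, and the offsets in them are invented.

```python
"""Find embedded image-format headers in a firmware image and report whether
each one lies inside a Boot Guard IBB (Initial Boot Block) segment.

Added illustration for this thread. The blob built by build_sample_blob() and
the IBB_SEGMENTS table are CONSTRUCTED sample data, not real firmware.
"""
import struct
from typing import Callable, Dict, List, Tuple

# Magic-byte prefixes of the formats a UEFI graphics stack commonly parses.
MAGIC: Dict[str, bytes] = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "JPEG": b"\xff\xd8\xff",
    "GIF": b"GIF8",
    "BMP": b"BM",
}


def _bmp_plausible(blob: bytes, off: int) -> bool:
    """'BM' is only two bytes, so demand a sane BITMAPFILEHEADER size field
    (little-endian u32 at offset+2) before accepting the hit."""
    if off + 14 > len(blob):
        return False
    size = struct.unpack_from("<I", blob, off + 2)[0]
    return 14 < size <= len(blob) - off


# Extra validation for formats whose magic is too short to be conclusive.
VALIDATORS: Dict[str, Callable[[bytes, int], bool]] = {"BMP": _bmp_plausible}


def find_images(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, format) for every validated magic-byte hit, by offset."""
    hits: List[Tuple[int, str]] = []
    for fmt, magic in MAGIC.items():
        pos = blob.find(magic)
        while pos != -1:
            if VALIDATORS.get(fmt, lambda b, o: True)(blob, pos):
                hits.append((pos, fmt))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


# Constructed IBB segments as (base offset, size) within the image file.
IBB_SEGMENTS: List[Tuple[int, int]] = [(0x0000, 0x1000), (0x2000, 0x0800)]


def covered_by(offset: int, segments: List[Tuple[int, int]]) -> bool:
    """True if the offset falls inside any listed segment."""
    return any(base <= offset < base + size for base, size in segments)


def report(blob: bytes, segments: List[Tuple[int, int]]) -> List[Tuple[int, str, bool]]:
    """(offset, format, inside_ibb) for every image header found."""
    return [(off, fmt, covered_by(off, segments)) for off, fmt in find_images(blob)]


def build_sample_blob() -> bytes:
    """Constructed 12 KiB image with a few planted headers."""
    blob = bytearray(0x3000)
    blob[0x0100:0x0108] = MAGIC["PNG"]        # inside the first IBB segment
    blob[0x0500:0x0502] = MAGIC["BMP"]        # bogus 'BM' with zero size field
    blob[0x1800:0x1803] = MAGIC["JPEG"]       # outside every segment
    blob[0x2100:0x2104] = MAGIC["GIF"]        # inside the second segment
    blob[0x2900:0x2902] = MAGIC["BMP"]        # plausible BMP, outside segments
    struct.pack_into("<I", blob, 0x2902, 0x100)
    return bytes(blob)


if __name__ == "__main__":
    for off, fmt, inside in report(build_sample_blob(), IBB_SEGMENTS):
        print(f"{off:#08x} {fmt:<4} {'IBB' if inside else 'not in IBB'}")
```

The segment table is the part you would fill in from the Boot Guard IBB entries UEFITool shows under the security tab; an image header that is not inside any segment is exactly the case discussed above, where the parser code may be measured but the data it consumes is not.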
Little Company in Germany, we changed to Framework Devices from our old Dell Stuff.
(40 machines, 28 are rolled out, rest will follow if there isn't any colleague on vacation left)
Disclaimer: this post is for paranoid people only.
A machine compromised with a LogoFail attack could just pretend to do a firmware upgrade and show the new firmware version in the UI, while still being the old compromised version.
In my opinion, the only way to verify the new firmware version is using the TPM2.
Therefore you need to get a tpm2-quote and verify it (checkquote). Also, to prevent attacks on the verification (e.g. spoofing a random key), you need to verify the endorsement key signed by the TPM2 manufacturer and make sure the attestation key used to create the quote is stored in the TPM2 (makecredential/activatecredential).
To verify the PCR0 hash value of the TPM2, here are the firmware measurements for a Gen12 3.08 firmware:
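The PCR0 comparison the post is leading up to, as an added example: replay the firmware measurements into a PCR0 value and compare it with the PCR0 carried in the quote. This is illustration code written for this thread, not from the poster or from tpm2-tools; the firmware components and their digests are constructed, not the Gen12 3.08 measurements, and the quoted value in the demo is derived from those constructed digests.

```python
"""Replay firmware measurements into a PCR0 value and compare it against the
PCR0 reported in a TPM2 quote.

Added illustration for this thread. The component blobs below are CONSTRUCTED
stand-ins for the real firmware measurements; the only TPM-specific fact used
is the extend rule PCR_new = SHA-256(PCR_old || digest) with PCR0 starting
at 32 zero bytes.
"""
import hashlib
import hmac
from typing import Iterable, List

PCR_INIT = bytes(32)  # PCR0 reset value for SHA-256 banks


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One TPM2_PCR_Extend step for the SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(digests: Iterable[bytes]) -> bytes:
    """Fold an ordered list of event digests into the resulting PCR value."""
    pcr = PCR_INIT
    for d in digests:
        pcr = pcr_extend(pcr, d)
    return pcr


def measure(components: Iterable[bytes]) -> List[bytes]:
    """SHA-256 of each firmware component, in the order it is measured."""
    return [hashlib.sha256(c).digest() for c in components]


def pcr0_matches(quoted_pcr0_hex: str, golden_digests: Iterable[bytes]) -> bool:
    """True if the quoted PCR0 equals the replay of the golden measurements.
    Constant-time compare, so a wrong value is not rejected byte by byte."""
    return hmac.compare_digest(replay_pcr(golden_digests).hex(), quoted_pcr0_hex)


# Constructed firmware components standing in for the published measurements.
GOLDEN_COMPONENTS = [b"constructed: PEI core", b"constructed: DXE core", b"constructed: boot logo"]
GOLDEN_DIGESTS = measure(GOLDEN_COMPONENTS)


def demo() -> bool:
    """Accepts a quote that reproduces the golden PCR0, rejects a modified one."""
    honest_quote = replay_pcr(GOLDEN_DIGESTS).hex()
    # A LogoFAIL-style change to the logo component yields a different PCR0.
    tampered = measure(GOLDEN_COMPONENTS[:2] + [b"constructed: modified logo"])
    tampered_quote = replay_pcr(tampered).hex()
    return pcr0_matches(honest_quote, GOLDEN_DIGESTS) and not pcr0_matches(tampered_quote, GOLDEN_DIGESTS)


if __name__ == "__main__":
    print("replayed PCR0:", replay_pcr(GOLDEN_DIGESTS).hex())
    print("demo ok:", demo())
```

The value this replays is what `tpm2_checkquote` compares against the PCR digest inside the quote; the quote's own signature, and the makecredential/activatecredential proof that the signing key lives in the TPM, are the separate steps the post lists before this one. A firmware that merely displays a new version string changes none of the measured components, so its PCR0 still replays to the old value.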
Heads up for anyone like me who has been semi-regularly checking this thread and LVFS for updates:
12th gen BIOS 3.08 Beta includes fix for “CVE-2023-40238 LogoFAIL”. Not great news for Linux users as this update can’t roll out via LVFS and the UEFI updater was pulled two months ago due to unexpected failures, but still…
I don’t see any similar update for the 11th gen, and I don’t know what the LogoFAIL situation is for AMD. However I still thought I’d post as I’d been assuming any progress would show up in this thread and/or in the available LVFS updates for Linux…
Realistically nobody should be using the 12th gen anymore, it’s gone nearly 2 years without a single stable patch. Kinda stinks that the early framework boards were sold as finished products; they had pretty prototype-like lifespans.
Are you talking about UEFI updates? Almost no reason to update on laptops unless there’s a security or stability issue. I have never one time updated UEFI on a laptop; to relegate a device to outmoded status because of UEFI updates not being available on an otherwise stable system seems a little silly.
Of course I’d agree that when there are no security issues UEFI updates aren’t critical. Unfortunately though, the 12th gen has had known vulns since shortly after launch: 12th Gen BIOS Vulnerability
Best part is, the logos at least 12th gen shows anywhere are PNG. But the base BIOS seems to be a very unified build from Insyde that includes all the parsers for all formats. Number one way to be more security conscious would be to only enable / add the code for the formats actually used. It's modular after all. The AMD FW13 also had a PXE exploit listed (with FW stating they were unsure if it could be exploited, seeing as the FW does not support PXE booting anyway. Also an issue I do not think was fixed for 12th gen yet).
That just tells you that Insyde is not being defensive in their development at all. Just throwing tons of unused code in there, when they have proven that it's not secure and they seem to not even test for robustness, even after the issues were publicized.
LogoFAIL has now been found in the wild.
Researchers have made public, for the first time, that code was found on an internet-connected server. The code uses LogoFAIL to install a bootkit for Linux, bootkitty, and appears production-ready / ready to release.
Bootkitty: “Hard to detect, Hard to disinfect”
So, has logoFAIL been fixed for Release BIOS firmware for every gen? @anyone who happens to know
This is what I saw looking through the firmware release pages.
• 11th Gen
I do not find “LogoFAIL” or the exploit identifier numbers in the notes on the firmware page. 11th Gen BIOS and Driver firmware page
I do not find "LogoFAIL" or the exploit identifiers CVE-2023-40238, BRLY-2023-006, or CVE-2023-39538 in the notes in the firmware pages for any of the others (the 13th Gen, Intel Ultra Series 1, or Framework Laptop 16 AMD 7040).
Were they perhaps never affected to begin with? I believe they are affected, as I recall seeing mention.
I have not searched through any Beta firmware.
If beta firmware is required to protect against LogoFAIL, then I'd like to see Framework either push it to release, if at all possible, or email affected customers to inform them that beta firmware is available to fix it.