LogoFAIL firmware attack (with link to Insyde's security advisory)

Any Updates for the Gen 13th Intel Laptops?


I wanted to find out if the logo is included in the Boot Guard section (Gen12). According to UEFITool, LogoPcx is included in the Boot Guard section.

(1FD0BACE-6F0A-4085-901E-F6210385CB6F > 20BC8AC9 > LzmaCustomDecompressGuid > Volume image section > EfiFirmwareFileSystem2Guid > LogoPcx).

Offset: EFD070h
Name: LogoPcx
File GUID: 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0

I extracted the logo and it is just a black image (1024*768 pixels). I have not found another logo. Does anybody know where the Framework logo is stored? Does the code draw the logo itself?

1 Like

So the attack requires the attacker to already own the system? :thinking:

1 Like

is the thread you should be following.


Howdy gang, in lieu of an update (for now) I’ve turned on the verbose boot mode (not near my computer, can’t remember the exact name). This prints system info and doesn’t seem to draw the logo. Act accordingly everyone.


See my previous post here, I found it. Did not look to be in a region directly covered by Boot Guard if I am reading UEFITool correctly. But it might still be covered transitively. I do not know enough to figure that out easily.

I also first found the black image and the TianoCore logo. The rest I found by doing a binary search for magic bytes of various image formats supported by the parsers that are shipped by Insyde. Framework's logos and the new diagnostic graphics I found in the AMD BIOS are mostly PNG.

1 Like

Sadly no Framework employee has acknowledged that this won’t parse the logo. If the logo is still parsed, the machine is still vulnerable.

Great, thank you very much!

Sadly no Framework employee answers this question.

1 Like

Happy New Year, Alan, and thank you very much for the link.
Hopefully there will be an update for the 13th Gen soon, so my boss isn't worried about that anymore.
Have to update 40 machines then :smiley:

I found the GUID 67A75EF8-C454-45A0-A648-0A2B489F9BD6 in a Boot Guard protected region (the Framework logo with the text “framework” after it).
My interpretation is that white regions are completely protected, yellow regions are partly protected and red regions are not protected by Intel Boot Guard.

1 Like

Where are you working? :smiley:

1 Like

I matched the red regions to the IBB segments listed under security and assumed from that that those should be the directly protected sections. I.e. the address of the image is not covered by any of the IBB segments.
But not like I am entirely sure on this.
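
The magic-byte search and the comparison against IBB ranges described in the posts above, as an added example that is not part of any post or of UEFITool: it scans a byte string for PNG and BMP headers, validates each hit so that stray magic bytes are dropped, and reports whether the offset lies in a given range. The `(start, end)` ranges are assumed to be already translated to file offsets of the same dump, and the sample bytes are constructed.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_dims(blob, pos):
    """Validate the IHDR chunk after the signature; return (w, h) or None."""
    chunk = blob[pos + 8 : pos + 33]  # length, type, 13 data bytes, CRC
    if len(chunk) < 25 or chunk[:8] != b"\x00\x00\x00\rIHDR":
        return None
    if zlib.crc32(chunk[4:21]) != struct.unpack(">I", chunk[21:25])[0]:
        return None  # signature bytes followed by something that is not a PNG
    return struct.unpack(">II", chunk[8:16])

def bmp_dims(blob, pos):
    """'BM' alone is too common; require a sane 40-byte BITMAPINFOHEADER."""
    hdr = blob[pos : pos + 26]
    if len(hdr) < 26:
        return None
    size, _, data_off, dib = struct.unpack("<IIII", hdr[2:18])
    width, height = struct.unpack("<ii", hdr[18:26])
    if dib != 40 or not 54 <= data_off < size or width <= 0 or height == 0:
        return None
    return width, abs(height)

CHECKS = (("png", PNG_MAGIC, png_dims), ("bmp", b"BM", bmp_dims))

def scan_images(blob, segments=()):
    """Return sorted (offset, format, w, h, covered) for validated headers.
    segments: (start, end) file-offset ranges treated as covered."""
    hits = []
    for name, magic, check in CHECKS:
        pos = blob.find(magic)
        while pos != -1:
            dims = check(blob, pos)
            if dims:
                covered = any(s <= pos < e for s, e in segments)
                hits.append((pos, name, dims[0], dims[1], covered))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def png_header(w, h):
    # Constructed sample data: signature plus a valid IHDR chunk only.
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", w, h, 8, 6, 0, 0, 0)
    return PNG_MAGIC + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr))

# Constructed stand-in for an unpacked firmware volume, not a real dump.
SAMPLE = (b"\xff" * 0x40 + png_header(640, 480) + b"BM decoy text"
          + b"\x00" * 0x20 + PNG_MAGIC + b"\x00" * 25)
```

Run it on unpacked volume contents: images inside a compressed section, such as the LzmaCustomDecompressGuid section in the path quoted earlier, do not show their headers in the raw dump.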


You are correct, thank you very much.
I had a look at the source code. Red means protected, which is confusing to me:

A little company in Germany, we changed to Framework devices from our old Dell stuff.
(40 machines, 28 are rolled out, the rest will follow if there isn't any colleague on vacation left)


Disclaimer: this post is for paranoid people only.

A machine compromised with a LogoFail attack could just pretend to do a firmware upgrade and show the new firmware version in the UI, while still being the old compromised version.
In my opinion, the only way to verify the new firmware version is using the TPM2.
Therefore you need to get a tpm2-quote and verify it (checkquote). Also, to prevent attacks on the verification (e.g. spoofing a random key), you need to verify the endorsement-key signed by the TPM2-manufacturer and make sure the attestation-key used to create the quote is stored in the TPM2 (makecredential/activatecredential).

To verify the PCR0 hash value of the TPM2, here are the firmware measurements for a Gen12 3.08 firmware:








These can be verified via the tpm2 eventlog. (e.g. on linux: tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements)
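
The event-log check mentioned above, as an added example that is not part of the original post: the log is only trustworthy if replaying its digests reproduces the PCR0 value from the verified quote, and only then is it meaningful to compare individual digests with reference measurements. The events are plain dicts in an assumed, simplified shape (field names `PCRIndex`, `EventType`, `Digests`, `AlgorithmId`, `Digest`, `StartupLocality`), and every digest here is constructed, not a Framework firmware measurement.

```python
import hashlib

def measured(events, pcr, alg):
    """Digests that were extended into `pcr`, in log order."""
    return [next(d["Digest"] for d in ev["Digests"] if d["AlgorithmId"] == alg)
            for ev in events
            if ev["PCRIndex"] == pcr and ev["EventType"] != "EV_NO_ACTION"]

def startup_locality(events):
    """Locality from an EV_NO_ACTION StartupLocality event, else 0."""
    for ev in events:
        if ev["EventType"] == "EV_NO_ACTION" and "StartupLocality" in ev:
            return ev["StartupLocality"]
    return 0

def replay_pcr(events, pcr=0, alg="sha256"):
    """Recompute a PCR: new = H(old || digest) for every measured event."""
    start = bytearray(hashlib.new(alg).digest_size)
    if pcr == 0:
        start[-1] = startup_locality(events)  # e.g. 00..03 for locality 3
    value = bytes(start)
    for digest in measured(events, pcr, alg):
        value = hashlib.new(alg, value + bytes.fromhex(digest)).digest()
    return value.hex()

def first_mismatch(events, reference, pcr=0, alg="sha256"):
    """Index of the first digest differing from a known-good list, or None."""
    got = measured(events, pcr, alg)
    for i, (a, b) in enumerate(zip(got, reference)):
        if a.lower() != b.lower():
            return i
    return None if len(got) == len(reference) else min(len(got), len(reference))

def ev(pcr, kind, label):
    # Constructed event: the digest is a hash of a label, not a real measurement.
    return {"PCRIndex": pcr, "EventType": kind,
            "Digests": [{"AlgorithmId": "sha256",
                         "Digest": hashlib.sha256(label).hexdigest()}]}

SAMPLE_LOG = [
    {"PCRIndex": 0, "EventType": "EV_NO_ACTION", "StartupLocality": 3, "Digests": []},
    ev(0, "EV_S_CRTM_VERSION", b"constructed-crtm-version"),
    ev(7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"constructed-secureboot"),
    ev(0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"constructed-firmware-volume"),
]

if __name__ == "__main__":
    print("replayed PCR0:", replay_pcr(SAMPLE_LOG))
```

A replayed value that differs from the quoted PCR0 means the log is incomplete or altered; a forgotten startup locality gives the same symptom, which is why the replay seeds PCR0 from that event.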


this is amazing to hear

Heads up for anyone like me who has been semi-regularly checking this thread and LVFS for updates:

12th gen BIOS 3.08 Beta includes fix for “CVE-2023-40238 LogoFAIL”. Not great news for Linux users as this update can’t roll out via LVFS and the UEFI updater was pulled two months ago due to unexpected failures, but still…

I don’t see any similar update for the 11th gen, and I don’t know what the LogoFAIL situation is for AMD. However I still thought I’d post as I’d been assuming any progress would show up in this thread and/or in the available LVFS updates for Linux…


Realistically nobody should be using the 12th gen anymore, it’s gone nearly 2 years without a single stable patch. Kinda stinks that the early framework boards were sold as finished products; they had pretty prototype-like lifespans.

Are you talking about UEFI updates? Almost no reason to update on laptops unless there’s a security or stability issue. I have never one time updated UEFI on a laptop; to relegate a device to outmoded status because of UEFI updates not being available on an otherwise stable system seems a little silly.


Of course I’d agree that when there are no security issues UEFI updates aren’t critical. Unfortunately though, the 12th gen has had known vulns since shortly after launch: 12th Gen BIOS Vulnerability


A new firmware update for AMD should release very soon (at least as a beta) and will fix this.