The only thing that it flags as an issue is CSME version. Looking at the documentation for this tool: FwupdPlugin – 1.0: Host Security ID Specification It seems like this is something that has to be updated in the BIOS.
Is this something I should be worried about, or can it be disregarded?
What did you do to get Encrypted RAM? That’s showing as disabled for me, so not sure what I missed (swap and my boot disk are both encrypted as far as I can see)
IIRC there’s an option for it in the BIOS if you have the 11th gen i7-1185G7. I could be wrong, though, so it’s always worth checking. It should be near other settings related to the CPU.
It seems like we either have to wait for Intel and or Framework to release an update. I’m not really sure which one, since I’m struggling to find if patches are CPU-specific and if one is available for the 11th gen i7-1185G7.
Thank you for your patience, I’ve escalated this report to our Lead Engineer who has confirmed that this will not be updated in the forthcoming 3.17 BIOS update, but is now planned to be updated/fixed in BIOS 3.18 hopefully due later this year.
Regards,
This is great to hear. I really appreciate that they escalated the issue and that they were able to respond so quickly! Thanks Framework Support, I’m looking forward to BIOS 3.18!
I asked the support for an ETA on a new gen 11 firmware including the security fixes. Unfortunately they could not provide a time frame for the update.
Hi,
the latest firmware update (3.17) for the gen 11 did not include Intel Management Engine related security fixes. What’s the ETA for the next firmware release that will include the security fixes?
Thanks for reaching out to Framework Support. Unfortunately, we currently don’t have an estimated timeline for the next firmware release but rest assured that our team is working on it and will surely announce the details when it happens. If you have other concerns or inquiries, please don’t hesitate to reach out. Thank you for your patience.
Thanks for updating this thread and thank you for reaching out to our support team, firmware updates shouldn’t be that long to be released, will update this space once it’s out.
I am having trouble justifying an upgrade if this significant delay is indicative of how Framework is going to address known vulnerabilities in their firmware. This thread discusses a vulnerability that could/should have been addressed in an update that was released more than 6 months ago but was not and no subsequent update has been forthcoming.
I get that priority is most likely 100% on the new AMD firmware and that Framework is operating with limited resources, though this is kind of a bummer. It’s already end of June and there is no update on this topic. Like @JoshB mentioned, if this is an indicator on how framework manages firmware vulnerabilities for older devices, It’s hard to recommend them for business use even though I’d really like to.
@43c I’m grumpy that firmware related news of any kind is relegated to the backseat by the firmware team…now I’m trying to figure out just what exactly I’m going to do about it.
@GhostLegion It does suck we basically have no official timeline on firmware release for existing products with the fixes.
I saw @Kieran_Levin comment on the 12th Gen beta firmware post, They are testing out a new version and will try to get it out soon after validation.
let’s see how that goes.
Encrypted RAM requires the following BIOS flags
Intel Trusted Execution Technology
Total Memory Encryption - this flag achieves Pass for Encrypted RAM @ HSI4
PS: For anyone that randomly found themselves here on an “unsupported” OS for Framework, you need CONFIG_SECURITY_LOCKDOWN_LSM kernel flag compiled to report the security status. Probs a good idea to set it to “Integrity” as well.
So we’re now in February '24, in May '22, almost two years ago(!), intel released security updates for the CSME rated High and listing physical-unauthenticated or adjacent_network-authenticated as attack vectors:
I’ve heard many explanations from releasing a new laptop (sorry, two years, I don’t care anymore!) and a third party vendor being responsible. For the latter case you have SLAs (or, maybe you don’t).
Mind me, if the statement would be “sorry, we don’t officially support Linux and we don’t have the SLAs to get our third-party vendor to provide updates, you’re on your own there” – I’d be much more OK with that. It’s the dishonesty and waiting for years that’s driving me crazy.
Well if this is on a 12th gen Intel you had the 3.06 Beta that actually fixed that issue, and then you had the 3.08 Beta which has been out just over a month 12th Gen Intel Core BIOS 3.08 Beta Release . In the original 3.06 Beta thread Framework did apologize and explained that they had hired additional dedicated personnel at Insyde to work through the backlog and push out regular UEFI updates. We are beginning to see the results of those efforts.
Also cross-posting here: I’ve created an updater to update on Linux through the UEFI shell. There are some caveats and you may not trust all files provided there-in (read the README):
It’s 11 gen. And there’s no “work” to push through, no firmware to develop. It’s literally just repackaging the CSME FWUpdate.bin in a UEFI capsule. Which Framework falsely claims isn’t possible while other vendors do this regularly.
Just pull apart any CSME update by, say, Lenovo, extract the cap file and you’ll find a UEFI capsule firmware.bin, extract with UEFIExtract and you’ll find a body.bin in there with the ME magic $FPT at 0x10 – just like the FWUpdate.bin file.
I don’t have a problem with overworked staff. But I get annoyed after almost 2 years(!) of delays with “sorrys” that don’t change a thing, mindless excuses and misinfo around LVFS not being able to update the CSME. If in doubt, contact Richard Hughes from LVFS to help you guide through the capsule creation process, he’s a kind soul.
