Update for the fingerprint reader in LVFS testing

We have released new fingerprint reader firmware to LVFS which fixes a physical MITM vulnerability described in A Touch of Pwn - Part I

Version: 1000334

If you want to update, you can enable the testing remote for LVFS.

fwupdmgr enable-remote lvfs-testing

And then update.

Please note that our FPR vendor, and security researcher did not issue a CVE for this issue.

We have performed internal testing on this update on Framework 13 and 16. If no major issues are reported during the beta period we will promote this update to stable after approximately one week.

Release notes:

1. Fix MITM vulnerability.

Known Issues:

1. If you are running LVFS below 1.9.14 you may see an error when the update completes that the device did not return. In our testing this is caused by too short a timeout to wait for the device to reenumerate after flashing the firmware. And can be safely ignored. This was fixed in 1.9.14. See Goodix firmware update fails, but actually succeeds · Issue #6809 · fwupd/fwupd · GitHub
2. If you are running 1.9.14 > LVFS > 1.9.13, the update will request to reboot the system, this is not needed, you may also see an error message at the end of the update.

Feedback:

If you want to provide feedback, you can upload your lvfs report after the update and restart. If you want to report any issues on the forum, please include your LVFS version.
fwupdmgr --version

Kernel version.

distribution you are running.

Framework Laptop model you are using.
sudo dmidecode --string system-product-name

We’re recommending Fedora for this one. Fully updated Fedora, tested solid on FW13 and FW16.

Update went just fine. Uploaded the feedback report as well.

I personally don’t use the fingerprint at all, but any security fixes are welcomed.
Thank you.

fwupdmgr update
Devices with no available firmware updates:
 • CT1000P5PSSD8
 • UEFI Device Firmware
 • UEFI Device Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade Fingerprint Sensor from 01000252 to 01000330?                        ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ LVFS release to allow native Linux update from the factory firmware.         ║
║                                                                              ║
║ Fingerprint Sensor and all connected devices may not be usable while         ║
║ updating.                                                                    ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
Waiting…                 [***************************************] Less than one minute remaining…
Successfully installed firmware
Devices with the latest available firmware version:
 • System Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI dbx

System Info:

Operating System: Fedora Linux 39
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.7.9-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 × 12th Gen Intel® Core™ i5-1240P
Memory: 31.1 GiB of RAM
Graphics Processor: Mesa Intel® Graphics
Manufacturer: Framework
Product Name: Laptop (12th Gen Intel Core)
System Version: A4

EDIT: I needed to do two updates to get on the most recent version.

fwupdmgr update
Devices with no available firmware updates:
 • CT1000P5PSSD8
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • System Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Fix physical MITM vulnerability that was found from blackwinghq - a touch    ║
║ of pwn part 1.                                                               ║
║                                                                              ║
║ Fingerprint Sensor and all connected devices may not be usable while         ║
║ updating.                                                                    ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
Waiting…                 [***************************************] Less than one minute remaining…
Successfully installed firmware
 • UEFI dbx

Shouldn’t that have been 01000334?

Trying this here on a 11gen machine (currently on this same 330 firmware), with lvfs-testing enabled, and with fwupdmgr refresh --force run. fwupdmgr update doesn’t show any updates available.

Fedora 39 up to date, BIOS is 3.17.

Edit: fwupdmgr get-updates shows -334 available on the AMD laptop though…

You’re right, Apparently I needed to jump to 01000330 first, just rebooted and checked for updates again, now I have another update, which is 01000334.

OK, after some time the update showed up for the 11 gen machine too:

$ fwupdmgr --version
compile   org.freedesktop.fwupd         1.9.15
compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64

$ sudo dmidecode --string system-product-name
Laptop

Edit: AMD laptop for completeness:

$ sudo dmidecode --string system-product-name
Place your right index finger on the fingerprint reader
Laptop 13 (AMD Ryzen 7040Series)

Update went fine on an my machine (Linux):

CPU: AMD 7840u
OS: Arch Linux
Kernel: 6.7.9-arch1-1.1
EC: 3.03b

And it still seems to reliably match my fingerprint (no need to re-register anything).

Failed on my machine, also Arch Linux, but Intel 12th Gen.

Same error as described for lvfs < 1.9.14, but I’ve got lvfs 1.9.15.

Device did not seem to be visible in authentification screens. I’m investigating how reachable it is.

------------ EDIT: Version infos: ---------------

LVFS Version (note that the kernel version is NOT the one it failed with! I updated and rebooted inbetween…)

compile   com.hughsie.libxmlb           0.3.15
compile   org.freedesktop.Passim        0.1.5
compile   com.hughsie.libjcat           0.2.1
compile   org.freedesktop.fwupd         1.9.15
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.Passim        0.1.5
runtime   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.kernel                    6.7.9-arch1-1
runtime   org.freedesktop.fwupd         1.9.15

Laptop (12th Gen Intel Core)

----------- EDIT 2 -----------

I’m fairly certain that the fail was caused by usbguard. It seems that the device ID changed after the update. Still have not recovered entirely.

----------- EDIT 3 --------------

Fingerprint worked immediately after whitelisting the new usb id, but did not appear in fwupdmgr get devices. However after a reboot it did reappear. Probably could’ve solved that with a restart of the fwpud service, my guess.

--------- EDIT 4 ---------------

So yeah, seems to work for me on arch with intel 12th Gen too, as long as you dont have any interfering systems (which would block this on all OSses).

Other questions.

Since apparently Goodix did not really implement SDBC on Linux, how did they fix that?

Importantly, I could imagine that we would have to re-enroll our fingerprints to be safe from spoofing in the future.

Do you know about these questions?

The finger print reader update ran fine on Linux pop-os 22.04 ( with current updates ) on my DIY US i7-1165G7
I do not use the sensor so I did not test functionality after the update.

spence@pop-os:~$ fwupdmgr --version
compile   org.freedesktop.fwupd         1.9.5
compile   com.hughsie.libxmlb           0.3.10
compile   com.hughsie.libjcat           0.1.9
runtime   org.freedesktop.fwupd-efi     1.0
compile   org.freedesktop.gusb          0.3.10
runtime   com.dell.libsmbios            2.4
runtime   org.freedesktop.gusb          0.3.10
runtime   org.freedesktop.fwupd         1.9.5
runtime   org.kernel                    6.6.10-76060610-generic

spence@pop-os:~$  sudo dmidecode --string system-product-name
Laptop

spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates: 
 • SHGP31-1000GM
 • UEFI Device Firmware
 • UEFI Device Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Fix physical MITM vulnerability that was found from blackwinghq - a touch    ║
║ of pwn part 1.                                                               ║
║                                                                              ║
║ Fingerprint Sensor and all connected devices may not be usable while         ║
║ updating.                                                                    ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Waiting…                 [***************************************] Less than one minute remaining…
Successfully installed firmware
Devices with the latest available firmware version:
 • System Firmware
 • UEFI dbx
spence@pop-os:~$ fwupdmgr update
Devices with no available firmware updates: 
 • SHGP31-1000GM
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • Fingerprint Sensor
 • System Firmware
 • UEFI dbx
spence@pop-os:~$

Good stuff.

Working so far on Arch w/ firmware 3.03b.

Updated on Fedora 39 on Laptop 13 (AMD Ryzen 7040Series)

compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
compile   org.freedesktop.fwupd         1.9.15
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64

This is the report:

fwupdmgr update
Devices with no available firmware updates: 
 • WD BLACK SN770 1TB
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade Fingerprint Sensor from 01000330 to 01000334?                        ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Fix physical MITM vulnerability that was found from blackwinghq - a touch    ║
║ of pwn part 1.                                                               ║
║                                                                              ║
║ Fingerprint Sensor and all connected devices may not be usable while         ║
║ updating.                                                                    ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: 
Downloading…             [   -                                   ]
Restarting device…       [*************************************  ] Less than one minute remaining…
failed to wait for attach replug: device 23ec719b6aabc2d2dac5176c232f0da7a21881b0 did not come back

Although it gave me an error it works fine

May I ask, whether this new firmware will also ship with a new driver for Windows (via Windowsupdate)?
And whether I can or should also test/use it on Debian Bookworm?

This is for LVFS testing, so it would be a different conversation. I assume it will be made available through expected (usual) methods as other drivers are provided by Framework. It’s a Windows thing, so outside of my scope.

You can, however, we test against supported distros only. That said, it’s not going to hurt to try. Follow the directions provided carefully and be mindful of fwupdmgr version as outlined in the guide provided here.

We need specific feedback as outlined:

Something still seems to have gone wrong; I’m trying to update the BIOS to 3.05b via the lfvs-testing channel, but that channel doesn’t seem to update for some reason.

sudo fwupdmgr refresh --force
Updating lvfs-testing
Downloading…             [  -                                    ]
Updating lvfs
Downloading…             [***************************************]
Successfully downloaded new metadata: 0 local devices supported

If I disable lvfs-testing, then lvfs metadate can’t be updated.

Edit: UEFI version shows 771 instead of 3.03 (the uint conversion thing)

Summary:            UEFI System Resource Table device (Updated via caspule-on-disk)
Current version:    771

I’ve successfully updated on a 12th gen Framework 13 from v252 to v334 in one attempt on Fedora 40 with fwupd 1.9.21 . The fingerprint reader works as expected.

Will this reach stable soon? This thread is very old, but it seems the update is still only in lvfs-testing.

$ fwupdmgr enable-remote lvfs-testing
Authenticating…          [ -                                     ]
Do you want to refresh this remote now? (Requires internet connection) [Y|n]: y
Downloading…             [************************************   ]
Successfully enabled and refreshed remote

$ fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade Fingerprint Sensor from 01000248 to 01000334?                        ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Fix physical MITM vulnerability that was found from blackwinghq - a touch    ║
║ of pwn part 1.                                                               ║
║                                                                              ║
║ Fingerprint Sensor and all connected devices may not be usable while         ║
║ updating.                                                                    ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Waiting…                 [***************************************] Less than one minute remaining…
Successfully installed firmware
Devices with the latest available firmware version:
 • System Firmware
Devices with no available firmware updates: 
 • Laptop Webcam Module (2nd Gen)
 • SHGP31-1000GM

The reader works fine.