Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections.
An attacker could take advantage of this to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs.
Framework should release a firmware update ASAP to address this. They are improving their update frequency but lag far behind larger OEMs like Lenovo.
Here are the affected models and recommended fix.
Eclypsium researchers estimate that the problem has impacted roughly 200,000 Framework computers:
Framework 13 (11th Gen Intel), fix planned in 3.24
Framework 13 (12th Gen Intel), fixed in 3.18, DBX update planned in 3.19
Framework 13 (13th Gen Intel), fixed in 3.08, DBX update issued in 3.09
Framework 13 (Intel Core Ultra), fixed in 3.06
Framework 13 (AMD Ryzen 7040), fixed in 3.16
Framework 13 (AMD Ryzen AI 300), fixed in 3.04, DBX update planned in 3.05
Framework 16 (AMD Ryzen 7040), fixed in 3.06 (Beta), DBX update issued in 3.07
Framework Desktop (AMD Ryzen AI 300 MAX), fixed in 3.01, DBX update planned in 3.03
Impacted users are recommended to apply the available security updates. Where a patch isn’t available yet, secondary protection measures like physical access prevention are crucial. Another temporary mitigation is to delete Framework’s DB key via the BIOS.
Note that they received the disclosure before the report was released. Hence why most of the fixes are implemented but not all of them. For example, the planned DBX updates.
We’re heading into off-topic territory here. Let’s keep discussion based on the article and their firmware updates please.
The presence of the risky mm command is not the result of a compromise but appears more of an oversight. After learning of the issue, Framework started to work on remediating the vulnerabilities.
I officially regret my purchase. The first strike was their slow implementation of firmware updates. I would never get a Fairphone for the same reason. Both companies know about hardware, but place a lower priority on software security.
Although Secure Boot on Linux is worse than the implementation you would see in Windows and macOS devices, it is better than nothing (as Jonah said in his original Techlore post). I would rather have limited protection from evil maids and rootkits than none at all.
There are also some OEMs trying to address these limitations. For example, Novacustom sells a Qubes OS laptop with HEADS firmware, which significantly improves protection against evil maid attacks. You would need to plug in a USB stick every time you boot though. As for timely updates, I’m not sure if Novacustom (or frankly any Clevo reseller) is better or worse than Framework.
Ironically, Lenovo does an amazing job of supporting their laptops for years after production discontinues. It must be nice being a large corporation with a business segment haha