System76 ME Firmware Updates Plan
Update: We've been getting quite a few high-quality questions from folks on HackerNews and Reddit. Here are answers to some common questions:
- The System76 Firmware Update Tool is open source and located at https://github.com/system76/firmware-update
- The GitHub repo contains the architectural and security details
- Users are prompted to update firmware. A change log is included. Updates are not initiated without user action.
Proprietary code always makes life harder, and Intel's Management Engine (ME) firmware is a particularly interesting piece of secretive software. Due to issues identified by external security researchers, Intel initiated an audit of its ME firmware and found a number of serious vulnerabilities, as described in SA-00086.
Separately, researchers at Positive Technologies found an undocumented High Assurance Platform (HAP) setting in Intel ME firmware. HAP was developed for the NSA for secure computing. Setting the "reserve_hap" bit to 1 disables the ME.
In July of this year we began a project to automatically deliver firmware to System76 laptops in the same way that software is currently delivered through the operating system. We began testing the system in production on August 4th. Now it is very close to ready for laptop customers. For desktops, System76 will work on automated firmware delivery as part of our in-house desktop design and manufacturing project.
All of this has culminated in the System76 plan to address Intel's November 20th vulnerability announcement and our ability to respond to future firmware update needs.
- System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.
- The roll out will occur over time and customers will be notified by email prior to delivery
- You must be running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops*
- System76 will look into producing a distro-agnostic command line firmware install tool. Follow us on your favorite social network for updates.
- System76 will not disable the ME on desktops but will provide updated ME firmware
- Desktop customers will receive instructions for updating the ME by email as they are available
There is a considerable amount of testing and validation required before delivering the updated firmware and disabled ME. Disabling the ME will reduce future vulnerabilities, and using our existing firmware delivery infrastructure means future updates can roll out extremely quickly and with a higher percentage of adoption (as opposed to listing affected models with links to firmware that most people never install).
It is important to note that, while we can currently disable the ME on laptops, Intel may change how the system works in the future. We implore Intel to retain the ability for system manufacturers and customers to disable the ME.
* To install the system76-driver (for System76 hardware) on Ubuntu based distributions, run the following commands:
sudo apt-add-repository -y ppa:system76-dev/stable
sudo apt update
sudo apt install -y system76-driver
Our internal plan in detail, with a list of affected products
SA-00086 Vulnerability ME Update Project Plan
Laptops
Disable the ME on all affected laptops
- Test combined ME and firmware delivery in production
- Add a UEFI check to the driver before starting the firmware daemon
- Fix the remaining automated firmware delivery system bug: "Firmware, sometimes, doesn't install on 'U' class products"
- Set up a lab with all affected laptops
  - Intel 6th Gen
    - Bonobo (bonw11)
    - Gazelle (gaze10)
    - Gazelle (gaze11)
    - Kudu (kudu2)
    - Kudu (kudu3)
    - Lemur (lemu6)
    - Oryx (orxp1)
    - Oryx (oryp2)
    - Serval (serw9)
  - Intel 7th Gen
    - Bonobo (bonw12)
    - Galago (galp2)
    - Gazelle (gaze12)
    - Kudu (kudu4)
    - Lemur (lemu7)
    - Oryx (oryp3)
    - Serval (serw10)
  - Intel 8th Gen
    - Bonobo (bonw13)
    - Galago (galp3)
    - Lemur (lemu8)
    - Serval (serw11)
- Acquire the latest MEs for affected models
- Set the HAP bit to 1 on all MEs without Intel BootGuard
- Create Intel BootGuard firmware with the HAP bit set to 1
  - lemu6
  - lemu7
  - lemu8
  - galp2
  - galp3
- Add firmware with the new ME to the automated firmware delivery system
- Test delivery of the new ME and firmware to all models
- Verify that the ME is disabled on each model
- Draft email correspondence to customers
- Collect the email list of affected lemu8 customers
- Send email to lemu8 customers
- Deliver updated firmware and ME to lemu8 customers using automated delivery
- Work with the support team to look into any failures
- Based on these results, determine timing and delivery of the remaining firmware and update the project plan
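A post-update check for the "Verify that the ME is disabled on each model" step, written as an added example and not System76's own tooling: it reads the HFSTS1 firmware status word that the Linux mei driver exposes under sysfs and decodes the operation mode field, which the HAP bit leaves in the "soft temporary disable" state. The sysfs path and the bit layout (taken from coreboot's ME headers) are assumptions, and the sample register value is constructed.

```python
from pathlib import Path

# sysfs file exposed by the Linux mei driver: one 8-digit hex word per line, FWSTS1 first
# (assumption: a kernel with the mei driver loaded; path may differ on other systems)
FW_STATUS_PATH = Path("/sys/class/mei/mei0/fw_status")

# Operation-mode codes in HFSTS1 bits 16-19, named as in coreboot's ME headers (assumption)
OPERATION_MODES = {
    0: "Normal",
    2: "Debug",
    3: "Soft temporary disable (the state the HAP bit produces)",
    4: "Security override via jumper",
    5: "Security override via MEI message",
}


def parse_hfsts1(value: int) -> dict:
    """Decode the HFSTS1 fields a post-update check cares about from the raw 32-bit word."""
    return {
        "working_state": value & 0xF,            # bits 0-3
        "mfg_mode": (value >> 4) & 0x1,          # bit 4
        "fw_init_complete": (value >> 9) & 0x1,  # bit 9
        "error_code": (value >> 12) & 0xF,       # bits 12-15
        "operation_mode": (value >> 16) & 0xF,   # bits 16-19
    }


def read_hfsts1(fw_status_text: str) -> int:
    """HFSTS1 is the first line of fw_status; remaining lines are the other FWSTS registers."""
    words = fw_status_text.split()
    if not words:
        raise ValueError("fw_status is empty")
    return int(words[0], 16)


def me_disabled_by_hap(hfsts1: int) -> bool:
    """True when the ME reports operation mode 3, the state the HAP bit leaves it in."""
    return parse_hfsts1(hfsts1)["operation_mode"] == 3


def describe(hfsts1: int) -> str:
    """Human-readable summary for a support ticket or lab log."""
    f = parse_hfsts1(hfsts1)
    mode = OPERATION_MODES.get(f["operation_mode"], f"unknown ({f['operation_mode']})")
    return (f"HFSTS1=0x{hfsts1:08X} working_state={f['working_state']} "
            f"error_code={f['error_code']} operation_mode={mode} "
            f"ME disabled via HAP: {me_disabled_by_hap(hfsts1)}")


if __name__ == "__main__":
    # Constructed sample (not captured from real hardware): operation mode 3, working state 1
    sample = FW_STATUS_PATH.read_text() if FW_STATUS_PATH.exists() else "00030001\n00000000\n"
    print(describe(read_hfsts1(sample)))
```

Run it on the updated machine and on a control machine with the stock ME to confirm the two report different operation modes before rolling out further.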
Desktops
Update all affected models with new ME firmware
- Create the "firmware" GitHub repo structure for storing desktop firmware
- Acquire updated ME for all models
  - Intel 6th Generation
    - Meerkat (meer2)
    - Ratel (ratp5)
    - Sable (sabl6)
    - Wild Dog (wilp12)
  - Intel 7th Generation
    - Leopard (leow8)
    - Meerkat (meer3)
    - Wild Dog (wilp13)
- If the ME also requires a BIOS update, create a custom BIOS for each model
- Add firmware to the "firmware" GitHub project https://github.com/system76/firmware-desktop
- Make desktop Support page changes to include notification and firmware download
- Modify guides for affected desktops
- Draft email correspondence to customers
- Collect the email list for all affected customers
- Send email notification