-
Notifications
You must be signed in to change notification settings - Fork 410
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fwupdmgr security
on Lenovo Thinkpad X1 Carbon (Gen 12)
#7180
Comments
Can you try with the 1_9_X branch in fwupd upstream please? I've pushed bae1284 already. |
Yes, that fixes the |
But the bootguard problem remains I guess. |
Yes, but I only tried applying the patch bae1284 on top of 1.9.18. I can try using the 1_9_X branch if you did further changes that could fix the bootguard as well. |
@iyanmv can you attach the output of |
Sure, here it is: sudo fwupdtool get-plugins --plugins pci-mei -vv
|
So all the HFSTSx registers are zero. @mrhpearson do you know if Lenovo might have disabled reading the MEI config registers (PCI_CFG_HFS_x) on newer hardware? The defines I have are:
Also, @iyanmv do you get the same result when disabling secure boot in the firmware setup? |
So here it is after disabling secure boot: fwupdmgr security iyan@bespin
Host Security ID: HSI:1! (v1.9.18)
HSI-1
✔ BIOS firmware updates: Enabled
✔ MEI key manifest: Valid
✔ csme manufacturing mode: Locked
✔ csme override: Locked
✔ csme v0:18.0.5.2098: Valid
✔ Platform debugging: Disabled
✔ SPI write: Disabled
✔ SPI lock: Enabled
✔ SPI BIOS region: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
HSI-2
✔ BIOS rollback protection: Enabled
✔ Intel BootGuard: Enabled
✔ Intel BootGuard OTP fuse: Valid
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ Intel BootGuard ACM protected: Invalid
✘ Intel BootGuard verified boot: Invalid
HSI-3
✔ CET Platform: Supported
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ Intel BootGuard error policy: Invalid
HSI-4
✔ SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✘ CET OS Support: Not supported
✘ UEFI secure boot: Disabled
This system has HSI runtime issues.
» https://fwupd.github.io/hsi.html#hsi-runtime-suffix
Host Security Events
2024-04-29 12:28:05: ✘ Secure Boot disabled
2024-04-25 22:07:12: ✔ Linux swap changed: Disabled → Encrypted
2024-04-24 22:59:56: ✔ Kernel lockdown enabled
2024-04-24 22:53:13: ✔ BIOS rollback protection changed: Disabled → Enabled
2024-04-24 20:55:32: ✔ Secure Boot enabled sudo fwupdtool get-plugins --plugins pci-mei -vv
I think it's the same. |
Created internal ticket LO-3022 to get feedback from the FW team. A note that it's a holiday in Japan and China this week so I won't get answers until at least next week. |
FW team thinks this will be fixed with fb18ce3 |
Nah, that's the cosmetic fix -- the real problem is the register reads are failing. |
Hi @iyanmv - could you do 'sudo lspci -xxx -s 00:16.0' on your system please? I'd like to capture the registers from a ship level support system (all of the ones in our team are pre-ship) Thanks |
|
@mrhpearson (unrelated question but perhaps you can help) Do you know if the Intel Ultra 7 155H supports TME? It's not clear in the specs (they do mention that TME-MK is not supported, but nothing about TME). It would be weird if Intel decided to drop this with previous generations supporting RAM encryption. At least the X1 Carbon Gen 11 had an option in the BIOS (I think disabled by default) to enable the TME, but this option is missing in the X1 Carbon Gen 12. |
Should be there - under Security->Memory protection |
I can't see that option on my system, only the "Execution Prevention" item. |
Interesting... Just to confirm - your system is a regular purchased Lenovo unit? I will need to check with the FW team. |
Yes, that is correct. Bought in Switzerland (not directly from Lenovo, but from Computacenter TS GmbH) but it is registered in Lenovo website. It is the Type 21KD with the Intel 7 155H and the 1080P FHD IR+RGB camera, not the MIPI one. Not sure about the vPro or how to check that. |
Some updates: According to Intel this is a industry wide issue, and is related to the contents of HFSTS6 changing - meaning fwupdmgr cannot determine the bootguard configuration correctly. @hughsie - once I have the details I'll likely reach out offline on how to get this fixed in fwupd. |
Describe the bug
Running
fwupdmgr security
on a Lenovo Thinkpad X1 Carbon (Gen 12) returns the following:MEI version is missing and Intel BootGuard ACM protected and Intel BootGuard verified boot are marked as invalid although should be supported according to the CPU specs.
fwupd version information
Please provide the version of the daemon and client.
Please note how you installed it (
apt
,dnf
,pacman
, source, etc):pacman
**fwupd device information**
Please provide the output of the fwupd devices recognized in your system.
Additional questions
The text was updated successfully, but these errors were encountered: