
System76 Blog — System76 ME Firmware Updates Plan

source link: http://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan


Update: We’ve been getting a lot of great feedback from people on HackerNews and Reddit. Here are answers to a few common questions:

  • The System76 Firmware Update Tool is Open Source and located at https://github.com/system76/firmware-update
  • The GitHub repo includes the architectural and security details
  • Users are prompted to update firmware. A change log is included. Updates are not initiated without user action.

Proprietary code always makes life harder and Intel’s Management Engine (ME) firmware is a particularly challenging chunk of secretive software. Thanks to issues identified by external security researchers, Intel initiated an audit of its ME firmware and discovered multiple critical vulnerabilities as described in SA-00086.

Separately, researchers at Positive Technologies discovered an undocumented High Assurance Platform (HAP) setting in Intel ME firmware. HAP was developed for the NSA for secure computing. Setting the “reserve_hap” bit to 1 disables the ME.

In July of this year we began a project to automatically deliver firmware to System76 laptops, similar to the way software is currently delivered through the operating system. We began testing the system in production on August 4th. It is now very nearly ready for laptop customers. For desktops, System76 will work on automated firmware delivery as part of our internal desktop design and manufacturing project.

All of this has culminated in the System76 plan to address Intel’s November 20th vulnerability announcement and our ability to respond to future firmware update needs.

  • System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.
  • The roll out will occur over time and customers will be notified by email prior to delivery
  • You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops*
  • System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.
  • System76 will not disable the ME on desktops but will provide updated ME firmware
  • Desktop customers will receive instructions for updating the ME via email as they are available

There is a significant amount of testing and validation necessary before delivering the updated firmware and disabled ME. Disabling the ME will reduce future vulnerabilities, and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption (compared with listing affected models alongside links to firmware that most people don’t install).

It is important to note that, while we can currently disable the ME on laptops, Intel may change how the device functions in the future. We implore Intel to retain the ability for device manufacturers and consumers to disable the ME.

* To install the system76-driver (for System76 hardware) on Ubuntu based distributions, run the following commands:

sudo apt-add-repository -y ppa:system76-dev/stable
sudo apt update
sudo apt install -y system76-driver

Our internal plan in detail with a list of affected products

SA-00086 Vulnerability ME Update Project Plan

Laptops

Disable the ME on all affected laptops

  • Test combined ME and firmware delivery in production
  • Add UEFI check to driver before starting the firmware daemon
  • Fix the remaining automated firmware delivery system bug “Firmware, on occasion, doesn’t install on ‘U’ class products”
  • Setup lab with all affected laptops
    • Intel 6th Gen
      • Bonobo (bonw11)
      • Gazelle (gaze10)
      • Gazelle (gaze11)
      • Kudu (kudu2)
      • Kudu (kudu3)
      • Lemur (lemu6)
      • Oryx (orxp1)
      • Oryx (oryp2)
      • Serval (serw9)
    • Intel 7th Gen
      • Bonobo (bonw12)
      • Galago (galp2)
      • Gazelle (gaze12)
      • Kudu (kudu4)
      • Lemur (lemu7)
      • Oryx (oryp3)
      • Serval (serw10)
    • Intel 8th Gen
      • Bonobo (bonw13)
      • Galago (galp3)
      • Lemur (lemu8)
      • Serval (serw11)
  • Procure the latest ME firmware for affected models
  • Set the HAP bit to 1 on all ME firmware for models without Intel BootGuard
  • Create Intel BootGuard firmware with HAP bit set to 1
    • lemu6
    • lemu7
    • lemu8
    • galp2
    • galp3
  • Add firmware with the new ME to the automated firmware delivery system
  • Test delivery of the new ME and firmware to all models
  • Confirm that ME is disabled on each model
  • Draft email correspondence to customers
  • Compile email list of affected lemu8 customers
  • Send email to lemu8 customers
  • Send updated firmware and ME to lemu8 customers using automated delivery
    • Work with the support team to evaluate any failures
  • Based on those results, determine timing and delivery of the remaining firmware and update the project plan
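As an added example for the “Confirm that ME is disabled” step (this is not System76's firmware-update tool or me_cleaner), a read-only Python check that parses an SPI flash image's descriptor, follows FLMAP1 to the PCH straps and reports whether bit 16 of PCHSTRP0 (the HAP bit on 100-series and later PCHs, i.e. ME 11+, which covers the 6th, 7th and 8th Gen laptops listed above) is set. The descriptor offsets are assumed from Intel's flash descriptor layout as used by me_cleaner, and the sample image is constructed, not real firmware.

```python
import struct
import sys

FLVALSIG = 0x0FF0A55A   # flash descriptor signature, stored at offset 0x10 of a full SPI image
HAP_BIT = 1 << 16       # HAP bit: bit 16 of PCH strap 0 (assumed: 100-series+ PCH, ME 11+)


def hap_status(image: bytes) -> dict:
    """Locate PCH strap 0 through the descriptor map and report the HAP bit.

    Read-only: the image is never modified. Raises ValueError if the blob
    does not look like a full flash image with a valid descriptor.
    """
    if len(image) < 0x20:
        raise ValueError("image too short to contain a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no flash descriptor signature at offset 0x10 (dump is not a full image?)")
    (flmap1,) = struct.unpack_from("<I", image, 0x18)
    # FLMAP1 bits 23:16 = Flash PCH Strap Base Address, in 16-byte units
    fpsba = ((flmap1 >> 16) & 0xFF) << 4
    if fpsba + 4 > len(image):
        raise ValueError("PCH strap base 0x%x points outside the image" % fpsba)
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    return {"fpsba": fpsba, "pchstrp0": pchstrp0, "hap_set": bool(pchstrp0 & HAP_BIT)}


def build_sample_image(hap: bool) -> bytes:
    """Constructed minimal image (NOT real firmware): a descriptor header whose
    FLMAP1 places the PCH straps at 0x100, followed by one strap word."""
    img = bytearray(0x200)
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    struct.pack_into("<I", img, 0x18, (0x100 >> 4) << 16)   # FPSBA = 0x100 / 16
    struct.pack_into("<I", img, 0x100, HAP_BIT if hap else 0)
    return bytes(img)


if __name__ == "__main__":
    # Usage: python hap_check.py <full-spi-dump.bin>; with no argument, run on the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(True)
    info = hap_status(data)
    print("PCH straps at 0x%x, PCHSTRP0 = 0x%08x, HAP %s"
          % (info["fpsba"], info["pchstrp0"], "SET (ME disabled)" if info["hap_set"] else "clear"))
```

A full SPI dump (descriptor included) is required; a BIOS-region-only dump fails the signature check by design, and the strap state in the image should still be cross-checked against what the running ME reports after flashing.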

Desktops

Update all affected models with new ME firmware

  • Create the “firmware” github repo structure for storing desktop firmware
  • Procure updated ME for all models
    • Intel 6th Generation
      • Meerkat (meer2)
      • Ratel (ratp5)
      • Sable (sabl6)
      • Wild Dog (wilp12)
    • Intel 7th Generation
      • Leopard (leow8)
      • Meerkat (meer3)
      • Wild Dog (wilp13)
  • If the ME also requires a BIOS update, create customized BIOS for each model.
  • Add firmware to the “firmware” github project https://github.com/system76/firmware-desktop
  • Design desktop Guide page changes to include notification and firmware download
  • Modify guides for affected desktops
  • Draft email correspondence to customers
  • Compile email list for all affected customers
  • Send email notification
