Dasharo Enterprise roadmap for reaching fwupd HSI-4 security level #463
Comments
TME is not available on the SKUs offered by Novacustom, so HSI-4 will not be possible with current hardware.
We should check if upcoming models would be able to support this. Maybe @pietrushnic can check and let me know. HSI-1/HSI-2/HSI-3 should be possible and we should probably focus on that for the next release after this month's hotfix release.
MK-TME is branded as part of vPro Enterprise and may not be available on lower-tier SKUs. We'll know which SKUs have which features in 2 days once MTL officially launches.
@miczyg1 I guess we can achieve HSI-2 easily, just:
What are the consequences of locking CSME?
I guess this one requires fixes in the TPM event log according to this. TPM event logs may be hard because of crossing the boundary between coreboot and the UEFI payload. Solving those issues, IMHO, should be part of DSP and could be scheduled for the next release - I'm not sure when it can happen, but we should build a roadmap for it. cc @macpijan @BeataZdunczyk

HSI-3 is Intel Boot Guard, and we plan to introduce that to NovaCustom, which is currently forming, so we are on track with that.

HSI-4 is not possible right now as the CPU lacks the TME feature, but we need to work on having the highest fwupd security level on upcoming models.

HSI-5? Support for TrenchBoot. The vision of that HSI level was presented during TrenchBoot Summit 2021.
Not being able to enable HAP anymore (because all we need is to lock descriptor, not CSME). And to pass the CSME tests, one has to keep CSME enabled, otherwise the assessment of CSME status will fail (due to not being able to read CSME registers).
The selected MTL SKUs will not have TME. Intel reserves the TME feature only to vPro capable SKUs for MTL. Probably the same goes for ADL. So HSI-3 is max due to HW limitations. Fortunately all new laptops will have TXT capability.
Please... We don't have CNDA documentation access for nothing. A little bit of searching and one can find relevant information.
I did, and I did not find the exact CPU feature matrix for each SKU. Please point me to the right doc when you find it.
@wessel-novacustom, this is an important note for those who want to buy HSI-compatible hardware. This issue will be very important to us in 2024.
@pietrushnic Intel ME HAP disabling is a very important feature for a lot of our customers. But we still want to become an HSI-compatible laptop vendor. The end user should have the choice.
It was NV4x 12th Gen from Novacustom with our custom firmware which enables BootGuard (for internal use in the company).
It is HSI-1 max. Z790 are shipped as fused and BootGuard is not possible on these platforms.
Yes, TME is possible with a proper CPU, but see above about BootGuard.
According to this, the CPUs used in the latest NovaCustom laptops (V54 and V56) should support memory encryption (not multi-key) and therefore reach HSI-4.
That's great! We will discuss and plan this.
Relevant: fwupd/fwupd#7180 (scroll down)
The problem you're addressing (if any)
Not all checks pass in fwupdmgr security:

Describe the solution you'd like
Fix the issues to reach HSI-4:
- ✘ CSME manufacturing mode: Unlocked - requires a locked flash descriptor to pass (will render the ME Disabled HAP option unusable; besides, HSI requires ME to be available to query the fuses and Boot Guard state)
- ✘ TPM PCR0 reconstruction: Invalid - will be fixed by solving #455
- ✘ Encrypted RAM: Not supported - for some reason TME seems not to be active when Boot Guard is enabled. Needs further investigation. #464 TME not supported by the CPUs

Where is the value to a user, and who might that user be?
First professionally secured laptop with open-source firmware reaching HSI-4

Describe alternatives you've considered
No response

Additional context
No response
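The issue body above lists three failing attributes at three different HSI levels, and the thread keeps returning to one question for the "Encrypted RAM" failure: is it a CPU that has no TME at all (a SKU problem, #464) or a CPU that advertises TME which firmware has not activated? The script below is an added example, not code from Dasharo, NovaCustom or the fwupd project. It assumes that `fwupdmgr security --json` emits a `HostSecurityAttributes` list whose entries carry `AppstreamId`, `HsiLevel`, `HsiResult` and `Flags` keys (adjust the parser if your fwupd version differs); the sample report and the `/proc/cpuinfo` fragments are constructed here to mirror the failures in this issue. The level rule it applies (HSI-n is reached only when every attribute of levels 1..n passes, level-0 attributes being runtime-only) is my reading of fwupd's documentation, and the `tme` cpuinfo flag corresponds to CPUID.(EAX=7,ECX=0):ECX bit 13.

```python
"""Triage a fwupd HSI report: which attributes block which level, and whether
an 'Encrypted RAM' failure is a CPU limitation or a firmware/activation problem.
Added example; not part of Dasharo, NovaCustom or fwupd."""
import json

# Constructed sample shaped like `fwupdmgr security --json` output. The key
# names (HostSecurityAttributes / AppstreamId / HsiLevel / HsiResult / Flags)
# are an assumption about fwupd's JSON export; the three failing entries mirror
# the ones reported in this issue.
SAMPLE_REPORT = json.dumps({"HostSecurityAttributes": [
    {"AppstreamId": "org.fwupd.hsi.Tpm.Version20", "HsiLevel": 1,
     "HsiResult": "found", "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.Spi.Bioswe", "HsiLevel": 1,
     "HsiResult": "not-enabled", "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.Mei.ManufacturingMode", "HsiLevel": 1,
     "HsiResult": "not-locked", "Flags": []},
    {"AppstreamId": "org.fwupd.hsi.IntelBootguard.Enabled", "HsiLevel": 2,
     "HsiResult": "enabled", "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.Tpm.ReconstructionPcr0", "HsiLevel": 2,
     "HsiResult": "not-valid", "Flags": []},
    {"AppstreamId": "org.fwupd.hsi.IntelBootguard.Verified", "HsiLevel": 3,
     "HsiResult": "valid", "Flags": ["success"]},
    {"AppstreamId": "org.fwupd.hsi.EncryptedRam", "HsiLevel": 4,
     "HsiResult": "not-supported", "Flags": []},
    {"AppstreamId": "org.fwupd.hsi.Kernel.Tainted", "HsiLevel": 0,
     "HsiResult": "not-tainted", "Flags": ["success", "runtime-issue"]},
]})

# Constructed /proc/cpuinfo fragments. Linux exposes CPUID.(EAX=7,ECX=0):ECX[13]
# (Total Memory Encryption) as the "tme" flag.
CPUINFO_NO_TME = "processor\t: 0\nflags\t\t: fpu vme sse2 aes avx2 sha_ni\n"
CPUINFO_TME = "processor\t: 0\nflags\t\t: fpu vme sse2 aes avx2 tme sha_ni\n"


def parse_attrs(report_json):
    """Return the list of HSI attribute dicts from a fwupdmgr JSON report."""
    return json.loads(report_json)["HostSecurityAttributes"]


def passed(attr):
    """fwupd marks a passing attribute with the 'success' flag."""
    return "success" in attr.get("Flags", [])


def achieved_level(attrs):
    """HSI-n is reached only when every attribute of levels 1..n passes.
    Level-0 attributes are runtime/informational and do not gate the level."""
    gated = [a for a in attrs if a["HsiLevel"] > 0]
    top = max((a["HsiLevel"] for a in gated), default=0)
    achieved = 0
    for lvl in range(1, top + 1):
        if not all(passed(a) for a in gated if a["HsiLevel"] == lvl):
            break
        achieved = lvl
    return achieved


def blockers(attrs, target):
    """Failing attributes between the current state and HSI-<target>,
    ordered by level so the lowest level is fixed first."""
    failing = [a for a in attrs if 0 < a["HsiLevel"] <= target and not passed(a)]
    return [(a["HsiLevel"], a["AppstreamId"], a["HsiResult"])
            for a in sorted(failing, key=lambda a: a["HsiLevel"])]


def cpu_has_tme(cpuinfo_text):
    """True if any 'flags' line in /proc/cpuinfo lists the tme feature."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "tme" in value.split():
            return True
    return False


def classify_encrypted_ram(attrs, cpuinfo_text):
    """Split an 'Encrypted RAM' failure into the two cases discussed in the issue:
    the CPU lacks TME (a SKU choice firmware cannot fix) versus the CPU advertises
    TME but firmware has not activated it (a firmware problem to investigate)."""
    ram = next((a for a in attrs if a["AppstreamId"] == "org.fwupd.hsi.EncryptedRam"), None)
    if ram is None:
        return "not-reported"
    if passed(ram):
        return "ok"
    if not cpu_has_tme(cpuinfo_text):
        return "hardware: CPU does not advertise TME (CPUID leaf 7 ECX bit 13 clear)"
    return "firmware: CPU advertises TME but it is not active; check TME activation in firmware"


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_REPORT)
    print("achieved: HSI-%d" % achieved_level(attrs))
    for lvl, aid, result in blockers(attrs, 4):
        print("  HSI-%d blocked by %s (%s)" % (lvl, aid, result))
    print(classify_encrypted_ram(attrs, CPUINFO_NO_TME))
```

On the constructed sample the achieved level is HSI-0, because the manufacturing-mode attribute fails at level 1; the blocker list then reproduces the order in which the issue body proposes to work (descriptor lock, then PCR0 reconstruction, then encrypted RAM). On a real machine, replace `SAMPLE_REPORT` with the captured `fwupdmgr security --json` output and `CPUINFO_NO_TME` with the contents of `/proc/cpuinfo`.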