Security features of Protectli V1000 series #1119

Open
0x192 opened this issue Nov 3, 2024 · 3 comments


0x192 commented Nov 3, 2024

Dasharo version: v0.9.3

Here is the current HSI level of the Protectli V1210. I know it cannot be higher than HSI-0 because of the lack of TPM 2.0.

```
router:~# fwupdmgr security
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Host Security ID: HSI:0! (v2.0.1)

HSI-1
✔ csme override:                 Locked
✔ csme v0:13.50.27.1987:         Valid
✔ Platform debugging:            Not supported
✔ SPI lock:                      Enabled
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✘ BIOS firmware updates:         Disabled
✘ csme manufacturing mode:       Unlocked
✘ SPI write:                     Enabled
✘ SPI BIOS region:               Unlocked
✘ TPM v2.0:                      Not found
```

However, can we expect the following features in future Dasharo updates?

I know this device will never pass csme manufacturing mode as Intel (CS)ME has been disabled, so that's that.

Thank you for your work!
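
An added example, not part of the original post and not fwupd code: a small Python parser for the `fwupdmgr security` text output quoted in the comment above, which lists the failed attributes under each section. The function names are hypothetical, and the sample is the output from the issue with the "See ..." line left out.

```python
import re

# Output copied from the issue above (Protectli V1210, Dasharo v0.9.3).
SAMPLE = """\
WARNING: UEFI capsule updates not available or enabled in firmware setup
Host Security ID: HSI:0! (v2.0.1)

HSI-1
✔ csme override:                 Locked
✔ csme v0:13.50.27.1987:         Valid
✔ Platform debugging:            Not supported
✔ SPI lock:                      Enabled
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✘ BIOS firmware updates:         Disabled
✘ csme manufacturing mode:       Unlocked
✘ SPI write:                     Enabled
✘ SPI BIOS region:               Unlocked
✘ TPM v2.0:                      Not found
"""

HSI_ID = re.compile(r"^Host Security ID:\s+(\S+)")
# Split on the colon that is followed by padding, so a name that itself
# contains a colon ("csme v0:13.50.27.1987") stays in one piece.
CHECK = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")

def parse_hsi(text):
    """Return (host_security_id, [(section, name, result, passed), ...])."""
    hsi_id, section, checks = None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := HSI_ID.match(line):
            hsi_id = m.group(1)
        elif m := CHECK.match(line):
            mark, name, result = m.groups()
            checks.append((section, name, result.strip(), mark == "✔"))
        else:
            section = line  # heading such as "HSI-1"; other text is overwritten
    return hsi_id, checks

def failed_checks(text):
    """(section, name, result) for every attribute marked as failed."""
    return [(sec, name, res) for sec, name, res, ok in parse_hsi(text)[1] if not ok]

if __name__ == "__main__":
    for sec, name, res in failed_checks(SAMPLE):
        print(f"[{sec}] {name} = {res}")
```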

Contributor

miczyg1 commented Nov 4, 2024

V1000 series should have the ME enabled due to lack of dTPM, so that fTPM can work (for Windows to be happy during installation). If you have a disabled ME then something is wrong with the firmware you are running or the ME itself.

The currently enabled featureset in Dasharo for V1000 is chosen by Protectli.

Author

0x192 commented Nov 6, 2024

> If you have a disabled ME then something is wrong with the firmware you are running or the ME itself.

Mhm, my bad. Why did I say that? CSME is definitively not disabled on my machine.

The good news is that if CSME is in manufacturing mode that means you could potentially add your own keys and implement Intel Boot Guard (like for Novacustom devices) if negotiated by Protectli. Right?

Coreboot + Intel Boot Guard would be incredible!

> The currently enabled featureset in Dasharo for V1000 is chosen by Protectli.

Understandable. I sent an email to the Protectli team to have an answer.

Contributor

miczyg1 commented Nov 7, 2024

> The good news is that if CSME is in manufacturing mode that means you could potentially add your own keys and implement Intel Boot Guard (like for Novacustom devices) if negotiated by Protectli. Right?

Theoretically yes.
