Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Security features of Protectli V1000 series #1119

Open 0x192 opened 2 weeks ago

0x192 commented 2 weeks ago

Dasharo version: v0.9.3

Here is the current HSI level of the Protectli V1210. I know it cannot be higher than HSI-0 because of the lack of TPM 2.0.

 router:~# fwupdmgr security
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Host Security ID: HSI:0! (v2.0.1)

HSI-1
✔ csme override:                 Locked
✔ csme v0:13.50.27.1987:         Valid
✔ Platform debugging:            Not supported
✔ SPI lock:                      Enabled
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✘ BIOS firmware updates:         Disabled
✘ csme manufacturing mode:       Unlocked
✘ SPI write:                     Enabled
✘ SPI BIOS region:               Unlocked
✘ TPM v2.0:                      Not found

However, can we expect the following features in future Dasharo updates?

I know this device will never pass csme manufacturing mode as Intel (CS)ME has been disabled, so that's that.

Thank you for your work!

miczyg1 commented 2 weeks ago

V1000 series should have the ME enabled due to lack of dTPM, so that fTPM can work (for Windows to be happy during installation). If you have a disabled ME then something is wrong with the firmware you are running or the ME itself.

The currently enabled featureset in Dasharo for V1000 is chosen by Protectli.

0x192 commented 2 weeks ago

> If you have a disabled ME then something is wrong with the firmware you are running or the ME itself.

Mhm my bad. Why did I say that? CSME is definitively not disabled on my machine.

The good news is that if CSME is in manufacturing mode that means you could potentially add your own keys and implement Intel Boot Guard (like for NovaCustom devices) if negotiated by Protectli. Right?

Coreboot + Intel Boot Guard would be incredible!

> The currently enabled featureset in Dasharo for V1000 is chosen by Protectli.

Understandable. I sent an email to the Protectli team to have an answer.

miczyg1 commented 2 weeks ago

> The good news is that if CSME is in manufacturing mode that means you could potentially add your own keys and implement Intel Boot Guard (like for NovaCustom devices) if negotiated by Protectli. Right?

Theoretically yes.
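
An added example, not part of the thread or of the Dasharo or fwupd projects: a parser for the text layout of the `fwupdmgr security` report in the opening post, so the failing HSI-1 attributes can be listed and two reports (for instance before and after a firmware update) compared. The function names and the `REPORT` sample are assumptions made for illustration.

```python
import re

# Constructed input: a subset of the report quoted in the opening post.
REPORT = """\
Host Security ID: HSI:0! (v2.0.1)
HSI-1
✔ csme v0:13.50.27.1987:         Valid
✔ SPI lock:                      Enabled
✔ UEFI platform key:             Valid
✘ BIOS firmware updates:         Disabled
✘ csme manufacturing mode:       Unlocked
✘ SPI write:                     Enabled
✘ SPI BIOS region:               Unlocked
✘ TPM v2.0:                      Not found
"""

HOST_ID = re.compile(r"^Host Security ID:\s+(\S+)")
LEVEL = re.compile(r"^HSI-\d+$")
# Names may contain ':' ("csme v0:13.50.27.1987"), so the greedy name group
# ends at the last colon that is followed by whitespace.
ATTR = re.compile(r"^([✔✘])\s+(.+):\s+(\S.*)$")

def parse_report(text):
    """Return (host_id, {level: {attribute: (passed, result)}})."""
    host_id, level, levels = None, None, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := HOST_ID.match(line):
            host_id = m.group(1)
        elif m := ATTR.match(line):
            if level:  # skip attributes outside an HSI-N section
                passed = m.group(1) == "✔"
                levels.setdefault(level, {})[m.group(2)] = (passed, m.group(3))
        else:  # section heading or unrelated text (warnings, URLs)
            level = line if LEVEL.match(line) else None
    return host_id, levels

def failing(levels, level):
    """Attributes of one HSI level that did not pass, with their result."""
    return {n: res for n, (ok, res) in levels.get(level, {}).items() if not ok}

def regressions(old, new):
    """(level, attribute) pairs that passed in `old` but fail in `new`."""
    return sorted(
        (lvl, name)
        for lvl, attrs in new.items()
        for name, (ok, _) in attrs.items()
        if not ok and old.get(lvl, {}).get(name, (False, ""))[0]
    )
```

Calling `failing(parse_report(REPORT)[1], "HSI-1")` returns the five attributes marked ✘ in the sample together with their reported state.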