Open miczyg1 opened 1 year ago
TME is not available on the SKUs offered by Novacustom, so HSI-4 will not be possible with current hardware.
> TME is not available on the SKUs offered by Novacustom, so HSI-4 will not be possible with current hardware.
We should check if upcoming models would be able to support this. Maybe @pietrushnic can check and let me know.
HSI-1/HSI-2/HSI-3 should be possible and we should probably focus on that for the next release after the hotfix release of this month.
MK-TME is branded as part of vPro Enterprise and may not be available on lower-tier SKUs. We'll know which SKUs have which features in 2 days once MTL officially launches.
@miczyg1 I guess we can achieve HSI-2 easily, just:
✘ CSME manufacturing mode: Unlocked
What are the consequences of locking CSME?
✘ TPM PCR0 reconstruction: Invalid
I guess this one requires fixes in the TPM event log according to this. TPM event logs may be hard because of crossing the boundary between coreboot and UEFI payload. Solving those issues, IMHO should be part of DSP and could be scheduled for the next release - I'm not sure when it can happen, but we should build a roadmap for it. @macpijan @BeataZdunczyk cc
HSI-3 is Intel Boot Guard, and we plan to introduce that to NovaCustom, which is currently forming, so we are on track with that.
HSI-4 is not possible right now as the CPU lacks the TME feature, but we need to work on having the highest fwupd security level on upcoming models.
HSI-5? Support for TrenchBoot. The vision of that HSI level was presented during TrenchBoot Summit 2021
> What are the consequences of locking CSME?
Not being able to enable HAP anymore (because all we need is to lock descriptor, not CSME). And to pass the CSME tests, one has to keep CSME enabled, otherwise the assessment of CSME status will fail (due to not being able to read CSME registers).
> HSI-4 is not possible right now as the CPU lacks the TME feature, but we need to work on having the highest fwupd security level on upcoming models.
The selected MTL SKUs will not have TME. Intel reserves the TME feature only to vPro capable SKUs for MTL. Probably the same goes for ADL. So HSI-3 is max due to HW limitations. Fortunately all new laptops will have TXT capability.
> We'll know which SKUs have which features in 2 days once MTL officially launches.
Please... We don't have CNDA documentation access for nothing. A little bit of searching and one can find relevant information.
> Please... We don't have CNDA documentation access for nothing. A little bit of searching and one can find relevant information.
I did, and I did not find the exact CPU feature matrix for each SKU. Please point me to the right doc when you find it.
> Not being able to enable HAP anymore (because all we need is to lock descriptor, not CSME). And to pass the CSME tests, one has to keep CSME enabled, otherwise the assessment of CSME status will fail (due to not being able to read CSME registers).
@wessel-novacustom this is an important note for those who want to buy HSI-compatible hardware.
This issue will be very important to us in 2024.
@pietrushnic Intel ME HAP disabling is a very important feature for a lot of our customers.
But we still want to become a HSI-compatible laptop vendor.
The end user should have the choice.
Which device was this HSI test run on? @miczyg1
It was NV4x 12th Gen from Novacustom with our custom firmware which enables BootGuard (for internal use in the company).
Does anyone know the HSI level of the current implementation of dasharo on the MSI Z790-P?
It is HSI-1 max. Z790 are shipped as fused and BootGuard is not possible on these platforms.
With a compatible CPU it's possible to get vPro Enterprise and TME support, so in theory HSI-4 with the MSI motherboard should be possible, but I was wondering if anyone had a current HSI rating for it with dasharo.
Yes, TME is possible with proper CPU, but see above about BootGuard.
According to this, the CPUs used in the latest NovaCustom laptops (V54 and V56) should support memory encryption (not multi-key) and therefore reach HSI:4.
> According to this, the CPUs used in the latest NovaCustom laptops (V54 and V56) should support memory encryption (not multi-key) and therefore reach HSI:4.
That's great! We will discuss and plan this.
Relevant: https://github.com/fwupd/fwupd/issues/7180 (Scroll down)
The problem you're addressing (if any)
Not all checks pass in the `fwupdmgr security`:
Describe the solution you'd like
Fix the issues to reach HSI-4:
- ✘ CSME manufacturing mode: Unlocked - requires a locked flash descriptor to pass (will render ME Disabled HAP option unusable, besides HSI requires ME to be available to query the fuses and Boot Guard state)
- ✘ TPM PCR0 reconstruction: Invalid - will be fixed by solving https://github.com/Dasharo/dasharo-issues/issues/455
- ✘ Encrypted RAM: Not supported - for some reason TME seems not to be active when Boot Guard is enabled. Needs further investigation. https://github.com/Dasharo/dasharo-issues/issues/464 TME not supported by the CPUs
Where is the value to a user, and who might that user be?
First professionally secured laptop with open-source firmware reaching HSI-4
Describe alternatives you've considered
No response
Additional context
No response
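The thread keeps asking the same two questions about a `fwupdmgr security` report: which level the platform actually reaches, and which failing checks are firmware work versus a silicon limit (TME). The script below is an added example, not Dasharo's or fwupd's code; it assumes the `--json` output shape noted in the comments and uses constructed sample results that mirror the failures listed in this issue.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape `fwupdmgr security --json` emits (assumed here:
# a "SecurityAttributes" list whose entries carry AppstreamId, HsiLevel and a
# Flags list holding "success" when the check passed). The results mirror the
# failures discussed in this thread; nothing was captured from a real machine.
SAMPLE_JSON = """{"SecurityAttributes": [
 {"AppstreamId": "org.fwupd.hsi.Spi.Bioswe", "HsiLevel": 1, "Flags": ["success"]},
 {"AppstreamId": "org.fwupd.hsi.Mei.ManufacturingMode", "HsiLevel": 1, "Flags": []},
 {"AppstreamId": "org.fwupd.hsi.Tpm.ReconstructionPcr0", "HsiLevel": 2, "Flags": []},
 {"AppstreamId": "org.fwupd.hsi.IntelBootguard.Enabled", "HsiLevel": 2, "Flags": ["success"]},
 {"AppstreamId": "org.fwupd.hsi.IntelBootguard.Otp", "HsiLevel": 3, "Flags": ["success"]},
 {"AppstreamId": "org.fwupd.hsi.EncryptedRam", "HsiLevel": 4, "Flags": []},
 {"AppstreamId": "org.fwupd.hsi.Fwupd.Plugins", "HsiLevel": 0, "Flags": ["success", "runtime-issue"]}
]}"""
# Checks this thread identifies as blocked by the silicon (no TME on these SKUs).
HW_LIMITED = frozenset({"org.fwupd.hsi.EncryptedRam"})

@dataclass
class Attr:
    appstream_id: str
    hsi_level: int
    passed: bool
    runtime: bool  # runtime checks add fwupd's "!" suffix but never gate the level

def parse_security_json(text):
    attrs = []
    for a in json.loads(text)["SecurityAttributes"]:
        flags = a.get("Flags", [])
        attrs.append(Attr(a["AppstreamId"], int(a.get("HsiLevel", 0)),
                          "success" in flags, "runtime-issue" in flags))
    return attrs

def hsi_level(attrs):
    """Highest N in 0..4 such that every non-runtime check at levels 1..N passed."""
    level = 0
    for n in range(1, 5):
        if not all(a.passed for a in attrs if a.hsi_level == n and not a.runtime):
            break
        level = n
    return level

def blockers(attrs, target, hw_limited=HW_LIMITED):
    """Checks failing at or below `target`, split into firmware-fixable ones and
    ones the hardware rules out, in the order fwupd listed them."""
    failing = [a.appstream_id for a in attrs
               if not a.passed and not a.runtime and 0 < a.hsi_level <= target]
    return ([i for i in failing if i not in hw_limited],
            [i for i in failing if i in hw_limited])
```

On the sample the platform sits at HSI:0 because the manufacturing-mode check gates level 1; clearing the two firmware-fixable blockers lifts it to HSI:3, and only the TME check stands between it and HSI:4.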