Update: We’ve been getting a lot of great feedback from people on HackerNews and Reddit. Here are answers to a few common questions:

- The System76 Firmware Update Tool is open source and located at https://github.com/system76/firmware-update
- The GitHub repo includes the architectural and security details.
- Users are prompted to update firmware. A change log is included. Updates are not initiated without user action.

Proprietary code always makes life harder and Intel’s Management Engine (ME) firmware is a particularly challenging chunk of secretive software. Thanks to issues identified by external security researchers, Intel initiated an audit of its ME firmware and discovered multiple critical vulnerabilities as described in SA-00086.

Separately, researchers at Positive Technologies discovered an undocumented High Assurance Platform (HAP) setting in Intel ME firmware. HAP is a program the NSA developed for secure computing platforms. Setting the “reserve_hap” bit to 1 causes the ME to halt shortly after its initial boot stage, so its runtime services never start; the ME firmware itself is not removed, but the device is effectively disabled.
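As an added illustration (this is example code, not System76’s firmware-update tool or any vendor code), the Python below shows what “setting the reserve_hap bit” means at the byte level: the bit lives in the PCH soft straps of the SPI flash descriptor, not inside the ME firmware region. The descriptor layout assumed here (signature 0x0FF0A55A at descriptor offset 0x10, FLMAP1 at offset 0x18 with the PCH strap base in bits 23:16 in 16-byte units, HAP at PCHSTRP0 bit 16 for the ME 11.x generation found on 6th to 8th Gen platforms) follows the public layout used by tools such as me_cleaner; the 8 KiB image it operates on is constructed inside the example, and the field offsets should be checked against your platform’s documentation before touching a real dump.

```python
import struct

# Layout assumptions for this example (ME 11.x era platforms); verify before
# applying to real hardware. These are assumptions, not values from the post.
FD_SIGNATURE = 0x0FF0A55A   # flash descriptor signature
FD_SIG_OFFSET = 0x10        # signature offset within the descriptor
FLMAP1_OFFSET = 0x18        # FLMAP1 register offset within the descriptor
HAP_BIT = 1 << 16           # reserve_hap, PCHSTRP0 bit 16


def find_descriptor(image: bytes) -> int:
    """Return the offset of the flash descriptor, scanning the first 4 KiB."""
    limit = min(len(image), 0x1000) - FD_SIG_OFFSET
    for base in range(0, limit, 0x10):
        (sig,) = struct.unpack_from("<I", image, base + FD_SIG_OFFSET)
        if sig == FD_SIGNATURE:
            return base
    raise ValueError("no Intel flash descriptor signature found")


def pchstrp0_offset(image: bytes) -> int:
    """Locate PCHSTRP0: descriptor base + FPSBA (FLMAP1 bits 23:16, x16)."""
    base = find_descriptor(image)
    (flmap1,) = struct.unpack_from("<I", image, base + FLMAP1_OFFSET)
    fpsba = ((flmap1 >> 16) & 0xFF) << 4
    return base + fpsba


def hap_bit_set(image: bytes) -> bool:
    """True if reserve_hap is already 1 in the image's PCH straps."""
    (pchstrp0,) = struct.unpack_from("<I", image, pchstrp0_offset(image))
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with reserve_hap = 1; nothing else changes."""
    buf = bytearray(image)
    off = pchstrp0_offset(buf)
    (pchstrp0,) = struct.unpack_from("<I", buf, off)
    struct.pack_into("<I", buf, off, pchstrp0 | HAP_BIT)
    return bytes(buf)


def changed_bytes(a: bytes, b: bytes) -> int:
    """Count differing bytes; a HAP-only patch should change at most one."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def build_sample_image(hap: bool = False) -> bytes:
    """Constructed 8 KiB stand-in for a SPI dump: descriptor at 0, straps at 0x100.

    This is synthetic test data, not a real firmware image.
    """
    img = bytearray(b"\xff" * 0x2000)
    struct.pack_into("<I", img, FD_SIG_OFFSET, FD_SIGNATURE)
    fpsba = 0x100
    flmap1 = (fpsba >> 4) << 16          # other FLMAP1 fields left at zero
    struct.pack_into("<I", img, FLMAP1_OFFSET, flmap1)
    pchstrp0 = 0x00000045 | (HAP_BIT if hap else 0)   # arbitrary strap bits
    struct.pack_into("<I", img, fpsba, pchstrp0)
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_image()
    patched = set_hap_bit(original)
    print("HAP before:", hap_bit_set(original))
    print("HAP after: ", hap_bit_set(patched))
    print("bytes changed:", changed_bytes(original, patched))
```

Two things worth noting. First, the patch touches one byte of the descriptor region, which is why a descriptor-only change can be delivered separately from a new ME image, and also why platforms whose firmware must be rebuilt and re-signed (the Boot Guard models in the plan) need a different path. Second, a set bit in the image only proves intent; confirming that the ME actually halts on a given model, as the plan’s “Confirm that ME is disabled on each model” step requires, means reading the ME status registers on the running machine after the update.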

In July of this year we began a project to automatically deliver firmware to System76 laptops similar to the way software is currently delivered through the operating system. We began testing the system in production on August 4th. Now it’s very near ready for laptop customers. For desktops, System76 will work on automated firmware delivery as part of our internal desktop design and manufacturing project.

All of this has culminated in the System76 plan to address Intel’s November 20th vulnerability announcement and our ability to respond to future firmware update needs.

System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.

- The roll out will occur over time and customers will be notified by email prior to delivery.
- You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops.*
- System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.
- System76 will not disable the ME on desktops but will provide updated ME firmware.
- Desktop customers will receive instructions for updating the ME via email as they are available.

There is a significant amount of testing and validation necessary before delivering the updated firmware and disabled ME. Disabling the ME removes a large attack surface and so reduces exposure to future ME vulnerabilities, and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption than the usual approach of listing affected models with links to firmware that most people never install.

It is important to note that while we can currently disable the ME on laptops, Intel may change how the device functions in the future. We implore Intel to retain the ability for device manufacturers and consumers to disable the ME.

* To install the system76-driver (for System76 hardware) on Ubuntu based distributions, run the following commands:

    sudo apt-add-repository -y ppa:system76-dev/stable
    sudo apt update
    sudo apt install -y system76-driver

Our internal plan in detail, with a list of affected products:

SA-00086 Vulnerability ME Update Project Plan

Laptops

- Disable the ME on all affected laptops
- Test combined ME and firmware delivery in production
- Add a UEFI check to the driver before starting the firmware daemon
- Fix the remaining automated firmware delivery system bug: “Firmware, on occasion, doesn’t install on ‘U’ class products”
- Set up a lab with all affected laptops
  - Intel 6th Gen
    - Bonobo (bonw11)
    - Gazelle (gaze10)
    - Gazelle (gaze11)
    - Kudu (kudu2)
    - Kudu (kudu3)
    - Lemur (lemu6)
    - Oryx (orxp1)
    - Oryx (oryp2)
    - Serval (serw9)
  - Intel 7th Gen
    - Bonobo (bonw12)
    - Galago (galp2)
    - Gazelle (gaze12)
    - Kudu (kudu4)
    - Lemur (lemu7)
    - Oryx (oryp3)
    - Serval (serw10)
  - Intel 8th Gen
    - Bonobo (bonw13)
    - Galago (galp3)
    - Lemur (lemu8)
    - Serval (serw11)
- Procure the latest ME firmware for the affected models
- Set the HAP bit to 1 on all ME images for models without Intel BootGuard
- Create Intel BootGuard firmware with the HAP bit set to 1 for:
  - lemu6
  - lemu7
  - lemu8
  - galp2
  - galp3
- Add firmware with the new ME to the automated firmware delivery system
- Test delivery of the new ME and firmware to all models
- Confirm that the ME is disabled on each model
- Draft email correspondence to customers
- Compile an email list of affected lemu8 customers
- Send email to lemu8 customers
- Send updated firmware and ME to lemu8 customers using automated delivery
- Work with the support team to evaluate any failures
- Based on those results, determine timing and delivery of the remaining firmware and update the project plan

Desktops

- Update all affected models with new ME firmware