FrameworkComputer/SoftwareFirmwareIssueTracker

Disabled USB Boot can easily be bypassed

Opened this issue · 1 comments

marten713 commented

Device Information

System Model or SKU

  • Framework Laptop 13 (11th Gen Intel® Core™)
  • Framework Laptop 13 (12th Gen Intel® Core™)
  • Framework Laptop 13 (13th Gen Intel® Core™)
  • Framework Laptop 13 (AMD Ryzen™ 7040 Series)
  • Framework Laptop 13 (Intel® Core™ Ultra Series 1)
  • Framework Laptop 16 (AMD Ryzen™ 7040 Series)

Probably this applies to other Framework Series as well, but I was only able to test with these models.

BIOS VERSION

13th Gen Intel: 03.08
AMD Ryzen 7040: 03.09
Intel Core Ultra 1: 03.04 (I know updates are available; I just didn't have the time yet)

DIY Edition information

Memory: Crucial Technology (if SKU is really of interest for this let me know and I will look it up)
Storage: Western Digital (same, if SKU is of interest I'll look it up)

Standalone Operation

Are you running your mainboard as a standalone device. Is standalone mode enabled in the BIOS?

  • Yes
  • No

Describe the bug

After disabling the option USB Boot in the BIOS/UEFI setup I am still able to easily boot from a USB stick via the Boot From File option.

The USB stick does not get shown in the boot manager menu anymore but this can be bypassed.

Steps To Reproduce

I'm using a USB drive with a Debian 13 live ISO so I guess steps 5 to 8 may vary depending on the image one uses.

  1. Make sure USB Boot is disabled in UEFI (UEFI -> Boot -> USB Boot -> disabled)
  2. Plugin a bootable USB drive
  3. Boot notebook and press F2
  4. In the menu select Boot From File
  5. In the File Explorer select the volume that says something like PciRoot(0x0)/Pci(0xD,0x0)/USB... (in my case it is listed as the first volume)
  6. Select <EFI>
  7. Select <boot>
  8. Select bootx64.efi or grubx64.efi
  9. Now the boot process starts

Expected behavior

My expectation is that when the option USB Boot is disabled it should be impossible to boot from a USB device (at least as long as one can not provide the UEFI administrator password).

Screenshots

Let me know if pictures would be of any help.

Operating System (please complete the following information):

This happens before the OS gets involved.

Additional context

-/-

JohnAZoidberg commented

After disabling the option USB Boot in the BIOS/UEFI setup I am still able to easily boot from a USB stick via the Boot From File option.
The USB stick does not get shown in the boot manager menu anymore but this can be bypassed.

This is the expected behavior that we inherit from the default Insyde behavior (The BIOS vendor we and many other OEMs use).
The purpose of the setting is just to make sure that no USB drive would be booted automatically, not to completely block boot from USB devices.
We can clarify this better in the description of the setting.

  • 👍1