Today, Microsoft alongside our biggest silicon partners are announcing a new vision for Windows security to help ensure our customers are protected today and in the future. In collaboration with leading silicon partners AMD, Intel, and Qualcomm Technologies, Inc., we are announcing the Microsoft Pluton security processor. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.
Pluton immediately rings a ton of alarm bells, since initiatives like this tend to not be a good thing for alternative platforms. There’s good news, though, too – Pluton will take care of firmware updates for your motherboard, which I welcome with open arms, since the current state of firmware updates where you have to use garbage OEM applications is dreadful.
Firmware updates for servers have always been possible through BMCs, IPMI and now RedFish.
On Linux desktops (and servers too), you do not need to use “garbage OEM applications” since there is LVFS (previously known as “fwupd”). This has been available for years now.
https://fwupd.org/
And one rarely needs firmware updates for the motherboard. If it works, don’t fix it.
Thom’s argument sounds like this one: “Sure, ozone depleting chemicals are awful, but they are useful when making bubbly soap.”
I have an old fujitsu laptop that is several versions behind and I am not able to update the firmware on because the updater from the vendor is a windows executable. For better or worse I’ve never had windows installed on it. Incidentally I have some problems with the firmware that would warrant trying an update, but so far I haven’t been able to.
Despite my experience with computers, I’m at a bit of a loss here unless I install windows, which I really don’t want to do.
Any suggestions or out of the box solutions I may have missed?
Fujitsu devices are not listed here…
https://fwupd.org/lvfs/devices/
Can’t you use WinPE booted from a USB or CD?
This.
If I remember correctly you can also install Windows 8 or newer on a thumb drive, it would probably be locked to a single computer so not as portable?
If the laptop is really old there should be an option to burn the firmware update to a CD-R(W).
bubi,
So install windows on the fujitu to external media? Sounds like it would take a long time to install to & from usb thumb drives, haha. But it could work. The other thing is I don’t have a windows license to burn for this. Does anyone know if an unactivated copy of windows would be enough to run the flash utility?
There isn’t, fujitu just offers the bios update as a windows executable.
I’m don’t even see any downloads for the OEM windows install media. Maybe if I call them. This is their standard policy…
https://www.fujitsu.com/downloads/COMP/fpcap/fsdm/Image%20Backup%20and%20Recovery%20Windows%2010%20ENG.pdf
@alfman, Windows works without being activated. It lets you know it’s unactivated through watermarks and disabling the background, but apart from that, it functions the same as if it was activated
jmorgannz,
Thanks for the suggestion, I may give that a shot.
I did try using hirensbootcd and did not have success with it.
https://www.hirensbootcd.org/screenshots/
I left out that this fujitsu laptop is secure boot locked, and despite the options to disable it existing in the bios, the settings are non-functional. I was able to boot ubuntu’s media thanks to it being signed, but ironically I can’t even boot the older windows 7 install media that I have. Presumably if I acquired new windows media it would work.
I was hoping someone might know of a way to update directly from linux. It seemed unlikely to work, but I did try running the updater in wine. I had another idea to run windows under qemu while trying to map the flash programming address into the virtual space, but this is too much effort just to update the damn firmware.
My new computers can run updates directly from the bios with no operating system installed.
I bought it because it was a cheap laptop/tablet hybrid and I thought it was perfect for a project, but this secure boot crap sucks when it cannot be disabled. I wasn’t privy to this fact until it was in my hands. I thought I had done my due diligence when I read the reviews saying it could boot linux, but it only works if your distro is signed by microsoft’s key (mine is not).
/gripe
For older Dell computers, where fwupd doesn’t work and updates from within UEFI do not work either, i have used FreeDOS flashed to USB-drive and running the BIOS-updater executables from there (tested with tens of different Dell computers that run Linux). But I do not know if the exe’s provided by Fujitsu would work this way.
Thom Holwerda,
Yeah. I haven’t studied this at all yet so maybe this gut reaction is wrong, but all too often when a vendor mentions “security” they actually mean securing the platform against the owners and giving the vendors more control over owners after the point of sale..
I’m all for robust hardware security measures, but my support is crucially contingent on owners holding the keys to those measures and not being beholden to a 3rd party.
The one thing that reassures me a bit is today Microsoft is a big user of Linux (Microsoft Azure). Hurting Linux would hence likely hurt their business. As for the rest best to wait and see. Hopefully people will have control over it and it won’t try to take control away claim now you are secured.
Microsoft is great supporter of Linux in the server space. they have no interest on allowing linux to run on consumer hardware though, as it would be detrimental to their Windows sales
Somehow this screams a reboot of Palladium IMO.
> chip-to-cloud security technology
Whatever could go wrong here?
emphyrio,
Always on DRM, coming to an operating system near you. It’s not just for games anymore.
It depends. WTF does “chip-to-cloud security technology” even mean?
skimming the source article it sounds like its yet another (PSP/IME) Platform Security Processor / Intel Management Engine? Is it designed to replace those? don’t see a point in reinventing this wheel that is already working to protect the system/firmware from tampering ? but if they ever wanted to truly ‘secure’ the firmware why not add a firmware write protect jumper on motherboards? no because that would be too easy!
downsides I could totally see them adding Telemetry in the security processor because Microsoft , why not? and users can’t turn it off this way! also could see forced firmware updates slowing or disabling features on older hardware coinciding with new product launches (just like apple has done with software)
tldr Sounds like an over engineered hardware solution to something that could be done in software, when most manufactures fire and forget hardware products providing no updates after a year or so!
leeloo,
Yes it is more complicated than it needs to be. Although I do see the merit in an attestation feature to validate that the firmware is from who is says it is. The reason these mechanisms are designed the way they are though is because one of the underlying goals unfortunately is to take owners out of the chain of trust. Take secure boot, the spec goes through great lengths to ensure that vendors have the ability to lock owners out of their own computers. There are no provisions in the spec for owners to control secure boot themselves without the vendor’s permission. Owner interests had no representation at the table when secure boot was being engineered. As you may recall, this caused so much controversy that microsoft (who themselves were involved in secure boot’s development) had to step in and mandate that secure boot could be disabled for windows 8 hardware certification. This of course is better than nothing, but because it was never part of the standard there’s no standardized way for owners to control secure boot or add alt-os keys. In theory alternative operating systems can sign with their own keys and take advantage of “secure boot”, but in practice very few users can do it and the process remains inconsistent and vendor-specific. Consequently secure boot has become a highly microsoft-centric feature. The practical viability of using secure boot for most means getting signed by microsoft’s key.
And to make matters worse, microsoft’s windows 8 requirement that secure boot be unlockable has been removed in windows 10. So now you can’t even be sure that you’ll be able to turn off secure boot when you buy an x86 computer.
I know I’m preaching to the choir here, but it’s important to keep our eyes open. Otherwise there’s a real risk of loosing more control on our own hardware.
One protection looking forward, I believe, is to purchase Enterprise grade machines in the future. As M$ and HW OEMS will only listen to what corporations mandate as they have the lion’s share of teh wallets.
spiderdroid,
Yeah I see where you are coming from.
On the other hand though for me that optimism is mixed when witnessing how quickly enterprises are swallowing the hook when it comes to “cloud”. They’re lining up to hand their keys over to cloud service providers where they explicitly know they’ll have less control over their own data than the 3rd parties do…
One company I work with outsourced network authentication to a cloud provider. They administrate accounts through a 3rd party website, and when I log into the VPN the cloud provider is responsible for authorizing or blocking the connection. I don’t know what they were thinking because there’s a lot of good tools for managing user accounts that don’t requiring giving 3rd parties control over your network and paying a monthly subscription fee for the privilege.
Maybe they thought that outsourcing would save them the hassle of support. But when I encountered issues logging in I tested this theory and the cloud party provider would not help, they actually deferred back to the company I was working for. So there I was getting cloud VPN tech support from an upper level engineer working at the company paying for cloud VPN service. It’s bonkers.
Oh and with the new reliance on google virtual classrooms due to covid, my kids are encountering problems with cloud services there too. There’s this really weird bug were some of my son’s assignments are missing pages. My daughter didn’t have these problems, so my first thought was that the teacher must have been doing something wrong. We tried different browsers and it made no difference, however it turns out that when using the mobile application all the pages are there. We contacted the school’s IT department and they said the problem was completely reproducible but that they’re nothing they could do other than have it escalated. We’re some two weeks into this problem and google still hasn’t fixed it. Meanwhile students aren’t seeing the whole assignment on the computer. On the funny side, you can say “Google ate my homework” and it be completely true.
My apologies for this tangent on top of another tangent, I’ve lost the tracks, haha.
@ Alfman
Understood and I completely agree. That echos my same issue with ServiceNow. LOL Corp Fromages rely on 3rd party cloud services as they are internal. I clear tickets daily and am dinged at teh end of the month in a review that they’re not done. LOL Between that and firmwide U I issues where Links used to work, then doesnt anymore. I cant search and “click” on a ticket. I have to Open that link in a new window, etc. Thats the same with inventory searches as teh entire IT inventory is on ServiceNow. There’s no one toe escalate to nor complain to as Joe IT Guy has zero leverage with a giant such as ServiceNow , nor the layers of management that you have to wade through to get the attention of the account representative. I work for an international bank. But then again, that’s just ServiceNow. We’re deeply entrenched in Azure, etc. also. LOL