System76 ME Firmware Updates Plan
Update: We’ve been getting a lot of great feedback from people on HackerNews and Reddit. Here are answers to a few common questions:
- The System76 Firmware Update Tool is Open Source and located at https://github.com/system76/firmware-update
- The github repo includes the architectural and security details
- Users are prompted to update firmware. A change log is included. Updates are not initiated without user action.
Proprietary code always makes life harder and Intel’s Management Engine (ME) firmware is a particularly challenging chunk of secretive software. Thanks to issues identified by external security researchers, Intel initiated an audit of its ME firmware and discovered multiple critical vulnerabilities as described in SA-00086.
Separately, researchers at Positive Technologies discovered an undocumented High Assurance Platform (HAP) setting in Intel ME firmware. HAP was developed by the NSA for secure computing. Setting the “reserve_hap” bit to 1 disables the ME.
In July of this year we began a project to automatically deliver firmware to System76 laptops similar to the way software is currently delivered through the operating system. We began testing the system in production on August 4th. Now it’s very near ready for laptop customers. For desktops, System76 will work on automated firmware delivery as part of our internal desktop design and manufacturing project.
All of this has culminated in the System76 plan to address Intel’s November 20th vulnerability announcement and our ability to respond to future firmware update needs.
- System76 will automatically deliver updated firmware with a disabled ME on Intel 6th, 7th, and 8th Gen laptops. The ME provides no functionality for System76 laptop customers and is safe to disable.
- The roll out will occur over time and customers will be notified by email prior to delivery
- You must run Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, Pop!_OS 17.10, or an Ubuntu derivative and have the System76 driver installed to receive the latest firmware and disabled ME on laptops*
- System76 will investigate producing a distro-agnostic command line firmware install tool. Follow us on your preferred social network for updates.
- System76 will not disable the ME on desktops but will provide updated ME firmware
- Desktop customers will receive instructions for updating the ME via email as they are available
There is a significant amount of testing and validation necessary before delivering the updated firmware and disabled ME. Disabling the ME will reduce future vulnerabilities and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption (over listing affected models with links to firmware that most people don’t install).
It is important to note that, while we can currently disable the ME on laptops, Intel may change how the device functions in the future. We implore Intel to retain the ability for device manufacturers and consumers to disable the ME.
* To install the system76-driver (for System76 hardware) on Ubuntu based distributions run the following commands
sudo apt-add-repository -y ppa:system76-dev/stable
sudo apt update
sudo apt install -y system76-driver
Our internal plan in detail with a list of affected products
SA-00086 Vulnerability ME Update Project Plan
Laptops
Disable the ME on all affected laptops
- Test combined ME and firmware delivery in production
- Add UEFI check to driver before starting the firmware daemon
- Fix the remaining automated firmware delivery system bug “Firmware, on occasion, doesn’t install on ‘U’ class products”
- Set up lab with all affected laptops
  - Intel 6th Gen
    - Bonobo (bonw11)
    - Gazelle (gaze10)
    - Gazelle (gaze11)
    - Kudu (kudu2)
    - Kudu (kudu3)
    - Lemur (lemu6)
    - Oryx (orxp1)
    - Oryx (oryp2)
    - Serval (serw9)
  - Intel 7th Gen
    - Bonobo (bonw12)
    - Galago (galp2)
    - Gazelle (gaze12)
    - Kudu (kudu4)
    - Lemur (lemu7)
    - Oryx (oryp3)
    - Serval (serw10)
  - Intel 8th Gen
    - Bonobo (bonw13)
    - Galago (galp3)
    - Lemur (lemu8)
    - Serval (serw11)
- Procure latest ME’s for affected models
- Set HAP bit to 1 on all ME’s without Intel BootGuard
- Create Intel BootGuard firmware with HAP bit set to 1
  - lemu6
  - lemu7
  - lemu8
  - galp2
  - galp3
- Add firmware with the new ME to the automated firmware delivery system
- Test delivery of the new ME and firmware to all models
- Confirm that ME is disabled on each model
- Draft email correspondence to customers
- Compile email list of affected lemu8 customers.
- Send email to lemu8 customers
- Send updated firmware and ME to lemu8 customers using automated delivery
- Work with the support team to evaluate any failures
- Based on those results, determine timing and delivery of the remaining firmware and update the project plan
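Two steps of the laptop plan above are checks rather than deliveries: the UEFI check added to the driver before the firmware daemon starts, and confirming on each model that the ME is actually disabled after the new firmware lands. The following is an added example of how a preflight script for those two checks can be written; it is not System76's firmware-update code. It assumes that the Linux mei driver exposes /sys/class/mei/mei0/fw_status with one hex word per line (HFSTS1..HFSTS6), that HFSTS1 uses the field layout coreboot publishes for the ME host firmware status register (bits 0-3 current working state, bits 16-19 operation mode), and that a UEFI boot is recognised by the presence of /sys/firmware/efi. The register dumps embedded below are constructed, not captured from real hardware.

```python
"""Preflight checks: UEFI boot detection and ME status decoding.

Added example, not System76's code. Register layout and mode names are
taken from coreboot's published ME definitions (assumption for this
example); sample register dumps are constructed.
"""
import os

WORKING_STATE_MASK = 0xF         # HFSTS1 bits 0-3 (assumed coreboot layout)
OPERATION_MODE_SHIFT = 16        # HFSTS1 bits 16-19
OPERATION_MODE_MASK = 0xF

CWS_NORMAL = 5                   # working state "normal" in coreboot's table
OPERATION_MODES = {              # mode names as coreboot/intelmetool print them
    0: "normal",
    2: "debug",
    3: "soft temporary disable",
    4: "security override via jumper",
    5: "security override via MEI message",
}

# Constructed sample fw_status contents (six HFSTS words, one per line).
SAMPLE_FW_STATUS_NORMAL = "00000245\n00000000\n00000000\n00000000\n00000000\n00000000\n"
SAMPLE_FW_STATUS_HALTED = "00030001\n00000000\n00000000\n00000000\n00000000\n00000000\n"


def parse_fw_status(text):
    """Return the HFSTS registers as integers, one per non-empty line."""
    return [int(line, 16) for line in text.split("\n") if line.strip()]


def decode_hfsts1(hfsts1):
    """Split HFSTS1 into the two fields this check cares about."""
    mode = (hfsts1 >> OPERATION_MODE_SHIFT) & OPERATION_MODE_MASK
    return {
        "working_state": hfsts1 & WORKING_STATE_MASK,
        "operation_mode": mode,
        "operation_mode_name": OPERATION_MODES.get(mode, "unknown (%d)" % mode),
    }


def me_running_normally(fw_status_text):
    """True only when the ME reports the normal working state AND normal mode."""
    regs = parse_fw_status(fw_status_text)
    if not regs:
        return False
    fields = decode_hfsts1(regs[0])
    return fields["working_state"] == CWS_NORMAL and fields["operation_mode"] == 0


def is_uefi_boot(sysfs_root="/sys"):
    """The UEFI check the plan adds before starting the firmware daemon."""
    return os.path.isdir(os.path.join(sysfs_root, "firmware", "efi"))


def read_fw_status(path="/sys/class/mei/mei0/fw_status"):
    """Read the live register dump, or None when the mei device is absent."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    print("UEFI boot:", is_uefi_boot())
    live = read_fw_status()
    text = live if live is not None else SAMPLE_FW_STATUS_HALTED
    print("source:", "live sysfs" if live is not None else "constructed sample")
    print("HFSTS1 fields:", decode_hfsts1(parse_fw_status(text)[0]))
    print("ME running normally:", me_running_normally(text))
```

A missing mei device (read_fw_status returning None) is not by itself proof that the ME is disabled; the plan's "confirm that ME is disabled on each model" step still needs a positive reading per model, which is why the script reports where its input came from.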
Desktops
Update all affected models with new ME firmware
- Create the “firmware” github repo structure for storing desktop firmware
- Procure updated ME for all models
  - Intel 6th Generation
    - Meerkat (meer2)
    - Ratel (ratp5)
    - Sable (sabl6)
    - Wild Dog (wilp12)
  - Intel 7th Generation
    - Leopard (leow8)
    - Meerkat (meer3)
    - Wild Dog (wilp13)
- If the ME also requires a BIOS update, create customized BIOS for each model.
- Add firmware to the “firmware” github project https://github.com/system76/firmware-desktop
- Design desktop Guide page changes to include notification and firmware download
- Modify guides for affected desktops
- Draft email correspondence to customers
- Compile email list for all affected customers
- Send email notification
The lspci -k output, run from the Pop!_OS installation, is
The lscpu output is
Requirements
I want to have full-disk encryption, with the exception of the boot partition and I am installing with WiFi. There is a discrete NVIDIA graphics card. I would like to use it for OpenCL/CUDA and for an external monitor.
Preliminaries
I used the archlinux-2019.01.01-x86_64.iso, put it on a USB flash drive using dd (standard procedure).
Inserted the USB drive, booted while pressing F7 on boot to enter the boot disk picker. Once there, press e to enter kernel command line options. Add video=1920x1080 to enlarge the console fonts (I have the 4K screen version of the Oryx Pro and the default resolution makes the letters tiny) and module_blacklist=nouveau to switch off the NVIDIA GPU for now. The options should be separated by a space and entered at the end of the line. Switching off the nouveau driver is necessary; otherwise any hardware listing (such as lspci) will hang with fans blazing. The WiFi card has functional firmware, checked by running
List WiFi networks, pick the relevant and follow prompts to connect:
Set up time and date.
I want to use LVM on LUKS to get full-disk encryption, including the swap. /boot will be unencrypted.
Disk preparation
Partition the target disk (here, it is /dev/nvme0n1).
To list partitions:
System76 requires the EFI partition to be in /boot so that it can do firmware updates. I leave the secondary disk alone. It is already formatted and has data on it. I use gdisk to set up GPT:
- p to list current partitions
- o to delete them all and create an empty GPT partition table
- n to create new
  - first (for EFI, code EF00): default start, end at +500M, otherwise defaults, erase ext4 signature if asked
  - second (LVM, code 8E00): the rest of the disk
- p to check if everything looks sane
- w to write (THE DISK WILL BE ERASED AT THIS POINT)
Format the EFI boot partition (left unencrypted):
Create the non-boot file systems. The following will require coming up with a passphrase. I followed the instructions in Encrypting an entire system.
Encrypt the future LVM container:
I have to use luks1 because GRUB does not support luks2 as of this writing. That is not an issue in the ThinkPad set-up, as far as I can tell, because I am booting from BIOS there rather than EFI. Prepare the logical volumes:
Mount the EFI boot partition:
Installation
Install Arch:
Generate fstab:
Edit /mnt/etc/crypttab to add a line
The discard option enables TRIM support. There are security implications (TRIM lets the drive, and anyone who reads it, see which sectors of the encrypted container are unused), but not serious enough for my use case. Read the linked documentation to decide for yourself. An easy way to transfer the UUID without typing it is to do
and edit the crypttab file to make it correct, or use :read in vim.
There is an issue with GRUB and LVM which causes grub-mkconfig to hang and grub-install to keep probing LVM devices. For the workaround, prepare the following:
Configuration
Move into the fresh Arch installation on the main disk. Note that the paths will no longer require /mnt in front.
To deal with the GRUB/LVM problem, run
Edit /etc/mkinitcpio.conf (this is now on the target drive):
Use blkid to list UUIDs of devices. Edit /etc/default/grub to modify variables. Append “lvm” to GRUB_PRELOAD_MODULES. Uncomment the GRUB_ENABLE_CRYPTDISK=y line. Append cryptdevice=UUID=UUID-of-/dev/nvme0n1p2:cryptlvm root=/dev/MainVolGroup/root resume=/dev/MainVolGroup/swap ec_sys.write_support=1 video=1920x1080 module_blacklist=nouveau to GRUB_CMDLINE_LINUX_DEFAULT. The resume=... part is for suspend to disk support. Install GRUB on EFI:
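The crypttab line in the previous section and the cryptdevice= kernel parameter here both need the UUID of the LUKS container, and a typo in either leaves an unbootable system. As an added example (not the guide's own commands), the script below derives both from blkid output, refusing any device that blkid does not report as crypto_LUKS so a slip in the device name cannot silently point crypttab at the EFI partition. It assumes the layout the guide uses: the container is /dev/nvme0n1p2, opened as cryptlvm, and the volume group MainVolGroup has root and swap logical volumes. The blkid lines embedded in the script are constructed sample output, not captured from real hardware.

```python
"""Derive the crypttab entry and GRUB_CMDLINE_LINUX_DEFAULT from blkid output.

Added example, not from the original guide. Device and volume names follow
the guide's layout; BLKID_SAMPLE is constructed.
"""
import re
import subprocess

LUKS_DEVICE = "/dev/nvme0n1p2"   # the guide's LUKS container (assumption)

# Constructed blkid(8) output; the UUIDs are made up for this example.
BLKID_SAMPLE = """\
/dev/nvme0n1p1: UUID="A1B2-C3D4" TYPE="vfat" PARTLABEL="EFI System" PARTUUID="11111111-2222-3333-4444-555555555555"
/dev/nvme0n1p2: UUID="0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b" TYPE="crypto_LUKS" PARTUUID="66666666-7777-8888-9999-aaaaaaaaaaaa"
/dev/mapper/MainVolGroup-root: UUID="bbbbbbbb-cccc-dddd-eeee-ffffffffffff" TYPE="ext4"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(text):
    """Map each device path to its key="value" fields."""
    devices = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        dev, _, rest = line.partition(":")
        devices[dev.strip()] = dict(FIELD_RE.findall(rest))
    return devices


def is_luks(blkid_text, device):
    """True when blkid reports the device as a LUKS container."""
    return parse_blkid(blkid_text).get(device, {}).get("TYPE") == "crypto_LUKS"


def luks_uuid(blkid_text, device):
    """UUID of the LUKS container; anything that is not crypto_LUKS is rejected."""
    if not is_luks(blkid_text, device):
        raise ValueError("%s is not a crypto_LUKS device" % device)
    return parse_blkid(blkid_text)[device]["UUID"]


def crypttab_line(name, uuid, discard=True):
    """crypttab fields: mapping name, device, key file ('none' = prompt), options."""
    options = "luks,discard" if discard else "luks"
    return "%s UUID=%s none %s" % (name, uuid, options)


def grub_cmdline(uuid, name="cryptlvm", vg="MainVolGroup"):
    """The kernel parameters the guide appends to GRUB_CMDLINE_LINUX_DEFAULT."""
    return " ".join([
        "cryptdevice=UUID=%s:%s" % (uuid, name),
        "root=/dev/%s/root" % vg,
        "resume=/dev/%s/swap" % vg,          # suspend-to-disk target
        "ec_sys.write_support=1",
        "video=1920x1080",
        "module_blacklist=nouveau",
    ])


def grub_default_line(uuid):
    """Complete variable assignment for /etc/default/grub."""
    return 'GRUB_CMDLINE_LINUX_DEFAULT="%s"' % grub_cmdline(uuid)


if __name__ == "__main__":
    try:  # use the real blkid when run on the target system
        text = subprocess.run(["blkid"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = ""
    if not is_luks(text, LUKS_DEVICE):
        text = BLKID_SAMPLE          # fall back to the constructed sample
    uuid = luks_uuid(text, LUKS_DEVICE)
    print(crypttab_line("cryptlvm", uuid))
    print(grub_default_line(uuid))
```

Run it inside the chroot and paste the two printed lines into /etc/crypttab and /etc/default/grub; drop discard=True if you decide against TRIM after reading the documentation the guide links.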
Make the GRUB config:
Activate NetworkManager:
Time zone and locale specification (I am in New York, yours may be different).
Uncomment all en_US entries in /etc/locale.gen.
Set LANG=en_US.UTF-8 in the newly created /etc/locale.conf.
Network settings:
Create /etc/hostname and write nerv there (that is the name I gave the laptop; substitute what you like). Edit /etc/hosts to add
Exit the chroot, optionally umount -R /mnt, and shut down the computer. Remove the USB drive and start the laptop again.
Driver installation
Start by connecting to WiFi and enter the WiFi password (if any) at the prompt.
Start by installing the NVIDIA drivers:
The System76 drivers are available from the AUR. They cannot be installed as root, so I set my root password and add a regular user first. To enable sudo for the user, uncomment the %wheel ALL=(ALL) ALL line in /etc/sudoers. I like to reboot etc. without entering a password, so I also add %wheel ALL=(ALL) NOPASSWD: REBOOT. I add /sbin/shutdown to the REBOOT alias. Reboot the laptop. Log in as the regular user and proceed with driver installation. First install kernel headers:
Now install the kernel modules (mostly following the instructions here):
Environment set-up
Basic connectivity
I start with installing htop to test that everything is working. Then
- ethtool to manage the internet card
- iptables firewall
- openvpn VPN
- networkmanager-openvpn VPN plugin for NetworkManager
To set up the firewall, write the following (with sudo):
Save the rules to a file. I retain a copy for re-use on other systems.
X windows
Next, I set up X windows. I want the whole thing, including the fonts, so I go with the xorg group.
Add a version of the i3 window manager along with some needed add-ons.
Copy fonts that I have in the add_fonts directory in this repository to the freshly created /usr/share/fonts/added, then run
for fontconfig to recognize them (check with fc-list). Copy the local.conf file from the systemwide_conf directory (I keep it in my dotfiles) to /etc/fonts. Copy the 60-fonts.conf to /etc/X11/xorg.conf.d.
To set up a good-looking environment, I need to install
For a graphical login, I use lightDM.
I included the modified config files in the systemwide_config directory in my dotfiles. Move lightdm.conf and lightdm-gtk-greeter.conf to /etc/lightdm. Add any images you want for the background to /usr/share/pixmap.
Vim
I clone my dotfile repo to get the .vimrc and the .vim directory. For YouCompleteMe to work, I need to install cmake:
Change to the .vim/bundle directory and clone the VundleVim repository to it. Start vim and run
After that, change to YouCompleteMe and run
Miscellaneous software
Next I install various pieces of software for general operation.
LaTeX
I use a close to maximal TeX Live. Install it with
R compilation
I compile R from source because I want a fast BLAS/LAPACK implementation. I currently like Intel’s Math Kernel Library. Download the archive from Intel’s website (you have to sign in, but it’s free) and unzip it. Get into the unpacked directory. Before installation, make sure you have cpio already installed. Then type (possibly with sudo)
and follow the prompts. It will complain that the OS is unsupported, but ignore that and everything seems to proceed normally. Download R dependencies (except blas and lapack, which will be provided by MKL).
Install some optional dependencies.
Unzip the R download tarball and change to the directory. Run the MKL script that establishes some needed shell variables.
While I am at it, I add $MKLROOT to .bashrc. It helps to have it for any other compilations that require BLAS. Then run configuration and installation.
Check that the linking worked by running
(it is the bin directory in the current R download directory, not /bin)
I also need the GNU Scientific library for one of my projects.
NVIDIA set-up
I mostly follow the instructions here. I activate the NVIDIA card
I add the file 10-nvidia-drm-outputclass.conf to /usr/share/X11/xorg.conf.d. This file contains
I also put the following script in /etc/lightdm to check if the NVIDIA card is on at startup, and add an external monitor if it is connected.
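The body of that startup script is not reproduced on the page, so here is an added example of the external-monitor half of it (not the guide's own script): it parses `xrandr --query` output, decides whether anything other than the laptop panel is connected, and builds the xrandr command that enables the external display to the right of the panel. It assumes the internal panel is named eDP-1 (check yours with xrandr); the xrandr text embedded in the script is constructed sample output, not captured from real hardware. The "is the NVIDIA card on" check is not modelled, since the page does not show how it is done.

```python
"""Detect a connected external monitor from xrandr output and build the
xrandr command that enables it beside the laptop panel.

Added example, not the guide's lightdm script. eDP-1 as the panel name is
an assumption; XRANDR_SAMPLE is constructed.
"""
import re
import subprocess

# Constructed `xrandr --query` output: panel, one unused port, one external monitor.
XRANDR_SAMPLE = """\
Screen 0: minimum 8 x 8, current 7680 x 2160, maximum 32767 x 32767
eDP-1 connected primary 3840x2160+0+0 (normal left inverted right x axis y axis) 345mm x 194mm
   3840x2160     60.00*+
HDMI-1 disconnected (normal left inverted right x axis y axis)
DP-1 connected 3840x2160+3840+0 (normal left inverted right x axis y axis) 600mm x 340mm
   3840x2160     60.00*+
"""

# Output lines start in column 0 with the name; mode lines are indented.
OUTPUT_RE = re.compile(r"^(\S+) (connected|disconnected)\b")


def parse_outputs(text):
    """Map output name -> True when connected."""
    outputs = {}
    for line in text.splitlines():
        m = OUTPUT_RE.match(line)
        if m:
            outputs[m.group(1)] = m.group(2) == "connected"
    return outputs


def external_outputs(text, internal="eDP-1"):
    """Connected outputs other than the laptop panel, in xrandr's order."""
    return [name for name, on in parse_outputs(text).items() if on and name != internal]


def xrandr_args(text, internal="eDP-1"):
    """Command to run: the panel alone, or the panel plus the first external
    monitor placed to its right."""
    args = ["xrandr", "--output", internal, "--auto", "--primary"]
    externals = external_outputs(text, internal)
    if externals:
        args += ["--output", externals[0], "--auto", "--right-of", internal]
    return args


if __name__ == "__main__":
    try:
        query = subprocess.run(["xrandr", "--query"], capture_output=True,
                               text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        query = XRANDR_SAMPLE  # no X display available: show the constructed case
    print(" ".join(xrandr_args(query)))
```

Because the decision is made from xrandr's own report rather than a hard-coded port name, the same script works whether the monitor is on DP-1 or HDMI-1; unplug it and the panel simply stays the only active output.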
I keep the screens (I have a 4K external monitor, and the HiDPI screen on the laptop) at the full resolution, but enlarge fonts and follow some suggestions on the Arch HiDPI wiki page. I am really happy with the text rendering with this set-up. Running the screens at 1080p made everything larger, but noticeably fuzzier.