PS: Liliputing has info on a few Dell models that also can have Intel ME disabled.
Reminder to OEMs: publish the hashes of your platform firmware. Hopefully using codehash.db.
In the Twitter thread below, Joanna asked Dell support for hashes of their firmware. Eventually, Rick Martinez of Dell got involved, so this is a good example of a conversation on this topic between two people who understand the issues.
It looks like Dell needs to use HTTPS:
Platform Software Senior Principal Engineer/BIOS Architect (17000X39)
[…] You’ll apply skills and experience across the full cycle of software development (specification development and review, debug and validation) to enable features and capabilities of platforms in areas like UEFI drivers, thermal, power management, security, manageability, manufacturability, configurability and embedded controllers.
* Work with Industry forums for spec development like UEFI, DMTF, PCI Sig, ACPI, etc
* Ability to take ownership of overall UEFI platform design throughout the platform lifecycle
* 12+ years experience in BIOS / firmware SW development
* UEFI Programming expertise
* Low level programming capability -system/motherboard/device/chipset level
* Experience with analyzers and other HW tools to debug complex system SW issues
PFSExtractor v0.1.0 – extracts contents of Dell firmware update files in PFS format
Usage: PFSExtractor pfs_file.bin
“[…] Responsible for discovering and exploiting vulnerabilities affecting Dell software and firmware. […]”
If you build a Linux-based system, you should be putting your firmware updates on fwupd. Dell is the only vendor currently doing this.
What about System76, ThinkPenguin, Purism, HP, etc.?
Hmm, it looks like System76 might be working on it!
Dell/EMC has a new Tech Note, written by Wei Liu and Seamus Jones, summarizing some of the new firmware security features available in their new server:
Cyber-Resiliency Starts at the Chipset and BIOS
2-page Tech Note covering new BIOS features introduced with PowerEdge 14G servers, offering unique resiliency to malicious intent or user error. The two features highlighted, BIOS Recovery and integration of Intel Boot Guard, respectively, are further demonstration of PowerEdge engineering commitment to ensuring the security and stability of enterprise infrastructures.