GTR7 Pro BIOS Security

Posted on 2024-05-30 03:17:52
Hello,

I own a GTR7 Pro with BIOS version GTR_P5C6V37.
System notified me that I have poor security configuration of the BIOS.

Here is what I found using fwupdmgr security --force command:
Host Security ID: HSI:0 (v1.9.20)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI secure boot:              Enabled
✘ UEFI platform key:             Invalid

HSI-2
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ SPI write protection:          Disabled

HSI-3
✔ CET Platform:                  Supported
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled
✘ SPI replay protection:         Not supported
✘ Pre-boot DMA protection:       Disabled

HSI-4
✔ SMAP:                          Enabled
✘ Processor rollback protection: Disabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ CET OS Support:                Supported
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted

What particularly bothered me:
  • UEFI platform key - probably outdated - I'll be reading about that. I hope it will be possible to update this key.
  • SPI write protection and SPI replay protection - I can't find a BIOS option for that. Is it possible to enable it?

Posted on 2024-05-30 15:38:57
Hello there,
We will ask the technical personnel. After getting any answer, we will reply to you.

Original poster | Posted on 2024-06-05 22:58:15
tuiguang13 replied at 2024-05-30 15:38
Hello there,
We will ask the technical personnel. After getting any answer, we will reply to you.

Any update?

I was able to work around the UEFI platform key problem by replacing keys using github/microsoft/secureboot_objects keys. Now the UEFI platform key test is marked valid. It would be good if Beelink released a BIOS update that includes the latest certificates. At this moment there is a Platform Key named "DO NOT TRUST - Ami Test PK".
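
Added example (not part of the original posts and not fwupd's own code): a small parser for the text report quoted in this thread, showing why one failed HSI-1 check yields HSI:0 and what level the platform would reach once the platform key check passes. It uses a simplified model of the HSI rule (a level counts only if it and every lower level have no failed check); the function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: an abridged copy of the fwupdmgr report quoted in this thread.
SAMPLE = """\
Host Security ID: HSI:0 (v1.9.20)
HSI-1
✔ UEFI secure boot:              Enabled
✘ UEFI platform key:             Invalid
HSI-2
✔ IOMMU:                         Enabled
✘ SPI write protection:          Disabled
HSI-3
✔ Suspend-to-ram:                Disabled
✘ Pre-boot DMA protection:       Disabled
HSI-4
✘ Encrypted RAM:                 Not supported
Runtime Suffix -!
✔ Linux kernel lockdown:         Enabled
"""

CHECK = re.compile(r"([✔✘])\s+(.+?):\s+(.+)")

def parse_report(text):
    """Map each HSI level (int) to a list of (check name, result text, passed)."""
    levels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate bullets from copied forum text
        header = re.fullmatch(r"HSI-(\d+)", line)
        if header:
            current = int(header.group(1))
        elif line.startswith("Runtime Suffix"):
            current = None  # runtime checks are listed separately from the numbered levels
        elif current is not None and (m := CHECK.fullmatch(line)):
            # Trust the mark, not the word: "Suspend-to-ram: Disabled" is a pass.
            levels.setdefault(current, []).append((m[2], m[3], m[1] == "✔"))
    return levels

def hsi_level(levels, fixed=()):
    """Highest level reached before the first level that still has a failed check.
    `fixed` names failed checks to treat as remediated (what-if analysis)."""
    achieved = 0
    for lvl in sorted(levels):
        if any(not ok and name not in fixed for name, _, ok in levels[lvl]):
            break
        achieved = lvl
    return achieved

def blockers(levels):
    """Failed check names per level, lowest level first (the order to fix them in)."""
    return {lvl: [n for n, _, ok in levels[lvl] if not ok] for lvl in sorted(levels)}
```

With the sample above, `hsi_level(parse_report(SAMPLE), fixed={"UEFI platform key"})` returns 1: the next blocker is SPI write protection at HSI-2.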

Posted on 2024-06-14 05:53:45
It would really be great to get a BIOS version that passed this modern security stuff. This would make the GTR7Pro a perfect computer!

Original poster | Posted on 2024-08-25 15:06:46
Any update?

Posted on 2024-08-26 17:34:01

Hello there,
Have you updated the V38 bios? We send it to you in a private message.
This is the V38 bios for GTR7: https://mega.nz/folder/zmoExBKY#6B0swS087DZ5-dL72yneOw
Tutorial: https://mega.nz/file/aiAlmSzI#Ez ... R77W_KYXDpMOJGhnWc4
Have a nice day!