Intel graphic card firmware updates broken due to Intel ME kernel modules disabling in Qubes #9369

Closed
adrelanos opened this issue Jul 21, 2024 · 2 comments
Labels
P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. R: not applicable E.g., help/support requests, questions, discussions, "not a bug," not enough info, not actionable. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@adrelanos
Member

Qubes OS release

R4.1

Brief summary

Intel graphics card firmware updates likely broken by Qubes.

Steps to reproduce

Unknown.

Expected behavior

Intel graphics card firmware update should be functional or at least likely functional.

Actual behavior

Intel graphics card firmware update unknown if functional and likely broken by Qubes.

Technical explanation

#3916 and Qubes kernel config show Intel ME related kernel modules as disabled / not compiled in.

Here is a quote about the mei-gsc kernel module from https://cateee.net/lkddb/web-lkddb/INTEL_MEI_GSC.html:

An MEI device here called GSC can be embedded in an Intel graphics devices, to support a range of chassis tasks such as graphics card firmware update and security tasks.

This means by messing with Intel ME kernel modules, Qubes might break the Intel graphic card firmware update mechanism (which I did not look up yet how that works).

The existence of https://github.com/3mdeb/qubes-fwupd and #8813 implies that Qubes wants to support firmware updates from Qubes dom0.

Security enthusiasts, myself included, don't like Intel ME, a whole operating system running inside the CPU, because it is a security risk. Therefore it might be tempting to put a big hammer on anything Intel ME related, such as Intel ME kernel modules, for activist reasons. These reasons, however, might not be sound security practices. Qubes also installs Intel / AMD microcode by default, which is proprietary, and where one also needs to blindly hope everything will be OK.

Note that disabling Intel ME kernel modules does nothing about Intel ME running directly inside the CPU.

Therefore, unfortunately, it must be reconsidered if disabling Intel ME kernel modules in Qubes is a good idea as kernel documentation implies that not using that module makes Intel graphic card firmware updates impossible.

@adrelanos adrelanos added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jul 21, 2024
@marmarek
Member

Qubes is not disabling any ME kernel modules. There is a QubesOS/qubes-linux-kernel#705 that is only slightly related, but it's still not merged as I'm still not convinced it won't have negative side effects similar to what you describe here.

@marmarek marmarek closed this as not planned Won't fix, can't repro, duplicate, stale Jul 21, 2024
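
The two comments above disagree about what the kernel config contains, which can be checked directly. As an added example (not from this thread or the Qubes project), the shell helper below reports how a kernel config file treats the MEI options; the sample config is constructed, and the `CONFIG_INTEL_MEI` and `CONFIG_INTEL_MEI_ME` option names and the `/boot/config-$(uname -r)` path are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example: report whether a kernel config builds an option in,
# builds it as a module, explicitly disables it, or does not mention it.
# $1 = option name, $2 = path to a kernel config (plain text or .gz)
kconfig_state() {
    opt=$1
    cfg=$2
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Whole-line comparison, so CONFIG_INTEL_MEI never matches
    # CONFIG_INTEL_MEI_ME or CONFIG_INTEL_MEI_GSC by prefix.
    $reader "$cfg" | awk -v opt="$opt" '
        $0 == (opt "=y")               { s = "builtin" }
        $0 == (opt "=m")               { s = "module" }
        $0 == ("# " opt " is not set") { s = "disabled" }
        END { print (s == "" ? "absent" : s) }'
}

# Summarise the MEI options relevant to the GSC firmware-update path.
mei_report() {
    for opt in CONFIG_INTEL_MEI CONFIG_INTEL_MEI_ME CONFIG_INTEL_MEI_GSC; do
        printf '%s %s\n' "$opt" "$(kconfig_state "$opt" "$1")"
    done
}

# Constructed sample config; not copied from any real Qubes kernel.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MEI_ME=m
# CONFIG_INTEL_MEI_GSC is not set
EOF

mei_report "$SAMPLE"

# On a live system (path is an assumption about where the distribution
# installs the config): mei_report "/boot/config-$(uname -r)"
```

A result of `disabled` or `absent` for `CONFIG_INTEL_MEI_GSC` means the mei-gsc module was not built for that kernel; `module` only means it is available, not that it is loaded.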
@andrewdavidwong andrewdavidwong added the R: not applicable E.g., help/support requests, questions, discussions, "not a bug," not enough info, not actionable. label Jul 22, 2024

This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.

If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.
