Intel graphic card firmware updates broken due to Intel ME kernel modules disabling in Qubes

[adrelanos]

Qubes OS release

R4.1

Brief summary

Intel graphics card firmware updates likely broken by Qubes.

Steps to reproduce

Unknown.

Expected behavior

Intel graphics card firmware update should be functional or at least likely functional.

Actual behavior

Intel graphics card firmware update unknown if functional and likely broken by Qubes.

Technical explanation

#3916 and Qubes kernel config show Intel ME related kernel modules as disabled / not compiled in.

Here is quote about the mei-gsc kernel module from https://cateee.net/lkddb/web-lkddb/INTEL_MEI_GSC.html

An MEI device here called GSC can be embedded in an Intel graphics devices, to support a range of chassis tasks such as graphics card firmware update and security tasks.

This means by messing with Intel ME kernel modules, Qubes might break the Intel graphic card firmware update mechanism (which I did not look up yet how that works).

The existence of https://github.com/3mdeb/qubes-fwupd and #8813 implies that Qubes wants to support firmware updates from Qubes dom0.

Security enthusiasts, myself included, don't like Intel ME, a whole operating system running inside the CPU because it is a security risk. Therefore it might be tempting to put a big hammer on anything Intel ME related such as Intel ME kernel modules for activist reasons. These reasons however might not be sound security practices. Qubes also installs Intel / AMD microcode by default, which is proprietary, and where one also needs to blindly hope everything will be OK.

Note, that Intel ME kernel module disabling does nothing about Intel ME running directly inside the CPU.

Therefore, unfortunately, it must be reconsidered if disabling Intel ME kernel modules in Qubes is a good idea as kernel documentation implies that not using that module makes Intel graphic card firmware updates impossible.

[marmarek]

Qubes is not disabling any ME kernel modules. There is a QubesOS/qubes-linux-kernel#705 that is only slightly related, but it's still not merged as I'm still not convinced it won't have negative side effects similar to what you describe here.

[github-actions]

This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:

• Help and support requests (please see Help, support, mailing lists, and forum)
• Questions (please see Help, support, mailing lists, and forum)
• Discussion issues (please see Help, support, mailing lists, and forum)
• Bug reports for behavior that is already working as intended
• Enhancement requests to improve things that are already working as intended
• Issues that rest on mistaken assumptions or misunderstandings
• Issues that do not provide enough information
• Issues that are not actionable

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.

If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.