Hi i have a Beelink EQR5 Mini PC, Ryzen 5 5650U. Ii recently installed Ubuntu and it highlighted security issues in the bios including using a PK Test key. I’ve tried resetting it, but it appears the device was shipped with this non secure key.

How do I update the bios and correct this?

Bios version: FP656V507
Bios serial: B56504AG11187

Thanks

    Jpringle4444

    Your BIOS is already up to date and doesn’t need to be updated.

    May I ask what exactly does a security vulnerability refer to?

        9 days later

        support13
        The referred issue seems to be PKfail, as the UEFI BIOS includes AMI Test Key as SecureBoot Platform Key, which are insecure because their private key was leaked. This renders SecureBoot virtually useless and needs to be fixed.

        So I want to ask BeeLink to provide an updated UEFI with secure Platform Key and KEK.

            Hello support13,

            We need an updated UEFI BIOS for the exact same issue. We can’t deploy these EQR Mini PC as kiosks using Intune because the PKfail.

            servger and Jpringle4444 are correct in that the secure keys were either leaked or just test keys which our deployment processes do not recognize as valid anymore. We essentially have 90+ bricks until we update the BIOS on all off them.

            The last update I can find for the model we have is from 12/13/2024. https://dr.bee-link.cn/?dir=uploads%2FEQR%2FBios%2FEQR5

            The model we have is EQR5_D4-L-32500SD0W64PRO-HD/XA
            CPU AMD Ryzen 7 5825U Processor
            One of the devices SN: B58255FG80020

            This was reported almost 2 weeks ago, Has any progress been made for anyone on this issue?

                  FreckleEye
                  Sorry for the late reply. Our R&D personnel need to verify it. If it is a BIOS issue, the BIOS can be updated to solve it. Any updates will be notified to you

                    Thank you for the update!

                    Are we able to get a timeline for R&D? Depending on turn around, our management may decide to return devices and go with a different model or vendor. Main reason for my push to get it resolved ASAP.

                      FreckleEye
                      We are truly sorry. We have inquired with the R&D personnel and it is still under testing. We cannot determine the specific time of the test results either. Sorry again. We will inform you in time if there are any updates.

                        FreckleEye @support13
                        Even though my knowledge about Secure Boot is limited, I think what Beelink needs to do is deploying their own Secure Boot keys. This steps can also be done by customers with the difference that the files are not integrated in a UEFI update image but installed via the UEFI settings.

                        The involved private keys must be stored in a way that ensures that they may never be leaked.
                        If Beelink ship their own keys, they then also are responsible for updating the DB and DBX files whenever it is necessary. These updates don’t have to be in form of UEFI updates and can be distributed as signed files.

                        Some useful documentation:

                            servger
                            Thank you very much for your suggestions and the documents you provided.

                            We will give feedback on the suggestions you put forward to the relevant personnel.

                              4 days later

                              FreckleEye
                              I’m really sorry that this problem has bothered you for so long. The R&D personnel haven’t detected it yet. Thank you again for your patience in waiting.