Model: Beelink GTI14 BIOS Version: GTi14T112 Serial: Ask over PM if required, but it shouldn’t be needed. Issue: I run RHEL 10.1 on this device. Upon logging in I was prompted to update firmware to update SecureBoot certs. It was unable to update SecureBoot certs as update capsules are not enabled. I went to go look for a BIOS setting to enable update capsules but could not find it. Looking further though, I found 2 other things: This device is using the AMI Test platform key which is subject to the PKFAIL vulnerability (CVE-2024-8105). Shipping to consumer devices shouldn’t be using this key as documented by AMI. https://access.redhat.com/security/cve/cve-2024-8105 https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem https://www.ami.com/resource/ami-and-microsoft-announce-patch-for-systems-deployed-with-uefi-test-keys/ This device is using Microsoft’s 2011 SecureBoot certs. These expire in June of 2026 . When this happens, devices with SecureBoot enabled will not be able to boot their OS’s, including the Windows 11 Beelink incudes with their systems. https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856 Solution: Beelink needs to publish updated BIOS that have an updated Platform Key that is not the AMI Test key and that includes the updated Microsoft 2023 CA SecureBoot certs. Failing to do so leaves system vulnerable to CVE-2024-8105 and in June 2026 will cause systems to fail to boot. Thank you.

GTI14 using AMI Test key (PKFAIL) and old Microsoft SecureBoot certs

rmkjr

Model: Beelink GTI14
BIOS Version: GTi14T112
Serial: Ask over PM if required, but it shouldn’t be needed.
Image description

Issue: I run RHEL 10.1 on this device. Upon logging in I was prompted to update firmware to update SecureBoot certs. It was unable to update SecureBoot certs as update capsules are not enabled. I went to go look for a BIOS setting to enable update capsules but could not find it. Looking further though, I found 2 other things:

This device is using the AMI Test platform key which is subject to the PKFAIL vulnerability (CVE-2024-8105). Shipping to consumer devices shouldn’t be using this key as documented by AMI.

This device is using Microsoft’s 2011 SecureBoot certs. These expire in June of 2026. When this happens, devices with SecureBoot enabled will not be able to boot their OS’s, including the Windows 11 Beelink incudes with their systems.
- https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

Solution: Beelink needs to publish updated BIOS that have an updated Platform Key that is not the AMI Test key and that includes the updated Microsoft 2023 CA SecureBoot certs. Failing to do so leaves system vulnerable to CVE-2024-8105 and in June 2026 will cause systems to fail to boot.

Thank you.

Beelink CS-Jane

rmkjr Hi there,apologies for the delay in responding due to the holiday.
We have forwarded this issue to our R&D department. We will keep you updated on any developments.

rmkjr

Beelink CS-Jane
Thank you, and happy new year!

Beelink CS-Jane

rmkjr You are welcome.Thanks for your patience and understanding in advance.