Model: Beelink GTI14 BIOS Version: GTi14T112 Serial: Ask over PM if required, but it shouldn’t be needed. Issue: I run RHEL 10.1 on this device. Upon logging in I was prompted to update firmware to update SecureBoot certs. It was unable to update SecureBoot certs as update capsules are not enabled. I went to go look for a BIOS setting to enable update capsules but could not find it. Looking further though, I found 2 other things: This device is using the AMI Test platform key which is subject to the PKFAIL vulnerability (CVE-2024-8105). Shipping to consumer devices shouldn’t be using this key as documented by AMI. https://access.redhat.com/security/cve/cve-2024-8105 https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem https://www.ami.com/resource/ami-and-microsoft-announce-patch-for-systems-deployed-with-uefi-test-keys/ This device is using Microsoft’s 2011 SecureBoot certs. These expire in June of 2026 . When this happens, devices with SecureBoot enabled will not be able to boot their OS’s, including the Windows 11 Beelink incudes with their systems. https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856 Solution: Beelink needs to publish updated BIOS that have an updated Platform Key that is not the AMI Test key and that includes the updated Microsoft 2023 CA SecureBoot certs. Failing to do so leaves system vulnerable to CVE-2024-8105 and in June 2026 will cause systems to fail to boot. Thank you.

GTI14 using AMI Test key (PKFAIL) and old Microsoft SecureBoot certs

rmkjr

Model: Beelink GTI14
BIOS Version: GTi14T112
Serial: Ask over PM if required, but it shouldn’t be needed.

Issue: I run RHEL 10.1 on this device. Upon logging in I was prompted to update firmware to update SecureBoot certs. It was unable to update SecureBoot certs as update capsules are not enabled. I went to go look for a BIOS setting to enable update capsules but could not find it. Looking further though, I found 2 other things:

This device is using the AMI Test platform key which is subject to the PKFAIL vulnerability (CVE-2024-8105). Shipping to consumer devices shouldn’t be using this key as documented by AMI.

This device is using Microsoft’s 2011 SecureBoot certs. These expire in June of 2026. When this happens, devices with SecureBoot enabled will not be able to boot their OS’s, including the Windows 11 Beelink incudes with their systems.
- https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

Solution: Beelink needs to publish updated BIOS that have an updated Platform Key that is not the AMI Test key and that includes the updated Microsoft 2023 CA SecureBoot certs. Failing to do so leaves system vulnerable to CVE-2024-8105 and in June 2026 will cause systems to fail to boot.

Thank you.

Beelink CS-Jane

rmkjr Hi there,apologies for the delay in responding due to the holiday.
We have forwarded this issue to our R&D department. We will keep you updated on any developments.

Beelink CS-June

rmkjr

Hello there,

I have sent you the new BIOS file to solve tthe problem, please check your PM.

Have a nice day~

rmkjr

Beelink CS-Jane
Thank you, and happy new year!

Beelink CS-Jane

rmkjr You are welcome.Thanks for your patience and understanding in advance.

rmkjr

Thank you Beelink! The new BIOS update added the new 2023 keys. The only change I had to do at the end of the provided documentation was to reset factory secure boot keys at the end to get the 2023 key to show up. Everything else worked perfectly. Thank you for getting this done before the June date!

Beelink CS-Jane

rmkjr Hi there,
You are welcome.Thanks for your feedback!