Disabled USB Boot can easily be bypassed #89

@marten713

Device Information

System Model or SKU

  • Framework Laptop 13 (11th Gen Intel® Core™)
  • Framework Laptop 13 (12th Gen Intel® Core™)
  • Framework Laptop 13 (13th Gen Intel® Core™)
  • Framework Laptop 13 (AMD Ryzen™ 7040 Series)
  • Framework Laptop 13 (Intel® Core™ Ultra Series 1)
  • Framework Laptop 16 (AMD Ryzen™ 7040 Series)

Probably this applies to other Framework Series as well, but I was only able to test with these models.

BIOS VERSION

13th Gen Intel: 03.08
AMD Ryzen 7040: 03.09
Intel Core Ultra 1: 03.04 (I know updates are available; I just didn't have the time yet)

DIY Edition information

Memory: Crucial Technology (if SKU is really of interest for this let me know and I will look it up)
Storage: Western Digital (same, if SKU is of interest I'll look it up)

Standalone Operation

Are you running your mainboard as a standalone device? Is standalone mode enabled in the BIOS?

  • Yes
  • No

Describe the bug

After disabling the option USB Boot in the BIOS/UEFI setup I am still able to easily boot from a USB stick via the Boot From File option.

The USB stick does not get shown in the boot manager menu anymore but this can be bypassed.

Steps To Reproduce

I'm using a USB drive with a Debian 13 live ISO so I guess steps 5 to 8 may vary depending on the image one uses.

  1. Make sure USB Boot is disabled in UEFI (UEFI -> Boot -> USB Boot -> disabled)
  2. Plug in a bootable USB drive
  3. Boot notebook and press F2
  4. In the menu select Boot From File
  5. In the File Explorer select the volume that says something like PciRoot(0x0)/Pci(0xD,0x0)/USB... (in my case it is listed as the first volume)
  6. Select <EFI>
  7. Select <boot>
  8. Select bootx64.efi or grubx64.efi
  9. Now the boot process starts

Expected behavior

My expectation is that when the option USB Boot is disabled it should be impossible to boot from a USB device (at least as long as one cannot provide the UEFI administrator password).

Screenshots

Let me know if pictures would be of any help.

Operating System (please complete the following information):

This happens before the OS gets involved.

Additional context

-/-
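
The expected behavior described in this issue, modelled as an added example (not part of the original report and not Framework's firmware code): the USB Boot setting is checked against the device path of the image being loaded, so the result is the same whether the image was chosen from the boot menu or through Boot From File. The function names and sample device paths are constructed for illustration; the node names follow the UEFI text device-path form.

```python
import re

# Text device-path node names that indicate a USB transport (UEFI text form).
USB_NODE_NAMES = {"usb", "usbclass", "usbwwid"}
NODE_RE = re.compile(r"^([A-Za-z0-9]+)\((.*)\)$")


def split_nodes(device_path):
    """Split a text device path on '/' separators that sit outside parentheses."""
    nodes, current, depth = [], [], 0
    for ch in device_path:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "/" and depth == 0:
            nodes.append("".join(current))
            current = []
        else:
            current.append(ch)
    nodes.append("".join(current))
    return [n for n in nodes if n]


def is_usb_backed(device_path):
    """True if any node in the path is a USB messaging node."""
    for node in split_nodes(device_path):
        match = NODE_RE.match(node)
        if match and match.group(1).lower() in USB_NODE_NAMES:
            return True
    return False


def load_allowed(device_path, usb_boot_enabled):
    """Policy gate evaluated when an image is loaded, whatever menu selected it."""
    return usb_boot_enabled or not is_usb_backed(device_path)


# Constructed sample paths (hypothetical values, not taken from the report).
USB_IMAGE = r"PciRoot(0x0)/Pci(0x14,0x0)/USB(0x2,0x0)/HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/\EFI\boot\bootx64.efi"
NVME_IMAGE = r"PciRoot(0x0)/Pci(0x6,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,GPT,66666666-7777-8888-9999-aaaaaaaaaaaa,0x800,0x100000)/\EFI\debian\shimx64.efi"

if __name__ == "__main__":
    for path in (USB_IMAGE, NVME_IMAGE):
        verdict = "allow" if load_allowed(path, usb_boot_enabled=False) else "deny"
        print(verdict, path)
```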
