Quite the hilarious "security advisory" [0] that Lenovo put out. They manage to take zero responsibility, shift blame to the researcher/IBV/Intel, and admit that they ship SMM code of both unknown author and purpose.
> and admit that they ship code of both unknown author and purpose.
That's literally what every vendor does nowadays. Do you think LG can get the code for the firmware of the SoCs they use in their phones? Do you think the coreboot guys can get the source for the Intel Management Engine firmware? Do you think any of the firmware in your system comes from your OEM and is secure?
This is a failure in the entire industry, and it's getting worse every day.
The proper solution would be simple, too: Allow everything to be flashed with custom software, but allow the user to set a cryptographic key with which updates have to be signed. By default, the system could accept the OEM key, the user could lock it further down.
Provides additional security for corporations and nerds, provides additional flexibility, provides the ability to modify the firmware.
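
The update policy proposed in the comment above, sketched in Go as an added example (not part of the thread and not any vendor's firmware code). `TrustStore`, `EnrollUserKey`, `VerifyUpdate` and `Demo` are hypothetical names, Ed25519 is an assumed signature scheme, and the image bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TrustStore is a hypothetical model of the keys a device accepts for updates.
type TrustStore struct {
	oem, user  ed25519.PublicKey // user is nil until the owner enrolls a key
	oemAllowed bool
}

// EnrollUserKey adds the owner's key; lockDown drops trust in the OEM key.
func (t *TrustStore) EnrollUserKey(pub ed25519.PublicKey, lockDown bool) {
	t.user, t.oemAllowed = pub, !lockDown
}

// VerifyUpdate names the key that authorised the image, or returns an error.
func (t *TrustStore) VerifyUpdate(image, sig []byte) (string, error) {
	if t.user != nil && ed25519.Verify(t.user, image, sig) {
		return "user", nil
	}
	if t.oemAllowed && ed25519.Verify(t.oem, image, sig) {
		return "oem", nil
	}
	return "", errors.New("update not signed by a trusted key")
}

// Demo runs the policy over constructed sample data and records each outcome.
func Demo() []string {
	oemPub, oemPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image")
	oemSig, userSig := ed25519.Sign(oemPriv, image), ed25519.Sign(userPriv, image)
	ts := &TrustStore{oem: oemPub, oemAllowed: true} // factory default: OEM key only
	try := func(img, sig []byte) string {
		if who, err := ts.VerifyUpdate(img, sig); err == nil {
			return who
		}
		return "rejected"
	}
	before := []string{try(image, oemSig), try(image, userSig)} // user key not enrolled
	ts.EnrollUserKey(userPub, true)                             // owner locks down
	tampered := append([]byte("x"), image...)
	return append(before, try(image, oemSig), try(image, userSig), try(tampered, userSig))
}
func main() { fmt.Println(Demo()) }
```

After lock-down the OEM-signed image is refused even though its signature is valid, which is the property the comment asks for.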
That's going to get complicated for network interactions and legislative bodies. Two examples come to mind.
First is the FCC vs Wi-Fi channel selection in firmware. They want the choice to interfere to be removed from the user on this occasion.
Second is cell carriers are not wild about unknown basebands conversing with their networks. In theory the network should defend against bad phones but they'd rather not test that.
THERE IS NO SECURITY FOR THE HARDWARE OR SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
SHOULD THE HARDWARE OR SOFTWARE BE COMPROMISED, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
[0] https://support.lenovo.com/us/en/solutions/LEN-8324