Support for /sys/class/dmi/id/product_uuid #268

Open
iansltx opened this issue Dec 29, 2021 · 15 comments

@iansltx

iansltx commented Dec 29, 2021

Trying to use osquery (as part of Vanta Agent) and they need this file to exist and be populated. With open firmware, the file doesn't exist at this point, and the machine in question doesn't seem to have a proprietary firmware equivalent to work with (lemp10).

Happy to hack on this, but not sure where to start.

@crawfxrd
Member

Why? What does Vanta use the UUID for?

Set by smbios_system_set_uuid() in coreboot.

@iansltx
Author

iansltx commented Dec 29, 2021

Unique device ID for asset management, more or less. Standard compliance stuff.

@iansltx
Author

iansltx commented Dec 30, 2021

Same problem, different vendor (also using coreboot), slightly different application: https://forums.puri.sm/t/coreboot-populating-sys-class-dmi-id-product-uuid/7506

@iansltx
Author

iansltx commented Feb 3, 2022

Apologies for bumping this without much info, but looks like we can't use a kernel module to get around this, and I'm getting flak on allowing new hires to spec System76 machines until this gets fixed, as anything they pick is likely Open Firmware only at this point and other vendors' firmware includes the entry :/

@frankk74

frankk74 commented Feb 22, 2022

This might or might not be a related issue:

acidanthera/bugtracker#711

Seems this might be a build issue?

Same issue from corporate. If we can't track it.

@crawfxrd
Member

crawfxrd commented Jun 8, 2022

3mdeb's solution for Dasharo: https://review.coreboot.org/c/coreboot/+/64639

@antonshmakov

Any way the solution above is applicable to original problem? Having the exact same issue -- trying to activate Vanta Agent on Lemur Pro (lemp11)

@colinbird

Also having this issue on brand new Gazelle

@allan-simon

same issue here with the gazelle and vanta

@allan-simon

allan-simon commented Jan 31, 2023

seems it's about implementing the method smbios_system_set_uuid in https://github.com/system76/coreboot/

with something like

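```c
#include <string.h>

/* Copy a 16-byte UUID into the SMBIOS buffer; the constant is a placeholder. */
void smbios_system_set_uuid(u8 *uuid)
{
	memcpy(uuid, UUID_DEFINED_BY_A_COMPILER_CONSTANT, 16);
}
```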

@scottbisker

Having a similar issue on an oryx pro 10 as well.

@fetherolfjd

fetherolfjd commented May 1, 2023

Just ran into this as well attempting to install the Vanta agent on Oryx Pro.

@crawfxrd
Member

system76/coreboot#182 will enable support for reading it from a CBFS file. firmware-update will then need to be updated to either copy it from the current firmware, or generate it if it doesn't exist, and then inject it into the new firmware image before flashing it.
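For the "generate it if it doesn't exist" step described above, a sketch of the byte handling (an added example, not code from this thread, System76 or coreboot): it stamps 16 random bytes as a version 4 UUID, converts between string order and SMBIOS table order, and rejects the all-0x00 and all-0xFF values that the SMBIOS specification defines as "not present". The function names are hypothetical, and it assumes SMBIOS 2.6 or later, caller-supplied CSPRNG bytes, and that `smbios_system_set_uuid()` receives the raw table-order bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMBIOS treats an all-0x00 or all-0xFF UUID field as "not present". */
int smbios_uuid_unset(const uint8_t u[16])
{
	static const uint8_t zero[16] = { 0 };
	uint8_t ones[16];
	memset(ones, 0xFF, sizeof(ones));
	return !memcmp(u, zero, 16) || !memcmp(u, ones, 16);
}

/* Turn 16 CSPRNG bytes into an RFC 4122 version 4 UUID, in place. */
void uuid_v4_stamp(uint8_t u[16])
{
	u[6] = (u[6] & 0x0F) | 0x40; /* version 4 */
	u[8] = (u[8] & 0x3F) | 0x80; /* RFC 4122 variant */
}

/* SMBIOS 2.6+ stores the first three fields little-endian; swap is its own inverse. */
void uuid_swap_smbios(const uint8_t in[16], uint8_t out[16])
{
	static const uint8_t map[16] = { 3,2,1,0, 5,4, 7,6, 8,9,10,11,12,13,14,15 };
	for (int i = 0; i < 16; i++)
		out[i] = in[map[i]];
}

/* Render raw table bytes as the canonical string; -1 if the field is unset. */
int smbios_uuid_to_string(const uint8_t wire[16], char out[37])
{
	uint8_t b[16];
	if (smbios_uuid_unset(wire))
		return -1;
	uuid_swap_smbios(wire, b);
	snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
		 "%02x%02x%02x%02x%02x%02x", b[0], b[1], b[2], b[3], b[4], b[5],
		 b[6], b[7], b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15]);
	return 0;
}

int main(void)
{
	/* Constructed raw table bytes, not taken from any real machine. */
	const uint8_t wire[16] = { 0x33, 0x22, 0x11, 0x00, 0x55, 0x44, 0x77, 0x46,
				   0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
	char s[37];
	return smbios_uuid_to_string(wire, s) == 0 ? puts(s) == EOF : 1;
}
```

A UUID generated this way has to be carried over on later firmware updates, as the comment above notes, or the asset identifier changes with each flash.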

@tupshin

tupshin commented Oct 3, 2024

This is blocking me from using a System76 laptop with the Vanta agent, needed for HIPAA/SOX compliance. Makes it impossible to use them for corporate/startup activities.

@iansltx
Author

iansltx commented Oct 3, 2024

FWIW it's entirely possible to have an alternative remediation to "our systems all check into Vanta" and still be compliant. We got SOC2 Type II, via Vanta, with multiple System76 boxes, this way. You just have to document your controls. Same with HIPAA (disclosures apply that IANAL but Vanta should tell you the same thing).
