Hello there!
My device security indicates that my hardware does not pass the security checks and that my secure boot is off. Am I running high risk for security breaches? How do I resolve this?
Hello there!
My device security indicates that my hardware does not pass the security checks and that my secure boot is off. Am I running high risk for security breaches? How do I resolve this?
Not unless you're trolling....
<snip OP edited their post>
Can you elaborate on "My device security indicates that my hardware does not pass the security checks and that my secure boot is off."
Last edited by 1fallen; October 11th, 2024 at 12:29 AM.
"When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama
Device Security Report
======================
Report details
Date generated: 2024-10-11 03:20:49
fwupd version: 1.9.24
System details
Hardware model: LENOVO 21HMCTO1WW
Processor: 13th Gen Intel(R) Core(TM) i7-1370P
OS: Ubuntu 24.04.1 LTS
Security level: HSI:3! (v1.9.24)
HSI-1 Tests
UEFI Platform Key: Pass (Valid)
Firmware BIOS Region: Pass (Locked)
UEFI Bootservice Variables: Pass (Locked)
MEI Key Manifest: Pass (Valid)
Intel Management Engine Version: Pass (Valid)
Firmware Write Protection Lock: Pass (Enabled)
Platform Debugging: Pass (Not Enabled)
BIOS Firmware Updates: Pass (Enabled)
Intel Management Engine Manufacturing Mode: Pass (Locked)
UEFI Secure Boot: ! Fail (Not Enabled)
Firmware Write Protection: Pass (Not Enabled)
TPM Platform Configuration: Pass (Valid)
Intel Management Engine Override: Pass (Locked)
TPM v2.0: Pass (Found)
HSI-2 Tests
Platform Debugging: Pass (Locked)
Intel BootGuard ACM Protected: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Intel BootGuard Fuse: Pass (Valid)
BIOS Rollback Protection: Pass (Enabled)
Intel BootGuard Verified Boot: Pass (Valid)
TPM Reconstruction: Pass (Valid)
Intel BootGuard: Pass (Enabled)
HSI-3 Tests
Suspend To RAM: Pass (Not Enabled)
Intel BootGuard Error Policy: Pass (Valid)
Pre-boot DMA Protection: Pass (Enabled)
Control-flow Enforcement Technology: Pass (Supported)
Suspend To Idle: Pass (Enabled)
HSI-4 Tests
Encrypted RAM: ! Fail (Not Enabled)
Supervisor Mode Access Prevention: Pass (Enabled)
Runtime Tests
Linux Kernel Lockdown: ! Fail (Not Enabled)
Firmware Updater Verification: Pass (Not Tainted)
Linux Swap: ! Fail (Not Encrypted)
Linux Kernel Verification: Pass (Not Tainted)
Control-flow Enforcement Technology: Pass (Supported)
I see nothing wrong there. Enabling kernel lockdown mode varies depending on the Linux distribution and version you are using. In general, you can enable kernel lockdown mode by adding the following boot parameter to your kernel command line:
Code:
lockdown=confidentiality
This parameter tells the kernel to enable confidentiality mode, which is the most restrictive level of kernel lockdown. Keep in mind that enabling kernel lockdown mode may cause certain features or applications to stop working, as they may rely on kernel functionality that is restricted by lockdown mode.
And swap is unencrypted (which is the norm on the majority of Linux machines ... We only encrypt swap in possibly highly vulnerable environments, e.g. multi-user machines that may swap sensitive data).
"When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama
1fallen2 is totally right on this.
Think about what you wrote:
Your HARDWARE doesn't pass all those checks. (Most hardware doesn't)
Many hardware fails cannot be "resolved" or "fixed" with software. You bought the hardware that way. Ubuntu didn't create your hardware.
However, many of your specific hardware fails may be due to your configuration choices. For example, it looks like you chose to disable Secure Boot.
Look at each failure.
Can that failure be exploited by a remote attacker? (Rarely. It's much easier for most attackers to use non-hardware vectors.)
Can that failure be mitigated by a different configuration of your firmware? (In your case, several are "yes")
Security is a set of good habits and a willingness to learn.
Security is not the rote of automated tests or magic firewalls.
Last edited by ian-weisser; October 11th, 2024 at 05:51 PM.
These problems are all software related.
It appears you're not booting with secure boot enabled with UEFI. To enable this, you will need to boot from UEFI with secure boot feature enabled from the BIOS. You may also be booting from legacy mode.
https://wiki.ubuntu.com/UEFI/SecureBoot
Your swap could also be encrypted, which you can do to mitigate paged data (data saved to disk that overflows from memory) to an encrypted disk.
Here's a recent complete method to try:
https://techblog.dev/posts/2023/08/e...-resume-linux/
Let me know if you have any more questions about passing your security scan.
Kernel lockdown is perhaps more restriction than you want. I haven't tried it myself, but I believe it will cause many of your applications to have problems. I'm curious now to try it on a virtual machine. I assume it will stop things like virtual machines.
The encrypted RAM feature isn't something I'm familiar with, but with a little searching, I found that people have experimented with encrypted RAM on Linux. I don't know how to configure this.
Edit. I noticed this is a new machine (2023), so the hardware shouldn't fail. I just think your configuration could be different (like BIOS and OS).
Edit. Here's info about the scan for the thread: https://fwupd.github.io/libfwupdplug...l#introduction
Last edited by 0f4d0335; October 11th, 2024 at 05:12 PM.
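As an added example (not code from the thread or from the fwupd project), the script below pulls the failed tests out of a fwupd "Device Security Report" like the one posted above and checks the two settings the replies discuss: the kernel lockdown mode (the `lockdown=` boot parameter and the live state in /sys/kernel/security/lockdown) and the Secure Boot state as reported by `mokutil --sb-state`. The parsing functions take their input as text, so they run against a constructed sample (a subset of the report in this thread); the live checks at the bottom only run when the files or tools exist. The sample report and command-line strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: parse a fwupd security report and the
# kernel lockdown / Secure Boot state. All parsing works on text arguments so
# it can be exercised offline on the constructed sample below.

# Print every test the report marks as failed, as "Section: Test (Result)".
# Report lines look like "UEFI Secure Boot: ! Fail (Not Enabled)"; section
# headers end in "Tests" (HSI-1 Tests ... Runtime Tests).
report_failures() {
    printf '%s\n' "$1" | awk '
        /Tests$/ { section = $0; next }
        /: ! Fail/ {
            split($0, kv, ": ! Fail ")
            printf "%s: %s %s\n", section, kv[1], kv[2]
        }'
}

# Extract the active mode from the sysfs format "[none] integrity confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Return the value of lockdown= on a kernel command line, or "unset" if absent.
cmdline_lockdown() {
    for word in $1; do
        case $word in
            lockdown=*) printf '%s\n' "${word#lockdown=}"; return 0 ;;
        esac
    done
    printf 'unset\n'
}

# Map "mokutil --sb-state" output ("SecureBoot enabled"/"SecureBoot disabled")
# to enabled / disabled / unknown (non-EFI systems print an error instead).
secureboot_state() {
    case $1 in
        *SecureBoot*enabled*)  printf 'enabled\n' ;;
        *SecureBoot*disabled*) printf 'disabled\n' ;;
        *)                     printf 'unknown\n' ;;
    esac
}

# Constructed sample: a subset of the report posted in the thread.
SAMPLE_REPORT=$(cat <<'EOF'
HSI-1 Tests
UEFI Platform Key: Pass (Valid)
UEFI Secure Boot: ! Fail (Not Enabled)
HSI-4 Tests
Encrypted RAM: ! Fail (Not Enabled)
Runtime Tests
Linux Kernel Lockdown: ! Fail (Not Enabled)
Linux Swap: ! Fail (Not Encrypted)
EOF
)

echo "failures in sample report:"
report_failures "$SAMPLE_REPORT"

# Live checks, only where the kernel exposes them or the tool is installed.
if [ -r /sys/kernel/security/lockdown ]; then
    echo "kernel lockdown mode: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
fi
if [ -r /proc/cmdline ]; then
    echo "lockdown= on cmdline: $(cmdline_lockdown "$(cat /proc/cmdline)")"
fi
if command -v mokutil >/dev/null 2>&1; then
    echo "secure boot: $(secureboot_state "$(mokutil --sb-state 2>&1)")"
fi
```

To act on what the script reports on Ubuntu: the `lockdown=` parameter goes into `GRUB_CMDLINE_LINUX_DEFAULT` in /etc/default/grub followed by `sudo update-grub`, and Secure Boot itself is switched in the firmware setup, not from the OS. Ubuntu kernels already switch to the `integrity` lockdown mode on their own when they boot with Secure Boot enabled, so the "Secure Boot" and "Kernel Lockdown" failures in the report tend to clear together; `confidentiality` is the stricter, opt-in step discussed above.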