Results 1 to 7 of 7

Thread: Device Security

  1. #1
    Join Date
    Oct 2024
    Beans
    2

    Device Security

    Hello there!

    My device security indicates that my hardware does not pass the security checks and that my secure boot is off. Am I running high risk for security breaches? How do I resolve this?


  2. #2
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Device Security

    Not unless your trolling....
    <snip OP edited their post>
    Can you elaborate on "My device security indicates that my hardware does not pass the security checks and that my secure boot is off."
    Last edited by 1fallen; October 11th, 2024 at 12:29 AM.
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama

  3. #3
    Join Date
    Oct 2024
    Beans
    2

    Re: Device Security

    Device Security Report
    ======================


    Report details
    Date generated: 2024-10-11 03:20:49
    fwupd version: 1.9.24


    System details
    Hardware model: LENOVO 21HMCTO1WW
    Processor: 13th Gen Intel(R) Core(TM) i7-1370P
    OS: Ubuntu 24.04.1 LTS
    Security level: HSI:3! (v1.9.24)


    HSI-1 Tests
    UEFI Platform Key: Pass (Valid)
    Firmware BIOS Region: Pass (Locked)
    UEFI Bootservice Variables: Pass (Locked)
    MEI Key Manifest: Pass (Valid)
    Intel Management Engine Version: Pass (Valid)
    Firmware Write Protection Lock: Pass (Enabled)
    Platform Debugging: Pass (Not Enabled)
    BIOS Firmware Updates: Pass (Enabled)
    Intel Management Engine Manufacturing Mode: Pass (Locked)
    UEFI Secure Boot: ! Fail (Not Enabled)
    Firmware Write Protection: Pass (Not Enabled)
    TPM Platform Configuration: Pass (Valid)
    Intel Management Engine Override: Pass (Locked)
    TPM v2.0: Pass (Found)


    HSI-2 Tests
    Platform Debugging: Pass (Locked)
    Intel BootGuard ACM Protected: Pass (Valid)
    IOMMU Protection: Pass (Enabled)
    Intel BootGuard Fuse: Pass (Valid)
    BIOS Rollback Protection: Pass (Enabled)
    Intel BootGuard Verified Boot: Pass (Valid)
    TPM Reconstruction: Pass (Valid)
    Intel BootGuard: Pass (Enabled)


    HSI-3 Tests
    Suspend To RAM: Pass (Not Enabled)
    Intel BootGuard Error Policy: Pass (Valid)
    Pre-boot DMA Protection: Pass (Enabled)
    Control-flow Enforcement Technology: Pass (Supported)
    Suspend To Idle: Pass (Enabled)


    HSI-4 Tests
    Encrypted RAM: ! Fail (Not Enabled)
    Supervisor Mode Access Prevention: Pass (Enabled)


    Runtime Tests
    Linux Kernel Lockdown: ! Fail (Not Enabled)
    Firmware Updater Verification: Pass (Not Tainted)
    Linux Swap: ! Fail (Not Encrypted)
    Linux Kernel Verification: Pass (Not Tainted)
    Control-flow Enforcement Technology: Pass (Supported)

  4. #4
    Join Date
    May 2018
    Location
    Here and There
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Device Security

    I see nothing wrong there. enabling kernel lockdown mode varies depending on the Linux distribution and version you are using. In general, you can enable kernel lockdown mode by adding the following boot parameter to your kernel command line:
    Code:
    lockdown=confidentiality
    This parameter tells the kernel to enable confidentiality mode, which is the most restrictive level of kernel lockdown. Keep in mind that enabling kernel lockdown mode may cause certain features or applications to stop working, as they may rely on kernel functionality that is restricted by lockdown mode.
    And swap is unencrypted(which is the norm on the majority of Linux machines ... We only encrypt swap in possibly highly vulnerable environments e.g. multi-user machines that may swap sensitive data)
    "When you practice gratefulness, there is a sense of respect toward others." >>Dalai Lama

  5. #5
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    5,035

    Re: Device Security

    1fallen2 is totally right on on this.

    Think about what you wrote:

    Your HARDWARE doesn't pass all those checks. (Most hardware doesn't)
    Many hardware fails cannot be "resolved" or "fixed" with software. You bought the hardware that way. Ubuntu didn't create your hardware.
    However, many of your specific hardware fails maybe due to your configuration choices. For example, looks like your chose to disable Secure Boot.

    Look at each failure.
    Can that failure be exploited by a remote attacker? (Rarely, It's much easier for most attackers to use non-hardware vectors.)
    Can that failure be mitigated by a different configuration of your firmware? (In your case, several are "yes")


    Security is a set of good habits and a willingness to learn.
    Security is not the rote of automated tests or magic firewalls.
    Last edited by ian-weisser; October 11th, 2024 at 05:51 PM.

  6. #6
    Join Date
    Sep 2007
    Beans
    Hidden!
    Distro
    Ubuntu Mate 24.04 Noble Numbat

    Re: Device Security

    Quote Originally Posted by ian-weisser View Post
    Security is a set of good habits and a willingness to learn.
    That^^^

    This can and should be applied to so many things in life.
    UP THE IRONS!

  7. #7
    Join Date
    Jun 2024
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Device Security

    These problems are all software related.

    It appears you're not booting with secure boot enabled with UEFI. To enable this, you will need to boot from UEFI with secure boot feature enabled from the BIOS. You may also be booting from legacy mode.

    https://wiki.ubuntu.com/UEFI/SecureBoot

    Your swap could also be encrypted, which you can do to mitigate paged data (data saved to disk that overflows from memory) to an encrypted disk.

    Here's a recent complete method to try:

    https://techblog.dev/posts/2023/08/e...-resume-linux/

    Let me know if you have anymore questions about passing your security scan.

    Kernel lockdown is perhaps too much restriction than you want. I haven't tried it myself, but I believe it will cause many of your applications to have problems. I'm curious now to try it on a virtual machine. I assume it will stop things like virtual machines.

    The encrypted RAM feature isn't something I'm familiar with, but a little searching, I found that people have experimented with encrypted RAM on Linux. I don't know how to configure this.

    Edit. I noticed this is a new machine (2023), so the hardware shouldn't fail. I just think your configuration could be different (like BIOS and OS).

    Edit. Here's info about the scan for the thread: https://fwupd.github.io/libfwupdplug...l#introduction
    Last edited by 0f4d0335; October 11th, 2024 at 05:12 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •