Score:2

security check fails. Is this OK?

Device Security Report
======================

Report details
  Date generated:                                  2023-06-03 10:15:33
  fwupd version:                                   1.8.12

System details
  Hardware model:                                  LENOVO 81DE
  Processor:                                       Intel(R) Core(TM) i3-7020U CPU @ 2.30GHz
  OS:                                              Ubuntu 23.04
  Security level:                                  HSI:0! (v1.8.12)

HSI-1 Tests
  Intel Management Engine Version:               ! Fail (Not Valid)
  UEFI Platform Key:                               Pass (Valid)
  TPM v2.0:                                        Pass (Found)
  Firmware BIOS Region:                            Pass (Locked)
  Firmware Write Protection Lock:                  Pass (Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  Intel Management Engine Manufacturing Mode:      Pass (Locked)
  UEFI Secure Boot:                                Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  Intel Management Engine Override:                Pass (Locked)
  TPM Platform Configuration:                      Pass (Valid)

HSI-2 Tests
  Intel BootGuard Fuse:                            Pass (Valid)
  Intel BootGuard Verified Boot:                 ! Fail (Not Valid)
  Intel BootGuard ACM Protected:                 ! Fail (Not Valid)
  Intel BootGuard:                                 Pass (Enabled)
  IOMMU Protection:                              ! Fail (Not Found)
  TPM Reconstruction:                              Pass (Valid)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Suspend To RAM:                                ! Fail (Enabled)
  Intel BootGuard Error Policy:                  ! Fail (Not Valid)
  Pre-boot DMA Protection:                       ! Fail (Not Enabled)
  Intel CET:                                     ! Fail (Not Supported)
  Suspend To Idle:                               ! Fail (Not Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Intel SMAP:                                      Pass (Enabled)

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                    ! Fail (Not Encrypted)
  Linux Kernel Lockdown:                           Pass (Enabled)
  Linux Kernel Verification:                       Pass (Not Tainted)

Host security events

For information on the contents of this report, see https://fwupd.github.io/hsi.html
Artur Meinild:
Define "OK". This is entirely subjective.
Score:10

These are UEFI/BIOS-reported configurations/settings that differ based on hardware support, and not much can be done about them from within Ubuntu (apart from updating your UEFI/BIOS firmware) ... These are also the kind of information that would be listed in the extended product specifications of your machine ... The operating system type has little to sometimes no effect on how those are reported by the UEFI/BIOS.

That report is the result of a security assessment by the fwupdmgr security tool ... It classifies a machine (based on how the UEFI/BIOS reports its hardware/firmware components) and, as stated in Verifying Host Firmware Security:

To start out some core protections must be assigned a relative importance.

The above-mentioned relativity can and does change from one version to the next, and as a result the security class might be upgraded or downgraded.

Then an evaluation must be done to determine how each vendor is conforming to the model.

The report you see is the result of the above two procedures.

And should be parsed/read in the stated context:

For instance, a user might say that for home use any hardware the bare minimum security level (HSI:1) is good enough. For a work laptop the company IT department might restrict the choice of models to anything meeting the criteria of level HSI:2 or above. A journalist or a security researcher would only buy level HSI:3 and above.

And, as a mostly non-technical side effect:

The reality is that HSI:4 is going to be more expensive than some unbranded hardware that is rated HSI:0.

even if that unbranded/unreported hardware is of high quality and may satisfy high security requirements.

However, there are conditions and limitations as also stated:

To be trusted, this rating information should be distributed in a centralized agnostic database such as the LVFS.

Not all vendors support LVFS (Linux Vendor Firmware Service), not all those who support it do so for all their products, and not all of the latter do so in a timely manner.

In addition Runtime Behavior is also taken into consideration in that security assessment process.

That said, back to your question:

security check fails. Is this OK?

As far as Runtime Behavior goes, the only reported Fail is:

Linux Swap:                                    ! Fail (Not Encrypted)

Which is in fact based on the swap being unencrypted (which is the norm on the majority of Linux machines ... We only encrypt swap in possibly highly vulnerable environments, e.g. multi-user machines that may swap sensitive data) ... So, decide for yourself whether that is okay, or encrypt your swap.

As far as security levels go, you need to first decide which security level you aim for and then read the report accordingly ... For example, if your aim is a security level of HSI:1 (Critical State), which is described as:

Basic protection but any failure would lead to a critical security impact.

This security level corresponds to the most basic of security protections considered essential by security professionals. Any failures at this level would have critical security impact and could likely be used to compromise the system firmware without physical access.

Then, looking at the relevant part (under HSI-1 Tests) of your report shows that the only reported Fail entry is:

Intel Management Engine Version:               ! Fail (Not Valid)   

The reason appears to be either an unsupported motherboard/CPU main chip (which is unlikely given your specifications) or an outdated version of the Intel Management Engine, which can mean a mismatch between the installed version and the one recently updated at LVFS. As described in Intel Management Engine (CSME) version is invalid, this can be a result of the cached LVFS data on your system, which can be solved by forcefully refreshing your local copy with:

fwupdmgr refresh --force

and upgrading your firmware afterwards with:

fwupdmgr update

Apart from that, any failure at higher security levels than your aim should be irrelevant as far as security ranking goes.

Probably, worth noting as well that if you disable some UEFI/BIOS features like Secure Boot for instance and install some needed proprietary driver, both of these will be reported as a Fail and will lower your machine’s security classification … So, even in that sense, I guess that sometimes "Success is not built on success. It’s built on failure."

However, these ratings are, certainly, not targeted at advanced users, but, as it seems, rather at the majority of basic-level users, and even then some of us (@Austin Hemmelgarn and others, myself included) might prefer to call it an informative security guideline rather than a strict ranking system … Useful nonetheless, but one ought to keep in mind the basis for this security ranking system, made clear by this statement from the official documentation which I had already quoted above and which reads:

... considered essential by security professionals.
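As an added illustration of reading the report against a chosen target level (example code written for this page, not part of fwupd and not from the answer above): the script below parses the plain-text layout that fwupdmgr security prints, as pasted in the question, groups each test under its HSI level, and lists the failures that stand between the machine and a given target, keeping the Runtime failures separate because they apply regardless of level. The embedded abridged copy of the report is constructed sample input, the section and line patterns are taken from the report text rather than from any fwupd API, and the rule that a level counts only when every test at it and below passes is an assumption based on the HSI documentation.

```python
import re
from collections import namedtuple

# Constructed sample: an abridged copy of the report pasted in the question.
SAMPLE_REPORT = """\
System details
  Security level:                                  HSI:0! (v1.8.12)

HSI-1 Tests
  Intel Management Engine Version:               ! Fail (Not Valid)
  UEFI Platform Key:                               Pass (Valid)
  TPM v2.0:                                        Pass (Found)
  UEFI Secure Boot:                                Pass (Enabled)

HSI-2 Tests
  Intel BootGuard Fuse:                            Pass (Valid)
  Intel BootGuard Verified Boot:                 ! Fail (Not Valid)
  IOMMU Protection:                              ! Fail (Not Found)

HSI-3 Tests
  Suspend To RAM:                                ! Fail (Enabled)
  Pre-boot DMA Protection:                       ! Fail (Not Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Intel SMAP:                                      Pass (Enabled)

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                    ! Fail (Not Encrypted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events
"""

# Unindented lines are block headers; only the test sections are kept.
SECTION_RE = re.compile(r"^(HSI-\d Tests|Runtime Tests)$")
# "  <name>:   [! ]Pass|Fail (<detail>)"; the "!" marks a failure in the report.
TEST_RE = re.compile(r"^\s{2}(?P<name>.+?):\s+(?:!\s+)?(?P<result>Pass|Fail)\s+\((?P<detail>[^)]*)\)\s*$")
TestResult = namedtuple("TestResult", "section name passed detail")


def parse_report(text):
    """Return the test lines of a fwupdmgr security report as TestResult tuples."""
    results, section = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None  # non-test headers end a section
            continue
        m = TEST_RE.match(line) if section else None
        if m:
            results.append(TestResult(section, m.group("name"),
                                      m.group("result") == "Pass", m.group("detail")))
    return results


def level_of(section):
    """HSI level number of a section, or None for the Runtime section."""
    m = re.match(r"HSI-(\d) Tests$", section)
    return int(m.group(1)) if m else None


def failures_by_level(results):
    """Map level (None = runtime) to its failed tests, in report order."""
    fails = {}
    for r in results:
        if not r.passed:
            fails.setdefault(level_of(r.section), []).append(r)
    return fails


def achieved_level(results):
    """Highest n with every HSI-1..HSI-n test passing; 0 if an HSI-1 test failed.
    Assumed rule (per the HSI documentation): a level also requires all lower ones."""
    fails = failures_by_level(results)
    levels = sorted(l for l in {level_of(r.section) for r in results} if l is not None)
    achieved = 0
    for n in levels:
        if fails.get(n):
            break
        achieved = n
    return achieved


def is_ok_for(results, target):
    """Failures blocking a chosen target level, and runtime failures that apply regardless."""
    fails = failures_by_level(results)
    blocking = [r for n in range(1, target + 1) for r in fails.get(n, [])]
    return blocking, fails.get(None, [])


if __name__ == "__main__":
    results = parse_report(SAMPLE_REPORT)
    print(f"achieved level: HSI:{achieved_level(results)}")
    for target in (1, 2, 3):
        blocking, _ = is_ok_for(results, target)
        names = "; ".join(f"{r.name} ({r.detail})" for r in blocking)
        print(f"target HSI:{target}: {'OK' if not blocking else 'NOT OK'} {names}")
    runtime = failures_by_level(results).get(None, [])
    print("runtime:", "; ".join(f"{r.name} ({r.detail})" for r in runtime))
```

Run as-is it evaluates the embedded sample; to check a live machine, feed the output of fwupdmgr security to parse_report instead of SAMPLE_REPORT. On the sample, a target of HSI:1 is blocked only by the Management Engine version line, which is exactly the reading the answer walks through.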

Austin Hemmelgarn:
It’s worth also pointing out that the various HSI ratings also assume a particular threat model that does not always match up for any given user. For example, I would consider a working IOMMU to be part of the most basic required security for a system that may have untrusted peripherals connected (such as most laptops), but not a system with strict physical security controls in place (such as most servers).
Raffa:
@AustinHemmelgarn I totally agree with you ... The ratings are, certainly, not targeted at advanced users, but, as it seems, rather at the majority of basic-level users, and even then I might call it an informative security guideline rather than a strict ranking system ... However, that is my opinion and obviously yours based on what we know, but it turns out users like it, as it might give them a sense of security that is more or less based on the "opinions of the field experts".
Austin Hemmelgarn:
Indeed, experience has simply taught me that any discussion of standardized security ‘levels’ (be it this, or PCI DSS, or some FIPS standard, or something else) should have a disclaimer like that. I’ve seen far too many people blindly trusting that some security standard they read about is a one-size-fits-all silver bullet solution to all their security woes to consider such discussions responsible without mentioning it (that said, this is still an excellent answer, even without such a disclaimer).
Raffa:
@AustinHemmelgarn You are such a convincing man! … And you are right.