Device security reports "checks failed" even achiving HSI:3
Bug #2039314 reported by
Marcos Alano
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnome-control-center (Ubuntu) |
Expired
|
Low
|
Unassigned |
Bug Description
If I execute "fwupdmgr security", I get the information that my device complies with HSI:3, but even then the Privacy > Device Security on GNOME Control Center reports "Failed Checks".
affects: | ubuntu → gnome-control-center (Ubuntu) |
To post a comment you must log in.
This is the exit of the command. SecureBoot isn't actived, but the checks are valid if "Runtime Suffix" verifications are true?
➜ fwupdmgr security
Host Security ID: HSI:3! (v1.9.5)
HSI-1
✔ MEI key manifest: Valid
✔ Platform debugging: Disabled
✔ SPI BIOS region: Locked
✔ SPI lock: Enabled
✔ SPI write: Disabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ csme manufacturing mode: Locked
✔ csme override: Locked
✔ csme v0:15.0.45.2411: Valid
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Intel BootGuard: Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse: Valid
✔ Intel BootGuard verified boot: Valid
✔ Intel GDS mitigation: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
HSI-3
✔ Intel BootGuard error policy: Valid
✔ Intel CET Enabled: Enabled
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Intel CET Active: Not supported
✔ Linux swap: Disabled
✔ fwupd plugins: Untainted
✘ Linux kernel: Tainted
✘ Linux kernel lockdown: Disabled
✘ UEFI secure boot: Disabled
This system has HSI runtime issues. /fwupd. github. io/hsi. html#hsi- runtime- suffix
» https:/
Host Security Events
2023-09-16 22:51:13: ✔ Pre-boot DMA protection is enabled
2023-09-13 18:20:16: ✘ Secure Boot disabled
2023-09-13 18:20:16: ✘ Pre-boot DMA protection is disabled
2023-09-13 12:27:38: ✔ TPM v2.0 changed: Not found → Found
2023-09-13 12:11:31: ✘ TPM v2.0 changed: Found → Not found
2023-09-11 13:40:01: ✘ Kernel lockdown disabled
2023-09-11 13:40:01: ✔ TPM v2.0 changed: Not found → Found
2023-09-11 13:31:29: ✘ Kernel is tainted
2023-09-11 13:12:55: ✔ Kernel is no longer tainted
2023-09-11 13:12:55: ✔ Kernel lockdown enabled
2023-09-11 13:12:55: ✔ Secure Boot enabled
2023-09-11 03:02:26: ✘ TPM v2.0 changed: Found → Not found
2023-09-11 03:00:59: ✔ TPM v2.0 changed: Not found → Found