43: New Device Security feature is confusing and unhelpful currently

Bug #1987162 reported by Jeremy Bícha
This bug affects 2 people
Affects: gnome-control-center (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

GNOME 43 added a new Device Security feature in the Settings app.

You can access it in gnome-control-center 1:43~beta-1ubuntu1
1. Open the Settings app
2. Click Privacy then Device Security

The Security Events aren't clickable.

A default Ubuntu install only gets us "Security Level 1". The highest level is "Security Level 3".

There isn't anything an Ubuntu user can do to get to a higher security level from the Device Security screen.

If a user attempts to get their system to a higher security level, I think they could break their system since this isn't something we currently support.

Therefore, I think we ought to hide/disable the screen for Ubuntu 22.10. We can work towards better integrating this screen for Ubuntu in future releases.

I'm attaching several screenshots although it's worth trying out the feature for yourself too.

Tags: kinetic
Jeremy Bícha (jbicha) wrote :
tags: added: kinetic
Jeremy Bícha (jbicha) wrote :
Changed in gnome-control-center (Ubuntu):
status: New → Triaged
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

I don't understand not only why those advanced features would be exposed in a GUI, but why ordinary users would care at all about most of those settings.

If we're going to expose "security information" to users, we should probably start by showing basic stuff, like if they are properly getting security updates, if remote login via ssh is turned on with passwords instead of certificates, whether they are using disk encryption or not, etc.

If regular users can't easily fix the issues listed in there, from the GUI itself, I don't think it's appropriate to display that in the settings app.

Jeremy Bícha (jbicha)
description: updated
Alex Murray (alexmurray) wrote :

Indeed - I don't think it is useful to have such information displayed prominently when there is nothing that users can do to affect this (in general) and so this will only cause alarm. Like Marc said, it is then not useful to display this without offering actionable tasks that a user can perform to increase their security, since then as jbicha suggested, some users will likely try and manually work around these findings to 'increase' their security and potentially break their systems.

Whilst it is commendable that GNOME is trying to perhaps raise security awareness for users, doing this in a way where users don't really have any control over the results is likely to cause more harm than good.

So I agree, this should not be part of the standard gnome-control-center at this stage for Ubuntu.

Sebastien Bacher (seb128) wrote :

Sharing some references, the panel was added as part of

https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1570

The intent of the design seems to be that the item descriptions include a suggestion of how problems could be resolved.

There are some reports about improving the UI, such as https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1938

Disabling it for now if we think the UI is more likely to confuse users seems fine though.

Jeremy Bícha (jbicha) wrote :

The feature was also discussed at

https://blogs.gnome.org/hughsie/2022/07/29/emulated-host-profiles-in-fwupd/

Yes, we can go ahead and hide this feature now for Ubuntu 22.10. I wanted to have a few other people see the current state of the feature before we disabled it. Perhaps it will be more usable in a future release.

Marc Deslauriers (mdeslaur) wrote :

Another issue to consider here is that there is no secure way to display the information in the first place. If some of those settings are disabled, malware can simply modify the app to display a green checkbox next to Level 3, leading to a false sense of security.

Jeremy Bícha (jbicha)
Changed in gnome-control-center (Ubuntu):
status: Triaged → Fix Committed
Richard Hughes (richard-hughes) wrote :

> If regular users can't easily fix the issues listed in there

You can fix some, but they do currently require the user to open up the system firmware settings. You need the latest (git master) version of fwupd installed to get the [translated] long descriptions of each hardware security problem.

>, from the GUI itself

We are working on that, although this is only going to work on Lenovo and Dell laptops.

> I don't think it's appropriate to display that in the settings app.

I suppose that not knowing is more secure?

> Yes, we can go ahead and hide this feature now for Ubuntu 22.10

It's literally your choice, but some of these are critical security issues.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-control-center - 1:43~beta-1ubuntu2

---------------
gnome-control-center (1:43~beta-1ubuntu2) kinetic; urgency=medium

  * Add patch to disable the new Device Security panel (LP: #1987162)

 -- Jeremy Bicha <email address hidden> Mon, 22 Aug 2022 10:09:25 -0400

Changed in gnome-control-center (Ubuntu):
status: Fix Committed → Fix Released
Alex Murray (alexmurray) wrote :

>> I don't think it's appropriate to display that in the settings app.

> I suppose that not knowing is more secure?

Yes if you consider the risk of users DoS'ing themselves by having to potentially hack around in the CLI / BIOS settings to try and find the right incantations to get a green check mark to appear. The status quo is a lack of awareness - so we need to trade off the risks of showing something which is unactionable and potentially alarming vs. keeping things as they are. Once there is support to rectify these issues from the GUI then I am not at all opposed to showing this information and would welcome it. However even then, we will want to ensure this is a robust process since we don't want to, say, make it easy to enable Secure Boot and then prevent machines from booting since the user doesn't actually run a signed kernel, or, say, end up having hardware devices silently disabled on a subsequent reboot since they were previously using unsigned modules etc. There is a lot of complexity and corner cases here so it is prudent to be conservative in our approach IMO.

William Dietrich (billdietrich444) wrote :

I think the whole concept of numeric security "levels" is wrong. Instead there should be a list of threats:

- physical (address by using LUKS, disabling USB ports, locking screen after N minutes inactivity, etc)

- bad apps (address by enabling AppArmor or SELinux etc, using Snaps or Flatpaks, using fewer PPAs, doing updates, etc)

- OS vulns (address by doing updates)

- network attacks (address by enabling firewall on computer, enabling firewall in router, turning off unused services, blockers in browser, etc)

- user mistakes (address by not running as root, using immutable OS, etc)

And I would lump in some partially-security things too:

- data loss due to hardware failure or user error (backups: suggest TimeShift etc)

- network security/privacy attacks (suggest VPN)

Jeremy Bícha (jbicha) wrote :

At least in Ubuntu 22.10, you can also get the same information by opening a terminal and running this command.

fwupdmgr security

Alexander E. Patrakov (patrakov-gmail) wrote :

@billdietrich444

Note: my comment is a trolling attempt, and hopefully an obvious one due to the choice of an obviously unimplementable-in-a-useful-way standard. Please take only 10% seriously.

It may be a good idea to stop talking about pure security according to our own set of criteria (because it's up to discussion what's good enough) and start talking about compliance to recognized standards. We can start with the UK standard named Cyber Essentials, which is required for all organizations that need to deal with the UK government. The standard itself is available at https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf

It has the following testable requirements related to technical controls:

* Firewalls - we can check that the firewall is installed and configured to "block unauthenticated inbound connections by default".

* Secure configuration - this also includes removing unneeded or unused services (and this means that it is forbidden to run the SSH server unless there is a documented business need) and uninstalling unused software. So we might want to display when each piece of software was last used so as to ease the audit. Another testable requirement is that any auto-run feature is disabled or configured to "ask". And also there are some checkable requirements related to device unlocking.

* User access control - we could list administrative accounts. Also, if a fingerprint reader is detected, or another form of 2FA is available, we can list all non-enrolled accounts as non-compliant. We can also check if the password quality requirements are implemented and the mandatory unsuccessful login throttling (or lock-out) policy is enforced by PAM.

* Malware protection - with specific requirements, related to on-access scanning of all files (including those on network shares, so sorry, ClamAV is not compliant) and web pages. This was the reason I had to tell one of my clients that they have to stop using Linux or stop dealing with the UK government.

* Security update management - we can check Ubuntu-specific settings related to the freshness of the database, whether a reboot is needed for something to apply (e.g. are there running copies of deleted and replaced binaries, or do they use deleted libraries), and whether the updates are configured to install automatically.

* Backups - we can test whether they are configured through known backup applications.

Alexander E. Patrakov (patrakov-gmail) wrote :

Also note that there is no requirement to have Secure Boot enabled in Cyber Essentials.

Marcos Alano (mhalano) wrote :

I achieved level 2 just by setting "intel_iommu=on" on GRUB.

Marcos Alano (mhalano) wrote :

There are some features maybe I couldn't get, like encrypted RAM, because they're related to corporate level features.

Marcos Alano (mhalano) wrote :

I achieved level 3 with a fix that will be released for fwupd to correctly detect the presence of Intel CET feature. That is my original bug report: https://github.com/fwupd/fwupd/issues/4960

Marcos Alano (mhalano) wrote :

The fix has landed with version 1.8.4.

Mario Limonciello (superm1) wrote :

FYI - 1.8.4 synced from Debian to Ubuntu kinetic now.

Mario Limonciello (superm1) wrote :

> A default Ubuntu install only gets us "Security Level 1". The highest level is "Security Level 3".

It's not a function of the OS, it's a function of the underlying hardware, firmware, and firmware configuration for your given system.
The "!" in the HSI string is controlled by OS behavior (such as encrypted swap, taint, etc).

At least on a pre-production Lenovo Z13 I can get HSI-2; depending on whether Lenovo has SPI replay protection in the production hardware, I might be able to get all the way to HSI 4.

Host Security ID: HSI:2! (v1.8.4)

HSI-1
✔ Fused platform: Locked
✔ Rollback protection: Enabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid

HSI-2
✔ IOMMU: Enabled
✔ Platform Debugging: Locked
✔ SPI write protection: Enabled
✔ TPM PCR0 reconstruction: Valid

HSI-3
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ SPI replay protection: Disabled

HSI-4
✔ Encrypted RAM: Encrypted
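
Added example (not part of the original thread and not fwupd's own code): a Python sketch that parses the `fwupdmgr security` text output quoted above and recomputes the level, listing the checks that block the next tier. It assumes the level is the highest HSI tier whose checks, together with those of every tier below it, all pass, which is consistent with the sample; `parse_report` and `derive_level` are hypothetical names.

```python
import re

# `fwupdmgr security` output quoted in the comment above (blank lines dropped).
SAMPLE = """\
Host Security ID: HSI:2! (v1.8.4)
HSI-1
✔ Fused platform: Locked
✔ Rollback protection: Enabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid
HSI-2
✔ IOMMU: Enabled
✔ Platform Debugging: Locked
✔ SPI write protection: Enabled
✔ TPM PCR0 reconstruction: Valid
HSI-3
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ SPI replay protection: Disabled
HSI-4
✔ Encrypted RAM: Encrypted
"""

HEADER = re.compile(r"^Host Security ID:\s*HSI:(\d+)(!?)")
TIER = re.compile(r"^HSI-(\d+)$")
CHECK = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")

def parse_report(text):
    """Return (reported_level, runtime_flag, {tier: [(name, result, passed)]})."""
    reported, flagged, tiers, current = None, False, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            reported, flagged = int(m.group(1)), m.group(2) == "!"
        elif m := TIER.match(line):
            current = tiers.setdefault(int(m.group(1)), [])
        elif (m := CHECK.match(line)) and current is not None:
            current.append((m.group(2), m.group(3), m.group(1) == "✔"))
    return reported, flagged, tiers

def derive_level(tiers):
    """Assumed rule: highest tier N with all checks in tiers 1..N passing."""
    level = 0
    while tiers.get(level + 1) and all(ok for *_, ok in tiers[level + 1]):
        level += 1
    failed = [(name, res) for name, res, ok in tiers.get(level + 1, []) if not ok]
    return level, failed
```

On the quoted report this yields level 2 with "SPI replay protection" as the only check blocking HSI-3; the trailing "!" is returned separately as the runtime flag.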

Jeremy Bícha (jbicha) wrote :

The Device Security panel has been simplified in GNOME 44 Alpha and Ubuntu 23.04 no longer disables showing the panel.

https://launchpad.net/ubuntu/+source/gnome-control-center/1:44~alpha-0ubuntu1

This report contains Public Security information  
Everyone can see this security related information.
