43: New Device Security feature is confusing and unhelpful currently

I don't understand not only why those advanced features would be exposed in a GUI, but why ordinary users would care at all about most of those settings.

If we're going to expose "security information" to users, we should probably start by showing basic stuff, like if they are properly getting security updates, if remote login via ssh is turned on with passwords instead of certificates, whether they are using disk encryption or not, etc.

If regular users can't easily fix the issues listed in there, from the GUI itself, I don't think it's appropriate to display that in the settings app.

Indeed - I don't think it is useful to have such information displayed prominently when there is nothing that user's can do to affect this (in general) and so this will only cause alarm. Like Marc said, it is then not useful to display this without offering actionable tasks that a user an perform to increase their security, since then as jbicha suggested, some users will likely try and manually workaround these findings to 'increase' their security and potentially break their systems.

Whilst it is commendable that GNOME is trying to perhaps raise security awareness for users, doing this in a way where users don't really have any control over the results is likely to cause more harm than good.

So I agree, this should not be part of the standard gnome-control-center at this stage for Ubuntu.

Sharing some references, the panel was added as part of

https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1570

the intend from the design seems that the items description include a suggestion of how problems could be resolved.

there are some report about improving the UI as https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1938

disabling for now if we think the UI is more likely to confuse users seems fine though

The feature was also discussed at

https://blogs.gnome.org/hughsie/2022/07/29/emulated-host-profiles-in-fwupd/

Yes, we can go ahead and hide this feature now for Ubuntu 22.10. I wanted to have a few other people see the current state of the feature before we disabled it. Perhaps it will be more usable in a future release.

Another issue to consider here is that there is no secure way to display the information in the first place. If some of those settings are disabled, malware can simply modify the app to display a green checkbox next to Level 3, leading to a false sense of security.

> If regular users can't easily fix the issues listed in there

You can fix some, but they do currently require the user to open up the system firmware settings. You need the latest (git master) version of fwupd installed to get the [translated] long descriptions of each hardware security problem.

>, from the GUI itself

We are working on that, although this is only going to work on Lenovo and Dell laptops.

> I don't think it's appropriate to display that in the settings app.

I suppose that not knowing is more secure?

> Yes, we can go ahead and hide this feature now for Ubuntu 22.10

It's literally your choice, but some of these are critical security issues.

This bug was fixed in the package gnome-control-center - 1:43~beta-1ubuntu2

---------------
gnome-control-center (1:43~beta-1ubuntu2) kinetic; urgency=medium

  * Add patch to disable the new Device Security panel (LP: #1987162)

 -- Jeremy Bicha <email address hidden> Mon, 22 Aug 2022 10:09:25 -0400

>> I don't think it's appropriate to display that in the settings app.

> I suppose that not knowing is more secure?

Yes if you consider the risk of users DoS'ing themselves by having to potentially hack around in the CLI / BIOS settings to try and find the right incantations to get a green check mark to appear. The status quo is a lack of awareness - so we need to trade of the risks of showing something which is unactionable and potentially alarming vs. keeping things as they are. Once there is support to rectify these issues from the GUI then I am not at all opposed to showing this information and would welcome it. However even then, we will want to ensure this is a robust process since we don't want to say make it easy to enable Secure Boot and then prevent machines from booting since the user doesn't actually run a signed kernel, or say end up having hardware devices silently disabled on a subsequent reboot since they were previously using unsigned modules etc. There is a lot of complexity and corner cases here so it is prudent to be conservative in our approach IMO.

I think the whole concept of numeric security "levels" is wrong. Instead there should be a list of threats:

- physical (address by using LUKS, disabling USB ports, locking screen after N minutes inactivity, etc)

- bad apps (address by enabling AppArmor or SELinux etc, using Snaps or Flatpaks, using fewer PPAs, doing updates, etc)

- OS vulns (address by doing updates)

- network attacks (address by enabling firewall on computer, enabling firewall in router, turning off unused services, blockers in browser, etc)

- user mistakes (address by not running as root, using immutable OS, etc)

And I would lump in some partially-security things too:

- data loss due to hardware failure or user error (backups: suggest TimeShift etc)

- network security/privacy attacks (suggest VPN)

At least in Ubuntu 22.10, you can also get the same information by opening a terminal and running this command.

fwupdmgr security

@billdietrich444

Note: my comment is a trolling attempt, and hopefully an obvious one due to the choice of an obviously unimplementable-in-a-useful-way standard. Please take only 10% seriously.

It may be a good idea to stop talking about pure security according to our own set of criteria (because it's up to discussion what's good enough) and start talking about compliance to recognized standards. We can start with the UK standard named Cyber Essentials, which is required for all organizations that need to deal with the UK government. The standard itself is available at https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf

It has the following testable requirements related to technical controls:

* Firewalls - we can check that the firewall is installed and configured to "block unauthenticated inbound connections by default".

* Secure configuration - this also includes removing unneeded or unused services (and this means that it is forbidden to run the SSH server unless there is a documented business need) and uninstalling unused software. So we might want to display when each piece of software was last used so that to ease the audit. Another testable requirement is that any auto-run feature is disabled or configured to "ask". And also there are some checkable requirements related to device unlocking.

* User access control - we could list administrative accounts. Also, if a fingerprint reader is detected, or another form of 2FA is available, we can list all all non-enrolled accounts as non-compliant. We can also check if the password quality requirements are implemented and the mandatory unsuccessful login throttling (or lock-out) policy is enforced by PAM.

* Malware protection - with specific requirements, related to on-access scanning of all files (including those on network shares, so sorry, ClamAV is not compliant) and web pages. This was the reason I had to tell one of my clients that they have to stop using Linux or stop dealing with the UK government.

* Security update management - we can check Ubuntu-specific settings related to the freshness of the database, whether a reboot is needed for something to apply (e.g. are there running copies of deleted and replaced binaries, or do they use deleted libraries), and whether the updates are configured to install automatically.

* Backups - we can test whether they configured through known backup applications.

Also note that there is no requirement to have Secure Boot enabled in Cyber Essentials.

I achieved level 2 just setting "intel_iommu=on" on GRUB.

There are some features maybe I couldn't get, like encrypted RAM, because they're related to corporate level features.

I achieved level 3 with a fix that will be released for fwupd to correctly detect the presence of Intel CET feature. That is my original bug report: https://github.com/fwupd/fwupd/issues/4960

The fix has landed with version 1.8.4.

FYI - 1.8.4 synced from Debian to Ubuntu kinetic now.

> A default Ubuntu install only gets us "Security Level 1". The highest level is "Security Level 3".

It's not a function of the OS, it's a function of the underlying hardware, firmware, and firmware configuration for your given system.
The "!" in the HSI string is controlled by OS behavior (such as encrypted swap, taint, etc).

At least on a pre-production Lenovo Z13 I can get HSI-2, depending on whether Lenovo has SPI replay protection in the production hardware I might be able to get all the way to HSI 4.

Host Security ID: HSI:2! (v1.8.4)

HSI-1
✔ Fused platform: Locked
✔ Rollback protection: Enabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid

HSI-2
✔ IOMMU: Enabled
✔ Platform Debugging: Locked
✔ SPI write protection: Enabled
✔ TPM PCR0 reconstruction: Valid

HSI-3
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ SPI replay protection: Disabled

HSI-4
✔ Encrypted RAM: Encrypted

The Device Security panel has been simplified in GNOME 44 Alpha and Ubuntu 23.04 no longer disables showing the panel.

https://launchpad.net/ubuntu/+source/gnome-control-center/1:44~alpha-0ubuntu1