Checks failed ! Hardware does not pass checks

subha909 · April 15, 2024, 12:17pm

Device Security Report
======================

Report details
  Date generated:                                  2024-04-15 17:44:52
  fwupd version:                                   1.9.16

System details
  Hardware model:                                  Micro-Star International Co., Ltd. MS-7C09
  Processor:                                       Intel(R) Core(TM) i3-9100F CPU @ 3.60GHz
  OS:                                              Fedora Linux 39 (Workstation Edition)
  Security level:                                  HSI:0! (v1.9.16)

HSI-1 Tests
  Intel Management Engine Version:               ! Fail (Not Valid)
  UEFI Platform Key:                               Pass (Valid)
  UEFI Bootservice Variables:                      Pass (Locked)
  TPM v2.0:                                        Pass (Found)
  Firmware BIOS Region:                          ! Fail (Not Locked)
  Firmware Write Protection Lock:                ! Fail (Not Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  Intel Management Engine Manufacturing Mode:    ! Fail (Not Locked)
  UEFI Secure Boot:                                Pass (Enabled)
  BIOS Firmware Updates:                           Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  Intel Management Engine Override:                Pass (Locked)
  TPM Platform Configuration:                      Pass (Valid)

HSI-2 Tests
  Platform Debugging:                              Pass (Locked)
  Intel BootGuard ACM Protected:                 ! Fail (Not Valid)
  IOMMU Protection:                              ! Fail (Not Found)
  Intel BootGuard Fuse:                          ! Fail (Not Valid)
  Intel GDS Mitigation:                            Pass (Enabled)
  Intel BootGuard Verified Boot:                 ! Fail (Not Valid)
  TPM Reconstruction:                              Pass (Valid)
  Intel BootGuard:                                 Pass (Enabled)

HSI-3 Tests
  Suspend To RAM:                                ! Fail (Enabled)
  Intel BootGuard Error Policy:                  ! Fail (Not Valid)
  Pre-boot DMA Protection:                       ! Fail (Not Enabled)
  Control-flow Enforcement Technology:           ! Fail (Not Supported)
  Suspend To Idle:                               ! Fail (Not Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Supervisor Mode Access Prevention:               Pass (Enabled)

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Encrypted)
  Linux Kernel Verification:                     ! Fail (Tainted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events
  2024-04-15 14:17:47   Linux Kernel Verification  ! Fail (Not Tainted → Tainted)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

How can I fix this issue ??

catanzaro · April 15, 2024, 1:42pm

Sometimes you can get a better device security score by updating your device’s firmware or by changing UEFI firmware settings, but more often you cannot and you would need to either buy a newer device or just accept that your current device is vulnerable. Nowadays HSI-2 is recommended as the desired security level that provides a good level of protection against bootkits and malicious Thunderbolt devices.

In your case, none of the above matters because you have MSI hardware, and MSI’s BootGuard private key is now public. Even if you were to somehow get a passing grade from the device security report, it would be meaningless because any attacker can sign firmware as if it were released by MSI. You’ll just have to accept that this is a lower security device, and consider not purchasing from MSI in the future.

catanzaro · April 15, 2024, 1:49pm

The primary consequences of a lower device security score:

If malicious code is able to run as root on your computer, it can install a “bootkit” (rootkit) to permanently infect your firmware, such that the malware can persist even if you reinstall your operating system or replace your storage device. That is, OS level malware can escalate to firmware level malware.
If your computer has Thunderbolt support, then Thunderbolt devices are able to run code as root because you have no IOMMU to prevent direct memory access.

(There are other risks too, but you’re probably not too worried about secret agents getting physical access to your device, so I’ll leave it at that.)

My understanding of hardware security is rudimentary, and I’d welcome corrections or clarifications.

Topic		Replies	Views
Failed to get device security check Ask Fedora amd , radeon , lenovo , f39 , workstation	3	1424	February 1, 2024
Device Security Checks Failed in F38 (TPM 2.0) Ask Fedora f37 , f38 , security , intel , workstation	4	6996	April 22, 2023
Failed Linux Kernel checks Ask Fedora f38 , amd , gnome	5	750	October 21, 2023
Would you help me improve the security of my device? currently it is HSI:0 Ask Fedora amd , gnome , f39 , workstation	5	2371	December 28, 2023
Security problems Ask Fedora f38 , amd , security , workstation	3	648	October 30, 2023

Checks failed ! Hardware does not pass checks

Related topics