Failed to get device security check

In Settings > Privacy > Device Security failed to check device security.

Technical reports:

Device Security Report
======================

Report details
  Date generated:                                  2024-01-31 09:55:50
  fwupd version:                                   1.9.11

System details
  Hardware model:                                  LENOVO 82KU
  Processor:                                       AMD Ryzen 7 5700U with Radeon Graphics
  OS:                                              Fedora Linux 39 (Workstation Edition)
  Security level:                                  HSI:0 (v1.9.11)

HSI-1 Tests
  UEFI Platform Key:                               Pass (Valid)
  UEFI Bootservice Variables:                      Pass (Locked)
  TPM v2.0:                                        Pass (Found)
  BIOS Firmware Updates:                           Pass (Enabled)
  UEFI Secure Boot:                                Pass (Enabled)
  Fused Platform:                                ! Fail 
  TPM Platform Configuration:                      Pass (Valid)

HSI-2 Tests
  AMD Firmware Write Protection:                 ! Fail 
  TPM Reconstruction:                              Pass (Valid)
  IOMMU Protection:                                Pass (Enabled)
  Platform Debugging:                            ! Fail 

HSI-3 Tests
  Suspend To RAM:                                ! Fail (Enabled)
  AMD Firmware Replay Protection:                ! Fail 
  Pre-boot DMA Protection:                         Pass (Enabled)
  Control-flow Enforcement Technology:           ! Fail (Not Supported)
  Suspend To Idle:                               ! Fail (Not Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail 
  Supervisor Mode Access Prevention:               Pass (Enabled)
  AMD Secure Processor Rollback Protection:      ! Fail 

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Encrypted)
  Linux Kernel Verification:                       Pass (Not Tainted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events

For information on the contents of this report, see https://fwupd.github.io/hsi.html

A quick look at the items marked as failed seem to require Lenovo to fix things.

Do you have a specific question?

This problem is from manufacture?

Or from design not including security as a feature.

This, for example, requires a CPU feature I think.

This is a UEFI BIOS implementation problem I think.

Hopefully if you read up on the details in the link at the bottom of the report it will explain what the tests are checking for: Redirecting to https://fwupd.github.io/libfwupdplugin/hsi.html

1 Like