lctrr
March 26, 2025, 7:35pm
1
Hello,
I’m on a Thinkpad t495s with Fedora 42 beta, and while looking at device security tests I saw that HSI-1 was failing because of System Management Mode (Fail - Unlocked).
I wanted to ask you if you have any idea how to activate/lock it. It seems like a basic security feature from what I saw on the internet, but all guides to activate it are for Windows.
I should also note that I’m currently dual booting with Win11 on another partition, so maybe this is the problem ?
Thank you very much for any help you can give
Luca
1 Like
Are you sure this is about fwupd?
Can you give us the exact error message?
lctrr
March 29, 2025, 4:54pm
4
Never said it’s about fwupd, fwupd gives the HSI report, but I’d like to know if someone knows how to lock the SMM (System Management Mode). Fwupd wiki was no use unfortunately
This is the security report:
Device Security Report
======================
Report details
Date generated: 2025-03-29 17:51:27
fwupd version: 2.0.7
System details
Hardware model: LENOVO 20QKS0LG00
Processor: AMD Ryzen 5 PRO 3500U w/ Radeon Vega Mobile Gfx
OS: Fedora Linux 42 (Workstation Edition Prerelease)
Security level: HSI:0 (v2.0.7)
HSI-1 Tests
UEFI Bootservice Variables: Pass (Verrouillé)
UEFI Platform Key: Pass (Valide)
TPM v2.0: Pass (Trouvé)
System Management Mode: ! Fail (Non verrouillé)
UEFI Secure Boot: Pass (Activé)
BIOS Firmware Updates: Pass (Activé)
Fused Platform: Pass (Verrouillé)
TPM Platform Configuration: Pass (Valide)
HSI-2 Tests
AMD Firmware Write Protection: ! Fail (Non activé)
TPM Reconstruction: Pass (Valide)
IOMMU Protection: Pass (Activé)
BIOS Rollback Protection: Pass (Activé)
Platform Debugging: Pass (Verrouillé)
I cut the last two levels
I think that is done with a karg, no idea how to set them on regular Fedora
# Add additional boot parameters for hardening (requires reboot)
set-kargs-hardening:
#!/usr/bin/bash
read -rp "Do you need support for 32-bit processes/syscalls? (This is mostly used by legacy software, with some exceptions, such as Steam) [y/N]: " YES
if [[ "$YES" == [Yy]* ]]; then
echo "Keeping 32-bit support."
else
IAEMU_NO="--append-if-missing=ia32_emulation=0"
echo "Disabling 32-bit support, for the next boot."
fi
read -rp "Do you want to force disable Simultaneous Multithreading (SMT) / Hyperthreading? (This can cause a reduction in the performance of certain tasks in favor of security) (Note that in most hardware SMT will be disabled anyways to mitigate a known vulnerability, this turns it off on all hardware regardless) [y/N]: " YES
if [[ "$YES" == [Yy]* ]]; then
NOSMT_YES="--append-if-missing=nosmt=force"
echo "Force disabling SMT/Hyperthreading."
else
echo "Not force disabling SMT/Hyperthreading."
fi
read -rp "Would you like to set additional (unstable) hardening kargs? (Warning: Setting these kargs may lead to boot or stability issues on some hardware.) [y/N]: " YES
if [[ "$YES" == [Yy]* ]]; then
UNSTABLE_YES="--append-if-missing=efi=disable_early_pci_dma \
show original
amd_iommu=force_isolation
iommu=force
iommu.passthrough=0
These should be firmware related
lctrr
April 7, 2025, 7:26am
6
Is IOMMU related to SMM ?
