Hi,
I’m new to Fedora. I just installed it today, but there seem to be some security problems. In settings, privacy, security, the security level is 0. This is due to problems with the Intel Management Engine version (level 1), IOMMU protection (level 2) and Encrypted RAM (level 3).
How can i get my security up and solve these issues?
Thanks in advance.
Many of the issues require updates from the system vendor or BIOS settings that may not be available from all vendors and/or older hardware. If you provide more details for your hardware, others with similar hardware may be able to tell you which measures are available to you, or you can look for information on your vendor’s web site.
To get started: Intel provides a Linux IME Version Detection Tool
This will give something along the lines of:
./intel_csme_version_detection_tool
Intel(R) CSME Version Detection Tool
Copyright(C) 2017-2022, Intel Corporation, All rights reserved.
Application Version: 8.0.1.0
Scan date: 2023-01-16 19:00:02 GMT
*** Host Computer Information ***
Name: [...]
Manufacturer: [...]
Model: [...]
Processor Name: [...]
OS Version: Fedora Linux 37 (Workstation Edition) (6.1.5-200.fc37.x86_64)
*** Intel(R) ME Information ***
Engine: Intel(R) Converged Security and Management Engine
Version: 12.0.90.2072
Intel(R) Core(TM) i5-9500 CPU @ 3.00GHz
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Converged Security and Management Engine firmware
has a vulnerability listed in one or more of the public Security Advisories.
Contact your system manufacturer for support and remediation of this system.
For more information refer to the Intel(R) CSME Version Detection Tool User Guide
or the related Intel Security Advisory list at:
https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html
For the above example, the vendor says the update is not compatible with the model used, so a solution may not always be available.
update your uefi bios it will solve most issues will be gone if you show us your model no and brand and some hw info itw will be easier to solve
Thanks for the reply. So I managed to run the script and it gave me the following:
Tool Started 2023-01-17 09:48:14 GMT
Name: jordis-laptop
Manufacturer: ASUSTeK COMPUTER INC.
Model: ASUS P1512CEA_P1512CEA
Processor Name: 11th Gen Intel(R) Core™ i3-1115G4 @ 3.00GHz
OS Version: Fedora Linux 37 (Workstation Edition) (6.1.5-200.fc37.x86_64)
Engine: Intel(R) CSME
Version: 15.0.10.1414
Status: DISCOVERY_VULNERABLE
Tool Stopped
The only thing is, from the ASUS website, they only offer the drivers for windows; that means in .exe files. As far as I could find, these don’t work on a Linux system. Is there a work around method for this?
I am a bit worried I caused this by fully erasing all the existing partitions on installing Fedora…
Hi Martin Luther,
So I managed to update the BIOS, following ASUS instructions. But dispite this, the samen security issues remained.
For the pc information:
ASUSTeK COMPUTER INC. ASUS P1512CEA_P1512CEA
8,0 GiB Memory
11th Gen Intel® Core™ i3-1115G4 × 4
Mesa Intel® UHD Graphics (TGL GT2)
256,1 GB capacity
watch intel ME has many controversy we dont actually know what it does in some laptops vendors actually disables that intel me
this is something you do not need to worry whatever os you are using so i think it is best to ask asus to help and for sure they will and all are bios level issues i think there is nothing to do with os
Intel ME Windows drivers are customized based on how the CPU, chipset, and the motherboard are designed. It is highly recommended to contact your laptop or desktop manufacturer to get the customized Intel ME Windows drivers.
This is completely beyond the control of linux developers.
Vendors may not want to put effort into customizing Intel ME Windows drivers and dealing with other security issues. They would prefer to sell you a newer system. If you are not at high risk (e.g., know to have valuable secretes on your system, system on a small network with non-routable address versus directly connected to the WWW, college campus network, etc.) then normal good security practices may be enough.