Security problems

Ask Fedora
, , ,
1

Hi all, I have security problem related to my hardware. I have a Gigabyte motherboard. Attach the report of the security:

Device Safety Report

======================


Report details

  Generated date: 2023-10-30 16:34:08

  Version of fwupd 1.9.6


System details

  Hardware model: Gigabyte Technology Co., Ltd. B450M DS3H V2

  Processor: AMD Ryzen 9 3900 12-Core Processor

  OS: Fedora Linux 38 (Workstation Edition)

  Security Level: HSI:INVALID:missing-data


HSI-1 Tests

  UEFI Boot Service Variables: Correct (Locked)

  UEFI Platform Key: Correct (Valid)

  TPM v2.0: Correct (Found)

  BIOS Firmware updates: Correct (Enabled)

  UEFI Secure Boot: Correct (Enabled)

  TPM Platform Configuration: Successful (Valid)


HSI-2 Tests

  TPM rebuild: OK (Valid)

  IOMMU Device Protection: OK (Enabled)


HSI-3 Tests

  Pre-boot DMA Protection: Failed (Not Enabled)

  Suspend to RAM: Failed (Enabled)

  Suspend to Sleep: Failed (Not Enabled)


HSI-4 Tests

  Encrypted RAM: Failed (Not Supported)


Runtime Tests

  Firmware Updater Check: Successful (Not Poisoned)

  Linux Swap:                     Successful (Encrypted)

  Linux Kernel Check:                  Failed (Poisoned)

  Linux Kernel Locked: Successful (Enabled)


Computer security events

  2023-10-30 15:00:38 Linux kernel locked Correct (Not enabled → Enabled)

  2023-10-30 15:00:38 UEFI Secure Boot Correct (Not Enabled → Enabled)

  2023-10-30 14:23:06 TPM v2.0 Correct (Not found → Found)

  2023-10-30 08:32:09 UEFI Secure Boot Failed (Enabled → Not Enabled)

  2023-10-30 08:32:09 Kernel Verification LinuFailed (Not Poisoned → Poisoned)

  2023-10-30 08:32:09 Locked Linux Kernel Failed (Enabled → Not Enabled)

  2023-10-30 06:58:54 Linux Kernel Verification Succeeded (Poisoned → Not Poisoned)

  2023-10-30 06:58:54 Linux kernel locked Correct (Not enabled → Enabled)

  2023-10-30 06:58:54 UEFI Secure Boot Correct (Not Enabled → Enabled)

  2023-10-29 20:59:31 UEFI Secure Boot Failed (Enabled → Not Enabled)

  2023-10-29 20:59:31 Kernel Verification LinuFailed (Not Poisoned → Poisoned)

  2023-10-29 20:59:31 Locked Linux Kernel Failed (Enabled → Not Enabled)

  2023-10-29 18:57:11 Linux Kernel Verification Successful (Poisoned → Not Poisoned)

  2023-10-29 18:57:11 Locked Linux Kernel Correct (Not Enabled → Enabled)

  2023-10-29 18:57:11 UEFI Secure Boot Correct (Not Enabled → Enabled)

  2023-10-26 15:05:06 Kernel LinuFailed Kernel Verification (Not Poisoned → Poisoned)


For information on the contents of this report, see https://fwupd.github.io/hsi.html

How to solve this problem?

Thanks.

All the best.

2

You did not tell us the app nor the command used to obtain that report.
I am not familiar with the posted info so without being able to repeat the test you used with the same tool it is difficult to guess what you are asking about.

Also, it would be nice if you were to be clear about exactly what you are asking. Those reading your data may draw differing conclusions so please ask a question instead of making an assumption that we will read the data and make the same conclusions you do.

Looking at the most recent data 10/30/2023 @ 14:23 & @ 15:00 it would seem there is no problem.

3

2551×488 38.8 KB

I mean how to activate DMA protection, memory encryption and so on.

Thanks.

All the best.

4

Ok, you have provided a hint that it started with the gnome settings–> privacy–> device security panel, but still did not state how you got the text report you posted above.

I personally do not know how to add anything to the default security configs the system provides, and those appear to me to be snapshot reports at boot time.

The link at the very bottom of your posted report tells about that tool and has a warning that it is incomplete and may be inaccurate at the very top.

According to that link it would seem your system meets the HSI:1 & HSI:2 levels . It would seem very unlikely that your system is at risk since the analysis says “any exploit would be difficult or impractical to use.”

Is your question related to using fwupdmgr?