UEFI ESP, Secure Boot, HSI Issues: Elucidation and Solutions

Fedora 39 (KDE Spin)
Acer Aspire A517-53

Info Centre reports that:

  1. the UEFI ESP “may not be set up correctly”. It says I should ‘set 1 esp on’. I checked with parted and the flag is already on, but I issued the command anyway, rebooted, and the warning is still there.

Could this be because I left the original (Windows) EFI intact? I am not dual-booting, but I worried that formatting the EFI partition might lock me out of the system, due to the Secure Boot function in the firmware. Were I to reformat the EFI partition, would this warning go away?

When reinstalling Fedora, is it safe to format the EFI partition? Will the firmware automatically be aware of whatever it needs to know? I read an article in Fedora Magazine some months ago about secure boot and how one configures it and I do not want to enter this minefield.

  2. the system has a low HSI security level. I see that all of the Intel BootGuard points are flagged ‘invalid’. I presume this is Secure Boot in the firmware? I have it enabled and unchanged, just the way it was when I bought the computer.

Were I to reformat the EFI partition next time I install, likely for Fedora 40, given that these issues appear to be weighty, would this be resolved? Or is there something else at play?

Again, as I mentioned in point #1, I do not care to get into configuring the Secure Boot in the firmware (unless it turns out to be super easy and without risk of me being unable to boot into my computer).

  3. the system has HSI runtime issues. I see further red flags:

    csme manufacturing mode: unlocked
    encrypted RAM: not supported
    Linux Swap: unencrypted

The last point could be because I also have a swap partition. I know that Fedora has used some sort of virtual swap for the last 2 or so releases, but I have enabled the swap partition as well, because ‘hibernate (suspend to disk)’ has in the past required it.

Conclusion: So, what does all of this mean? Are the security concerns especially concerning for the average individual? What can I do to resolve these warnings?

Absolutely, as far as Fedora is concerned, provided you are only installing one OS on the machine.
If you simply tell the installer to recover space and install, it should wipe out everything and install fresh.

Without more info we cannot tell. What is giving you this message? Is it inside the bios setup screens? Is it in the OS? What exactly are you doing that gives this info? If this is from the Info Center output see my note at the end.

Hibernate does require a physical swap space, so if you intend to hibernate the system it would be required. If you do not intend to hibernate, then a physical swap space is not normally required.

Secure boot is normally quite safe to leave enabled. However, if you are installing software that compiles locally built kernel modules (drivers), such as for a GPU or maybe VirtualBox for supporting VMs, then you would have to choose between A: disabling secure boot so the unsigned modules could load, or B: creating your own key and signing the kernel modules before they would be able to load with secure boot enabled.

Note that the Aspire Info Center is based on a user running windows and often does not really apply when using any Linux distro…

Info Centre is the name of the KDE program that displays system information. I presume that, among other things, it uses fwupdmgr to obtain the three issues I wrote about.

OK, thanks! It is too late for Fedora 39, as I did a clean install a few days ago, but for Fedora 40, I will again do a clean install and this time around, I will allow the installer to reformat /boot/efi as well. As the partition had been created by Windows, likely a lot of what is there is not needed.

So, again, the message about Intel BootGuard appears in the KDE Info Centre. The system runs fine; I have no major issues (camera and fingerprint sensor don’t work, but I will mention these in some future post, as I really don’t need them at this time).

I don’t use hibernate much, in fact, since I got this computer with SSD ‘drives’, booting is so fast, likely under a minute, so I always turn the computer off. Still, the swap partition gives me the option to hibernate if I should want to just flip the lid.

I was certainly NOT considering disabling Secure Boot. Years ago, I used to compile modules and even kernels, as I used to buy NVIDIA graphics cards, fool around with virtualization, etc., but in the last 10 or more years, Fedora has matured and everything I would need is supported out-of-the-box (except, apparently, the built-in webcam and fingerprint reader, but, as I said, I will tackle those at some future time). My concern was that formatting /boot/efi might impact Secure Boot and I would not know how to get it all working again.

So, this returns me to my original post. I guess you are basically telling me I can just disregard all of these messages?

As you note, not everything. If a user has a newer laptop with an NVIDIA GPU, it is not supported; if using VMs and installing VirtualBox, that is not instantly supported; and both do require that the kernel modules be signed or that secure boot be disabled.

In fact, for any distro out there, if the hardware is new and/or only supported by restricted software then the drivers may not be available “out of the box”.

There was, just a couple of days ago, an issue with a laptop having a newer NVIDIA GPU, and the FOSS driver nouveau that is provided by NVIDIA was not able to support it.