Would you help me improve the security of my device? currently it is HSI:0


Report details
  Date generated:                                  2023-11-08 00:46:01
  fwupd version:                                   1.9.7

System details
  Hardware model:                                  ASUSTeK COMPUTER INC ASUSLaptop X509DA
  Processor:                                       AMD Ryzen 5 3500
  OS:                                              Fedora Linux 39 (Workstation Edition)
  Security level:                                  HSI:0! (v1.9.7)

HSI-1 Tests
  Variables del servicio de arranque de UEFI:      Pass (Bloqueada)
  Llave de Plataforma UEFI:                        Pass (Válido)
  TPM v2.0:                                        Pass (Encontrada)
  BIOS Firmware Updates:                           Pass (Activada)
  Arranque Seguro UEFI:                            Pass (Activada)
  Plataforma Fusionada:                          ! Fail 
  Configuración de Plataforma TPM:                 Pass (Válido)

HSI-2 Tests
  Escritura Firmware AMD:                        ! Fail 
  Reconstrucción TPM:                              Pass (Válido)
  Protección de dispositivo IOMMU:                 Pass (Activada)
  Depuración de Plataforma:                      ! Fail 

HSI-3 Tests
  Repetición de Protección AMD:                  ! Fail 
  Protección DMA de pre-arranque:                ! Fail (No activada)
  Suspender a RAM:                               ! Fail (Activada)
  Suspendido a Descanso:                         ! Fail (No activada)

HSI-4 Tests
  RAM cifrada:                                   ! Fail 
  Protección de Reversión del Procesador AMD Segur! Fail 

Runtime Tests
  Verificación para Actualizador del Firmware:     Pass (No envenenado)
  Intercambio (swap) de Linux:                     Pass (Cifrado)
  Verificación de Kernel Linux:                  ! Fail (Envenenado)
  Kernel Linux bloqueado:                          Pass (Activada)

Host security events
  2023-10-14 23:12:15   Verificación de Kernel LinuFalló (No envenenado → Envenenado)
  2023-10-10 15:04:34   Verificación de Kernel Linux Correcto (Envenenado → No envenenado)
  2023-10-10 13:31:18   Verificación de Kernel LinuFalló (No envenenado → Envenenado)
  2023-10-10 09:41:04   Verificación de Kernel Linux Correcto (Envenenado → No envenenado)
  2023-10-09 21:36:40   Intercambio (swap) de Linux  Correcto (No cifrado → Cifrado)
  2023-10-09 13:30:02   Verificación de Kernel LinuFalló (No envenenado → Envenenado)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

Can you tell us with which app you make this test?

Please put a:

your command

to get an English output.

$ fwupdmgr security

Host Security ID: HSI:0! (v1.9.7)

✔ BIOS firmware updates:         Enabled
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled
✘ Fused platform:                Unknown
✘ Supported CPU:                 Invalid

✔ IOMMU:                         Enabled
✔ TPM PCR0 reconstruction:       Valid
✘ Platform debugging:            Unknown
✘ SPI write protection:          Unknown

✘ Pre-boot DMA protection:       Disabled
✘ SPI replay protection:         Unknown
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

✘ Encrypted RAM:                 Unknown
✘ Processor rollback protection: Unknown

Runtime Suffix -!
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ fwupd plugins:                 Untainted
✘ Linux kernel:                  Tainted

This system has a low HSI security level.
 » https://fwupd.github.io/hsi.html#low-security-level

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Host Security Events
  2023-10-15 04:12:15:  ✘ Kernel is tainted
  2023-10-10 20:04:34:  ✔ Kernel is no longer tainted
  2023-10-10 18:31:18:  ✘ Kernel is tainted
  2023-10-10 14:41:04:  ✔ Kernel is no longer tainted
  2023-10-10 02:36:40:  ✔ Intercambio de Linux changed: Unencrypted → Encrypted

BTT… this report can also be found in GNOME Settings > Privacy > Checks Failed > Copy Technical Report. It’s funny, I found the same thing on my device (not quite as bad… tainted kernel?!) and went looking for what HSI tests even were, then found this thread (among others with the same output on OEM forums LOL).

From what I can tell most of these are firmware options. Maybe the suspend options could be the OS. The information on the HSI tests was in that GitHub link at the bottom all along. I’m about to test out this link (found in the GitHub) and report back if it fixed anything.


Device Security Report

Report details
  Date generated:                                  2023-12-27 23:24:09
  fwupd version:                                   1.9.10

System details
  Hardware model:                                  LENOVO 20KVCTO1WW
  Processor:                                       AMD Ryzen 7 2700U with Radeon Vega Mobile Gfx
  OS:                                              Fedora Linux 39.20231227.0 (Silverblue)
  Security level:                                  HSI:0 (v1.9.10)

HSI-1 Tests
  UEFI Platform Key:                               Pass (Valid)
  UEFI Bootservice Variables:                      Pass (Locked)
  TPM v2.0:                                        Pass (Found)
  BIOS Firmware Updates:                           Pass (Enabled)
  UEFI Secure Boot:                                Pass (Enabled)
  Fused Platform:                                ! Fail 
  TPM Platform Configuration:                      Pass (Valid)

HSI-2 Tests
  AMD Firmware Write Protection:                 ! Fail 
  TPM Reconstruction:                              Pass (Valid)
  IOMMU Protection:                                Pass (Enabled)
  BIOS Rollback Protection:                        Pass (Enabled)
  Platform Debugging:                            ! Fail 

HSI-3 Tests
  Pre-boot DMA Protection:                       ! Fail (Not Enabled)
  AMD Firmware Replay Protection:                ! Fail 
  Suspend To RAM:                                ! Fail (Enabled)
  Suspend To Idle:                               ! Fail (Not Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail 
  AMD Secure Processor Rollback Protection:      ! Fail 

Runtime Tests
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Encrypted)
  Linux Kernel Verification:                       Pass (Not Tainted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events
  2023-11-22 20:44:36   BIOS Rollback Protection     Pass (Not Enabled → Enabled)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

Unfortunately no luck on my device, nothing changed. I did see where another user had created a new thread about the guidance not working on his platform so there’s that. With all these questions being asked I would bet Lenovo and the other big OEMs will eventually put out updates and/or further guidance regarding these tests, but it might not be as quick as people like :wink:

On a Flathub there is a program called “Firmware”. Maybe it would be able to fetch updates.