fwupd / firmware-lenovo

Missing firmware for Lenovo Thinkpad hardware

fwupdmgr security reports disabled SPI write protection #432

Open lunarlattice0 opened 6 months ago

lunarlattice0 commented 6 months ago

**Describe the bug** fwupdmgr security reports that SPI write protection is disabled, when it should be enabled. Additionally, CET OS support is marked as "Not supported".

**Steps to Reproduce** Run `fwupdmgr security`

**Expected behavior** It is expected that SPI write protection is enabled.

fwupd version information

```
compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64
```

Please note how you installed it (apt, dnf, pacman, source, etc): Fedora Silverblue Flatpak Repository

**fwupd device information** Please provide the output of the fwupd devices recognized in your system.

lunarlattice0 commented 6 months ago

fwupd security report:

```
HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ BIOS rollback protection:      Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ SPI write protection:          Disabled

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM:                 Encrypted
✔ SMAP:                          Enabled

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ CET OS Support:                Not supported

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix
```

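
An added example (not code from the issue or from fwupd) that parses the `fwupdmgr security` report format shown above into per-level attributes, derives the attained HSI level and lists the failing attributes; the sample text is constructed from the report above, and the level rule (one failure at HSI-N caps the result at N-1) follows the linked HSI documentation.

```python
import re

# Constructed sample in the `fwupdmgr security` output format, trimmed from the
# report pasted in this issue (at most two attributes per level).
SAMPLE_REPORT = """\
HSI-1
✔ BIOS firmware updates:         Enabled
✔ UEFI secure boot:              Enabled
HSI-2
✔ BIOS rollback protection:      Enabled
✘ SPI write protection:          Disabled
HSI-3
✔ SPI replay protection:         Enabled
Runtime Suffix -!
✔ Linux kernel lockdown:         Enabled
✘ CET OS Support:                Not supported
"""

LEVEL_RE = re.compile(r"^(HSI-(\d)|Runtime Suffix.*)$")
ATTR_RE = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")   # glyph, name, value

def parse_report(text):
    """Map each section (1..4 or 'runtime') to [(name, value, passed), ...]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LEVEL_RE.match(line)
        if m:  # section header: HSI-N or the runtime suffix
            current = "runtime" if m.group(2) is None else int(m.group(2))
            sections[current] = []
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:  # other lines (summary text) are ignored
            sections[current].append((m.group(2), m.group(3), m.group(1) == "✔"))
    return sections

def attained_level(sections):
    """Highest N such that every attribute in HSI-1..HSI-N passes: one failure
    at level N caps the result at N-1 even when the higher levels all pass."""
    level = 0
    for n in (1, 2, 3, 4):
        attrs = sections.get(n, [])
        if not attrs or not all(ok for _, _, ok in attrs):
            break
        level = n
    return level

def failures(sections):
    """Failing attributes as (section, name, value), runtime suffix included."""
    return [(s, n, v) for s, attrs in sections.items() for n, v, ok in attrs if not ok]
```

On the sample this yields HSI level 1, because the HSI-2 failure caps the result even though HSI-3 passes, plus a separate runtime failure.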
hughsie commented 6 months ago

What hardware is that? Both failures look legitimate to me.

lunarlattice0 commented 6 months ago

> What hardware is that? Both failures look legitimate to me.

It is a Thinkpad T14s Gen 2 (AMD), with model code 20XF004RUS.

hughsie commented 6 months ago

@lunarlettuce can you attach the full `sudo fwupdtool security -vv` output for us please.

lunarlattice0 commented 6 months ago

@hughsie output.txt

superm1 commented 6 months ago

```
20:48:54.761 FuPluginPciPsp ROM armor not enforced
```

Looks like fwupd isn't doing anything wrong. fwupd is a messenger for the kernel, which is a messenger for what the hardware reports.

Looks to me that this particular security feature is not enabled.

lunarlattice0 commented 6 months ago

Good to know, thanks for transferring