Device Security: Missing Device security alerts
I discovered only by chance that Settings > Privacy > Device security
reports that my hardware security level has been graded as HSI:0 ("Hardware does not pass checks"). The corresponding specification defines HSI:0 as an "insecure" state, in which users "should adjust firmware setup options, contact [the] manufacturer or replace the hardware". Specifically,
Any system with a Host Security ID of 0 can easily be modified from userspace. PCs with confidential documents should have a HSI:3 or higher level of protection. In a graphical tool that would show details about the computer (such as GNOME Control Center’s details tab) the OS could display a field indicating Host Security ID. The ID should be shown with an alert color if the security is not at least HSI:1 or the suffix is !.
I think that:
- This check should run automatically and in regular intervals.
- When discovering either an "insecure state" or a downgrade of the hardware security level (e.g. from HSI:3 to HSI:1), users should be informed by a prominent (sticky) warning via the notification center.
- On clicking the notification, users should be provided specific and helpful information on what the problem is and how to fix it (or who to contact for help).1
- The warning for a specific security issue should need to be manually disabled for it to disappear from the notification center.
Please note that I have already reported this on the Fedora Workstation bugtracker because of the issue's high severity ("Any system with a Host Security ID of 0 can easily be modified from userspace."). The Fedora Workstation deferred tracking this issue to upstream (i.e. fwupd and GNOME) though ("[because of] this area […] being actively developed"), so I am now recreating the issue here.
-
Looking around on this tracker, it seems that 3) is currently tracked in #1990, with @superm1 suggesting in #2482 (comment 1745511) that there are multiple features of fwupd's command line tools that could potentially adress e.g. an HSI:0 state – among them the prompt to enable UEFI Secure Boot – that are currently not exposed to users.
↩