-
Notifications
You must be signed in to change notification settings - Fork 411
Host security ID runtime issues
The Host Security ID specification calls out specific firmware, platform and runtime configuration options be properly configured to attest to appropriate security.
If runtime items are not being met on your platform, security level checks should not be trusted.
To determine your host security ID and specific problems, update to fwupd 1.5.0 or later and run:
$ fwupdmgr security
When your host security ID has a ! at the end, this means that runtime checks have failed. All runtime measures can be directly adjusted by a system administrator.
The Linux kernel has been tainted. This means that the kernel has untrusted kernel code loaded which may affect the security of the system. All other security measure can not be trusted.
To fix this issue, reboot your system and avoid loading untrusted kernel modules.
The running Linux kernel doesn't support kernel lockdown. The Lockdown feature in Linux is mainly intended to prevent root account from tampering with kernel code, thus drawing a line between userland processes and the code.
To fix this issue, update to kernel 5.4 or later.
The running Linux kernel supports lockdown but it is disabled. To modify lockdown either modify the sysfs attribute /sys/kernel/security/lockdown
or set it on the kernel command line.
The swap partition is used to store data on the disk when the system is under memory pressure. If the swap partition is not encrypted it may contain sensitive data that can be accessed by an adversary.
To fix this issue either:
- Remove the swap partition
- Choose an encrypted swap partition
- Create and use an encrypted swap file instead.
Some information on how to convert an unencrypted swap partition is available here: https://blogs.gnome.org/hughsie/2020/05/14/converting-to-encrypted-swap/
NOTE: There is a bug in fwupd where encrypted swap stored within LVM2 is not detected properly. If you have this configuration, you can ignore this error for now.
The fwupd daemon on the system is running untrusted code. The calculation for Host Security ID can't be trusted.
To solve this issue remove untrusted code from the fwupd plugin load directory.
The fwupd daemon has been launched with a plugin whitelist or the plugin blacklist has been modified and the results can't be trusted.
To solve this issue launch the daemon without a plugin whitelist and restore the BlacklistPlugins
key in daemon.conf
to the original value.