HSI2! level of security - Do I need to worry?

Dear Friends,

I noticed in the Device Security Report that my device is at a level of HSI:2! and the following are the failed tests:

HSI-1 Tests:
UEFI Secure Boot: ! Fail (Not Enabled)

HSI-2 Tests:
None

HSI-3 Tests:
Control-flow Enforcement Technology: ! Fail (Not Supported)

HSI-4 Tests:
Encrypted RAM: ! Fail (Not Supported)
AMD Secure Processor Rollback Protection: ! Fail (Not Enabled)

Runtime Tests:
Linux Kernel Lockdown: ! Fail (Not Enabled)

It has been mentioned at the end to refer to this link (https://fwupd.github.io/libfwupdplugin/hsi.html) for more information. However, it is quite difficult for me to interpret the consequences of my report.

Would you please advise me, based on this, do I need to tweak any parameters or make any modifications?

PS. Sorry I forgot to add the system details. It is an Asus Flow X13 laptop (GV302XA) with AMD Ryzen 9 7940HS w/ Radeon 780M Graphics.

It seems pretty explanatory to me;

According to that ranking these vulnerabilities are only theoretical, and therefore of little concern to a casual user.

I don't know if I agree with that ranking/description … however;

Secure boot is off. There exists endless information on this topic.

CET is not supported on your device. There is literally nothing you can do about this … and this vulnerability can only be leveraged by someone with local or physical access.

Encrypted RAM is not supported.
And ‘rollback protection’ is not enabled … meaning your system does not disallow downgrading firmware.

What it says … ‘lockdown’ (introduced in kernel 5.4) is not enabled.
Note it changes or disables a number of common features … hibernation among them.
See here about it and how to enable if you want
https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode

Manjaro does not natively support secure boot.

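The reply above separates findings the hardware cannot satisfy from settings that are merely switched off. As an added example (not written by anyone in this thread), the following parses the report in the form pasted in the first post and splits the failures along that line. The function names are hypothetical, and treating every "Not Enabled" result as changeable is an assumption, since not every firmware exposes the option.

```python
import re

# Report text as pasted in the first post of this thread.
REPORT = """\
HSI-1 Tests:
UEFI Secure Boot: ! Fail (Not Enabled)
HSI-2 Tests:
None
HSI-3 Tests:
Control-flow Enforcement Technology: ! Fail (Not Supported)
HSI-4 Tests:
Encrypted RAM: ! Fail (Not Supported)
AMD Secure Processor Rollback Protection: ! Fail (Not Enabled)
Runtime Tests:
Linux Kernel Lockdown: ! Fail (Not Enabled)
"""

SECTION = re.compile(r"^(HSI-\d+|Runtime) Tests:\s*$")
FAILURE = re.compile(r"^(?P<name>.+?):\s*!\s*Fail\s*\((?P<reason>[^)]+)\)\s*$")


def parse_failures(text):
    """Return {section: [(test name, reason), ...]} for each failed test."""
    failures, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif (m := FAILURE.match(line)) and section:
            failures.setdefault(section, []).append((m["name"], m["reason"]))
    return failures


def triage(failures):
    """Split failures into possibly changeable settings and hardware limits."""
    # Assumption: "Not Supported" means the hardware lacks the feature, while
    # "Not Enabled" means a firmware or OS setting may be able to turn it on.
    changeable, hardware = [], []
    for section, items in failures.items():
        for name, reason in items:
            bucket = hardware if reason == "Not Supported" else changeable
            bucket.append((section, name))
    return changeable, hardware


if __name__ == "__main__":
    changeable, hardware = triage(parse_failures(REPORT))
    print("Hardware limits:", hardware)
    print("Worth reviewing:", changeable)
```
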

Thank you very much. Indeed, it is very helpful. I am new to most of these terminologies and a bit nervous with the phrase “Risky state”.