How to secure my system?

chrislg · 31 December 2022 10:24

I use proprietary Nvidia drivers

> fwupdmgr security
Host Security ID: HSI:1! (v1.8.8)

HSI-1
✔ CSME manufacturing mode:       Locked
✔ CSME override:                 Locked
✔ CSME v0:15.0.41.2158:          Valid
✔ MEI key manifest:              Valid
✔ Platform debugging:            Disabled
✔ SPI BIOS region:               Locked
✔ SPI lock:                      Enabled
✔ SPI write:                     Disabled
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI platform key:             Valid

HSI-2
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ IOMMU:                         Not found

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Intel CET Enabled:             Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled
✘ Pre-boot DMA protection:       Disabled

HSI-4
✔ Intel SMAP:                    Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ Intel CET Active:              Supported
✔ fwupd plugins:                 Untainted
✘ Linux kernel:                  Tainted
✘ Linux kernel lockdown:         Disabled
✘ Linux swap:                    Invalid
✘ UEFI secure boot:              Disabled

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Mirdarthos · 31 December 2022 10:36

This would be, at least, because of the proprietary nvidia drivers, possibly others as well, if you use any third-party drivers that’s not baked into the kernel.

Isn’t supported by Manjaro, AFAIK. And by very little other distributions, IIRC.

Linux, and thus Manjaro is by default very secure. So I wouldn’t worry if I were you.

TriMoon · 31 December 2022 11:55

Last time i tried Manjaro it worked with SecureBoot enabled in UEFI-BIOS, they seemed to use a properly signed shim/grub from ubuntu i think…

Keruskerfuerst · 31 December 2022 12:03

Is this computer connected to the internet ?
If yes, then you should use a firewall.

Nachlese · 31 December 2022 12:31

The question is ambiguous.
What kind of security do you have in mind?
Are you asking because of the messages about tainted kernel? That is because of the proprietary nvidia drivers you use.

Or are you asking about disabled secure boot?
The system does not get insecure through that - it’s only the boot process that is or is not “secure”.
You can remedy that, through quite some work.
For no benefit whatsoever though - IMO.

koshikas · 31 December 2022 12:48

https://wiki.archlinux.org/title/Security

TriMoon · 31 December 2022 13:04

You hit the nail on the head, the OP needs to define what he means by the topic title…

ps:

That can be enabled via a kernel command-line option used in your bootloader, but is not required for normal operation except very few special purposes.

Anyhow the output of that command fwupdmgr security does NOT show if your system is secure or not, it just shows the results of some checks it does and provides info.

The red crosses in the suffix listing are all related to SecureBoot being disabled, which can be enabled in your UEFI-BIOS.
But only do so if you use a signed boot loader !
(Else you will get a red screen with an error)

A safe baseline for security should be HSI-1. If your system isn’t at least meeting this criteria, you should adjust firmware setup options, contact your manufacturer or replace the hardware.

So you’re OKAY

Just as a reference on my system:

Host Security ID: HSI:INVALID:chassis[0xffffffff]

HSI-1
✔ ME manufacturing mode:         Locked
✔ ME override:                   Locked
✔ Platform Debugging:            Disabled
✔ SPI write:                     Disabled
✔ Supported CPU:                 Valid
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled
✘ MEI version:                   Failed
✘ SPI BIOS region:               Unlocked
✘ SPI lock:                      Disabled
✘ TPM v2.0:                      Not found

HSI-2
✔ IOMMU:                         Enabled
✔ Platform Debugging:            Locked
✘ Intel BootGuard:               Disabled
✘ Intel BootGuard ACM protected: Disabled
✘ Intel BootGuard OTP fuse:      Disabled
✘ Intel BootGuard verified boot: Disabled

HSI-3
✘ Intel BootGuard error policy:  Disabled
✘ Intel CET Enabled:             Not supported
✘ Pre-boot DMA protection:       Disabled
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✘ Encrypted RAM:                 Not supported
✘ Intel SMAP:                    Not supported

Runtime Suffix -!
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Disabled
✔ fwupd plugins:                 Untainted
✘ Linux kernel:                  Tainted

This system has a low HSI security level.
 » https://fwupd.github.io/hsi.html#low-security-level

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

The chasis is normal cause it’s a self-build computer, and the tainted kernel due to nVidia…