Public bug reported:
GUI: Linux Ubuntu gives at Settings->Privacy & Security:
Device Security
Checks Failed:
Hardware does not pass checks.
This means that you are not protected against common hardware issues.
This can be regarded as a false positive in the case the internal flasher is
locked down because it is not possible then to write to the firmware memory.
But fwupd does not check for this situation.
flashrom does this.
False alarms are annoying and a waste of time.
According to Google Gemini this situation is common on cheap household systems.
CLI: sudo flashrom -p internal
Enabling flash write... SPI Configuration is locked down.
Enabling hardware sequencing because some important opcode is locked.
CLI: sudo fwupdmgr security
✘ csme manufacturing mode: Unlocked
✘ SPI lock: Disabled
✘ SPI BIOS region: Unlocked
There is a discrepancy here. flashrom says SPI lock is enabled. But fwupdmgr says
it is Disabled.
flashrom says important opcode is locked. But fwupdmgr says csme is Unlocked.
flashrom enabled hardware sequencing in order to open the firmware read only in
order to be able to make a dump from the firmware.
So the logic should be first to check with flashrom to check if the
internal flash rom writer allows writing to the flash rom. And if that
is possible then to check with fwupd the security.
CLI: lsb_release -rd
Description: Ubuntu 24.04.3 LTS
CLI: apt-cache policy fwupd
Installed: 1.9.31-0ubuntu1~24.04.1
CLI: apt-cache policy flashrom
Installed: 1.3.0-2.1ubuntu2
** Affects: fwupd (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2125511
Title:
false positive claiming device is unsecure
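
The check order proposed in the report, sketched as an added example (not code from fwupd, flashrom or the reporter): it parses the two outputs quoted in the report and relabels the SPI findings for manual review when flashrom prints its "locked down" message. The function names are hypothetical, the sample text is copied from the report, and treating the flashrom message as describing the same setting that fwupd reports is the report's assumption.

```python
import re

# Sample output copied from the report above (not captured by this script).
FLASHROM_OUT = """\
Enabling flash write... SPI Configuration is locked down.
Enabling hardware sequencing because some important opcode is locked.
"""
FWUPD_OUT = """\
✘ csme manufacturing mode: Unlocked
✘ SPI lock: Disabled
✘ SPI BIOS region: Unlocked
"""

def flashrom_reports_lockdown(text):
    """True if flashrom printed its 'locked down' message."""
    return "SPI Configuration is locked down" in text

def fwupd_failures(text):
    """Return [(check name, reported value)] for every line marked with ✘."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*✘\s*(.+?):\s*(.+?)\s*$", line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def triage(flashrom_text, fwupd_text):
    """Apply the order proposed in the report: flashrom first, then fwupd.

    Nothing is suppressed. SPI findings are only relabelled 'review' when
    flashrom reports a lockdown, so a human compares the two tools.
    The csme line stays 'failed' here (an assumption of this example)
    because the quoted flashrom output does not mention CSME.
    """
    locked = flashrom_reports_lockdown(flashrom_text)
    result = {}
    for name, value in fwupd_failures(fwupd_text):
        is_spi = name.upper().startswith("SPI")
        result[name] = (value, "review" if locked and is_spi else "failed")
    return result

if __name__ == "__main__":
    for name, (value, status) in triage(FLASHROM_OUT, FWUPD_OUT).items():
        print(f"{status:7} {name}: {value}")
```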