dasharo-issues
Dasharo Enterprise roadmap for reaching fwupd HSI-4 security level
The problem you're addressing (if any)
Not all checks pass in `fwupdmgr security`:
```
Host Security ID: HSI:0 (v1.8.15)
HSI-1
✔ CSME override: Locked
✔ CSME v0:16.1.25.1865: Valid
✔ MEI key manifest: Valid
✔ Platform debugging: Disabled
✔ SPI BIOS region: Locked
✔ SPI lock: Enabled
✔ SPI write: Disabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
✘ CSME manufacturing mode: Unlocked
HSI-2
✔ IOMMU: Enabled
✔ Intel BootGuard: Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse: Valid
✔ Intel BootGuard verified boot: Valid
✔ Platform debugging: Locked
✘ TPM PCR0 reconstruction: Invalid
HSI-3
✔ Intel BootGuard error policy: Valid
✔ Intel CET Enabled: Enabled
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Intel CET Active: Supported
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: Untainted
```
Describe the solution you'd like
Fix the issues to reach HSI-4:

- CSME manufacturing mode: Unlocked
  - requires a locked flash descriptor to pass (will render the ME Disabled HAP option unusable; besides, HSI requires the ME to be available to query the fuses and Boot Guard state)
- TPM PCR0 reconstruction: Invalid
  - will be fixed by solving https://github.com/Dasharo/dasharo-issues/issues/455
- Encrypted RAM: Not supported
  - ~~for some reason TME seems not to be active when Boot Guard is enabled. Needs further investigation.~~ https://github.com/Dasharo/dasharo-issues/issues/464: TME not supported by the CPUs
Where is the value to a user, and who might that user be?
First professionally secured laptop with open-source firmware reaching HSI-4
Describe alternatives you've considered
No response
Additional context
No response
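HSI levels are cumulative: a platform is rated at level N only when every attribute in levels 1..N passes, which is why the report above shows `HSI:0` despite most checks passing. The following parser is an added example, not code from the Dasharo issue or from fwupd; it reads the plain-text `fwupdmgr security` layout quoted in this issue (a `HSI-N` header line followed by `✔`/`✘` result lines, with the value after the last `: `) and reports the computed level and the failing attributes that block each level. The sample input is a trimmed copy of the output above, embedded inline so the script runs offline; the function names are the example's own.

```python
import re

# Constructed sample input: a trimmed copy of the `fwupdmgr security`
# output quoted in this issue (attribute names and values kept verbatim).
SAMPLE_OUTPUT = """\
Host Security ID: HSI:0 (v1.8.15)
HSI-1
✔ CSME override: Locked
✔ CSME v0:16.1.25.1865: Valid
✔ SPI BIOS region: Locked
✔ UEFI secure boot: Enabled
✘ CSME manufacturing mode: Unlocked
HSI-2
✔ IOMMU: Enabled
✔ Intel BootGuard: Enabled
✘ TPM PCR0 reconstruction: Invalid
HSI-3
✔ Intel BootGuard error policy: Valid
✔ Pre-boot DMA protection: Enabled
HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
"""

HEADER_RE = re.compile(r"^Host Security ID:\s+HSI:(\d+)")
LEVEL_RE = re.compile(r"^HSI-(\d+)$")


def parse_security_report(text):
    """Return (reported_level, {level: [(name, value, passed)]}, [runtime checks]).

    reported_level is None if the Host Security ID header is absent.
    """
    reported = None
    levels = {}
    runtime = []
    current = None  # int level, "runtime", or None before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            reported = int(m.group(1))
            continue
        m = LEVEL_RE.match(line)
        if m:
            current = int(m.group(1))
            levels.setdefault(current, [])
            continue
        if line.startswith("Runtime Suffix"):
            current = "runtime"
            continue
        if line[0] in "✔✘" and current is not None:
            # Attribute names may themselves contain ':' ("CSME v0:16.1.25.1865"),
            # so split name from value on the LAST ": " occurrence.
            name, _, value = line[1:].strip().rpartition(": ")
            entry = (name, value, line[0] == "✔")
            (runtime if current == "runtime" else levels[current]).append(entry)
    return reported, levels, runtime


def achieved_level(levels):
    """Levels are cumulative: level N counts only if levels 1..N all pass."""
    achieved = 0
    for n in sorted(levels):
        if n != achieved + 1 or not all(ok for _, _, ok in levels[n]):
            break
        achieved = n
    return achieved


def blocking_checks(levels):
    """Failing attributes per level, only for levels with at least one failure."""
    out = {}
    for n, checks in sorted(levels.items()):
        failed = [(name, value) for name, value, ok in checks if not ok]
        if failed:
            out[n] = failed
    return out


if __name__ == "__main__":
    reported, levels, runtime = parse_security_report(SAMPLE_OUTPUT)
    print(f"reported HSI:{reported}, computed HSI:{achieved_level(levels)}")
    for n, failed in blocking_checks(levels).items():
        for name, value in failed:
            print(f"HSI-{n} blocked by: {name}: {value}")
```

Run against the sample it prints a computed level of 0, matching the header, and lists the three blockers from the issue (one each at HSI-1, HSI-2 and HSI-4). Fixing only the HSI-1 entry would move the computed level to 1, with `TPM PCR0 reconstruction` then gating HSI-2; to check a live machine, pipe `fwupdmgr security` output into `parse_security_report` instead of the constant.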