Bug#1055163: gnome-control-center: Intel Management Engine disabled in BIOS but reporting out-of-date (active)
Steven Jay Cohen
steven.jay.cohen at gmail.com
Wed Nov 1 12:37:41 GMT 2023
Package: gnome-control-center
Version: 1:45.1-1
Severity: normal
X-Debbugs-Cc: steven.jay.cohen at gmail.com
Dear Maintainer,
Gnome-Control-Center > Privacy > Device Security
Security Events:
Intel Management Engine Version
The Intel Management Engine controls device components and needs to have a
recent version to avoid security issues.
I booted into the BIOS and found that IME was already disabled and has been
since before the original Linux Install on this device.
SUGGESTION:
Can IME state be detected?
If so, is this still an issue?
If it is not an issue, then it should not be reported or it should be reported
differently and not treated as a Security Event Failure.
Disabling IME reports as LOCKED (see below), which is why a valid IME version
is not being reported back.
So, if both IME Mode and IME Override report back Pass (Locked) and IME Version
reports back (Not Valid), then IME is Disabled, right?
Device Security Report
======================
Report details
Date generated: 2023-11-01 08:28:16
fwupd version: 1.9.6
System details
Hardware model: Dell Inc. Latitude 7210 2-in-1
Processor: Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz
OS: Debian GNU/Linux trixie/sid
Security level: HSI:0! (v1.9.6)
HSI-1 Tests
Firmware BIOS Region: Pass (Locked)
UEFI Platform Key: Pass (Valid)
UEFI Bootservice Variables: Pass (Locked)
MEI Key Manifest: Pass (Valid)
TPM v2.0: ! Fail (Not Found)
Firmware Write Protection Lock: Pass (Enabled)
Platform Debugging: Pass (Not Enabled)
Intel Management Engine Manufacturing Mode: Pass (Locked)
UEFI Secure Boot: Pass (Enabled)
BIOS Firmware updates: Pass (Enabled)
Firmware Write Protection: Pass (Not Enabled)
Intel Management Engine Override: Pass (Locked)
Intel Management Engine Version: ! Fail (Not Valid)
HSI-2 Tests
Platform Debugging: Pass (Locked)
Intel BootGuard ACM Protected: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Intel BootGuard Fuse: Pass (Valid)
Intel GDS Mitigation: Pass (Enabled)
BIOS Rollback Protection: ! Fail (Not Enabled)
Intel BootGuard Verified Boot: Pass (Valid)
Intel BootGuard: Pass (Enabled)
HSI-3 Tests
Intel CET: ! Fail (Not Supported)
Intel BootGuard Error Policy: Pass (Valid)
Pre-boot DMA Protection: Pass (Enabled)
Suspend To RAM: Pass (Not Enabled)
Suspend To Idle: Pass (Enabled)
HSI-4 Tests
Encrypted RAM: ! Fail (Not Supported)
Intel SMAP: Pass (Enabled)
Runtime Tests
Firmware Updater Verification: Pass (Not Tainted)
Linux Swap: ! Fail (Not Encrypted)
Linux Kernel Lockdown: Pass (Enabled)
Linux Kernel Verification: Pass (Not Tainted)
Host security events
2022-07-05 18:46:50 Intel Management Engine Versi! Fail (Valid → Not Valid)
For information on the contents of this report, see
https://fwupd.github.io/hsi.html
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-control-center depends on:
ii accountsservice 23.13.9-4
ii apg 2.2.3.dfsg.1-5+b2
ii colord 1.4.6-3
ii desktop-base 12.0.6+nmu1
ii desktop-file-utils 0.26-1
ii gnome-control-center-data 1:45.1-1
ii gnome-desktop3-data 44.0-2
ii gnome-settings-daemon 45.0-1
ii gsettings-desktop-schemas 45.0-1
ii libaccountsservice0 23.13.9-4
ii libadwaita-1-0 1.4.0-1
ii libc6 2.37-12
ii libcairo2 1.18.0-1
ii libcolord-gtk4-1 0.3.0-4
ii libcolord2 1.4.6-3
ii libcups2 2.4.7-1
ii libepoxy0 1.5.10-1
ii libfontconfig1 2.14.2-6
ii libgcr-base-3-1 3.41.1-3
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libglib2.0-0 2.78.0-2
ii libgnome-bg-4-2 44.0-2
ii libgnome-bluetooth-ui-3.0-13 42.6-1
ii libgnome-desktop-4-2 44.0-2
ii libgnome-rr-4-2 44.0-2
ii libgnutls30 3.8.1-4+b1
ii libgoa-1.0-0b 3.48.0-2
ii libgoa-backend-1.0-1 3.48.0-2
ii libgsound0 1.0.3-2
ii libgtk-3-0 3.24.38-5
ii libgtk-4-1 4.12.3+ds-1
ii libgtop-2.0-11 2.40.0-2
ii libgudev-1.0-0 238-2
ii libibus-1.0-5 1.5.29~rc1-1
ii libkrb5-3 1.20.1-5
ii libmalcontent-0-0 0.11.1-1
ii libmm-glib0 1.22.0-1
ii libnm0 1.44.2-3
ii libnma-gtk4-0 1.10.6-1
ii libpango-1.0-0 1.51.0+ds-2
ii libpangocairo-1.0-0 1.51.0+ds-2
ii libpolkit-gobject-1-0 123-3
ii libpulse-mainloop-glib0 16.1+dfsg1-2+b1
ii libpulse0 16.1+dfsg1-2+b1
ii libpwquality1 1.4.5-1+b1
ii libsecret-1-0 0.21.1-1
ii libsmbclient 2:4.19.2+dfsg-1
ii libsnapd-glib-2-1 1.63-5
ii libudisks2-0 2.10.1-2
ii libupower-glib3 1.90.2-6
ii libwacom9 2.8.0-1
ii libx11-6 2:1.8.7-1
ii libxi6 2:1.8-1+b1
ii libxml2 2.9.14+dfsg-1.3
ii tecla 45.0-1
ii webp-pixbuf-loader 0.2.4-2
Versions of packages gnome-control-center recommends:
ii cracklib-runtime 2.9.6-5+b1
ii cups-pk-helper 0.2.6-1+b1
ii fwupd 1.9.6-1
ii gnome-bluetooth-sendto 42.6-1
ii gnome-online-accounts 3.48.0-2
ii gnome-remote-desktop 44.2-6
ii gnome-user-docs 45.1-1
ii gnome-user-share 43.0-1
ii iso-codes 4.15.0-1
ii libcanberra-pulse 0.30-11
ii libnss-myhostname 254.5-1
ii libspa-0.2-bluetooth 0.3.83-1
pn malcontent-gui <none>
ii network-manager-gnome 1.34.0-1
ii polkitd 123-3
ii power-profiles-daemon 0.13-2
ii realmd 0.17.1-2
ii rygel 0.42.4-1+b1
ii rygel-tracker 0.42.4-1+b1
ii system-config-printer-common 1.5.18-1
Versions of packages gnome-control-center suggests:
ii gnome-software 45.1-1
ii gstreamer1.0-pulseaudio 1.22.6-1+b1
ii pkexec 123-3
ii x11-xserver-utils 7.7+9+b1
-- no debconf information
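
The check the reporter proposes, sketched over the text of the Device Security Report; this is an added example, not part of the original report and not fwupd or gnome-control-center code. The "looks disabled" rule is the reporter's unconfirmed hypothesis, and the level rule in `hsi_level` is an assumption chosen to reproduce the `HSI:0!` shown above; all function names are hypothetical.

```python
import re

# Constructed sample: a subset of the result lines from the report above.
SAMPLE_REPORT = """\
HSI-1 Tests
TPM v2.0: ! Fail (Not Found)
Intel Management Engine Manufacturing Mode: Pass (Locked)
Intel Management Engine Override: Pass (Locked)
Intel Management Engine Version: ! Fail (Not Valid)
HSI-2 Tests
BIOS Rollback Protection: ! Fail (Not Enabled)
Runtime Tests
Linux Swap: ! Fail (Not Encrypted)
"""

SECTION = re.compile(r"^(HSI-\d+|Runtime) Tests$")
RESULT = re.compile(r"^(?P<name>.+?):\s*(?:!\s*)?(?P<verdict>Pass|Fail)\s*\((?P<state>[^)]*)\)$")

def parse_report(text):
    """Return {section: {test name: (verdict, state)}}; non-result lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = RESULT.match(line)
        if m and current is not None:
            current[m["name"]] = (m["verdict"], m["state"])
    return sections

def me_looks_disabled(sections):
    """Reporter's hypothesis (unconfirmed): mode and override locked, version not valid."""
    hsi1 = sections.get("HSI-1", {})
    return (hsi1.get("Intel Management Engine Manufacturing Mode") == ("Pass", "Locked")
            and hsi1.get("Intel Management Engine Override") == ("Pass", "Locked")
            and hsi1.get("Intel Management Engine Version") == ("Fail", "Not Valid"))

def hsi_level(sections, ignore=()):
    """Assumed rule: highest tier with no failure at or below it; '!' = runtime failure."""
    level = 0
    for n in range(1, 5):
        tests = sections.get(f"HSI-{n}", {})
        if not tests or any(v == "Fail" and name not in ignore for name, (v, _) in tests.items()):
            break
        level = n
    runtime_fail = any(v == "Fail" for v, _ in sections.get("Runtime", {}).values())
    return f"HSI:{level}" + ("!" if runtime_fail else "")
```

Passing `ignore=("Intel Management Engine Version",)` shows that on this machine the level would stay at `HSI:0!` even if the version finding were suppressed, because the TPM test in HSI-1 also fails.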