fwupdmgr security reports disabled SPI write protection
lunarlattice0 opened this issue · 7 comments
Describe the bug
fwupdmgr security reports that SPI write protection is disabled, when it should be enabled. Additionally, CET OS support is marked as "Not supported".
Steps to Reproduce
Run fwupdmgr security
Expected behavior
It is expected that SPI write protection is enabled.
fwupd version information
compile com.hughsie.libxmlb 0.3.15
compile com.hughsie.libjcat 0.2.1
runtime org.freedesktop.fwupd-efi 1.4
compile org.freedesktop.gusb 0.4.8
runtime com.hughsie.libjcat 0.2.1
runtime org.freedesktop.gusb 0.4.8
runtime org.freedesktop.fwupd 1.9.15
runtime org.kernel 6.7.9-200.fc39.x86_64
Please note how you installed it (apt, dnf, pacman, source, etc):
Fedora Silverblue Flatpak Repository
**fwupd device information**
Please provide the output of the fwupd devices recognized in your system.
│
├─Lenovo USB-C Mini Dock:
│ │ Device ID: da77984c82b59c6fc69516431f467fd9a8d39a7f
│ │ Summary: USB 3.x hub
│ │ Current version: 4.154
│ │ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ │ Install Duration: 15 seconds
│ │ GUIDs: fd4b20d3-2612-5743-ad85-5c3065361c51
│ │ f281c1df-c3d5-5f8a-984d-e9548ffc95fe ← USB\VID_17EF&PID_3094
│ │ ce8b3f6c-9ddd-5d50-b3f8-e87e72d2aacc ← USB\VID_17EF&PID_3094&HUB_0012
│ │ e62c5403-daa6-5482-9e9e-74666884ce43 ← USB\VID_17EF&PID_3094&SPI_C223
│ │ 75b11f2d-86b6-5ecc-912e-a2a649f334d5 ← USB\VID_17EF&PID_3094&SPI_C223&REV_04F4
│ │ Device Flags: • Updatable
│ │ • Cryptographic hash verification is available
│ │ • Device stages updates
│ │ • Device can recover flash failures
│ │ • Unsigned Payload
│ │
│ ├─Lenovo USB-C Mini Dock:
│ │ │ Device ID: 983c3cffc6fd36d32b00b62928d30721eaeb93db
│ │ │ Summary: USB 3.x hub
│ │ │ Current version: 4.154
│ │ │ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ │ │ Install Duration: 15 seconds
│ │ │ GUIDs: fd4b20d3-2612-5743-ad85-5c3065361c51 ← USB\VID_17EF&PID_3095
│ │ │ 2b337b4f-fc17-520d-8d93-095a9bfd6ba8 ← USB\VID_17EF&PID_3095&HUB_32
│ │ │ 152db1ae-acd6-5b6d-aad2-178ec2af5199 ← USB\VID_17EF&PID_3095&SPI_C223
│ │ │ 8ce1ac09-39f9-51a5-9468-74433dfa575f ← USB\VID_17EF&PID_3095&SPI_C223&REV_04F4
│ │ │ Device Flags: • Updatable
│ │ │ • Cryptographic hash verification is available
│ │ │ • Device stages updates
│ │ │ • Device can recover flash failures
│ │ │ • Unsigned Payload
│ │ │
│ │ ├─Lenovo USB-C Mini Dock:
│ │ │ Device ID: d0950b8556ed65b4b8e8bfa3809fdb849005f298
│ │ │ Summary: USB 3.x hub
│ │ │ Current version: 4.93
│ │ │ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ │ │ Install Duration: 15 seconds
│ │ │ GUIDs: d636c717-44c4-5fcf-9d7f-b96f9c5f6608 ← USB\VID_17EF&PID_3097
│ │ │ baad4a7c-54ab-5e9e-87e5-d01951331c47 ← USB\VID_17EF&PID_3097&HUB_20
│ │ │ 64e5798a-d055-5c45-a64e-9d8997785f6b ← USB\VID_17EF&PID_3097&SPI_C223
│ │ │ 8ecbf33f-a3a5-5125-af6c-473a51552ba1 ← USB\VID_17EF&PID_3097&SPI_C223&REV_0493
│ │ │ Device Flags: • Updatable
│ │ │ • Cryptographic hash verification is available
│ │ │ • Device stages updates
│ │ │ • Device can recover flash failures
│ │ │ • Unsigned Payload
│ │ │
│ │ └─Lenovo USB-C Mini Dock:
│ │ │ Device ID: 42f81e42b1e21ceb211b345766cfd39439cb242f
│ │ │ Summary: USB 2.x hub
│ │ │ Current version: 0.1
│ │ │ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ │ │ Install Duration: 15 seconds
│ │ │ GUIDs: e4938bb1-4d94-506d-b5c2-f246c5ab678f ← USB\VID_17EF&PID_3093
│ │ │ 5e51f122-8cfa-5f38-b44f-65aeb7a10cdb ← USB\VID_17EF&PID_3093&SPI_C223
│ │ │ 9e15c2bc-b293-55d7-827f-63e32c7edbfd ← USB\VID_17EF&PID_3093&SPI_C223&REV_0001
│ │ │ Device Flags: • Updatable
│ │ │ • Cryptographic hash verification is available
│ │ │ • Device stages updates
│ │ │ • Device can recover flash failures
│ │ │ • Unsigned Payload
│ │ │
│ │ └─rtd21xx:
│ │ Device ID: acdd770bff9e8a79a03cab054be4ad01faaec4e4
│ │ Current version: 1.3
│ │ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ │ Install Duration: 1 minute
│ │ GUID: 4850cd49-308e-588a-851b-e61e8069a8ae ← USB\VID_17EF&PID_3093&I2C_rtd21xx
│ │ Device Flags: • Updatable
│ │ • Device stages updates
│ │
│ └─vl103:
│ Device ID: fe008de085345975906d64be2af7cc99f36724ca
│ Summary: USB-C power delivery device
│ Current version: 138.4.25.38
│ Vendor: VIA Labs, Inc. (USB:0x17EF)
│ Install Duration: 15 seconds
│ GUIDs: 3ae6610b-5c33-5714-96e3-05735eb9b2a5 ← USB\VID_17EF&PID_721C
│ 45c1e8ab-6e61-548e-ae06-5a35394e5c02 ← USB\VID_17EF&PID_721C&DEV_vl103
│ 316f754e-057b-57e9-b820-9020c44a04eb ← USB\VID_17EF&PID_721C&APP_26
│ Device Flags: • Updatable
│ • Cryptographic hash verification is available
│ • Device can recover flash failures
│
├─AMD Ryzen 5 PRO 5650U with Radeon Graphics:
│ │ Device ID: 4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│ │ Current version: 0x0a50000d
│ │ Vendor: Advanced Micro Devices, Inc.
│ │ GUIDs: 79759cdc-94db-5098-be7b-eb02521fbbec ← CPUID\PRO_0&FAM_19&MOD_50
│ │ 20b595b0-5892-5870-8e4c-688133ad6e34 ← CPUID\PRO_0&FAM_19&MOD_50&STP_0
│ │ Device Flags: • Internal device
│ │
│ ├─Graphics Processing Unit (GPU):
│ │ │ Device ID: 310f45f1f223064b5c16bf6dff31146755a64480
│ │ │ Summary: Cezanne Generic VBIOS
│ │ │ Current version: 017.010.000.031.000000
│ │ │ Vendor: Advanced Micro Devices, Inc. [AMD/ATI] (PCI:0x1002)
│ │ │ GUID: 85ceb154-4376-5557-bdc1-46d9eac0f5f0 ← AMD\113-CEZANNE-021
│ │ │ Device Flags: • Internal device
│ │ │
│ │ └─N140HCG-GQ2:
│ │ Device ID: aec1a869eb0df71b7cea6b3ac71d39b830faf164
│ │ GUID: 448dbe25-c15c-562a-9329-0b27d235194f ← DRM\VEN_CMN&DEV_14F2
│ │ Device Flags: • Internal device
│ │
│ ├─Secure Processor:
│ │ Device ID: c54ab0237d7a8db8c717b68e0be78e4374a2a079
│ │ Current version: 00.11.00.81
│ │ Bootloader Version: 00.11.00.81
│ │ Vendor: Advanced Micro Devices, Inc. (PCI:0x1022)
│ │ GUIDs: 0e8dc554-a0a2-51fb-b439-1eb72b14ec38 ← PCI\VEN_1022&DEV_15DF
│ │ 32bb3b55-393f-5c5b-a7ea-6232419a4436 ← PCI\VEN_1022&DEV_15DF&SUBSYS_17AA5095
│ │ Device Flags: • Internal device
│ │
│ └─System Management Unit (SMU):
│ Device ID: db0330716216c629bb2c07256e5d018f499eb6ce
│ Summary: Microcontroller used within CPU/APU program 0
│ Current version: 64.71.0
│ Vendor: Advanced Micro Devices, Inc.
│ GUID: 165feb35-d368-5388-b2ab-c513021bf019 ← /sys/devices/platform/AMDI0005:00
│ Device Flags: • Internal device
│
├─GPIO controller:
│ Device ID: f685512aa07369c9e77742acef941d779d31e766
│ GUID: 37b440a9-2473-5087-a39b-db84f32a8ed8 ← GPIO\ID_AMDI0030:00
│
├─Integrated Camera:
│ Device ID: 301046452a49d84af6356d23e43a684b8f10660f
│ Current version: 58.18
│ Vendor: Chicony Electronics Co.,Ltd. (USB:0x04F2)
│ Serial Number: 0001
│ GUID: 95b07a8e-2063-5025-80b5-1fcf4ca8e9e3 ← USB\VID_04F2&PID_B6CB
│ Device Flags: • Updatable
│
├─System Firmware:
│ │ Device ID: 349bb341230b1a86e5effe7dfe4337e1590227bd
│ │ Summary: UEFI ESRT device
│ │ Current version: 0.1.28
│ │ Vendor: Lenovo (DMI:LENOVO)
│ │ Update State: Success
│ │ GUID: 66d47c53-a746-4495-a444-e6b26a04906d
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • System requires external power source
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Cryptographic hash verification is available
│ │ • Device is usable for the duration of the update
│ │ Device Requests: • Message
│ │
│ └─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 220
│ Minimum Version: 220
│ Vendor: UEFI:Linux Foundation
│ Install Duration: 1 second
│ GUIDs: 5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│
├─TPM:
│ Device ID: c6a80ac3a22083423992a3cb15018989f37834d6
│ Current version: 7.2.2.0
│ Vendor: Nuvoton Technology (TPM:NTC)
│ GUIDs: fac1c8f3-73c8-5cd6-8330-07a3690b5140 ← TPM\VEN_NTC&DEV_0000
│ e4a6bfd6-81ba-5d6a-bb28-84be07ee7a29 ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls
│ e9ccc1dc-960a-5e09-afe9-e59a904b776d ← TPM\VEN_NTC&DEV_0000&VER_2.0
│ 5a6b5ab6-c483-5eec-8a34-23a6d6d120bd ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls&VER_2.0
│ Device Flags: • Internal device
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device can recover flash failures
│ • Full disk encryption secrets may be invalidated when updating
│ • Signed Payload
│
├─UEFI Device Firmware:
│ Device ID: a45df35ac0e948ee180fe216a5f703f32dda163f
│ Summary: UEFI ESRT device
│ Current version: 22552
│ Minimum Version: 1
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: c57877cd-5f62-4d07-a449-06a15cbb1d8e
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Device Firmware:
│ Device ID: 2292ae5236790b47884e37cf162dcf23bfcd1c60
│ Summary: UEFI ESRT device
│ Current version: 252051731
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 88440680-8493-43d8-b1cb-51992223a226
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Device Firmware:
│ Device ID: f95c9218acd12697af946874bfe4239587209232
│ Summary: UEFI ESRT device
│ Current version: 16777221
│ Minimum Version: 1
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 79716052-11cc-49c8-a36e-b23f3e6e5936
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Device Firmware:
│ Device ID: d96de5c124b60ed6241ebcb6bb2c839cb5580786
│ Summary: UEFI ESRT device
│ Current version: 117572096
│ Minimum Version: 117572096
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: cba4dba6-7351-ba69-7d7c-994f0c84f98d
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Device Firmware:
│ Device ID: f37fb01122dd62c773f4e84ec89737e059712d59
│ Summary: UEFI ESRT device
│ Current version: 65564
│ Minimum Version: 65564
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 4bea12df-56e3-4cdb-97dd-f133768c9051
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Device Firmware:
│ Device ID: 36efb79c255f402f619fa9eb53cd659db51f2a04
│ Summary: UEFI ESRT device
│ Current version: 0
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 3954e118-d997-4499-b917-d4c454e4b124
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
├─UEFI Platform Key:
│ Device ID: 6924110cde4fa051bfdc600a60620dc7aa9d3c6a
│ Summary: Lenovo Ltd. PK CA 2012
│ Vendor: Lenovo Ltd.
│ GUID: 71599d14-9b31-5270-b3bd-74c494585820 ← UEFI\CRT_9AEF2123F4DE7C19AFABD909BB2C8CAC4411E07E
│
├─Unifying Receiver:
│ Device ID: 4caa6e59d5a867dbb4e8f699b39a875f63afc6ec
│ Summary: Miniaturised USB wireless receiver
│ Current version: RQR12.10_B0032
│ Bootloader Version: BOT01.02_B0014
│ Vendor: Logitech, Inc. (HIDRAW:0x046D, USB:0x046D)
│ Install Duration: 30 seconds
│ GUIDs: 9d131a0c-a606-580f-8eda-80587250b8d6
│ 279ed287-3607-549e-bacc-f873bb9838c4 ← HIDRAW\VEN_046D&DEV_C52B
│ Device Flags: • Updatable
│ • Supported on remote server
│ • Unsigned Payload
│
└─WDC PC SN730 SDBQNTY-512G-1001:
Device ID: 71b677ca0f1bc2c5b804fa1d59e52064ce589293
Summary: NVM Express solid state drive
Current version: 11170101
Vendor: Sandisk Corp (NVME:0x15B7)
Serial Number: 213758801583
GUIDs: fccbb6ea-e20e-58ad-bf8a-7fb7d43ff4c2 ← NVME\VEN_15B7&DEV_5006
12c86995-0b90-5ec5-98f3-7a6ed4ca50e0 ← NVME\VEN_15B7&DEV_5006&SUBSYS_15B75006
06b4e2aa-91af-508b-b06e-65e3b3189e97 ← WDC PC SN730 SDBQNTY-512G-1001
Device Flags: • Internal device
• Updatable
• System requires external power source
• Supported on remote server
• Needs a reboot after installation
• Device is usable for the duration of the update
────────────────────────────────────────────────
Devices that have been updated successfully:
• System Firmware (0.1.27 → 0.1.28)
• UEFI dbx (371 → 371)
Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.
Additional questions
- Operating system and version: Fedora Silverblue 39
- Have you tried rebooting? Yes, and I have tried resetting BIOS to defaults, and resetting secure boot keys to defaults.
- Is this a regression? Unsure if this is an issue with the laptop, or with fwupd.
fwupd security report:
HSI-1
✔ BIOS firmware updates: Enabled
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ SPI write protection: Disabled
HSI-3
✔ SPI replay protection: Enabled
✔ CET Platform: Supported
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM: Encrypted
✔ SMAP: Enabled
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✘ CET OS Support: Not supported
This system has HSI runtime issues.
» https://fwupd.github.io/hsi.html#hsi-runtime-suffix
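The report above is what `fwupdmgr security` prints for humans; when triaging a fleet it helps to turn it into a machine-readable result. The following is an added example for this thread, not fwupd code: it parses a report in the layout shown above (one `HSI-N` header per level, a `Runtime Suffix` header for the runtime attributes, one attribute per line marked with ✔ or ✘), derives the HSI level the way the spec describes it (a level is only reached when every attribute at that level and all lower levels passes, and a `!` suffix is appended when any runtime attribute fails), and lists the failing attributes. The pass/fail decision is taken from the tick mark, not from the result text, because a result such as "Disabled" is a pass for some attributes (Suspend-to-ram) and a fail for others (SPI write protection). The embedded sample is a constructed copy of the report posted in this issue.

```python
"""Parse `fwupdmgr security` text output and derive the HSI level.

Added example for this issue thread; not part of fwupd. It assumes the
report layout shown in the issue body. SAMPLE_REPORT is a constructed
copy of the report posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = """\
HSI-1
✔ BIOS firmware updates: Enabled
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ SPI write protection: Disabled
HSI-3
✔ SPI replay protection: Enabled
✔ CET Platform: Supported
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM: Encrypted
✔ SMAP: Enabled
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
✘ CET OS Support: Not supported
This system has HSI runtime issues.
» https://fwupd.github.io/hsi.html#hsi-runtime-suffix
"""

LEVEL_RE = re.compile(r"^HSI-(\d)$")
# tick or cross, attribute name, then the result text after the first ": "
ATTR_RE = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")


@dataclass(frozen=True)
class Attr:
    level: int      # 1..4 for HSI levels, 0 for runtime attributes
    name: str
    result: str
    passed: bool


def parse_report(text: str) -> list[Attr]:
    """Return one Attr per attribute line, tagged with the section it sits in."""
    attrs: list[Attr] = []
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LEVEL_RE.match(line)
        if m:
            level = int(m.group(1))
            continue
        if line.startswith("Runtime Suffix"):
            level = 0
            continue
        m = ATTR_RE.match(line)
        if m and level is not None:
            attrs.append(Attr(level, m.group(2), m.group(3), m.group(1) == "✔"))
    return attrs


def hsi_level(attrs: list[Attr]) -> int:
    """Highest N such that levels 1..N are all present and fully passing."""
    reached = 0
    for n in (1, 2, 3, 4):
        at_level = [a for a in attrs if a.level == n]
        if not at_level or not all(a.passed for a in at_level):
            break
        reached = n
    return reached


def runtime_clean(attrs: list[Attr]) -> bool:
    return all(a.passed for a in attrs if a.level == 0)


def hsi_string(attrs: list[Attr]) -> str:
    """Level string in the HSI:N[!] form, '!' meaning runtime issues."""
    return f"HSI:{hsi_level(attrs)}" + ("" if runtime_clean(attrs) else "!")


def failures(attrs: list[Attr]) -> list[tuple[int, str, str]]:
    return [(a.level, a.name, a.result) for a in attrs if not a.passed]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(hsi_string(parsed))
    for lvl, name, result in failures(parsed):
        print(f"  level {lvl or 'runtime'}: {name} -> {result}")
```

For the report in this issue the script yields `HSI:1!`: the SPI write protection failure blocks HSI-2 even though every HSI-3 and HSI-4 attribute passes, and the CET OS failure adds the runtime suffix.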
What hardware is that? Both failures look legitimate to me..
It is a Thinkpad T14s Gen 2 (AMD), with model code 20XF004RUS.
@lunarlettuce can you attach us the full sudo fwupdtool security -vv output please.
Good to know, thanks for transferring