A new HSI security attribute showing the system boot mode (Legacy or UEFI) #4530
-
I would argue this is something that should be done at installation time, not once someone has already installed and is using the system. I acknowledge this is deflecting the problem, but the reality is that "repairing" for booting in UEFI mode is not trivial. The installer will need to have created an EFI system partition and installed a bootloader. Typically there is a bifurcated experience where the ESP isn't created and set up unless you boot in UEFI mode to start.
-
I think @smallorange was asking for some kind of HSI test failure when in CSM or legacy mode -- but I wonder if
-
Could a system boot mode attribute be added to the HSI security attributes?
Since secure boot can work properly under the UEFI boot mode, if the system is booted under the legacy mode, secure boot may partially work or not work at all under this boot mode configuration. Showing the boot mode can help users notice their system is not configured properly and allows them to tweak the configuration to improve the system security.
An AppstreamId called "org.fwupd.hsi.boot.mode" can be added and used to show the boot mode status. It can also be a condition of HSI-1. fwupd detects the system boot mode and puts the result into this attribute. If fwupd finds the system is booted under legacy mode, the HSI will be 0, so the user can notice this and start to repair their system. By showing both the secure boot and boot mode status, ordinary users can fully understand their system security level, and it also introduces the correct system configuration to ordinary users to protect their system. :)
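The detection the post describes can be done entirely from interfaces the Linux kernel already exposes: the `/sys/firmware/efi` directory only exists when the kernel was started by UEFI firmware, and the `SecureBoot` variable is readable through efivarfs. The script below is an added example written for this discussion, not fwupd's own plugin code. It uses the attribute id `org.fwupd.hsi.boot.mode` exactly as proposed in the thread (fwupd does not currently ship it), and the `meets_hsi1_boot_requirements` flag is a deliberate simplification that looks only at these two attributes, whereas the real HSI-1 level depends on many more.

```python
"""Detect the firmware boot mode (UEFI vs. legacy/CSM) and the Secure Boot
state the way a fwupd-style HSI attribute could, reading the sysfs tree
under an arbitrary root so the same code can be exercised on constructed
fixtures. Example code for the discussion, not fwupd's implementation."""
import os
import tempfile

# Attribute id proposed in the thread; not an id fwupd currently ships.
BOOT_MODE_ATTR = "org.fwupd.hsi.boot.mode"
# efivarfs filename of the SecureBoot variable: name plus EFI_GLOBAL_VARIABLE GUID.
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def detect_boot_mode(root="/"):
    """Return 'uefi' when the kernel exposes its EFI runtime tree, else 'legacy'.
    The kernel creates /sys/firmware/efi only when it was booted by UEFI firmware,
    so its absence means a legacy BIOS or CSM boot."""
    return "uefi" if os.path.isdir(os.path.join(root, "sys/firmware/efi")) else "legacy"


def read_secure_boot(root="/"):
    """Return True/False for the SecureBoot variable, or None when it is unreadable.
    efivarfs files start with a 4-byte attribute word followed by the variable
    data; SecureBoot carries a single data byte (0 = disabled, 1 = enabled)."""
    path = os.path.join(root, "sys/firmware/efi/efivars", SECURE_BOOT_VAR)
    try:
        with open(path, "rb") as fh:
            blob = fh.read()
    except OSError:
        return None
    if len(blob) < 5:
        return None
    return blob[4] == 1


def evaluate(root="/"):
    """Build the proposed boot-mode attribute next to the Secure Boot state.
    A legacy/CSM boot makes Secure Boot meaningless, so it fails the (simplified)
    HSI-1 check outright, matching the thread's suggestion that the level becomes 0."""
    mode = detect_boot_mode(root)
    secure_boot = read_secure_boot(root) if mode == "uefi" else None
    return {
        BOOT_MODE_ATTR: mode,
        "secure_boot": secure_boot,
        # Simplification: only these two attributes are considered here.
        "meets_hsi1_boot_requirements": mode == "uefi" and secure_boot is True,
    }


def build_fixture(root, uefi, secure_boot=None):
    """Construct a fake sysfs tree under root (constructed test data, not a real system)."""
    if not uefi:
        return  # legacy boot: no /sys/firmware/efi at all
    efivars = os.path.join(root, "sys/firmware/efi/efivars")
    os.makedirs(efivars)
    if secure_boot is not None:
        # Attribute word BS|RT (0x06) as efivarfs would present it, then one data byte.
        blob = (0x06).to_bytes(4, "little") + bytes([1 if secure_boot else 0])
        with open(os.path.join(efivars, SECURE_BOOT_VAR), "wb") as fh:
            fh.write(blob)


def run_fixtures():
    """Evaluate three constructed scenarios and return the results keyed by name."""
    scenarios = {
        "legacy": (False, None),
        "uefi_sb_off": (True, False),
        "uefi_sb_on": (True, True),
    }
    results = {}
    for name, (uefi, sb) in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            build_fixture(root, uefi, sb)
            results[name] = evaluate(root)
    return results


if __name__ == "__main__":
    for name, res in run_fixtures().items():
        print(f"{name:12s} {res}")
    # Probing the machine this runs on; needs no privileges beyond reading sysfs.
    print("live system  ", evaluate())
```

On a real machine, `evaluate()` reads the live sysfs tree; running the module directly first prints the three constructed scenarios so the output can be compared against a known configuration before trusting the live result.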