When I run fwupdmgr security on Fedora Workstation 36, it provides an audit of the firmware. I get the following output:

Host Security ID: HSI:0 (v1.8.5)

HSI-1
✔ CSME manufacturing mode: Locked
✔ CSME override: Locked
✔ Platform Debugging: Disabled
✔ SPI BIOS region: Locked
✔ SPI lock: Enabled
✔ SPI write: Disabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
✘ CSME v0:22.214.171.1246: Invalid

HSI-2
✔ IOMMU: Enabled
✔ Intel BootGuard: Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse: Valid
✔ Intel BootGuard verified boot: Valid
✔ Platform Debugging: Locked
✔ TPM PCR0 reconstruction: Valid

HSI-3
✔ Intel BootGuard error policy: Valid
✔ Intel CET Enabled: Enabled
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled

HSI-4
✔ Encrypted RAM: Enabled
✔ Intel SMAP: Enabled

Runtime Suffix -!
✔ Intel CET Active: Supported
✔ Linux kernel: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ fwupd plugins: Untainted

This system has a low HSI security level.
 » https://fwupd.github.io/hsi.html#low-security-level

Host Security Events
...

The only thing that it flags as an issue is CSME version. Looking at the documentation for this tool (FwupdPlugin – 1.0: Host Security ID Specification), it seems like this is something that has to be updated in the BIOS.

Is this something I should be worried about, or can it be disregarded?