Firmware Security: CSME Version

When I run fwupdmgr security on Fedora Workstation 36, it provides an audit of the firmware. I get the following output:

Host Security ID: HSI:0 (v1.8.5)

HSI-1
✔ CSME manufacturing mode:       Locked
✔ CSME override:                 Locked
✔ Platform Debugging:            Disabled
✔ SPI BIOS region:               Locked
✔ SPI lock:                      Enabled
✔ SPI write:                     Disabled
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled
✘ CSME v0:15.0.23.1706:          Invalid

HSI-2
✔ IOMMU:                         Enabled
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✔ Platform Debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Intel CET Enabled:             Enabled
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Encrypted RAM:                 Enabled
✔ Intel SMAP:                    Enabled

Runtime Suffix -!
✔ Intel CET Active:              Supported
✔ Linux kernel:                  Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ fwupd plugins:                 Untainted

This system has a low HSI security level.
 » https://fwupd.github.io/hsi.html#low-security-level

Host Security Events
  ...

The only thing that it flags as an issue is CSME version. Looking at the documentation for this tool: FwupdPlugin – 1.0: Host Security ID Specification It seems like this is something that has to be updated in the BIOS.

Is this something I should be worried about, or can it be disregarded?

Something to note: this CLI tool will be getting a GUI in GNOME’s settings in a future version:

So, it would be great to see it get to HSI-4.

What did you do to get Encrypted RAM? That’s showing as disabled for me, so not sure what I missed (swap and my boot disk are both encrypted as far as I can see)

IIRC there’s an option for it in the BIOS if you have the 11th gen i7-1185G7. I could be wrong, though, so it’s always worth checking. It should be near other settings related to the CPU.

Quick update:

There’s discussion here about the CSME version:

An issue was posted to the CLI tool’s GitHub: CSME Invalid · Issue #4999 · fwupd/fwupd · GitHub

It seems like we either have to wait for Intel and or Framework to release an update. I’m not really sure which one, since I’m struggling to find if patches are CPU-specific and if one is available for the 11th gen i7-1185G7.

Thanks, I’ll give a look but may be out of luck as a cheapskate who only has a i5-1135G7.

1 Like

IIRC encrypted memory requires Intel vPro.

1 Like

Quick update:

Framework Support got back to me about this!

Thank you for your patience, I’ve escalated this report to our Lead Engineer who has confirmed that this will not be updated in the forthcoming 3.17 BIOS update, but is now planned to be updated/fixed in BIOS 3.18 hopefully due later this year.
Regards,

This is great to hear. I really appreciate that they escalated the issue and that they were able to respond so quickly! Thanks Framework Support, I’m looking forward to BIOS 3.18!

4 Likes