Gnome Feature / Device Security feature GuideDevice Security comes with Gnome 43. Thats an awesome feature. It would ver

[Udaba]

Device Security comes with Gnome 43. Thats an awesome feature.
It would very helpful if it was a guide helping you secure the system.
Is there any out there?Post them here and let create a guide.

1. Level 1

* Intel Managemenent Engine Version

* UEFI Platform Key
* TPM v2.0
*You can enable it on your BIOS on Boot settings.*
* Firmware BIOS Region
* Firmware Writ Protection Lock
* Platform Debugging
* Intel Management Engine Manufacturing Mode
* UEFI Secure Boot
* Firmware Write Protection
* Intel Management Engine Override
* TPM Platform Configuration
2. Level 2
* Intel BootGuard Fuse
* Intel BootGuard Verified Boot
* Intel BootGuard Protected
* Intel BootGuard
* TPM Reconstruction
* IOMMU Protection
* Platform Debugging
3. Level 3
* Suspend To RAM
* Intel BootGuard Error Policy
* Pre-boot DMA Protection
* Intel CET Enabled
* Suspend To Idle
* Encrypted RAM
* Intel SMAP

[sunrat]

It would very helpful if it was a guide helping you secure the system.
Is there any out there?

I'm sure there a many on the internet.

[Head_on_a_Stick]

You don't need GNOME to tell you if SecureBoot is enabled:

Code: Select all

# bootctl status

Or

Code: Select all

mokutil --sb-state

[Udaba]

Im totally noob on this. Im looking for ways to make them secure and create a guide for newcomers like me.

[Head_on_a_Stick]

The stable release should use SecureBoot automatically, no need for a guide. EDIT: newer machines may need 3rd party certificates authorised from the firmware ("BIOS") menus.

Version 43 of GNOME might make it into Debian 12 when it is released so you should see the feature there, hopefully.

[Udaba]

I really hope so. Seems a very nice feature to have. Im really noob on this so thats why i created this post.
Im actually using testing thats why i saw it.

[Uptorn]

If the new Gnome security feature does anything other than

!!! Warning !!! Intel hardware rootkit IME/ME detected on your system! Replace your hardware as soon as possible with a freedom respecting solution. Recommendations:
<list of liberated hardware>

then I suggest its output can be safely ignored.

[fabien]

!!! Warning !!! Intel hardware rootkit IME/ME detected on your system! Replace your hardware as soon as possible with a freedom respecting solution. Recommendations:
<list of liberated hardware>

Worrisome, but what is your hardware?
https://en.wikipedia.org/wiki/Intel_Management_Engine

Intel's main competitor AMD has incorporated the equivalent AMD Secure Technology (formally called Platform Security Processor) in virtually all of its post-2013 CPUs.

[Uptorn]

Worrisome, but what is your hardware?

Neither of those things

[fabien]

Neither of those things

I'm happy for you. So, what is the

<list of liberated hardware>

[Uptorn]

It was just a stand-in to illustrate my point. But if I had to begin to construct such a list it might include vendors like Purism, System76, Technoethical, SciFive, Raptor Computing Systems and MiniFree.