True, because it is already enabled by default on Fedora, while Debian, Ubuntu and SUSE ship AppArmor, again, by default.

Whataboutism at its finest. Software distribution isn't something fwupd should be fixing, don't you think?

Which vendor markets WiFi OEM locks as "security"? Secondly, Intel ME or AMD PSP don't care about your WiFi card. Thirdly, nothing stops a fully-functional open-source implementation from providing the same functionality that Gnome's device security screen checks. Such an implementation would certainly be more transparent, but well, transparency very inherently is not security. As an example, enabling IOMMU with closed firmware very likely does make the system more secure against specific DMA attacks, it doesn't make the system less transparent (and open firmware that doesn't, isn't secure in this case).

The principle of not letting perfect be the enemy of good really applies here. Neither does using one feature mean that we can't improve other things at the same time. Not having FDE doesn't mean we can't utilise the benefits of Intel CET for example. Making first steps towards being able to personally verify you've booted Linux and only Linux isn't a negative thing. Being able to trivially virtualise browser instances would be amazing on Linux, but we're not there.

This type of feet-dragging is holding the entire Linux ecosystem back for no good reason.

1. You can disable the VBS in the Windows Security settings.
2. Any Windows 11 Prebuild PC does have a MBEC capable CPU so you have no performance loss, thats what the shiny stickers are for OEM -> Microsoft -> Windows 11 Sticker yay.

Sure, I've been working on this stuff for over five years. I'm not going to, as I think it's probably a waste of my time. If you don't like the panel, or the idea, or the implementation -- just don't use the panel. Just ignore it, it's not going to stop you doing anything you want to do.

Well, it is indeed unhelpful and confusing. What those levels even mean? Secure from what exactly? Did they also publish a threat model they evaluate device "security" to? I would say that's not Device Security feature, that's Device Security theater.

Windows 11 doesn’t prevent you from disabling VBS. You can go to Core Integrity and disable it even on prebuilt

Correct. So there is simply a TODO item: present these non-fwupd security factors conveniently grouped together somewhere in GNOME control center.

That whitepaper is just Microsoft trying to justify their recent Secure Boot (and convenient vendor lockin) successor.

Can you find a more reliable / non-biased source? I'm not being confrontational, I personally can't. Best I can find is:

https://link.springer.com/article/10...46411619080224

And much of this just falls back on closed hardware makes it difficult to protect any further up the stack.

Some of these are still leaving me with, "Yes, but what does that mean, actually?" feeling I get reading the descriptions of some BIOS options. Like, I've read a few of Matthew Garrett's blog posts, and I'm familiar with the basic concept of measuring things into PCRs and sealing secrets with them, but I don't know what TPM reconstruction is, and the description (which is exactly the same as TPM_EMPTY_PCR) doesn't make it any clearer.

It seems like the full detailed documentation of these is here: https://github.com/fwupd/fwupd/blob/...i.Tpm.EmptyPcr. Maybe there's a way for the UI to link there?

P.S. Why is suspend-to-idle supposedly any better than proper S3 suspend-to-RAM? Either way, if the contents of DRAM are unencrypted, an attacker who can remove DIMMs will probably be able to read a lot of your RAM.