Show Your Support: This site is primarily supported by advertisements. Ads are what have allowed this site to be maintained on a daily basis for the past 18+ years. We do our best to ensure only clean, relevant ads are shown, when any nasty ads are detected, we work to remove them ASAP. If you would like to view the site without ads while still supporting our work, please consider our ad-free Phoronix Premium.
GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
Within the GNOME Control Center there is a firmware security area being worked on to show whether UEFI Secure Boot is active, various security protection details like the TPM status, whether Intel BootGuard is present and enabled, IOMMU protection state, and more. Ultimately those involved hope to allow triggering actions in some areas for fixing these issues when found to be in a less than ideal state.
The Plymouth boot splash screen is also preparing a warning image that would be displayed if Secure Boot is not enabled. That open merge request from Red Hat argues, "Secure boot is used against several security threats when malware tries to infect the firmware of the system. Users may inadvertently disable or software may intentionally disable the secure boot. Consequently, the system is running on an insecure platform with incorrect configuration. If Plymouth could offer a warning to the user, the user could reboot and reconfigure their system or asks for help immediately."
GNOME is preparing to warn users if Secure Boot is disabled, among other steps for trying to ensure the system state is at least secure at the platform level.
Similarly within the GDM display manager is this MR that is open for adding a Secure Boot check and warning notification so the user is alerted at log-in time whether their system could be vulnerable.
Building off that, Richard Hughes of Red Hat has blogged about work being done with Fwupd for allowing emulated host profiles. This emulated support is for helping to test firmware security states in arbitrary configurations for testing of the proposed GNOME Control Center additions and other work.