Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen

Written by Michael Larabel in Ubuntu on 28 August 2022 at 06:47 AM EDT. 59 Comments
Coming with GNOME 43 is a "Device Security" panel within the GNOME Control Center. While it is intended to help users ensure their systems are protected, Ubuntu isn't onboard with this Device Security functionality yet and has stripped it out of its GNOME build for Ubuntu 22.10.

The GNOME Device Security area warns users when Secure Boot is disabled or other platform-related security settings are less than ideal. This GNOME integration has been worked on by Red Hat engineers, along with the lower-level platform checks tied into Fwupd and the like. Eventually the hope is that this Device Security area could assist users in improving their security settings, rather than just warning them about the current system state.

This week Ubuntu 22.10's GNOME Control Center package (gnome-control-center) patched out the Device Security panel entirely.

This was done per this bug report, on the basis of the Device Security feature being "confusing and unhelpful currently."

Because the panel does not yet help users address the problems it exposes, and because Ubuntu is reportedly only able to attain a security level of 1 out of 3, Canonical engineers decided to remove this functionality, at least for Ubuntu 22.10. Obtaining a higher security level requires the likes of Intel BootGuard, TPM reconstruction, IOMMU protections, pre-boot DMA protections, Intel CET, suspend-to-idle, and encrypted RAM. The bug report reads:

A default Ubuntu install only gets us "Security Level 1". The highest level is "Security Level 3".

There isn't anything an Ubuntu user can do to get to a higher security level from the Device Security screen.

If a user attempts to get their system to a higher security level, I think they could break their system since this isn't something we currently support.

Therefore, I think we ought to hide/disable the screen for Ubuntu 22.10. We can work towards better integrating this screen for Ubuntu in future releases.

Under GNOME, "Security Level 1" means a TPM 2.0 is present, UEFI Secure Boot is enabled, the Intel ME override is locked, platform debugging is disabled, and other basics are in place.

For those wanting a dump of their system's firmware security state, running fwupdmgr security from the command line does provide some of this information in the absence of the GNOME Control Center's Device Security area in Ubuntu 22.10.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
