Hello,
I own a GTR7 Pro with BIOS version GTR_P5C6V37.
The system notified me that I have a poor security configuration of the BIOS.
Here is what I found using the fwupdmgr security --force command:
Host Security ID: HSI:0 (v1.9.20)
HSI-1
✔ BIOS firmware updates: Enabled
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI secure boot: Enabled
✘ UEFI platform key: Invalid
HSI-2
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ SPI write protection: Disabled
HSI-3
✔ CET Platform: Supported
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ SPI replay protection: Not supported
✘ Pre-boot DMA protection: Disabled
HSI-4
✔ SMAP: Enabled
✘ Processor rollback protection: Disabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ CET OS Support: Supported
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
What particularly bothered me:
- UEFI platform key - I was able to work around the problem by replacing the keys with the github/microsoft/secureboot_objects keys. Now the UEFI platform key test is marked valid. It would be good if Beelink released a BIOS update that includes the latest and valid certificates. At the moment there is a Platform Key named “DO NOT TRUST - Ami Test PK” 🤦♂️
- SPI write protection and SPI replay protection - I can’t find a BIOS option for that. Is it possible to enable it?
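As an added example (not part of the original post or of fwupd itself), here is a small Python parser for the fwupdmgr security text output quoted above: it groups the ✔/✘ checks by HSI level, recomputes the Host Security ID from them using fwupd's rule that level n requires every check at levels 1..n to pass, and lists the failing attributes per level, which makes regressions like the test PK easy to spot across several machines. The sample is a constructed, abridged copy of that output.

```python
import re

# Constructed sample: an abridged copy of the fwupdmgr security output quoted above.
SAMPLE = """\
HSI-1
✔ BIOS firmware updates: Enabled
✘ UEFI platform key: Invalid
HSI-2
✔ IOMMU: Enabled
✘ SPI write protection: Disabled
HSI-3
✘ SPI replay protection: Not supported
HSI-4
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Linux kernel: Untainted
"""

HEADER_RE = re.compile(r"^HSI-(\d)$")
CHECK_RE = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")

def parse_hsi(text):
    """Map each section (1-4, or 'runtime') to a list of (name, state, passed)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            current = int(m.group(1))
        elif line.startswith("Runtime Suffix"):
            current = "runtime"
        elif (m := CHECK_RE.match(line)) and current is not None:
            sections.setdefault(current, []).append((m.group(2), m.group(3), m.group(1) == "✔"))
    return sections

def failing(sections, key):
    return [name for name, _, ok in sections.get(key, []) if not ok]

def host_security_id(sections):
    """HSI:n for the highest n with all checks at levels 1..n passed; '!' if a runtime check failed."""
    level = 0
    for n in (1, 2, 3, 4):
        if n not in sections or failing(sections, n):
            break
        level = n
    return f"HSI:{level}" + ("!" if failing(sections, "runtime") else "")

def report(text):
    """Return the HSI string plus the failing checks per level, for fleet triage."""
    sections = parse_hsi(text)
    return host_security_id(sections), {n: failing(sections, n) for n in (1, 2, 3, 4)}
```

Feed it the output of `fwupdmgr security --force` from each host; a machine whose first failing level is HSI-1 because of the platform key stands out immediately.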