GNOME and Red Hat developers are working to integrate firmware security tips and advice to the desktop to warn users of platform/firmware security issues, such as whether UEFI Secure Boot is disabled, and other possible avenues for system exploitation. In the GNOME Control Center, a firmware security area is working to show whether UEFI Secure Boot is active, various security protection details such as TPM status, whether Intel BootGuard is present and enabled IOMMU protection status, and more.
The Plymouth boot screen is also preparing a warning image that will be displayed if Secure Boot is not enabled in the BIOS. Red Hat’s latest published merge request argues that “Secure Boot is used to combating several security threats when malware attempts to infect the system’s firmware. Users may inadvertently disable or software may intentionally disable Secure Boot. As a result, the system is running on an insecure platform that is incorrectly configured. If Plymouth can provide a warning to the user, the user can reboot and reconfigure their system, or seek help immediately.”
GNOME is preparing to warn users if Secure Boot is disabled, as well as other steps to try to ensure that the system state is secure, at least at the platform level. Similarly, in the GDM Display Manager, this MR is open for adding Secure Boot checks and warning notifications so that users are alerted to whether their systems are vulnerable when they log in.
Building on this, Richard Hughes of Red Hat blogged about the work being done by Fwupd to allow the emulation of host profiles. This emulation support is intended to help test the security state of firmware in arbitrary configurations to test the proposed GNOME Control Center add-on and other work.