Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen

Ubuntu Isn’t Yet Onboard With GNOME’s “Device Security” Screen

Coming with GNOME 43 is a “Device Security” panel within the GNOME Control Center. While intended to help ensure their system is protected, Ubuntu isn’t onboard with this Device Security functionality yet and has stripped it out from their GNOME build for Ubuntu 22.10.

The GNOME Device Security area warns users if Secure Boot is disabled and other platform-related security settings that are less than ideal. This GNOME integration has been working on by Red Hat engineers along with the lower-level platform checks tied into Fwupd and the like. Eventually the hope is this Device Security area could assist users in improving their security settings beyond just warning them over the current system state.

This week Ubuntu 22.10’s GNOME Control Center package (gnome-control-center) package patched out the Device Security panel entirely.

This was done per this bug report on the basis of the Device Security feature being “confusing and unhelpful currently.”

Due to not yet helping users addressing the exposed problems and Ubuntu reportedly only able to attain the highest security level score of 1 out of 3, it was decided by Canonical engineers to remove this functionality at least for Ubuntu 22.10. Obtaining a higher security level score requires the likes of Intel BootGuard, TPM reconstruction, IOMMU protections, pre-boot DMA protections, Intel CET, suspend-to-idle, and encrypted RAM.

A default Ubuntu install only gets us “Security Level 1”. The highest level is “Security Level 3”.

There isn’t anything an Ubuntu user can do to get to a higher security level from the Device Security screen.

If a user attempts to get their system to a higher security level, I think they could break their system since this isn’t something we currently support.

Therefore, I think we must hide/disable the screen for Ubuntu 22.10. We can work towards better integrating this screen for Ubuntu in future releases.

The “Security Level 1” under GNOME means TPM 2.0 presence, UEFI Secure Boot enabled, Intel ME override is locked, platform debugging is disabled, and other basics.

For those desiring a security dump of their system firmware state, from the command-line fwupdmgr security does provide some information in the absence of the GNOME Control Center’s Device Security area in Ubuntu 22.10.


Leave a Comment

Your email address will not be published. Required fields are marked *