[Bug 2125511] Re: false positive claiming device is unsecure

Mario Limonciello 2125511 at bugs.launchpad.net
Tue Sep 23 20:09:11 UTC 2025


** Bug watch added: github.com/fwupd/fwupd/issues #9278
   https://github.com/fwupd/fwupd/issues/9278

** Also affects: fwupd via
   https://github.com/fwupd/fwupd/issues/9278
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2125511

Title:
  false positive claiming device is unsecure

Status in Fwupd:
  Unknown
Status in fwupd package in Ubuntu:
  Triaged

Bug description:
  GUI: Linux Ubuntu gives at Settings->Privacy & Security:
  Device Security
  Checks Failed:
  Hardware does not pass checks.
  This means that you are not protected against common hardware issues.

  This can be regarded as a false positive in the case where the internal flasher is locked down, because it is then not possible to write to the firmware memory. But fwupd does not check for this situation.
  flashrom does this.
  False alarms are annoying and a waste of time.
  According to Google Gemini this situation is common on cheap household systems.

  CLI: sudo flashrom -p internal
  Enabling flash write... SPI Configuration is locked down.
  Enabling hardware sequencing because some important opcode is locked.

  CLI: sudo fwupdmgr security
  ✘ csme manufacturing mode:       Unlocked
  ✘ SPI lock:                      Disabled
  ✘ SPI BIOS region:               Unlocked

  There is a discrepancy here. flashrom says SPI lock is enabled. But fwupdmgr says it is Disabled.
  flashrom says important opcode is locked. But fwupdmgr says csme is Unlocked.
  flashrom enabled hardware sequencing in order to open the firmware read only in order to be able to make a dump from the firmware.

  So the logic should be first to check with flashrom to check if the
  internal flash rom writer allows writing to the flash rom. And if that
  is possible then to check with fwupd the security.

  CLI: lsb_release -rd
  Description:	Ubuntu 24.04.3 LTS

  CLI: apt-cache policy fwupd
  Installed: 1.9.31-0ubuntu1~24.04.1

  CLI: apt-cache policy flashrom
    Installed: 1.3.0-2.1ubuntu2
