Computer Tips - Linux: get a security report about the BIOS
Date: 2024dec21
Language: bash
OS: Linux
Q. Linux: get a security report about the BIOS
A. Run this command (you don't have to be root):

fwupdmgr security

Typical output (we altered some statuses to anonymize):

Host Security ID: HSI:0! (v1.9.27)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ csme manufacturing mode:       Locked
✔ csme override:                 Locked
✔ SPI write:                     Disabled
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✘ csme v0:15.0.22.1622:          Invalid
✘ Platform debugging:            Enabled
✘ SPI lock:                      Disabled
✘ SPI BIOS region:               Unlocked

HSI-2
✔ Intel BootGuard:               Enabled
✔ Intel GDS mitigation:          Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ Intel BootGuard ACM protected: Invalid
✘ Intel BootGuard OTP fuse:      Invalid
✘ Intel BootGuard verified boot: Invalid
✘ IOMMU:                         Not found

HSI-3
✘ Intel BootGuard error policy:  Invalid
✘ CET Platform:                  Not supported
✘ Pre-boot DMA protection:       Invalid
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ Linux kernel lockdown:         Disabled
✘ UEFI secure boot:              Disabled

This system has a low HSI security level.
  » https://fwupd.github.io/hsi.html#low-security-level
This system has HSI runtime issues.
  » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Host Security Events
  2023-11-07 15:58:32:  ✔ Intel GDS mitigation changed: Invalid → Enabled
  2022-09-24 20:21:41:  ✘ CSME v0:15.0.22.1622 changed: Valid → Invalid
  2022-09-24 20:21:41:  ✔ TPM PCR0 reconstruction changed: Not found → Valid

This only works on real hardware - not a VM.
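As an added example (not part of the original tip or of fwupd itself), a small bash helper that parses a report in the text format shown above, lists every failing attribute together with the HSI level it belongs to, and gates on a minimum level, which is how you would turn the report into a pass/fail compliance check across a fleet. The report text is a constructed, abbreviated sample; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample: an abbreviated "fwupdmgr security" report in the same
# layout fwupd prints (status glyph, attribute name, colon, padded value).
SAMPLE_REPORT='Host Security ID: HSI:0! (v1.9.27)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ TPM v2.0:                      Found
✘ SPI lock:                      Disabled
✘ SPI BIOS region:               Unlocked
✘ csme v0:15.0.22.1622:          Invalid

HSI-2
✔ Intel BootGuard:               Enabled
✘ IOMMU:                         Not found

Runtime Suffix -!
✔ Linux kernel:                  Untainted
✘ UEFI secure boot:              Disabled
'

# hsi_level REPORT -> prints the numeric HSI level (0-4) taken from the
# "Host Security ID: HSI:N" line; prints nothing if the line is missing.
hsi_level() {
    printf '%s\n' "$1" | sed -n 's/^Host Security ID: HSI:\([0-9]\).*/\1/p'
}

# hsi_failures REPORT -> one "SECTION<TAB>attribute<TAB>state" line per ✘ entry,
# where SECTION is the HSI-1..HSI-4 heading or "Runtime" it appears under.
# The name/state split is on ":" followed by whitespace, so attribute names
# that themselves contain a colon (e.g. "csme v0:15.0.22.1622") stay intact.
hsi_failures() {
    printf '%s\n' "$1" | awk '
        /^HSI-[0-9]/      { section = $1; next }
        /^Runtime Suffix/ { section = "Runtime"; next }
        /^✘/ {
            line = $0
            sub(/^✘[ \t]*/, "", line)
            split(line, parts, ":[ \t]+")
            printf "%s\t%s\t%s\n", section, parts[1], parts[2]
        }'
}

# hsi_check REPORT MIN_LEVEL -> exit status 0 if the host reaches MIN_LEVEL,
# 1 otherwise (also 1 when the level line cannot be found).
hsi_check() {
    local level
    level=$(hsi_level "$1")
    [ -n "$level" ] && [ "$level" -ge "$2" ]
}
```

In practice you would feed it the live output, e.g. `hsi_check "$(fwupdmgr security)" 1 || hsi_failures "$(fwupdmgr security)"`, and act on the printed list.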