openSUSE Tumbleweed Gnome

Hi, I noticed when I reinstalled Tumbleweed again that in the Gnome desktop security it says my secure boot is not safe. This is the first time I have had this issue, so my question to you all: how do I fix this issue, and how do I update so I will no longer have this issue? I hope someone would be so kind as to explain to me step by step how to fix this so I can learn how to handle this in future.

@EmilioL Hi, care to copy the Technical Report and post here?

Device Security Report
======================

Report details
  Date generated:                                  2025-04-17 09:21:03
  fwupd version:                                   2.0.8

System details
  Hardware model:                                  ASUSTeK COMPUTER INC. ASUS Zenbook 14 UX3405MA_UX3405MA
  Processor:                                       Intel(R) Core(TM) Ultra 7 155H
  OS:                                              openSUSE Tumbleweed
  Security level:                                  HSI:0! (v2.0.8)

HSI-1 Tests
  UEFI Secure Boot:                                Pass (Enabled)
  TPM v2.0:                                      ! Fail (Not Found)
  UEFI Bootservice Variables:                      Pass (Locked)
  Firmware BIOS Region:                            Pass (Locked)
  Intel Management Engine Version:                 Pass (Valid)
  Firmware Write Protection Lock:                  Pass (Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  Intel Management Engine Manufacturing Mode:      Pass (Locked)
  BIOS Firmware Updates:                           Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  Intel Management Engine Override:                Pass (Locked)

HSI-2 Tests
  Intel BootGuard Fuse:                            Pass (Valid)
  Intel BootGuard ACM Protected:                   Pass (Valid)
  Intel BootGuard:                                 Pass (Enabled)
  IOMMU Protection:                                Pass (Enabled)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Pre-boot DMA Protection:                         Pass (Enabled)
  Suspend To RAM:                                  Pass (Not Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)
  Suspend To Idle:                                 Pass (Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Supervisor Mode Access Prevention:               Pass (Enabled)

Runtime Tests
  Linux Swap:                                    ! Fail (Not Encrypted)
  Firmware Updater Verification:                   Pass (Not Tainted)
  Control-flow Enforcement Technology:             Pass (Supported)
  Linux Kernel Verification:                       Pass (Not Tainted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events
  2025-04-09 12:40:24   Linux Kernel Lockdown        Pass (Not Enabled → Enabled)
  2025-04-09 12:40:24   UEFI Secure Boot             Pass (Not Enabled → Enabled)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

Ok here it comes

@EmilioL So enable TPM 2.0 in the BIOS. Do you have a swap partition? If so, consider switching to zram instead, disable the swap partition and check again.

OK, I will try to do so, but how do I do it, do I just go into the BIOS and look for TPM? I use an ASUS Zenbook 14 OLED MA.

Hi, I forgot to mention that I did not install it with a swap partition, at least I don't think so, and I checked in the BIOS: TPM was already enabled, but I also enabled TPM clear and it did not fix the issue.

@EmilioL Is it TPM 2.0 or 1.2 on the system? Check the output from free, does it show swap?

Hi, I will check it again, and I found out yes, it's TPM 2.0.

               total        used        free      shared  buff/cache   available
Mem:            30Gi       3.2Gi        25Gi       899Mi       3.1Gi        27Gi
Swap:           30Gi          0B        30Gi

@EmilioL so what about the output inxi -Mz --swap and also fwupdmgr get-updates

inxi -Mz --swap and also fwupdmgr get-updates
Error 22: Unsupported option: and
Check -h for correct useage.

It gives me this message

@EmilioL inxi should work? The fwupdmgr command needs to be done as root user.

I just rebooted and checked again, and here is the latest status: good news, but not 100 percent.

Device Security Report
======================

Report details
  Date generated:                                  2025-04-17 10:22:16
  fwupd version:                                   2.0.8

System details
  Hardware model:                                  ASUSTeK COMPUTER INC. ASUS Zenbook 14 UX3405MA_UX3405MA
  Processor:                                       Intel(R) Core(TM) Ultra 7 155H
  OS:                                              openSUSE Tumbleweed
  Security level:                                  HSI:3! (v2.0.8)

HSI-1 Tests
  UEFI Secure Boot:                                Pass (Enabled)
  TPM v2.0:                                        Pass (Found)
  UEFI Bootservice Variables:                      Pass (Locked)
  Firmware BIOS Region:                            Pass (Locked)
  Intel Management Engine Version:                 Pass (Valid)
  Firmware Write Protection Lock:                  Pass (Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  Intel Management Engine Manufacturing Mode:      Pass (Locked)
  BIOS Firmware Updates:                           Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  TPM Platform Configuration:                      Pass (Valid)
  Intel Management Engine Override:                Pass (Locked)

HSI-2 Tests
  Intel BootGuard Fuse:                            Pass (Valid)
  Intel BootGuard ACM Protected:                   Pass (Valid)
  Intel BootGuard:                                 Pass (Enabled)
  TPM Reconstruction:                              Pass (Valid)
  IOMMU Protection:                                Pass (Enabled)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Pre-boot DMA Protection:                         Pass (Enabled)
  Suspend To RAM:                                  Pass (Not Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)
  Suspend To Idle:                                 Pass (Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Supervisor Mode Access Prevention:               Pass (Enabled)

Runtime Tests
  Linux Swap:                                    ! Fail (Not Encrypted)
  Firmware Updater Verification:                   Pass (Not Tainted)
  Control-flow Enforcement Technology:             Pass (Supported)
  Linux Kernel Verification:                       Pass (Not Tainted)
  Linux Kernel Lockdown:                           Pass (Enabled)

Host security events
  2025-04-17 09:44:45   TPM v2.0                     Pass (Not Found → Found)
  2025-04-09 12:40:24   Linux Kernel Lockdown        Pass (Not Enabled → Enabled)
  2025-04-09 12:40:24   UEFI Secure Boot             Pass (Not Enabled → Enabled)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

@EmilioL so it’s only;
Linux Swap: ! Fail (Not Encrypted)

AFAIK running zram and then removing the swap partition should resolve that, or removing swap completely…

System with no swap (grub/apparmor);
Linux Swap: Pass (Not Enabled)
System with zram (systemd-boot/selinux);
Linux Swap: Pass (Encrypted)

1 Like
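The reply above names three swap states (swap partition, zram, no swap). As an added example that is not part of the original thread and not fwupd's own check, this shell sketch sorts the entries of a /proc/swaps-format table into those states; the function names and the sample device name are assumptions made up for illustration.

```shell
#!/bin/sh
# Added illustration: classify active swap areas from a /proc/swaps-format
# table. This approximates the three cases discussed in the thread; it is
# not how fwupd itself decides "Linux Swap: Pass/Fail".

# Constructed sample: one 30 GiB swap partition (device name is made up).
sample_swaps() {
    cat <<'EOF'
Filename                                Type            Size            Used            Priority
/dev/nvme0n1p3                          partition       31457276        0               -2
EOF
}

# classify_swaps [FILE]: print "<device> <class>" per swap area.
# FILE defaults to /proc/swaps.
classify_swaps() {
    awk 'NR > 1 && NF >= 2 {
        dev = $1; type = $2
        if (dev ~ /^\/dev\/zram[0-9]+$/)
            class = "zram"
        else if (dev ~ /^\/dev\/(dm-[0-9]+|mapper\/)/)
            class = "device-mapper"   # may be dm-crypt; lsblk shows TYPE "crypt"
        else if (type == "file")
            class = "plain-file"
        else
            class = "plain-partition"
        print dev, class
    }' "${1:-/proc/swaps}"
}

# swap_verdict [FILE]: one-word summary of the whole table.
swap_verdict() {
    out=$(classify_swaps "$1")
    if [ -z "$out" ]; then
        echo "no-swap"
    elif echo "$out" | grep -q ' plain-'; then
        echo "unencrypted-swap"
    elif echo "$out" | grep -q ' device-mapper$'; then
        echo "check-dm-crypt"
    else
        echo "zram-only"
    fi
}

# On a live system, report the current state.
if [ -r /proc/swaps ]; then swap_verdict; fi
```

A result of unencrypted-swap corresponds to the case the thread resolves by moving to zram or removing swap; check-dm-crypt means the backing device still has to be confirmed as an encrypted mapping.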

Hi, thank you very much, it's all fixed now. Have a great day from here.

2 Likes