2022-12-05 Linux workstation security

Using the new Device Security panel in Gnome 43

Goal: Utilize new Gnome 43 features to improve the security of my laptop

Background: Gnome is experimenting with using low-level security tools to review and recommend security enhancements for workstation computers. A new panel is available in gnome-control-center that permits review of the device security settings and recommends changes.

Figure: Gnome Device Security panel, what Device Security looks like on a bad day

Detailed learning: First we need to turn on Secure Boot. Sometimes this is off because legacy boot support was left enabled.

Figure: BIOS home screen
Restart and press ENTER to get to the BIOS
Figure: BIOS Security tab
Navigate to the Security tab and the Secure Boot option
Figure: BIOS Reset Factory Keys
Enable Secure Boot and Reset Factory Keys

As described in the Lockdown Discussion, the following confirms whether kernel lockdown is active; the bracketed entry is the mode currently in effect.

$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality

An input-output memory management unit (IOMMU) is required for safely driving DMA-capable hardware from userspace. As described in the IOMMU Discussion, we first need to confirm that the system is capable; on Intel hardware we should see something like

$ dmesg | grep -e DMAR
[ 1.474961] DMAR: Intel(R) Virtualization Technology for Directed I/O

We then need to ensure this is activated on boot, so adjust the Grub2 boot loader by adding the following to the kernel command line and then rebuild the config. Include both options: intel_iommu=on activates the IOMMU and iommu=pt (passthrough) is the performance option. Note that grub2-mkconfig only prints the generated config unless -o is given; the path below is the one used on current Fedora, other distributions differ.

sudo sed -i '/GRUB_CMDLINE_LINUX/s/"$/ intel_iommu=on iommu=pt"/' /etc/default/grub
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
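The three checks above (Secure Boot state, lockdown mode, IOMMU detection) and an idempotent version of the grub edit, collected into one script. This is an added example, not code from the original post; each function takes its input as an argument so it can be run against sample data as well as the live system, and the EFI variable path in report() is the standard Linux efivarfs location.

```shell
#!/bin/sh
# Added example (not from the original post): the Secure Boot, lockdown and
# IOMMU checks as functions that take their input as an argument, so they can
# be exercised on sample data or on the live machine via report().

# Active lockdown mode: the bracketed word in /sys/kernel/security/lockdown,
# e.g. "none [integrity] confidentiality" -> integrity.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Secure Boot state from an EFI variable file (argument): 4 attribute bytes
# followed by one data byte, 1 = enabled. Returns 2 if the file is unreadable.
secure_boot_enabled() {
    [ -r "$1" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = 1 ]
}

# True when the given dmesg text shows the Intel IOMMU (DMAR) being detected.
iommu_detected() {
    printf '%s\n' "$1" | grep -q 'DMAR: Intel(R) Virtualization Technology for Directed I/O'
}

# Append intel_iommu=on iommu=pt to GRUB_CMDLINE_LINUX in the given grub
# defaults file unless already present (the post's one-line sed appends
# again on every run). Does not rebuild grub.cfg; run grub2-mkconfig after.
add_iommu_args() {
    grep -q '^GRUB_CMDLINE_LINUX=.*intel_iommu=on' "$1" && return 0
    sed '/^GRUB_CMDLINE_LINUX=/s/"$/ intel_iommu=on iommu=pt"/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Live report; lockdown and dmesg usually need root to read.
report() {
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if secure_boot_enabled "$sb"; then echo "secure boot: enabled"
    else echo "secure boot: disabled or unknown"; fi
    echo "lockdown: $(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")"
    if iommu_detected "$(dmesg 2>/dev/null)"; then echo "iommu: DMAR detected"
    else echo "iommu: not detected"; fi
}

if [ "${1:-}" = report ]; then report; fi
```

Run it as `sudo sh check.sh report` on the laptop to print all three results at once.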

Outcome: Assuming you have a TPM 2.0 chip, these changes will push the average laptop to Security Level 2.

Figure: Gnome Device Security panel, what Device Security looks like when complete