Received the following warning after wipe & install of 18 Core onto Lenovo T540p. Do I need to update my firmware or anything?

image431×420 15.5 KB

Here is the report (failures in bold):

Device Security Report

Report details
Date generated: 2026-01-28 09:22:47
fwupd version: 1.9.31

System details
Hardware model: LENOVO 20BFS46L00
Processor: Intel(R) Core(TM) i7-4600M CPU @ 2.90GHz
OS: Zorin OS 18
Security level: HSI:0! (v1.9.31)

HSI-1 Tests
TPM v2.0: ! Fail (Not Enabled)
UEFI Bootservice Variables: Pass (Locked)
Firmware BIOS Region: Pass (Locked)
Firmware Write Protection Lock: Pass (Enabled)
Platform Debugging: Pass (Not Enabled)
UEFI Secure Boot: ! Fail (Not Enabled)
Firmware Write Protection: Pass (Not Enabled)
TPM Platform Configuration: Pass (Valid)

HSI-2 Tests
BIOS Rollback Protection: ! Fail (Not Enabled)
Intel BootGuard: ! Fail (Not Supported)
TPM Reconstruction: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Platform Debugging: Pass (Locked)

HSI-3 Tests
Suspend To RAM: ! Fail (Enabled)
Pre-boot DMA Protection: ! Fail (Not Enabled)
Control-flow Enforcement Technology: ! Fail (Not Supported)
Suspend To Idle: ! Fail (Not Enabled)

HSI-4 Tests
Encrypted RAM: ! Fail (Not Supported)
Supervisor Mode Access Prevention: ! Fail (Not Supported)

Runtime Tests
Firmware Updater Verification: Pass (Not Tainted)
Linux Swap: ! Fail (Not Encrypted)
Linux Kernel Lockdown: ! Fail (Not Enabled)
Linux Kernel Verification: Pass (Not Tainted)

Host security events

For information on the contents of this report, see Redirecting to https://fwupd.github.io/libfwupdplugin/hsi.html

It is just ScareWare from Gnome.

For example:
You "Failed" because TPM is disabled. This is the backdoor that Microsoft wants you to have enabled.

Secure Boot is disabled - another fail... Except that Secure Boot interferes with many Linux processes because it fundamentally serves Microsoft signature validation.

Scaring users back into control...

Thx Aravisian... so none of the other "fails" need anything done?

I realize, re-reading my post, that I was a bit harsh.
You can see my frustration, rather plainly.

No. You are not required to do anything else. End User choices are based on the needs of the End User. Not corporations.

Can some of the above increase your computer's security? Yes. Throwing it in a dumpster would increase it magnitudes more.
The fact is, for them to successfully increase your security, they must also successfully function.
And setting up SWAP... that is purely a user choice. And on Some SSD's, not a good idea.

What that message says is "You users are brainless. But, relax. We will think for you.
We will keep you safe.
We promise."

Remind you of a system you came here to escape from?

Ratsnagdabbit, I went and showed muh frustrations, again.

I recently purchased a TPM module to see if I could enrol Ventoy's MOK key (as I may come across this if installing GNU/Linux for a client). It didn't. Now the funny thing is, when I installed LMDE 7 for a client, I mentioned elsewhere that I thought it was Acer's EFI function centralising text, it isn't it did it on mine too; the query is to which part of the line to select to hit enter with. It didn't work, and have not made other attempts since, opting for TPM Discrete instead of TPM firmware in the BIOS allows Ventoy to run as normal. Just thought I would share this as I had the same HSI warnings in Plasma so it is not a Gnome thing.

Doing some research:

"The Host Security ID (HSI) specification for Linux was authored by a team of contributors from the Linux Foundation and fwupd project, including Richard Hughes , Mario Limonciello , Alex Bazhaniuk , and Alex Matrosov. This specification was developed to provide a standardized, easy-to-understand way to assess platform security levels through firmware updates, leveraging the fwupd and LVFS (Linux Vendor Firmware Service) ecosystem.

The HSI levels defined in the specification range from HSI:0 (Insecure) to HSI:5 (Secure Proven) , with each level representing increasing degrees of firmware protection and security features such as UEFI Secure Boot, TPM 2.0 presence, and firmware encryption.

While the HSI specification itself is not a research report, it is part of broader efforts by the Linux Foundation and OpenSSF to improve open source security. For example, recent research reports from the Linux Foundation (in partnership with OpenSSF and LF Europe) have addressed topics like the Cyber Resilience Act (CRA) compliance and open source security best practices, though these are distinct from the HSI specification.

AI-generated answer. Please verify critical facts."

So this now begs the question, will individuals have to comply with the Cyber Resiliance Act or will it only apply to Enterprise Organisations?

Where does that word come from?
AI can't help "Sorry, no relevant information was found in our search."

This is normal when the Stuff is disabled. I have that, too:

grafik1252×519 28.3 KB

In my Opinion not the best Way to handle that - especially without any Explanations.

I combined "rats" and "Dag Nabbit", then "lysdexified" the second word, being inventive.
I do not have dyslexia, this is a complicated "in" joke.

Hahaha, ratsnagdabbit ... totally understand your frustration, Aravisian! And REALLY appreciate your straightforwardness & clarity. And omg, yes, reminds me of that OTHER system I'm trying to rid meself of, lol... THANK YOU

Love your "word origin" !!