Privacy and Security Tab in Settings

[BoneCream]

When I went into the privacy and security tabs in the settings of Ubuntu 25.10 as I was just navigating through all the tabs to see if anything was of during my frequent tests.
I came across what said: Security Checks failed. Hardwaoes not pass basic security tests. Along with another that says: Secure boot is off, No protection when the device is started.

So I clicked the small windows below and copied the hardware test report and this is what it says.
AND is it possible someone could just tell me the basic things I should be worried about?

Device Security Report
======================

Report details
Date generated: 2025-11-23 15:03:56
fwupd version: 2.0.16

System details
Hardware model: GPU Company GWTC116-2
Processor: Intel(R) Celeron(R) N4020 CPU @ 1.10GHz
OS: Ubuntu 25.10
Security level: HSI:0! (v2.0.16)

HSI-1 Tests
Firmware BIOS Region: ! Fail (Not Locked)
UEFI Platform Key: ! Fail (Not Valid)
UEFI Bootservice Variables: Pass (Locked)
TPM v2.0: Pass (Found)
Firmware Write Protection Lock: ! Fail (Not Enabled)
Platform Debugging: Pass (Not Enabled)
BIOS Firmware Updates: Pass (Enabled)
UEFI Secure Boot: ! Fail (Not Enabled)
Firmware Write Protection: Pass (Not Enabled)
TPM Platform Configuration: Pass (Valid)

HSI-2 Tests
Intel BootGuard: ! Fail (Not Supported)
TPM Reconstruction: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Platform Debugging: Pass (Locked)

HSI-3 Tests
Pre-boot DMA Protection: Pass (Enabled)
Suspend To RAM: ! Fail (Enabled)
Control-flow Enforcement Technology: ! Fail (Not Supported)
Suspend To Idle: ! Fail (Not Enabled)

HSI-4 Tests
Encrypted RAM: ! Fail (Not Supported)
Supervisor Mode Access Prevention: Pass (Enabled)

Runtime Tests
Linux Swap: ! Fail (Not Encrypted)
Firmware Updater Verification: Pass (Not Tainted)
UEFI db: Pass (Valid)
Linux Kernel Lockdown: ! Fail (Not Enabled)
Linux Kernel Verification: Pass (Not Tainted)

Host security events
2025-11-16 21:01:13 UEFI db Pass (Not Valid → Valid)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

And support would be greatly appreciated.

 

[KGIII]

It looks like you disabled Secure Boot in your BIOS, or installed it by bypassing during the installation process.

It also looks like Secure Boot was an option.

What's the output from this command:

mokutil --sb-state

 

[BoneCream]

Yes I did disable it. I had to disable it to Install Ubuntu After having Parro OS installed (obviously not a GUI based OS.)

I did a little more research and now I'm trying to figure out how to update my BIOS.

My laptop was originally windows 11 pre-installed It is a Gateway laptop GWTC-116
Its actually a very lightweight PC with 8gb of ram and still runs very smoothly.

But ever since Updating to Ubuntu, I just figured everything was dandy untill I went in the settings and started to update all software. Software is completly updated everything is fine.

But I haven't began to be hardware savy just yet.

So I'm fairly confused on how to update my BIOS and am kind of nervous about doing it because this is the laptop I use to do school work on and if I messed it up Id be forced to buy another laptop and then use just my cell phone to recover all my old passwords and all my files on my laptop would be absolutely destroyed.

 

[KGIII]

Yes I did disable it.

Well, that's what the security check is telling you.

I did a little more research and now I'm trying to figure out how to update my BIOS.

It's an older, and very basic, CPU. I'm not sure that you'd even have BIOS updates. If you do, it won't change anything with regards to your current installation. You can't enable Secure Boot after the fact. Well, you can't realistically do that.

So, if you want Secure Boot enabled, you'll need to do a new installation. When asked, don't disable it. Secure Boot works fairly well in Linux. It's largely a signature that says, "Yes, I'm booting the OS that was rightfully installed and it has not been tampered with by unknown parties."

 

[Condobloke]

if you are worried about your system going sideways (failing) save a backup to an external drive.

By using an external drive you are safeguarding against the current drive dying

 

[BoneCream]

Bro I just re enabled secure boot in my BIOS. I know how a BIOS works.

 

[Condobloke]

So I'm fairly confused on how to update my BIOS and am kind of nervous about doing it because this is the laptop I use to do school work on and if I messed it up Id be forced to buy another laptop and then use just my cell phone to recover all my old passwords and all my files on my laptop would be absolutely destroyed.

The above showed your concern.
At the very least, it would be wise to have Timeshift set up and saving snapshots to an external. (System only, but you can include /home if necessary)
All your files would not be included in Timeshift, which is why i recommended you make a backup to an external drive....probably using something like Rescuezilla. It makes an Image....which means it backs up everything, system files and your own personal files as well.

Saving this to an external drive is a safeguard, in case your main drive fails. The backups and snapshots also take up quite a bit of room/space....which can cause a problem on your main drive

 

[BoneCream]

can't I just backup my entire system to an External SSD???? I've never heard of timeshift, But i will look into how to use it including filezilla.Also the external drive I ordered is gonna be here tommorow so as soon as I get home from work ill be getting striaght online and back to work lol also thanks

 

[BoneCream]

*Rescuezilla

 

[BoneCream]

also. does filezilla clone os images even if they werehacked? because Im more than likely sure someone is chasing me online constantly trying to hack me because of a past aqaintence that new some people who had direct access to email services including googles services ya kno the people who know the backdoors a little too easily because of who they work for

 

[Condobloke]

Rescuezilla will take an image (not clone) of everything that is on the drive and save to a place nominated by you.

Your new ssd drive needs to be formatted as ext4 to accept rescuezulla. Timeshift fits on ext4 as well

Security for your PC is governed by you and yur activities while online. There is an addon called 'Facebook Container' which can be added to firefox which may help

Stay away from the dodgy sites.

 

[Trml]

Bro I just re enabled secure boot in my BIOS. I know how a BIOS works.

You can actually do that and see if your Ubuntu boots. If it does not, you have the options to either boot a regular Ubuntu ISO and take steps to change the kernel / boot loader of your system to a secure boot compatible state, or turn it off again (and do the same within the booted system, if desired). The question what you gain from it. If it is a stationary PC at home, not much.

A caveat is this part:

UEFI Platform Key: ! Fail (Not Valid)

It should be valid even if secure boot is disabled. The reason may be a misconfiguration of the UEFI bios, or the vendor/manufacturer doing vendor things. Unlikely it does affect whether you toggle secure boot on/off (Ubuntu secure boot does not care about the validity of the key).

The only thing you can try is to update the Bios and/or reset secure boot to defaults within it, and see if it changes the validity.

 

[CaffeineAddict]

I came across what said: Security Checks failed. Hardwaoes not pass basic security tests.

What you've stumbled upon is output which you can also get with:

fwupdmgr security

fwupdmgr is firmware update tool and HSI value is hardware security level.
don't bother trying to make those red lines green and your HSI higher, for that you need new more expensive hardware, you can fix 1-2 issues but that's all.

You can read more about it here:

FwupdPlugin: Host Security ID Specification

Reference for FwupdPlugin-1.0: Host Security ID Specification

fwupd.github.io

fwupd - Wikipedia

en.wikipedia.org

fwupd

Documentation for fwupd

fwupd.github.io

fwupd - ArchWiki

 

[BoneCream]

if you are worried about your system going sideways (failing) save a backup to an external drive.

By using an external drive you are safeguarding against the current drive dying

I have an external hd, just cant find a simple tutorial on how to create a backup file to the external hd.

 

[Brickwizard]

Just use time shift or similar, connect your external drive and in the set-up point it to back up on the external drive

 

[Condobloke]

Timeshift.

The external .....Timeshift will format it to ext4 for you automatically. RZ uses the same format, so nothing etra needs to be done. That format will also accept 90% of anything you choose to store on there.

Grab an external drive. Open Timeshift, ...click on Settings....rsync is the snapshot type....Set the Location for your snapshots to be that external drive. Schedule:..keep at least 2 daily and 1 weekly. Timeshift will delete snapshots as necessary to maintain those numbers. (or keep as few or as many as you like)

Users:If you dont tick/mark any of the little circles you get basic....if you tick/mark Include Only hidden Files....and the end one...Include all Files gives you your home folder etc etc

Be aware, Timeshift ONLY restores system files....not pics or music etc etc....STRICTLY system files...no games etc

If you want to save an image backup....

Rescuezilla (but...store at least one Timeshift snapshot on the external drive, first )

download the .iso from here : https://github.com/rescuezilla/rescuezilla/releases/tag/2.6.1

'burn' it to a usb stick in the same way you 'burned' the Linux Mint/ubuntu .iso to a usb before installing linux/ubuntu

usb stick...at least 4GB.... keep the usb stick for only that purpose.

When you have the usb stick prepared, shut down and then boot the pc to that usb stick.

RZ (rescuezilla) will open be patient.

Select to BACKUP

follow the prompts: select the drive you wish to backup (the prompts will appear at the top of the page)....click next...if prompted to also choose to bacup various partitions, select them and click next

Select the drive where you wish to store the backup....click on your external drive.....next

(On either this page or the next one you can select to create a new folder on your external. Either do that or cancel and go to the external and right click an empty space and 'create new folder...and name it)

The next pages are generally default setting, compression etc ...I recommend to leave them as they are)

Read the various blurbs...click next.....and eventually it will start the backup...it will give you a time elapsed and a time to go etc etc....be patient...go get coffee (or beer)....

When it finishes....then click on Verify ...follow the prompts... be sure to verify the backup ....Then, close rescuezilla and shut it down in the same manner as you would shut your OS down....reboot.

Go have a look in your external drive....right click on the folder (you may have to open it as root (right click, open as root).....then right click on the folder there and select properties....the size shown there should be a bit less than half of what is actually the full size of your OS on the main drive.

Done

 

[wizardfromoz]

BTW @InvaderSumo , Timeshift can be installed from Ubuntu's Software Centre, or with

sudo apt install timeshift

Linux Lite have a reasonable tutorial here

https://www.linuxliteos.com/manual/tutorials.html#timeshiftrestore

Wizard