HalogenOS/image-builder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update System Requirements

River 2025-04-18 14:05:30 -04:00
parent ac350638f1
commit 1df9f08901
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
System-Requirements.md

@ -28,7 +28,9 @@ It is also recommended that your system have:
HalogenOS leverages modern hardware security features to protect the system against tampering, intrusion, exfiltration, and corruption. These features, unfortunately, are not often found on consumer devices, leaving system hardware and firmware vulnerable to attack. This requirement policy is based on [the Linux Firmware Vendor Service](https://fwupd.org/)'s [Host Security Identifier (HSI) Specification](https://chromium.googlesource.com/chromiumos/third_party/fwupd/+/refs/heads/fwupd-1.6.3/docs/hsi.md), which outlines what elements determine a system's resistance to different levels of attack sophistication.
Due to scarcity of sufficiently compliant hardware, HalogenOS targets HSI 3 for its baseline, instead of HSI 4 or HSI 5. Devices compliant with HSI 3 require at least:
Installing HalogenOS on devices that do not meet the minimum security compliance requirements is *possible*, but **unsupported**, as zero guarantees can be made about the integrity of the data stored on the system.
Due to scarcity of sufficiently compliant hardware, HalogenOS targets HSI 2 or greater for its baseline, instead of HSI 3, 4, or 5. Devices compliant with HSI 2 require at least:
- TPM 2.0
- UEFI Secure Boot
@ -37,6 +39,7 @@ Due to scarcity of sufficiently compliant hardware, HalogenOS targets HSI 3 for
- I/O Memory Management Unit
- Debug systems and interfaces disabled
This list is NON EXHAUSTIVE. You can read more about the HSI Specification [here](https://chromium.googlesource.com/chromiumos/third_party/fwupd/+/refs/heads/fwupd-1.6.3/docs/hsi.md). To check your device's compliance, download and install `fwupdmgr` from its [GitHub repository](https://github.com/fwupd/fwupd), or install it via your package manager. After that, you can run `fwupdmgr security` to get information on your system's security.
> [!IMPORTANT]
> This list is NON EXHAUSTIVE. You can read more about the HSI Specification [here](https://chromium.googlesource.com/chromiumos/third_party/fwupd/+/refs/heads/fwupd-1.6.3/docs/hsi.md). To check your device's compliance, download and install `fwupdmgr` from its [GitHub repository](https://github.com/fwupd/fwupd), or install it via your package manager. After that, you can run `fwupdmgr security` to get information on your system's security.
At runtime, `fwupdmgr` performs the necessary checks to determine the installation's HSI status. On first boot, this baseline is saved, and any changes to the baseline can be detected, and forwarded to the user for review. The user will also be notified if the device fails to meet HSI 3 on its first boot.
At runtime, `fwupdmgr` performs the necessary checks to determine the installation's HSI status. On first boot, this baseline is saved, and any changes to the baseline can be detected, and forwarded to the user for review. The user will also be notified if the device fails to meet HSI 2 on its first boot.