FW 13 Core Ultra and Bluefin Gnome Security Check

What is going on with framework 13 Intel Core Ultra and Bluefin Gnome Security checks?

It passes all the checks on reboot, but if I do another reboot, it will fail again. So every second reboot it fails, and every second reboot passes the test! Seems to be the same with cold-start:

Screenshot From 2025-04-14 17-11-041990×1188 203 KB

Screenshot From 2025-04-14 18-17-142116×1446 249 KB

I have removed the universalblue security key, re-enrolled it, removed the LUKS TPM unlock, and re-added it. Also regenerated the grub. It didn’t make any difference:

Screenshot From 2025-04-14 18-19-28802×402 13.7 KB

It doesn’t seem to be a BIOS issue, as it’s always passed the security check with Ubuntu 24.04.

Detailed report:

Device Security Report
======================

Report details
  Date generated:                                  2025-04-14 18:35:37
  fwupd version:                                   1.9.26

System details
  Hardware model:                                  Framework Laptop 13 (Intel Core Ultra Series 1)
  Processor:                                       Intel(R) Core(TM) Ultra 7 155H
  OS:                                              Bluefin (Version: 41.20250413.1 / FROM Fedora Silverblue 41)
  Security level:                                  HSI:1! (v1.9.26)

HSI-1 Tests
  UEFI Platform Key:                               Pass (Valid)
  Firmware BIOS Region:                            Pass (Locked)
  UEFI Bootservice Variables:                      Pass (Locked)
  MEI Key Manifest:                                Pass (Valid)
  Intel Management Engine Version:                 Pass (Valid)
  TPM v2.0:                                        Pass (Found)
  Firmware Write Protection Lock:                  Pass (Enabled)
  Platform Debugging:                              Pass (Not Enabled)
  UEFI Secure Boot:                                Pass (Enabled)
  Intel Management Engine Manufacturing Mode:      Pass (Locked)
  BIOS Firmware Updates:                           Pass (Enabled)
  Firmware Write Protection:                       Pass (Not Enabled)
  TPM Platform Configuration:                      Pass (Valid)
  Intel Management Engine Override:                Pass (Locked)

HSI-2 Tests
  Intel BootGuard Fuse:                          ! Fail (Not Valid)
  Intel BootGuard ACM Protected:                   Pass (Valid)
  Intel BootGuard:                                 Pass (Enabled)
  TPM Reconstruction:                              Pass (Valid)
  IOMMU Protection:                                Pass (Enabled)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Suspend To RAM:                                  Pass (Not Enabled)
  Pre-boot DMA Protection:                         Pass (Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)
  Suspend To Idle:                                 Pass (Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Supervisor Mode Access Prevention:               Pass (Enabled)

Runtime Tests
  Linux Kernel Verification:                     ! Fail (Tainted)
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Encrypted)
  Linux Kernel Lockdown:                           Pass (Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)

Host security events
  2025-04-14 08:20:23   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-14 00:17:06   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-13 20:21:05   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-13 12:24:19   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-13 00:08:07   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-13 00:05:54   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-13 00:02:35   Linux Kernel Verification  ! Fail (Not Tainted → Tainted)
  2025-04-12 23:53:16   Linux Kernel Verification    Pass (Tainted → Not Tainted)
  2025-04-12 23:49:56   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-12 23:47:45   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-12 23:45:00   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-10 19:13:42   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-10 10:54:13   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-09 20:42:45   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-08 20:14:44   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-06 14:59:14   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-06 13:32:19   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-04-02 08:07:22   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-04-01 19:57:07   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-31 18:01:27   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-31 17:38:32   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-31 17:31:06   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-31 08:45:56   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-30 20:46:19   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-30 12:03:13   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-30 12:02:14   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-30 11:16:16   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-29 21:44:21   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-29 21:43:32   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-29 21:41:55   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-29 21:30:21   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)
  2025-03-29 19:53:19   Intel BootGuard Fuse         Pass (Not Valid → Valid)
  2025-03-29 19:46:47   Intel BootGuard Fuse       ! Fail (Valid → Not Valid)

For information on the contents of this report, see https://fwupd.github.io/hsi.html