Hardware Security

Hardware security features: TPM, Secure Boot, hardware encryption, and security best practices.


TPM (Trusted Platform Module)

Check TPM Status (Linux)

# Install TPM tools (the tpm2_* commands below come from this package)
sudo apt install tpm2-tools

# Check if a TPM device exists
ls /dev/tpm*

# TPM version (1 = TPM 1.2, 2 = TPM 2.0)
cat /sys/class/tpm/tpm0/tpm_version_major

# TPM info (manufacturer, firmware version, fixed properties)
sudo tpm2_getcap properties-fixed

# List PCR values
sudo tpm2_pcrread
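
Reading PCRs once says little; the useful check is whether they changed since a known-good boot. The script below is an added example (not part of the original page or of tpm2-tools): it parses two saved tpm2_pcrread captures, assuming the tpm2-tools 4.x/5.x text layout, and reports every PCR whose value differs. The captures it runs on are constructed inline.

```sh
#!/bin/sh
# Added example: diff two saved tpm2_pcrread captures and list PCRs whose value changed.
# Assumed input layout (tpm2-tools 4.x/5.x text output):
#   sha256:
#     0 : 0x0000...
#     7 : 0x5BA9...

# pcr_flatten FILE: normalise one capture into "bank:index VALUE" lines.
pcr_flatten() {
    awk '
        /^[[:space:]]*[A-Za-z0-9_]+:[[:space:]]*$/ { bank = $1; sub(/:/, "", bank); next }
        /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0x/ { print bank ":" $1, toupper($3) }
    ' "$1"
}

# pcr_diff BASELINE CURRENT: prints "bank:index" for every PCR that changed, appeared
# or disappeared; returns 0 when the captures agree and 1 otherwise.
pcr_diff() {
    { pcr_flatten "$1" | sed 's/^/B /'; pcr_flatten "$2" | sed 's/^/C /'; } |
    awk '
        $1 == "B" { base[$2] = $3; next }
        $1 == "C" { seen[$2] = 1; if (!($2 in base) || base[$2] != $3) { print $2; n++ } }
        END { for (k in base) if (!(k in seen)) { print k; n++ }; exit (n > 0) }
    '
}

# make_sample_captures DIR: constructed captures (not real TPM output); only PCR 7,
# which records the Secure Boot policy, differs between baseline and current.
make_sample_captures() {
    cat > "$1/baseline.txt" <<'EOF'
sha256:
  0 : 0x0000000000000000000000000000000000000000000000000000000000000000
  4 : 0xA1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4
  7 : 0x5BA9D4F15BA9D4F15BA9D4F15BA9D4F15BA9D4F15BA9D4F15BA9D4F15BA9D4F1
EOF
    sed '/^  7 :/s/0x.*/0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF/' \
        "$1/baseline.txt" > "$1/current.txt"
}

# Stand-alone demonstration on the constructed captures.
work=$(mktemp -d)
make_sample_captures "$work"
if pcr_diff "$work/baseline.txt" "$work/current.txt"; then
    echo "PCRs match baseline"
else
    echo "PCR drift in the PCRs listed above; re-verify the boot chain before trusting it"
fi
rm -rf "$work"
```

On a real host, save `sudo tpm2_pcrread > baseline.txt` after a known-good boot and run `pcr_diff baseline.txt <(...)`-style comparisons from a file captured at each later boot.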

Check TPM (Windows)

# TPM status
Get-Tpm

# Detailed TPM info
Get-WmiObject -Namespace "Root\CIMv2\Security\MicrosoftTpm" -Class Win32_Tpm

# TPM state flags and manufacturer firmware version
(Get-Tpm).TpmPresent
(Get-Tpm).TpmReady
(Get-Tpm).TpmEnabled
(Get-Tpm).ManufacturerVersion

# Open the TPM Management console
tpm.msc

Secure Boot

Check Secure Boot Status (Linux)

# Install mokutil
sudo apt install mokutil

# Check if Secure Boot is enabled (also prints "Platform is in Setup Mode" when applicable)
mokutil --sb-state

# Check Secure Boot from the EFI variable: efivarfs files carry a 4-byte attribute
# header before the data, so print the last byte (1 = enabled, 0 = disabled)
od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $NF}'

# List enrolled keys (MOK list)
mokutil --list-enrolled

# Check if the platform is in setup mode (1 = no Platform Key enrolled, policy is writable)
od -An -t u1 /sys/firmware/efi/efivars/SetupMode-* | awk '{print $NF}'
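
The raw efivar bytes above are easy to misread, so here is an added example (not part of the original page) that decodes them properly: it skips the 4-byte attribute header, reads both SecureBoot and SetupMode, and folds them into one verdict. It assumes the standard EFI_GLOBAL_VARIABLE GUID suffix on the file names; the sample efivarfs directory it checks first is constructed.

```sh
#!/bin/sh
# Added example: decode the SecureBoot and SetupMode variables from efivarfs.
# Each efivarfs file is 4 bytes of variable attributes followed by the data;
# for these two variables the data is one byte (1 = true, 0 = false).

# efivar_byte FILE: print the first data byte, skipping the 4-byte attribute header.
efivar_byte() {
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secure_boot_state [DIR]: DIR defaults to /sys/firmware/efi/efivars.
# Prints enabled | disabled | setup-mode | not-efi | unknown. Returns 0 only for
# "enabled"; setup mode wins even if SecureBoot reads 1, because without an enrolled
# Platform Key the key databases can be rewritten from the running OS.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-efi; return 2; }
    sb=""; sm=""
    for f in "$dir"/SecureBoot-*; do if [ -f "$f" ]; then sb=$(efivar_byte "$f"); fi; done
    for f in "$dir"/SetupMode-*;  do if [ -f "$f" ]; then sm=$(efivar_byte "$f"); fi; done
    if   [ "$sm" = 1 ]; then echo setup-mode; return 1
    elif [ "$sb" = 1 ]; then echo enabled;    return 0
    elif [ "$sb" = 0 ]; then echo disabled;   return 1
    else                     echo unknown;    return 2
    fi
}

# make_sample_efivars DIR: constructed efivarfs files (attributes 0x06 = BS|RT, then data).
make_sample_efivars() {
    mkdir -p "$1"
    printf '\006\000\000\000\001' > "$1/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    printf '\006\000\000\000\000' > "$1/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"
}

# Stand-alone demonstration: the constructed set reports "enabled", then the live host.
work=$(mktemp -d)
make_sample_efivars "$work"
echo "sample: $(secure_boot_state "$work")"
echo "live:   $(secure_boot_state)"
rm -rf "$work"
```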

Check Secure Boot (Windows)

# Secure Boot status
Confirm-SecureBootUEFI

# Detailed info
Get-SecureBootPolicy

# System information
msinfo32
# Look for "Secure Boot State"

Hardware Encryption

Check Disk Encryption Support

# Check if drive supports hardware encryption (SED, ATA security feature set)
sudo hdparm -I /dev/sda | grep -i "security"

# Check for AES-NI (CPU encryption acceleration); prints "aes" once if present
grep -m1 -ow 'aes' /proc/cpuinfo

# LUKS encryption status (mapping name "encrypted" as used in the LUKS example below)
sudo cryptsetup status /dev/mapper/encrypted

# List block devices with filesystem types (a LUKS container shows as crypto_LUKS)
lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

Enable LUKS Encryption

# Encrypt partition (destroys existing data; prompts for a passphrase)
sudo cryptsetup luksFormat /dev/sdb1

# Open encrypted partition as /dev/mapper/encrypted
sudo cryptsetup luksOpen /dev/sdb1 encrypted

# Create filesystem
sudo mkfs.ext4 /dev/mapper/encrypted

# Mount
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/encrypted /mnt/encrypted

CPU Security Features

Check CPU Security Features

# Intel features (aes = AES-NI, sgx = Software Guard Extensions, smx = Safer Mode Extensions / TXT)
grep -m1 '^flags' /proc/cpuinfo | grep -owE 'aes|sgx|smx'

# AMD features (sme = Secure Memory Encryption, sev/sev_es = Secure Encrypted Virtualization)
grep -m1 '^flags' /proc/cpuinfo | grep -owE 'aes|sme|sev|sev_es'

# Spectre/Meltdown mitigations (values only)
cat /sys/devices/system/cpu/vulnerabilities/*

# Or detailed view with the file name in front of each value
grep . /sys/devices/system/cpu/vulnerabilities/*

CPU Vulnerabilities

# List all vulnerability entries the kernel knows about
ls /sys/devices/system/cpu/vulnerabilities/

# Spectre v1
cat /sys/devices/system/cpu/vulnerabilities/spectre_v1

# Spectre v2
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2

# Meltdown
cat /sys/devices/system/cpu/vulnerabilities/meltdown

# Check mitigations reported at boot
sudo dmesg | grep -i "mitigation"
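
Reading each sysfs file by hand does not scale across a fleet, so here is an added example (not part of the original page) that classifies every entry under the vulnerabilities directory and returns a non-zero status when anything is left unmitigated. It relies only on the kernel's own wording ("Not affected", "Mitigation: ...", "Vulnerable...", and the KVM-prefixed variants); the sample directory it audits first is constructed.

```sh
#!/bin/sh
# Added example: turn /sys/devices/system/cpu/vulnerabilities/* into an audit verdict.
# Each file holds one line: "Not affected", "Mitigation: ...", "Vulnerable...",
# or a "KVM: " prefixed variant for virtualisation-specific issues.

# audit_cpu_vulns [DIR]: prints "<name> <class> <raw text>" per entry; returns 1 if
# any entry is classified VULNERABLE, 0 otherwise.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        case $raw in
            "Not affected"*)                    class=ok ;;
            "Mitigation:"*|"KVM: Mitigation:"*) class=mitigated ;;
            "Vulnerable"*|"KVM: Vulnerable"*)   class=VULNERABLE; bad=1 ;;
            *)                                  class=unknown ;;
        esac
        printf '%-20s %-10s %s\n' "$(basename "$f")" "$class" "$raw"
    done
    return $bad
}

# make_sample_vulns DIR: constructed entries mimicking the kernel's wording (not a real host).
make_sample_vulns() {
    mkdir -p "$1"
    echo "Not affected" > "$1/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$1/spectre_v1"
    echo "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling" > "$1/spectre_v2"
    echo "KVM: Mitigation: VMX disabled" > "$1/itlb_multihit"
    echo "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" > "$1/mds"
}

# Stand-alone demonstration on the constructed set, then on the live host.
work=$(mktemp -d)
make_sample_vulns "$work"
audit_cpu_vulns "$work" || echo "sample: at least one unmitigated CPU vulnerability"
audit_cpu_vulns || echo "live host: at least one unmitigated CPU vulnerability"
rm -rf "$work"
```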

IOMMU (VT-d / AMD-Vi)

Enable IOMMU

# Check if IOMMU is enabled
sudo dmesg | grep -iE 'DMAR|AMD-Vi|iommu'

# Enable in GRUB: edit the kernel command line
sudo nano /etc/default/grub

# For Intel, set:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_iommu=on iommu=pt"

# For AMD, set:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash amd_iommu=on iommu=pt"

# Update GRUB
sudo update-grub

# Reboot
sudo reboot

# Verify after reboot: IOMMU groups exist and the kernel reports the IOMMU as enabled
ls /sys/kernel/iommu_groups/
sudo dmesg | grep -iE 'DMAR: IOMMU enabled|AMD-Vi'

Hardware Security Keys

YubiKey

# Install tools
sudo apt install yubikey-manager

# List YubiKeys
ykman list

# YubiKey info (firmware, enabled applications per interface)
ykman info

# FIDO2 application status (PIN set, credential capacity)
ykman fido info

# OTP application status (slot configuration)
ykman otp info

# PIV (smart card) application status
ykman piv info

U2F/FIDO2

# Install libfido2 command-line tools (dev headers only needed to build against libfido2)
sudo apt install fido2-tools libfido2-dev

# List FIDO devices
fido2-token -L

# Get device info
fido2-token -I /dev/hidraw0

# Register (make) a credential with fido2-cred; the input file holds, one per line,
# the base64 client data hash, relying party id, user name and base64 user id
fido2-cred -M -i challenge.txt -o cred.txt /dev/hidraw0

Firmware Security

Check Firmware Updates

# fwupd (Linux firmware updater)
sudo apt install fwupd

# Refresh metadata from the LVFS, then check for updates
fwupdmgr refresh
fwupdmgr get-updates

# Update firmware
sudo fwupdmgr update

# List devices
fwupdmgr get-devices

# Check host security attributes (HSI level: Secure Boot, TPM, IOMMU, SPI protections, ...)
fwupdmgr security

BIOS/UEFI Security

# Boot entries with their EFI paths (verbose)
efibootmgr -v

# List EFI variables
ls /sys/firmware/efi/efivars/

# Check boot order
efibootmgr

# Secure Boot key databases (PK, KEK, db, dbx)
ls /sys/firmware/efi/efivars/ | grep -E '^(PK|KEK|db|dbx)-'

Memory Protection

Check Memory Encryption

# AMD SME/SEV: CPU capability flags
grep -m1 '^flags' /proc/cpuinfo | grep -owE 'sme|sev|sev_es'

# AMD SME/SEV: what the kernel actually activated
sudo dmesg | grep -i 'Memory Encryption Features active'

# SEV support in the KVM module (encrypted guest memory)
cat /sys/module/kvm_amd/parameters/sev

# Intel TME (Total Memory Encryption)
grep -m1 '^flags' /proc/cpuinfo | grep -ow tme
sudo dmesg | grep -i tme

Check ASLR

# ASLR status (0=off, 1=conservative, 2=full)
cat /proc/sys/kernel/randomize_va_space

# Enable full ASLR
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

# Make permanent
echo "kernel.randomize_va_space = 2" | sudo tee -a /etc/sysctl.conf

Hardware Monitoring for Security

Check for Hardware Changes

# Generate hardware baseline
sudo lshw > baseline.txt

# Compare later
sudo lshw > current.txt
diff baseline.txt current.txt

# Monitor PCI devices
watch -n 1 'lspci'

# Monitor USB devices
watch -n 1 'lsusb'

# USB device events
udevadm monitor --subsystem-match=usb

Detect Hardware Keyloggers

# List USB input devices
ls -l /dev/input/by-id/

# Monitor input events
sudo evtest

# Check for unexpected USB devices
lsusb -t

Secure Erase

Secure Disk Erase

# Check if drive supports ATA secure erase; it must report "not frozen"
sudo hdparm -I /dev/sda | grep -iE "erase|frozen"

# Set a temporary ATA user password (PASSWORD is a placeholder you choose)
sudo hdparm --user-master u --security-set-pass PASSWORD /dev/sda

# Secure erase (the drive clears the password when the erase completes)
sudo hdparm --user-master u --security-erase PASSWORD /dev/sda

# Or overwrite with shred (3 random passes, then a final pass of zeros)
sudo shred -vfz -n 3 /dev/sda

# Or dd with random data
sudo dd if=/dev/urandom of=/dev/sda bs=1M status=progress

# Overwrites are only reliable on spinning disks; for SSDs prefer the ATA secure
# erase above or NVMe sanitize (nvme sanitize) so remapped blocks are cleared too

Windows BitLocker

# Check BitLocker status
Get-BitLockerVolume

# Enable BitLocker (XTS-AES-256, used space only, TPM protector)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

# Add a recovery password protector and list protectors to find its KeyProtectorId
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
(Get-BitLockerVolume -MountPoint "C:").KeyProtector

# Backup recovery key to Azure AD / Entra ID ({ID} = KeyProtectorId of the RecoveryPassword protector)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId "{ID}"

# Check TPM
Get-Tpm

# Suspend BitLocker (for firmware or boot-component updates)
Suspend-BitLocker -MountPoint "C:"

# Resume BitLocker
Resume-BitLocker -MountPoint "C:"

Security Checklist

BIOS/UEFI

  • Enable Secure Boot
  • Set BIOS/UEFI password
  • Disable unused ports (USB, Thunderbolt)
  • Enable TPM
  • Disable boot from USB/CD (or set password)
  • Enable VT-d/AMD-Vi (IOMMU)

Operating System

  • Enable full disk encryption
  • Enable ASLR
  • Keep firmware updated
  • Enable firewall
  • Disable unnecessary services
  • Use hardware security key (YubiKey)

Physical Security

  • Lock computer when away
  • Use Kensington lock
  • Disable DMA ports (Thunderbolt, FireWire)
  • Monitor for hardware keyloggers
  • Lock the boot order (password-protect the firmware boot menu)
