You're going to have to be more specific on why a failing HSI attribute contributes to the undoing of your privacy? You're aware the security attributes are each based on mitigating actual real-world attacks, right?
You're aware that ME itself is considered a security hole, and that a lot of people disabled it, right? Not to mention, most of the hsi2 and 3 stuff need ME as a dependency?
Edit: again, why is this any part of a firmware updater?
Edit2: this doesn't even get into unsigned kernels, out of tree modules, and unencrypted swaps (or at least not encrypted in the special way fwupd wants them to be)
I feel I must apologize, but my first experience with fwupd was switching from MATE to KDE, opening kinfocenter and seeing all of this... While some of this is a KDE problem, I don't even see a place to update said firmware without using the CLI.
