proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-03 11:28:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use a more compact JSON format using precommit

Browse Source
This commit is contained in:
Richard Hughes 2023-01-30 12:24:35 +00:00
parent c1ffebae48
commit 00e8aaefc6
44 changed files with 1397 additions and 1409 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.pre-commit-config.yaml
View File

@ -1,7 +1,7 @@
default_stages: [commit]
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
rev: v4.4.0
hooks:
- id: no-commit-to-branch
args: [--branch, main, --pattern, 1_.*_X]
@ -12,6 +12,8 @@ repos:
- id: check-yaml
exclude: '.clang-format'
- id: check-json
- id: pretty-format-json
args: ['--no-sort-keys']
- id: check-symlinks
- id: check-xml
- id: end-of-file-fixer
@ -23,12 +25,12 @@ repos:
- id: mixed-line-ending
args: [--fix=lf]
- repo: https://github.com/codespell-project/codespell
rev: v2.1.0
rev: v2.2.2
hooks:
- id: codespell
args: ['--config', './contrib/codespell.cfg', --write-changes]
- repo: https://github.com/ambv/black
rev: 22.3.0
rev: 22.12.0
hooks:
- id: black
- repo: local
@ -78,7 +80,7 @@ repos:
language: script
entry: ./contrib/ci/check-license.py
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.27.1
rev: v0.33.0
hooks:
- id: markdownlint
args: ['--fix', '--ignore', '.github']

126
contrib/vscode/launch.json
View File

@ -1,65 +1,65 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "gdbserver (fwupdtool)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/libexec/fwupd/fwupdtool",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
},
{
"name": "gdbserver (fwupd)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/libexec/fwupd/fwupd",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
},
{
"name": "gdbserver (fwupdmgr)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/bin/fwupdmgr",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
}
]
"version": "0.2.0",
"configurations": [
{
"name": "gdbserver (fwupdtool)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/libexec/fwupd/fwupdtool",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
},
{
"name": "gdbserver (fwupd)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/libexec/fwupd/fwupd",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
},
{
"name": "gdbserver (fwupdmgr)",
"type": "cppdbg",
"request": "launch",
"program": "${workspaceFolder}/dist/bin/fwupdmgr",
"args": [],
"stopAtEntry": false,
"cwd": "${workspaceFolder}",
"environment": [],
"miDebuggerServerAddress": "localhost:9091",
"externalConsole": false,
"MIMode": "gdb",
"setupCommands": [
{
"description": "Enable pretty-printing for gdb",
"text": "-enable-pretty-printing",
"ignoreFailures": true
}
]
}
]
}

4
contrib/vscode/settings.json
View File

@ -1,4 +1,4 @@
{
"editor.tabSize": 8,
"mesonbuild.buildFolder": "build"
"editor.tabSize": 8,
"mesonbuild.buildFolder": "build"
}

55
docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
View File

@ -1,30 +1,29 @@
{
"id": "org.fwupd.hsi.Amd.PlatformRollbackProtection",
"name": "AMD Secure Processor Rollback protection",
"description": [
"AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the secure processor.",
"This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed."
],
"more-information": [
"This particular check is not for the Microsoft Pluton Security processor which is present on some chips.",
"End users are not able to directly modify rollback protection, this is controlled by the manufacturer.",
"On Lenovo systems it has been reported that if this is disabled it may potentially be enabled by loading 'OS Optimized Defaults' in BIOS setup."
],
"failure-impact": [
"SOCs without this feature may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
],
"failure-results": {
"not-enabled": "rollback protection disabled"
},
"success-results": {
"enabled": "rollback protection enabled"
},
"hsi-level": 4,
"references": {
"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection",
"https://www.amd.com/en/technologies/pro-security": "AMD Secure Processor",
"https://forums.lenovo.com/t5/Fedora/AMD-Rollback-protection-not-detected-by-fwupd-on-T14-G3-AMD/m-p/5182708?page=1#5810366":
"Loading OS Optimized Defaults on Lenovo systems"
},
"fwupd-version": "1.8.0"
"id": "org.fwupd.hsi.Amd.PlatformRollbackProtection",
"name": "AMD Secure Processor Rollback protection",
"description": [
"AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the secure processor.",
"This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed."
],
"more-information": [
"This particular check is not for the Microsoft Pluton Security processor which is present on some chips.",
"End users are not able to directly modify rollback protection, this is controlled by the manufacturer.",
"On Lenovo systems it has been reported that if this is disabled it may potentially be enabled by loading 'OS Optimized Defaults' in BIOS setup."
],
"failure-impact": [
"SOCs without this feature may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
],
"failure-results": {
"not-enabled": "rollback protection disabled"
},
"success-results": {
"enabled": "rollback protection enabled"
},
"hsi-level": 4,
"references": {
"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection",
"https://www.amd.com/en/technologies/pro-security": "AMD Secure Processor",
"https://forums.lenovo.com/t5/Fedora/AMD-Rollback-protection-not-detected-by-fwupd-on-T14-G3-AMD/m-p/5182708?page=1#5810366": "Loading OS Optimized Defaults on Lenovo systems"
},
"fwupd-version": "1.8.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.Amd.SpiReplayProtection.json
View File

@ -1,18 +1,18 @@
{
"id" : "org.fwupd.hsi.Amd.SpiReplayProtection",
"name" : "AMD SPI Write protections",
"description" : [
"id": "org.fwupd.hsi.Amd.SpiReplayProtection",
"name": "AMD SPI Write protections",
"description": [
"SOCs may enforce control of the SPI bus to prevent writes other than by verified entities."
],
"failure-impact" : [
"failure-impact": [
"SOCs without this feature may be attacked by an attacker modifying the SPI."
],
"failure-results" : {
"not-enabled" : "SPI protections disabled"
"failure-results": {
"not-enabled": "SPI protections disabled"
},
"success-results" : {
"enabled" : "SPI protections enabled"
"success-results": {
"enabled": "SPI protections enabled"
},
"hsi-level" : 2,
"fwupd-version" : "1.8.0"
"hsi-level": 2,
"fwupd-version": "1.8.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.Amd.SpiWriteProtection.json
View File

@ -1,18 +1,18 @@
{
"id" : "org.fwupd.hsi.Amd.SpiWriteProtection",
"name" : "AMD SPI Replay protections",
"description" : [
"id": "org.fwupd.hsi.Amd.SpiWriteProtection",
"name": "AMD SPI Replay protections",
"description": [
"SOCs may include support for replay-protected monotonic counters to prevent replay attacks."
],
"failure-impact" : [
"failure-impact": [
"SOCs without this feature may be attacked by an attacker modifying the SPI."
],
"failure-results" : {
"not-enabled" : "SPI protections disabled"
"failure-results": {
"not-enabled": "SPI protections disabled"
},
"success-results" : {
"enabled" : "SPI protections enabled"
"success-results": {
"enabled": "SPI protections enabled"
},
"hsi-level" : 3,
"fwupd-version" : "1.8.0"
"hsi-level": 3,
"fwupd-version": "1.8.0"
}

38
docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
View File

@ -1,21 +1,21 @@
{
"id": "org.fwupd.hsi.Bios.RollbackProtection",
"name": "BIOS Firmware Rollback protection",
"description": [
"Some OEMs include an optional firmware protection feature in their BIOS that would prevent installation of older firmware that may have security vulnerabilities."
],
"failure-impact": [
"Firmware without this feature enabled may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
],
"failure-results": {
"not-enabled": "rollback protection disabled"
},
"success-results": {
"enabled": "rollback protection enabled"
},
"hsi-level": 2,
"references": {
"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection"
},
"fwupd-version": "1.8.8"
"id": "org.fwupd.hsi.Bios.RollbackProtection",
"name": "BIOS Firmware Rollback protection",
"description": [
"Some OEMs include an optional firmware protection feature in their BIOS that would prevent installation of older firmware that may have security vulnerabilities."
],
"failure-impact": [
"Firmware without this feature enabled may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
],
"failure-results": {
"not-enabled": "rollback protection disabled"
},
"success-results": {
"enabled": "rollback protection enabled"
},
"hsi-level": 2,
"references": {
"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection"
},
"fwupd-version": "1.8.8"
}

28
docs/hsi-tests.d/org.fwupd.hsi.EncryptedRam.json
View File

@ -1,25 +1,25 @@
{
"id" : "org.fwupd.hsi.EncryptedRam",
"name" : "DRAM memory encryption",
"description" : [
"id": "org.fwupd.hsi.EncryptedRam",
"name": "DRAM memory encryption",
"description": [
"TME (Intel) or SME (AMD) is used by the hardware on supported SOCs to encrypt all data on external memory buses.",
"It mitigates against an attacker being able to capture memory data while the system is running or to capture memory by removing a DRAM chip.",
"This encryption may be activated by either transparently via firmware configuration or by code running in the Linux kernel."
],
"failure-impact" : [
"failure-impact": [
"A local attacker can either extract unencrypted content by attaching debug probes on the DIMM modules, or by removing them and inserting them into a computer with a modified DRAM controller."
],
"failure-results" : {
"not-encrypted" : "detected but disabled",
"not-supported" : "not available"
"failure-results": {
"not-encrypted": "detected but disabled",
"not-supported": "not available"
},
"success-results" : {
"encrypted" : "detected and enabled"
"success-results": {
"encrypted": "detected and enabled"
},
"hsi-level" : 4,
"references" : {
"https://software.intel.com/content/www/us/en/develop/blogs/intel-releases-new-technology-specification-for-memory-encryption.html" : "Intel TME Press Release",
"https://en.wikichip.org/wiki/x86/sme" : "WikiChip SME Overview"
"hsi-level": 4,
"references": {
"https://software.intel.com/content/www/us/en/develop/blogs/intel-releases-new-technology-specification-for-memory-encryption.html": "Intel TME Press Release",
"https://en.wikichip.org/wiki/x86/sme": "WikiChip SME Overview"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.IntelBootguard.Acm.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.IntelBootguard.Acm",
"name" : "Intel BootGuard: ACM",
"description" : [
"id": "org.fwupd.hsi.IntelBootguard.Acm",
"name": "Intel BootGuard: ACM",
"description": [
"BootGuard is a processor feature that prevents the machine from running firmware images not released by the system manufacturer.",
"It forms a root-of-trust by fusing in cryptographic keys into the processor itself that are used to verify the Authenticated Code Modules found in the SPI flash."
],
"failure-impact" : [
"failure-impact": [
"When BootGuard is not set up correctly then the chain-of-trust between the CPU and the bootloader can not be verified."
],
"failure-results" : {
"not-valid" : "boot is not verified"
"failure-results": {
"not-valid": "boot is not verified"
},
"success-results" : {
"valid" : "ACM protected"
"success-results": {
"valid": "ACM protected"
},
"hsi-level" : 2,
"fwupd-version" : "1.5.0"
"hsi-level": 2,
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.IntelBootguard.Enabled.json
View File

@ -1,26 +1,26 @@
{
"id" : "org.fwupd.hsi.IntelBootguard.Enabled",
"deprecated-ids" : [
"id": "org.fwupd.hsi.IntelBootguard.Enabled",
"deprecated-ids": [
"org.fwupd.hsi.Kernel.IntelBootguard"
],
"name" : "Intel BootGuard: Enabled",
"description" : [
"name": "Intel BootGuard: Enabled",
"description": [
"BootGuard is a processor feature that prevents the machine from running firmware images not released by the system manufacturer.",
"It forms a root-of-trust by fusing in cryptographic keys into the processor itself that are used to verify the Authenticated Code Modules found in the SPI flash."
],
"failure-impact" : [
"failure-impact": [
"When BootGuard is not set up correctly then the chain-of-trust between the CPU and the bootloader can not be verified.",
"This would allow subverting the Secure Boot protection which gives the attacker full access to your hardware."
],
"failure-results" : {
"not-enabled" : "not detected, or detected but not enabled"
"failure-results": {
"not-enabled": "not detected, or detected but not enabled"
},
"success-results" : {
"enabled" : "detected and enabled"
"success-results": {
"enabled": "detected and enabled"
},
"hsi-level" : 2,
"references" : {
"https://github.com/coreboot/coreboot/blob/master/src/soc/intel/jasperlake/include/soc/me.h" : "Coreboot documentation"
"hsi-level": 2,
"references": {
"https://github.com/coreboot/coreboot/blob/master/src/soc/intel/jasperlake/include/soc/me.h": "Coreboot documentation"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.IntelBootguard.Otp.json
View File

@ -1,20 +1,20 @@
{
"id" : "org.fwupd.hsi.IntelBootguard.Otp",
"name" : "Intel BootGuard: OTP",
"description" : [
"id": "org.fwupd.hsi.IntelBootguard.Otp",
"name": "Intel BootGuard: OTP",
"description": [
"BootGuard is a processor feature that prevents the machine from running firmware images not released by the system manufacturer.",
"It forms a root-of-trust by fusing in cryptographic keys into the processor itself that are used to verify the Authenticated Code Modules found in the SPI flash."
],
"failure-impact" : [
"failure-impact": [
"When BootGuard is not set up correctly then the chain-of-trust between the CPU and the bootloader can not be verified.",
"This would allow subverting the Secure Boot protection which gives the attacker full access to your hardware."
],
"failure-results" : {
"not-valid" : "SOC is not locked"
"failure-results": {
"not-valid": "SOC is not locked"
},
"success-results" : {
"valid" : "SOC is locked"
"success-results": {
"valid": "SOC is locked"
},
"hsi-level" : 2,
"fwupd-version" : "1.5.0"
"hsi-level": 2,
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.IntelBootguard.Policy.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.IntelBootguard.Policy",
"name" : "Intel BootGuard: Policy",
"description" : [
"id": "org.fwupd.hsi.IntelBootguard.Policy",
"name": "Intel BootGuard: Policy",
"description": [
"BootGuard is a processor feature that prevents the machine from running firmware images not released by the system manufacturer.",
"It forms a root-of-trust by fusing in cryptographic keys into the processor itself that are used to verify the Authenticated Code Modules found in the SPI flash."
],
"failure-impact" : [
"failure-impact": [
"The attacker can invalidate the chain of trust (subverting Secure Boot), and the user would get just a console warning and then continue to boot."
],
"failure-results" : {
"not-valid" : "policy is invalid"
"failure-results": {
"not-valid": "policy is invalid"
},
"success-results" : {
"valid" : "error enforce policy is set to shutdown"
"success-results": {
"valid": "error enforce policy is set to shutdown"
},
"hsi-level" : 3,
"fwupd-version" : "1.5.0"
"hsi-level": 3,
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.IntelBootguard.Verified.json
View File

@ -1,20 +1,20 @@
{
"id" : "org.fwupd.hsi.IntelBootguard.Verified",
"name" : "Intel BootGuard: Verified",
"description" : [
"id": "org.fwupd.hsi.IntelBootguard.Verified",
"name": "Intel BootGuard: Verified",
"description": [
"BootGuard is a processor feature that prevents the machine from running firmware images not released by the system manufacturer.",
"It forms a root-of-trust by fusing in cryptographic keys into the processor itself that are used to verify the Authenticated Code Modules found in the SPI flash."
],
"failure-impact" : [
"failure-impact": [
"When BootGuard is not set up correctly then the chain-of-trust between the CPU and the bootloader can not be verified.",
"This would allow subverting the Secure Boot protection which gives the attacker full access to your hardware."
],
"failure-results" : {
"not-valid" : "boot is not verified"
"failure-results": {
"not-valid": "boot is not verified"
},
"success-results" : {
"success" : "verified boot chain"
"success-results": {
"success": "verified boot chain"
},
"hsi-level" : 2,
"fwupd-version" : "1.5.0"
"hsi-level": 2,
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.IntelCet.Active.json
View File

@ -1,21 +1,21 @@
{
"id" : "org.fwupd.hsi.IntelCet.Active",
"name" : "Intel CET: Active",
"description" : [
"id": "org.fwupd.hsi.IntelCet.Active",
"name": "Intel CET: Active",
"description": [
"Control enforcement technology is available on new Intel platforms and prevents exploits from hijacking the control-flow transfer instructions for both forward-edge (indirect call/jmp) and back-edge transfer (ret)."
],
"failure-impact" : [
"failure-impact": [
"A local or physical attacker with an existing unrelated vulnerability can use a ROP gadget to run arbitrary code."
],
"failure-results" : {
"not-supported" : "CET not being used by the host"
"failure-results": {
"not-supported": "CET not being used by the host"
},
"success-results" : {
"supported" : "CET being used"
"success-results": {
"supported": "CET being used"
},
"hsi-level" : 3,
"references" : {
"https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf" : "Intel CET Technology Preview"
"hsi-level": 3,
"references": {
"https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf": "Intel CET Technology Preview"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.IntelCet.Enabled.json
View File

@ -1,21 +1,21 @@
{
"id" : "org.fwupd.hsi.IntelCet.Enabled",
"name" : "Intel CET: Available",
"description" : [
"id": "org.fwupd.hsi.IntelCet.Enabled",
"name": "Intel CET: Available",
"description": [
"Control enforcement technology is available on new Intel platforms and prevents exploits from hijacking the control-flow transfer instructions for both forward-edge (indirect call/jmp) and back-edge transfer (ret)."
],
"failure-impact" : [
"failure-impact": [
"A local or physical attacker with an existing unrelated vulnerability can use a reliable and well-known method to run arbitrary code."
],
"failure-results" : {
"not-supported" : "CET not supported"
"failure-results": {
"not-supported": "CET not supported"
},
"success-results" : {
"enabled" : "CET feature enabled by the platform"
"success-results": {
"enabled": "CET feature enabled by the platform"
},
"hsi-level" : 3,
"references" : {
"https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf" : "Intel CET Technology Preview"
"hsi-level": 3,
"references": {
"https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf": "Intel CET Technology Preview"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.IntelSmap.json
View File

@ -1,22 +1,22 @@
{
"id" : "org.fwupd.hsi.IntelSmap",
"name" : "Intel SMAP",
"description" : [
"id": "org.fwupd.hsi.IntelSmap",
"name": "Intel SMAP",
"description": [
"Without Supervisor Mode Access Prevention, the supervisor code usually has full read and write access to user-space memory mappings.",
"This can make exploits easier to write, as it allows the kernel to access user-space memory when it did not intend to."
],
"failure-impact" : [
"failure-impact": [
"A local or remote attacker can use a simple exploit to modify the contents of kernel memory which can lead to privilege escalation."
],
"failure-results" : {
"not-supported" : "SMAP not enabled"
"failure-results": {
"not-supported": "SMAP not enabled"
},
"success-results" : {
"enabled" : "SMAP features are detected and enabled"
"success-results": {
"enabled": "SMAP features are detected and enabled"
},
"hsi-level" : 4,
"references" : {
"https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention" : "SMAP Wikipedia Page"
"hsi-level": 4,
"references": {
"https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention": "SMAP Wikipedia Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.Iommu.json
View File

@ -1,24 +1,24 @@
{
"id" : "org.fwupd.hsi.Iommu",
"name" : "DMA protection",
"description" : [
"id": "org.fwupd.hsi.Iommu",
"name": "DMA protection",
"description": [
"The IOMMU on modern systems is used to mitigate against DMA attacks.",
"All I/O for devices capable of DMA is mapped into a private virtual memory region.",
"Common implementations are Intel VT-d and AMD-Vi."
],
"failure-impact" : [
"failure-impact": [
"An attacker with inexpensive PCIe development hardware can write to system RAM from the ThunderBolt or Firewire ports which can lead to privilege escalation."
],
"failure-results" : {
"not-found" : "IOMMU hardware was not detected"
"failure-results": {
"not-found": "IOMMU hardware was not detected"
},
"success-results" : {
"enabled" : "IOMMU hardware detected and enabled"
"success-results": {
"enabled": "IOMMU hardware detected and enabled"
},
"hsi-level" : 2,
"resolution" : "If available, turn on IOMMU in the system BIOS. You may also have to use additional kernel boot parameters, for example `iommu=force`.",
"references" : {
"https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit" : "IOMMU Wikipedia Page"
"hsi-level": 2,
"resolution": "If available, turn on IOMMU in the system BIOS. You may also have to use additional kernel boot parameters, for example `iommu=force`.",
"references": {
"https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit": "IOMMU Wikipedia Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.Kernel.Lockdown",
"name" : "Kernel Lockdown",
"description" : [
"id": "org.fwupd.hsi.Kernel.Lockdown",
"name": "Kernel Lockdown",
"description": [
"Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.",
"Turning on this feature means that often-used mechanisms like /dev/mem used to raise privileges or exfiltrate data are no longer available."
],
"failure-impact" : [
"failure-impact": [
"An unlocked kernel can be easily abused by a malicious userspace program running as root, which can include replacing system firmware."
],
"failure-results" : {
"not-valid" : "could not read lockdown status, perhaps from an old kernel",
"not-enabled" : "lockdown is set to `none`"
"failure-results": {
"not-valid": "could not read lockdown status, perhaps from an old kernel",
"not-enabled": "lockdown is set to `none`"
},
"success-results" : {
"enabled" : "lockdown is set to either `integrity` or `confidentiality`."
"success-results": {
"enabled": "lockdown is set to either `integrity` or `confidentiality`."
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.Kernel.Tainted",
"name" : "Kernel Tainted",
"description" : [
"id": "org.fwupd.hsi.Kernel.Tainted",
"name": "Kernel Tainted",
"description": [
"When calculating the HSI value fwupd has to ask the Linux Kernel for information.",
"If the kernel has been tainted by overriding a firmware table or by loading a proprietary module then we cannot trust the data it reports."
],
"failure-impact" : [
"failure-impact": [
"Using a tainted kernel means that values obtained from the kernel cannot be trusted."
],
"failure-results" : {
"not-valid" : "could not detect kernel taint status",
"tainted" : "the kernel is untrusted, perhaps because a proprietary module was loaded"
"failure-results": {
"not-valid": "could not detect kernel taint status",
"tainted": "the kernel is untrusted, perhaps because a proprietary module was loaded"
},
"success-results" : {
"not-tainted" : "the kernel is trusted"
"success-results": {
"not-tainted": "the kernel is trusted"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.Mei.KeyManifest.json
View File

@ -1,25 +1,25 @@
{
"id" : "org.fwupd.hsi.Mei.KeyManifest",
"name" : "ME BootGuard Platform Key",
"description" : [
"id": "org.fwupd.hsi.Mei.KeyManifest",
"name": "ME BootGuard Platform Key",
"description": [
"The BootGuard Platform Key is fused into the CPU PCH during manufacturing by the OEM.",
"At bootup, an authenticated code module computes a hash of the Platform Key and compares it with the one stored in field-programmable fuses.",
"If the key matches the ACM will pass control to the firmware, otherwise the boot process will stop.",
"In 2022 a number of Platform **secret** Keys were leaked by Lenovo and confirmed by Intel."
],
"failure-impact" : [
"failure-impact": [
"A custom system firmware can be signed using the leaked private key to completely disable UEFI Secure Boot and allow complete persistent compromise of the affected machine."
],
"failure-results" : {
"not-valid" : "device uses a key that is compromised"
"failure-results": {
"not-valid": "device uses a key that is compromised"
},
"success-results" : {
"valid" : "device uses a BootGuard Platform Key that is not known to be compromised"
"success-results": {
"valid": "device uses a BootGuard Platform Key that is not known to be compromised"
},
"hsi-level" : 1,
"references" : {
"https://github.com/phretor/intel-leak-checker/" : "Intel leak checker",
"https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge" : "Tom's Hardware Article"
"hsi-level": 1,
"references": {
"https://github.com/phretor/intel-leak-checker/": "Intel leak checker",
"https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge": "Tom's Hardware Article"
},
"fwupd-version" : "1.8.7"
"fwupd-version": "1.8.7"
}

26
docs/hsi-tests.d/org.fwupd.hsi.Mei.ManufacturingMode.json
View File

@ -1,24 +1,24 @@
{
"id" : "org.fwupd.hsi.Mei.ManufacturingMode",
"name" : "ME not in manufacturing mode",
"description" : [
"id": "org.fwupd.hsi.Mei.ManufacturingMode",
"name": "ME not in manufacturing mode",
"description": [
"There have been some unfortunate cases of the ME being distributed in manufacturing mode.",
"In manufacturing mode many features from the ME can be interacted with that decrease the platform's security."
],
"failure-impact" : [
"failure-impact": [
"If the ME is in manufacturing mode then any user with root access can provision the ME engine with new keys.",
"This gives them full access to the system even when the system is powered off."
],
"failure-results" : {
"not-locked" : "device is in manufacturing mode"
"failure-results": {
"not-locked": "device is in manufacturing mode"
},
"success-results" : {
"locked" : "device has had manufacturing mode disabled"
"success-results": {
"locked": "device has had manufacturing mode disabled"
},
"hsi-level" : 1,
"references" : {
"https://malware.news/t/intel-me-manufacturing-mode-obscured-dangers-and-their-relationship-to-apple-macbook-vulnerability-cve-2018-4251/23214" : "ME Manufacturing Mode: obscured dangers",
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html" : "Intel security advisory SA-00086"
"hsi-level": 1,
"references": {
"https://malware.news/t/intel-me-manufacturing-mode-obscured-dangers-and-their-relationship-to-apple-macbook-vulnerability-cve-2018-4251/23214": "ME Manufacturing Mode: obscured dangers",
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html": "Intel security advisory SA-00086"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.Mei.OverrideStrap.json
View File

@ -1,22 +1,22 @@
{
"id" : "org.fwupd.hsi.Mei.OverrideStrap",
"name" : "ME Flash Descriptor Override",
"description" : [
"id": "org.fwupd.hsi.Mei.OverrideStrap",
"name": "ME Flash Descriptor Override",
"description": [
"The Flash Descriptor Security Override Strap is not accessible to end users on consumer boards and Intel stresses that this is for debugging only."
],
"failure-impact" : [
"failure-impact": [
"The system firmware can be written from userspace by changing the protected region.",
"This gives any attacker with root access a method to write persistent executable code to the firmware, which survives even a full disk wipe and OS reinstall."
],
"failure-results" : {
"not-locked" : "device is in debugging mode"
"failure-results": {
"not-locked": "device is in debugging mode"
},
"success-results" : {
"locked" : "device in in normal runtime mode"
"success-results": {
"locked": "device in in normal runtime mode"
},
"hsi-level" : 1,
"references" : {
"https://chromium.googlesource.com/chromiumos/third_party/flashrom/+/master/Documentation/mysteries_intel.txt" : "Chromium documentation for Intel ME"
"hsi-level": 1,
"references": {
"https://chromium.googlesource.com/chromiumos/third_party/flashrom/+/master/Documentation/mysteries_intel.txt": "Chromium documentation for Intel ME"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

28
docs/hsi-tests.d/org.fwupd.hsi.Mei.Version.json
View File

@ -1,26 +1,26 @@
{
"id" : "org.fwupd.hsi.Mei.Version",
"name" : "CSME Version",
"description" : [
"id": "org.fwupd.hsi.Mei.Version",
"name": "CSME Version",
"description": [
"Converged Security and Manageability Engine is a standalone management module that can manage and control some local devices without the host CPU involvement.",
"The CSME lives in the PCH and can only be updated by the OEM vendor.",
"The version of the CSME module can be checked to detect the most common and serious vulnerabilities."
],
"failure-impact" : [
"failure-impact": [
"Using any one of the critical vulnerabilities, a remote attacker can take full control of the system and all connected devices, even when the system is powered off."
],
"failure-results" : {
"not-valid" : "affected by one of the critical CVEs"
"failure-results": {
"not-valid": "affected by one of the critical CVEs"
},
"success-results" : {
"valid" : "is not affected by the most critical CVEs"
"success-results": {
"valid": "is not affected by the most critical CVEs"
},
"hsi-level" : 1,
"resolution" : "Update your Management Engine firmware",
"references" : {
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html" : "Intel CSME Security Review Cumulative Update"
"hsi-level": 1,
"resolution": "Update your Management Engine firmware",
"references": {
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html": "Intel CSME Security Review Cumulative Update"
},
"issues" : [
"issues": [
"CVE-2017-5705",
"CVE-2017-5706",
"CVE-2017-5707",
@ -30,5 +30,5 @@
"CVE-2017-5711",
"CVE-2017-5712"
],
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

32
docs/hsi-tests.d/org.fwupd.hsi.PlatformDebugEnabled.json
View File

@ -1,30 +1,30 @@
{
"id" : "org.fwupd.hsi.PlatformDebugEnabled",
"deprecated-ids" : [
"id": "org.fwupd.hsi.PlatformDebugEnabled",
"deprecated-ids": [
"org.fwupd.hsi.IntelDci.Enabled"
],
"name" : "Intel DCI",
"description" : [
"name": "Intel DCI",
"description": [
"Newer Intel CPUs support debugging over USB3 via a proprietary Direct Connection Interface (DCI) with the use of off-the-shelf hardware."
],
"failure-impact" : [
"failure-impact": [
"Using DCI an attacker with physical access to the computer has full access to all registers and memory in the system, and is able to make changes.",
"This makes privilege escalation from user to root possible, and also modifying SMM makes it possible to write to system firmware for a persistent backdoor."
],
"failure-results" : {
"enabled" : "debugging is currently enabled"
"failure-results": {
"enabled": "debugging is currently enabled"
},
"success-results" : {
"not-enabled" : "debugging is not currently enabled"
"success-results": {
"not-enabled": "debugging is not currently enabled"
},
"hsi-level" : 1,
"references" : {
"https://www.intel.co.uk/content/www/uk/en/support/articles/000029393/processors.html" : "Intel Direct Connect Interface",
"https://github.com/chipsec/chipsec/blob/master/chipsec/cfg/8086/pch_4xxlp.xml#L270" : "Chipsec 4xxlp register definitions",
"https://github.com/riscv/riscv-edk2-platforms/blob/85a50de1b459d1d6644a402081120770aa6dd8c7/Silicon/Intel/CoffeelakeSiliconPkg/Pch/Include/Register/PchRegsDci.h" : "RISC-V EDK PCH register definitions"
"hsi-level": 1,
"references": {
"https://www.intel.co.uk/content/www/uk/en/support/articles/000029393/processors.html": "Intel Direct Connect Interface",
"https://github.com/chipsec/chipsec/blob/master/chipsec/cfg/8086/pch_4xxlp.xml#L270": "Chipsec 4xxlp register definitions",
"https://github.com/riscv/riscv-edk2-platforms/blob/85a50de1b459d1d6644a402081120770aa6dd8c7/Silicon/Intel/CoffeelakeSiliconPkg/Pch/Include/Register/PchRegsDci.h": "RISC-V EDK PCH register definitions"
},
"more-information" : [
"more-information": [
"This attribute was previously known as `org.fwupd.hsi.IntelDci.Enabled` in 1.5.0, but was renamed in 1.8.0 to support other vendors."
],
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.PlatformDebugLocked.json
View File

@ -1,25 +1,25 @@
{
"id" : "org.fwupd.hsi.PlatformDebugLocked",
"deprecated-ids" : [
"id": "org.fwupd.hsi.PlatformDebugLocked",
"deprecated-ids": [
"org.fwupd.hsi.IntelDci.Locked"
],
"name" : "Part is debug locked",
"description" : [
"name": "Part is debug locked",
"description": [
"Some devices support a concept of whether a part has been unlocked for debugging using proprietary hardware. Such parts allow access to registers that are typically restricted when parts are fused.",
"On Intel systems access to this interface is done via a proprietary Direct Connection Interface (DCI)."
],
"failure-impact" : [
"failure-impact": [
"If using a debug unlocked part, the platform's overall security will be decreased as an attacker may have elevated access to registers and memory within the system and can potentially enable persistent backdoors."
],
"failure-results" : {
"not-locked" : "device is not locked"
"failure-results": {
"not-locked": "device is not locked"
},
"success-results" : {
"locked" : "device is locked"
"success-results": {
"locked": "device is locked"
},
"hsi-level" : 2,
"references" : {
"https://www.intel.co.uk/content/www/uk/en/support/articles/000029393/processors.html" : "Intel Direct Connect Interface"
"hsi-level": 2,
"references": {
"https://www.intel.co.uk/content/www/uk/en/support/articles/000029393/processors.html": "Intel Direct Connect Interface"
},
"fwupd-version" : "1.8.0"
"fwupd-version": "1.8.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.PlatformFused.json
View File

@ -1,18 +1,18 @@
{
"id" : "org.fwupd.hsi.PlatformFused",
"name" : "Part is fused",
"description" : [
"id": "org.fwupd.hsi.PlatformFused",
"name": "Part is fused",
"description": [
"When fuses are blown in parts from some manufacturers the hardware will enforce protections against tampering or accessing of certain registers."
],
"failure-impact" : [
"failure-impact": [
"If using an unfused part, the platform's overall security will be decreased."
],
"failure-results" : {
"not-locked" : "device is not fused"
"failure-results": {
"not-locked": "device is not fused"
},
"success-results" : {
"locked" : "device is fused"
"success-results": {
"locked": "device is fused"
},
"hsi-level" : 1,
"fwupd-version" : "1.8.0"
"hsi-level": 1,
"fwupd-version": "1.8.0"
}

32
docs/hsi-tests.d/org.fwupd.hsi.PrebootDma.json
View File

@ -1,33 +1,33 @@
{
"id" : "org.fwupd.hsi.PrebootDma",
"deprecated-ids" : [
"id": "org.fwupd.hsi.PrebootDma",
"deprecated-ids": [
"org.fwupd.hsi.AcpiDmar"
],
"name" : "Pre-boot DMA protection",
"description" : [
"name": "Pre-boot DMA protection",
"description": [
"The IOMMU on modern systems is used to mitigate against DMA attacks.",
"All I/O for devices capable of DMA is mapped into a private virtual memory region.",
"On Intel systems the ACPI DMAR table indicated the system is configured with pre-boot DMA protection which eliminates some firmware attacks.",
"On AMD systems the ACPI IVRS table indicates the same."
],
"failure-impact" : [
"failure-impact": [
"An attacker could connect a malicious peripheral using ThunderBolt and reboot the machine, which would allow the attacker to modify the system memory.",
"This would allow subverting the Secure Boot protection, and also invalidate any system attestation."
],
"failure-results" : {
"not-valid" : "could not determine state",
"not-enabled" : "was not enabled"
"failure-results": {
"not-valid": "could not determine state",
"not-enabled": "was not enabled"
},
"success-results" : {
"enabled" : "detected correctly"
"success-results": {
"enabled": "detected correctly"
},
"hsi-level" : 3,
"references" : {
"https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit" : "IOMMU Wikipedia Page",
"https://www.amd.com/system/files/TechDocs/48882_IOMMU.pdf" : "AMD IVRS Specification"
"hsi-level": 3,
"references": {
"https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit": "IOMMU Wikipedia Page",
"https://www.amd.com/system/files/TechDocs/48882_IOMMU.pdf": "AMD IVRS Specification"
},
"more-information" : [
"more-information": [
"This attribute was previously known as `org.fwupd.hsi.AcpiDmar` in 1.5.0, but was renamed in 1.8.0 to support other vendors."
],
"fwupd-version" : "1.8.0"
"fwupd-version": "1.8.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.Spi.Bioswe.json
View File

@ -1,24 +1,24 @@
{
"id" : "org.fwupd.hsi.Spi.Bioswe",
"name" : "BIOS Write Enable (BWE)",
"description" : [
"id": "org.fwupd.hsi.Spi.Bioswe",
"name": "BIOS Write Enable (BWE)",
"description": [
"Intel hardware provides this mechanism to protect the SPI ROM chip located on the motherboard from being overwritten by the operating system.",
"The `BIOSWE` bit must be unset otherwise userspace can write to the SPI chip."
],
"failure-impact" : [
"failure-impact": [
"The system firmware can be written from userspace.",
"This gives any attacker with root access a method to write persistent executable code to the firmware, which survives even a full disk wipe and OS reinstall."
],
"failure-results" : {
"not-found" : "the SPI device was not found",
"enabled" : "write enable is enabled"
"failure-results": {
"not-found": "the SPI device was not found",
"enabled": "write enable is enabled"
},
"success-results" : {
"not-enabled" : "write enable is disabled"
"success-results": {
"not-enabled": "write enable is disabled"
},
"hsi-level" : 1,
"references" : {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf" : "Intel C200 Datasheet"
"hsi-level": 1,
"references": {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf": "Intel C200 Datasheet"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.Spi.Ble.json
View File

@ -1,23 +1,23 @@
{
"id" : "org.fwupd.hsi.Spi.Ble",
"name" : "BIOS Lock Enable (BLE)",
"description" : [
"id": "org.fwupd.hsi.Spi.Ble",
"name": "BIOS Lock Enable (BLE)",
"description": [
"If the lock bit is set then System Management Interrupts (SMIs) are raised when setting BIOS Write Enable.",
"The `BLE` bit must be enabled in the PCH otherwise `BIOSWE` can easily be unset."
],
"failure-impact" : [
"failure-impact": [
"The system firmware can be written from userspace.",
"This gives any attacker with root access a method to write persistent executable code to the firmware, which survives even a full disk wipe and OS reinstall."
],
"failure-results" : {
"not-enabled" : "the register is not locked"
"failure-results": {
"not-enabled": "the register is not locked"
},
"success-results" : {
"enabled" : "the register is locked"
"success-results": {
"enabled": "the register is locked"
},
"hsi-level" : 1,
"references" : {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf" : "Intel C200 Datasheet"
"hsi-level": 1,
"references": {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf": "Intel C200 Datasheet"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

22
docs/hsi-tests.d/org.fwupd.hsi.Spi.Descriptor.json
View File

@ -1,21 +1,21 @@
{
"id" : "org.fwupd.hsi.Spi.Descriptor",
"name" : "Read-only SPI Descriptor",
"description" : [
"id": "org.fwupd.hsi.Spi.Descriptor",
"name": "Read-only SPI Descriptor",
"description": [
"The SPI descriptor must always be read only from all other regions.",
"Additionally on Intel architectures the FLOCKDN register must be set to prevent configuration registers in the SPI BAR from being changed."
],
"failure-impact" : [
"failure-impact": [
"The system firmware can be written from userspace by changing the protected region.",
"This gives any attacker with root access a method to write persistent executable code to the firmware, which survives even a full disk wipe and OS reinstall."
],
"failure-results" : {
"not-valid" : "any region can write to the flash descriptor",
"not-locked" : "the SPI BAR is not locked"
"failure-results": {
"not-valid": "any region can write to the flash descriptor",
"not-locked": "the SPI BAR is not locked"
},
"success-results" : {
"locked" : "the SPI BAR is locked and read only from all regions"
"success-results": {
"locked": "the SPI BAR is locked and read only from all regions"
},
"hsi-level" : 1,
"fwupd-version" : "1.6.0"
"hsi-level": 1,
"fwupd-version": "1.6.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.Spi.SmmBwp.json
View File

@ -1,23 +1,23 @@
{
"id" : "org.fwupd.hsi.Spi.SmmBwp",
"name" : "SMM Bios Write Protect (SMM_BWP)",
"description" : [
"id": "org.fwupd.hsi.Spi.SmmBwp",
"name": "SMM Bios Write Protect (SMM_BWP)",
"description": [
"This bit set defines when the BIOS region can be written by the host.",
"The `SMM_BWP` bit must be set to make the BIOS region non-writable unless all processors are in system management mode."
],
"failure-impact" : [
"failure-impact": [
"The system firmware can be written from userspace by exploiting a race condition in checking `BLE`.",
"This gives any attacker with root access a method to write persistent executable code to the firmware, which survives even a full disk wipe and OS reinstall."
],
"failure-results" : {
"not-locked" : "the region is not locked"
"failure-results": {
"not-locked": "the region is not locked"
},
"success-results" : {
"locked" : "the region is locked"
"success-results": {
"locked": "the region is locked"
},
"hsi-level" : 1,
"references" : {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf" : "Intel C200 Datasheet"
"hsi-level": 1,
"references": {
"https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf": "Intel C200 Datasheet"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.SupportedCpu",
"name" : "Supported CPU",
"description" : [
"id": "org.fwupd.hsi.SupportedCpu",
"name": "Supported CPU",
"description": [
"Most platform checks are specific to the CPU vendor.",
"To avoid giving a very high HSI result for a platform we do not know how to verify, we include this attribute to ensure that the result is meaningful."
],
"failure-impact" : [
"failure-impact": [
"If using an unsupported CPU then fwupd is unable to verify the platform security.",
"You should contact your platform vendor and ask them to contribute HSI tests for this CPU type."
],
"failure-results" : {
"unknown" : "platform security is unknown"
"failure-results": {
"unknown": "platform security is unknown"
},
"success-results" : {
"valid" : "the CPU platform is supported and has HSI tests"
"success-results": {
"valid": "the CPU platform is supported and has HSI tests"
},
"more-information": [
"On AMD APUs or CPUs this information is reported on kernel 5.19 or later via the `ccp` kernel module. ",
@ -21,6 +21,6 @@
"If the kernel module has loaded but you still don't have data this is NOT a fwupd bug. You will have to contact ",
"your motherboard or system manufacturer to enable reporting this information."
],
"hsi-level" : 1,
"fwupd-version" : "1.8.0"
"hsi-level": 1,
"fwupd-version": "1.8.0"
}

22
docs/hsi-tests.d/org.fwupd.hsi.SuspendToIdle.json
View File

@ -1,19 +1,19 @@
{
"id" : "org.fwupd.hsi.SuspendToIdle",
"name" : "Suspend-to-Idle",
"description" : [
"id": "org.fwupd.hsi.SuspendToIdle",
"name": "Suspend-to-Idle",
"description": [
"The platform should be set up with Suspend-to-Idle as the default S3 sleep state."
],
"failure-impact" : [
"failure-impact": [
"A local attacker could overwrite the S3 resume script to modify system RAM which can lead to privilege escalation."
],
"failure-results" : {
"enabled" : "deep sleep enabled",
"not-valid" : "could not determine the default"
"failure-results": {
"enabled": "deep sleep enabled",
"not-valid": "could not determine the default"
},
"success-results" : {
"not-enabled" : "suspend-to-idle being used"
"success-results": {
"not-enabled": "suspend-to-idle being used"
},
"hsi-level" : 3,
"fwupd-version" : "1.5.0"
"hsi-level": 3,
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.SuspendToRam.json
View File

@ -1,24 +1,24 @@
{
"id" : "org.fwupd.hsi.SuspendToRam",
"name" : "Suspend to RAM disabled",
"description" : [
"id": "org.fwupd.hsi.SuspendToRam",
"name": "Suspend to RAM disabled",
"description": [
"Suspend to Ram (S3) keeps the raw contents of the DRAM refreshed when the system is asleep.",
"This means that the memory modules can be physically removed and the contents recovered, or a cold boot attack can be performed with a USB device.",
"The firmware should be configured to prefer using suspend to idle instead of suspend to ram or to not offer suspend to RAM."
],
"failure-impact" : [
"failure-impact": [
"An attacker with physical access to a system can obtain the un-encrypted contents of the RAM by suspending the machine, removing the DIMM and inserting it into another machine with modified DRAM controller before the memory contents decay."
],
"failure-results" : {
"enabled" : "sleep enabled",
"not-valid" : "could not determine the default"
"failure-results": {
"enabled": "sleep enabled",
"not-valid": "could not determine the default"
},
"success-results" : {
"not-enabled" : "suspend-to-ram being used"
"success-results": {
"not-enabled": "suspend-to-ram being used"
},
"hsi-level" : 3,
"references" : {
"https://en.wikipedia.org/wiki/Cold_boot_attack" : "Cold Boot Attack Wikipedia Page"
"hsi-level": 3,
"references": {
"https://en.wikipedia.org/wiki/Cold_boot_attack": "Cold Boot Attack Wikipedia Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

28
docs/hsi-tests.d/org.fwupd.hsi.Tpm.EmptyPcr.json
View File

@ -1,27 +1,27 @@
{
"id" : "org.fwupd.hsi.Tpm.EmptyPcr",
"name" : "Empty PCR in TPM",
"description" : [
"id": "org.fwupd.hsi.Tpm.EmptyPcr",
"name": "Empty PCR in TPM",
"description": [
"The system firmware is responsible for measuring values about its boot stage in PCRs 0 through 7.",
"Some firmwares have bugs that prevent them from measuring some of those values, breaking the fundamental assumption of the Measured Boot chain-of-trust."
],
"failure-impact" : [
"failure-impact": [
"A local attacker could measure fake values into the empty PCR, corresponding to a firmware and OS that do not match the ones actually loaded.",
"This allows hiding a compromised boot chain or fooling a remote-attestation server into believing that a different kernel is running."
],
"failure-results" : {
"not-found" : "no TPM hardware could be found",
"not-valid" : "at least one empty checksum has been found"
"failure-results": {
"not-found": "no TPM hardware could be found",
"not-valid": "at least one empty checksum has been found"
},
"success-results" : {
"valid" : "all PCRs from 0 to 7 must have non-empty measurements"
"success-results": {
"valid": "all PCRs from 0 to 7 must have non-empty measurements"
},
"hsi-level" : 1,
"references" : {
"https://github.com/google/security-research/blob/master/pocs/bios/tpm-carte-blanche/writeup.md" : "TPM Carte Blanche"
"hsi-level": 1,
"references": {
"https://github.com/google/security-research/blob/master/pocs/bios/tpm-carte-blanche/writeup.md": "TPM Carte Blanche"
},
"issues" : [
"issues": [
"CVE-2021-42299"
],
"fwupd-version" : "1.7.2"
"fwupd-version": "1.7.2"
}

28
docs/hsi-tests.d/org.fwupd.hsi.Tpm.ReconstructionPcr0.json
View File

@ -1,27 +1,27 @@
{
"id" : "org.fwupd.hsi.Tpm.ReconstructionPcr0",
"name" : "PCR0 TPM Event Log Reconstruction",
"description" : [
"id": "org.fwupd.hsi.Tpm.ReconstructionPcr0",
"name": "PCR0 TPM Event Log Reconstruction",
"description": [
"The TPM event log records which events are registered for the PCR0 hash.",
"When reconstructed the event log values should always match the TPM PCR0.",
"If extra events are included in the event log, or some are missing, the reconstitution will fail."
],
"failure-impact" : [
"failure-impact": [
"This is not a vulnerability per-se, but it shows that the system firmware checksum cannot be verified as the PCR result has been calculated incorrectly."
],
"more-information" : [
"more-information": [
"Additional information about specific bugs and debugging steps are available here https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction"
],
"failure-results" : {
"not-valid" : "could not reconstitute the hash value",
"not-found" : "no TPM hardware could be found"
"failure-results": {
"not-valid": "could not reconstitute the hash value",
"not-found": "no TPM hardware could be found"
},
"success-results" : {
"valid" : "all correct"
"success-results": {
"valid": "all correct"
},
"hsi-level" : 2,
"references" : {
"https://www.kernel.org/doc/html/latest/security/tpm/tpm_event_log.html" : "Linux Kernel TPM Documentation"
"hsi-level": 2,
"references": {
"https://www.kernel.org/doc/html/latest/security/tpm/tpm_event_log.html": "Linux Kernel TPM Documentation"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

26
docs/hsi-tests.d/org.fwupd.hsi.Tpm.Version20.json
View File

@ -1,23 +1,23 @@
{
"id" : "org.fwupd.hsi.Tpm.Version20",
"name" : "TPM 2.0 Present",
"description" : [
"id": "org.fwupd.hsi.Tpm.Version20",
"name": "TPM 2.0 Present",
"description": [
"A TPM securely stores platform specific secrets that can only be divulged to trusted consumers in a secure environment."
],
"failure-impact" : [
"failure-impact": [
"The PCR registers will not be available for use by the bootloader and kernel.",
"This means userspace cannot either encrypt disks to the specific machine, and also can't know if the system firmware was externally modified."
],
"failure-results" : {
"not-found" : "no TPM device found",
"not-enabled" : "TPM not in v2 mode"
"failure-results": {
"not-found": "no TPM device found",
"not-enabled": "TPM not in v2 mode"
},
"success-results" : {
"found" : "TPM device found in v2 mode"
"success-results": {
"found": "TPM device found in v2 mode"
},
"hsi-level" : 1,
"references" : {
"https://en.wikipedia.org/wiki/Trusted_Platform_Module" : "TPM Wikipedia Page"
"hsi-level": 1,
"references": {
"https://en.wikipedia.org/wiki/Trusted_Platform_Module": "TPM Wikipedia Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

24
docs/hsi-tests.d/org.fwupd.hsi.Uefi.Pk.json
View File

@ -1,23 +1,23 @@
{
"id" : "org.fwupd.hsi.Uefi.Pk",
"name" : "UEFI PK",
"description" : [
"id": "org.fwupd.hsi.Uefi.Pk",
"name": "UEFI PK",
"description": [
"UEFI defines a platform key for the system.",
"This should not be a test key, e.g. `DO NOT TRUST - AMI Test PK`"
],
"failure-impact" : [
"failure-impact": [
"It is possible to sign an EFI binary with the test platform key, which invalidates the Secure Boot trust chain.",
"It effectively gives the local attacker full access to your hardware."
],
"failure-results" : {
"not-valid" : "an invalid key has been enrolled"
"failure-results": {
"not-valid": "an invalid key has been enrolled"
},
"success-results" : {
"valid" : "valid key"
"success-results": {
"valid": "valid key"
},
"hsi-level" : 1,
"references" : {
"https://wiki.ubuntu.com/UEFI/SecureBoot/Testing" : "Ubuntu SecureBoot Wiki Page"
"hsi-level": 1,
"references": {
"https://wiki.ubuntu.com/UEFI/SecureBoot/Testing": "Ubuntu SecureBoot Wiki Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

28
docs/hsi-tests.d/org.fwupd.hsi.Uefi.SecureBoot.json
View File

@ -1,24 +1,24 @@
{
"id" : "org.fwupd.hsi.Uefi.SecureBoot",
"name" : "UEFI SecureBoot",
"description" : [
"id": "org.fwupd.hsi.Uefi.SecureBoot",
"name": "UEFI SecureBoot",
"description": [
"UEFI Secure boot is a verification mechanism for ensuring that code launched by firmware is trusted.",
"Secure Boot requires that each binary loaded at boot is validated against trusted certificates."
],
"failure-impact" : [
"failure-impact": [
"When Secure Boot is not enabled any EFI binary can be run at startup, which gives the attacker full access to your hardware."
],
"failure-results" : {
"not-found" : "support has not been detected",
"not-enabled" : "detected, but has been turned off"
"failure-results": {
"not-found": "support has not been detected",
"not-enabled": "detected, but has been turned off"
},
"success-results" : {
"enabled" : "supported and enabled"
"success-results": {
"enabled": "supported and enabled"
},
"hsi-level" : 1,
"resolution" : "Turn off CSM boot and enable Secure Boot in the BIOS setup.",
"references" : {
"https://wiki.ubuntu.com/UEFI/SecureBoot" : "Ubuntu SecureBoot Wiki Page"
"hsi-level": 1,
"resolution": "Turn off CSM boot and enable Secure Boot in the BIOS setup.",
"references": {
"https://wiki.ubuntu.com/UEFI/SecureBoot": "Ubuntu SecureBoot Wiki Page"
},
"fwupd-version" : "1.5.0"
"fwupd-version": "1.5.0"
}

1423
src/tests/host-emulate/thinkpad-p1-iommu.json
View File

File diff suppressed because it is too large Load Diff

14
src/tests/usb-devices-bootloader.json
View File

@ -1,9 +1,9 @@
{
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 999,
"IdProduct": 999
}
]
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 999,
"IdProduct": 999
}
]
}

91
src/tests/usb-devices-invalid.json
View File

@ -1,49 +1,46 @@
{
"UsbDevices": [
{
"PlatformId": "usb:00",
"IdVendor": 10047,
"IdProduct": 4100,
"Device": 2,
"USB": 512,
"Manufacturer": 1,
"Product": 2,
"UsbBosDescriptors": [
{
"Comment": "version invalid",
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAKAAAAIAAqAA=="
},
{
"Comment": "UUID invalid",
"DevCapabilityType": 5,
"ExtraData": "AAAAAAAAAAAAAAAAAAAAAAAFCAEAIAAqAA=="
},
{
"Comment": "plugin invalid",
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAFCAEAIAArAA=="
}
],
"UsbEvents": [
{
"Id": "GetStringDescriptor:DescIndex=0x02",
"Data":
"Q29sb3JIdWcyAEcAAAAAAACwA4pgfwAAAN+Vneb9GHkAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Comment": "Plugin=dfu\nIcon=computer\n",
"Id":
"ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2a,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPWRmdQpJY29uPWNvbXB1dGVyCgAAAAAAAAA="
},
{
"Comment": "Plugin=XXX",
"Id":
"ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2b,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPVhYWAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
}
]
}
]
"UsbDevices": [
{
"PlatformId": "usb:00",
"IdVendor": 10047,
"IdProduct": 4100,
"Device": 2,
"USB": 512,
"Manufacturer": 1,
"Product": 2,
"UsbBosDescriptors": [
{
"Comment": "version invalid",
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAKAAAAIAAqAA=="
},
{
"Comment": "UUID invalid",
"DevCapabilityType": 5,
"ExtraData": "AAAAAAAAAAAAAAAAAAAAAAAFCAEAIAAqAA=="
},
{
"Comment": "plugin invalid",
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAFCAEAIAArAA=="
}
],
"UsbEvents": [
{
"Id": "GetStringDescriptor:DescIndex=0x02",
"Data": "Q29sb3JIdWcyAEcAAAAAAACwA4pgfwAAAN+Vneb9GHkAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Comment": "Plugin=dfu\nIcon=computer\n",
"Id": "ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2a,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPWRmdQpJY29uPWNvbXB1dGVyCgAAAAAAAAA="
},
{
"Comment": "Plugin=XXX",
"Id": "ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2b,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPVhYWAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
}
]
}
]
}

14
src/tests/usb-devices-replace.json
View File

@ -1,9 +1,9 @@
{
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 10047,
"IdProduct": 4100
}
]
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 10047,
"IdProduct": 4100
}
]
}

207
src/tests/usb-devices.json
View File

@ -1,110 +1,101 @@
{
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 10047,
"IdProduct": 4100,
"Device": 2,
"USB": 512,
"Manufacturer": 1,
"Product": 2,
"UsbBosDescriptors": [
{
"DevCapabilityType": 5,
"ExtraData": "AN9g3diJRcdMnNJlnZ5kip8AAAMG4AQVAA=="
},
{
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAFCAEAIAAqAA=="
},
{
"DevCapabilityType": 17,
"ExtraData": "AQMAAAA="
}
],
"UsbInterfaces": [
{
"Length": 9,
"DescriptorType": 4,
"InterfaceNumber": 1,
"InterfaceClass": 255,
"InterfaceSubClass": 70,
"InterfaceProtocol": 87,
"Interface": 3
},
{
"Length": 9,
"DescriptorType": 4,
"InterfaceNumber": 2,
"InterfaceClass": 255,
"InterfaceSubClass": 71,
"InterfaceProtocol": 85,
"Interface": 4
},
{
"Length": 9,
"DescriptorType": 4,
"InterfaceClass": 3,
"UsbEndpoints": [
{
"DescriptorType": 5,
"EndpointAddress": 129,
"Interval": 1,
"MaxPacketSize": 64
},
{
"DescriptorType": 5,
"EndpointAddress": 1,
"Interval": 1,
"MaxPacketSize": 64
}
],
"ExtraData": "CSERAQABIh0A"
}
],
"UsbEvents": [
{
"Id": "GetStringDescriptor:DescIndex=0x01",
"Data":
"SHVnaHNraSBMdGQuAAAAAAAAAAAAAAAAIFjfAAAAAAAAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Id": "GetStringDescriptor:DescIndex=0x02",
"Data":
"Q29sb3JIdWcyAEcAAAAAAACwA4pgfwAAAN+Vneb9GHkAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Id":
"GetCustomIndex:ClassId=0xff,SubclassId=0x46,ProtocolId=0x57",
"Data": "Aw=="
},
{
"Id": "GetStringDescriptor:DescIndex=0x03",
"Data":
"Mi4wLjcAAAAD0WmJYH8AAP8AAAAAAAAAA9FpiWB/AACQRNkAAAAAAGCj2wAAAAAAUHZdKPx/AACNC7qJYH8AAAMAAAAAAAAANougiWB/AACYgl0o/H8AAAAAAAAAAAAA/wAAAPx/V0Zgo9sAAAAAAEh5XSj8fwAAEMPVAAAAAAM="
},
{
"Id":
"GetCustomIndex:ClassId=0xff,SubclassId=0x47,ProtocolId=0x55",
"Data": "BA=="
},
{
"Id":
"ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x15,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,Length=0x4e0",
"Data":
"CgAAAAAAAwbgBAgAAQAAANYECAACAAAAkgGAAAQAAQAoAFUAVgBDAC0ARgBTAFMAZQBuAHMAbwByAEcAcgBvAHUAcABJAEQAAABOAHsARgA2ADYARgBBADYANwA0AC0ARgAyAEIARQAtADQARAAxADkALQA5ADgAQwA1AC0ARAAxADMAMgAzADIAOQBDADYANAAyAEYAfQAAAF4ABAABACwAVQBWAEMALQBGAFMAUwBlAG4AcwBvAHIARwByAG8AdQBwAE4AYQBtAGUAAAAoAEwAZQBuAG8AdgBvACAAQwBhAG0AZQByAGEAIABHAHIAbwB1AHAAAAA8AAQABAAuAFUAVgBDAC0ARQBuAGEAYgBsAGUAUABsAGEAdABmAG8AcgBtAEQAbQBmAHQAAAAEAAEAAAA+AAQABAAwAEUAbgBhAGIAbABlAEQAcwBoAG8AdwBSAGUAZABpAHIAZQBjAHQAaQBvAG4AAAAAAAQAAQAAADIABAAEACQAVQBWAEMALQBDAFAAVgAyAEYAYQBjAGUAQQB1AHQAaAAAAAAABAD//wAACAACAAIAwAGAAAQAAQAoAFUAVgBDAC0ARgBTAFMAZQBuAHMAbwByAEcAcgBvAHUAcABJAEQAAABOAHsARgA2ADYARgBBADYANwA0AC0ARgAyAEIARQAtADQARAAxADkALQA5ADgAQwA1AC0ARAAxADMAMgAzADIAOQBDADYANAAyAEYAfQAAAF4ABAABACwAVQBWAEMALQBGAFMAUwBlAG4AcwBvAHIARwByAG8AdQBwAE4AYQBtAGUAAAAoAEwAZQBuAG8AdgBvACAAQwBhAG0AZQByAGEAIABHAHIAbwB1AHAAAAAwAAQABAAiAFMAZQBuAHMAbwByAEMAYQBtAGUAcgBhAE0AbwBkAGUAAAAEAAEAAAA6AAQABAAsAFMAawBpAHAAQwBhAG0AZQByAGEARQBuAHUAbQBlAHIAYQB0AGkAbwBuAAAABAABAAAAPgAEAAQAMABFAG4AYQBiAGwAZQBEAHMAaABvAHcAUgBlAGQAaQByAGUAYwB0AGkAbwBuAAAAAAAEAAEAAAAyAAQABAAkAFUAVgBDAC0AQwBQAFYAMgBGAGEAYwBlAEEAdQB0AGgAAAAAAAQAAAD//wgAAgAEAHwBMgAEAAQAJABEAGUAdgBpAGMAZQBJAGQAbABlAEUAbgBhAGIAbABlAGQAAAAEAAEAAAAyAAQABAAkAEQAZQBmAGEAdQBsAHQASQBkAGwAZQBTAHQAYQB0AGUAAAAAAAQAAQAAADYABAAEACgARABlAGYAYQB1AGwAdABJAGQAbABlAFQAaQBtAGUAbwB1AHQAAAAAAAQAiBMAAEYABAAEADgARABlAHYAaQBjAGUASQBkAGwAZQBJAGcAbgBvAHIAZQBXAGEAawBlAEUAbgBhAGIAbABlAAAAAAAEAAEAAAAUAAMAV0lOVVNCAAAAAAAAAAAAAIAABAABACgARABlAHYAaQBjAGUASQBuAHQAZQByAGYAYQBjAGUARwBVAEkARAAAAE4AewBlAGMAYwBlAGYAZgAzADUALQAxADQANgAzAC0ANABmAGYAMwAtAGEAYwBkADkALQA4AGYAOQA5ADIAZAAwADkAYQBjAGQAZAB9AAAA"
},
{
"Id":
"ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2a,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPWRmdQpJY29uPWNvbXB1dGVyCgAAAAAAAAA="
},
{
"Id": "GetStringDescriptor:DescIndex=0x04",
"Data":
"MjA4MmI1ZTAtN2E2NC00NzhhLWIxYjItZTM0MDRmYWI2ZGFkAAAAAICg2QAAAAAAUHZdKPx/AACNC7qJYH8AAAQAAAAAAAAANougiWB/AAAAsAOKYH8AAAAAAAAAAAAA/wAAAAAAVUeAoNkAAAAAAFB2XSj8fwAAsKPbAAAAAAQ="
}
]
}
]
"UsbDevices": [
{
"PlatformId": "usb:01:00:06",
"IdVendor": 10047,
"IdProduct": 4100,
"Device": 2,
"USB": 512,
"Manufacturer": 1,
"Product": 2,
"UsbBosDescriptors": [
{
"DevCapabilityType": 5,
"ExtraData": "AN9g3diJRcdMnNJlnZ5kip8AAAMG4AQVAA=="
},
{
"DevCapabilityType": 5,
"ExtraData": "AGPsCgF09c1SndooUlUNlPAFCAEAIAAqAA=="
},
{
"DevCapabilityType": 17,
"ExtraData": "AQMAAAA="
}
],
"UsbInterfaces": [
{
"Length": 9,
"DescriptorType": 4,
"InterfaceNumber": 1,
"InterfaceClass": 255,
"InterfaceSubClass": 70,
"InterfaceProtocol": 87,
"Interface": 3
},
{
"Length": 9,
"DescriptorType": 4,
"InterfaceNumber": 2,
"InterfaceClass": 255,
"InterfaceSubClass": 71,
"InterfaceProtocol": 85,
"Interface": 4
},
{
"Length": 9,
"DescriptorType": 4,
"InterfaceClass": 3,
"UsbEndpoints": [
{
"DescriptorType": 5,
"EndpointAddress": 129,
"Interval": 1,
"MaxPacketSize": 64
},
{
"DescriptorType": 5,
"EndpointAddress": 1,
"Interval": 1,
"MaxPacketSize": 64
}
],
"ExtraData": "CSERAQABIh0A"
}
],
"UsbEvents": [
{
"Id": "GetStringDescriptor:DescIndex=0x01",
"Data": "SHVnaHNraSBMdGQuAAAAAAAAAAAAAAAAIFjfAAAAAAAAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Id": "GetStringDescriptor:DescIndex=0x02",
"Data": "Q29sb3JIdWcyAEcAAAAAAACwA4pgfwAAAN+Vneb9GHkAAAAAAAAAAEA42QAAAAAAwHVdKPx/AAAAAAAAAAAAAJiCXSj8fwAAR9bLiWB/AADAdV0o/H8AAOrE/IlgfwAAgHW/AAAAAAAQw9UAAAAAAJiCXSj8fwAAytnLiQEAAAA="
},
{
"Id": "GetCustomIndex:ClassId=0xff,SubclassId=0x46,ProtocolId=0x57",
"Data": "Aw=="
},
{
"Id": "GetStringDescriptor:DescIndex=0x03",
"Data": "Mi4wLjcAAAAD0WmJYH8AAP8AAAAAAAAAA9FpiWB/AACQRNkAAAAAAGCj2wAAAAAAUHZdKPx/AACNC7qJYH8AAAMAAAAAAAAANougiWB/AACYgl0o/H8AAAAAAAAAAAAA/wAAAPx/V0Zgo9sAAAAAAEh5XSj8fwAAEMPVAAAAAAM="
},
{
"Id": "GetCustomIndex:ClassId=0xff,SubclassId=0x47,ProtocolId=0x55",
"Data": "BA=="
},
{
"Id": "ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x15,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,Length=0x4e0",
"Data": "CgAAAAAAAwbgBAgAAQAAANYECAACAAAAkgGAAAQAAQAoAFUAVgBDAC0ARgBTAFMAZQBuAHMAbwByAEcAcgBvAHUAcABJAEQAAABOAHsARgA2ADYARgBBADYANwA0AC0ARgAyAEIARQAtADQARAAxADkALQA5ADgAQwA1AC0ARAAxADMAMgAzADIAOQBDADYANAAyAEYAfQAAAF4ABAABACwAVQBWAEMALQBGAFMAUwBlAG4AcwBvAHIARwByAG8AdQBwAE4AYQBtAGUAAAAoAEwAZQBuAG8AdgBvACAAQwBhAG0AZQByAGEAIABHAHIAbwB1AHAAAAA8AAQABAAuAFUAVgBDAC0ARQBuAGEAYgBsAGUAUABsAGEAdABmAG8AcgBtAEQAbQBmAHQAAAAEAAEAAAA+AAQABAAwAEUAbgBhAGIAbABlAEQAcwBoAG8AdwBSAGUAZABpAHIAZQBjAHQAaQBvAG4AAAAAAAQAAQAAADIABAAEACQAVQBWAEMALQBDAFAAVgAyAEYAYQBjAGUAQQB1AHQAaAAAAAAABAD//wAACAACAAIAwAGAAAQAAQAoAFUAVgBDAC0ARgBTAFMAZQBuAHMAbwByAEcAcgBvAHUAcABJAEQAAABOAHsARgA2ADYARgBBADYANwA0AC0ARgAyAEIARQAtADQARAAxADkALQA5ADgAQwA1AC0ARAAxADMAMgAzADIAOQBDADYANAAyAEYAfQAAAF4ABAABACwAVQBWAEMALQBGAFMAUwBlAG4AcwBvAHIARwByAG8AdQBwAE4AYQBtAGUAAAAoAEwAZQBuAG8AdgBvACAAQwBhAG0AZQByAGEAIABHAHIAbwB1AHAAAAAwAAQABAAiAFMAZQBuAHMAbwByAEMAYQBtAGUAcgBhAE0AbwBkAGUAAAAEAAEAAAA6AAQABAAsAFMAawBpAHAAQwBhAG0AZQByAGEARQBuAHUAbQBlAHIAYQB0AGkAbwBuAAAABAABAAAAPgAEAAQAMABFAG4AYQBiAGwAZQBEAHMAaABvAHcAUgBlAGQAaQByAGUAYwB0AGkAbwBuAAAAAAAEAAEAAAAyAAQABAAkAFUAVgBDAC0AQwBQAFYAMgBGAGEAYwBlAEEAdQB0AGgAAAAAAAQAAAD//wgAAgAEAHwBMgAEAAQAJABEAGUAdgBpAGMAZQBJAGQAbABlAEUAbgBhAGIAbABlAGQAAAAEAAEAAAAyAAQABAAkAEQAZQBmAGEAdQBsAHQASQBkAGwAZQBTAHQAYQB0AGUAAAAAAAQAAQAAADYABAAEACgARABlAGYAYQB1AGwAdABJAGQAbABlAFQAaQBtAGUAbwB1AHQAAAAAAAQAiBMAAEYABAAEADgARABlAHYAaQBjAGUASQBkAGwAZQBJAGcAbgBvAHIAZQBXAGEAawBlAEUAbgBhAGIAbABlAAAAAAAEAAEAAAAUAAMAV0lOVVNCAAAAAAAAAAAAAIAABAABACgARABlAHYAaQBjAGUASQBuAHQAZQByAGYAYQBjAGUARwBVAEkARAAAAE4AewBlAGMAYwBlAGYAZgAzADUALQAxADQANgAzAC0ANABmAGYAMwAtAGEAYwBkADkALQA4AGYAOQA5ADIAZAAwADkAYQBjAGQAZAB9AAAA"
},
{
"Id": "ControlTransfer:Direction=0x00,RequestType=0x02,Recipient=0x00,Request=0x2a,Value=0x0000,Idx=0x0007,Data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,Length=0x20",
"Data": "UGx1Z2luPWRmdQpJY29uPWNvbXB1dGVyCgAAAAAAAAA="
},
{
"Id": "GetStringDescriptor:DescIndex=0x04",
"Data": "MjA4MmI1ZTAtN2E2NC00NzhhLWIxYjItZTM0MDRmYWI2ZGFkAAAAAICg2QAAAAAAUHZdKPx/AACNC7qJYH8AAAQAAAAAAAAANougiWB/AAAAsAOKYH8AAAAAAAAAAAAA/wAAAAAAVUeAoNkAAAAAAFB2XSj8fwAAsKPbAAAAAAQ="
}
]
}
]
}