proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-05 15:55:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a new HSI attribute for AMD rollback protection

Browse Source 
This will be used by an upcoming AMD plugin
This commit is contained in:
Mario Limonciello 2022-01-31 17:21:14 -06:00 committed by Mario Limonciello
parent 035490d39e
commit 04efb0b0cb
3 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docs/hsi.md
View File

@ -639,6 +639,26 @@ To meet HSI-4 on systems that run this test, the result must be `enabled`. *[v1.
- [Intel TME Press Release](https://software.intel.com/content/www/us/en/develop/blogs/intel-releases-new-technology-specification-for-memory-encryption.html) - [Intel TME Press Release](https://software.intel.com/content/www/us/en/develop/blogs/intel-releases-new-technology-specification-for-memory-encryption.html)
- [WikiChip SME Overview](https://en.wikichip.org/wiki/x86/sme) - [WikiChip SME Overview](https://en.wikichip.org/wiki/x86/sme)
<a id="org.fwupd.hsi.Amd.PlatformRollbackProtection"></a>
### [AMD Rollback protection](#org.fwupd.hsi.Amd.RollbackProtection)
AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the firmware. This feature prevents an attacker from loading an older
firmware onto the part after a security vulnerability has been fixed.
**Impact:** SOCs without this feature may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability.
**Possible results:**
- `enabled`: rollback protection enabled
- `not-enabled`: rollback protection disabled
To meet HSI-1 on AMD systems that run this test, the result must be `enabled`. *[v1.8.0]*
**References:**
- [Rollback protection](https://www.psacertified.org/blog/anti-rollback-explained/)
<a id="org.fwupd.hsi.IntelSmap"></a> <a id="org.fwupd.hsi.IntelSmap"></a>
### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap) ### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap)

9
libfwupd/fwupd-security-attr-private.h
View File

@ -287,6 +287,15 @@ G_BEGIN_DECLS
* Since: 1.8.0 * Since: 1.8.0
**/ **/
#define FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU "org.fwupd.hsi.SupportedCpu" #define FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU "org.fwupd.hsi.SupportedCpu"
/**
* FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION
*
* Host Security ID attribute for Rollback protection of AMD platform
* firmware
*
* Since: 1.8.0
**/
#define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection"
GVariant * GVariant *
fwupd_security_attr_to_variant(FwupdSecurityAttr *self); fwupd_security_attr_to_variant(FwupdSecurityAttr *self);

4
src/fu-security-attr.c
View File

@ -183,6 +183,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: if fwupd supports HSI on this chip */ /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
return g_strdup(_("Supported CPU")); return g_strdup(_("Supported CPU"));
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: Title: if firmware enforces rollback protection */
return g_strdup(_("Rollback protection"));
}
/* we should not get here */ /* we should not get here */
return g_strdup(fwupd_security_attr_get_name(attr)); return g_strdup(fwupd_security_attr_get_name(attr));