libfwupdplugin: Export FuEfiSignatureList for plugins to use

docs/fwupd-docs.xml

@@ -53,6 +53,8 @@
     <xi:include href="xml/fu-device-metadata.xml"/>
     <xi:include href="xml/fu-device.xml"/>
     <xi:include href="xml/fu-dfu-firmware.xml"/>
+    <xi:include href="xml/fu-efi-signature.xml"/>
+    <xi:include href="xml/fu-efi-signature-list.xml"/>
     <xi:include href="xml/fu-firmware-common.xml"/>
     <xi:include href="xml/fu-firmware-image.xml"/>
     <xi:include href="xml/fu-firmware.xml"/>

libfwupdplugin/fu-efi-signature-list.c

@@ -9,9 +9,18 @@
 #include <fwupd.h>
 
 #include "fu-common.h"
-#include "fu-efi-signature.h"
+#include "fu-efi-signature-private.h"
 #include "fu-efi-signature-list.h"
 
+/**
+ * SECTION:fu-efi-signature-list
+ * @short_description: Parser for EFI_SIGNATURE_LIST
+ *
+ * An object that represents a UEFI SignatureList.
+ *
+ * See also: #FuFirmware
+ */
+
 struct _FuEfiSignatureList {
 	FuFirmware		 parent_instance;
 };
@@ -239,6 +248,13 @@ fu_efi_signature_list_write (FuFirmware *firmware, GError **error)
 	return g_byte_array_free_to_bytes (buf);
 }
 
+/**
+ * fu_efi_signature_list_new:
+ *
+ * Creates a new #FuFirmware that can parse an EFI_SIGNATURE_LIST
+ *
+ * Since: 1.5.5
+ **/
 FuFirmware *
 fu_efi_signature_list_new (void)
 {

libfwupdplugin/fu-efi-signature-private.h

@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2020 Richard Hughes <richard@hughsie.com>
+ *
+ * SPDX-License-Identifier: LGPL-2.1+
+ */
+
+#pragma once
+
+#include "fu-efi-signature.h"
+
+FuEfiSignature	*fu_efi_signature_new			(FuEfiSignatureKind kind,
+							 const gchar	*owner);

libfwupdplugin/fu-efi-signature.c

@@ -6,7 +6,16 @@
 
 #include "config.h"
 
-#include "fu-efi-signature.h"
+#include "fu-efi-signature-private.h"
+
+/**
+ * SECTION:fu-efi-signature
+ * @short_description: Parser for EFI_SIGNATURE
+ *
+ * An object that represents a UEFI Signature.
+ *
+ * See also: #FuFirmware
+ */
 
 struct _FuEfiSignature {
 	FuFirmwareImage		 parent_instance;
@@ -16,6 +25,16 @@ struct _FuEfiSignature {
 
 G_DEFINE_TYPE (FuEfiSignature, fu_efi_signature, FU_TYPE_FIRMWARE_IMAGE)
 
+/**
+ * fu_efi_signature_kind_to_string:
+ * @kind: A #FuEfiSignatureKind, e.g. %FU_EFI_SIGNATURE_KIND_X509
+ *
+ * Converts the signature kind to a text representation.
+ *
+ * Returns: text, e.g. `x509_cert`
+ *
+ * Since: 1.5.5
+ **/
 const gchar *
 fu_efi_signature_kind_to_string (FuEfiSignatureKind kind)
 {
@@ -26,18 +45,17 @@ fu_efi_signature_kind_to_string (FuEfiSignatureKind kind)
 	return "unknown";
 }
 
-const gchar *
+/**
-fu_efi_signature_guid_to_string (const gchar *guid)
+ * fu_efi_signature_new: (skip):
-{
+ * @kind: A #FuEfiSignatureKind
-	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_ZERO) == 0)
+ * @owner: A GUID, e.g. %FU_EFI_SIGNATURE_GUID_MICROSOFT
-		return "zero";
+ *
-	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_MICROSOFT) == 0)
+ * Creates a new EFI_SIGNATURE.
-		return "microsoft";
+ *
-	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_OVMF) == 0)
+ * Returns: (transfer full): signature
-		return "ovmf";
+ *
-	return guid;
+ * Since: 1.5.5
-}
+ **/
-
 FuEfiSignature *
 fu_efi_signature_new (FuEfiSignatureKind kind, const gchar *owner)
 {
@@ -47,13 +65,33 @@ fu_efi_signature_new (FuEfiSignatureKind kind, const gchar *owner)
 	return g_steal_pointer (&self);
 }
 
+/**
+ * fu_efi_signature_get_kind:
+ * @self: A #FuEfiSignature
+ *
+ * Returns the signature kind.
+ *
+ * Returns: #FuEfiSignatureKind, e.g. %FU_EFI_SIGNATURE_KIND_SHA256
+ *
+ * Since: 1.5.5
+ **/
 FuEfiSignatureKind
 fu_efi_signature_get_kind (FuEfiSignature *self)
 {
-	g_return_val_if_fail (FU_IS_EFI_SIGNATURE (self), 0);
+	g_return_val_if_fail (FU_IS_EFI_SIGNATURE (self), FU_EFI_SIGNATURE_KIND_UNKNOWN);
 	return self->kind;
 }
 
+/**
+ * fu_efi_signature_get_owner:
+ * @self: A #FuEfiSignature
+ *
+ * Returns the GUID of the signature owner.
+ *
+ * Returns: GUID owner, perhaps %FU_EFI_SIGNATURE_GUID_MICROSOFT
+ *
+ * Since: 1.5.5
+ **/
 const gchar *
 fu_efi_signature_get_owner (FuEfiSignature *self)
 {

libfwupdplugin/fu-efi-signature.h

@@ -17,6 +17,7 @@ typedef enum {
 	FU_EFI_SIGNATURE_KIND_UNKNOWN,
 	FU_EFI_SIGNATURE_KIND_SHA256,
 	FU_EFI_SIGNATURE_KIND_X509,
+	/*< private >*/
 	FU_EFI_SIGNATURE_KIND_LAST
 } FuEfiSignatureKind;
 
@@ -24,10 +25,7 @@ typedef enum {
 #define FU_EFI_SIGNATURE_GUID_MICROSOFT		"77fa9abd-0359-4d32-bd60-28f4e78f784b"
 #define FU_EFI_SIGNATURE_GUID_OVMF		"a0baa8a3-041d-48a8-bc87-c36d121b5e3d"
 
-const gchar	*fu_efi_signature_kind_to_string	(FuEfiSignatureKind kind);
+const gchar	*fu_efi_signature_kind_to_string	(FuEfiSignatureKind	 kind);
-const gchar	*fu_efi_signature_guid_to_string	(const gchar	*guid);
 
-FuEfiSignature	*fu_efi_signature_new			(FuEfiSignatureKind kind,
+FuEfiSignatureKind fu_efi_signature_get_kind		(FuEfiSignature		*self);
-							 const gchar	*owner);
+const gchar 	*fu_efi_signature_get_owner		(FuEfiSignature		*self);
-FuEfiSignatureKind fu_efi_signature_get_kind		(FuEfiSignature	*self);
-const gchar 	*fu_efi_signature_get_owner		(FuEfiSignature	*self);

libfwupdplugin/fwupdplugin.h

@@ -35,6 +35,8 @@
 #include <libfwupdplugin/fu-security-attrs.h>
 #include <libfwupdplugin/fu-smbios.h>
 #include <libfwupdplugin/fu-srec-firmware.h>
+#include <libfwupdplugin/fu-efi-signature.h>
+#include <libfwupdplugin/fu-efi-signature-list.h>
 #include <libfwupdplugin/fu-efivar.h>
 #include <libfwupdplugin/fu-udev-device.h>
 #include <libfwupdplugin/fu-usb-device.h>

libfwupdplugin/fwupdplugin.map

@@ -704,6 +704,12 @@ LIBFWUPDPLUGIN_1.5.5 {
   global:
     fu_common_strsafe;
     fu_device_retry_full;
+    fu_efi_signature_get_kind;
+    fu_efi_signature_get_owner;
+    fu_efi_signature_get_type;
+    fu_efi_signature_kind_to_string;
+    fu_efi_signature_list_get_type;
+    fu_efi_signature_list_new;
     fu_firmware_get_image_by_checksum;
     fu_firmware_image_get_checksum;
   local: *;

libfwupdplugin/meson.build

@@ -22,6 +22,8 @@ fwupdplugin_src = [
   'fu-security-attrs.c',
   'fu-smbios.c',
   'fu-srec-firmware.c',
+  'fu-efi-signature.c',
+  'fu-efi-signature-list.c',
   'fu-efivar.c',
   'fu-udev-device.c',
   'fu-usb-device.c',
@@ -53,6 +55,8 @@ fwupdplugin_headers = [
   'fu-security-attrs.h',
   'fu-smbios.h',
   'fu-srec-firmware.h',
+  'fu-efi-signature.h',
+  'fu-efi-signature-list.h',
   'fu-efivar.h',
   'fu-udev-device.h',
   'fu-usb-device.h',

plugins/uefi-dbx/fu-dbxtool.c

@@ -17,7 +17,6 @@
 #include "fu-common.h"
 #include "fu-efivar.h"
 #include "fu-uefi-dbx-common.h"
-#include "fu-efi-signature-common.h"
 #include "fu-efi-signature.h"
 
 /* custom return code */
@@ -55,6 +54,37 @@ fu_dbxtool_get_siglist_local (const gchar *filename, GError **error)
 	return g_steal_pointer (&siglist);
 }
 
+static gboolean
+fu_dbxtool_siglist_inclusive (FuFirmware *outer, FuFirmware *inner)
+{
+	g_autoptr(GPtrArray) sigs = fu_firmware_get_images (inner);
+	for (guint i = 0; i < sigs->len; i++) {
+		FuEfiSignature *sig = g_ptr_array_index (sigs, i);
+		g_autofree gchar *checksum = NULL;
+		g_autoptr(FuFirmwareImage) img = NULL;
+		checksum = fu_firmware_image_get_checksum (FU_FIRMWARE_IMAGE (sig),
+							   G_CHECKSUM_SHA256, NULL);
+		if (checksum == NULL)
+			continue;
+		img = fu_firmware_get_image_by_checksum (outer, checksum, NULL);
+		if (img == NULL)
+			return FALSE;
+	}
+	return TRUE;
+}
+
+static const gchar *
+fu_dbxtool_guid_to_string (const gchar *guid)
+{
+	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_ZERO) == 0)
+		return "zero";
+	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_MICROSOFT) == 0)
+		return "microsoft";
+	if (g_strcmp0 (guid, FU_EFI_SIGNATURE_GUID_OVMF) == 0)
+		return "ovmf";
+	return guid;
+}
+
 int
 main (int argc, char *argv[])
 {
@@ -155,7 +185,7 @@ main (int argc, char *argv[])
 								   NULL);
 			g_print ("%4u: {%s} {%s} %s\n",
 				 cnt++,
-				 fu_efi_signature_guid_to_string (fu_efi_signature_get_owner (sig)),
+				 fu_dbxtool_guid_to_string (fu_efi_signature_get_owner (sig)),
 				 fu_efi_signature_kind_to_string (fu_efi_signature_get_kind (sig)),
 				 checksum);
 		}
@@ -206,7 +236,7 @@ main (int argc, char *argv[])
 		}
 
 		/* check this is a newer dbx update */
-		if (!force && fu_efi_signature_list_inclusive (FU_EFI_SIGNATURE_LIST (dbx_system), FU_EFI_SIGNATURE_LIST (dbx_update))) {
+		if (!force && fu_dbxtool_siglist_inclusive (dbx_system, dbx_update)) {
 			/* TRANSLATORS: same or newer update already applied */
 			g_printerr ("%s\n", _("Cannot apply as dbx update has already been applied."));
 			return EXIT_FAILURE;

plugins/uefi-dbx/fu-efi-signature-common.c

@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2020 Richard Hughes <richard@hughsie.com>
- *
- * SPDX-License-Identifier: LGPL-2.1+
- */
-
-#include "config.h"
-
-#include "fu-efi-signature-common.h"
-#include "fu-efi-signature-list.h"
-#include "fu-efi-signature.h"
-
-gboolean
-fu_efi_signature_list_has_checksum (FuEfiSignatureList *siglist, const gchar *checksum)
-{
-	g_autoptr(FuFirmwareImage) img = NULL;
-	img = fu_firmware_get_image_by_checksum (FU_FIRMWARE (siglist), checksum, NULL);
-	return img != NULL;
-}
-
-gboolean
-fu_efi_signature_list_inclusive (FuEfiSignatureList *outer, FuEfiSignatureList *inner)
-{
-	g_autoptr(GPtrArray) sigs = fu_firmware_get_images (FU_FIRMWARE (inner));
-	for (guint i = 0; i < sigs->len; i++) {
-		FuEfiSignature *sig = g_ptr_array_index (sigs, i);
-		g_autofree gchar *checksum = NULL;
-		checksum = fu_firmware_image_get_checksum (FU_FIRMWARE_IMAGE (sig),
-							   G_CHECKSUM_SHA256, NULL);
-		if (checksum == NULL)
-			continue;
-		if (!fu_efi_signature_list_has_checksum (outer, checksum))
-			return FALSE;
-	}
-	return TRUE;
-}

plugins/uefi-dbx/fu-efi-signature-common.h

@@ -1,14 +0,0 @@
-/*
- * Copyright (C) 2020 Richard Hughes <richard@hughsie.com>
- *
- * SPDX-License-Identifier: LGPL-2.1+
- */
-
-#pragma once
-
-#include "fu-efi-signature-list.h"
-
-gboolean	 fu_efi_signature_list_inclusive	(FuEfiSignatureList	*outer,
-							 FuEfiSignatureList	*inner);
-gboolean	 fu_efi_signature_list_has_checksum	(FuEfiSignatureList	*siglist,
-							 const gchar		*checksum);

plugins/uefi-dbx/fu-uefi-dbx-common.c

@@ -10,7 +10,6 @@
 
 #include "fu-common.h"
 #include "fu-efi-image.h"
-#include "fu-efi-signature-common.h"
 #include "fu-volume.h"
 
 #include "fu-uefi-dbx-common.h"
@@ -53,6 +52,7 @@ fu_uefi_dbx_signature_list_validate_volume (FuEfiSignatureList *siglist, FuVolum
 	for (guint i = 0; i < files->len; i++) {
 		const gchar *fn = g_ptr_array_index (files, i);
 		g_autofree gchar *checksum = NULL;
+		g_autoptr(FuFirmwareImage) img = NULL;
 		g_autoptr(GError) error_local = NULL;
 
 		/* get checksum of file */
@@ -64,7 +64,8 @@ fu_uefi_dbx_signature_list_validate_volume (FuEfiSignatureList *siglist, FuVolum
 
 		/* Authenticode signature is present in dbx! */
 		g_debug ("fn=%s, checksum=%s", fn, checksum);
-		if (fu_efi_signature_list_has_checksum (siglist, checksum)) {
+		img = fu_firmware_get_image_by_checksum (FU_FIRMWARE (siglist), checksum, NULL);
+		if (img != NULL) {
 			g_set_error (error,
 				     FWUPD_ERROR,
 				     FWUPD_ERROR_NEEDS_USER_ACTION,

plugins/uefi-dbx/fu-uefi-dbx-device.c

@@ -8,7 +8,6 @@
 
 #include "fu-efivar.h"
 
-#include "fu-efi-signature-common.h"
 #include "fu-efi-signature.h"
 #include "fu-uefi-dbx-common.h"
 #include "fu-uefi-dbx-device.h"

plugins/uefi-dbx/meson.build

@@ -7,9 +7,6 @@ shared_module('fu_plugin_uefi_dbx',
     'fu-uefi-dbx-common.c',
     'fu-uefi-dbx-device.c',
     'fu-efi-image.c',
-    'fu-efi-signature.c',
-    'fu-efi-signature-common.c',
-    'fu-efi-signature-list.c',
   ],
   include_directories : [
     root_incdir,
@@ -39,9 +36,6 @@ if get_option('tests')
       'fu-self-test.c',
       'fu-uefi-dbx-common.c',
       'fu-efi-image.c',
-      'fu-efi-signature.c',
-      'fu-efi-signature-common.c',
-      'fu-efi-signature-list.c',
     ],
     include_directories : [
       root_incdir,
@@ -68,9 +62,6 @@ dbxtool = executable(
     'fu-dbxtool.c',
     'fu-uefi-dbx-common.c',
     'fu-efi-image.c',
-    'fu-efi-signature.c',
-    'fu-efi-signature-common.c',
-    'fu-efi-signature-list.c',
   ],
   include_directories : [
     root_incdir,