From 5d256617274a5afa1a93dfcfbb8671c84d4ce8b0 Mon Sep 17 00:00:00 2001
From: Mario Limonciello
Date: Wed, 16 Nov 2022 16:23:26 -0600
Subject: [PATCH] Add security attribute for OEM specific implementations of BIOS rollback protection
---
 docs/hsi-tests.d/meson.build | 1 +
 ...pd.hsi.Amd.PlatformRollbackProtection.json | 4 ++--
 ...org.fwupd.hsi.Bios.RollbackProtection.json | 21 +++++++++++++++++++
 libfwupd/fwupd-security-attr-private.h | 8 +++++++
 libfwupdplugin/fu-security-attrs.c | 1 +
 plugins/pci-psp/README.md | 2 +-
 src/fu-security-attr-common.c | 21 +++++++++++++------
 7 files changed, 49 insertions(+), 9 deletions(-)
 create mode 100644 docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
diff --git a/docs/hsi-tests.d/meson.build b/docs/hsi-tests.d/meson.build
index 088b20554..5c5db29a0 100644
--- a/docs/hsi-tests.d/meson.build
+++ b/docs/hsi-tests.d/meson.build
@@ -34,5 +34,6 @@ hsi_test_jsons = files([
 'org.fwupd.hsi.Tpm.Version20.json',
 'org.fwupd.hsi.Uefi.Pk.json',
 'org.fwupd.hsi.Uefi.SecureBoot.json',
+ 'org.fwupd.hsi.Bios.RollbackProtection.json',
 ])
diff --git a/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json b/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
index 92707f961..b404ed1ef 100644
--- a/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
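Review bot: The new `'org.fwupd.hsi.Bios.RollbackProtection.json'` entry is appended after the `Uefi.*` entries, while the visible neighbours (`Tpm.Version20`, `Uefi.Pk`, `Uefi.SecureBoot`) are in alphabetical order. If the rest of `hsi_test_jsons` is sorted (the start of the list is outside the hunk), the entry belongs in alphabetical position, next to the other `Amd.*`/`Bios.*`-prefixed ids, so that later additions do not accumulate unsorted at the tail. This is a style point only; the build result is the same.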
@@ -1,8 +1,8 @@
 {
 "id": "org.fwupd.hsi.Amd.PlatformRollbackProtection",
- "name": "AMD Security Processor Rollback protection",
+ "name": "AMD Secure Processor Rollback protection",
 "description": [
- "AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the security processor.",
+ "AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the secure processor.",
 "This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed."
 ],
 "failure-impact": [
diff --git a/docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json b/docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
new file mode 100644
index 000000000..b01cf10e2
--- /dev/null
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
@@ -0,0 +1,21 @@
+{
+ "id": "org.fwupd.hsi.Bios.RollbackProtection",
+ "name": "BIOS Firmware Rollback protection",
+ "description": [
+ "Some OEMs include an optional firmware protection feature in their BIOS that would prevent installation of older firmware that may have security vulnerabilities."
+ ],
+ "failure-impact": [
+ "Firmware without this feature enabled may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
+ ],
+ "failure-results": {
+ "not-enabled": "rollback protection disabled"
+ },
+ "success-results": {
+ "enabled": "rollback protection enabled"
+ },
+ "hsi-level": 2,
+ "references": {
+ "https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection"
+ },
+ "fwupd-version": "1.8.8"
+}
diff --git a/libfwupd/fwupd-security-attr-private.h b/libfwupd/fwupd-security-attr-private.h
index 5057f2546..6962c5934 100644
--- a/libfwupd/fwupd-security-attr-private.h
+++ b/libfwupd/fwupd-security-attr-private.h
@@ -341,6 +341,14 @@ G_BEGIN_DECLS
 * Since: 1.8.3
 **/
 #define FWUPD_SECURITY_ATTR_ID_HOST_EMULATION "org.fwupd.hsi.HostEmulation"
+/**
+ * FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION
+ *
+ * Host Security ID attribute for Rollback protection of BIOS firmware
+ *
+ * Since: 1.8.8
+ **/
+#define FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION "org.fwupd.hsi.Bios.RollbackProtection"
 GVariant *
 fwupd_security_attr_to_variant(FwupdSecurityAttr *self);
diff --git a/libfwupdplugin/fu-security-attrs.c b/libfwupdplugin/fu-security-attrs.c
index 0817ddd0b..de45f361f 100644
--- a/libfwupdplugin/fu-security-attrs.c
+++ b/libfwupdplugin/fu-security-attrs.c
@@ -348,6 +348,7 @@ static struct {
 {FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
 {FWUPD_SECURITY_ATTR_ID_UEFI_PK, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
 {FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
 {NULL, FWUPD_SECURITY_ATTR_LEVEL_NONE}};
 static void
diff --git a/plugins/pci-psp/README.md b/plugins/pci-psp/README.md
index e2956a8ee..c4d474e07 100644
--- a/plugins/pci-psp/README.md
+++ b/plugins/pci-psp/README.md
@@ -2,7 +2,7 @@
 ## Introduction
-This plugin checks all information reported from the AMD Platform Security processor into
+This plugin checks all information reported from the AMD Platform Secure processor into
 the operating system on select SOCs.
 The lack of these sysfs files does *NOT* indicate the lack of these security features, it only
diff --git a/src/fu-security-attr-common.c b/src/fu-security-attr-common.c
index 11626c448..c54c2cae2 100644
--- a/src/fu-security-attr-common.c
+++ b/src/fu-security-attr-common.c
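Review bot: The gtk-doc block added for `FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION` does not end its symbol line with a colon; gtk-doc attaches a comment to a symbol only when the first line reads `SYMBOL:`, so as written the description and the `Since: 1.8.8` tag are not associated with the macro. The first line of the neighbouring `HOST_EMULATION` block is outside the hunk so the file's convention cannot be confirmed from here, but the fix would be ` * FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION:`. The description would also be clearer if it distinguished this attribute from `FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION`, e.g. ` * Host Security ID attribute for OEM-implemented rollback protection of the BIOS firmware, as opposed to the AMD secure-processor attribute`.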
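Review bot: The `FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT` assigned to `FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION` in this table must agree with the `"hsi-level": 2` declared in the new `org.fwupd.hsi.Bios.RollbackProtection.json`; they do agree in this commit (IMPORTANT is the level-2 value, as far as I can tell), but nothing documents the coupling, so a later edit to either side can silently diverge and the HSI level users see would no longer match the published test description. A one-line comment on the entry, `/* must match "hsi-level" in docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json */`, would make the dependency visible; a unit test that cross-checks this table against the JSON files would be better still. The table's declaration starts outside the hunk.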
@@ -181,7 +181,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED) == 0 ||
 g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED) == 0) {
 /* TRANSLATORS: Title: Allows debugging of parts using proprietary hardware */
- return g_strdup(_("Platform Debugging"));
+ return g_strdup(_("Platform debugging"));
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU) == 0) {
 /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
@@ -189,7 +189,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
 /* TRANSLATORS: Title: if firmware enforces rollback protection */
- return g_strdup(_("Rollback protection"));
+ return g_strdup(_("Processor rollback protection"));
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
 /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
@@ -207,7 +207,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 /* TRANSLATORS: Title: if we are emulating a different host */
 return g_strdup(_("Emulated host"));
 }
-
+ if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
+ /* TRANSLATORS: Title: if firmware enforces rollback protection */
+ return g_strdup(_("BIOS rollback protection"));
+ }
 /* we should not get here */
 return g_strdup(fwupd_security_attr_get_name(attr));
 }
@@ -359,7 +362,7 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
 /* TRANSLATORS: Title: if firmware enforces rollback protection */
- return _("AMD Rollback Protection");
+ return _("AMD Secure Processor Rollback Protection");
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
 /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
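Review bot: The `/* TRANSLATORS: Title: if firmware enforces rollback protection */` hint on the new `FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION` branch in `fu_security_attr_get_name` (hunk `@@ -207,7 +207,10 @@`) is word-for-word the hint already used for `FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION` a few lines above, so translators receive two distinct msgids ("Processor rollback protection" and "BIOS rollback protection") with no indication of what distinguishes them. The hint should name what is protected, e.g. `/* TRANSLATORS: Title: if the OEM BIOS firmware enforces rollback protection against older BIOS versions */`, and the AMD one should mention the secure processor. The same duplicated hint is added to `fu_security_attr_get_title` in hunk `@@ -373,6 +376,10 @@`. Both functions start outside their hunks.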
@@ -373,6 +376,10 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
 /* TRANSLATORS: Title: if the part has been fused */
 return _("Fused Platform");
 }
+ if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
+ /* TRANSLATORS: Title: if firmware enforces rollback protection */
+ return _("BIOS Rollback Protection");
+ }
 return NULL;
 }
@@ -542,11 +549,13 @@ fu_security_attr_get_description(FwupdSecurityAttr *attr)
 return _("Each system should have tests to ensure firmware security.");
 }
 if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0 ||
- g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
+ g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0 ||
+ g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
 /* TRANSLATORS: longer description */
- return _("AMD Rollback Protection prevents device software from being downgraded "
+ return _("Rollback Protection prevents device software from being downgraded "
 "to an older version that has security problems.");
 }
+
 return NULL;
 }
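Review bot: The added empty `+` line before `return NULL;` in `fu_security_attr_get_description` (hunk `@@ -542,11 +549,13 @@`) is unrelated whitespace and should be dropped from this commit. Folding `FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION` into the AMD branch also gives the BIOS attribute the generic "device software" wording, whereas the new JSON describes it as an OEM feature that blocks installing older BIOS firmware with known vulnerabilities; a dedicated branch returning, say, `_("BIOS rollback protection prevents older, vulnerable BIOS firmware from being installed.")` would keep the CLI text in step with the HSI documentation. `fu_security_attr_get_description` starts outside the hunk.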