proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-13 23:22:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add security attribute for OEM specific implementations of BIOS rollback protection

Browse Source
This commit is contained in:
Mario Limonciello 2022-11-16 16:23:26 -06:00 committed by Richard Hughes
parent daac8b31da
commit 5d25661727
7 changed files with 49 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/hsi-tests.d/meson.build
View File

@ -34,5 +34,6 @@ hsi_test_jsons = files([
'org.fwupd.hsi.Tpm.Version20.json', 'org.fwupd.hsi.Tpm.Version20.json',
'org.fwupd.hsi.Uefi.Pk.json', 'org.fwupd.hsi.Uefi.Pk.json',
'org.fwupd.hsi.Uefi.SecureBoot.json', 'org.fwupd.hsi.Uefi.SecureBoot.json',
'org.fwupd.hsi.Bios.RollbackProtection.json',
]) ])

4
docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
View File

@ -1,8 +1,8 @@
{ {
"id": "org.fwupd.hsi.Amd.PlatformRollbackProtection", "id": "org.fwupd.hsi.Amd.PlatformRollbackProtection",
"name": "AMD Security Processor Rollback protection", "name": "AMD Secure Processor Rollback protection",
"description": [ "description": [
"AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the security processor.", "AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the secure processor.",
"This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed." "This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed."
], ],
"failure-impact": [ "failure-impact": [

21
docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json Normal file
View File

@ -0,0 +1,21 @@
{
"id": "org.fwupd.hsi.Bios.RollbackProtection",
"name": "BIOS Firmware Rollback protection",
"description": [
"Some OEMs include an optional firmware protection feature in their BIOS that would prevent installation of older firmware that may have security vulnerabilities."
],
"failure-impact": [
"Firmware without this feature enabled may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
],
"failure-results": {
"not-enabled": "rollback protection disabled"
},
"success-results": {
"enabled": "rollback protection enabled"
},
"hsi-level": 2,
"references": {
"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection"
},
"fwupd-version": "1.8.8"
}

8
libfwupd/fwupd-security-attr-private.h
View File

@ -341,6 +341,14 @@ G_BEGIN_DECLS
* Since: 1.8.3 * Since: 1.8.3
**/ **/
#define FWUPD_SECURITY_ATTR_ID_HOST_EMULATION "org.fwupd.hsi.HostEmulation" #define FWUPD_SECURITY_ATTR_ID_HOST_EMULATION "org.fwupd.hsi.HostEmulation"
/**
* FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION
*
* Host Security ID attribute for Rollback protection of BIOS firmware
*
* Since: 1.8.8
**/
#define FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION "org.fwupd.hsi.Bios.RollbackProtection"
GVariant * GVariant *
fwupd_security_attr_to_variant(FwupdSecurityAttr *self); fwupd_security_attr_to_variant(FwupdSecurityAttr *self);

1
libfwupdplugin/fu-security-attrs.c
View File

@ -348,6 +348,7 @@ static struct {
{FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL}, {FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
{FWUPD_SECURITY_ATTR_ID_UEFI_PK, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL}, {FWUPD_SECURITY_ATTR_ID_UEFI_PK, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
{FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL}, {FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
{FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
{NULL, FWUPD_SECURITY_ATTR_LEVEL_NONE}}; {NULL, FWUPD_SECURITY_ATTR_LEVEL_NONE}};
static void static void

2
plugins/pci-psp/README.md
View File

@ -2,7 +2,7 @@
## Introduction ## Introduction
This plugin checks all information reported from the AMD Platform Security processor into This plugin checks all information reported from the AMD Platform Secure processor into
the operating system on select SOCs. the operating system on select SOCs.
The lack of these sysfs files does *NOT* indicate the lack of these security features, it only The lack of these sysfs files does *NOT* indicate the lack of these security features, it only

21
src/fu-security-attr-common.c
View File

@ -181,7 +181,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED) == 0 || if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED) == 0 ||
g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED) == 0) { g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED) == 0) {
/* TRANSLATORS: Title: Allows debugging of parts using proprietary hardware */ /* TRANSLATORS: Title: Allows debugging of parts using proprietary hardware */
return g_strdup(_("Platform Debugging")); return g_strdup(_("Platform debugging"));
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU) == 0) { if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU) == 0) {
/* TRANSLATORS: Title: if fwupd supports HSI on this chip */ /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
@ -189,7 +189,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) { if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: Title: if firmware enforces rollback protection */ /* TRANSLATORS: Title: if firmware enforces rollback protection */
return g_strdup(_("Rollback protection")); return g_strdup(_("Processor rollback protection"));
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) { if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
/* TRANSLATORS: Title: if hardware enforces control of SPI replays */ /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
@ -207,7 +207,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: if we are emulating a different host */ /* TRANSLATORS: Title: if we are emulating a different host */
return g_strdup(_("Emulated host")); return g_strdup(_("Emulated host"));
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: Title: if firmware enforces rollback protection */
return g_strdup(_("BIOS rollback protection"));
}
/* we should not get here */ /* we should not get here */
return g_strdup(fwupd_security_attr_get_name(attr)); return g_strdup(fwupd_security_attr_get_name(attr));
} }
@ -359,7 +362,7 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) { if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: Title: if firmware enforces rollback protection */ /* TRANSLATORS: Title: if firmware enforces rollback protection */
return _("AMD Rollback Protection"); return _("AMD Secure Processor Rollback Protection");
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) { if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
/* TRANSLATORS: Title: if hardware enforces control of SPI replays */ /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
@ -373,6 +376,10 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: if the part has been fused */ /* TRANSLATORS: Title: if the part has been fused */
return _("Fused Platform"); return _("Fused Platform");
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: Title: if firmware enforces rollback protection */
return _("BIOS Rollback Protection");
}
return NULL; return NULL;
} }
@ -542,11 +549,13 @@ fu_security_attr_get_description(FwupdSecurityAttr *attr)
return _("Each system should have tests to ensure firmware security."); return _("Each system should have tests to ensure firmware security.");
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0 || if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0 ||
g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) { g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0 ||
g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
/* TRANSLATORS: longer description */ /* TRANSLATORS: longer description */
return _("AMD Rollback Protection prevents device software from being downgraded " return _("Rollback Protection prevents device software from being downgraded "
"to an older version that has security problems."); "to an older version that has security problems.");
} }
return NULL; return NULL;
} }