Add security attribute for OEM specific implementations of BIOS rollback protection

2025-08-13 21:35:02 +00:00 · 2022-11-16 16:23:26 -06:00 · 2022-11-16 16:23:26 -06:00 · 5d25661727
commit 5d25661727
parent daac8b31da
7 changed files with 49 additions and 9 deletions
--- a/docs/hsi-tests.d/meson.build
+++ b/docs/hsi-tests.d/meson.build
@ -34,5 +34,6 @@ hsi_test_jsons = files([
  'org.fwupd.hsi.Tpm.Version20.json',
  'org.fwupd.hsi.Uefi.Pk.json',
  'org.fwupd.hsi.Uefi.SecureBoot.json',
+  'org.fwupd.hsi.Bios.RollbackProtection.json',
 ])

--- a/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Amd.PlatformRollbackProtection.json
@ -1,8 +1,8 @@
 {
 	"id": "org.fwupd.hsi.Amd.PlatformRollbackProtection",
-	"name": "AMD Security Processor Rollback protection",
+	"name": "AMD Secure Processor Rollback protection",
 	"description": [
-		"AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the security processor.",
+		"AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the secure processor.",
 		"This feature prevents an attacker from loading an older firmware onto the part after a security vulnerability has been fixed."
 	],
 	"failure-impact": [
--- a/docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Bios.RollbackProtection.json
@ -0,0 +1,21 @@
+{
+	"id": "org.fwupd.hsi.Bios.RollbackProtection",
+	"name": "BIOS Firmware Rollback protection",
+	"description": [
+		"Some OEMs include an optional firmware protection feature in their BIOS that would prevent installation of older firmware that may have security vulnerabilities."
+	],
+	"failure-impact": [
+		"Firmware without this feature enabled may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability."
+	],
+	"failure-results": {
+		"not-enabled": "rollback protection disabled"
+	},
+	"success-results": {
+		"enabled": "rollback protection enabled"
+	},
+	"hsi-level": 2,
+	"references": {
+		"https://www.psacertified.org/blog/anti-rollback-explained/": "Rollback protection"
+	},
+	"fwupd-version": "1.8.8"
+}
--- a/libfwupd/fwupd-security-attr-private.h
+++ b/libfwupd/fwupd-security-attr-private.h
@ -341,6 +341,14 @@ G_BEGIN_DECLS
 * Since: 1.8.3
 **/
 #define FWUPD_SECURITY_ATTR_ID_HOST_EMULATION "org.fwupd.hsi.HostEmulation"
+/**
+ * FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION
+ *
+ * Host Security ID attribute for Rollback protection of BIOS firmware
+ *
+ * Since: 1.8.8
+ **/
+#define FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION "org.fwupd.hsi.Bios.RollbackProtection"

 GVariant *
 fwupd_security_attr_to_variant(FwupdSecurityAttr *self);
--- a/libfwupdplugin/fu-security-attrs.c
+++ b/libfwupdplugin/fu-security-attrs.c
@ -348,6 +348,7 @@ static struct {
    {FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
    {FWUPD_SECURITY_ATTR_ID_UEFI_PK, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
    {FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+    {FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
    {NULL, FWUPD_SECURITY_ATTR_LEVEL_NONE}};

 static void
--- a/plugins/pci-psp/README.md
+++ b/plugins/pci-psp/README.md
@ -2,7 +2,7 @@

 ## Introduction

-This plugin checks all information reported from the AMD Platform Security processor into
+This plugin checks all information reported from the AMD Platform Secure processor into
 the operating system on select SOCs.

 The lack of these sysfs files does *NOT* indicate the lack of these security features, it only
--- a/src/fu-security-attr-common.c
+++ b/src/fu-security-attr-common.c
@ -181,7 +181,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED) == 0 ||
 	    g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED) == 0) {
 		/* TRANSLATORS: Title: Allows debugging of parts using proprietary hardware */
-		return g_strdup(_("Platform Debugging"));
+		return g_strdup(_("Platform debugging"));
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU) == 0) {
 		/* TRANSLATORS: Title: if fwupd supports HSI on this chip */
@ -189,7 +189,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
 		/* TRANSLATORS: Title: if firmware enforces rollback protection */
-		return g_strdup(_("Rollback protection"));
+		return g_strdup(_("Processor rollback protection"));
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
 		/* TRANSLATORS: Title: if hardware enforces control of SPI replays */
@ -207,7 +207,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 		/* TRANSLATORS: Title: if we are emulating a different host */
 		return g_strdup(_("Emulated host"));
 	}
-
+	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
+		/* TRANSLATORS: Title: if firmware enforces rollback protection */
+		return g_strdup(_("BIOS rollback protection"));
+	}
 	/* we should not get here */
 	return g_strdup(fwupd_security_attr_get_name(attr));
 }
@ -359,7 +362,7 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
 		/* TRANSLATORS: Title: if firmware enforces rollback protection */
-		return _("AMD Rollback Protection");
+		return _("AMD Secure Processor Rollback Protection");
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
 		/* TRANSLATORS: Title: if hardware enforces control of SPI replays */
@ -373,6 +376,10 @@ fu_security_attr_get_title(FwupdSecurityAttr *attr)
 		/* TRANSLATORS: Title: if the part has been fused */
 		return _("Fused Platform");
 	}
+	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
+		/* TRANSLATORS: Title: if firmware enforces rollback protection */
+		return _("BIOS Rollback Protection");
+	}
 	return NULL;
 }

@ -542,11 +549,13 @@ fu_security_attr_get_description(FwupdSecurityAttr *attr)
 		return _("Each system should have tests to ensure firmware security.");
 	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0 ||
-	    g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
+	    g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0 ||
+	    g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_BIOS_ROLLBACK_PROTECTION) == 0) {
 		/* TRANSLATORS: longer description */
-		return _("AMD Rollback Protection prevents device software from being downgraded "
+		return _("Rollback Protection prevents device software from being downgraded "
 			 "to an older version that has security problems.");
 	}
+
 	return NULL;
 }