Clarify various parts of the HSI specification

Firsly, that HSI isn't expected for embedded devices and then secondary how we
require SecureBoot to be available for HSI:1

At the moment we get a runtime failure if it is disabled. Making SB a part of
`HSI:1` makes this requiremnt explicit and prevents us getting `HSI:2!` if it
is not available.

docs/hsi.xml

@@ -128,6 +128,12 @@
         connected, additional software to be installed, or disabling any existing
         security layers to measure.
       </para>
+      <para>
+        The HSI specification is primarily designed for laptop and desktop
+        hardware, although some tests <emphasis>may</emphasis> still make sense
+        on server or embedded hardware.
+        It is not expected that non-consumer hardware will publish an HSI number.
+      </para>
     </refsect1>
 
     <refsect2 id="runtime-behaviour">
@@ -161,7 +167,8 @@
       <para>
         This security level corresponds to the most basic of security protections
         considered essential by security professionals.
-        Any failures at this level would have critical security impact.
+        Any failures at this level would have critical security impact and could
+        likely be used to compromise the system firmware without physical access.
       </para>
     </refsect2>
 
@@ -259,6 +266,38 @@
       </para>
     </refsect2>
 
+    <refsect3 id="org.fwupd.hsi.Uefi.SecureBoot">
+      <title>UEFI SecureBoot</title>
+      <para>
+        UEFI Secure boot is a verification mechanism for ensuring that code
+        launched by firmware is trusted.
+      </para>
+      <para>
+        Secure Boot requires that each binary loaded at boot is validated
+        against trusted certifictes.
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            For HSI-1 SecureBoot must be available for use on UEFI systems.
+            <emphasis>v1.5.0</emphasis>
+          </para>
+        </listitem>
+      </itemizedlist>
+      <note>
+        <para>
+          See also:
+          <itemizedlist>
+            <listitem>
+              <ulink url="https://wiki.ubuntu.com/UEFI/SecureBoot">
+                UEFI Wiki Entry
+              </ulink>
+            </listitem>
+          </itemizedlist>
+        </para>
+      </note>
+    </refsect3>
+
     <refsect3 id="org.fwupd.hsi.Spi.Bioswe">
       <title>BIOS Write Enable (BWE)</title>
       <para>

libfwupdplugin/fu-efivar.c

@@ -407,6 +407,41 @@ fu_efivar_set_data (const gchar *guid, const gchar *name, const guint8 *data,
 #endif
 }
 
+/**
+ * fu_efivar_secure_boot_enabled_full:
+ * @error: A #GError
+ *
+ * Determines if secure boot was enabled
+ *
+ * Returns: %TRUE on success
+ *
+ * Since: 1.5.0
+ **/
+gboolean
+fu_efivar_secure_boot_enabled_full (GError **error)
+{
+	gsize data_size = 0;
+	g_autofree guint8 *data = NULL;
+
+	if (!fu_efivar_get_data (FU_EFIVAR_GUID_EFI_GLOBAL, "SecureBoot",
+				 &data, &data_size, NULL, NULL)) {
+		g_set_error_literal (error,
+				     FWUPD_ERROR,
+				     FWUPD_ERROR_NOT_SUPPORTED,
+				     "SecureBoot is not available");
+		return FALSE;
+	}
+	if (data_size >= 1 && data[0] & 1)
+		return TRUE;
+
+	/* available, but not enabled */
+	g_set_error_literal (error,
+			     FWUPD_ERROR,
+			     FWUPD_ERROR_NOT_FOUND,
+			     "SecureBoot is not enabled");
+	return FALSE;
+}
+
 /**
  * fu_efivar_secure_boot_enabled:
  *
@@ -419,13 +454,5 @@ fu_efivar_set_data (const gchar *guid, const gchar *name, const guint8 *data,
 gboolean
 fu_efivar_secure_boot_enabled (void)
 {
-	gsize data_size = 0;
+	return fu_efivar_secure_boot_enabled_full (NULL);
-	g_autofree guint8 *data = NULL;
-
-	if (!fu_efivar_get_data (FU_EFIVAR_GUID_EFI_GLOBAL, "SecureBoot",
-				    &data, &data_size, NULL, NULL))
-		return FALSE;
-	if (data_size >= 1 && data[0] & 1)
-		return TRUE;
-	return FALSE;
 }

libfwupdplugin/fu-efivar.h

@@ -43,4 +43,5 @@ gboolean	 fu_efivar_delete		(const gchar	*guid,
 gboolean	 fu_efivar_delete_with_glob	(const gchar	*guid,
 						 const gchar	*name_glob,
 						 GError		**error);
-gboolean	 fu_efivar_secure_boot_enabled (void);
+gboolean	 fu_efivar_secure_boot_enabled	(void);
+gboolean	 fu_efivar_secure_boot_enabled_full(GError	**error);

libfwupdplugin/fwupdplugin.map

@@ -624,6 +624,7 @@ LIBFWUPDPLUGIN_1.5.0 {
     fu_device_report_metadata_post;
     fu_device_report_metadata_pre;
     fu_device_unbind_driver;
+    fu_efivar_secure_boot_enabled_full;
     fu_firmware_add_flag;
     fu_firmware_build;
     fu_firmware_flag_from_string;

plugins/uefi/fu-plugin-uefi.c

@@ -98,15 +98,22 @@ void
 fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
 {
 	g_autoptr(FwupdSecurityAttr) attr = NULL;
+	g_autoptr(GError) error = NULL;
 
 	/* create attr */
 	attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT);
 	fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
-	fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 	fu_security_attrs_append (attrs, attr);
 
-	/* SB disabled */
+	/* SB not available or disabled */
-	if (!fu_efivar_secure_boot_enabled ()) {
+	if (!fu_efivar_secure_boot_enabled_full (&error)) {
+		if (g_error_matches (error,
+				     FWUPD_ERROR,
+				     FWUPD_ERROR_NOT_SUPPORTED)) {
+			fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
+			return;
+		}
+		fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 		fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED);
 		return;
 	}