Clarify various parts of the HSI specification

Firsly, that HSI isn't expected for embedded devices and then secondary how we require SecureBoot to be available for HSI:1 At the moment we get a runtime failure if it is disabled. Making SB a part of `HSI:1` makes this requiremnt explicit and prevents us getting `HSI:2!` if it is not available.
2025-08-14 15:53:56 +00:00 · 2020-09-15 10:35:24 +01:00 · 2020-09-15 10:35:24 +01:00 · 7d1267fd84
commit 7d1267fd84
parent f64e7a9cb4
5 changed files with 89 additions and 14 deletions
--- a/docs/hsi.xml
+++ b/docs/hsi.xml
@ -128,6 +128,12 @@
        connected, additional software to be installed, or disabling any existing
        security layers to measure.
      </para>
+      <para>
+        The HSI specification is primarily designed for laptop and desktop
+        hardware, although some tests <emphasis>may</emphasis> still make sense
+        on server or embedded hardware.
+        It is not expected that non-consumer hardware will publish an HSI number.
+      </para>
    </refsect1>

    <refsect2 id="runtime-behaviour">
@ -161,7 +167,8 @@
      <para>
        This security level corresponds to the most basic of security protections
        considered essential by security professionals.
-        Any failures at this level would have critical security impact.
+        Any failures at this level would have critical security impact and could
+        likely be used to compromise the system firmware without physical access.
      </para>
    </refsect2>

@ -259,6 +266,38 @@
      </para>
    </refsect2>

+    <refsect3 id="org.fwupd.hsi.Uefi.SecureBoot">
+      <title>UEFI SecureBoot</title>
+      <para>
+        UEFI Secure boot is a verification mechanism for ensuring that code
+        launched by firmware is trusted.
+      </para>
+      <para>
+        Secure Boot requires that each binary loaded at boot is validated
+        against trusted certifictes.
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            For HSI-1 SecureBoot must be available for use on UEFI systems.
+            <emphasis>v1.5.0</emphasis>
+          </para>
+        </listitem>
+      </itemizedlist>
+      <note>
+        <para>
+          See also:
+          <itemizedlist>
+            <listitem>
+              <ulink url="https://wiki.ubuntu.com/UEFI/SecureBoot">
+                UEFI Wiki Entry
+              </ulink>
+            </listitem>
+          </itemizedlist>
+        </para>
+      </note>
+    </refsect3>
+
    <refsect3 id="org.fwupd.hsi.Spi.Bioswe">
      <title>BIOS Write Enable (BWE)</title>
      <para>
--- a/libfwupdplugin/fu-efivar.c
+++ b/libfwupdplugin/fu-efivar.c
@ -407,6 +407,41 @@ fu_efivar_set_data (const gchar *guid, const gchar *name, const guint8 *data,
 #endif
 }

+/**
+ * fu_efivar_secure_boot_enabled_full:
+ * @error: A #GError
+ *
+ * Determines if secure boot was enabled
+ *
+ * Returns: %TRUE on success
+ *
+ * Since: 1.5.0
+ **/
+gboolean
+fu_efivar_secure_boot_enabled_full (GError **error)
+{
+	gsize data_size = 0;
+	g_autofree guint8 *data = NULL;
+
+	if (!fu_efivar_get_data (FU_EFIVAR_GUID_EFI_GLOBAL, "SecureBoot",
+				 &data, &data_size, NULL, NULL)) {
+		g_set_error_literal (error,
+				     FWUPD_ERROR,
+				     FWUPD_ERROR_NOT_SUPPORTED,
+				     "SecureBoot is not available");
+		return FALSE;
+	}
+	if (data_size >= 1 && data[0] & 1)
+		return TRUE;
+
+	/* available, but not enabled */
+	g_set_error_literal (error,
+			     FWUPD_ERROR,
+			     FWUPD_ERROR_NOT_FOUND,
+			     "SecureBoot is not enabled");
+	return FALSE;
+}
+
 /**
 * fu_efivar_secure_boot_enabled:
 *
@ -419,13 +454,5 @@ fu_efivar_set_data (const gchar *guid, const gchar *name, const guint8 *data,
 gboolean
 fu_efivar_secure_boot_enabled (void)
 {
-	gsize data_size = 0;
-	g_autofree guint8 *data = NULL;
-
-	if (!fu_efivar_get_data (FU_EFIVAR_GUID_EFI_GLOBAL, "SecureBoot",
-				    &data, &data_size, NULL, NULL))
-		return FALSE;
-	if (data_size >= 1 && data[0] & 1)
-		return TRUE;
-	return FALSE;
+	return fu_efivar_secure_boot_enabled_full (NULL);
 }
--- a/libfwupdplugin/fu-efivar.h
+++ b/libfwupdplugin/fu-efivar.h
@ -43,4 +43,5 @@ gboolean	 fu_efivar_delete		(const gchar	*guid,
 gboolean	 fu_efivar_delete_with_glob	(const gchar	*guid,
 						 const gchar	*name_glob,
 						 GError		**error);
-gboolean	 fu_efivar_secure_boot_enabled (void);
+gboolean	 fu_efivar_secure_boot_enabled	(void);
+gboolean	 fu_efivar_secure_boot_enabled_full(GError	**error);
--- a/libfwupdplugin/fwupdplugin.map
+++ b/libfwupdplugin/fwupdplugin.map
@ -624,6 +624,7 @@ LIBFWUPDPLUGIN_1.5.0 {
    fu_device_report_metadata_post;
    fu_device_report_metadata_pre;
    fu_device_unbind_driver;
+    fu_efivar_secure_boot_enabled_full;
    fu_firmware_add_flag;
    fu_firmware_build;
    fu_firmware_flag_from_string;
--- a/plugins/uefi/fu-plugin-uefi.c
+++ b/plugins/uefi/fu-plugin-uefi.c
@ -98,15 +98,22 @@ void
 fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
 {
 	g_autoptr(FwupdSecurityAttr) attr = NULL;
+	g_autoptr(GError) error = NULL;

 	/* create attr */
 	attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT);
 	fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
-	fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 	fu_security_attrs_append (attrs, attr);

-	/* SB disabled */
-	if (!fu_efivar_secure_boot_enabled ()) {
+	/* SB not available or disabled */
+	if (!fu_efivar_secure_boot_enabled_full (&error)) {
+		if (g_error_matches (error,
+				     FWUPD_ERROR,
+				     FWUPD_ERROR_NOT_SUPPORTED)) {
+			fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
+			return;
+		}
+		fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 		fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED);
 		return;
 	}