Remove support for UEFI dbx security attribute

This is no longer relevant as fwupd is providing dbxtool now.
Mario Limonciello 2020-08-18 19:48:05 -05:00 committed by Richard Hughes
parent 58ba785915
commit 82c3e3471d
13 changed files with 1 additions and 200 deletions


@ -20,7 +20,6 @@ ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
SB_STYLE := ubuntu
tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
export FLASHROM=-Dplugin_flashrom=false
export DBX=-Defi_dbxdir=/usr/share/secureboot/updates/dbx
else
TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
export FLASHROM=-Dplugin_flashrom=true
@ -43,7 +42,7 @@ override_dh_auto_configure:
export DELL="-Dplugin_dell=false"; \
fi; \
if pkg-config --exists efivar; then \
export UEFI="-Dplugin_uefi=true -Dplugin_redfish=true -Dplugin_nvme=true -Dplugin_msr=true $$DBX"; \
export UEFI="-Dplugin_uefi=true -Dplugin_redfish=true -Dplugin_nvme=true -Dplugin_msr=true"; \
else \
export UEFI="-Dplugin_uefi=false -Dplugin_redfish=false -Dplugin_nvme=false -Dplugin_msr=false"; \
fi; \


@ -177,7 +177,6 @@ Data files for installed tests.
--werror \
%endif
-Dgtkdoc=true \
-Defi_dbxdir=%{_datadir}/dbxtool \
%if 0%{?enable_tests}
-Dtests=true \
%else


@ -343,40 +343,6 @@
</note>
</refsect3>
<refsect3 id="org.fwupd.hsi.Uefi.Dbx">
<title>UEFI Secure Boot Revocation database (dbx)</title>
<para>
The UEFI Secure boot Revocation database is a list of banned hashes that
must not be allowed to execute when Secure Boot is turned on.
Vulnerabilities like the Kaspersky signed bootloader remove all
protections of SecureBoot and this is why an up-to-date dbx is
considered such an important part of firmware security.
</para>
<para>
The dbx list is updated infrequently and is normally part of the system
firmware updates issued by system manufacturers or operating system vendors.
</para>
<itemizedlist>
<listitem>
<para>
For HSI-1 this should be provided <emphasis>v1.5.0</emphasis>
</para>
</listitem>
</itemizedlist>
<note>
<para>
See also:
<itemizedlist>
<listitem>
<ulink url="https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance">
Microsoft Windows Secure Boot Guidance
</ulink>
</listitem>
</itemizedlist>
</para>
</note>
</refsect3>
<refsect3 id="org.fwupd.hsi.Tpm.Version20">
<title>TPM 2.0 Present</title>
<para>


@ -138,7 +138,6 @@ typedef enum {
#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM "org.fwupd.hsi.SuspendToRam" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0 "org.fwupd.hsi.Tpm.ReconstructionPcr0" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20 "org.fwupd.hsi.Tpm.Version20" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_UEFI_DBX "org.fwupd.hsi.Uefi.Dbx" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT "org.fwupd.hsi.Uefi.SecureBoot" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_DCI_ENABLED "org.fwupd.hsi.IntelDci.Enabled" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_DCI_LOCKED "org.fwupd.hsi.IntelDci.Locked" /* Since: 1.5.0 */
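Review bot: Dropping `FWUPD_SECURITY_ATTR_ID_UEFI_DBX` from this header removes a public libfwupd macro, which is only safe if no released library version ships it; the `/* Since: 1.5.0 */` annotation suggests it was still unreleased at this point, but that cannot be confirmed from this page. If it had shipped, anything compiled against the old header that compares security attribute IDs to `"org.fwupd.hsi.Uefi.Dbx"` would silently stop matching rather than fail to build, so a one-line mention in the release notes would be worth adding either way.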


@ -1112,20 +1112,6 @@ fu_common_get_path (FuPathKind path_kind)
return g_strdup (EFI_APP_LOCATION);
#else
return NULL;
#endif
/* /usr/share/fwupd/dbx */
case FU_PATH_KIND_EFIDBXDIR:
tmp = g_getenv ("FWUPD_EFIDBXDIR");
if (tmp != NULL)
return g_strdup (tmp);
#ifdef FWUPD_EFI_DBXDIR
tmp = g_getenv ("SNAP");
if (tmp != NULL)
return g_build_filename (tmp, FWUPD_EFI_DBXDIR, NULL);
return g_strdup (FWUPD_EFI_DBXDIR);
#else
basedir = fu_common_get_path (FU_PATH_KIND_LOCALSTATEDIR_PKG);
return g_build_filename (basedir, "dbx", NULL);
#endif
/* /etc/fwupd */
case FU_PATH_KIND_SYSCONFDIR_PKG:


@ -59,7 +59,6 @@ typedef guint FuEndianType;
* @FU_PATH_KIND_POLKIT_ACTIONS: The directory for policy kit actions (IE /usr/share/polkit-1/actions/)
* @FU_PATH_KIND_OFFLINE_TRIGGER: The file for the offline trigger (IE /system-update)
* @FU_PATH_KIND_SYSFSDIR_SECURITY: The sysfs security location (IE /sys/kernel/security)
* @FU_PATH_KIND_EFIDBXDIR: The location of the EFI dbx files
* @FU_PATH_KIND_ACPI_TABLES: The location of the ACPI tables
*
* Path types to use when dynamically determining a path at runtime
@ -80,7 +79,6 @@ typedef enum {
FU_PATH_KIND_POLKIT_ACTIONS,
FU_PATH_KIND_OFFLINE_TRIGGER,
FU_PATH_KIND_SYSFSDIR_SECURITY,
FU_PATH_KIND_EFIDBXDIR,
FU_PATH_KIND_ACPI_TABLES,
/*< private >*/
FU_PATH_KIND_LAST


@ -304,19 +304,6 @@ if build_standalone and get_option('plugin_uefi')
efi_app_location = join_paths(libexecdir, 'fwupd', 'efi')
conf.set_quoted ('EFI_APP_LOCATION', efi_app_location)
efi_dbxdir = get_option('efi_dbxdir')
if efi_dbxdir == ''
foreach dir : ['/usr/share/secureboot/updates/dbx', '/usr/share/dbxtool']
if run_command('[', '-d', dir, ']').returncode() == 0
efi_dbxdir = dir
endif
endforeach
endif
if efi_dbxdir != ''
message('efi-dbxdir: "@0@"'.format(efi_dbxdir))
conf.set_quoted ('FWUPD_EFI_DBXDIR', efi_dbxdir)
endif
if host_cpu == 'x86'
EFI_MACHINE_TYPE_NAME = 'ia32'
gnu_efi_arch = 'ia32'


@ -28,7 +28,6 @@ option('systemd_root_prefix', type: 'string', value: '', description: 'Directory
option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
option('tests', type : 'boolean', value : true, description : 'enable tests')
option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
option('efi_dbxdir', type: 'string', value: '', description: 'Directory for UEFI dbx files')
option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules')
option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use for EFI modules')
option('efi-libdir', type : 'string', description : 'path to the EFI lib directory')


@ -31,77 +31,3 @@ fu_plugin_coldplug (FuPlugin *plugin, GError **error)
fu_plugin_device_add (plugin, FU_DEVICE (device));
return TRUE;
}
void
fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
{
gsize bufsz = 0;
g_autofree guint8 *buf_system = NULL;
g_autofree guint8 *buf_update = NULL;
g_autoptr(GPtrArray) dbx_system = NULL;
g_autoptr(GPtrArray) dbx_update = NULL;
g_autoptr(FwupdSecurityAttr) attr = NULL;
g_autoptr(GError) error_local = NULL;
g_autofree gchar *fn = NULL;
/* find the latest DBX on the system */
fn = fu_uefi_dbx_get_dbxupdate (&error_local);
if (fn == NULL) {
g_warning ("cannot find any updates: %s", error_local->message);
return;
}
/* create attr */
attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_DBX);
fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
fu_security_attrs_append (attrs, attr);
/* no binary blob */
if (!fu_plugin_get_enabled (plugin)) {
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
fwupd_security_attr_set_url (attr, "https://github.com/fwupd/fwupd/wiki/Missingdbx");
return;
}
/* get update dbx */
if (!g_file_get_contents (fn, (gchar **) &buf_update, &bufsz, &error_local)) {
g_warning ("failed to load %s: %s", fn, error_local->message);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
return;
}
dbx_update = fu_efi_signature_parser_new (buf_update, bufsz,
FU_EFI_SIGNATURE_PARSER_FLAGS_IGNORE_HEADER,
&error_local);
if (dbx_update == NULL) {
g_warning ("failed to parse %s: %s", fn, error_local->message);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
return;
}
/* get system dbx */
if (!fu_efivar_get_data (FU_EFIVAR_GUID_SECURITY_DATABASE, "dbx",
&buf_system, &bufsz, NULL, &error_local)) {
g_warning ("failed to load EFI dbx: %s", error_local->message);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
return;
}
dbx_system = fu_efi_signature_parser_new (buf_system, bufsz,
FU_EFI_SIGNATURE_PARSER_FLAGS_NONE,
&error_local);
if (dbx_system == NULL) {
g_warning ("failed to parse EFI dbx: %s", error_local->message);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
return;
}
/* look for each checksum in the update in the system version */
if (!fu_efi_signature_list_array_inclusive (dbx_system, dbx_update)) {
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
return;
}
/* success */
fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND);
}


@ -43,40 +43,6 @@ fu_efi_image_func (void)
g_assert_cmpstr (csum, ==, "e99707d4378140c01eb3f867240d5cc9e237b126d3db0c3b4bbcd3da1720ddff");
}
static void
fu_efi_signature_list_parse_func (void)
{
FuEfiSignatureList *siglist;
gboolean ret;
gsize bufsz = 0;
g_autofree gchar *fn = NULL;
g_autofree guint8 *buf = NULL;
g_autoptr(GPtrArray) siglists = NULL;
g_autoptr(GError) error = NULL;
/* load file */
fn = fu_uefi_dbx_get_dbxupdate (NULL);
if (fn == NULL) {
g_test_skip ("no dbx file, use -Defi_dbxdir=");
return;
}
ret = g_file_get_contents (fn, (gchar **) &buf, &bufsz, &error);
g_assert_no_error (error);
g_assert_true (ret);
/* parse the update */
siglists = fu_efi_signature_parser_new (buf, bufsz,
FU_EFI_SIGNATURE_PARSER_FLAGS_IGNORE_HEADER,
&error);
g_assert_no_error (error);
g_assert_nonnull (siglists);
g_assert_cmpint (siglists->len, ==, 1);
siglist = g_ptr_array_index (siglists, 0);
g_assert_cmpint (fu_efi_signature_list_get_all(siglist)->len, ==, 77);
g_assert_true (fu_efi_signature_list_has_checksum (siglist, "72e0bd1867cf5d9d56ab158adf3bddbc82bf32a8d8aa1d8c5e2f6df29428d6d8"));
g_assert_false (fu_efi_signature_list_has_checksum (siglist, "dave"));
}
int
main (int argc, char **argv)
{
@ -88,6 +54,5 @@ main (int argc, char **argv)
/* tests go here */
g_test_add_func ("/uefi-dbx/image", fu_efi_image_func);
g_test_add_func ("/uefi-dbx/file-parse", fu_efi_signature_list_parse_func);
return g_test_run ();
}
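Review bot: Deleting `fu_efi_signature_list_parse_func` together with its `g_test_add_func` registration in `main` leaves `fu_efi_signature_parser_new` and `fu_efi_signature_list_has_checksum` with no self-test on this page, while the parser itself is not removed by this commit and is still called from the plugin's dbx handling as far as the visible hunks show. The test was only skipped when no dbx file was found, so it did run in environments with a dbx directory; consider keeping it with a small in-tree fixture instead of the removed `fu_uefi_dbx_get_dbxupdate` lookup, with a comment such as `/* parse a known ESL fixture so the signature-list parser stays covered without dbxtool */`. The remaining body of `main` continues outside the hunk.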


@ -13,24 +13,6 @@
#include "fu-uefi-dbx-common.h"
gchar *
fu_uefi_dbx_get_dbxupdate (GError **error)
{
g_autofree gchar *dbxdir = NULL;
g_autofree gchar *glob = NULL;
g_autoptr(GPtrArray) files = NULL;
/* get the newest files from dbxtool, prefer the per-arch ones first */
dbxdir = fu_common_get_path (FU_PATH_KIND_EFIDBXDIR);
glob = g_strdup_printf ("*%s*.bin", EFI_MACHINE_TYPE_NAME);
files = fu_common_filename_glob (dbxdir, glob, NULL);
if (files == NULL)
files = fu_common_filename_glob (dbxdir, "*.bin", error);
if (files == NULL)
return NULL;
return g_strdup (g_ptr_array_index (files, 0));
}
gchar *
fu_uefi_dbx_get_authenticode_hash (const gchar *fn, GError **error)
{


@ -8,7 +8,6 @@
#include <gio/gio.h>
gchar *fu_uefi_dbx_get_dbxupdate (GError **error);
gchar *fu_uefi_dbx_get_authenticode_hash (const gchar *fn,
GError **error);
gboolean fu_uefi_dbx_signature_list_validate (GPtrArray *siglists,


@ -95,10 +95,6 @@ fu_security_attr_get_name (FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: a better sleep state */
return g_strdup (_("Suspend-to-idle"));
}
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_DBX) == 0) {
/* TRANSLATORS: Title: dbx is the database with revoked hashes */
return g_strdup (_("UEFI dbx"));
}
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0) {
/* TRANSLATORS: Title: SB is a way of locking down UEFI */
return g_strdup (_("UEFI secure boot"));