Add external interface messages

plugins/acpi-dmar/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if DMA remapping for Thunderbolt devices is available. The
 result will be stored in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/firmware/acpi/tables`.

plugins/acpi-facp/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if S2I sleep is available. The result will be stored in an
 security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/firmware/acpi/tables`.

plugins/altos/README.md

@@ -67,3 +67,7 @@ Command:    `W $addr\n` where `$addr` is a memory address `0x8001000->0x8008000`
 Command:    `v\n`
 The device will reboot into application mode. This is typically performed after
 flashing firmware completes successfully.
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/amt/README.md

@@ -25,3 +25,7 @@ Vendor ID Security
 ------------------
 
 The device is not upgradable and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires read only access to `/dev/mei0`.

plugins/ata/README.md

@@ -47,3 +47,7 @@ This plugin uses the following plugin-specific quirks:
 |------------------------|-------------------------------------------|-----------------------|
 | `AtaTransferBlocks`    | Blocks to transfer, or `0xffff` for max   | 1.2.4                 |
 | `AtaTransferMode`      | The transfer mode, `0x3`, `0x7` or `0xe`  | 1.2.4                 |
+
+External interface access
+-------------------------
+This plugin requires the `SG_IO` ioctl interface.

plugins/bcm57xx/README.md

@@ -26,3 +26,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the PCI vendor, in this instance set to `PCI:0x14E4`
+
+External interface access
+-------------------------
+This plugin requires the `SIOCETHTOOL` ioctl interface.

plugins/ccgx/README.md

@@ -97,3 +97,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, for example set to `USB:0x04B4`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/colorhug/README.md

@@ -34,3 +34,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x273F`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/coreboot/README.md

@@ -57,3 +57,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the BIOS vendor, in this instance `DMI:coreboot`
+
+External interface access
+-------------------------
+This plugin does not currently use any external access.

plugins/cpu/README.md

@@ -16,3 +16,7 @@ These devices add extra instance IDs from the CPUID values, e.g.
  * `CPUID\PRO_0&FAM_06`
  * `CPUID\PRO_0&FAM_06&MOD_0E`
  * `CPUID\PRO_0&FAM_06&MOD_0E&STP_3`
+
+External interface access
+-------------------------
+This plugin requires no extra access.

plugins/cros-ec/README.md

@@ -38,6 +38,10 @@ values depending on the model and device mode. The list of USB VIDs used is:
 
  * `USB:0x18D1`
 
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.
+
 [1] https://chromium.googlesource.com/chromiumos/platform/ec/+/master/extra/usb_updater/usb_updater2.c
 [2] https://chromium.googlesource.com/chromiumos/platform/ec/+/master/docs/usb_updater.md
 [3] https://www.chromium.org/chromium-os/firmware-porting-guide/fmap

plugins/csr/README.md

@@ -39,3 +39,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x0A12`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/dell-dock/README.md

@@ -68,3 +68,7 @@ This plugin uses the following plugin-specific quirks:
 | `DellDockVersionLowest`      | The minimum component version required to safely operate the plugin     | 1.1.3                 |
 | `DellDockBoard*`             | The board description of a board revision                               | 1.1.3                 |
 | `DellDockInstallDurationI2C` | The duration of time required to install a payload via I2C.             | 1.1.3                 |
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/dell-esrt/README.md

@@ -45,3 +45,9 @@ UEFI dummy device
   Version:              0
   Created:              2018-06-25
 ```
+
+External interface access
+-------------------------
+This plugin requires:
+* read/write access to `/dev/wmi/dell-smbios` and `/sys/bus/platform/devices/dcdbas`.
+* read access to `/sys/firmware/efi/esrt`.

plugins/dell/README.md

@@ -181,3 +181,7 @@ These updates can be performed the standard method of using:
 
 Some components are updatable via other plugins in fwupd such as multi stream
 transport hub (MST) and thunderbolt NVM.
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/wmi/dell-smbios` and `/sys/bus/platform/devices/dcdbas`.

plugins/dfu/README.md

@@ -41,3 +41,7 @@ This plugin uses the following plugin-specific quirks:
 |`DfuFlags`              | Optional quirks for a DFU device which doesn't follow the DFU 1.0 or 1.1 specification | 1.0.1|
 |`DfuForceVersion`       | Forces a specific DFU version for the hardware device. This is required if the device does not set, or sets incorrectly, items in the DFU functional descriptor. |1.0.1|
 |`DfuForceTimeout`       | Forces a specific device timeout, in ms     | 1.4.0                 |
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/ebitdo/README.md

@@ -44,3 +44,7 @@ values depending on the model and device mode. The list of USB VIDs used is:
  * `USB:0x1235`
  * `USB:0x2002`
  * `USB:0x8000`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/elantp/README.md

@@ -31,7 +31,7 @@ Additionally another instance ID is added which corresponds to the module ID:
 These devices also use custom GUID values for the IC configuration, e.g.
 
  * `ELANTP\ICTYPE_09`
- 
+
  Additionally another instance ID is added which corresponds to the IC type & module ID:
 
  * `ELANTP\ICTYPE_09&MOD_1234`
@@ -50,3 +50,7 @@ This plugin uses the following plugin-specific quirks:
 |------------------------|-------------------------------------------|-----------------------|
 | `ElantpIcPageCount`    | The IC page count                         | 1.4.6                 |
 | `ElantpIapPassword`    | The IAP password                          | 1.4.6                 |
+
+External interface access
+-------------------------
+This plugin requires ioctl access to `HIDIOCSFEATURE` and `HIDIOCGFEATURE`.

plugins/emmc/README.md

@@ -24,3 +24,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the EMMC vendor, for example set to `EMMC:{$manfid}`
+
+External interface access
+-------------------------
+This plugin requires ioctl `MMC_IOC_CMD` and `MMC_IOC_MULTI_CMD` access.

plugins/ep963x/README.md

@@ -29,3 +29,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x17EF`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/fastboot/README.md

@@ -43,3 +43,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, for example `USB:0x18D1`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/flashrom/README.md

@@ -28,3 +28,8 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the BIOS vendor, for example `DMI:Google`
+
+External interface access
+---
+This plugin requires access to all interfaces that `libflashrom` has been compiled for.
+This typically is `/sys/bus/spi` but there may be other interfaces as well.

plugins/fresco-pd/README.md

@@ -33,3 +33,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x1D5C`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/goodix-moc/README.md

@@ -29,3 +29,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x27C6`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/iommu/README.md

@@ -5,3 +5,7 @@ Introduction
 ------------
 
 This plugin checks if an IOMMU is available on the system.
+
+External interface access
+-------------------------
+This plugin requires no extra access.

plugins/jabra/README.md

@@ -26,3 +26,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x0A12`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/linux-lockdown/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the currently running kernel is locked down. The result
 will be stored in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/sys/kernel/security`.

plugins/linux-sleep/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if s3 sleep is available. The result will be stored in an
 security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/power/mem_sleep`.

plugins/linux-swap/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the currently available swap partitions and files are
 all encrypted. The result will be stored in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/proc`

plugins/linux-tainted/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the currently running kernel is tainted. The result will
 be stored in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/kernel/tainted`.

plugins/logind/README.md

@@ -11,3 +11,7 @@ Vendor ID Security
 ------------------
 
 This protocol does not create a device and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires access to the dbus interface `org.freedesktop.login1`.

plugins/logitech-hidpp/README.md

@@ -58,3 +58,7 @@ paired devices.
 
 [1] https://www.mousejack.com/
 [2] https://pwr-Solaar.github.io/Solaar/
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/modem-manager/README.md

@@ -48,3 +48,7 @@ partition where the MCFG files are stored can be wiped out before installing
 the new ones.
 
 Update protocol: com.qualcomm.qmi_pdc
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/msr/README.md

@@ -12,3 +12,7 @@ always be disabled and locked on production hardware as it allows the
 attacker to disable other firmware protection methods.
 
 The result will be stored in a security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/class/msr`.

plugins/nitrokey/README.md

@@ -25,3 +25,7 @@ Vendor ID Security
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x20A0`
 in runtime mode and `USB:0x03EB` in bootloader mode.
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/nvme/README.md

@@ -54,3 +54,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the udev vendor, for example set to `NVME:0x1179`
+
+External interface access
+-------------------------
+This plugin requires ioctl `NVME_IOCTL_ADMIN_CMD` access.

plugins/optionrom/README.md

@@ -24,3 +24,7 @@ Vendor ID Security
 ------------------
 
 The device is not upgradable and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires read access to the rom file of PCI devices (`/sys/class/pci_bus/*/device/rom`)

plugins/pci-bcr/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the system SPI chip is locked. The result will be stored
 in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to the config space of PCI devices (`/sys/class/pci_bus/*/device/config`)

plugins/pci-mei/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the ME is in Manufacturing Mode. The result will be stored
 in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to the config space of PCI devices (`/sys/class/pci_bus/*/device/config`)

plugins/platform-integrity/README.md

@@ -6,3 +6,7 @@ Introduction
 
 This plugin checks if the system SPI chip is locked. The result will be stored
 in an security attribute for HSI.
+
+External interface access
+-------------------------
+This plugin requires read access to `/sys/class/platform-integrity`

plugins/redfish/README.md

@@ -73,3 +73,7 @@ and verify the uri with
 or
 
     $ curl -k https://192.168.0.133:443/redfish/v1/
+
+External interface access
+-------------------------
+This requires HTTP access to a given URL.

plugins/rts54hid/README.md

@@ -47,3 +47,7 @@ This plugin uses the following plugin-specific quirks:
 | `Rts54TargetAddr`      | The target address of a child module.       | 1.1.3                 |
 | `Rts54I2cSpeed`        | The I2C speed to operate at (0, 1, 2).      | 1.1.3                 |
 | `Rts54RegisterAddrLen` | The I2C register address length of commands | 1.1.3                 |
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/rts54hub/README.md

@@ -33,3 +33,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x0BDA`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/solokey/README.md

@@ -31,3 +31,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x0483`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/steelseries/README.md

@@ -21,3 +21,7 @@ Vendor ID Security
 ------------------
 
 The device is not upgradable and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/superio/README.md

@@ -27,3 +27,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the baseboard vendor, for example `DMI:Star Labs`
+
+External interface access
+-------------------------
+This plugin requires access to raw system memory via `inb`/`outb`.

plugins/synaptics-cxaudio/README.md

@@ -47,3 +47,7 @@ This plugin uses the following plugin-specific quirks:
 | `IsSoftwareResetSupported` | If the chip supports self-reset  | 1.3.2                 |
 | `EepromPatchValidAddr`     | Address of patch location #1     | 1.3.2                 |
 | `EepromPatch2ValidAddr`    | Address of patch location #2     | 1.3.2                 |
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/synaptics-mst/README.md

@@ -84,3 +84,7 @@ Here is a sample list of systems known to support them however:
  *  Latitude Rugged 5414
  *  Latitude Rugged 7214
  *  Latitude Rugged 7414
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/drm_dp_aux*`.

plugins/synaptics-prometheus/README.md

@@ -31,3 +31,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x06CB`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/synaptics-rmi/README.md

@@ -31,3 +31,7 @@ a proprietary (but docucumented) file format.
 This plugin supports the following protocol ID:
 
  * com.synaptics.rmi
+
+External interface access
+-------------------------
+This plugin requires ioctl access to `HIDIOCSFEATURE` and `HIDIOCGFEATURE`.

plugins/test/README.md

@@ -16,3 +16,7 @@ Vendor ID Security
 ------------------
 
 The fake device is only for local testing and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires no extra access.

plugins/thelio-io/README.md

@@ -20,3 +20,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, in this instance set to `USB:0x1209`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/thunderbolt/README.md

@@ -92,3 +92,7 @@ DROM and exposed in the relevant sysfs attributes.
 
 If the controller is in native enumeration mode, the string "-native" is added
 at the end so the format is "TBT-vvvvdddd-native".
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/sys/bus/thunderbolt`.

plugins/tpm-eventlog/README.md

@@ -15,3 +15,7 @@ Vendor ID Security
 ------------------
 
 The device is not upgradable and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires read only access to `/sys/kernel/security/tpm0/binary_bios_measurements`.

plugins/tpm/README.md

@@ -30,3 +30,7 @@ Vendor ID Security
 ------------------
 
 The device is not upgradable and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin uses the tpm2-tss library to access the TPM.  It requires access to `/sys/class/tpm`.

plugins/uefi-dbx/README.md

@@ -39,3 +39,9 @@ Vendor ID Security
 ------------------
 
 The vendor ID is hardcoded to `UEFI:Microsoft` for all devices.
+
+
+External interface access
+-------------------------
+This plugin requires:
+* read/write access to `/sys/firmware/efi/efivars`

plugins/uefi-recovery/README.md

@@ -20,3 +20,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the BIOS vendor, for example `DMI:LENOVO`
+
+External interface access
+-------------------------
+This plugin requires no extra access.

plugins/uefi/README.md

@@ -58,3 +58,11 @@ Since version 1.1.0 fwupd will autodetect the ESP when it is mounted on
 used by modifying *OverrideESPMountPoint* in `/etc/fwupd/uefi.conf`.
 
 Setting an invalid directory will disable the fwupd plugin.
+
+External interface access
+-------------------------
+This plugin requires:
+* read/write access to the EFI system partition.
+* read access to `/sys/firmware/efi/esrt/`
+* read access to `/sys/firmware/efi/fw_platform_size`
+* read/write access to `/sys/firmware/efi/efivars`

plugins/upower/README.md

@@ -10,3 +10,7 @@ Vendor ID Security
 ------------------
 
 This protocol does not create a device and thus requires no vendor ID set.
+
+External interface access
+-------------------------
+This plugin requires access to the dbus interface `org.freedesktop.UPower`.

plugins/vli/README.md

@@ -80,3 +80,7 @@ the other flash chip parameters. For example:
     [Guid=VLI_USBHUB\\SPI_37303840]
     SpiCmdChipErase = 0xc7
     SpiCmdSectorErase = 0x20
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.

plugins/wacom-raw/README.md

@@ -36,3 +36,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the udev vendor, in this instance set to `HIDRAW:0x056A`
+
+External interface access
+-------------------------
+This plugin requires ioctl `HIDIOCSFEATURE` access.

plugins/wacom-usb/README.md

@@ -44,3 +44,7 @@ Vendor ID Security
 ------------------
 
 The vendor ID is set from the USB vendor, for example set to `USB:0x056A`
+
+External interface access
+-------------------------
+This plugin requires read/write access to `/dev/bus/usb`.