Add documentation for three existing HSI attributes

Fixes https://github.com/fwupd/fwupd/issues/5233
2025-08-14 21:50:25 +00:00 · 2022-11-02 13:10:24 +00:00 · 2022-11-02 13:10:24 +00:00 · 8f904cac17
commit 8f904cac17
parent 1fafa92218
3 changed files with 58 additions and 0 deletions
--- a/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json
@ -0,0 +1,19 @@
+{
+  "id" : "org.fwupd.hsi.Kernel.Lockdown",
+  "name" : "Kernel Lockdown",
+  "description" : [
+    "Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.",
+    "Turning on this feature means that often-used mechanisms like /dev/mem used to raise privileges or exfiltrate data are no longer available."
+  ],
+  "failure-impact" : [
+    "An unlocked kernel can be easily abused by a malicious userspace program running as root, which can include replacing system firmware."
+  ],
+  "failure-results" : {
+    "not-valid" : "could not read lockdown status, perhaps from an old kernel",
+    "not-enabled" : "lockdown is set to `none`"
+  },
+  "success-results" : {
+    "enabled" : "lockdown is set to either `integrity` or `confidentiality`."
+  },
+  "fwupd-version" : "1.5.0"
+}
--- a/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json
@ -0,0 +1,19 @@
+{
+  "id" : "org.fwupd.hsi.Kernel.Tainted",
+  "name" : "Kernel Tainted",
+  "description" : [
+    "When calculating the HSI value fwupd has to ask the Linux Kernel for information.",
+    "If the kernel has been tainted by overriding a firmware table or by loading a proprietary module then we cannot trust the data it reports."
+  ],
+  "failure-impact" : [
+    "Using a tainted kernel means that values obtained from the kernel cannot be trusted."
+  ],
+  "failure-results" : {
+    "not-valid" : "could not detect kernel taint status",
+    "tainted" : "the kernel is untrusted, perhaps because a proprietary module was loaded"
+  },
+  "success-results" : {
+    "not-tainted" : "the kernel is trusted"
+  },
+  "fwupd-version" : "1.5.0"
+}
--- a/docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json
+++ b/docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json
@ -0,0 +1,20 @@
+{
+  "id" : "org.fwupd.hsi.SupportedCpu",
+  "name" : "Supported CPU",
+  "description" : [
+    "Most platform checks are specific to the CPU vendor.",
+    "To avoid giving a very high HSI result for a platform we do not know how to verify, we include this attribute to ensure that the result is meaningful."
+  ],
+  "failure-impact" : [
+    "If using an unsupported CPU then fwupd is unable to verify the platform security.",
+    "You should contact your platform vendor and ask them to contribute HSI tests for this CPU type."
+  ],
+  "failure-results" : {
+    "unknown" : "platform security is unknown"
+  },
+  "success-results" : {
+    "valid" : "the CPU platform is supported and has HSI tests"
+  },
+  "hsi-level" : 1,
+  "fwupd-version" : "1.8.0"
+}