diff --git a/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json
new file mode 100644
index 000000000..c8d278344
--- /dev/null
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json
@@ -0,0 +1,19 @@
+{
+ "id" : "org.fwupd.hsi.Kernel.Lockdown",
+ "name" : "Kernel Lockdown",
+ "description" : [
+ "Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.",
+ "Turning on this feature means that often-used mechanisms like /dev/mem used to raise privileges or exfiltrate data are no longer available."
+ ],
+ "failure-impact" : [
+ "An unlocked kernel can be easily abused by a malicious userspace program running as root, which can include replacing system firmware."
+ ],
+ "failure-results" : {
+ "not-valid" : "could not read lockdown status, perhaps from an old kernel",
+ "not-enabled" : "lockdown is set to `none`"
+ },
+ "success-results" : {
+ "enabled" : "lockdown is set to either `integrity` or `confidentiality`."
+ },
+ "fwupd-version" : "1.5.0"
+}
diff --git a/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json
new file mode 100644
index 000000000..0c666b7cc
--- /dev/null
+++ b/docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json
@@ -0,0 +1,19 @@
+{
+ "id" : "org.fwupd.hsi.Kernel.Tainted",
+ "name" : "Kernel Tainted",
+ "description" : [
+ "When calculating the HSI value fwupd has to ask the Linux Kernel for information.",
+ "If the kernel has been tainted by overriding a firmware table or by loading a proprietary module then we cannot trust the data it reports."
+ ],
+ "failure-impact" : [
+ "Using a tainted kernel means that values obtained from the kernel cannot be trusted."
+ ],
+ "failure-results" : {
+ "not-valid" : "could not detect kernel taint status",
+ "tainted" : "the kernel is untrusted, perhaps because a proprietary module was loaded"
+ },
+ "success-results" : {
+ "not-tainted" : "the kernel is trusted"
+ },
+ "fwupd-version" : "1.5.0"
+}
diff --git a/docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json b/docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json
new file mode 100644
index 000000000..ff708634f
--- /dev/null
+++ b/docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json
@@ -0,0 +1,20 @@
+{
+ "id" : "org.fwupd.hsi.SupportedCpu",
+ "name" : "Supported CPU",
+ "description" : [
+ "Most platform checks are specific to the CPU vendor.",
+ "To avoid giving a very high HSI result for a platform we do not know how to verify, we include this attribute to ensure that the result is meaningful."
+ ],
+ "failure-impact" : [
+ "If using an unsupported CPU then fwupd is unable to verify the platform security.",
+ "You should contact your platform vendor and ask them to contribute HSI tests for this CPU type."
+ ],
+ "failure-results" : {
+ "unknown" : "platform security is unknown"
+ },
+ "success-results" : {
+ "valid" : "the CPU platform is supported and has HSI tests"
+ },
+ "hsi-level" : 1,
+ "fwupd-version" : "1.8.0"
+}
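Review bot: The three new test descriptions do not share one shape: org.fwupd.hsi.SupportedCpu.json carries `"hsi-level" : 1` while org.fwupd.hsi.Kernel.Lockdown.json and org.fwupd.hsi.Kernel.Tainted.json have no `hsi-level` key at all. If the omission is deliberate (these two read as runtime checks that do not contribute to a numbered level), that convention is not visible from the files themselves, so whatever renders docs/hsi-tests.d should treat the key as optional and the absent-means-runtime rule should be written down where the directory's format is described. Otherwise add `"hsi-level"` to both files so every record has the same keys. A smaller style point: the Lockdown `success-results` value ends with a period (`"… or `confidentiality`."`) while every other result string in the three files does not, so drop it for consistency.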