proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-15 06:33:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add documentation for three existing HSI attributes

Browse Source 
Fixes https://github.com/fwupd/fwupd/issues/5233
This commit is contained in:
Richard Hughes 2022-11-02 13:10:24 +00:00
parent 1fafa92218
commit 8f904cac17
3 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/hsi-tests.d/org.fwupd.hsi.Kernel.Lockdown.json Normal file
View File

@ -0,0 +1,19 @@
{
"id" : "org.fwupd.hsi.Kernel.Lockdown",
"name" : "Kernel Lockdown",
"description" : [
"Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.",
"Turning on this feature means that often-used mechanisms like /dev/mem used to raise privileges or exfiltrate data are no longer available."
],
"failure-impact" : [
"An unlocked kernel can be easily abused by a malicious userspace program running as root, which can include replacing system firmware."
],
"failure-results" : {
"not-valid" : "could not read lockdown status, perhaps from an old kernel",
"not-enabled" : "lockdown is set to `none`"
},
"success-results" : {
"enabled" : "lockdown is set to either `integrity` or `confidentiality`."
},
"fwupd-version" : "1.5.0"
}

19
docs/hsi-tests.d/org.fwupd.hsi.Kernel.Tainted.json Normal file
View File

@ -0,0 +1,19 @@
{
"id" : "org.fwupd.hsi.Kernel.Tainted",
"name" : "Kernel Tainted",
"description" : [
"When calculating the HSI value fwupd has to ask the Linux Kernel for information.",
"If the kernel has been tainted by overriding a firmware table or by loading a proprietary module then we cannot trust the data it reports."
],
"failure-impact" : [
"Using a tainted kernel means that values obtained from the kernel cannot be trusted."
],
"failure-results" : {
"not-valid" : "could not detect kernel taint status",
"tainted" : "the kernel is untrusted, perhaps because a proprietary module was loaded"
},
"success-results" : {
"not-tainted" : "the kernel is trusted"
},
"fwupd-version" : "1.5.0"
}

20
docs/hsi-tests.d/org.fwupd.hsi.SupportedCpu.json Normal file
View File

@ -0,0 +1,20 @@
{
"id" : "org.fwupd.hsi.SupportedCpu",
"name" : "Supported CPU",
"description" : [
"Most platform checks are specific to the CPU vendor.",
"To avoid giving a very high HSI result for a platform we do not know how to verify, we include this attribute to ensure that the result is meaningful."
],
"failure-impact" : [
"If using an unsupported CPU then fwupd is unable to verify the platform security.",
"You should contact your platform vendor and ask them to contribute HSI tests for this CPU type."
],
"failure-results" : {
"unknown" : "platform security is unknown"
},
"success-results" : {
"valid" : "the CPU platform is supported and has HSI tests"
},
"hsi-level" : 1,
"fwupd-version" : "1.8.0"
}