proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-08 07:22:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a new HSI attributes for SPI protections

Browse Source
This commit is contained in:
Mario Limonciello 2022-01-31 17:33:12 -06:00 committed by Mario Limonciello
parent 04efb0b0cb
commit 9adb5380b3
3 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
docs/hsi.md
View File

@ -661,6 +661,36 @@ To meet HSI-1 on AMD systems that run this test, the result must be `enabled`. *
<a id="org.fwupd.hsi.IntelSmap"></a> <a id="org.fwupd.hsi.IntelSmap"></a>
### [AMD SPI Write protections](#org.fwupd.hsi.Amd.SpiWriteProtection)
SOCs may enforce control of the SPI bus to prevent writes other than by verified entities.
**Impact:** SOCs without this feature may be attacked by an attacker modifying the SPI.
**Possible results:**
- `enabled`: spi protections enabled
- `not-enabled`: spi protections disabled
To meet HSI-2 on systems that run this test, the result must be `enabled`. *[v1.8.0]*
<a id="org.fwupd.hsi.Amd.SpiWriteProtection"></a>
### [AMD SPI Replay protections](#org.fwupd.hsi.Amd.SpiReplayProtection)
SOCs may include support for replay-protected monotonic counters to prevent replay attacks.
**Impact:** SOCs without this feature may be attacked by an attacker modifying the SPI.
**Possible results:**
- `enabled`: spi protections enabled
- `not-enabled`: spi protections disabled
To meet HSI-3 on systems that run this test, the result must be `enabled`. *[v1.8.0]*
<a id="org.fwupd.hsi.Amd.SpiReplayProtection"></a>
### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap) ### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap)
Without Supervisor Mode Access Prevention, the supervisor code usually has full read and write access to user-space memory mappings. Without Supervisor Mode Access Prevention, the supervisor code usually has full read and write access to user-space memory mappings.

16
libfwupd/fwupd-security-attr-private.h
View File

@ -296,6 +296,22 @@ G_BEGIN_DECLS
* Since: 1.8.0 * Since: 1.8.0
**/ **/
#define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection" #define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection"
/**
* FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION
*
* Host Security ID attribute for SPI Write protection
*
* Since: 1.8.0
**/
#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION "org.fwupd.hsi.Amd.SpiWriteProtection"
/**
* FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION
*
* Host Security ID attribute for SPI replay protection
*
* Since: 1.8.0
**/
#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION "org.fwupd.hsi.Amd.SpiReplayProtection"
GVariant * GVariant *
fwupd_security_attr_to_variant(FwupdSecurityAttr *self); fwupd_security_attr_to_variant(FwupdSecurityAttr *self);

8
src/fu-security-attr.c
View File

@ -187,6 +187,14 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: if firmware enforces rollback protection */ /* TRANSLATORS: Title: if firmware enforces rollback protection */
return g_strdup(_("Rollback protection")); return g_strdup(_("Rollback protection"));
} }
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
/* TRANSLATORS: Title: if hardware enforces control of SPI replays */
return g_strdup(_("SPI replay protection"));
}
if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION) == 0) {
/* TRANSLATORS: Title: if hardware enforces control of SPI writes */
return g_strdup(_("SPI write protection"));
}
/* we should not get here */ /* we should not get here */
return g_strdup(fwupd_security_attr_get_name(attr)); return g_strdup(fwupd_security_attr_get_name(attr));