From a5749f4d232da1549abce2fde6c15a223874539e Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Fri, 15 Jul 2022 17:20:59 +0100
Subject: [PATCH] Set the HSI levels in a central place

This means we don't need to worry about changing multiple implementations if the HSI levels change for a specific ID. It also means we can fake HSI results in the future without having to also store the 'correct' level in the input file.
---
 libfwupd/fwupd-security-attr.c | 1 +
 libfwupdplugin/fu-security-attrs.c | 70 +++++++++++++++++++++
 plugins/acpi-dmar/fu-plugin-acpi-dmar.c | 1 -
 plugins/acpi-facp/fu-plugin-acpi-facp.c | 1 -
 plugins/acpi-ivrs/fu-plugin-acpi-ivrs.c | 1 -
 plugins/cpu/fu-cpu-device.c | 5 --
 plugins/intel-spi/fu-intel-spi-device.c | 1 -
 plugins/iommu/fu-plugin-iommu.c | 1 -
 plugins/linux-sleep/fu-plugin-linux-sleep.c | 1 -
 plugins/msr/fu-plugin-msr.c | 3 -
 plugins/pci-bcr/fu-plugin-pci-bcr.c | 3 -
 plugins/pci-mei/fu-plugin-pci-mei.c | 8 ---
 plugins/pci-psp/fu-plugin-pci-psp.c | 7 ---
 plugins/tpm/fu-plugin-tpm.c | 3 -
 plugins/uefi-pk/fu-plugin-uefi-pk.c | 1 -
 15 files changed, 71 insertions(+), 36 deletions(-)

diff --git a/libfwupd/fwupd-security-attr.c b/libfwupd/fwupd-security-attr.c
index 6f3ea996e..01553b2f4 100644
--- a/libfwupd/fwupd-security-attr.c
+++ b/libfwupd/fwupd-security-attr.c
@@ -1380,6 +1380,7 @@ static void
 fwupd_security_attr_init(FwupdSecurityAttr *self)
 {
 FwupdSecurityAttrPrivate *priv = GET_PRIVATE(self);
+ priv->level = FWUPD_SECURITY_ATTR_LEVEL_NONE;
 priv->obsoletes = g_ptr_array_new_with_free_func(g_free);
 priv->guids = g_ptr_array_new_with_free_func(g_free);
 priv->created = (guint64)g_get_real_time() / G_USEC_PER_SEC;
diff --git a/libfwupdplugin/fu-security-attrs.c b/libfwupdplugin/fu-security-attrs.c
index e2d1600c2..0a348c074 100644
--- a/libfwupdplugin/fu-security-attrs.c
+++ b/libfwupdplugin/fu-security-attrs.c
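Review bot: The new `priv->level = FWUPD_SECURITY_ATTR_LEVEL_NONE;` is now a sentinel rather than a plain default: fu_security_attrs_ensure_level() in libfwupdplugin treats NONE as "level not yet assigned" and overwrites it at depsolve time, so a caller can no longer deliberately leave an attribute at NONE. A comment on this line such as `/* NONE means "not yet assigned"; fu_security_attrs_depsolve() fills it in from the ID map */` would record that contract next to the field it governs. The rest of fwupd_security_attr_init() continues past the hunk.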
@@ -313,6 +313,70 @@ fu_security_attrs_sort_cb(gconstpointer item1, gconstpointer item2)
 return g_strcmp0(sort1, sort2);
 }
 
+static struct {
+ const gchar *appstream_id;
+ FwupdSecurityAttrLevel level;
+} appstream_id_level_map[] = {
+ {FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ACM, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ENABLED, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_OTP, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_POLICY, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_VERIFIED, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_CET_ENABLED, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_INTEL_SMAP, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION},
+ {FWUPD_SECURITY_ATTR_ID_IOMMU, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_MEI_OVERRIDE_STRAP, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_MEI_VERSION, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_PLATFORM_FUSED, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_SPI_BLE, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_SPI_DESCRIPTOR, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL},
+ {FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT},
+ {FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_UEFI_PK, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL},
+ {NULL, FWUPD_SECURITY_ATTR_LEVEL_NONE}};
+
+static void
+fu_security_attrs_ensure_level(FwupdSecurityAttr *attr)
+{
+ const gchar *appstream_id = fwupd_security_attr_get_appstream_id(attr);
+
+ /* already set */
+ if (fwupd_security_attr_get_level(attr) != FWUPD_SECURITY_ATTR_LEVEL_NONE)
+ return;
+
+ /* not required */
+ if (fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE))
+ return;
+
+ /* map ID to level in one place */
+ for (guint i = 0; appstream_id_level_map[i].appstream_id != NULL; i++) {
+ if (g_strcmp0(appstream_id, appstream_id_level_map[i].appstream_id) == 0) {
+ fwupd_security_attr_set_level(attr, appstream_id_level_map[i].level);
+ return;
+ }
+ }
+
+ /* somebody forgot to add to the level map... */
+ g_warning("cannot map %s to a HSI level, assuming critical", appstream_id);
+ fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
+}
+
 /**
 * fu_security_attrs_depsolve:
 * @self: a #FuSecurityAttrs
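Review bot: The early return on FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE in fu_security_attrs_ensure_level() leaves any attribute that carries that flag at FWUPD_SECURITY_ATTR_LEVEL_NONE, and FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE is such a case: the fu-cpu-device.c hunk below adds the flag before fu_security_attrs_append() and previously set THEORETICAL explicitly, so its map entry here is never reached and the attribute's level changes from THEORETICAL to NONE. If any consumer of the level does not itself skip runtime-issue attributes that is a visible behaviour change; either drop the early return and let the table apply, or state in the `/* not required */` comment that runtime-issue attributes intentionally carry no HSI level. Separately, the lookup table is writable data although nothing stores through it; `static const struct {` lets the compiler place the ID-to-level policy in read-only storage and rejects an accidental write at compile time. A short comment on the fallback, e.g. `/* unknown IDs are treated as critical so a missing map entry can only make the score stricter */`, would make the safe-direction choice explicit for whoever adds the next ID.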
@@ -330,6 +394,12 @@ fu_security_attrs_depsolve(FuSecurityAttrs *self)
 {
 g_return_if_fail(FU_IS_SECURITY_ATTRS(self));
 
+ /* assign HSI levels if not already done */
+ for (guint i = 0; i < self->attrs->len; i++) {
+ FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i);
+ fu_security_attrs_ensure_level(attr);
+ }
+
 /* set flat where required */
 for (guint i = 0; i < self->attrs->len; i++) {
 FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i);
diff --git a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
index 5d18f881e..eb597d452 100644
--- a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
+++ b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
@@ -27,7 +27,6 @@ fu_plugin_acpi_dmar_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* load DMAR table */
diff --git a/plugins/acpi-facp/fu-plugin-acpi-facp.c b/plugins/acpi-facp/fu-plugin-acpi-facp.c
index a9f6186ff..90e78ac4c 100644
--- a/plugins/acpi-facp/fu-plugin-acpi-facp.c
+++ b/plugins/acpi-facp/fu-plugin-acpi-facp.c
@@ -23,7 +23,6 @@ fu_plugin_acpi_facp_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* load FACP table */
diff --git a/plugins/acpi-ivrs/fu-plugin-acpi-ivrs.c b/plugins/acpi-ivrs/fu-plugin-acpi-ivrs.c
index fe87af9e6..0ca5e545b 100644
--- a/plugins/acpi-ivrs/fu-plugin-acpi-ivrs.c
+++ b/plugins/acpi-ivrs/fu-plugin-acpi-ivrs.c
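Review bot: Level assignment now happens only inside fu_security_attrs_depsolve(), so a FuSecurityAttrs that is exported or inspected without a depsolve pass (a plugin self-test, or any caller that builds the set and reads it back directly) will report FWUPD_SECURITY_ATTR_LEVEL_NONE for every attribute that used to set its level at creation in the plugin hunks below. The doc comment for fu_security_attrs_depsolve(), which ends just before this hunk, should say that the function also assigns HSI levels, e.g. add the line `* Also assigns an HSI level to every attribute that has not set one.` so callers know the pass is mandatory before the levels are meaningful. The body of fu_security_attrs_depsolve() continues past the hunk.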
@@ -28,7 +28,6 @@ fu_plugin_acpi_ivrs_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* load IVRS table */
diff --git a/plugins/cpu/fu-cpu-device.c b/plugins/cpu/fu-cpu-device.c
index b845c06ed..ba0552938 100644
--- a/plugins/cpu/fu-cpu-device.c
+++ b/plugins/cpu/fu-cpu-device.c
@@ -300,7 +300,6 @@ fu_cpu_device_add_security_attrs_intel_cet_enabled(FuCpuDevice *self, FuSecurity
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_CET_ENABLED);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self)));
 fu_security_attrs_append(attrs, attr);
 
@@ -332,7 +331,6 @@ fu_cpu_device_add_security_attrs_intel_cet_active(FuCpuDevice *self, FuSecurityA
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self)));
 fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 fu_security_attrs_append(attrs, attr);
@@ -365,7 +363,6 @@ fu_cpu_device_add_security_attrs_intel_tme(FuCpuDevice *self, FuSecurityAttrs *a
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self)));
 fu_security_attrs_append(attrs, attr);
 
@@ -388,7 +385,6 @@ fu_cpu_device_add_security_attrs_intel_smap(FuCpuDevice *self, FuSecurityAttrs *
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_SMAP);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self)));
 fu_security_attrs_append(attrs, attr);
 
@@ -410,7 +406,6 @@ fu_cpu_device_add_supported_cpu_attribute(FuCpuDevice *self, FuSecurityAttrs *at
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self)));
 
 switch (fu_cpu_get_vendor()) {
diff --git a/plugins/intel-spi/fu-intel-spi-device.c b/plugins/intel-spi/fu-intel-spi-device.c
index 06156472f..d517d195e 100644
--- a/plugins/intel-spi/fu-intel-spi-device.c
+++ b/plugins/intel-spi/fu-intel-spi-device.c
@@ -216,7 +216,6 @@ fu_intel_spi_device_add_security_attrs(FuDevice *device, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_DESCRIPTOR);
 fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self)));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(device));
 fu_security_attrs_append(attrs, attr);
 
diff --git a/plugins/iommu/fu-plugin-iommu.c b/plugins/iommu/fu-plugin-iommu.c
index bee81791a..1a10401ee 100644
--- a/plugins/iommu/fu-plugin-iommu.c
+++ b/plugins/iommu/fu-plugin-iommu.c
@@ -42,7 +42,6 @@ fu_plugin_iommu_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_IOMMU);
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
 fu_security_attrs_append(attrs, attr);
 
diff --git a/plugins/linux-sleep/fu-plugin-linux-sleep.c b/plugins/linux-sleep/fu-plugin-linux-sleep.c
index 073273358..d1b273de5 100644
--- a/plugins/linux-sleep/fu-plugin-linux-sleep.c
+++ b/plugins/linux-sleep/fu-plugin-linux-sleep.c
@@ -20,7 +20,6 @@ fu_plugin_linux_sleep_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attr
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* load file */
diff --git a/plugins/msr/fu-plugin-msr.c b/plugins/msr/fu-plugin-msr.c
index c635ef9a9..d809d1ee0 100644
--- a/plugins/msr/fu-plugin-msr.c
+++ b/plugins/msr/fu-plugin-msr.c
@@ -240,7 +240,6 @@ fu_plugin_add_security_attr_dci_enabled(FuPlugin *plugin, FuSecurityAttrs *attrs
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 if (device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(device));
 fu_security_attrs_append(attrs, attr);
@@ -282,7 +281,6 @@ fu_plugin_add_security_attr_dci_locked(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 if (device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(device));
 fu_security_attrs_append(attrs, attr);
@@ -359,7 +357,6 @@ fu_plugin_add_security_attr_amd_sme_enabled(FuPlugin *plugin, FuSecurityAttrs *a
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
 if (device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(device));
 fu_security_attrs_append(attrs, attr);
diff --git a/plugins/pci-bcr/fu-plugin-pci-bcr.c b/plugins/pci-bcr/fu-plugin-pci-bcr.c
index aecfedb43..9c3c4d5b1 100644
--- a/plugins/pci-bcr/fu-plugin-pci-bcr.c
+++ b/plugins/pci-bcr/fu-plugin-pci-bcr.c
@@ -78,7 +78,6 @@ fu_plugin_add_security_attr_bioswe(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 if (msf_device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device));
 fu_security_attrs_append(attrs, attr);
@@ -117,7 +116,6 @@ fu_plugin_add_security_attr_ble(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_BLE);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 if (msf_device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device));
 fu_security_attrs_append(attrs, attr);
@@ -155,7 +153,6 @@ fu_plugin_add_security_attr_smm_bwp(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 if (msf_device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device));
 fu_security_attrs_append(attrs, attr);
diff --git a/plugins/pci-mei/fu-plugin-pci-mei.c b/plugins/pci-mei/fu-plugin-pci-mei.c
index 78726922b..106d4d9b6 100644
--- a/plugins/pci-mei/fu-plugin-pci-mei.c
+++ b/plugins/pci-mei/fu-plugin-pci-mei.c
@@ -252,7 +252,6 @@ fu_plugin_add_security_attrs_manufacturing_mode(FuPlugin *plugin, FuSecurityAttr
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -291,7 +290,6 @@ fu_plugin_add_security_attrs_override_strap(FuPlugin *plugin, FuSecurityAttrs *a
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_MEI_OVERRIDE_STRAP);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -330,7 +328,6 @@ fu_plugin_add_security_attrs_bootguard_enabled(FuPlugin *plugin, FuSecurityAttrs
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ENABLED);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -372,7 +369,6 @@ fu_plugin_add_security_attrs_bootguard_verified(FuPlugin *plugin, FuSecurityAttr
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_VERIFIED);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -420,7 +416,6 @@ fu_plugin_add_security_attrs_bootguard_acm(FuPlugin *plugin, FuSecurityAttrs *at
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ACM);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -468,7 +463,6 @@ fu_plugin_add_security_attrs_bootguard_policy(FuPlugin *plugin, FuSecurityAttrs
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_POLICY);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -516,7 +510,6 @@ fu_plugin_add_security_attrs_bootguard_otp(FuPlugin *plugin, FuSecurityAttrs *at
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_OTP);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
@@ -575,7 +568,6 @@ fu_plugin_add_security_attrs_mei_version(FuPlugin *plugin, FuSecurityAttrs *attr
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_MEI_VERSION);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* not enabled */
diff --git a/plugins/pci-psp/fu-plugin-pci-psp.c b/plugins/pci-psp/fu-plugin-pci-psp.c
index eeb743f57..4b311862a 100644
--- a/plugins/pci-psp/fu-plugin-pci-psp.c
+++ b/plugins/pci-psp/fu-plugin-pci-psp.c
@@ -60,7 +60,6 @@ fu_plugin_add_security_attrs_tsme(const gchar *path, FuSecurityAttrs *attrs)
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "tsme_status", &val, &error_local)) {
@@ -88,7 +87,6 @@ fu_plugin_add_security_attrs_fused_part(const gchar *path, FuSecurityAttrs *attr
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PLATFORM_FUSED);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "fused_part", &val, &error_local)) {
@@ -117,7 +115,6 @@ fu_plugin_add_security_attrs_debug_locked_part(const gchar *path, FuSecurityAttr
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "debug_lock_on", &val, &error_local)) {
@@ -146,7 +143,6 @@ fu_plugin_add_security_attrs_rollback_protection(const gchar *path, FuSecurityAt
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "anti_rollback_status", &val, &error_local)) {
@@ -175,7 +171,6 @@ fu_plugin_add_security_attrs_rom_armor(const gchar *path, FuSecurityAttrs *attrs
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "rom_armor_enforced", &val, &error_local)) {
@@ -205,7 +200,6 @@ fu_plugin_add_security_attrs_rpmc(const gchar *path, FuSecurityAttrs *attrs)
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fu_security_attrs_append(attrs, attr);
 
 if (!fu_plugin_pci_psp_get_attr(attr, path, "rpmc_spirom_available", &val, &error_local)) {
@@ -246,7 +240,6 @@ fu_plugin_pci_psp_set_missing_data(FuSecurityAttrs *attrs)
 
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU);
 fwupd_security_attr_set_plugin(attr, "pci_psp");
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_add_obsolete(attr, "cpu");
 fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_MISSING_DATA);
 fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM);
diff --git a/plugins/tpm/fu-plugin-tpm.c b/plugins/tpm/fu-plugin-tpm.c
index 1577a4953..963848443 100644
--- a/plugins/tpm/fu-plugin-tpm.c
+++ b/plugins/tpm/fu-plugin-tpm.c
@@ -111,7 +111,6 @@ fu_plugin_tpm_add_security_attr_version(FuPlugin *plugin, FuSecurityAttrs *attrs
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fu_security_attrs_append(attrs, attr);
 
 /* check exists, and in v2.0 mode */
@@ -148,7 +147,6 @@ fu_plugin_tpm_add_security_attr_eventlog(FuPlugin *plugin, FuSecurityAttrs *attr
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(priv->tpm_device));
 fu_security_attrs_append(attrs, attr);
 
@@ -211,7 +209,6 @@ fu_plugin_tpm_add_security_attr_empty(FuPlugin *plugin, FuSecurityAttrs *attrs)
 /* add attributes */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(priv->tpm_device));
 fu_security_attrs_append(attrs, attr);
 
diff --git a/plugins/uefi-pk/fu-plugin-uefi-pk.c b/plugins/uefi-pk/fu-plugin-uefi-pk.c
index d7f1b5285..cf650ae5f 100644
--- a/plugins/uefi-pk/fu-plugin-uefi-pk.c
+++ b/plugins/uefi-pk/fu-plugin-uefi-pk.c
@@ -173,7 +173,6 @@ fu_plugin_uefi_pk_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 
 /* create attr */
 attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_UEFI_PK);
- fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
 if (msf_device != NULL)
 fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device));