trivial: rename the DMAR attribute to be vendor agnostic

The DMAR attribute is for Intel only, but AMD has the same feature in the IVRS table. Rename the attribute to clarify this.
2025-07-24 15:26:40 +00:00 · 2022-04-02 18:45:27 -05:00 · 2022-04-02 18:45:27 -05:00 · a93feda72b
commit a93feda72b
parent 3c48cf464b
5 changed files with 21 additions and 12 deletions
--- a/docs/hsi.md
+++ b/docs/hsi.md
@ -437,14 +437,16 @@ To meet HSI-2 on systems that run this test, the result must be `valid`. *[v1.5.
 - [Linux Kernel TPM Documentation](https://www.kernel.org/doc/html/latest/security/tpm/tpm_event_log.html)

 <a id="org.fwupd.hsi.AcpiDmar"></a>
+<a id="org.fwupd.hsi.PrebootDma"></a>

-### [Pre-boot DMA protection](#org.fwupd.hsi.AcpiDmar)
+### [Pre-boot DMA protection](#org.fwupd.hsi.PrebootDma)

 The IOMMU on modern systems is used to mitigate against DMA attacks.
 All I/O for devices capable of DMA is mapped into a private virtual memory region.
-The ACPI DMAR table is used to set up pre-boot DMA protection which eliminates some firmware attacks.
+On Intel systems the ACPI DMAR table indicated the system is configured with pre-boot DMA protection which eliminates some firmware attacks.
+On AMD systems the ACPI IVRS table indicates the same.

-**Impact:** Without a DMAR table the IOMMU is disabled at boot.
+**Impact:** The IOMMU may is disabled at boot.
 An attacker could connect a malicious peripheral using ThunderBolt and reboot the machine, which would allow the attacker to modify the system memory.
 This would allow subverting the Secure Boot protection, and also invalidate any system attestation.

@ -454,11 +456,15 @@ This would allow subverting the Secure Boot protection, and also invalidate any
 - `not-valid`: could not determine state
 - `not-enabled`: was not enabled

-To meet HSI-3 on systems that run this test, the result must be `enabled`. *[v1.5.0]*
+To meet HSI-3 on systems that run this test, the result must be `enabled`. *[v1.8.0]*
+
+Note: a previous version of this attribute existed in 1.5.0 but was only for Intel systems.
+It was renamed in 1.8.0 to support other vendors.

 **References:**

 - [IOMMU Wikipedia Page](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit)
+- [AMD IVRS Specification](https://www.amd.com/system/files/TechDocs/48882_IOMMU.pdf)

 <a id="org.fwupd.hsi.Kernel.IntelBootguard"></a>
 <a id="org.fwupd.hsi.IntelBootguard.Enabled"></a>
--- a/libfwupd/fwupd-security-attr-private.h
+++ b/libfwupd/fwupd-security-attr-private.h
@ -14,13 +14,16 @@
 G_BEGIN_DECLS

 /**
- * FWUPD_SECURITY_ATTR_ID_ACPI_DMAR:
+ * FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION:
 *
- * Host Security ID attribute for ACPI DMAR table
+ * Host Security ID attribute for Pre-boot DMA protection
 *
- * Since: 1.5.0
+ * This was previously known as org.fwupd.hsi.AcpiDmar for Intel from 1.5.0+.
+ *
+ * Since: 1.5.0 (for Intel only)
+ * Since: 1.8.0 (for all vendors)
 **/
-#define FWUPD_SECURITY_ATTR_ID_ACPI_DMAR "org.fwupd.hsi.AcpiDmar"
+#define FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION "org.fwupd.hsi.PrebootDma"
 /**
 * FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM:
 *
--- a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
+++ b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
@ -25,7 +25,7 @@ fu_plugin_acpi_dmar_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 		return;

 	/* create attr */
-	attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ACPI_DMAR);
+	attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION);
 	fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
 	fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 	fu_security_attrs_append(attrs, attr);
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@ -34,7 +34,7 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 		/* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
 		return g_strdup(_("SPI BIOS Descriptor"));
 	}
-	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_ACPI_DMAR) == 0) {
+	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION) == 0) {
 		/* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack  */
 		return g_strdup(_("Pre-boot DMA protection"));
 	}
--- a/src/fu-util-common.c
+++ b/src/fu-util-common.c
@ -2143,12 +2143,12 @@ fu_util_security_event_to_string(FwupdSecurityAttr *attr)
 		      /* TRANSLATORS: HSI event title */
 		      _("Kernel lockdown enabled")},
 		     /* ------------------------------------------*/
-		     {FWUPD_SECURITY_ATTR_ID_ACPI_DMAR,
+		     {FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION,
 		      FWUPD_SECURITY_ATTR_RESULT_ENABLED,
 		      FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
 		      /* TRANSLATORS: HSI event title */
 		      _("Pre-boot DMA protection is disabled")},
-		     {FWUPD_SECURITY_ATTR_ID_ACPI_DMAR,
+		     {FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION,
 		      FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
 		      FWUPD_SECURITY_ATTR_RESULT_ENABLED,
 		      /* TRANSLATORS: HSI event title */