diff --git a/libfwupd/fwupd-enums-private.h b/libfwupd/fwupd-enums-private.h
index abb556895..7d2bc8136 100644
--- a/libfwupd/fwupd-enums-private.h
+++ b/libfwupd/fwupd-enums-private.h
@@ -24,7 +24,7 @@ G_BEGIN_DECLS
 #define FWUPD_RESULT_KEY_FLASHES_LEFT "FlashesLeft" /* u */
 #define FWUPD_RESULT_KEY_URGENCY "Urgency" /* u */
 #define FWUPD_RESULT_KEY_HSI_LEVEL "HsiLevel" /* u */
-#define FWUPD_RESULT_KEY_HSI_RESULT "HsiResult" /* s */
+#define FWUPD_RESULT_KEY_HSI_RESULT "HsiResult" /* u */
 #define FWUPD_RESULT_KEY_INSTALL_DURATION "InstallDuration" /* u */
 #define FWUPD_RESULT_KEY_GUID "Guid" /* as */
 #define FWUPD_RESULT_KEY_INSTANCE_IDS "InstanceIds" /* as */
diff --git a/libfwupd/fwupd-security-attr.c b/libfwupd/fwupd-security-attr.c
index 5a0a2b094..6e618f894 100644
--- a/libfwupd/fwupd-security-attr.c
+++ b/libfwupd/fwupd-security-attr.c
@@ -25,8 +25,9 @@ typedef struct {
 GPtrArray *obsoletes;
 gchar *name;
 gchar *plugin;
- gchar *result;
+ gchar *url;
 FwupdSecurityAttrLevel level;
+ FwupdSecurityAttrResult result;
 FwupdSecurityAttrFlags flags;
 } FwupdSecurityAttrPrivate;
 
@@ -61,6 +62,50 @@ fwupd_security_attr_flag_to_string (FwupdSecurityAttrFlags flag)
 return NULL;
 }
 
+/**
+ * fwupd_security_attr_result_to_string:
+ * @result: A #FwupdSecurityAttrResult, e.g. %FWUPD_SECURITY_ATTR_RESULT_ENABLED
+ *
+ * Returns the printable string for the result enum.
+ *
+ * Returns: string, or %NULL
+ *
+ * Since: 1.5.0
+ **/
+const gchar *
+fwupd_security_attr_result_to_string (FwupdSecurityAttrResult result)
+{
+ if (result == FWUPD_SECURITY_ATTR_RESULT_VALID)
+ return "valid";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_VALID)
+ return "not-valid";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_ENABLED)
+ return "enabled";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED)
+ return "not-enabled";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_LOCKED)
+ return "locked";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED)
+ return "not-locked";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED)
+ return "encrypted";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED)
+ return "not-encrypted";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_TAINTED)
+ return "tainted";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED)
+ return "not-tainted";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_FOUND)
+ return "found";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND)
+ return "not-found";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_SUPPORTED)
+ return "supported";
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED)
+ return "not-supported";
+ return NULL;
+}
+
 /**
 * fwupd_security_attr_flag_to_suffix:
 * @flag: A #FwupdSecurityAttrFlags, e.g. %FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES
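Review bot: `fwupd_security_attr_result_to_string()` returns `NULL` both for `FWUPD_SECURITY_ATTR_RESULT_UNKNOWN` and for any number it does not recognise, and the doc comment should say so: `Returns: string, or %NULL if the result is unknown or unset`. The new callers in `fwupd_security_attr_to_json()` and `fwupd_security_attr_to_string()` pass that return value straight on, so they rely on their helpers tolerating `NULL`; those helpers are outside this hunk. As a style point, a `switch (result)` with no `default:` would let `-Wswitch` report an enum value added later without a string, which the `if` chain cannot do.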
@@ -105,7 +150,7 @@ fwupd_security_attr_get_obsoletes (FwupdSecurityAttr *self)
 /**
 * fwupd_security_attr_add_obsolete:
 * @self: A #FwupdSecurityAttr
- * @appstream_id: the appstream_id
+ * @appstream_id: the appstream_id or plugin name
 *
 * Adds an attribute appstream_id to obsolete. The obsoleted attribute will not
 * contribute to the calculated HSI value or be visible in command line tools.
@@ -180,26 +225,31 @@ fwupd_security_attr_set_appstream_id (FwupdSecurityAttr *self, const gchar *apps
 {
 FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self);
 g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self));
+
+ /* sanity check */
+ if (!g_str_has_prefix (appstream_id, "org.fwupd.hsi."))
+ g_critical ("HSI attributes need to have a 'org.fwupd.hsi.' prefix");
+
 g_free (priv->appstream_id);
 priv->appstream_id = g_strdup (appstream_id);
 }
 
 /**
- * fwupd_security_attr_get_result:
+ * fwupd_security_attr_get_url:
 * @self: A #FwupdSecurityAttr
 *
- * Gets the attribute result.
+ * Gets the attribute URL.
 *
 * Returns: the attribute result, or %NULL if unset
 *
 * Since: 1.5.0
 **/
 const gchar *
-fwupd_security_attr_get_result (FwupdSecurityAttr *self)
+fwupd_security_attr_get_url (FwupdSecurityAttr *self)
 {
 FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self);
 g_return_val_if_fail (FWUPD_IS_SECURITY_ATTR (self), NULL);
- return priv->result;
+ return priv->url;
 }
 
 /**
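Review bot: The prefix check added to `fwupd_security_attr_set_appstream_id()` only logs: a non-conforming ID is still stored by the `g_strdup()` below it, and a `NULL` `appstream_id` reaches `g_str_has_prefix()`, which emits its own critical before this one. If the `org.fwupd.hsi.` prefix is meant to be an invariant that consumers can rely on, guard the NULL case with `if (appstream_id != NULL && !g_str_has_prefix (appstream_id, "org.fwupd.hsi."))` and state in the doc comment that the value is stored regardless. Separately, the renamed getter's doc still reads `Returns: the attribute result, or %NULL if unset`; it should be `Returns: the attribute URL, or %NULL if unset`. The same leftover wording, `Sets the attribute result.`, remains on `fwupd_security_attr_set_url()` in the `@@ -239,21` hunk.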
@@ -239,21 +289,21 @@ fwupd_security_attr_set_plugin (FwupdSecurityAttr *self, const gchar *plugin)
 }
 
 /**
- * fwupd_security_attr_set_result:
+ * fwupd_security_attr_set_url:
 * @self: A #FwupdSecurityAttr
- * @result: the attribute one line result
+ * @url: the attribute URL
 *
 * Sets the attribute result.
 *
 * Since: 1.5.0
 **/
 void
-fwupd_security_attr_set_result (FwupdSecurityAttr *self, const gchar *result)
+fwupd_security_attr_set_url (FwupdSecurityAttr *self, const gchar *url)
 {
 FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self);
 g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self));
- g_free (priv->result);
- priv->result = g_strdup (result);
+ g_free (priv->url);
+ priv->url = g_strdup (url);
 }
 
 /**
@@ -399,6 +449,42 @@ fwupd_security_attr_set_level (FwupdSecurityAttr *self, FwupdSecurityAttrLevel l
 priv->level = level;
 }
 
+/**
+ * fwupd_security_attr_set_result:
+ * @self: A #FwupdSecurityAttr
+ * @result: A #FwupdSecurityAttrResult, e.g. %FWUPD_SECURITY_ATTR_LEVEL_LOCKED
+ *
+ * Sets the optional HSI result. This is required because some attributes may
+ * be a "success" when something is `locked` or may be "failed" if `found`.
+ *
+ * Since: 1.5.0
+ **/
+void
+fwupd_security_attr_set_result (FwupdSecurityAttr *self, FwupdSecurityAttrResult result)
+{
+ FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self);
+ g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self));
+ priv->result = result;
+}
+
+/**
+ * fwupd_security_attr_get_result:
+ * @self: A #FwupdSecurityAttr
+ *
+ * Gets the optional HSI result.
+ *
+ * Returns: the #FwupdSecurityAttrResult, e.g %FWUPD_SECURITY_ATTR_LEVEL_LOCKED
+ *
+ * Since: 1.5.0
+ **/
+FwupdSecurityAttrResult
+fwupd_security_attr_get_result (FwupdSecurityAttr *self)
+{
+ FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self);
+ g_return_val_if_fail (FWUPD_IS_SECURITY_ATTR (self), 0);
+ return priv->result;
+}
+
 /**
 * fwupd_security_attr_to_variant:
 * @self: A #FwupdSecurityAttr
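Review bot: Both new doc comments in the `@@ -399,6` hunk give `%FWUPD_SECURITY_ATTR_LEVEL_LOCKED` as the example value, but the enum this commit adds in fwupd-security-attr.h defines `FWUPD_SECURITY_ATTR_RESULT_LOCKED`; the `@result:` line of `fwupd_security_attr_set_result()` and the `Returns:` line of `fwupd_security_attr_get_result()` should use `%FWUPD_SECURITY_ATTR_RESULT_LOCKED`. In the getter, the bare `0` in `g_return_val_if_fail (FWUPD_IS_SECURITY_ATTR (self), 0);` would read better as `FWUPD_SECURITY_ATTR_RESULT_UNKNOWN`, which is what the value means to callers.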
@@ -428,10 +514,10 @@ fwupd_security_attr_to_variant (FwupdSecurityAttr *self) FWUPD_RESULT_KEY_NAME, g_variant_new_string (priv->name)); } - if (priv->result != NULL) { + if (priv->url != NULL) { g_variant_builder_add (&builder, "{sv}", - FWUPD_RESULT_KEY_HSI_RESULT, - g_variant_new_string (priv->result)); + FWUPD_RESULT_KEY_URI, + g_variant_new_string (priv->url)); } if (priv->obsoletes->len > 0) { g_autofree const gchar **strv = g_new0 (const gchar *, priv->obsoletes->len + 1); @@ -451,6 +537,11 @@ fwupd_security_attr_to_variant (FwupdSecurityAttr *self) FWUPD_RESULT_KEY_HSI_LEVEL, g_variant_new_uint32 (priv->level)); } + if (priv->result > 0) { + g_variant_builder_add (&builder, "{sv}", + FWUPD_RESULT_KEY_HSI_RESULT, + g_variant_new_uint32 (priv->result)); + } return g_variant_new ("a{sv}", &builder); } @@ -465,8 +556,8 @@ fwupd_security_attr_from_key_value (FwupdSecurityAttr *self, const gchar *key, G fwupd_security_attr_set_name (self, g_variant_get_string (value, NULL)); return; } - if (g_strcmp0 (key, FWUPD_RESULT_KEY_HSI_RESULT) == 0) { - fwupd_security_attr_set_result (self, g_variant_get_string (value, NULL)); + if (g_strcmp0 (key, FWUPD_RESULT_KEY_URI) == 0) { + fwupd_security_attr_set_url (self, g_variant_get_string (value, NULL)); return; } if (g_strcmp0 (key, FWUPD_RESULT_KEY_FLAGS) == 0) { @@ -477,6 +568,10 @@ fwupd_security_attr_from_key_value (FwupdSecurityAttr *self, const gchar *key, G fwupd_security_attr_set_level (self, g_variant_get_uint32 (value)); return; } + if (g_strcmp0 (key, FWUPD_RESULT_KEY_HSI_RESULT) == 0) { + fwupd_security_attr_set_result (self, g_variant_get_uint32 (value)); + return; + } } static void 
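Review bot: In the `@@ -477,6` hunk the new branch of `fwupd_security_attr_from_key_value()` calls `g_variant_get_uint32 (value)` for `FWUPD_RESULT_KEY_HSI_RESULT` without checking the variant's type or the range of the number, while the same key changes from a string to a `u` in this commit. The variant is presumably supplied by the other end of the D-Bus connection, so a peer still sending the string form triggers a GLib critical, and a number at or above `FWUPD_SECURITY_ATTR_RESULT_LAST` is stored as-is and later rendered as `NULL` by `fwupd_security_attr_result_to_string()`. A guard such as `if (!g_variant_is_of_type (value, G_VARIANT_TYPE_UINT32)) return;` plus mapping out-of-range numbers to `FWUPD_SECURITY_ATTR_RESULT_UNKNOWN` would keep the attribute well-formed. In the `@@ -451,6` hunk, `if (priv->result > 0)` is clearer as `if (priv->result != FWUPD_SECURITY_ATTR_RESULT_UNKNOWN)`. Both functions start above their hunks, so a check made earlier in the body would not be visible here.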
@@ -559,9 +654,11 @@ fwupd_security_attr_to_json (FwupdSecurityAttr *self, JsonBuilder *builder) fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_APPSTREAM_ID, priv->appstream_id); fwupd_security_attr_json_add_int (builder, FWUPD_RESULT_KEY_HSI_LEVEL, priv->level); + fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_HSI_RESULT, + fwupd_security_attr_result_to_string (priv->result)); fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_NAME, priv->name); fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_PLUGIN, priv->plugin); - fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_HSI_RESULT, priv->result); + fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_URI, priv->url); if (priv->flags != FWUPD_SECURITY_ATTR_FLAG_NONE) { json_builder_set_member_name (builder, FWUPD_RESULT_KEY_FLAGS); json_builder_begin_array (builder); @@ -598,11 +695,13 @@ fwupd_security_attr_to_string (FwupdSecurityAttr *self) str = g_string_new (""); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_APPSTREAM_ID, priv->appstream_id); fwupd_pad_kv_int (str, FWUPD_RESULT_KEY_HSI_LEVEL, priv->level); + fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_HSI_RESULT, + fwupd_security_attr_result_to_string (priv->result)); if (priv->flags != FWUPD_SECURITY_ATTR_FLAG_NONE) fwupd_pad_kv_tfl (str, FWUPD_RESULT_KEY_FLAGS, priv->flags); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_NAME, priv->name); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_PLUGIN, priv->plugin); - fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_HSI_RESULT, priv->result); + fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_URI, priv->url); for (guint i = 0; i < priv->obsoletes->len; i++) { const gchar *appstream_id = g_ptr_array_index (priv->obsoletes, i); fwupd_pad_kv_str (str, "Obsolete", appstream_id); 
@@ -634,7 +733,7 @@ fwupd_security_attr_finalize (GObject *object)
 g_free (priv->appstream_id);
 g_free (priv->name);
 g_free (priv->plugin);
- g_free (priv->result);
+ g_free (priv->url);
 g_ptr_array_unref (priv->obsoletes);
 
 G_OBJECT_CLASS (fwupd_security_attr_parent_class)->finalize (object);
diff --git a/libfwupd/fwupd-security-attr.h b/libfwupd/fwupd-security-attr.h
index 4ced33435..44033ebed 100644
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@@ -71,6 +71,68 @@ typedef enum { FWUPD_SECURITY_ATTR_LEVEL_LAST = 6 /* perhaps increased in the future */ } FwupdSecurityAttrLevel; +/** + * FwupdSecurityAttrResult: + * @FWUPD_SECURITY_ATTR_RESULT_UNKNOWN: Not known + * @FWUPD_SECURITY_ATTR_RESULT_ENABLED: Enabled + * @FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED: Not enabled + * @FWUPD_SECURITY_ATTR_RESULT_VALID: Valid + * @FWUPD_SECURITY_ATTR_RESULT_NOT_VALID: Not valid + * @FWUPD_SECURITY_ATTR_RESULT_LOCKED: Locked + * @FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED: Not locked + * @FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED: Encrypted + * @FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED: Not encrypted + * @FWUPD_SECURITY_ATTR_RESULT_TAINTED: Tainted + * @FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED: Not tainted + * @FWUPD_SECURITY_ATTR_RESULT_FOUND: Found + * @FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND: NOt found + * @FWUPD_SECURITY_ATTR_RESULT_SUPPORTED: Supported + * @FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED: Not supported + * + * The HSI result. + **/ +typedef enum { + FWUPD_SECURITY_ATTR_RESULT_UNKNOWN, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_ENABLED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_VALID, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_VALID, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_LOCKED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_TAINTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_FOUND, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_SUPPORTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED, /* Since: 1.5.0 */ + /*< private >*/ + FWUPD_SECURITY_ATTR_RESULT_LAST +} FwupdSecurityAttrResult; + +#define 
FWUPD_SECURITY_ATTR_ID_ACPI_DMAR "org.fwupd.hsi.AcpiDmar" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM "org.fwupd.hsi.EncryptedRam" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION "org.fwupd.hsi.FwupdAttestation" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS "org.fwupd.hsi.FwupdPlugins" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES "org.fwupd.hsi.FwupdUpdates" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_INTEL_AMT "org.fwupd.hsi.IntelAmt" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_INTEL_CET "org.fwupd.hsi.IntelCet" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_IOMMU "org.fwupd.hsi.Iommu" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN "org.fwupd.hsi.KernelLockdown" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP "org.fwupd.hsi.KernelSwap" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED "org.fwupd.hsi.KernelTainted" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE "org.fwupd.hsi.MeiManufacturingMode" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE "org.fwupd.hsi.SpiBioswe" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_BLE "org.fwupd.hsi.SpiBle" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP "org.fwupd.hsi.SpiSmmBwp" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE "org.fwupd.hsi.SuspendToIdle" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM "org.fwupd.hsi.SuspendToRam" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0 "org.fwupd.hsi.TpmReconstructionPcr0" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20 "org.fwupd.hsi.TpmVersion20" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_UEFI_DBX "org.fwupd.hsi.UefiDbx" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT "org.fwupd.hsi.UefiSecureBoot" /* Since: 1.5.0 */ + FwupdSecurityAttr *fwupd_security_attr_new (const 
gchar *appstream_id); gchar *fwupd_security_attr_to_string (FwupdSecurityAttr *self); @@ -80,15 +142,18 @@ void fwupd_security_attr_set_appstream_id (FwupdSecurityAttr *self, FwupdSecurityAttrLevel fwupd_security_attr_get_level (FwupdSecurityAttr *self); void fwupd_security_attr_set_level (FwupdSecurityAttr *self, FwupdSecurityAttrLevel level); +FwupdSecurityAttrResult fwupd_security_attr_get_result (FwupdSecurityAttr *self); +void fwupd_security_attr_set_result (FwupdSecurityAttr *self, + FwupdSecurityAttrResult result); const gchar *fwupd_security_attr_get_name (FwupdSecurityAttr *self); void fwupd_security_attr_set_name (FwupdSecurityAttr *self, const gchar *name); const gchar *fwupd_security_attr_get_plugin (FwupdSecurityAttr *self); void fwupd_security_attr_set_plugin (FwupdSecurityAttr *self, const gchar *plugin); -const gchar *fwupd_security_attr_get_result (FwupdSecurityAttr *self); -void fwupd_security_attr_set_result (FwupdSecurityAttr *self, - const gchar *result); +const gchar *fwupd_security_attr_get_url (FwupdSecurityAttr *self); +void fwupd_security_attr_set_url (FwupdSecurityAttr *self, + const gchar *url); GPtrArray *fwupd_security_attr_get_obsoletes (FwupdSecurityAttr *self); void fwupd_security_attr_add_obsolete (FwupdSecurityAttr *self, const gchar *appstream_id); @@ -103,6 +168,7 @@ gboolean fwupd_security_attr_has_flag (FwupdSecurityAttr *self, FwupdSecurityAttrFlags flag); const gchar *fwupd_security_attr_flag_to_string (FwupdSecurityAttrFlags flag); const gchar *fwupd_security_attr_flag_to_suffix (FwupdSecurityAttrFlags flag); +const gchar *fwupd_security_attr_result_to_string (FwupdSecurityAttrResult result); FwupdSecurityAttr *fwupd_security_attr_from_variant (GVariant *value); GPtrArray *fwupd_security_attr_array_from_variant (GVariant *value); diff --git a/libfwupd/fwupd.map b/libfwupd/fwupd.map index 54dbe74b5..3a3bf6402 100644 --- a/libfwupd/fwupd.map +++ b/libfwupd/fwupd.map 
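Review bot: The members of the new `FwupdSecurityAttrResult` enum in the `@@ -71,6` hunk take implicit values, yet this commit also serialises them as a `u` under `FWUPD_RESULT_KEY_HSI_RESULT`, so inserting or reordering an entry later silently changes what an already transmitted number means. Writing the values out, as `FWUPD_SECURITY_ATTR_LEVEL_LAST = 6` does just above, pins them: `FWUPD_SECURITY_ATTR_RESULT_UNKNOWN = 0, /* Since: 1.5.0 */` and so on down the list. The doc line for `@FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND` has a typo, `NOt found`.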
@@ -465,15 +465,18 @@ LIBFWUPD_1.5.0 {
 fwupd_security_attr_get_plugin;
 fwupd_security_attr_get_result;
 fwupd_security_attr_get_type;
+ fwupd_security_attr_get_url;
 fwupd_security_attr_has_flag;
 fwupd_security_attr_has_obsolete;
 fwupd_security_attr_new;
+ fwupd_security_attr_result_to_string;
 fwupd_security_attr_set_appstream_id;
 fwupd_security_attr_set_flags;
 fwupd_security_attr_set_level;
 fwupd_security_attr_set_name;
 fwupd_security_attr_set_plugin;
 fwupd_security_attr_set_result;
+ fwupd_security_attr_set_url;
 fwupd_security_attr_to_json;
 fwupd_security_attr_to_string;
 fwupd_security_attr_to_variant;
diff --git a/libfwupdplugin/fu-security-attrs.c b/libfwupdplugin/fu-security-attrs.c
index 6ae739366..16b0da571 100644
--- a/libfwupdplugin/fu-security-attrs.c
+++ b/libfwupdplugin/fu-security-attrs.c
@@ -262,12 +262,25 @@ fu_security_attrs_depsolve (FuSecurityAttrs *self)
 for (guint j = 0; j < obsoletes->len; j++) {
 const gchar *obsolete = g_ptr_array_index (obsoletes, j);
 FwupdSecurityAttr *attr_tmp = g_hash_table_lookup (attrs_by_id, obsolete);
+
+ /* by AppStream ID */
 if (attr_tmp != NULL) {
 g_debug ("security attr %s obsoleted by %s", obsolete,
- fwupd_security_attr_get_appstream_id (attr));
+ fwupd_security_attr_get_appstream_id (attr_tmp));
 fwupd_security_attr_add_flag (attr_tmp,
 FWUPD_SECURITY_ATTR_FLAG_OBSOLETED);
 }
+
+ /* by plugin name */
+ for (guint k = 0; k < self->attrs->len; k++) {
+ attr_tmp = g_ptr_array_index (self->attrs, k);
+ if (g_strcmp0 (obsolete, fwupd_security_attr_get_plugin (attr_tmp)) == 0) {
+ g_debug ("security attr %s obsoleted by %s", obsolete,
+ fwupd_security_attr_get_appstream_id (attr_tmp));
+ fwupd_security_attr_add_flag (attr_tmp,
+ FWUPD_SECURITY_ATTR_FLAG_OBSOLETED);
+ }
+ }
 }
 }
 
diff --git a/libfwupdplugin/fu-self-test.c b/libfwupdplugin/fu-self-test.c
index 0406ce112..f820a6f01 100644
--- a/libfwupdplugin/fu-self-test.c
+++ b/libfwupdplugin/fu-self-test.c
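Review bot: In `fu_security_attrs_depsolve()` both `g_debug()` calls now pass `fwupd_security_attr_get_appstream_id (attr_tmp)` as the "obsoleted by" argument, but `attr_tmp` is the attribute being obsoleted, so the log no longer names the attribute that caused it; the removed line used `attr`, which was right. In the plugin-name loop the first `%s` is a plugin name rather than an attribute, so I would log `fwupd_security_attr_get_appstream_id (attr_tmp)` first and `fwupd_security_attr_get_appstream_id (attr)` second. That loop also has no `if (attr_tmp == attr) continue;` guard, so an attribute that lists its own plugin name flags itself `FWUPD_SECURITY_ATTR_FLAG_OBSOLETED`. Since an obsoleted attribute no longer contributes to the HSI value, a comment stating that a plugin-name match hides every attribute from that plugin would help reviewers of future plugins. The function starts above this hunk; `attr` is assumed to be the outer loop's attribute, as in the removed line.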
@@ -1762,9 +1762,9 @@ fu_security_attrs_hsi_func (void)
 g_assert_cmpstr (hsi1, ==, "HSI:0");
 
 /* just success from HSI:1 */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.BIOSWE");
+ attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE);
 fwupd_security_attr_set_plugin (attr, "test");
- fwupd_security_attr_set_level (attr, 1);
+ fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
 fu_security_attrs_append (attrs, attr);
 hsi2 = fu_security_attrs_calculate_hsi (attrs);
@@ -1772,20 +1772,20 @@ fu_security_attrs_hsi_func (void)
 g_clear_object (&attr);
 
 /* add failed from HSI:2, so still HSI:1 */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.PRX");
+ attr = fwupd_security_attr_new ("org.fwupd.hsi.PRX");
 fwupd_security_attr_set_plugin (attr, "test");
- fwupd_security_attr_set_level (attr, 2);
+ fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT);
 fu_security_attrs_append (attrs, attr);
 hsi3 = fu_security_attrs_calculate_hsi (attrs);
 g_assert_cmpstr (hsi3, ==, "HSI:1");
 g_clear_object (&attr);
 
 /* add attr from HSI:3, obsoleting the failure */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.BIOSGuard");
+ attr = fwupd_security_attr_new ("org.fwupd.hsi.BIOSGuard");
 fwupd_security_attr_set_plugin (attr, "test");
- fwupd_security_attr_set_level (attr, 3);
+ fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL);
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
- fwupd_security_attr_add_obsolete (attr, "org.fwupd.Hsi.PRX");
+ fwupd_security_attr_add_obsolete (attr, "org.fwupd.hsi.PRX");
 fu_security_attrs_append (attrs, attr);
 fu_security_attrs_depsolve (attrs);
 hsi4 = fu_security_attrs_calculate_hsi (attrs);
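Review bot: The `@@ -1772,20` hunk still exercises only obsoletion by AppStream ID, via `fwupd_security_attr_add_obsolete (attr, "org.fwupd.hsi.PRX")`; nothing here covers the plugin-name match this commit adds to `fu_security_attrs_depsolve()`, nor the new result enum. Every attribute in the test uses the plugin name `"test"`, so a case that gives one attribute a distinct plugin name, obsoletes by that name, and asserts which attributes carry `FWUPD_SECURITY_ATTR_FLAG_OBSOLETED` would pin the new behaviour. The test function begins and ends outside these hunks.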
@@ -1793,7 +1793,7 @@ fu_security_attrs_hsi_func (void)
 g_clear_object (&attr);
 
 /* add taint that was fine */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.PluginsTainted");
+ attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS);
 fwupd_security_attr_set_plugin (attr, "test");
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
@@ -1803,7 +1803,7 @@ fu_security_attrs_hsi_func (void)
 g_clear_object (&attr);
 
 /* add updates and attestation */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.LVFS");
+ attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES);
 fwupd_security_attr_set_plugin (attr, "test");
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES);
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ATTESTATION);
@@ -1814,7 +1814,7 @@ fu_security_attrs_hsi_func (void)
 g_clear_object (&attr);
 
 /* add issue that was uncool */
- attr = fwupd_security_attr_new ("org.fwupd.Hsi.Swap");
+ attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP);
 fwupd_security_attr_set_plugin (attr, "test");
 fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE);
 fu_security_attrs_append (attrs, attr);
diff --git a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
index 255c9a843..4f637cd70 100644
--- a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
+++ b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c
@@ -31,10 +31,9 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.ACPI.Dmar"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_ACPI_DMAR); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Pre-boot kernel DMA protection"); fu_security_attrs_append (attrs, attr); /* load DMAR table */ @@ -43,20 +42,21 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) blob = fu_common_get_contents_bytes (fn, &error_local); if (blob == NULL) { g_warning ("failed to load %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not load DMAR"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dmar = fu_acpi_dmar_new (blob, &error_local); if (dmar == NULL) { g_warning ("failed to parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse DMAR"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (!fu_acpi_dmar_get_opt_in (dmar)) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/acpi-facp/fu-plugin-acpi-facp.c b/plugins/acpi-facp/fu-plugin-acpi-facp.c index 09927db56..e0fef9189 100644 --- a/plugins/acpi-facp/fu-plugin-acpi-facp.c +++ b/plugins/acpi-facp/fu-plugin-acpi-facp.c 
@@ -27,10 +27,9 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.ACPI.Facp"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Suspend To Idle"); fu_security_attrs_append (attrs, attr); /* load FACP table */ @@ -39,20 +38,21 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) blob = fu_common_get_contents_bytes (fn, &error_local); if (blob == NULL) { g_warning ("failed to load %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not load FACP"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } facp = fu_acpi_facp_new (blob, &error_local); if (facp == NULL) { g_warning ("failed to parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse FACP"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (!fu_acpi_facp_get_s2i (facp)) { - fwupd_security_attr_set_result (attr, "Default set as suspend-to-ram (S3)"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/amt/fu-plugin-amt.c b/plugins/amt/fu-plugin-amt.c index 74b8a47b8..ed568f2a2 100644 --- a/plugins/amt/fu-plugin-amt.c +++ b/plugins/amt/fu-plugin-amt.c 
@@ -579,15 +579,16 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.AMT"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_AMT); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); - fwupd_security_attr_set_name (attr, "Intel AMT"); fu_security_attrs_append (attrs, attr); if (data->provisioned) { - fwupd_security_attr_set_result (attr, "Provisioned"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } + /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/cpu/fu-plugin-cpu.c b/plugins/cpu/fu-plugin-cpu.c index 453a6b835..b293b9e60 100644 --- a/plugins/cpu/fu-plugin-cpu.c +++ b/plugins/cpu/fu-plugin-cpu.c @@ -59,21 +59,20 @@ fu_plugin_add_security_attrs_intel_cet (FuPlugin *plugin, FuSecurityAttrs *attrs g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.CET"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_CET); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Intel control enforcement technology (CET)"); fu_security_attrs_append (attrs, attr); /* check for CET */ if (!data->has_cet) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
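Review bot: The success path of `fu_plugin_add_security_attrs_intel_cet()` now reports `FWUPD_SECURITY_ATTR_RESULT_ENABLED`, but the only input visible in the hunk is `data->has_cet` and the string it replaces was `"Available"`, so the result may claim more than was measured. If `has_cet` reflects CPU capability only, `FWUPD_SECURITY_ATTR_RESULT_SUPPORTED` pairs with the `FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED` used on the failure branch and avoids telling the user a mitigation is active when it is merely present. The same applies to `data->has_tme` in the `@@ -83,21` hunk of this file. How `has_cet` and `has_tme` are filled in is outside these hunks, so confirm against that code before changing the value.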
@@ -83,21 +82,20 @@ fu_plugin_add_security_attrs_intel_tme (FuPlugin *plugin, FuSecurityAttrs *attrs g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.TME"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); - fwupd_security_attr_set_name (attr, "Intel total memory encryption (TME)"); fu_security_attrs_append (attrs, attr); /* check for TME */ if (!data->has_tme) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } void diff --git a/plugins/iommu/fu-plugin-iommu.c b/plugins/iommu/fu-plugin-iommu.c index 3d1a6921e..bfbaf4aa9 100644 --- a/plugins/iommu/fu-plugin-iommu.c +++ b/plugins/iommu/fu-plugin-iommu.c @@ -41,17 +41,17 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.IOMMU"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_IOMMU); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); - fwupd_security_attr_set_name (attr, "IOMMU"); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fu_security_attrs_append (attrs, attr); if (!data->has_iommu) { - fwupd_security_attr_set_result (attr, "Not found"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } 
diff --git a/plugins/linux-lockdown/fu-plugin-linux-lockdown.c b/plugins/linux-lockdown/fu-plugin-linux-lockdown.c index 8c2e21e47..ccfdefe40 100644 --- a/plugins/linux-lockdown/fu-plugin-linux-lockdown.c +++ b/plugins/linux-lockdown/fu-plugin-linux-lockdown.c @@ -70,9 +70,8 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckLockdown"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_name (attr, "Linux Kernel Lockdown"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append (attrs, attr); @@ -80,16 +79,16 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Not supported"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strstr_len (buf, bufsz, "[integrity]") == NULL && g_strstr_len (buf, bufsz, "[confidentiality]") == NULL) { - fwupd_security_attr_set_result (attr, "Not locked down"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Locked down"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } diff --git a/plugins/linux-sleep/fu-plugin-linux-sleep.c b/plugins/linux-sleep/fu-plugin-linux-sleep.c index f54ed2be5..09cbd485b 100644 --- a/plugins/linux-sleep/fu-plugin-linux-sleep.c +++ b/plugins/linux-sleep/fu-plugin-linux-sleep.c 
@@ -25,24 +25,24 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GFile) file = g_file_new_for_path ("/sys/power/mem_sleep"); /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckS3Sleep"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Linux Kernel S3 Sleep"); fu_security_attrs_append (attrs, attr); /* load file */ if (!g_file_load_contents (file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Deep sleep status unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strstr_len (buf, bufsz, "[deep]") != NULL) { - fwupd_security_attr_set_result (attr, "System configured to suspend-to-ram (S3)"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } diff --git a/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c b/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c index 2f0dec11d..479c0cd73 100644 --- a/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c +++ b/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c 
@@ -28,28 +28,33 @@ fu_plugin_add_security_attr_bioswe (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.BIOSWE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "bioswe", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "0\n") != 0) { - fwupd_security_attr_set_result (attr, "Write enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Write disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
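Review bot: The result values in `fu_plugin_add_security_attr_bioswe` look inverted: the branch taken when `bioswe` is not `0\n` (previously "Write enabled") now sets `FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED`, and the success path (previously "Write disabled") sets `FWUPD_SECURITY_ATTR_RESULT_ENABLED`. The pci-bcr plugin reports the same `FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE` attribute the other way round, so a client would read opposite states for the same hardware condition depending on which plugin ran. I would use `fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);` in the failure branch and `FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED` after `/* success */`. The following hunk for `fu_plugin_add_security_attr_ble` has the mirror-image problem ("Lock disabled" became `ENABLED`, "Lock enabled" became `NOT_ENABLED`) and needs the opposite swap. Both functions start outside their hunks.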
@@ -62,27 +67,32 @@ fu_plugin_add_security_attr_ble (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.BLE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BLE); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "ble", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "1\n") != 0) { - fwupd_security_attr_set_result (attr, "Lock disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Lock enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } static void 
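Review bot: `fu_plugin_add_security_attr_ble` never calls `fwupd_security_attr_set_plugin`, unlike the bioswe variant just above, and the smm_bwp hunk that follows has the same gap. The obsoletes added in this commit (`"pci_bcr"` here, `"linux_spi_lpc"` in the pci-bcr plugin) look like plugin names, so if the depsolve step matches on the plugin field these two attributes would never be obsoleted and the same check could be reported twice; that matching code is not visible here, so please confirm. I would add `fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));` right after `fwupd_security_attr_new` in both functions. The declarations at the top of each function are outside the hunks.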
@@ -95,27 +105,32 @@ fu_plugin_add_security_attr_smm_bwp (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.SMM_BWP"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "BIOS region of SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "smm_bwp", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "1\n") != 0) { - fwupd_security_attr_set_result (attr, "Writable by OS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Writable only through BIOS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } void 
@@ -125,17 +140,6 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!fu_common_is_cpu_intel ()) return; - /* maybe the kernel module does not exist */ - if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { - g_autoptr(FwupdSecurityAttr) attr = NULL; - attr = fwupd_security_attr_new ("org.fwupd.plugin.linux-spi-lpc"); - fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_set_result (attr, "Kernel support not present"); - fu_security_attrs_append (attrs, attr); - return; - } - /* look for the three files in sysfs */ fu_plugin_add_security_attr_bioswe (plugin, attrs); fu_plugin_add_security_attr_ble (plugin, attrs); diff --git a/plugins/linux-swap/fu-plugin-linux-swap.c b/plugins/linux-swap/fu-plugin-linux-swap.c index c54d293d1..a92d86de2 100644 --- a/plugins/linux-swap/fu-plugin-linux-swap.c +++ b/plugins/linux-swap/fu-plugin-linux-swap.c 
@@ -72,40 +72,40 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.Swap"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); - fwupd_security_attr_set_name (attr, "Linux Swap"); fu_security_attrs_append (attrs, attr); /* load list of swaps */ if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } swap = fu_linux_swap_new (buf, bufsz, &error_local); if (swap == NULL) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } /* none configured */ if (!fu_linux_swap_get_enabled (swap)) { fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* add security attribute */ if (!fu_linux_swap_get_encrypted (swap)) { - fwupd_security_attr_set_result (attr, "Not encrypted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Encrypted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED); } 
diff --git a/plugins/linux-tainted/fu-plugin-linux-tainted.c b/plugins/linux-tainted/fu-plugin-linux-tainted.c index c1317256f..86c69655e 100644 --- a/plugins/linux-tainted/fu-plugin-linux-tainted.c +++ b/plugins/linux-tainted/fu-plugin-linux-tainted.c @@ -70,9 +70,8 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckTainted"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_name (attr, "Linux Kernel Taint"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append (attrs, attr); @@ -80,14 +79,15 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "0\n") != 0) { - fwupd_security_attr_set_result (attr, "Tainted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_TAINTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED); } diff --git a/plugins/pci-bcr/fu-plugin-pci-bcr.c b/plugins/pci-bcr/fu-plugin-pci-bcr.c index 41433548f..fa2f8e50a 100644 --- a/plugins/pci-bcr/fu-plugin-pci-bcr.c +++ b/plugins/pci-bcr/fu-plugin-pci-bcr.c 
@@ -34,23 +34,27 @@ fu_plugin_add_security_attr_bioswe (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.BIOSWE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.BIOSWE"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_WPD) == 1) { - fwupd_security_attr_set_result (attr, "Write enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Write disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } static void 
@@ -60,23 +64,27 @@ fu_plugin_add_security_attr_ble (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.BLE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BLE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.BLE"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_BLE) == 0) { - fwupd_security_attr_set_result (attr, "Lock disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Lock enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
@@ -86,23 +94,27 @@ fu_plugin_add_security_attr_smm_bwp (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.SMM_BWP"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "BIOS region of SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.SMM_BWP"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_SMM_BWP) == 0) { - fwupd_security_attr_set_result (attr, "Writable by OS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Writable only through BIOS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } gboolean @@ -125,7 +137,7 @@ fu_plugin_udev_device_added (FuPlugin *plugin, FuUdevDevice *device, GError **er /* grab BIOS Control Register */ if (!fu_udev_device_pread (device, BCR, &priv->bcr, error)) { - g_prefix_error (error, "could not read MEI"); + g_prefix_error (error, "could not read BCR"); return FALSE; } priv->has_device = TRUE; 
@@ -135,24 +147,10 @@ fu_plugin_udev_device_added (FuPlugin *plugin, FuUdevDevice *device, GError **er void fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) { - FuPluginData *priv = fu_plugin_get_data (plugin); - /* only Intel */ if (!fu_common_is_cpu_intel ()) return; - /* only Intel */ - if (!priv->has_device) { - g_autoptr(FwupdSecurityAttr) attr = NULL; - attr = fwupd_security_attr_new ("org.fwupd.plugin.pci-bcr"); - fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_set_result (attr, "No PCI devices with BCR"); - fu_security_attrs_append (attrs, attr); - return; - } - /* add attrs */ fu_plugin_add_security_attr_bioswe (plugin, attrs); fu_plugin_add_security_attr_ble (plugin, attrs); diff --git a/plugins/pci-mei/fu-plugin-pci-mei.c b/plugins/pci-mei/fu-plugin-pci-mei.c index c7443b78e..9d4735850 100644 --- a/plugins/pci-mei/fu-plugin-pci-mei.c +++ b/plugins/pci-mei/fu-plugin-pci-mei.c @@ -64,18 +64,18 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.MEI"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "MEI"); fu_security_attrs_append (attrs, attr); /* load file */ if ((priv->mei_cfg & (1 << 4)) != 0) { - fwupd_security_attr_set_result (attr, "Manufacturing Mode"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } 
diff --git a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c index 4e7ff0803..a4ae71f8f 100644 --- a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c +++ b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c @@ -132,23 +132,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.trustedcomputinggroup.TpmEventLog"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); - fwupd_security_attr_set_name (attr, "TPM Reconstruction"); fu_security_attrs_append (attrs, attr); /* check reconstructed to PCR0 */ if (!fu_plugin_get_enabled (plugin)) { - fwupd_security_attr_set_result (attr, "No binary bios measurements available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } if (!data->reconstructed) { - fwupd_security_attr_set_result (attr, "Did not match PCR0 reading"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Matched PCR0 reading"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_VALID); } diff --git a/plugins/tpm/fu-plugin-tpm.c b/plugins/tpm/fu-plugin-tpm.c index 18b0d263e..83e9534d8 100644 --- a/plugins/tpm/fu-plugin-tpm.c +++ b/plugins/tpm/fu-plugin-tpm.c 
@@ -41,23 +41,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.trustedcomputinggroup.Tpm"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "TPM"); fu_security_attrs_append (attrs, attr); /* check exists, and in v2.0 mode */ if (!data->has_tpm) { - fwupd_security_attr_set_result (attr, "Not found"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } if (!data->has_tpm_v20) { - fwupd_security_attr_set_result (attr, "Not in v2.0 mode"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "v2.0"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND); } diff --git a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c index 84dafd5ef..4aed0eb48 100644 --- a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c +++ b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c 
@@ -56,27 +56,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.SecureBoot.dbx"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_DBX); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "UEFI dbx"); fu_security_attrs_append (attrs, attr); /* no binary blob */ if (!fu_plugin_get_enabled (plugin)) { - g_autofree gchar *dbxdir = NULL; - g_autofree gchar *result = NULL; - dbxdir = fu_common_get_path (FU_PATH_KIND_EFIDBXDIR); - result = g_strdup_printf ("DBX can be downloaded from %s and decompressed into %s", - FU_UEFI_DBX_DATA_URL, dbxdir); - fwupd_security_attr_set_result (attr, result); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + fwupd_security_attr_set_url (attr, "https://github.com/fwupd/fwupd/wiki/Missingdbx"); return; } /* get update dbx */ if (!g_file_get_contents (data->fn, (gchar **) &buf_update, &bufsz, &error_local)) { g_warning ("failed to load %s: %s", data->fn, error_local->message); - fwupd_security_attr_set_result (attr, "Failed to load update DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dbx_update = fu_uefi_dbx_file_new (buf_update, bufsz, @@ -84,7 +79,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) &error_local); if (dbx_update == NULL) { g_warning ("failed to parse %s: %s", data->fn, error_local->message); - fwupd_security_attr_set_result (attr, "Failed to parse update DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } 
@@ -92,7 +87,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!fu_efivar_get_data ("d719b2cb-3d3a-4596-a3bc-dad00e67656f", "dbx", &buf_system, &bufsz, NULL, &error_local)) { g_warning ("failed to load EFI dbx: %s", error_local->message); - fwupd_security_attr_set_result (attr, "Failed to load EFI DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dbx_system = fu_uefi_dbx_file_new (buf_system, bufsz, @@ -100,7 +95,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) &error_local); if (dbx_system == NULL) { g_warning ("failed to parse EFI dbx: %s", error_local->message); - fwupd_security_attr_set_result (attr, "Failed to parse EFI DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } @@ -116,11 +111,11 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) /* add security attribute */ if (missing_cnt > 0) { - g_autofree gchar *summary = g_strdup_printf ("%u hashes missing", missing_cnt); - fwupd_security_attr_set_result (attr, summary); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND); } diff --git a/plugins/uefi-dbx/fu-uefi-dbx-common.h b/plugins/uefi-dbx/fu-uefi-dbx-common.h index 7b02181c9..fd4243217 100644 --- a/plugins/uefi-dbx/fu-uefi-dbx-common.h +++ b/plugins/uefi-dbx/fu-uefi-dbx-common.h @@ -8,6 +8,4 @@ #include -#define FU_UEFI_DBX_DATA_URL "https://uefi.org/revocationlistfile" - gchar *fu_uefi_dbx_get_dbxupdate (GError **error); diff --git a/plugins/uefi/fu-plugin-uefi.c b/plugins/uefi/fu-plugin-uefi.c index a80ed250e..f953e0c98 100644 --- a/plugins/uefi/fu-plugin-uefi.c +++ b/plugins/uefi/fu-plugin-uefi.c 
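Review bot: In the last uefi-dbx hunk on this line (`if (missing_cnt > 0)`), an out-of-date revocation list is now reported as `FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND`, the same value the first hunk of this file uses when the plugin is disabled because no dbx update blob is installed. Apart from the URL set in that earlier branch, a consumer can no longer tell "could not check" from "checked, and revoked hashes are absent from the system dbx", and the count of missing hashes is dropped entirely. I would at least keep the number in the log with `g_debug ("%u hashes missing from system dbx", missing_cnt);` before setting the result, and consider a distinct result value for this branch. The function body starts outside the hunk.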
@@ -97,21 +97,20 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.uefi.SecureBoot"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "UEFI Secure Boot"); fu_security_attrs_append (attrs, attr); /* SB disabled */ if (!fu_efivar_secure_boot_enabled ()) { - fwupd_security_attr_set_result (attr, "Disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static GBytes * diff --git a/po/POTFILES.in b/po/POTFILES.in index ff7003b3f..95ac721db 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -12,6 +12,7 @@ src/fu-main.c src/fu-offline.c src/fu-progressbar.c src/fu-remote-list.c +src/fu-security-attr.c src/fu-tool.c src/fu-util.c src/fu-util-common.c diff --git a/src/fu-engine.c b/src/fu-engine.c index 23e2927e3..c3b1c9a78 100644 --- a/src/fu-engine.c +++ b/src/fu-engine.c @@ -49,6 +49,7 @@ #include "fu-plugin-private.h" #include "fu-quirks.h" #include "fu-remote-list.h" +#include "fu-security-attr.h" #include "fu-security-attrs-private.h" #include "fu-smbios-private.h" #include "fu-udev-device-private.h" 
@@ -3585,16 +3586,6 @@ fu_engine_get_devices_by_guid (FuEngine *self, const gchar *guid, GError **error return g_steal_pointer (&devices); } -static const gchar * -fu_engine_get_security_attr_result_string (FwupdSecurityAttr *attr) -{ - if (fwupd_security_attr_get_result (attr) != NULL) - return fwupd_security_attr_get_result (attr); - if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) - return "True"; - return "False"; -} - static void fu_engine_get_history_set_hsi_attrs (FuEngine *self, FuDevice *device) { @@ -3607,9 +3598,9 @@ fu_engine_get_history_set_hsi_attrs (FuEngine *self, FuDevice *device) vals = fu_security_attrs_get_all (attrs); for (guint i = 0; i < vals->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index (vals, i); - fu_device_set_metadata (device, - fwupd_security_attr_get_appstream_id (attr), - fu_engine_get_security_attr_result_string (attr)); + const gchar *tmp; + tmp = fwupd_security_attr_result_to_string (fwupd_security_attr_get_result (attr)); + fu_device_set_metadata (device, fwupd_security_attr_get_appstream_id (attr), tmp); } /* computed value */ @@ -5081,10 +5072,10 @@ fu_engine_add_security_attrs_tainted (FuEngine *self, FuSecurityAttrs *attrs) { gboolean disabled_plugins = FALSE; GPtrArray *blacklist = fu_config_get_blacklist_plugins (self->config); - g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new ("org.fwupd.Hsi.Plugins"); + g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS); fwupd_security_attr_set_plugin (attr, "core"); - fwupd_security_attr_set_name (attr, "fwupd plugins"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); + fu_security_attrs_append (attrs, attr); for (guint i = 0; i < blacklist->len; i++) { const gchar *name_tmp = g_ptr_array_index (blacklist, i); if (g_strcmp0 (name_tmp, "test") != 0 && 
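Review bot: In the `fu_engine_get_history_set_hsi_attrs` hunk, `tmp` can be `NULL`, because `fwupd_security_attr_result_to_string` returns `NULL` for any value it does not list, which would include an attribute whose plugin never set a result. The removed helper always produced a non-NULL string (falling back to "True" or "False"), so `fu_device_set_metadata` was never handed a NULL value on this path before; whether it tolerates one is not visible here. I would guard the call, e.g. `if (tmp == NULL) continue;`, or substitute a fixed placeholder string so the attribute still appears in the stored history. The loop sits in a function that starts and ends outside the hunk.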
@@ -5094,13 +5085,17 @@ fu_engine_add_security_attrs_tainted (FuEngine *self, FuSecurityAttrs *attrs) } } if (self->tainted) { - fwupd_security_attr_set_result (attr, "Tainted"); - } else if (self->plugin_filter->len > 0 || disabled_plugins) { - fwupd_security_attr_set_result (attr, "Disabled plugins"); - } else { - fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_TAINTED); + return; } - fu_security_attrs_append (attrs, attr); + if (self->plugin_filter->len > 0 || disabled_plugins) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); + return; + } + + /* success */ + fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED); } static void @@ -5115,10 +5110,9 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) g_autoptr(GPtrArray) releases = NULL; /* find out if there is firmware less than 12 months old */ - attr_u = fwupd_security_attr_new ("org.fwupd.Hsi.Updates"); + attr_u = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES); fwupd_security_attr_set_plugin (attr_u, "core"); fwupd_security_attr_add_flag (attr_u, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES); - fwupd_security_attr_set_name (attr_u, "Firmware Updates"); fu_security_attrs_append (attrs, attr_u); /* get device */ 
@@ -5127,32 +5121,32 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) "230c8b18-8d9b-53ec-838b-6cfc0383493a", NULL); if (device == NULL) { - fwupd_security_attr_set_result (attr_u, "No system device"); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); } else { releases = fu_engine_get_releases_for_device (self, device, NULL); if (releases == NULL) { - fwupd_security_attr_set_result (attr_u, "No releases"); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); } else { /* check the age */ - g_autofree gchar *str = NULL; for (guint i = 0; i < releases->len; i++) { FwupdRelease *rel_tmp = g_ptr_array_index (releases, i); if (rel_newest == NULL || fwupd_release_get_created (rel_tmp) > fwupd_release_get_created (rel_newest)) rel_newest = rel_tmp; } - str = g_strdup_printf ("Newest release is %" G_GUINT64_FORMAT " months old", - (now - fwupd_release_get_created (rel_newest)) / (60 * 60 * 24 * 30)); - fwupd_security_attr_set_result (attr_u, str); - if (now - fwupd_release_get_created (rel_newest) < 60 * 60 * 24 * 30 * 12) + g_debug ("newest release is %" G_GUINT64_FORMAT " months old", + (now - fwupd_release_get_created (rel_newest)) / (60 * 60 * 24 * 30)); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); + if (now - fwupd_release_get_created (rel_newest) < 60 * 60 * 24 * 30 * 12) { fwupd_security_attr_add_flag (attr_u, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); + } } } /* do we have attestation checksums */ - attr_a = fwupd_security_attr_new ("org.fwupd.Hsi.Attestation"); + attr_a = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION); fwupd_security_attr_set_plugin (attr_a, "core"); - fwupd_security_attr_set_name (attr_a, "Firmware Attestation"); fwupd_security_attr_add_flag (attr_a, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ATTESTATION); fu_security_attrs_append 
(attrs, attr_a); if (releases != NULL) { @@ -5167,9 +5161,10 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) } } if (rel_current == NULL) { - fwupd_security_attr_set_result (attr_a, "No PCR0s"); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); } else if (fwupd_release_get_checksums(rel_current)->len > 0) { fwupd_security_attr_add_flag (attr_a, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); } } @@ -5178,6 +5173,7 @@ fu_engine_get_host_security_attrs (FuEngine *self) { GPtrArray *plugins = fu_plugin_list_get_all (self->plugin_list); g_autoptr(FuSecurityAttrs) attrs = fu_security_attrs_new (); + g_autoptr(GPtrArray) items = NULL; /* built in */ fu_engine_add_security_attrs_tainted (self, attrs); @@ -5189,8 +5185,24 @@ fu_engine_get_host_security_attrs (FuEngine *self) fu_plugin_runner_add_security_attrs (plugin_tmp, attrs); } + /* set the fallback names for clients without native translations */ + items = fu_security_attrs_get_all (attrs); + for (guint i = 0; i < items->len; i++) { + FwupdSecurityAttr *attr = g_ptr_array_index (items, i); + if (fwupd_security_attr_get_name (attr) == NULL) { + const gchar *name_tmp = fu_security_attr_get_name (attr); + if (name_tmp == NULL) { + g_warning ("failed to get fallback for %s", + fwupd_security_attr_get_appstream_id (attr)); + continue; + } + fwupd_security_attr_set_name (attr, name_tmp); + } + } + /* set the obsoletes flag for each attr */ fu_security_attrs_depsolve (attrs); + return g_steal_pointer (&attrs); } diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c new file mode 100644 index 000000000..61dd52be0 --- /dev/null +++ b/src/fu-security-attr.c 
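Review bot: In `fu_engine_add_security_attrs_supported`, the line added inside the 12-month check calls `fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED);`, but `attr_a` is only created further down in the same hunk by `fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION)`. Its declaration is outside the hunk, but at this point it is presumably still NULL, so the call is at best rejected by a precondition check and at worst dereferences a null pointer. `attr_u` already gets `SUPPORTED` on the line before the `if`, so I would simply delete the `attr_a` line. Note too that `attr_u` now reports `SUPPORTED` even when the newest release is older than 12 months, with only the missing success flag marking the firmware as stale.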
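Review bot: In the attestation hunk (`if (rel_current == NULL)`), a current release with an empty checksum list falls through both branches, so `attr_a` is appended without any explicit result and without the success flag. That leaves clients to guess why attestation failed. I would close the chain with `else { fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); }`. The surrounding function starts outside the hunk.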
@@ -0,0 +1,174 @@ +/* + * Copyright (C) 2020 Richard Hughes + * + * SPDX-License-Identifier: LGPL-2.1+ + */ + +#include +#include + +#include "fu-security-attr.h" + +const gchar * +fu_security_attr_get_name (FwupdSecurityAttr *attr) +{ + const gchar *appstream_id = fwupd_security_attr_get_appstream_id (attr); + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE) == 0) { + /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */ + return _("SPI write"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BLE) == 0) { + /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */ + return _("SPI lock"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP) == 0) { + /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */ + return _("SPI BIOS region"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ACPI_DMAR) == 0) { + /* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack */ + return _("Pre-boot DMA protection"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_AMT) == 0) { + /* TRANSLATORS: Title: AMT = Active Management Technology */ + return _("Intel AMT"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_CET) == 0) { + /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */ + return _("Intel CET"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) { + /* TRANSLATORS: Title: Memory contents are encrypted, e.g. 
Intel TME */ + return _("Encrypted RAM"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_IOMMU) == 0) { + /* TRANSLATORS: Title: https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit */ + return _("IOMMU"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN) == 0) { + /* TRANSLATORS: Title: lockdown is a security mode of the kernel */ + return _("Linux kernel lockdown"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED) == 0) { + /* TRANSLATORS: Title: if it's tainted or not */ + return _("Linux kernel"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP) == 0) { + /* TRANSLATORS: Title: swap space or swap partition */ + return _("Linux swap"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM) == 0) { + /* TRANSLATORS: Title: sleep state */ + return _("Suspend-to-ram"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE) == 0) { + /* TRANSLATORS: Title: a better sleep state */ + return _("Suspend-to-idle"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_DBX) == 0) { + /* TRANSLATORS: Title: dbx is the database with revoked hashes */ + return _("UEFI dbx"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0) { + /* TRANSLATORS: Title: SB is a way of locking down UEFI */ + return _("UEFI secure boot"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0) == 0) { + /* TRANSLATORS: Title: the PCR is rebuilt from the TPM event log */ + return _("TPM PCR0 reconstruction"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20) == 0) { + /* TRANSLATORS: Title: TPM = Trusted Platform Module */ + return _("TPM v2.0"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE) == 0) { + /* TRANSLATORS: Title: MEI = Intel Management Engine */ + return _("MEI manufacturing mode"); + } + if (g_strcmp0 (appstream_id, 
FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES) == 0) { + /* TRANSLATORS: Title: if firmware updates are available */ + return _("Firmware updates"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION) == 0) { + /* TRANSLATORS: Title: if we can verify the firmware checksums */ + return _("Firmware attestation"); + } + if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS) == 0) { + /* TRANSLATORS: Title: if the fwupd plugins are all present and correct */ + return _("fwupd plugins"); + } + + /* we should not get here */ + return fwupd_security_attr_get_name (attr); +} + +const gchar * +fu_security_attr_get_result (FwupdSecurityAttr *attr) +{ + FwupdSecurityAttrResult result = fwupd_security_attr_get_result (attr); + if (result == FWUPD_SECURITY_ATTR_RESULT_VALID) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Valid"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_VALID) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Not Valid"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_ENABLED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Enabled"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Disabled"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_LOCKED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Locked"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Unlocked"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Encrypted"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Unencrypted"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_TAINTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Tainted"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED) { + /* TRANSLATORS: Suffix: the HSI result */ 
+ return _("Untainted"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_FOUND) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Found"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Not found"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_SUPPORTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Supported"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Not supported"); + } + + /* fallback */ + if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("OK"); + } + + /* TRANSLATORS: Suffix: the fallback HSI result */ + return _("Failed"); +} diff --git a/src/fu-security-attr.h b/src/fu-security-attr.h new file mode 100644 index 000000000..d81e33ce9 --- /dev/null +++ b/src/fu-security-attr.h @@ -0,0 +1,12 @@ +/* + * Copyright (C) 2020 Richard Hughes + * + * SPDX-License-Identifier: LGPL-2.1+ + */ + +#pragma once + +#include + +const gchar *fu_security_attr_get_name (FwupdSecurityAttr *attr); +const gchar *fu_security_attr_get_result (FwupdSecurityAttr *attr); diff --git a/src/fu-self-test.c b/src/fu-self-test.c index 6f0db881e..0991a3618 100644 --- a/src/fu-self-test.c +++ b/src/fu-self-test.c @@ -25,6 +25,7 @@ #include "fu-plugin-list.h" #include "fu-progressbar.h" #include "fu-hash.h" +#include "fu-security-attr.h" #include "fu-security-attrs.h" #include "fu-smbios-private.h" @@ -2806,6 +2807,15 @@ fu_plugin_composite_func (gconstpointer user_data) } } +static void +fu_security_attr_func (gconstpointer user_data) +{ + g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new (NULL); + for (guint i = 0; i < FWUPD_SECURITY_ATTR_RESULT_LAST; i++) { + fwupd_security_attr_set_result (attr, i); + g_assert_cmpstr (fu_security_attr_get_result (attr), !=, NULL); + } +} static void fu_memcpy_func (gconstpointer user_data) 
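Review bot: Neither fu_security_attr_get_name() nor fu_security_attr_get_result() in the new file carries a doc comment, and their return contracts differ in a way callers need to know. get_result always returns a translated string because of the final "OK"/"Failed" fallback, whereas get_name ends in `return fwupd_security_attr_get_name (attr);`, which is NULL when the AppStream ID is unrecognised and no name was set; the engine hunk in this commit handles that case with a warning. I would add a header comment on each, e.g. `/* Returns: translated title, or the attr's own name (may be NULL) for an unknown ID; do not free */` and `/* Returns: translated result text, never NULL; do not free */`.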
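Review bot: The new fu_security_attr_func test cannot fail for a missing enum mapping, because fu_security_attr_get_result() falls back to "OK"/"Failed" and so never returns NULL. To catch a result value that was added without a string, assert on something that does return NULL for unknown values, for instance `g_assert_cmpstr (fwupd_security_attr_result_to_string (i), !=, NULL);`. The loop would then start at the first real result (presumably 1, if 0 is the unknown value; confirm against the enum). Alternatively, compare the get_result string against the fallback text.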
@@ -2987,6 +2997,8 @@ main (int argc, char **argv) fu_plugin_module_func); g_test_add_data_func ("/fwupd/memcpy", self, fu_memcpy_func); + g_test_add_data_func ("/fwupd/security-attr", self, + fu_security_attr_func); g_test_add_data_func ("/fwupd/device-list", self, fu_device_list_func); g_test_add_data_func ("/fwupd/device-list{delay}", self, diff --git a/src/fu-util-common.c b/src/fu-util-common.c index ba863f0e6..6d3f45a8c 100644 --- a/src/fu-util-common.c +++ b/src/fu-util-common.c @@ -16,6 +16,7 @@ #include "fu-common.h" #include "fu-util-common.h" #include "fu-device.h" +#include "fu-security-attr.h" #include "fu-security-attrs.h" #ifdef HAVE_SYSTEMD 
@@ -1553,20 +1554,25 @@ static void fu_security_attr_append_str (FwupdSecurityAttr *attr, GString *str) { if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) { - g_string_append_printf (str, "\033[37m✦\033[0m "); + g_string_append (str, "✦ "); } else if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { - g_string_append_printf (str, "\033[32m✔\033[0m "); + g_string_append (str, "✔ "); } else { - g_string_append_printf (str, "\033[31m✘\033[0m "); + g_string_append (str, "✘ "); } - g_string_append_printf (str, "%s", fwupd_security_attr_get_name (attr)); - if (fwupd_security_attr_get_result (attr) != NULL) { - g_string_append_printf (str, ": %s", - fwupd_security_attr_get_result (attr)); + g_string_append_printf (str, "%s:", fu_security_attr_get_name (attr)); + for (guint i = fu_common_strwidth (fu_security_attr_get_name (attr)); i < 30; i++) + g_string_append (str, " "); + if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) { + g_string_append_printf (str, "\033[37m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); + } else if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { + g_string_append_printf (str, "\033[32m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); } else { + g_string_append_printf (str, "\033[31m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); + } + if (fwupd_security_attr_get_url (attr) != NULL) { g_string_append_printf (str, ": %s", - fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS) - ? "OK" : "Failed"); + fwupd_security_attr_get_url (attr)); } if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) g_string_append (str, " (obsoleted)"); diff --git a/src/meson.build b/src/meson.build index c1ed9a979..7a0b2976a 100644 --- a/src/meson.build +++ b/src/meson.build 
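Review bot: fu_security_attr_append_str() now passes `fu_security_attr_get_name (attr)` straight to `%s` and to fu_common_strwidth(), but that helper can return NULL for an attribute whose ID it does not recognise and that has no name set, for example one reported by a plugin newer than this client. Fetching it once at the top avoids both uses and the duplicate lookup: `const gchar *name = fu_security_attr_get_name (attr);` followed by `if (name == NULL) name = fwupd_security_attr_get_appstream_id (attr);`, with a fixed placeholder if that is NULL as well. Whether fu_common_strwidth() tolerates NULL is not visible here, and the function's tail lies outside the hunk. Separately, the colour escapes are still written unconditionally, so piped or logged output will contain raw `\033[` sequences; the old code did the same, so this is not a regression.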
@@ -17,6 +17,7 @@ fwupdmgr = executable( 'fu-util.c', 'fu-history.c', 'fu-progressbar.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -49,6 +50,7 @@ fwupdagent = executable( 'fwupdagent', sources : [ 'fu-agent.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src, ], @@ -80,6 +82,7 @@ fwupdoffline = executable( sources : [ 'fu-history.c', 'fu-offline.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -132,6 +135,7 @@ fwupdtool = executable( 'fu-plugin-list.c', 'fu-progressbar.c', 'fu-remote-list.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -230,6 +234,7 @@ executable( 'fu-main.c', 'fu-plugin-list.c', 'fu-remote-list.c', + 'fu-security-attr.c', systemd_src ], include_directories : [ @@ -286,6 +291,7 @@ if get_option('tests') 'fu-plugin-list.c', 'fu-progressbar.c', 'fu-remote-list.c', + 'fu-security-attr.c', 'fu-self-test.c', systemd_src ],