From b246bcaecb84c2facc0b42a54c145fab5148bc2a Mon Sep 17 00:00:00 2001 
From: Richard Hughes Date: Mon, 18 May 2020 14:31:35 +0100 Subject: [PATCH] Allow client tools to translate the HSI attributes and results To do this, rely on the AppStream ID to map to a translated string (providing a fallback for clients that do not care) and switch the free-form result string into a set of enumerated values that can be translated. This fixes some of the problems where some things have to be enabled to "pass" and other attributes have to be some other state. For cases where we want the user to "do" something, provide a URL to a wiki page that we update out-of-band of fwupd releases. --- libfwupd/fwupd-enums-private.h | 2 +- libfwupd/fwupd-security-attr.c | 137 ++++++++++++-- libfwupd/fwupd-security-attr.h | 72 +++++++- libfwupd/fwupd.map | 3 + libfwupdplugin/fu-security-attrs.c | 15 +- libfwupdplugin/fu-self-test.c | 20 +- plugins/acpi-dmar/fu-plugin-acpi-dmar.c | 10 +- plugins/acpi-facp/fu-plugin-acpi-facp.c | 10 +- plugins/amt/fu-plugin-amt.c | 7 +- plugins/cpu/fu-plugin-cpu.c | 14 +- plugins/iommu/fu-plugin-iommu.c | 6 +- .../linux-lockdown/fu-plugin-linux-lockdown.c | 9 +- plugins/linux-sleep/fu-plugin-linux-sleep.c | 8 +- .../linux-spi-lpc/fu-plugin-linux-spi-lpc.c | 62 ++++--- plugins/linux-swap/fu-plugin-linux-swap.c | 12 +- .../linux-tainted/fu-plugin-linux-tainted.c | 8 +- plugins/pci-bcr/fu-plugin-pci-bcr.c | 64 ++++--- plugins/pci-mei/fu-plugin-pci-mei.c | 6 +- plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c | 9 +- plugins/tpm/fu-plugin-tpm.c | 9 +- plugins/uefi-dbx/fu-plugin-uefi-dbx.c | 23 +-- plugins/uefi-dbx/fu-uefi-dbx-common.h | 2 - plugins/uefi/fu-plugin-uefi.c | 7 +- po/POTFILES.in | 1 + src/fu-engine.c | 78 ++++---- src/fu-security-attr.c | 174 ++++++++++++++++++ src/fu-security-attr.h | 12 ++ src/fu-self-test.c | 12 ++ src/fu-util-common.c | 24 ++- src/meson.build | 6 + 30 files changed, 608 insertions(+), 214 deletions(-) create mode 100644 src/fu-security-attr.c create mode 100644 src/fu-security-attr.h 
diff --git a/libfwupd/fwupd-enums-private.h b/libfwupd/fwupd-enums-private.h index abb556895..7d2bc8136 100644 --- a/libfwupd/fwupd-enums-private.h +++ b/libfwupd/fwupd-enums-private.h @@ -24,7 +24,7 @@ G_BEGIN_DECLS #define FWUPD_RESULT_KEY_FLASHES_LEFT "FlashesLeft" /* u */ #define FWUPD_RESULT_KEY_URGENCY "Urgency" /* u */ #define FWUPD_RESULT_KEY_HSI_LEVEL "HsiLevel" /* u */ -#define FWUPD_RESULT_KEY_HSI_RESULT "HsiResult" /* s */ +#define FWUPD_RESULT_KEY_HSI_RESULT "HsiResult" /* u */ #define FWUPD_RESULT_KEY_INSTALL_DURATION "InstallDuration" /* u */ #define FWUPD_RESULT_KEY_GUID "Guid" /* as */ #define FWUPD_RESULT_KEY_INSTANCE_IDS "InstanceIds" /* as */ diff --git a/libfwupd/fwupd-security-attr.c b/libfwupd/fwupd-security-attr.c index 5a0a2b094..6e618f894 100644 --- a/libfwupd/fwupd-security-attr.c +++ b/libfwupd/fwupd-security-attr.c @@ -25,8 +25,9 @@ typedef struct { GPtrArray *obsoletes; gchar *name; gchar *plugin; - gchar *result; + gchar *url; FwupdSecurityAttrLevel level; + FwupdSecurityAttrResult result; FwupdSecurityAttrFlags flags; } FwupdSecurityAttrPrivate; 
@@ -61,6 +62,50 @@ fwupd_security_attr_flag_to_string (FwupdSecurityAttrFlags flag) return NULL; } +/** + * fwupd_security_attr_result_to_string: + * @result: A #FwupdSecurityAttrResult, e.g. %FWUPD_SECURITY_ATTR_RESULT_ENABLED + * + * Returns the printable string for the result enum. + * + * Returns: string, or %NULL + * + * Since: 1.5.0 + **/ +const gchar * +fwupd_security_attr_result_to_string (FwupdSecurityAttrResult result) +{ + if (result == FWUPD_SECURITY_ATTR_RESULT_VALID) + return "valid"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_VALID) + return "not-valid"; + if (result == FWUPD_SECURITY_ATTR_RESULT_ENABLED) + return "enabled"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED) + return "not-enabled"; + if (result == FWUPD_SECURITY_ATTR_RESULT_LOCKED) + return "locked"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED) + return "not-locked"; + if (result == FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED) + return "encrypted"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED) + return "not-encrypted"; + if (result == FWUPD_SECURITY_ATTR_RESULT_TAINTED) + return "tainted"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED) + return "not-tainted"; + if (result == FWUPD_SECURITY_ATTR_RESULT_FOUND) + return "found"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND) + return "not-found"; + if (result == FWUPD_SECURITY_ATTR_RESULT_SUPPORTED) + return "supported"; + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED) + return "not-supported"; + return NULL; +} + /** * fwupd_security_attr_flag_to_suffix: * @flag: A #FwupdSecurityAttrFlags, e.g. %FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES 
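Review bot: fwupd_security_attr_result_to_string is written as a fourteen-way if-chain with a bare `return NULL;` at the end, so a value added to FwupdSecurityAttrResult later is silently unmapped and the callers in to_json/to_string receive NULL for it. A `switch (result)` with an explicit `case FWUPD_SECURITY_ATTR_RESULT_UNKNOWN:` and a `default: return NULL;` would let `-Wswitch`/`-Wswitch-enum` flag the omission at compile time and reads more clearly as an enum-to-string table. The function's doc says "string, or %NULL" without saying that UNKNOWN is the value that yields NULL; `* Returns: string, or %NULL if @result is %FWUPD_SECURITY_ATTR_RESULT_UNKNOWN or out of range` would make that contract explicit.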
@@ -105,7 +150,7 @@ fwupd_security_attr_get_obsoletes (FwupdSecurityAttr *self) /** * fwupd_security_attr_add_obsolete: * @self: A #FwupdSecurityAttr - * @appstream_id: the appstream_id + * @appstream_id: the appstream_id or plugin name * * Adds an attribute appstream_id to obsolete. The obsoleted attribute will not * contribute to the calculated HSI value or be visible in command line tools. @@ -180,26 +225,31 @@ fwupd_security_attr_set_appstream_id (FwupdSecurityAttr *self, const gchar *apps { FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self); g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self)); + + /* sanity check */ + if (!g_str_has_prefix (appstream_id, "org.fwupd.hsi.")) + g_critical ("HSI attributes need to have a 'org.fwupd.hsi.' prefix"); + g_free (priv->appstream_id); priv->appstream_id = g_strdup (appstream_id); } /** - * fwupd_security_attr_get_result: + * fwupd_security_attr_get_url: * @self: A #FwupdSecurityAttr * - * Gets the attribute result. + * Gets the attribute URL. * * Returns: the attribute result, or %NULL if unset * * Since: 1.5.0 **/ const gchar * -fwupd_security_attr_get_result (FwupdSecurityAttr *self) +fwupd_security_attr_get_url (FwupdSecurityAttr *self) { FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self); g_return_val_if_fail (FWUPD_IS_SECURITY_ATTR (self), NULL); - return priv->result; + return priv->url; } /** 
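Review bot: The new prefix check in fwupd_security_attr_set_appstream_id calls `g_str_has_prefix (appstream_id, "org.fwupd.hsi.")` before anything guards against a NULL @appstream_id, so a NULL argument produces two criticals (one from g_str_has_prefix's own precondition, then the misleading "need to have a 'org.fwupd.hsi.' prefix" one) and the value is stored regardless. Add `g_return_if_fail (appstream_id != NULL);` before the sanity check; if this setter is also reached from fwupd_security_attr_from_key_value for the AppStream ID key (that branch is not in the hunks shown), the critical can be triggered by whatever peer supplied the variant, which matters for anyone running with `G_DEBUG=fatal-criticals`. The renamed getter's docs still say `* Returns: the attribute result, or %NULL if unset`; it should read `* Returns: the attribute URL, or %NULL if unset`.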
@@ -239,21 +289,21 @@ fwupd_security_attr_set_plugin (FwupdSecurityAttr *self, const gchar *plugin) } /** - * fwupd_security_attr_set_result: + * fwupd_security_attr_set_url: * @self: A #FwupdSecurityAttr - * @result: the attribute one line result + * @url: the attribute URL * * Sets the attribute result. * * Since: 1.5.0 **/ void -fwupd_security_attr_set_result (FwupdSecurityAttr *self, const gchar *result) +fwupd_security_attr_set_url (FwupdSecurityAttr *self, const gchar *url) { FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self); g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self)); - g_free (priv->result); - priv->result = g_strdup (result); + g_free (priv->url); + priv->url = g_strdup (url); } /** @@ -399,6 +449,42 @@ fwupd_security_attr_set_level (FwupdSecurityAttr *self, FwupdSecurityAttrLevel l priv->level = level; } +/** + * fwupd_security_attr_set_result: + * @self: A #FwupdSecurityAttr + * @result: A #FwupdSecurityAttrResult, e.g. %FWUPD_SECURITY_ATTR_LEVEL_LOCKED + * + * Sets the optional HSI result. This is required because some attributes may + * be a "success" when something is `locked` or may be "failed" if `found`. + * + * Since: 1.5.0 + **/ +void +fwupd_security_attr_set_result (FwupdSecurityAttr *self, FwupdSecurityAttrResult result) +{ + FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self); + g_return_if_fail (FWUPD_IS_SECURITY_ATTR (self)); + priv->result = result; +} + +/** + * fwupd_security_attr_get_result: + * @self: A #FwupdSecurityAttr + * + * Gets the optional HSI result. + * + * Returns: the #FwupdSecurityAttrResult, e.g %FWUPD_SECURITY_ATTR_LEVEL_LOCKED + * + * Since: 1.5.0 + **/ +FwupdSecurityAttrResult +fwupd_security_attr_get_result (FwupdSecurityAttr *self) +{ + FwupdSecurityAttrPrivate *priv = GET_PRIVATE (self); + g_return_val_if_fail (FWUPD_IS_SECURITY_ATTR (self), 0); + return priv->result; +} + /** * fwupd_security_attr_to_variant: * @self: A #FwupdSecurityAttr 
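Review bot: The doc comments on the new fwupd_security_attr_set_result and fwupd_security_attr_get_result both cite `%FWUPD_SECURITY_ATTR_LEVEL_LOCKED`, which is not a member of either enum in this patch; the example should be `%FWUPD_SECURITY_ATTR_RESULT_LOCKED` so gtk-doc can resolve the link. In the same file the renamed fwupd_security_attr_set_url keeps the sentence `* Sets the attribute result.` from the old setter and should say `* Sets the attribute URL.`, and the get_result doc has a stray `e.g` without its period. Since these getters are the public surface clients will read to translate the result, keeping the examples accurate is worth a follow-up before 1.5.0 ships.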
@@ -428,10 +514,10 @@ fwupd_security_attr_to_variant (FwupdSecurityAttr *self) FWUPD_RESULT_KEY_NAME, g_variant_new_string (priv->name)); } - if (priv->result != NULL) { + if (priv->url != NULL) { g_variant_builder_add (&builder, "{sv}", - FWUPD_RESULT_KEY_HSI_RESULT, - g_variant_new_string (priv->result)); + FWUPD_RESULT_KEY_URI, + g_variant_new_string (priv->url)); } if (priv->obsoletes->len > 0) { g_autofree const gchar **strv = g_new0 (const gchar *, priv->obsoletes->len + 1); @@ -451,6 +537,11 @@ fwupd_security_attr_to_variant (FwupdSecurityAttr *self) FWUPD_RESULT_KEY_HSI_LEVEL, g_variant_new_uint32 (priv->level)); } + if (priv->result > 0) { + g_variant_builder_add (&builder, "{sv}", + FWUPD_RESULT_KEY_HSI_RESULT, + g_variant_new_uint32 (priv->result)); + } return g_variant_new ("a{sv}", &builder); } @@ -465,8 +556,8 @@ fwupd_security_attr_from_key_value (FwupdSecurityAttr *self, const gchar *key, G fwupd_security_attr_set_name (self, g_variant_get_string (value, NULL)); return; } - if (g_strcmp0 (key, FWUPD_RESULT_KEY_HSI_RESULT) == 0) { - fwupd_security_attr_set_result (self, g_variant_get_string (value, NULL)); + if (g_strcmp0 (key, FWUPD_RESULT_KEY_URI) == 0) { + fwupd_security_attr_set_url (self, g_variant_get_string (value, NULL)); return; } if (g_strcmp0 (key, FWUPD_RESULT_KEY_FLAGS) == 0) { @@ -477,6 +568,10 @@ fwupd_security_attr_from_key_value (FwupdSecurityAttr *self, const gchar *key, G fwupd_security_attr_set_level (self, g_variant_get_uint32 (value)); return; } + if (g_strcmp0 (key, FWUPD_RESULT_KEY_HSI_RESULT) == 0) { + fwupd_security_attr_set_result (self, g_variant_get_uint32 (value)); + return; + } } static void 
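Review bot: In fwupd_security_attr_from_key_value the new HsiResult branch stores `g_variant_get_uint32 (value)` straight into the enum without bounding it, so any uint32 the peer puts on the bus ends up in priv->result, where fwupd_security_attr_result_to_string maps it to NULL and to_json/to_string then hand that NULL to their helpers (whether those skip NULL is not visible here). Bound it on the way in, e.g. `guint32 tmp = g_variant_get_uint32 (value);` followed by `if (tmp < FWUPD_SECURITY_ATTR_RESULT_LAST) fwupd_security_attr_set_result (self, tmp);`. Note also that the key name `HsiResult` is reused while its D-Bus type changes from `s` to `u` (the enums-private hunk above), and this branch does not check the variant type, so a peer built against the earlier 1.5.0 tree would hit g_variant_get_uint32 on a string variant; a `g_variant_is_of_type (value, G_VARIANT_TYPE_UINT32)` check, or a new key name, would make the mismatch harmless. The same unchecked pattern already exists for HsiLevel, so this is consistent with the file, but the result value is the one clients will now index translations by.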
@@ -559,9 +654,11 @@ fwupd_security_attr_to_json (FwupdSecurityAttr *self, JsonBuilder *builder) fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_APPSTREAM_ID, priv->appstream_id); fwupd_security_attr_json_add_int (builder, FWUPD_RESULT_KEY_HSI_LEVEL, priv->level); + fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_HSI_RESULT, + fwupd_security_attr_result_to_string (priv->result)); fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_NAME, priv->name); fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_PLUGIN, priv->plugin); - fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_HSI_RESULT, priv->result); + fwupd_security_attr_json_add_string (builder, FWUPD_RESULT_KEY_URI, priv->url); if (priv->flags != FWUPD_SECURITY_ATTR_FLAG_NONE) { json_builder_set_member_name (builder, FWUPD_RESULT_KEY_FLAGS); json_builder_begin_array (builder); @@ -598,11 +695,13 @@ fwupd_security_attr_to_string (FwupdSecurityAttr *self) str = g_string_new (""); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_APPSTREAM_ID, priv->appstream_id); fwupd_pad_kv_int (str, FWUPD_RESULT_KEY_HSI_LEVEL, priv->level); + fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_HSI_RESULT, + fwupd_security_attr_result_to_string (priv->result)); if (priv->flags != FWUPD_SECURITY_ATTR_FLAG_NONE) fwupd_pad_kv_tfl (str, FWUPD_RESULT_KEY_FLAGS, priv->flags); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_NAME, priv->name); fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_PLUGIN, priv->plugin); - fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_HSI_RESULT, priv->result); + fwupd_pad_kv_str (str, FWUPD_RESULT_KEY_URI, priv->url); for (guint i = 0; i < priv->obsoletes->len; i++) { const gchar *appstream_id = g_ptr_array_index (priv->obsoletes, i); fwupd_pad_kv_str (str, "Obsolete", appstream_id); 
@@ -634,7 +733,7 @@ fwupd_security_attr_finalize (GObject *object)
 g_free (priv->appstream_id);
 g_free (priv->name);
 g_free (priv->plugin);
- g_free (priv->result);
+ g_free (priv->url);
 g_ptr_array_unref (priv->obsoletes);
 G_OBJECT_CLASS (fwupd_security_attr_parent_class)->finalize (object);
diff --git a/libfwupd/fwupd-security-attr.h b/libfwupd/fwupd-security-attr.h
index 4ced33435..44033ebed 100644
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@@ -71,6 +71,68 @@ typedef enum { FWUPD_SECURITY_ATTR_LEVEL_LAST = 6 /* perhaps increased in the future */ } FwupdSecurityAttrLevel; +/** + * FwupdSecurityAttrResult: + * @FWUPD_SECURITY_ATTR_RESULT_UNKNOWN: Not known + * @FWUPD_SECURITY_ATTR_RESULT_ENABLED: Enabled + * @FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED: Not enabled + * @FWUPD_SECURITY_ATTR_RESULT_VALID: Valid + * @FWUPD_SECURITY_ATTR_RESULT_NOT_VALID: Not valid + * @FWUPD_SECURITY_ATTR_RESULT_LOCKED: Locked + * @FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED: Not locked + * @FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED: Encrypted + * @FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED: Not encrypted + * @FWUPD_SECURITY_ATTR_RESULT_TAINTED: Tainted + * @FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED: Not tainted + * @FWUPD_SECURITY_ATTR_RESULT_FOUND: Found + * @FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND: NOt found + * @FWUPD_SECURITY_ATTR_RESULT_SUPPORTED: Supported + * @FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED: Not supported + * + * The HSI result. + **/ +typedef enum { + FWUPD_SECURITY_ATTR_RESULT_UNKNOWN, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_ENABLED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_VALID, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_VALID, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_LOCKED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_TAINTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_FOUND, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_SUPPORTED, /* Since: 1.5.0 */ + FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED, /* Since: 1.5.0 */ + /*< private >*/ + FWUPD_SECURITY_ATTR_RESULT_LAST +} FwupdSecurityAttrResult; + +#define 
FWUPD_SECURITY_ATTR_ID_ACPI_DMAR "org.fwupd.hsi.AcpiDmar" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM "org.fwupd.hsi.EncryptedRam" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION "org.fwupd.hsi.FwupdAttestation" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS "org.fwupd.hsi.FwupdPlugins" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES "org.fwupd.hsi.FwupdUpdates" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_INTEL_AMT "org.fwupd.hsi.IntelAmt" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_INTEL_CET "org.fwupd.hsi.IntelCet" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_IOMMU "org.fwupd.hsi.Iommu" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN "org.fwupd.hsi.KernelLockdown" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP "org.fwupd.hsi.KernelSwap" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED "org.fwupd.hsi.KernelTainted" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE "org.fwupd.hsi.MeiManufacturingMode" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE "org.fwupd.hsi.SpiBioswe" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_BLE "org.fwupd.hsi.SpiBle" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP "org.fwupd.hsi.SpiSmmBwp" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE "org.fwupd.hsi.SuspendToIdle" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM "org.fwupd.hsi.SuspendToRam" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0 "org.fwupd.hsi.TpmReconstructionPcr0" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20 "org.fwupd.hsi.TpmVersion20" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_UEFI_DBX "org.fwupd.hsi.UefiDbx" /* Since: 1.5.0 */ +#define FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT "org.fwupd.hsi.UefiSecureBoot" /* Since: 1.5.0 */ + FwupdSecurityAttr *fwupd_security_attr_new (const 
gchar *appstream_id); gchar *fwupd_security_attr_to_string (FwupdSecurityAttr *self); @@ -80,15 +142,18 @@ void fwupd_security_attr_set_appstream_id (FwupdSecurityAttr *self, FwupdSecurityAttrLevel fwupd_security_attr_get_level (FwupdSecurityAttr *self); void fwupd_security_attr_set_level (FwupdSecurityAttr *self, FwupdSecurityAttrLevel level); +FwupdSecurityAttrResult fwupd_security_attr_get_result (FwupdSecurityAttr *self); +void fwupd_security_attr_set_result (FwupdSecurityAttr *self, + FwupdSecurityAttrResult result); const gchar *fwupd_security_attr_get_name (FwupdSecurityAttr *self); void fwupd_security_attr_set_name (FwupdSecurityAttr *self, const gchar *name); const gchar *fwupd_security_attr_get_plugin (FwupdSecurityAttr *self); void fwupd_security_attr_set_plugin (FwupdSecurityAttr *self, const gchar *plugin); -const gchar *fwupd_security_attr_get_result (FwupdSecurityAttr *self); -void fwupd_security_attr_set_result (FwupdSecurityAttr *self, - const gchar *result); +const gchar *fwupd_security_attr_get_url (FwupdSecurityAttr *self); +void fwupd_security_attr_set_url (FwupdSecurityAttr *self, + const gchar *url); GPtrArray *fwupd_security_attr_get_obsoletes (FwupdSecurityAttr *self); void fwupd_security_attr_add_obsolete (FwupdSecurityAttr *self, const gchar *appstream_id); @@ -103,6 +168,7 @@ gboolean fwupd_security_attr_has_flag (FwupdSecurityAttr *self, FwupdSecurityAttrFlags flag); const gchar *fwupd_security_attr_flag_to_string (FwupdSecurityAttrFlags flag); const gchar *fwupd_security_attr_flag_to_suffix (FwupdSecurityAttrFlags flag); +const gchar *fwupd_security_attr_result_to_string (FwupdSecurityAttrResult result); FwupdSecurityAttr *fwupd_security_attr_from_variant (GVariant *value); GPtrArray *fwupd_security_attr_array_from_variant (GVariant *value); diff --git a/libfwupd/fwupd.map b/libfwupd/fwupd.map index 54dbe74b5..3a3bf6402 100644 --- a/libfwupd/fwupd.map +++ b/libfwupd/fwupd.map 
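Review bot: The gtk-doc block for FwupdSecurityAttrResult has a typo in the NOT_FOUND entry, `@FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND: NOt found`, which should read `@FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND: Not found`. Since the commit message says clients are expected to translate these values, it would help to state in the enum's description that the meaning of each value depends on the attribute it is paired with (e.g. `* The HSI result; whether a given value is a pass or a fail depends on the attribute's AppStream ID.`), because `enabled` is a failure for some of the IDs defined just below. The `FWUPD_SECURITY_ATTR_ID_*` macros hard-code the `org.fwupd.hsi.` prefix that fwupd_security_attr_set_appstream_id now checks; a one-line comment above the list noting that dependency would keep the two in sync.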
@@ -465,15 +465,18 @@ LIBFWUPD_1.5.0 { fwupd_security_attr_get_plugin; fwupd_security_attr_get_result; fwupd_security_attr_get_type; + fwupd_security_attr_get_url; fwupd_security_attr_has_flag; fwupd_security_attr_has_obsolete; fwupd_security_attr_new; + fwupd_security_attr_result_to_string; fwupd_security_attr_set_appstream_id; fwupd_security_attr_set_flags; fwupd_security_attr_set_level; fwupd_security_attr_set_name; fwupd_security_attr_set_plugin; fwupd_security_attr_set_result; + fwupd_security_attr_set_url; fwupd_security_attr_to_json; fwupd_security_attr_to_string; fwupd_security_attr_to_variant; diff --git a/libfwupdplugin/fu-security-attrs.c b/libfwupdplugin/fu-security-attrs.c index 6ae739366..16b0da571 100644 --- a/libfwupdplugin/fu-security-attrs.c +++ b/libfwupdplugin/fu-security-attrs.c @@ -262,12 +262,25 @@ fu_security_attrs_depsolve (FuSecurityAttrs *self) for (guint j = 0; j < obsoletes->len; j++) { const gchar *obsolete = g_ptr_array_index (obsoletes, j); FwupdSecurityAttr *attr_tmp = g_hash_table_lookup (attrs_by_id, obsolete); + + /* by AppStream ID */ if (attr_tmp != NULL) { g_debug ("security attr %s obsoleted by %s", obsolete, - fwupd_security_attr_get_appstream_id (attr)); + fwupd_security_attr_get_appstream_id (attr_tmp)); fwupd_security_attr_add_flag (attr_tmp, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED); } + + /* by plugin name */ + for (guint k = 0; k < self->attrs->len; k++) { + attr_tmp = g_ptr_array_index (self->attrs, k); + if (g_strcmp0 (obsolete, fwupd_security_attr_get_plugin (attr_tmp)) == 0) { + g_debug ("security attr %s obsoleted by %s", obsolete, + fwupd_security_attr_get_appstream_id (attr_tmp)); + fwupd_security_attr_add_flag (attr_tmp, + FWUPD_SECURITY_ATTR_FLAG_OBSOLETED); + } + } } } diff --git a/libfwupdplugin/fu-self-test.c b/libfwupdplugin/fu-self-test.c index 0406ce112..f820a6f01 100644 --- a/libfwupdplugin/fu-self-test.c +++ b/libfwupdplugin/fu-self-test.c 
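Review bot: The changed g_debug in fu_security_attrs_depsolve now prints the wrong attribute: in the by-AppStream-ID branch `attr_tmp` was looked up with `obsolete` as the key, so `fwupd_security_attr_get_appstream_id (attr_tmp)` is the same string as `obsolete` and the message reads "X obsoleted by X"; the obsoleting attribute is `attr`, which is what the removed line printed. The new by-plugin-name message has the same problem and also prints the plugin name rather than an AppStream ID as its first argument; both should pass `fwupd_security_attr_get_appstream_id (attr)` as the second argument. The plugin-name loop also walks all of self->attrs including `attr` itself, so an attribute listing its own plugin name as an obsolete would flag itself and every sibling from that plugin as OBSOLETED; if that is not intended, skip when `attr_tmp == attr`. The enclosing for-loops over attrs and obsoletes begin before this hunk.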
@@ -1762,9 +1762,9 @@ fu_security_attrs_hsi_func (void) g_assert_cmpstr (hsi1, ==, "HSI:0"); /* just success from HSI:1 */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.BIOSWE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin (attr, "test"); - fwupd_security_attr_set_level (attr, 1); + fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); fu_security_attrs_append (attrs, attr); hsi2 = fu_security_attrs_calculate_hsi (attrs); @@ -1772,20 +1772,20 @@ fu_security_attrs_hsi_func (void) g_clear_object (&attr); /* add failed from HSI:2, so still HSI:1 */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.PRX"); + attr = fwupd_security_attr_new ("org.fwupd.hsi.PRX"); fwupd_security_attr_set_plugin (attr, "test"); - fwupd_security_attr_set_level (attr, 2); + fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); fu_security_attrs_append (attrs, attr); hsi3 = fu_security_attrs_calculate_hsi (attrs); g_assert_cmpstr (hsi3, ==, "HSI:1"); g_clear_object (&attr); /* add attr from HSI:3, obsoleting the failure */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.BIOSGuard"); + attr = fwupd_security_attr_new ("org.fwupd.hsi.BIOSGuard"); fwupd_security_attr_set_plugin (attr, "test"); - fwupd_security_attr_set_level (attr, 3); + fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.Hsi.PRX"); + fwupd_security_attr_add_obsolete (attr, "org.fwupd.hsi.PRX"); fu_security_attrs_append (attrs, attr); fu_security_attrs_depsolve (attrs); hsi4 = fu_security_attrs_calculate_hsi (attrs); 
@@ -1793,7 +1793,7 @@ fu_security_attrs_hsi_func (void) g_clear_object (&attr); /* add taint that was fine */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.PluginsTainted"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS); fwupd_security_attr_set_plugin (attr, "test"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); @@ -1803,7 +1803,7 @@ fu_security_attrs_hsi_func (void) g_clear_object (&attr); /* add updates and attestation */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.LVFS"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES); fwupd_security_attr_set_plugin (attr, "test"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ATTESTATION); @@ -1814,7 +1814,7 @@ fu_security_attrs_hsi_func (void) g_clear_object (&attr); /* add issue that was uncool */ - attr = fwupd_security_attr_new ("org.fwupd.Hsi.Swap"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP); fwupd_security_attr_set_plugin (attr, "test"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append (attrs, attr); diff --git a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c index 255c9a843..4f637cd70 100644 --- a/plugins/acpi-dmar/fu-plugin-acpi-dmar.c +++ b/plugins/acpi-dmar/fu-plugin-acpi-dmar.c 
@@ -31,10 +31,9 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.ACPI.Dmar"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_ACPI_DMAR); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Pre-boot kernel DMA protection"); fu_security_attrs_append (attrs, attr); /* load DMAR table */ @@ -43,20 +42,21 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) blob = fu_common_get_contents_bytes (fn, &error_local); if (blob == NULL) { g_warning ("failed to load %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not load DMAR"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dmar = fu_acpi_dmar_new (blob, &error_local); if (dmar == NULL) { g_warning ("failed to parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse DMAR"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (!fu_acpi_dmar_get_opt_in (dmar)) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/acpi-facp/fu-plugin-acpi-facp.c b/plugins/acpi-facp/fu-plugin-acpi-facp.c index 09927db56..e0fef9189 100644 --- a/plugins/acpi-facp/fu-plugin-acpi-facp.c +++ b/plugins/acpi-facp/fu-plugin-acpi-facp.c 
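Review bot: In the acpi-dmar fu_plugin_add_security_attrs a missing DMAR table and an unparseable one now collapse into the same FWUPD_SECURITY_ATTR_RESULT_NOT_VALID, since fu_common_get_contents_bytes failing on an absent file takes the first branch; a machine with no DMAR table at all is a different (and common) condition from a corrupt one, and the linux-spi-lpc hunk below already distinguishes absence with a g_file_test. Consider the same here before the load, `if (!g_file_test (fn, G_FILE_TEST_EXISTS)) { fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; }`, so the translated client string can say "not found" rather than "not valid". The acpi-facp hunk that follows has the identical structure and would benefit from the same split. The g_warning on every boot for a system that simply has no table is pre-existing and not part of this change.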
@@ -27,10 +27,9 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.ACPI.Facp"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Suspend To Idle"); fu_security_attrs_append (attrs, attr); /* load FACP table */ @@ -39,20 +38,21 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) blob = fu_common_get_contents_bytes (fn, &error_local); if (blob == NULL) { g_warning ("failed to load %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not load FACP"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } facp = fu_acpi_facp_new (blob, &error_local); if (facp == NULL) { g_warning ("failed to parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse FACP"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (!fu_acpi_facp_get_s2i (facp)) { - fwupd_security_attr_set_result (attr, "Default set as suspend-to-ram (S3)"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/amt/fu-plugin-amt.c b/plugins/amt/fu-plugin-amt.c index 74b8a47b8..ed568f2a2 100644 --- a/plugins/amt/fu-plugin-amt.c +++ b/plugins/amt/fu-plugin-amt.c 
@@ -579,15 +579,16 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.AMT"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_AMT); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); - fwupd_security_attr_set_name (attr, "Intel AMT"); fu_security_attrs_append (attrs, attr); if (data->provisioned) { - fwupd_security_attr_set_result (attr, "Provisioned"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } + /* success */ + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); } diff --git a/plugins/cpu/fu-plugin-cpu.c b/plugins/cpu/fu-plugin-cpu.c index 453a6b835..b293b9e60 100644 --- a/plugins/cpu/fu-plugin-cpu.c +++ b/plugins/cpu/fu-plugin-cpu.c @@ -59,21 +59,20 @@ fu_plugin_add_security_attrs_intel_cet (FuPlugin *plugin, FuSecurityAttrs *attrs g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.CET"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_CET); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Intel control enforcement technology (CET)"); fu_security_attrs_append (attrs, attr); /* check for CET */ if (!data->has_cet) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
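Review bot: In fu_plugin_add_security_attrs_intel_cet the failure result is FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED but the success result is FWUPD_SECURITY_ATTR_RESULT_ENABLED, so the two outcomes of the same `data->has_cet` test sit on different axes and a client rendering "org.fwupd.hsi.IntelCet: enabled" versus "not supported" will read as two unrelated states. Since the check is a CPU capability rather than a configuration toggle, pairing it as NOT_SUPPORTED/SUPPORTED (`fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED);` in the success branch) keeps the translated pair symmetric. The TME function in the next hunk has exactly the same pairing and should change with it.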
@@ -83,21 +82,20 @@ fu_plugin_add_security_attrs_intel_tme (FuPlugin *plugin, FuSecurityAttrs *attrs g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.TME"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); - fwupd_security_attr_set_name (attr, "Intel total memory encryption (TME)"); fu_security_attrs_append (attrs, attr); /* check for TME */ if (!data->has_tme) { - fwupd_security_attr_set_result (attr, "Unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } void diff --git a/plugins/iommu/fu-plugin-iommu.c b/plugins/iommu/fu-plugin-iommu.c index 3d1a6921e..bfbaf4aa9 100644 --- a/plugins/iommu/fu-plugin-iommu.c +++ b/plugins/iommu/fu-plugin-iommu.c @@ -41,17 +41,17 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.IOMMU"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_IOMMU); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); - fwupd_security_attr_set_name (attr, "IOMMU"); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fu_security_attrs_append (attrs, attr); if (!data->has_iommu) { - fwupd_security_attr_set_result (attr, "Not found"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } 
diff --git a/plugins/linux-lockdown/fu-plugin-linux-lockdown.c b/plugins/linux-lockdown/fu-plugin-linux-lockdown.c index 8c2e21e47..ccfdefe40 100644 --- a/plugins/linux-lockdown/fu-plugin-linux-lockdown.c +++ b/plugins/linux-lockdown/fu-plugin-linux-lockdown.c @@ -70,9 +70,8 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckLockdown"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_name (attr, "Linux Kernel Lockdown"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append (attrs, attr); @@ -80,16 +79,16 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Not supported"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strstr_len (buf, bufsz, "[integrity]") == NULL && g_strstr_len (buf, bufsz, "[confidentiality]") == NULL) { - fwupd_security_attr_set_result (attr, "Not locked down"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Locked down"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } diff --git a/plugins/linux-sleep/fu-plugin-linux-sleep.c b/plugins/linux-sleep/fu-plugin-linux-sleep.c index f54ed2be5..09cbd485b 100644 --- a/plugins/linux-sleep/fu-plugin-linux-sleep.c +++ b/plugins/linux-sleep/fu-plugin-linux-sleep.c 
@@ -25,24 +25,24 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GFile) file = g_file_new_for_path ("/sys/power/mem_sleep"); /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckS3Sleep"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); - fwupd_security_attr_set_name (attr, "Linux Kernel S3 Sleep"); fu_security_attrs_append (attrs, attr); /* load file */ if (!g_file_load_contents (file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Deep sleep status unavailable"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strstr_len (buf, bufsz, "[deep]") != NULL) { - fwupd_security_attr_set_result (attr, "System configured to suspend-to-ram (S3)"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } diff --git a/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c b/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c index 2f0dec11d..479c0cd73 100644 --- a/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c +++ b/plugins/linux-spi-lpc/fu-plugin-linux-spi-lpc.c 
@@ -28,28 +28,33 @@ fu_plugin_add_security_attr_bioswe (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.BIOSWE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "bioswe", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "0\n") != 0) { - fwupd_security_attr_set_result (attr, "Write enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Write disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
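Review bot: The result mapping in fu_plugin_add_security_attr_bioswe is inverted relative to the pci-bcr plugin's attribute that uses the same FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE id: here a `bioswe` value other than `"0\n"` (write enabled) yields FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED and the success path yields ENABLED, whereas pci-bcr reports ENABLED for write-enabled and NOT_ENABLED on success. Because clients now translate the enum rather than a plugin-specific string, and the fallback name for this id is "SPI write", both providers must agree; swap the two here: `fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);` on the `"0\n"` mismatch and `fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED);` after the SUCCESS flag. The next hunk (fu_plugin_add_security_attr_ble) has the same inversion against pci-bcr's BLE attribute: the `"1\n"` mismatch (lock disabled) should be NOT_ENABLED and the success path ENABLED. The SMM_BWP hunk already matches pci-bcr (NOT_LOCKED / LOCKED) and needs no change.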
@@ -62,27 +67,32 @@ fu_plugin_add_security_attr_ble (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.BLE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BLE); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "ble", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "1\n") != 0) { - fwupd_security_attr_set_result (attr, "Lock disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Lock enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } static void 
@@ -95,27 +105,32 @@ fu_plugin_add_security_attr_smm_bwp (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.SMM_BWP"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "BIOS region of SPI"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.pci-bcr"); + fwupd_security_attr_add_obsolete (attr, "pci_bcr"); fu_security_attrs_append (attrs, attr); + /* maybe the kernel module does not exist */ + if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ fn = g_build_filename (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, "smm_bwp", NULL); if (!g_file_get_contents (fn, &buf, &bufsz, &error_local)) { g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "1\n") != 0) { - fwupd_security_attr_set_result (attr, "Writable by OS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Writable only through BIOS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } void 
@@ -125,17 +140,6 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!fu_common_is_cpu_intel ()) return; - /* maybe the kernel module does not exist */ - if (!g_file_test (FU_PLUGIN_LINUX_SPI_LPC_SYSFS_DIR, G_FILE_TEST_IS_DIR)) { - g_autoptr(FwupdSecurityAttr) attr = NULL; - attr = fwupd_security_attr_new ("org.fwupd.plugin.linux-spi-lpc"); - fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_set_result (attr, "Kernel support not present"); - fu_security_attrs_append (attrs, attr); - return; - } - /* look for the three files in sysfs */ fu_plugin_add_security_attr_bioswe (plugin, attrs); fu_plugin_add_security_attr_ble (plugin, attrs); diff --git a/plugins/linux-swap/fu-plugin-linux-swap.c b/plugins/linux-swap/fu-plugin-linux-swap.c index c54d293d1..a92d86de2 100644 --- a/plugins/linux-swap/fu-plugin-linux-swap.c +++ b/plugins/linux-swap/fu-plugin-linux-swap.c 
@@ -72,40 +72,40 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.Swap"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); - fwupd_security_attr_set_name (attr, "Linux Swap"); fu_security_attrs_append (attrs, attr); /* load list of swaps */ if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } swap = fu_linux_swap_new (buf, bufsz, &error_local); if (swap == NULL) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not parse %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not parse file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } /* none configured */ if (!fu_linux_swap_get_enabled (swap)) { fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* add security attribute */ if (!fu_linux_swap_get_encrypted (swap)) { - fwupd_security_attr_set_result (attr, "Not encrypted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Encrypted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED); } 
diff --git a/plugins/linux-tainted/fu-plugin-linux-tainted.c b/plugins/linux-tainted/fu-plugin-linux-tainted.c index c1317256f..86c69655e 100644 --- a/plugins/linux-tainted/fu-plugin-linux-tainted.c +++ b/plugins/linux-tainted/fu-plugin-linux-tainted.c @@ -70,9 +70,8 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.kernel.CheckTainted"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_name (attr, "Linux Kernel Taint"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append (attrs, attr); @@ -80,14 +79,15 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!g_file_load_contents (data->file, NULL, &buf, &bufsz, NULL, &error_local)) { g_autofree gchar *fn = g_file_get_path (data->file); g_warning ("could not open %s: %s", fn, error_local->message); - fwupd_security_attr_set_result (attr, "Could not open file"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } if (g_strcmp0 (buf, "0\n") != 0) { - fwupd_security_attr_set_result (attr, "Tainted"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_TAINTED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED); } diff --git a/plugins/pci-bcr/fu-plugin-pci-bcr.c b/plugins/pci-bcr/fu-plugin-pci-bcr.c index 41433548f..fa2f8e50a 100644 --- a/plugins/pci-bcr/fu-plugin-pci-bcr.c +++ b/plugins/pci-bcr/fu-plugin-pci-bcr.c 
@@ -34,23 +34,27 @@ fu_plugin_add_security_attr_bioswe (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.BIOSWE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.BIOSWE"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_WPD) == 1) { - fwupd_security_attr_set_result (attr, "Write enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Write disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); } static void 
@@ -60,23 +64,27 @@ fu_plugin_add_security_attr_ble (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.BLE"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BLE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.BLE"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_BLE) == 0) { - fwupd_security_attr_set_result (attr, "Lock disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Lock enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static void 
@@ -86,23 +94,27 @@ fu_plugin_add_security_attr_smm_bwp (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.SMM_BWP"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "BIOS region of SPI"); - fwupd_security_attr_add_obsolete (attr, "org.kernel.SMM_BWP"); - fwupd_security_attr_add_obsolete (attr, "org.fwupd.plugin.linux-spi-lpc"); + fwupd_security_attr_add_obsolete (attr, "linux_spi_lpc"); fu_security_attrs_append (attrs, attr); + /* no device */ + if (!priv->has_device) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + return; + } + /* load file */ if ((priv->bcr & BCR_SMM_BWP) == 0) { - fwupd_security_attr_set_result (attr, "Writable by OS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Writable only through BIOS"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } gboolean @@ -125,7 +137,7 @@ fu_plugin_udev_device_added (FuPlugin *plugin, FuUdevDevice *device, GError **er /* grab BIOS Control Register */ if (!fu_udev_device_pread (device, BCR, &priv->bcr, error)) { - g_prefix_error (error, "could not read MEI"); + g_prefix_error (error, "could not read BCR"); return FALSE; } priv->has_device = TRUE; 
@@ -135,24 +147,10 @@ fu_plugin_udev_device_added (FuPlugin *plugin, FuUdevDevice *device, GError **er void fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) { - FuPluginData *priv = fu_plugin_get_data (plugin); - /* only Intel */ if (!fu_common_is_cpu_intel ()) return; - /* only Intel */ - if (!priv->has_device) { - g_autoptr(FwupdSecurityAttr) attr = NULL; - attr = fwupd_security_attr_new ("org.fwupd.plugin.pci-bcr"); - fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); - fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "SPI"); - fwupd_security_attr_set_result (attr, "No PCI devices with BCR"); - fu_security_attrs_append (attrs, attr); - return; - } - /* add attrs */ fu_plugin_add_security_attr_bioswe (plugin, attrs); fu_plugin_add_security_attr_ble (plugin, attrs); diff --git a/plugins/pci-mei/fu-plugin-pci-mei.c b/plugins/pci-mei/fu-plugin-pci-mei.c index c7443b78e..9d4735850 100644 --- a/plugins/pci-mei/fu-plugin-pci-mei.c +++ b/plugins/pci-mei/fu-plugin-pci-mei.c @@ -64,18 +64,18 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) return; /* create attr */ - attr = fwupd_security_attr_new ("com.intel.MEI"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "MEI"); fu_security_attrs_append (attrs, attr); /* load file */ if ((priv->mei_cfg & (1 << 4)) != 0) { - fwupd_security_attr_set_result (attr, "Manufacturing Mode"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_LOCKED); } 
diff --git a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c index 4e7ff0803..a4ae71f8f 100644 --- a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c +++ b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c @@ -132,23 +132,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.trustedcomputinggroup.TpmEventLog"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); - fwupd_security_attr_set_name (attr, "TPM Reconstruction"); fu_security_attrs_append (attrs, attr); /* check reconstructed to PCR0 */ if (!fu_plugin_get_enabled (plugin)) { - fwupd_security_attr_set_result (attr, "No binary bios measurements available"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } if (!data->reconstructed) { - fwupd_security_attr_set_result (attr, "Did not match PCR0 reading"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Matched PCR0 reading"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_VALID); } diff --git a/plugins/tpm/fu-plugin-tpm.c b/plugins/tpm/fu-plugin-tpm.c index 18b0d263e..83e9534d8 100644 --- a/plugins/tpm/fu-plugin-tpm.c +++ b/plugins/tpm/fu-plugin-tpm.c 
@@ -41,23 +41,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.trustedcomputinggroup.Tpm"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "TPM"); fu_security_attrs_append (attrs, attr); /* check exists, and in v2.0 mode */ if (!data->has_tpm) { - fwupd_security_attr_set_result (attr, "Not found"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } if (!data->has_tpm_v20) { - fwupd_security_attr_set_result (attr, "Not in v2.0 mode"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "v2.0"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND); } diff --git a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c index 84dafd5ef..4aed0eb48 100644 --- a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c +++ b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c 
@@ -56,27 +56,22 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(GError) error_local = NULL; /* create attr */ - attr = fwupd_security_attr_new ("org.uefi.SecureBoot.dbx"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_DBX); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "UEFI dbx"); fu_security_attrs_append (attrs, attr); /* no binary blob */ if (!fu_plugin_get_enabled (plugin)) { - g_autofree gchar *dbxdir = NULL; - g_autofree gchar *result = NULL; - dbxdir = fu_common_get_path (FU_PATH_KIND_EFIDBXDIR); - result = g_strdup_printf ("DBX can be downloaded from %s and decompressed into %s", - FU_UEFI_DBX_DATA_URL, dbxdir); - fwupd_security_attr_set_result (attr, result); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); + fwupd_security_attr_set_url (attr, "https://github.com/fwupd/fwupd/wiki/Missingdbx"); return; } /* get update dbx */ if (!g_file_get_contents (data->fn, (gchar **) &buf_update, &bufsz, &error_local)) { g_warning ("failed to load %s: %s", data->fn, error_local->message); - fwupd_security_attr_set_result (attr, "Failed to load update DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dbx_update = fu_uefi_dbx_file_new (buf_update, bufsz, @@ -84,7 +79,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) &error_local); if (dbx_update == NULL) { g_warning ("failed to parse %s: %s", data->fn, error_local->message); - fwupd_security_attr_set_result (attr, "Failed to parse update DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } 
@@ -92,7 +87,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) if (!fu_efivar_get_data ("d719b2cb-3d3a-4596-a3bc-dad00e67656f", "dbx", &buf_system, &bufsz, NULL, &error_local)) { g_warning ("failed to load EFI dbx: %s", error_local->message); - fwupd_security_attr_set_result (attr, "Failed to load EFI DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } dbx_system = fu_uefi_dbx_file_new (buf_system, bufsz, @@ -100,7 +95,7 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) &error_local); if (dbx_system == NULL) { g_warning ("failed to parse EFI dbx: %s", error_local->message); - fwupd_security_attr_set_result (attr, "Failed to parse EFI DBX"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID); return; } @@ -116,11 +111,11 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) /* add security attribute */ if (missing_cnt > 0) { - g_autofree gchar *summary = g_strdup_printf ("%u hashes missing", missing_cnt); - fwupd_security_attr_set_result (attr, summary); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND); } diff --git a/plugins/uefi-dbx/fu-uefi-dbx-common.h b/plugins/uefi-dbx/fu-uefi-dbx-common.h index 7b02181c9..fd4243217 100644 --- a/plugins/uefi-dbx/fu-uefi-dbx-common.h +++ b/plugins/uefi-dbx/fu-uefi-dbx-common.h @@ -8,6 +8,4 @@ #include -#define FU_UEFI_DBX_DATA_URL "https://uefi.org/revocationlistfile" - gchar *fu_uefi_dbx_get_dbxupdate (GError **error); diff --git a/plugins/uefi/fu-plugin-uefi.c b/plugins/uefi/fu-plugin-uefi.c index a80ed250e..f953e0c98 100644 --- a/plugins/uefi/fu-plugin-uefi.c +++ b/plugins/uefi/fu-plugin-uefi.c 
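Review bot: In the `missing_cnt > 0` branch the count is discarded when the `"%u hashes missing"` string is replaced by FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND, so a stale dbx and the earlier "no dbx update file" case now produce the same enum with no record of how far behind the system is. Keep the number in the daemon log the way fu-engine does for the release age: `g_debug ("%u hashes missing from system dbx", missing_cnt);` immediately before the set_result call. fu_plugin_add_security_attrs starts outside this hunk.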
@@ -97,21 +97,20 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ - attr = fwupd_security_attr_new ("com.uefi.SecureBoot"); + attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT); fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin)); fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); - fwupd_security_attr_set_name (attr, "UEFI Secure Boot"); fu_security_attrs_append (attrs, attr); /* SB disabled */ if (!fu_efivar_secure_boot_enabled ()) { - fwupd_security_attr_set_result (attr, "Disabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); return; } /* success */ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); - fwupd_security_attr_set_result (attr, "Enabled"); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); } static GBytes * diff --git a/po/POTFILES.in b/po/POTFILES.in index ff7003b3f..95ac721db 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -12,6 +12,7 @@ src/fu-main.c src/fu-offline.c src/fu-progressbar.c src/fu-remote-list.c +src/fu-security-attr.c src/fu-tool.c src/fu-util.c src/fu-util-common.c diff --git a/src/fu-engine.c b/src/fu-engine.c index 23e2927e3..c3b1c9a78 100644 --- a/src/fu-engine.c +++ b/src/fu-engine.c @@ -49,6 +49,7 @@ #include "fu-plugin-private.h" #include "fu-quirks.h" #include "fu-remote-list.h" +#include "fu-security-attr.h" #include "fu-security-attrs-private.h" #include "fu-smbios-private.h" #include "fu-udev-device-private.h" 
@@ -3585,16 +3586,6 @@ fu_engine_get_devices_by_guid (FuEngine *self, const gchar *guid, GError **error return g_steal_pointer (&devices); } -static const gchar * -fu_engine_get_security_attr_result_string (FwupdSecurityAttr *attr) -{ - if (fwupd_security_attr_get_result (attr) != NULL) - return fwupd_security_attr_get_result (attr); - if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) - return "True"; - return "False"; -} - static void fu_engine_get_history_set_hsi_attrs (FuEngine *self, FuDevice *device) { @@ -3607,9 +3598,9 @@ fu_engine_get_history_set_hsi_attrs (FuEngine *self, FuDevice *device) vals = fu_security_attrs_get_all (attrs); for (guint i = 0; i < vals->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index (vals, i); - fu_device_set_metadata (device, - fwupd_security_attr_get_appstream_id (attr), - fu_engine_get_security_attr_result_string (attr)); + const gchar *tmp; + tmp = fwupd_security_attr_result_to_string (fwupd_security_attr_get_result (attr)); + fu_device_set_metadata (device, fwupd_security_attr_get_appstream_id (attr), tmp); } /* computed value */ @@ -5081,10 +5072,10 @@ fu_engine_add_security_attrs_tainted (FuEngine *self, FuSecurityAttrs *attrs) { gboolean disabled_plugins = FALSE; GPtrArray *blacklist = fu_config_get_blacklist_plugins (self->config); - g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new ("org.fwupd.Hsi.Plugins"); + g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS); fwupd_security_attr_set_plugin (attr, "core"); - fwupd_security_attr_set_name (attr, "fwupd plugins"); fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); + fu_security_attrs_append (attrs, attr); for (guint i = 0; i < blacklist->len; i++) { const gchar *name_tmp = g_ptr_array_index (blacklist, i); if (g_strcmp0 (name_tmp, "test") != 0 && 
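Review bot: Removing fu_engine_get_security_attr_result_string drops the fallback for attrs whose result was never set; fu_engine_get_history_set_hsi_attrs now passes `fwupd_security_attr_result_to_string (fwupd_security_attr_get_result (attr))` straight into `fu_device_set_metadata`. Several paths in this patch still leave the result untouched (for example the attestation attr when the current release has no checksums, later in this diff), so if the string conversion returns NULL for the default value — the enum definition is not in this hunk — the metadata value becomes NULL. Guard the call, `if (tmp != NULL) fu_device_set_metadata (device, fwupd_security_attr_get_appstream_id (attr), tmp);`, or make sure every provider sets a result on every path.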
@@ -5094,13 +5085,17 @@ fu_engine_add_security_attrs_tainted (FuEngine *self, FuSecurityAttrs *attrs) } } if (self->tainted) { - fwupd_security_attr_set_result (attr, "Tainted"); - } else if (self->plugin_filter->len > 0 || disabled_plugins) { - fwupd_security_attr_set_result (attr, "Disabled plugins"); - } else { - fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_TAINTED); + return; } - fu_security_attrs_append (attrs, attr); + if (self->plugin_filter->len > 0 || disabled_plugins) { + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED); + return; + } + + /* success */ + fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED); } static void @@ -5115,10 +5110,9 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) g_autoptr(GPtrArray) releases = NULL; /* find out if there is firmware less than 12 months old */ - attr_u = fwupd_security_attr_new ("org.fwupd.Hsi.Updates"); + attr_u = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES); fwupd_security_attr_set_plugin (attr_u, "core"); fwupd_security_attr_add_flag (attr_u, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES); - fwupd_security_attr_set_name (attr_u, "Firmware Updates"); fu_security_attrs_append (attrs, attr_u); /* get device */ 
@@ -5127,32 +5121,32 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) "230c8b18-8d9b-53ec-838b-6cfc0383493a", NULL); if (device == NULL) { - fwupd_security_attr_set_result (attr_u, "No system device"); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); } else { releases = fu_engine_get_releases_for_device (self, device, NULL); if (releases == NULL) { - fwupd_security_attr_set_result (attr_u, "No releases"); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); } else { /* check the age */ - g_autofree gchar *str = NULL; for (guint i = 0; i < releases->len; i++) { FwupdRelease *rel_tmp = g_ptr_array_index (releases, i); if (rel_newest == NULL || fwupd_release_get_created (rel_tmp) > fwupd_release_get_created (rel_newest)) rel_newest = rel_tmp; } - str = g_strdup_printf ("Newest release is %" G_GUINT64_FORMAT " months old", - (now - fwupd_release_get_created (rel_newest)) / (60 * 60 * 24 * 30)); - fwupd_security_attr_set_result (attr_u, str); - if (now - fwupd_release_get_created (rel_newest) < 60 * 60 * 24 * 30 * 12) + g_debug ("newest release is %" G_GUINT64_FORMAT " months old", + (now - fwupd_release_get_created (rel_newest)) / (60 * 60 * 24 * 30)); + fwupd_security_attr_set_result (attr_u, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); + if (now - fwupd_release_get_created (rel_newest) < 60 * 60 * 24 * 30 * 12) { fwupd_security_attr_add_flag (attr_u, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); + } } } /* do we have attestation checksums */ - attr_a = fwupd_security_attr_new ("org.fwupd.Hsi.Attestation"); + attr_a = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION); fwupd_security_attr_set_plugin (attr_a, "core"); - fwupd_security_attr_set_name (attr_a, "Firmware Attestation"); fwupd_security_attr_add_flag (attr_a, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ATTESTATION); fu_security_attrs_append 
(attrs, attr_a); if (releases != NULL) { @@ -5167,9 +5161,10 @@ fu_engine_add_security_attrs_supported (FuEngine *self, FuSecurityAttrs *attrs) } } if (rel_current == NULL) { - fwupd_security_attr_set_result (attr_a, "No PCR0s"); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); } else if (fwupd_release_get_checksums(rel_current)->len > 0) { fwupd_security_attr_add_flag (attr_a, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); + fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED); } } @@ -5178,6 +5173,7 @@ fu_engine_get_host_security_attrs (FuEngine *self) { GPtrArray *plugins = fu_plugin_list_get_all (self->plugin_list); g_autoptr(FuSecurityAttrs) attrs = fu_security_attrs_new (); + g_autoptr(GPtrArray) items = NULL; /* built in */ fu_engine_add_security_attrs_tainted (self, attrs); @@ -5189,8 +5185,24 @@ fu_engine_get_host_security_attrs (FuEngine *self) fu_plugin_runner_add_security_attrs (plugin_tmp, attrs); } + /* set the fallback names for clients without native translations */ + items = fu_security_attrs_get_all (attrs); + for (guint i = 0; i < items->len; i++) { + FwupdSecurityAttr *attr = g_ptr_array_index (items, i); + if (fwupd_security_attr_get_name (attr) == NULL) { + const gchar *name_tmp = fu_security_attr_get_name (attr); + if (name_tmp == NULL) { + g_warning ("failed to get fallback for %s", + fwupd_security_attr_get_appstream_id (attr)); + continue; + } + fwupd_security_attr_set_name (attr, name_tmp); + } + } + /* set the obsoletes flag for each attr */ fu_security_attrs_depsolve (attrs); + return g_steal_pointer (&attrs); } diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c new file mode 100644 index 000000000..61dd52be0 --- /dev/null +++ b/src/fu-security-attr.c 
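Review bot: The new `fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_SUPPORTED);` inside the twelve-month age check in fu_engine_add_security_attrs_supported runs before `attr_a = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION)` further down the same hunk, so it acts on the attestation attr before it exists (presumably still NULL from its declaration, which is outside the hunk) and any effect is discarded when attr_a is assigned. attr_u was already set to SUPPORTED on the preceding line, so this looks like a copy-paste slip; drop the line and keep the block as `if (now - fwupd_release_get_created (rel_newest) < 60 * 60 * 24 * 30 * 12) fwupd_security_attr_add_flag (attr_u, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);`. The function continues past the end of the hunk.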
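Review bot: The attestation attr can still finish with no result: this hunk sets NOT_SUPPORTED when `rel_current == NULL` and SUPPORTED when the current release has checksums, but a current release with zero checksums falls through both branches, and the whole block is skipped when the enclosing `if (releases != NULL)` is false. Since the commit's aim is that every attr carries an enumerated result, add `else { fwupd_security_attr_set_result (attr_a, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED); }` after the checksums branch, and set the same default for the `releases == NULL` case so the history metadata never records an unset value. The enclosing function starts before this hunk.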
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2020 Richard Hughes
+ *
+ * SPDX-License-Identifier: LGPL-2.1+
+ */
+
+#include
+#include
+
+#include "fu-security-attr.h"
+
+const gchar *
+fu_security_attr_get_name (FwupdSecurityAttr *attr)
+{
+ const gchar *appstream_id = fwupd_security_attr_get_appstream_id (attr);
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE) == 0) {
+ /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
+ return _("SPI write");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BLE) == 0) {
+ /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
+ return _("SPI lock");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP) == 0) {
+ /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
+ return _("SPI BIOS region");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ACPI_DMAR) == 0) {
+ /* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack */
+ return _("Pre-boot DMA protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_AMT) == 0) {
+ /* TRANSLATORS: Title: AMT = Active Management Technology */
+ return _("Intel AMT");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_CET) == 0) {
+ /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */
+ return _("Intel CET");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) {
+ /* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
+ return _("Encrypted RAM");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_IOMMU) == 0) {
+ /* TRANSLATORS: Title: https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit */
+ return _("IOMMU");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN) == 0) {
+ /* TRANSLATORS: Title: lockdown is a security mode of the kernel */
+ return _("Linux kernel lockdown");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED) == 0) {
+ /* TRANSLATORS: Title: if it's tainted or not */
+ return _("Linux kernel");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP) == 0) {
+ /* TRANSLATORS: Title: swap space or swap partition */
+ return _("Linux swap");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM) == 0) {
+ /* TRANSLATORS: Title: sleep state */
+ return _("Suspend-to-ram");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE) == 0) {
+ /* TRANSLATORS: Title: a better sleep state */
+ return _("Suspend-to-idle");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_DBX) == 0) {
+ /* TRANSLATORS: Title: dbx is the database with revoked hashes */
+ return _("UEFI dbx");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0) {
+ /* TRANSLATORS: Title: SB is a way of locking down UEFI */
+ return _("UEFI secure boot");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0) == 0) {
+ /* TRANSLATORS: Title: the PCR is rebuilt from the TPM event log */
+ return _("TPM PCR0 reconstruction");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20) == 0) {
+ /* TRANSLATORS: Title: TPM = Trusted Platform Module */
+ return _("TPM v2.0");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE) == 0) {
+ /* TRANSLATORS: Title: MEI = Intel Management Engine */
+ return _("MEI manufacturing mode");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES) == 0) {
+ /* TRANSLATORS: Title: if firmware updates are available */
+ return _("Firmware updates");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION) == 0) {
+ /* TRANSLATORS: Title: if we can verify the firmware checksums */
+ return _("Firmware attestation");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS) == 0) {
+ /* TRANSLATORS: Title: if the fwupd plugins are all present and correct */
+ return _("fwupd plugins");
+ }
+
+ /* we should not get here */
+ return fwupd_security_attr_get_name (attr);
+}
+
+const gchar *
+fu_security_attr_get_result (FwupdSecurityAttr *attr)
+{
+ FwupdSecurityAttrResult result = fwupd_security_attr_get_result (attr);
+ if (result == FWUPD_SECURITY_ATTR_RESULT_VALID) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Valid");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_VALID) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Not Valid");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_ENABLED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Enabled");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Disabled");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_LOCKED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Locked");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_LOCKED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Unlocked");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_ENCRYPTED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Encrypted");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_ENCRYPTED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Unencrypted");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_TAINTED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Tainted");
+ }
+ if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED) {
+ /* TRANSLATORS: Suffix: the HSI result */
+ return _("Untainted"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_FOUND) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Found"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Not found"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_SUPPORTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Supported"); + } + if (result == FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("Not supported"); + } + + /* fallback */ + if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { + /* TRANSLATORS: Suffix: the HSI result */ + return _("OK"); + } + + /* TRANSLATORS: Suffix: the fallback HSI result */ + return _("Failed"); +} diff --git a/src/fu-security-attr.h b/src/fu-security-attr.h new file mode 100644 index 000000000..d81e33ce9 --- /dev/null +++ b/src/fu-security-attr.h @@ -0,0 +1,12 @@ +/* + * Copyright (C) 2020 Richard Hughes + * + * SPDX-License-Identifier: LGPL-2.1+ + */ + +#pragma once + +#include + +const gchar *fu_security_attr_get_name (FwupdSecurityAttr *attr); +const gchar *fu_security_attr_get_result (FwupdSecurityAttr *attr); diff --git a/src/fu-self-test.c b/src/fu-self-test.c index 6f0db881e..0991a3618 100644 --- a/src/fu-self-test.c +++ b/src/fu-self-test.c @@ -25,6 +25,7 @@ #include "fu-plugin-list.h" #include "fu-progressbar.h" #include "fu-hash.h" +#include "fu-security-attr.h" #include "fu-security-attrs.h" #include "fu-smbios-private.h" @@ -2806,6 +2807,15 @@ fu_plugin_composite_func (gconstpointer user_data) } } +static void +fu_security_attr_func (gconstpointer user_data) +{ + g_autoptr(FwupdSecurityAttr) attr = fwupd_security_attr_new (NULL); + for (guint i = 0; i < FWUPD_SECURITY_ATTR_RESULT_LAST; i++) { + fwupd_security_attr_set_result (attr, i); + g_assert_cmpstr (fu_security_attr_get_result (attr), !=, NULL); + } +} static void fu_memcpy_func (gconstpointer user_data) 
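Review bot: The closing comment `/* we should not get here */` in `fu_security_attr_get_name` is misleading: a plugin can export an AppStream ID that is not in this list, and the fallback `fwupd_security_attr_get_name (attr)` then returns whatever name the plugin set, which may be NULL, so callers must handle that case. Suggest `/* not a well-known ID: fall back to the name the plugin set, which may be NULL */`. Both lookup functions would be easier to keep in step with the FWUPD_SECURITY_ATTR_ID_* and FWUPD_SECURITY_ATTR_RESULT_* lists as a `static const` table of id/name pairs walked in a loop, with the TRANSLATORS comments kept next to `N_()` entries so extraction still works. The prototypes in fu-security-attr.h would also benefit from a doc comment stating that the returned strings are translated, owned by gettext and must not be freed.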
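Review bot: `fu_security_attr_func` only exercises `fu_security_attr_get_result`; `fu_security_attr_get_name`, which the daemon relies on for the fallback names, has no coverage, so a missing entry for a newly added FWUPD_SECURITY_ATTR_ID_* would go unnoticed. Adding `g_autoptr(FwupdSecurityAttr) attr2 = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE);` followed by `g_assert_cmpstr (fu_security_attr_get_name (attr2), !=, NULL);` for each well-known ID would close that gap. The existing loop starts at result 0, which only reaches the `OK`/`Failed` fallback, so asserting a specific string for at least one enumerated value would make the test stricter.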
@@ -2987,6 +2997,8 @@ main (int argc, char **argv) fu_plugin_module_func); g_test_add_data_func ("/fwupd/memcpy", self, fu_memcpy_func); + g_test_add_data_func ("/fwupd/security-attr", self, + fu_security_attr_func); g_test_add_data_func ("/fwupd/device-list", self, fu_device_list_func); g_test_add_data_func ("/fwupd/device-list{delay}", self, diff --git a/src/fu-util-common.c b/src/fu-util-common.c index ba863f0e6..6d3f45a8c 100644 --- a/src/fu-util-common.c +++ b/src/fu-util-common.c @@ -16,6 +16,7 @@ #include "fu-common.h" #include "fu-util-common.h" #include "fu-device.h" +#include "fu-security-attr.h" #include "fu-security-attrs.h" #ifdef HAVE_SYSTEMD 
@@ -1553,20 +1554,25 @@ static void fu_security_attr_append_str (FwupdSecurityAttr *attr, GString *str) { if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) { - g_string_append_printf (str, "\033[37m✦\033[0m "); + g_string_append (str, "✦ "); } else if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { - g_string_append_printf (str, "\033[32m✔\033[0m "); + g_string_append (str, "✔ "); } else { - g_string_append_printf (str, "\033[31m✘\033[0m "); + g_string_append (str, "✘ "); } - g_string_append_printf (str, "%s", fwupd_security_attr_get_name (attr)); - if (fwupd_security_attr_get_result (attr) != NULL) { - g_string_append_printf (str, ": %s", - fwupd_security_attr_get_result (attr)); + g_string_append_printf (str, "%s:", fu_security_attr_get_name (attr)); + for (guint i = fu_common_strwidth (fu_security_attr_get_name (attr)); i < 30; i++) + g_string_append (str, " "); + if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) { + g_string_append_printf (str, "\033[37m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); + } else if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { + g_string_append_printf (str, "\033[32m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); } else { + g_string_append_printf (str, "\033[31m\033[1m%s\033[0m", fu_security_attr_get_result (attr)); + } + if (fwupd_security_attr_get_url (attr) != NULL) { g_string_append_printf (str, ": %s", - fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS) - ? "OK" : "Failed"); + fwupd_security_attr_get_url (attr)); } if (fwupd_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) g_string_append (str, " (obsoleted)"); diff --git a/src/meson.build b/src/meson.build index c1ed9a979..7a0b2976a 100644 --- a/src/meson.build +++ b/src/meson.build 
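Review bot: `fu_security_attr_get_name (attr)` is evaluated twice in fu_security_attr_append_str (once for the `"%s:"` format, once for `fu_common_strwidth`) and may return NULL, because its fallback is `fwupd_security_attr_get_name (attr)` and the daemon side only fills that in when it has a mapping; a NULL would reach both the `%s` conversion and `fu_common_strwidth`, whose NULL handling is not on this page. Caching the value and substituting the ID keeps the line well-formed: `const gchar *name = fu_security_attr_get_name (attr);` then `if (name == NULL) name = fwupd_security_attr_get_appstream_id (attr);`, and use `name` in both the printf and the padding loop. The padding width `30` is a magic number that should be a named constant next to the other column widths. The end of the function is outside the hunk.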
@@ -17,6 +17,7 @@ fwupdmgr = executable( 'fu-util.c', 'fu-history.c', 'fu-progressbar.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -49,6 +50,7 @@ fwupdagent = executable( 'fwupdagent', sources : [ 'fu-agent.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src, ], @@ -80,6 +82,7 @@ fwupdoffline = executable( sources : [ 'fu-history.c', 'fu-offline.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -132,6 +135,7 @@ fwupdtool = executable( 'fu-plugin-list.c', 'fu-progressbar.c', 'fu-remote-list.c', + 'fu-security-attr.c', 'fu-util-common.c', systemd_src ], @@ -230,6 +234,7 @@ executable( 'fu-main.c', 'fu-plugin-list.c', 'fu-remote-list.c', + 'fu-security-attr.c', systemd_src ], include_directories : [ @@ -286,6 +291,7 @@ if get_option('tests') 'fu-plugin-list.c', 'fu-progressbar.c', 'fu-remote-list.c', + 'fu-security-attr.c', 'fu-self-test.c', systemd_src ],