From c821923668d43d4b375be998f8872623f375cdcf Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Thu, 21 May 2020 21:57:16 +0100
Subject: [PATCH] Add an HSI attribute for Intel SMAP
See https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention for details.
---
libfwupd/fwupd-security-attr.h | 1 +
plugins/cpu/fu-cpu-device.c | 4 ++++
plugins/cpu/fu-cpu-device.h | 1 +
plugins/cpu/fu-plugin-cpu.c | 27 +++++++++++++++++++++++++++
src/fu-security-attr.c | 4 ++++
5 files changed, 37 insertions(+)
diff --git a/libfwupd/fwupd-security-attr.h b/libfwupd/fwupd-security-attr.h
index 44033ebed..00977397e 100644
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@@ -118,6 +118,7 @@ typedef enum {
#define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES "org.fwupd.hsi.FwupdUpdates" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_AMT "org.fwupd.hsi.IntelAmt" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_CET "org.fwupd.hsi.IntelCet" /* Since: 1.5.0 */
+#define FWUPD_SECURITY_ATTR_ID_INTEL_SMAP "org.fwupd.hsi.IntelSmap" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_IOMMU "org.fwupd.hsi.Iommu" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN "org.fwupd.hsi.KernelLockdown" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP "org.fwupd.hsi.KernelSwap" /* Since: 1.5.0 */
diff --git a/plugins/cpu/fu-cpu-device.c b/plugins/cpu/fu-cpu-device.c
index bbfa77387..9a54218d0 100644
--- a/plugins/cpu/fu-cpu-device.c
+++ b/plugins/cpu/fu-cpu-device.c
@@ -31,6 +31,8 @@ fu_cpu_device_to_string (FuDevice *device, guint idt, GString *str)
fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_IBT));
fu_common_string_append_kb (str, idt, "HasTME",
fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_TME));
+ fu_common_string_append_kb (str, idt, "HasSMAP",
+ fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_SMAP));
}
static void
@@ -44,6 +46,8 @@ fu_cpu_device_parse_flags (FuCpuDevice *self, const gchar *data)
self->flags |= FU_CPU_DEVICE_FLAG_IBT;
if (g_strcmp0 (flags[i], "tme") == 0)
self->flags |= FU_CPU_DEVICE_FLAG_TME;
+ if (g_strcmp0 (flags[i], "smap") == 0)
+ self->flags |= FU_CPU_DEVICE_FLAG_SMAP;
}
}
diff --git a/plugins/cpu/fu-cpu-device.h b/plugins/cpu/fu-cpu-device.h
index b0c7de2a7..50d50d154 100644
--- a/plugins/cpu/fu-cpu-device.h
+++ b/plugins/cpu/fu-cpu-device.h
@@ -16,6 +16,7 @@ typedef enum {
FU_CPU_DEVICE_FLAG_SHSTK = 1 << 0,
FU_CPU_DEVICE_FLAG_IBT = 1 << 1,
FU_CPU_DEVICE_FLAG_TME = 1 << 2,
+ FU_CPU_DEVICE_FLAG_SMAP = 1 << 3,
} FuCpuDeviceFlag;
FuCpuDevice *fu_cpu_device_new (const gchar *section);
diff --git a/plugins/cpu/fu-plugin-cpu.c b/plugins/cpu/fu-plugin-cpu.c
index b293b9e60..e5e83821a 100644
--- a/plugins/cpu/fu-plugin-cpu.c
+++ b/plugins/cpu/fu-plugin-cpu.c
@@ -12,6 +12,7 @@ struct FuPluginData {
gboolean has_cet;
+ gboolean has_smap;
gboolean has_tme;
};
@@ -46,6 +47,8 @@ fu_plugin_coldplug (FuPlugin *plugin, GError **error)
data->has_cet = TRUE;
if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_TME))
data->has_tme = TRUE;
+ if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_SMAP))
+ data->has_smap = TRUE;
fu_plugin_device_add (plugin, FU_DEVICE (dev));
}
@@ -98,6 +101,29 @@ fu_plugin_add_security_attrs_intel_tme (FuPlugin *plugin, FuSecurityAttrs *attrs
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
}
+static void
+fu_plugin_add_security_attrs_intel_smap (FuPlugin *plugin, FuSecurityAttrs *attrs)
+{
+ FuPluginData *data = fu_plugin_get_data (plugin);
+ g_autoptr(FwupdSecurityAttr) attr = NULL;
+
+ /* create attr */
+ attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_SMAP);
+ fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
+ fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
+ fu_security_attrs_append (attrs, attr);
+
+ /* check for SMEP and SMAP */
+ if (!data->has_smap) {
+ fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED);
+ return;
+ }
+
+ /* success */
+ fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
+ fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
+}
+
void
fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
{
@@ -107,4 +133,5 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
fu_plugin_add_security_attrs_intel_cet (plugin, attrs);
fu_plugin_add_security_attrs_intel_tme (plugin, attrs);
+ fu_plugin_add_security_attrs_intel_smap (plugin, attrs);
}
diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c
index 8b13c2135..df94007c6 100644
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@@ -37,6 +37,10 @@ fu_security_attr_get_name (FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */
return _("Intel CET");
}
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_SMAP) == 0) {
+ /* TRANSLATORS: Title: SMAP = Supervisor Mode Access Prevention */
+ return _("Intel SMAP");
+ }
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) {
/* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
return _("Encrypted RAM");
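Review bot: The comment `/* check for SMEP and SMAP */` in fu_plugin_add_security_attrs_intel_smap does not match the code under it, which tests only `data->has_smap`; nothing in this patch parses an "smep" flag, so either reduce the comment to `/* check for SMAP */` or add the SMEP check the comment promises. Note also that `has_smap` is set in coldplug solely because the string "smap" appeared in the device's parsed flag list, so ENABLED here means "the flag was reported", and the reader has to know that this flag source (presumably a cpuinfo-style list, which I cannot confirm from the hunk) omits the entry when the kernel has the feature disabled; a short comment such as `/* assumes the flag is absent when the kernel disabled SMAP, e.g. booted with nosmap */` would record that assumption next to the check. If that assumption does not hold for the flag source, the CPU-supports-but-kernel-disabled case would need a result of its own (the enum's NOT_ENABLED value) rather than ENABLED. The fu_plugin_add_security_attrs function opened at the end of this hunk continues outside it.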