Add an HSI attribute for Intel SMAP

See https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention for details.
Richard Hughes 2020-05-21 21:57:16 +01:00
parent 4a62329401
commit c821923668
5 changed files with 37 additions and 0 deletions


@ -118,6 +118,7 @@ typedef enum {
#define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES "org.fwupd.hsi.FwupdUpdates" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES "org.fwupd.hsi.FwupdUpdates" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_AMT "org.fwupd.hsi.IntelAmt" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_INTEL_AMT "org.fwupd.hsi.IntelAmt" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_CET "org.fwupd.hsi.IntelCet" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_INTEL_CET "org.fwupd.hsi.IntelCet" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_SMAP "org.fwupd.hsi.IntelSmap" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_IOMMU "org.fwupd.hsi.Iommu" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_IOMMU "org.fwupd.hsi.Iommu" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN "org.fwupd.hsi.KernelLockdown" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN "org.fwupd.hsi.KernelLockdown" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP "org.fwupd.hsi.KernelSwap" /* Since: 1.5.0 */ #define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP "org.fwupd.hsi.KernelSwap" /* Since: 1.5.0 */


@ -31,6 +31,8 @@ fu_cpu_device_to_string (FuDevice *device, guint idt, GString *str)
fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_IBT)); fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_IBT));
fu_common_string_append_kb (str, idt, "HasTME", fu_common_string_append_kb (str, idt, "HasTME",
fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_TME)); fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_TME));
fu_common_string_append_kb (str, idt, "HasSMAP",
fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_SMAP));
} }
static void static void
@ -44,6 +46,8 @@ fu_cpu_device_parse_flags (FuCpuDevice *self, const gchar *data)
self->flags |= FU_CPU_DEVICE_FLAG_IBT; self->flags |= FU_CPU_DEVICE_FLAG_IBT;
if (g_strcmp0 (flags[i], "tme") == 0) if (g_strcmp0 (flags[i], "tme") == 0)
self->flags |= FU_CPU_DEVICE_FLAG_TME; self->flags |= FU_CPU_DEVICE_FLAG_TME;
if (g_strcmp0 (flags[i], "smap") == 0)
self->flags |= FU_CPU_DEVICE_FLAG_SMAP;
} }
} }
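Review bot: The new `"smap"` match in fu_cpu_device_parse_flags records only that the token appeared in the flags string, which, if `data` is the /proc/cpuinfo flags line (not visible in this hunk), reflects the CPUID feature bit rather than evidence that the kernel has set CR4.SMAP; a later reader of FU_CPU_DEVICE_FLAG_SMAP may take it as "SMAP is enforced". Worth a comment at the match site so the consumer knows the limit of the evidence, e.g. `/* CPUID advertises SMAP; this does not by itself show the kernel enabled it (CR4.SMAP) */`. Both fu_cpu_device_to_string and fu_cpu_device_parse_flags begin outside the hunk.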


@ -16,6 +16,7 @@ typedef enum {
FU_CPU_DEVICE_FLAG_SHSTK = 1 << 0, FU_CPU_DEVICE_FLAG_SHSTK = 1 << 0,
FU_CPU_DEVICE_FLAG_IBT = 1 << 1, FU_CPU_DEVICE_FLAG_IBT = 1 << 1,
FU_CPU_DEVICE_FLAG_TME = 1 << 2, FU_CPU_DEVICE_FLAG_TME = 1 << 2,
FU_CPU_DEVICE_FLAG_SMAP = 1 << 3,
} FuCpuDeviceFlag; } FuCpuDeviceFlag;
FuCpuDevice *fu_cpu_device_new (const gchar *section); FuCpuDevice *fu_cpu_device_new (const gchar *section);


@ -12,6 +12,7 @@
struct FuPluginData { struct FuPluginData {
gboolean has_cet; gboolean has_cet;
gboolean has_smap;
gboolean has_tme; gboolean has_tme;
}; };
@ -46,6 +47,8 @@ fu_plugin_coldplug (FuPlugin *plugin, GError **error)
data->has_cet = TRUE; data->has_cet = TRUE;
if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_TME)) if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_TME))
data->has_tme = TRUE; data->has_tme = TRUE;
if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_SMAP))
data->has_smap = TRUE;
fu_plugin_device_add (plugin, FU_DEVICE (dev)); fu_plugin_device_add (plugin, FU_DEVICE (dev));
} }
@ -98,6 +101,29 @@ fu_plugin_add_security_attrs_intel_tme (FuPlugin *plugin, FuSecurityAttrs *attrs
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED); fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
} }
static void
fu_plugin_add_security_attrs_intel_smap (FuPlugin *plugin, FuSecurityAttrs *attrs)
{
FuPluginData *data = fu_plugin_get_data (plugin);
g_autoptr(FwupdSecurityAttr) attr = NULL;
/* create attr */
attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_SMAP);
fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
fu_security_attrs_append (attrs, attr);
/* check for SMEP and SMAP */
if (!data->has_smap) {
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED);
return;
}
/* success */
fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
}
void void
fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs) fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
{ {
@ -107,4 +133,5 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
fu_plugin_add_security_attrs_intel_cet (plugin, attrs); fu_plugin_add_security_attrs_intel_cet (plugin, attrs);
fu_plugin_add_security_attrs_intel_tme (plugin, attrs); fu_plugin_add_security_attrs_intel_tme (plugin, attrs);
fu_plugin_add_security_attrs_intel_smap (plugin, attrs);
} }
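Review bot: The comment `/* check for SMEP and SMAP */` above the `data->has_smap` test in fu_plugin_add_security_attrs_intel_smap promises an SMEP check that the code does not perform; either drop it from the comment (`/* check for SMAP */`) or, if SMEP is meant to be a precondition as well, add a matching CPU flag and test it here alongside has_smap. Separately, the attribute reports FWUPD_SECURITY_ATTR_RESULT_ENABLED purely from the flag collected in coldplug, so the wording is stronger than what is measured; a comment such as `/* reflects CPU support as seen in the flags, not a runtime check that CR4.SMAP is set */` would keep HSI consumers from over-reading it. The coldplug hunk sets has_smap to TRUE if any enumerated CPU device carries the flag, and that loop begins outside the hunk.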


@ -37,6 +37,10 @@ fu_security_attr_get_name (FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */ /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */
return _("Intel CET"); return _("Intel CET");
} }
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_SMAP) == 0) {
/* TRANSLATORS: Title: SMAP = Supervisor Mode Access Prevention */
return _("Intel SMAP");
}
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) { if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) {
/* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */ /* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
return _("Encrypted RAM"); return _("Encrypted RAM");