Add an HSI attribute for Intel SMAP

See https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention for details.
2025-08-16 08:02:06 +00:00 · 2020-05-21 21:57:16 +01:00 · 2020-05-21 21:57:16 +01:00 · c821923668
commit c821923668
parent 4a62329401
5 changed files with 37 additions and 0 deletions
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@ -118,6 +118,7 @@ typedef enum {
 #define FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES		"org.fwupd.hsi.FwupdUpdates"		/* Since: 1.5.0 */
 #define FWUPD_SECURITY_ATTR_ID_INTEL_AMT		"org.fwupd.hsi.IntelAmt"		/* Since: 1.5.0 */
 #define FWUPD_SECURITY_ATTR_ID_INTEL_CET		"org.fwupd.hsi.IntelCet"		/* Since: 1.5.0 */
+#define FWUPD_SECURITY_ATTR_ID_INTEL_SMAP		"org.fwupd.hsi.IntelSmap"		/* Since: 1.5.0 */
 #define FWUPD_SECURITY_ATTR_ID_IOMMU			"org.fwupd.hsi.Iommu"			/* Since: 1.5.0 */
 #define FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN		"org.fwupd.hsi.KernelLockdown"		/* Since: 1.5.0 */
 #define FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP		"org.fwupd.hsi.KernelSwap"		/* Since: 1.5.0 */
--- a/plugins/cpu/fu-cpu-device.c
+++ b/plugins/cpu/fu-cpu-device.c
@ -31,6 +31,8 @@ fu_cpu_device_to_string (FuDevice *device, guint idt, GString *str)
 				    fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_IBT));
 	fu_common_string_append_kb (str, idt, "HasTME",
 				    fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_TME));
+	fu_common_string_append_kb (str, idt, "HasSMAP",
+				    fu_cpu_device_has_flag (self, FU_CPU_DEVICE_FLAG_SMAP));
 }

 static void
@ -44,6 +46,8 @@ fu_cpu_device_parse_flags (FuCpuDevice *self, const gchar *data)
 			self->flags |= FU_CPU_DEVICE_FLAG_IBT;
 		if (g_strcmp0 (flags[i], "tme") == 0)
 			self->flags |= FU_CPU_DEVICE_FLAG_TME;
+		if (g_strcmp0 (flags[i], "smap") == 0)
+			self->flags |= FU_CPU_DEVICE_FLAG_SMAP;
 	}
 }

--- a/plugins/cpu/fu-cpu-device.h
+++ b/plugins/cpu/fu-cpu-device.h
@ -16,6 +16,7 @@ typedef enum {
 	FU_CPU_DEVICE_FLAG_SHSTK	= 1 << 0,
 	FU_CPU_DEVICE_FLAG_IBT		= 1 << 1,
 	FU_CPU_DEVICE_FLAG_TME		= 1 << 2,
+	FU_CPU_DEVICE_FLAG_SMAP		= 1 << 3,
 } FuCpuDeviceFlag;

 FuCpuDevice		*fu_cpu_device_new		(const gchar	*section);
--- a/plugins/cpu/fu-plugin-cpu.c
+++ b/plugins/cpu/fu-plugin-cpu.c
@ -12,6 +12,7 @@

 struct FuPluginData {
 	gboolean		 has_cet;
+	gboolean		 has_smap;
 	gboolean		 has_tme;
 };

@ -46,6 +47,8 @@ fu_plugin_coldplug (FuPlugin *plugin, GError **error)
 			data->has_cet = TRUE;
 		if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_TME))
 			data->has_tme = TRUE;
+		if (fu_cpu_device_has_flag (dev, FU_CPU_DEVICE_FLAG_SMAP))
+			data->has_smap = TRUE;
 		fu_plugin_device_add (plugin, FU_DEVICE (dev));
 	}

@ -98,6 +101,29 @@ fu_plugin_add_security_attrs_intel_tme (FuPlugin *plugin, FuSecurityAttrs *attrs
 	fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
 }

+static void
+fu_plugin_add_security_attrs_intel_smap (FuPlugin *plugin, FuSecurityAttrs *attrs)
+{
+	FuPluginData *data = fu_plugin_get_data (plugin);
+	g_autoptr(FwupdSecurityAttr) attr = NULL;
+
+	/* create attr */
+	attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_INTEL_SMAP);
+	fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
+	fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION);
+	fu_security_attrs_append (attrs, attr);
+
+	/* check for SMEP and SMAP */
+	if (!data->has_smap) {
+		fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_SUPPORTED);
+		return;
+	}
+
+	/* success */
+	fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
+	fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_ENABLED);
+}
+
 void
 fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
 {
@ -107,4 +133,5 @@ fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)

 	fu_plugin_add_security_attrs_intel_cet (plugin, attrs);
 	fu_plugin_add_security_attrs_intel_tme (plugin, attrs);
+	fu_plugin_add_security_attrs_intel_smap (plugin, attrs);
 }
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@ -37,6 +37,10 @@ fu_security_attr_get_name (FwupdSecurityAttr *attr)
 		/* TRANSLATORS: Title: CET = Control-flow Enforcement Technology */
 		return _("Intel CET");
 	}
+	if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_SMAP) == 0) {
+		/* TRANSLATORS: Title: SMAP = Supervisor Mode Access Prevention */
+		return _("Intel SMAP");
+	}
 	if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0) {
 		/* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
 		return _("Encrypted RAM");