From f3a13f89dd3ad2ee236c814ff050451c0b4c4a09 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Sat, 19 Feb 2022 22:11:45 +0000
Subject: [PATCH] Allow specifing the DeviceIntegrity flag from metadata

---
 libfwupdplugin/fu-device.c | 4 ++++
 libfwupdplugin/fu-device.h | 9 ++++++++
 plugins/ata/fu-ata-device.c | 1 +
 plugins/emmc/fu-emmc-device.c | 1 +
 plugins/flashrom/fu-flashrom-device.c | 1 +
 plugins/nvme/fu-nvme-device.c | 1 +
 plugins/redfish/fu-redfish-device.c | 1 +
 plugins/uefi-capsule/fu-uefi-device.c | 1 +
 src/fu-engine.c | 30 +++++++++++++++++++++++++++
 9 files changed, 49 insertions(+)

diff --git a/libfwupdplugin/fu-device.c b/libfwupdplugin/fu-device.c
index 4987ca8c4..22cb8a65f 100644
--- a/libfwupdplugin/fu-device.c
+++ b/libfwupdplugin/fu-device.c
@@ -239,6 +239,8 @@ fu_device_internal_flag_to_string(FuDeviceInternalFlags flag)
 return "no-lid-closed";
 if (flag == FU_DEVICE_INTERNAL_FLAG_NO_PROBE)
 return "no-probe";
+ if (flag == FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED)
+ return "md-set-signed";
 return NULL;
 }
 
@@ -301,6 +303,8 @@ fu_device_internal_flag_from_string(const gchar *flag)
 return FU_DEVICE_INTERNAL_FLAG_NO_LID_CLOSED;
 if (g_strcmp0(flag, "no-probe") == 0)
 return FU_DEVICE_INTERNAL_FLAG_NO_PROBE;
+ if (g_strcmp0(flag, "md-set-signed") == 0)
+ return FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED;
 return FU_DEVICE_INTERNAL_FLAG_UNKNOWN;
 }
 
diff --git a/libfwupdplugin/fu-device.h b/libfwupdplugin/fu-device.h
index afcf6da9c..4e4621862 100644
--- a/libfwupdplugin/fu-device.h
+++ b/libfwupdplugin/fu-device.h
@@ -438,6 +438,15 @@ typedef guint64 FuDeviceInternalFlags;
 */
 #define FU_DEVICE_INTERNAL_FLAG_NO_PROBE (1ull << 22)
 
+/**
+ * FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED:
+ *
+ * Set the signed/unsigned payload from the metadata if available.
+ *
+ * Since: 1.7.6
+ */
+#define FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED (1ull << 23)
+
 /* accessors */
 gchar *
 fu_device_to_string(FuDevice *self);
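Review bot: The doc comment added for `FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED` in the fu-device.h hunk names neither the metadata key that is read nor the precedence rule, although plugins set this flag to let metadata assert an integrity property of the payload. Both facts are only visible in the fu-engine.c helper later in this patch, which returns early when a signed or unsigned flag is already present. I would reword the description along the lines of `Set the signed/unsigned payload flag from the LVFS::DeviceIntegrity metadata key, unless one was already set, e.g. by a quirk.`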
diff --git a/plugins/ata/fu-ata-device.c b/plugins/ata/fu-ata-device.c
index 0ff7f377f..588e437ed 100644
--- a/plugins/ata/fu-ata-device.c
+++ b/plugins/ata/fu-ata-device.c
@@ -874,6 +874,7 @@ fu_ata_device_init(FuAtaDevice *self)
 fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_REQUIRE_AC);
 fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UPDATABLE);
 fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_INHERIT_ACTIVATION);
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 fu_device_set_summary(FU_DEVICE(self), "ATA drive");
 fu_device_add_icon(FU_DEVICE(self), "drive-harddisk");
 fu_device_add_protocol(FU_DEVICE(self), "org.t13.ata");
diff --git a/plugins/emmc/fu-emmc-device.c b/plugins/emmc/fu-emmc-device.c
index df31c9445..ed88347a2 100644
--- a/plugins/emmc/fu-emmc-device.c
+++ b/plugins/emmc/fu-emmc-device.c
@@ -544,6 +544,7 @@ fu_emmc_device_init(FuEmmcDevice *self)
 {
 fu_device_add_protocol(FU_DEVICE(self), "org.jedec.mmc");
 fu_device_add_icon(FU_DEVICE(self), "media-memory");
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 }
 
 static void
diff --git a/plugins/flashrom/fu-flashrom-device.c b/plugins/flashrom/fu-flashrom-device.c
index 9c165918a..2e381d0f0 100644
--- a/plugins/flashrom/fu-flashrom-device.c
+++ b/plugins/flashrom/fu-flashrom-device.c
@@ -72,6 +72,7 @@ static void
 fu_flashrom_device_init(FuFlashromDevice *self)
 {
 fu_device_add_protocol(FU_DEVICE(self), "org.flashrom");
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 }
 
 static void
diff --git a/plugins/nvme/fu-nvme-device.c b/plugins/nvme/fu-nvme-device.c
index 62f5f1c1d..0ecb7903a 100644
--- a/plugins/nvme/fu-nvme-device.c
+++ b/plugins/nvme/fu-nvme-device.c
@@ -448,6 +448,7 @@ fu_nvme_device_init(FuNvmeDevice *self)
 {
 fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_REQUIRE_AC);
 fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UPDATABLE);
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 fu_device_set_version_format(FU_DEVICE(self), FWUPD_VERSION_FORMAT_PLAIN);
 fu_device_set_summary(FU_DEVICE(self), "NVM Express solid state drive");
 fu_device_add_icon(FU_DEVICE(self), "drive-harddisk");
diff --git a/plugins/redfish/fu-redfish-device.c b/plugins/redfish/fu-redfish-device.c
index 7ec7855a5..563e765ea 100644
--- a/plugins/redfish/fu-redfish-device.c
+++ b/plugins/redfish/fu-redfish-device.c
@@ -809,6 +809,7 @@ fu_redfish_device_init(FuRedfishDevice *self)
 fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_VERFMT);
 fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_ICON);
 fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR);
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 fu_device_register_private_flag(FU_DEVICE(self),
 FU_REDFISH_DEVICE_FLAG_IS_BACKUP,
 "is-backup");
diff --git a/plugins/uefi-capsule/fu-uefi-device.c b/plugins/uefi-capsule/fu-uefi-device.c
index d6eedb7fe..7f9cdb107 100644
--- a/plugins/uefi-capsule/fu-uefi-device.c
+++ b/plugins/uefi-capsule/fu-uefi-device.c
@@ -735,6 +735,7 @@ fu_uefi_device_init(FuUefiDevice *self)
 {
 fu_device_set_summary(FU_DEVICE(self), "UEFI ESRT device");
 fu_device_add_protocol(FU_DEVICE(self), "org.uefi.capsule");
+ fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 fu_device_register_private_flag(FU_DEVICE(self),
 FU_UEFI_DEVICE_FLAG_NO_UX_CAPSULE,
 "no-ux-capsule");
diff --git a/src/fu-engine.c b/src/fu-engine.c
index 8bca073d8..6c16d7fe1 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -3740,6 +3740,34 @@ fu_engine_md_refresh_device_vendor(FuEngine *self, FuDevice *device, XbNode *com
 }
 }
 
+static void
+fu_engine_md_refresh_device_signed(FuEngine *self, FuDevice *device, XbNode *component)
+{
+ const gchar *value = NULL;
+
+ /* require data */
+ if (component == NULL)
+ return;
+
+ /* already set, possibly by a quirk */
+ if (fu_device_has_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_SIGNED_PAYLOAD) ||
+ fu_device_has_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UNSIGNED_PAYLOAD))
+ return;
+
+ /* copy 1:1 */
+ value = xb_node_query_text(component, "custom/value[@key='LVFS::DeviceIntegrity']", NULL);
+ if (value != NULL) {
+ if (g_strcmp0(value, "signed") == 0) {
+ fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_SIGNED_PAYLOAD);
+ } else if (g_strcmp0(value, "unsigned") == 0) {
+ fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UNSIGNED_PAYLOAD);
+ } else {
+ g_warning("payload value unexpected: %s, expected signed|unsigned", value);
+ }
+ fu_device_remove_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR);
+ }
+}
+
 static void
 fu_engine_md_refresh_device_icon(FuEngine *self, FuDevice *device, XbNode *component)
 {
@@ -3895,6 +3923,8 @@ fu_engine_md_refresh_device_from_component(FuEngine *self, FuDevice *device, XbN
 fu_engine_md_refresh_device_icon(self, device, component);
 if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR))
 fu_engine_md_refresh_device_vendor(self, device, component);
+ if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED))
+ fu_engine_md_refresh_device_signed(self, device, component);
 
 /* fix the version */
 if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VERFMT))
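Review bot: In the new `fu_engine_md_refresh_device_signed()` (first fu-engine.c hunk) all four `fu_device_has_flag()`/`fu_device_add_flag()` calls are given `FU_DEVICE(self)`, but `self` is the `FuEngine *`, so neither the "already set" check nor the flag write touches the device being refreshed. Each of them should take `device`, e.g. `fu_device_add_flag(device, FWUPD_DEVICE_FLAG_SIGNED_PAYLOAD);`. The closing statement clears `FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR`, which looks copied from the vendor helper and would disable the vendor refresh that the dispatch hunk below gates on that flag; it should read `fu_device_remove_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);`. As written the device's signed/unsigned integrity state is presumably never populated from `LVFS::DeviceIntegrity`. A self-test that loads such a component and asserts the device flag would catch both, and the diffstat shows none added.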