Allow specifing the DeviceIntegrity flag from metadata

libfwupdplugin/fu-device.c

@@ -239,6 +239,8 @@ fu_device_internal_flag_to_string(FuDeviceInternalFlags flag)
 		return "no-lid-closed";
 	if (flag == FU_DEVICE_INTERNAL_FLAG_NO_PROBE)
 		return "no-probe";
+	if (flag == FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED)
+		return "md-set-signed";
 	return NULL;
 }
 
@@ -301,6 +303,8 @@ fu_device_internal_flag_from_string(const gchar *flag)
 		return FU_DEVICE_INTERNAL_FLAG_NO_LID_CLOSED;
 	if (g_strcmp0(flag, "no-probe") == 0)
 		return FU_DEVICE_INTERNAL_FLAG_NO_PROBE;
+	if (g_strcmp0(flag, "md-set-signed") == 0)
+		return FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED;
 	return FU_DEVICE_INTERNAL_FLAG_UNKNOWN;
 }
 

libfwupdplugin/fu-device.h

@@ -438,6 +438,15 @@ typedef guint64 FuDeviceInternalFlags;
  */
 #define FU_DEVICE_INTERNAL_FLAG_NO_PROBE (1ull << 22)
 
+/**
+ * FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED:
+ *
+ * Set the signed/unsigned payload from the metadata if available.
+ *
+ * Since: 1.7.6
+ */
+#define FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED (1ull << 23)
+
 /* accessors */
 gchar *
 fu_device_to_string(FuDevice *self);

plugins/ata/fu-ata-device.c

@@ -874,6 +874,7 @@ fu_ata_device_init(FuAtaDevice *self)
 	fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_REQUIRE_AC);
 	fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UPDATABLE);
 	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_INHERIT_ACTIVATION);
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 	fu_device_set_summary(FU_DEVICE(self), "ATA drive");
 	fu_device_add_icon(FU_DEVICE(self), "drive-harddisk");
 	fu_device_add_protocol(FU_DEVICE(self), "org.t13.ata");

plugins/emmc/fu-emmc-device.c

@@ -544,6 +544,7 @@ fu_emmc_device_init(FuEmmcDevice *self)
 {
 	fu_device_add_protocol(FU_DEVICE(self), "org.jedec.mmc");
 	fu_device_add_icon(FU_DEVICE(self), "media-memory");
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 }
 
 static void

plugins/flashrom/fu-flashrom-device.c

@@ -72,6 +72,7 @@ static void
 fu_flashrom_device_init(FuFlashromDevice *self)
 {
 	fu_device_add_protocol(FU_DEVICE(self), "org.flashrom");
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 }
 
 static void

plugins/nvme/fu-nvme-device.c

@@ -448,6 +448,7 @@ fu_nvme_device_init(FuNvmeDevice *self)
 {
 	fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_REQUIRE_AC);
 	fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UPDATABLE);
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 	fu_device_set_version_format(FU_DEVICE(self), FWUPD_VERSION_FORMAT_PLAIN);
 	fu_device_set_summary(FU_DEVICE(self), "NVM Express solid state drive");
 	fu_device_add_icon(FU_DEVICE(self), "drive-harddisk");

plugins/redfish/fu-redfish-device.c

@@ -809,6 +809,7 @@ fu_redfish_device_init(FuRedfishDevice *self)
 	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_VERFMT);
 	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_ICON);
 	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR);
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 	fu_device_register_private_flag(FU_DEVICE(self),
 					FU_REDFISH_DEVICE_FLAG_IS_BACKUP,
 					"is-backup");

plugins/uefi-capsule/fu-uefi-device.c

@@ -735,6 +735,7 @@ fu_uefi_device_init(FuUefiDevice *self)
 {
 	fu_device_set_summary(FU_DEVICE(self), "UEFI ESRT device");
 	fu_device_add_protocol(FU_DEVICE(self), "org.uefi.capsule");
+	fu_device_add_internal_flag(FU_DEVICE(self), FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED);
 	fu_device_register_private_flag(FU_DEVICE(self),
 					FU_UEFI_DEVICE_FLAG_NO_UX_CAPSULE,
 					"no-ux-capsule");

src/fu-engine.c

@@ -3740,6 +3740,34 @@ fu_engine_md_refresh_device_vendor(FuEngine *self, FuDevice *device, XbNode *com
 	}
 }
 
+static void
+fu_engine_md_refresh_device_signed(FuEngine *self, FuDevice *device, XbNode *component)
+{
+	const gchar *value = NULL;
+
+	/* require data */
+	if (component == NULL)
+		return;
+
+	/* already set, possibly by a quirk */
+	if (fu_device_has_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_SIGNED_PAYLOAD) ||
+	    fu_device_has_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UNSIGNED_PAYLOAD))
+		return;
+
+	/* copy 1:1 */
+	value = xb_node_query_text(component, "custom/value[@key='LVFS::DeviceIntegrity']", NULL);
+	if (value != NULL) {
+		if (g_strcmp0(value, "signed") == 0) {
+			fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_SIGNED_PAYLOAD);
+		} else if (g_strcmp0(value, "unsigned") == 0) {
+			fu_device_add_flag(FU_DEVICE(self), FWUPD_DEVICE_FLAG_UNSIGNED_PAYLOAD);
+		} else {
+			g_warning("payload value unexpected: %s, expected signed|unsigned", value);
+		}
+		fu_device_remove_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR);
+	}
+}
+
 static void
 fu_engine_md_refresh_device_icon(FuEngine *self, FuDevice *device, XbNode *component)
 {
@@ -3895,6 +3923,8 @@ fu_engine_md_refresh_device_from_component(FuEngine *self, FuDevice *device, XbN
 		fu_engine_md_refresh_device_icon(self, device, component);
 	if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VENDOR))
 		fu_engine_md_refresh_device_vendor(self, device, component);
+	if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_SIGNED))
+		fu_engine_md_refresh_device_signed(self, device, component);
 
 	/* fix the version */
 	if (fu_device_has_internal_flag(device, FU_DEVICE_INTERNAL_FLAG_MD_SET_VERFMT))