From f56878ff88f0706c42173f5736ca29b6ed741a6b Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Fri, 3 Sep 2021 14:16:21 +0100
Subject: [PATCH] Allow adding GUIDs to each HSI security attr
This indicates the GUID in some way contributed to the result decided. It also allows us to match the submitted HSI results back to a firmware stream on the LVFS, which allows us to allow vendors to see a subset of results for uploaded devices.
---
 libfwupd/fwupd-security-attr.c | 116 ++++++++++++++++++
 libfwupd/fwupd-security-attr.h | 8 ++
 libfwupd/fwupd.map | 9 ++
 plugins/cpu/fu-cpu-device.c | 4 +
 plugins/intel-spi/fu-intel-spi-device.c | 1 +
 plugins/msr/fu-plugin-msr.c | 9 ++
 plugins/pci-bcr/fu-plugin-pci-bcr.c | 9 ++
 plugins/pci-mei/fu-plugin-pci-mei.c | 14 ++-
 plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c | 9 +-
 plugins/tpm/fu-plugin-tpm.c | 15 ++-
 plugins/uefi-pk/fu-plugin-uefi-pk.c | 10 ++
 11 files changed, 195 insertions(+), 9 deletions(-)
diff --git a/libfwupd/fwupd-security-attr.c b/libfwupd/fwupd-security-attr.c
index fb11c33a1..7ee898ed6 100644
--- a/libfwupd/fwupd-security-attr.c
+++ b/libfwupd/fwupd-security-attr.c
@@ -25,6 +25,7 @@ fwupd_security_attr_finalize(GObject *object); typedef struct { gchar *appstream_id; GPtrArray *obsoletes; + GPtrArray *guids; GHashTable *metadata; /* (nullable) */ gchar *name; gchar *plugin;
@@ -196,6 +197,91 @@ fwupd_security_attr_has_obsolete(FwupdSecurityAttr *self, const gchar *appstream return FALSE; } +/** + * fwupd_security_attr_get_guids: + * @self: a #FwupdSecurityAttr + * + * Gets the list of attribute GUIDs. The GUID values will not modify the calculated HSI value. + * + * Returns: (element-type utf8) (transfer none): the GUIDs, which may be empty + * + * Since: 1.7.0 + **/ +GPtrArray * +fwupd_security_attr_get_guids(FwupdSecurityAttr *self) +{ + FwupdSecurityAttrPrivate *priv = GET_PRIVATE(self); + g_return_val_if_fail(FWUPD_IS_SECURITY_ATTR(self), NULL); + return priv->guids; +} + +/** + * fwupd_security_attr_add_guid: + * @self: a #FwupdSecurityAttr + * @guid: the GUID + * + * Adds a device GUID to the attribute. This indicates the GUID in some way contributed to the + * result decided. + * + * Since: 1.7.0 + **/ +void +fwupd_security_attr_add_guid(FwupdSecurityAttr *self, const gchar *guid) +{ + FwupdSecurityAttrPrivate *priv = GET_PRIVATE(self); + g_return_if_fail(FWUPD_IS_SECURITY_ATTR(self)); + g_return_if_fail(fwupd_guid_is_valid(guid)); + if (fwupd_security_attr_has_guid(self, guid)) + return; + g_ptr_array_add(priv->guids, g_strdup(guid)); +} + +/** + * fwupd_security_attr_add_guids: + * @self: a #FwupdSecurityAttr + * @guids: (element-type utf8): the GUIDs + * + * Adds device GUIDs to the attribute. This indicates the GUIDs in some way contributed to the + * result decided. + * + * Since: 1.7.0 + **/ +void +fwupd_security_attr_add_guids(FwupdSecurityAttr *self, GPtrArray *guids) +{ + g_return_if_fail(FWUPD_IS_SECURITY_ATTR(self)); + g_return_if_fail(guids != NULL); + for (guint i = 0; i < guids->len; i++) { + const gchar *guid = g_ptr_array_index(guids, i); + fwupd_security_attr_add_guid(self, guid); + } +} + +/** + * fwupd_security_attr_has_guid: + * @self: a #FwupdSecurityAttr + * @guid: the attribute guid + * + * Finds out if a specific GUID was added to the attribute. 
+ * + * Returns: %TRUE if the self matches + * + * Since: 1.7.0 + **/ +gboolean +fwupd_security_attr_has_guid(FwupdSecurityAttr *self, const gchar *guid) +{ + FwupdSecurityAttrPrivate *priv = GET_PRIVATE(self); + g_return_val_if_fail(FWUPD_IS_SECURITY_ATTR(self), FALSE); + g_return_val_if_fail(guid != NULL, FALSE); + for (guint i = 0; i < priv->guids->len; i++) { + const gchar *guid_tmp = g_ptr_array_index(priv->guids, i); + if (g_strcmp0(guid_tmp, guid) == 0) + return TRUE; + } + return FALSE; +} + /** * fwupd_security_attr_get_appstream_id: * @self: a #FwupdSecurityAttr
@@ -553,6 +639,15 @@ fwupd_security_attr_to_variant(FwupdSecurityAttr *self) FWUPD_RESULT_KEY_CATEGORIES, g_variant_new_strv(strv, -1)); } + if (priv->guids->len > 0) { + g_autofree const gchar **strv = g_new0(const gchar *, priv->guids->len + 1); + for (guint i = 0; i < priv->guids->len; i++) + strv[i] = (const gchar *)g_ptr_array_index(priv->guids, i); + g_variant_builder_add(&builder, + "{sv}", + FWUPD_RESULT_KEY_GUID, + g_variant_new_strv(strv, -1)); + } if (priv->flags != 0) { g_variant_builder_add(&builder, "{sv}",
@@ -657,6 +752,12 @@ fwupd_security_attr_from_key_value(FwupdSecurityAttr *self, const gchar *key, GV fwupd_security_attr_set_result(self, g_variant_get_uint32(value)); return; } + if (g_strcmp0(key, FWUPD_RESULT_KEY_GUID) == 0) { + g_autofree const gchar **strv = g_variant_get_strv(value, NULL); + for (guint i = 0; strv[i] != NULL; i++) + fwupd_security_attr_add_guid(self, strv[i]); + return; + } if (g_strcmp0(key, FWUPD_RESULT_KEY_METADATA) == 0) { if (priv->metadata != NULL) g_hash_table_unref(priv->metadata);
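Review bot: `fwupd_security_attr_add_guid` validates its argument with `g_return_if_fail(fwupd_guid_is_valid(guid))`, which is a programmer-error check rather than input validation: a malformed GUID is logged as a critical warning and dropped, and under fatal-criticals it aborts the process. That is acceptable for the plugin callers in this patch, but the `fwupd_security_attr_from_key_value` hunk later in this file feeds it strings straight from a deserialised variant, so the deserialiser should filter first, e.g. `if (fwupd_guid_is_valid(strv[i])) fwupd_security_attr_add_guid(self, strv[i]);`, or the docstring should state that @guid must already be a valid GUID. The `fwupd_security_attr_has_guid` docstring also carries a copy-pasted return line; `Returns: %TRUE if @guid has been added to the attribute` describes what the loop actually checks.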
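Review bot: The new `FWUPD_RESULT_KEY_GUID` branch calls `g_variant_get_strv(value, NULL)` without checking the variant type; if I recall GLib correctly that call returns NULL (with a critical) when `value` is not a string array, and the following `strv[i]` then dereferences NULL. A one-line guard keeps a malformed message from crashing the parser: `if (!g_variant_is_of_type(value, G_VARIANT_TYPE_STRING_ARRAY)) return;` placed before the `g_autofree` declaration. The neighbouring branches appear to trust the variant type in the same way, so this may be a file-wide convention rather than something introduced here; the enclosing function starts and ends outside the hunk.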
@@ -745,6 +846,15 @@ fwupd_security_attr_to_json(FwupdSecurityAttr *self, JsonBuilder *builder) } json_builder_end_array(builder); } + if (priv->guids->len > 0) { + json_builder_set_member_name(builder, FWUPD_RESULT_KEY_GUID); + json_builder_begin_array(builder); + for (guint i = 0; i < priv->guids->len; i++) { + const gchar *guid = g_ptr_array_index(priv->guids, i); + json_builder_add_string_value(builder, guid); + } + json_builder_end_array(builder); + } if (priv->metadata != NULL) { g_autoptr(GList) keys = g_hash_table_get_keys(priv->metadata); for (GList *l = keys; l != NULL; l = l->next) {
@@ -788,6 +898,10 @@ fwupd_security_attr_to_string(FwupdSecurityAttr *self) const gchar *appstream_id = g_ptr_array_index(priv->obsoletes, i); fwupd_pad_kv_str(str, "Obsolete", appstream_id); } + for (guint i = 0; i < priv->guids->len; i++) { + const gchar *guid = g_ptr_array_index(priv->guids, i); + fwupd_pad_kv_str(str, FWUPD_RESULT_KEY_GUID, guid); + } if (priv->metadata != NULL) { g_autoptr(GList) keys = g_hash_table_get_keys(priv->metadata); for (GList *l = keys; l != NULL; l = l->next) {
@@ -812,6 +926,7 @@ fwupd_security_attr_init(FwupdSecurityAttr *self) { FwupdSecurityAttrPrivate *priv = GET_PRIVATE(self); priv->obsoletes = g_ptr_array_new_with_free_func(g_free); + priv->guids = g_ptr_array_new_with_free_func(g_free); } static void
@@ -827,6 +942,7 @@ fwupd_security_attr_finalize(GObject *object) g_free(priv->plugin); g_free(priv->url); g_ptr_array_unref(priv->obsoletes); + g_ptr_array_unref(priv->guids); G_OBJECT_CLASS(fwupd_security_attr_parent_class)->finalize(object); }
diff --git a/libfwupd/fwupd-security-attr.h b/libfwupd/fwupd-security-attr.h
index d91d09d49..dfa3bf99a 100644
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@@ -148,6 +148,14 @@ void fwupd_security_attr_add_obsolete(FwupdSecurityAttr *self, const gchar *appstream_id); gboolean fwupd_security_attr_has_obsolete(FwupdSecurityAttr *self, const gchar *appstream_id); +GPtrArray * +fwupd_security_attr_get_guids(FwupdSecurityAttr *self); +void +fwupd_security_attr_add_guid(FwupdSecurityAttr *self, const gchar *guid); +void +fwupd_security_attr_add_guids(FwupdSecurityAttr *self, GPtrArray *guids); +gboolean +fwupd_security_attr_has_guid(FwupdSecurityAttr *self, const gchar *guid); const gchar * fwupd_security_attr_get_metadata(FwupdSecurityAttr *self, const gchar *key); void
diff --git a/libfwupd/fwupd.map b/libfwupd/fwupd.map
index a8113eb08..c4031a76a 100644
--- a/libfwupd/fwupd.map
+++ b/libfwupd/fwupd.map
@@ -700,3 +700,12 @@ LIBFWUPD_1.6.2 { fwupd_request_to_variant; local: *; } LIBFWUPD_1.6.1; + +LIBFWUPD_1.7.0 { + global: + fwupd_security_attr_add_guid; + fwupd_security_attr_add_guids; + fwupd_security_attr_get_guids; + fwupd_security_attr_has_guid; + local: *; +} LIBFWUPD_1.6.2;
diff --git a/plugins/cpu/fu-cpu-device.c b/plugins/cpu/fu-cpu-device.c
index 29711e9cf..3197babe8 100644
--- a/plugins/cpu/fu-cpu-device.c
+++ b/plugins/cpu/fu-cpu-device.c
@@ -303,6 +303,7 @@ fu_cpu_device_add_security_attrs_intel_cet_enabled(FuCpuDevice *self, FuSecurity attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_CET_ENABLED); fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self))); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self))); fu_security_attrs_append(attrs, attr); /* check for CET */
@@ -334,6 +335,7 @@ fu_cpu_device_add_security_attrs_intel_cet_active(FuCpuDevice *self, FuSecurityA attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE); fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self))); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_THEORETICAL); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self))); fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE); fu_security_attrs_append(attrs, attr);
@@ -362,6 +364,7 @@ fu_cpu_device_add_security_attrs_intel_tme(FuCpuDevice *self, FuSecurityAttrs *a attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM); fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self))); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self))); fu_security_attrs_append(attrs, attr); /* check for TME */
@@ -384,6 +387,7 @@ fu_cpu_device_add_security_attrs_intel_smap(FuCpuDevice *self, FuSecurityAttrs * attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_SMAP); fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self))); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(FU_DEVICE(self))); fu_security_attrs_append(attrs, attr); /* check for SMEP and SMAP */
diff --git a/plugins/intel-spi/fu-intel-spi-device.c b/plugins/intel-spi/fu-intel-spi-device.c
index e5435a681..9b3900752 100644
--- a/plugins/intel-spi/fu-intel-spi-device.c
+++ b/plugins/intel-spi/fu-intel-spi-device.c
@@ -214,6 +214,7 @@ fu_intel_spi_device_add_security_attrs(FuDevice *device, FuSecurityAttrs *attrs) attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_DESCRIPTOR); fwupd_security_attr_set_plugin(attr, fu_device_get_plugin(FU_DEVICE(self))); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(device)); fu_security_attrs_append(attrs, attr); /* check for read access from other regions */
diff --git a/plugins/msr/fu-plugin-msr.c b/plugins/msr/fu-plugin-msr.c
index c2b887749..3e058569e 100644
--- a/plugins/msr/fu-plugin-msr.c
+++ b/plugins/msr/fu-plugin-msr.c
@@ -187,6 +187,7 @@ static void fu_plugin_add_security_attr_dci_enabled(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *device = fu_plugin_cache_lookup(plugin, "cpu"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* this MSR is only valid for a subset of Intel CPUs */
@@ -199,6 +200,8 @@ fu_plugin_add_security_attr_dci_enabled(FuPlugin *plugin, FuSecurityAttrs *attrs attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_DCI_ENABLED); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); + if (device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(device)); fu_security_attrs_append(attrs, attr); /* check fields */
@@ -216,6 +219,7 @@ static void fu_plugin_add_security_attr_dci_locked(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *device = fu_plugin_cache_lookup(plugin, "cpu"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* this MSR is only valid for a subset of Intel CPUs */
@@ -228,6 +232,8 @@ fu_plugin_add_security_attr_dci_locked(FuPlugin *plugin, FuSecurityAttrs *attrs) attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_INTEL_DCI_LOCKED); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); + if (device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(device)); fu_security_attrs_append(attrs, attr); /* check fields */
@@ -245,6 +251,7 @@ static void fu_plugin_add_security_attr_amd_tsme_enabled(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *device = fu_plugin_cache_lookup(plugin, "cpu"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* this MSR is only valid for a subset of AMD CPUs */
@@ -255,6 +262,8 @@ fu_plugin_add_security_attr_amd_tsme_enabled(FuPlugin *plugin, FuSecurityAttrs * attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_SYSTEM_PROTECTION); + if (device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(device)); fu_security_attrs_append(attrs, attr); /* check fields */
diff --git a/plugins/pci-bcr/fu-plugin-pci-bcr.c b/plugins/pci-bcr/fu-plugin-pci-bcr.c
index 4c948ba14..62eeceac8 100644
--- a/plugins/pci-bcr/fu-plugin-pci-bcr.c
+++ b/plugins/pci-bcr/fu-plugin-pci-bcr.c
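Review bot: The three `fu_plugin_cache_lookup(plugin, "cpu")` lines added to the msr plugin read a cache entry that nothing in this diff populates, and the diffstat's nine insertions are exactly the lines shown, so whether any GUID is ever attached depends on a `fu_plugin_cache_add(plugin, "cpu", ...)` that must already exist elsewhere in the file; that is worth confirming. The same applies to the `"main-system-firmware"` lookups added to pci-bcr below, whereas the uefi-pk hunk at the end of this patch adds the matching `fu_plugin_device_registered` callback explicitly. Because the `device != NULL` guards make a missing cache entry silent, a short comment on the first lookup naming the registering callback, e.g. `/* populated by fu_plugin_device_registered() */`, would make the dependency visible. Each enclosing function continues outside its hunk.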
@@ -69,12 +69,15 @@ static void fu_plugin_add_security_attr_bioswe(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *msf_device = fu_plugin_cache_lookup(plugin, "main-system-firmware"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); + if (msf_device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device)); fu_security_attrs_append(attrs, attr); /* no device */
@@ -98,6 +101,7 @@ static void fu_plugin_add_security_attr_ble(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *msf_device = fu_plugin_cache_lookup(plugin, "main-system-firmware"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* no device */
@@ -108,6 +112,8 @@ fu_plugin_add_security_attr_ble(FuPlugin *plugin, FuSecurityAttrs *attrs) attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_BLE); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); + if (msf_device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device)); fu_security_attrs_append(attrs, attr); /* load file */
@@ -125,6 +131,7 @@ static void fu_plugin_add_security_attr_smm_bwp(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *msf_device = fu_plugin_cache_lookup(plugin, "main-system-firmware"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* no device */
@@ -135,6 +142,8 @@ fu_plugin_add_security_attr_smm_bwp(FuPlugin *plugin, FuSecurityAttrs *attrs) attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); + if (msf_device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device)); fu_security_attrs_append(attrs, attr); /* load file */
diff --git a/plugins/pci-mei/fu-plugin-pci-mei.c b/plugins/pci-mei/fu-plugin-pci-mei.c
index 76c6d608e..e4346d914 100644
--- a/plugins/pci-mei/fu-plugin-pci-mei.c
+++ b/plugins/pci-mei/fu-plugin-pci-mei.c
@@ -11,7 +11,7 @@ #include "fu-mei-common.h" struct FuPluginData { - gboolean has_device; + FuDevice *pci_device; FuMeiHfsts1 hfsts1; FuMeiHfsts2 hfsts2; FuMeiHfsts3 hfsts3;
@@ -56,6 +56,14 @@ fu_plugin_init(FuPlugin *plugin) fu_plugin_add_udev_subsystem(plugin, "pci"); } +void +fu_plugin_destroy(FuPlugin *plugin) +{ + FuPluginData *data = fu_plugin_get_data(plugin); + if (data->pci_device != NULL) + g_object_unref(data->pci_device); +} + static FuMeiFamily fu_mei_detect_family(FuPlugin *plugin) {
@@ -218,7 +226,7 @@ fu_plugin_backend_device_added(FuPlugin *plugin, FuDevice *device, GError **erro return FALSE; } priv->hfsts6.data = fu_common_read_uint32(buf, G_LITTLE_ENDIAN); - priv->has_device = TRUE; + g_set_object(&priv->pci_device, device); /* dump to console */ if (g_getenv("FWUPD_PCI_MEI_VERBOSE") != NULL) {
@@ -503,7 +511,7 @@ fu_plugin_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs) /* only Intel */ if (fu_common_get_cpu_vendor() != FU_CPU_VENDOR_INTEL) return; - if (!priv->has_device) + if (priv->pci_device == NULL) return; fu_plugin_add_security_attrs_manufacturing_mode(plugin, attrs);
diff --git a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c
index 589d8de0a..e4b7c6344 100644
--- a/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c
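Review bot: The pci-mei hunks replace `has_device` with a strong `pci_device` reference and add a `fu_plugin_destroy` to release it, but none of the visible hunks ever reads `priv->pci_device` to call `fwupd_security_attr_add_guids`, so after this commit the MEI attributes are still emitted without GUIDs; the diffstat's 14 changed lines for this file are fully accounted for by the lines shown, so this does not appear to be hidden in an unseen hunk. If attaching them in the per-attribute helpers (outside these hunks) is planned, a `/* TODO: attach fu_device_get_guids(priv->pci_device) to the HSI attrs */` on the new field would explain why a device reference replaced a boolean. Stylistically, the new `fu_plugin_destroy` bodies here, in tpm-eventlog and in tpm spell out `if (x != NULL) g_object_unref(x);`, which is what `g_clear_object(&data->pci_device);` does in one line and additionally nulls the field.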
+++ b/plugins/tpm-eventlog/fu-plugin-tpm-eventlog.c
@@ -12,7 +12,7 @@ struct FuPluginData { GPtrArray *pcr0s; - gboolean has_tpm_device; + FuDevice *tpm_device; gboolean has_uefi_device; gboolean reconstructed; };
@@ -32,6 +32,8 @@ fu_plugin_destroy(FuPlugin *plugin) FuPluginData *data = fu_plugin_get_data(plugin); if (data->pcr0s != NULL) g_ptr_array_unref(data->pcr0s); + if (data->tpm_device != NULL) + g_object_unref(data->tpm_device); } gboolean
@@ -93,7 +95,7 @@ static void fu_plugin_device_registered_tpm(FuPlugin *plugin, FuDevice *device) { FuPluginData *data = fu_plugin_get_data(plugin); - data->has_tpm_device = TRUE; + g_set_object(&data->tpm_device, device); } static void
@@ -150,13 +152,14 @@ fu_plugin_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs) g_autoptr(FwupdSecurityAttr) attr = NULL; /* no TPM device */ - if (!data->has_tpm_device) + if (data->tpm_device == NULL) return; /* create attr */ attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_IMPORTANT); + fwupd_security_attr_add_guids(attr, fu_device_get_guids(data->tpm_device)); fu_security_attrs_append(attrs, attr); /* check reconstructed to PCR0 */
diff --git a/plugins/tpm/fu-plugin-tpm.c b/plugins/tpm/fu-plugin-tpm.c
index 634c143e1..5f56e524f 100644
--- a/plugins/tpm/fu-plugin-tpm.c
+++ b/plugins/tpm/fu-plugin-tpm.c
@@ -11,7 +11,7 @@ #include "fu-tpm-device.h" struct FuPluginData { - gboolean has_tpm; + FuDevice *tpm_device; gboolean has_tpm_v20; };
@@ -24,13 +24,21 @@ fu_plugin_init(FuPlugin *plugin) fu_plugin_add_device_gtype(plugin, FU_TYPE_TPM_DEVICE); } +void +fu_plugin_destroy(FuPlugin *plugin) +{ + FuPluginData *data = fu_plugin_get_data(plugin); + if (data->tpm_device != NULL) + g_object_unref(data->tpm_device); +} + void fu_plugin_device_added(FuPlugin *plugin, FuDevice *dev) { FuPluginData *data = fu_plugin_get_data(plugin); const gchar *family = fu_tpm_device_get_family(FU_TPM_DEVICE(dev)); - data->has_tpm = TRUE; + g_set_object(&data->tpm_device, dev); if (g_strcmp0(family, "2.0") == 0) data->has_tpm_v20 = TRUE; fu_plugin_add_report_metadata(plugin, "TpmFamily", family);
@@ -49,7 +57,7 @@ fu_plugin_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs) fu_security_attrs_append(attrs, attr); /* check exists, and in v2.0 mode */ - if (!data->has_tpm) { + if (data->tpm_device == NULL) { fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND); return; }
@@ -59,6 +67,7 @@ fu_plugin_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs) } /* success */ + fwupd_security_attr_add_guids(attr, fu_device_get_guids(data->tpm_device)); fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS); fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_FOUND); }
diff --git a/plugins/uefi-pk/fu-plugin-uefi-pk.c b/plugins/uefi-pk/fu-plugin-uefi-pk.c
index 28a9b3233..db47c37ec 100644
--- a/plugins/uefi-pk/fu-plugin-uefi-pk.c
+++ b/plugins/uefi-pk/fu-plugin-uefi-pk.c
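Review bot: In the tpm plugin's `fu_plugin_add_security_attrs` the new `fwupd_security_attr_add_guids` call sits on the `/* success */` path only, after the `tpm_device == NULL` early return in the earlier hunk and whatever check on `has_tpm_v20` lies in the lines between the two hunks, so a TPM that is present but not in 2.0 mode produces a result carrying no GUIDs even though `tpm_device` is what decided it. Moving the call to directly after the NULL-check block, i.e. `fwupd_security_attr_add_guids(attr, fu_device_get_guids(data->tpm_device));` before the version check, tags both outcomes with the device; the middle of the function is outside these hunks. Separately, `fu_plugin_device_added` overwrites `tpm_device` on every call, so if more than one TPM device is added the last one wins, which preserves the old boolean's behaviour but deserves a one-line comment such as `/* last TPM device wins; the HSI attr is per-system */`.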
@@ -158,16 +158,26 @@ fu_plugin_init(FuPlugin *plugin) fu_plugin_set_build_hash(plugin, FU_BUILD_HASH); } +void +fu_plugin_device_registered(FuPlugin *plugin, FuDevice *device) +{ + if (fu_device_has_instance_id(device, "main-system-firmware")) + fu_plugin_cache_add(plugin, "main-system-firmware", device); +} + void fu_plugin_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs) { FuPluginData *priv = fu_plugin_get_data(plugin); + FuDevice *msf_device = fu_plugin_cache_lookup(plugin, "main-system-firmware"); g_autoptr(FwupdSecurityAttr) attr = NULL; /* create attr */ attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_UEFI_PK); fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL); fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin)); + if (msf_device != NULL) + fwupd_security_attr_add_guids(attr, fu_device_get_guids(msf_device)); fu_security_attrs_append(attrs, attr); /* test key is not secure */