We can read this from userspace even when SB is turned on and with the kernel
locked down. The kernel securityfs patches are still in-progress, but will take
significant time to get upstream.
The kernel patches are needed when the PCI device is hidden from userspace.
A Jcat file can be used to store GPG, PKCS-7 and SHA-256 checksums for multiple
files. This allows us to sign a firmware or metadata multiple times (perhaps
by the OEM and also then the LVFS) which further decentralizes the trust model
of the LVFS.
The Jcat format was chosen as the Microsoft catalog format is nonfree and not
documented. We also don't want to modify an existing .cat file created from WU
as this may make it unsuitable to use on Windows.
More information can be found here: https://github.com/hughsie/libjcat
Calling 'rmdir --parents /var/cache/fwupdate' will cause it to attempt
to rmdir /var/cache and /var. Those directories are very unlikely to be
empty, so it should always quietly fail. However, there's not benefit
in attempting those removals, so let's quit doing it.
It's possible that someone has removed fwupdate package prior to the
fwupd transition meaning that they might have some artifacts left
behind from fwupdate packaging. Clean up these artifacts.
This commit can be reverted after both Debian bullseye and Ubuntu
focal have been released.
This splits out all development files, including headers into their
own packages where relevant.
Notably absent is `fu-hash.h` which is used for determining taint.
Out of tree developed plugins should still taint the daemon.
Makes `fwupd-refresh.service` strictly opt-in.
Some distros are defaulting to all systemd services on and causing
more refreshes than desirable by default, especially when using
both `gnome-software` and `fwupd-refresh.service`
`fwupd-refresh.service` uses `DynamicUser=true` which causes systemd
to make `/var/cache/fwupd` a symlink to `/var/cache/private/fwupd`.
Individual units aren't allowed to access this directory, only the ones
with the directive. This means that `fwupd.service` stops working as
soon as a user tries to start `fwupd-refresh.service`.
The bug details are present in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941360
Using the library instead of the command line tools provides a more
stable interface. This implementation only fetches PCR 0 for all
available hash algorithms since this is the only PCR that is actually
used in fwupd.
Since https://fwupd.github.io is now a thing, people can be directed there
rather than relying upon locally built documentation by default.
Also this will mean one less dependency to install for people who build
from source.
Lastly this finally means that I can do this set of actions without failure:
```
meson build
ninja -C build
ninja -C build install (PK prompts for password)
rm -rf build
```
Previously gtkdoc stuff was built as root due to the PK prompt and removing
it would lead to stuff like this:
```
rm: cannot remove 'build/docs/libfwupd/html/libfwupd-FwupdClient.html': Permission denied
```
Fixes Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921820
Introduce a new --log option to fwupdmgr that will log stdout to an argument.
If run under systemd, prefix that argument with $RUNTIME_DIRECTORY.
Add a new systemd unit and associated timer to regularly refresh metadata.
After the metadata refresh is complete, save the output to the motd location.
The timer and service are disabled by default and can be enabled by an admin.
This also means we now include a flashrom subproject as no distro currently has
a flashrom new enough to build the plugin.
Signed-off-by: Richard Hughes <richard@hughsie.com>
Signed-off-by: Artur Raglis <artur.raglis@3mdeb.com>
Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
* Move all the data under a new top-level "packages" key
* Add an empty "trusted_certs" key - our binaries do not do any
further verification with an embedded key.
The offline updates environment is special, and we have to be careful to delete
the trigger before doing anything that can fail to avoid boot loops.
For this reason, split it out to a simple self-contained binary that is easy to
understand.
This currently just outputs the current list of devices with releases and makes
it possible to integrate firmware version reporting with other tools like mgmt.
This is intended for devices that it is not safe to immediately activate
the firmware. It may be called at a more convenient time instead.
Both fwupdmgr and fwupdtool support the feature.
- if called at runtime with fwupdmgr it uses the daemon
- during shutdown fwupdtool uses the pending.db to perform this feature.
For this we need to register as a console application (which fwupdtool is, I
suppose) and also supply a usable icon.
I've used the new GNOME icon theme guidelines so please add a drop shadow
before using: https://gitlab.gnome.org/GNOME/Initiatives/issues/2
