The HSI specification assigns a simple text ID to the current state of firmware
security. As new vulnerabilities are found, and as protection measures are
updated, new requirements will be added to the required firmware behaviours for
each HSI value.
The HSI specification is currently incomplete and in active development, and
so the --force flag is required in all command line tools. The current ID value
will probably change on a given platform so please do not start using the result
for any kind of compliance requirements.
It is a good practice to install files relative to our own variables
https://www.bassi.io/articles/2018/03/15/pkg-config-and-paths/
and it is required on systems like NixOS.
Unfortunately, systemd allows overriding the root prefix,
see also 1c2c7c6cb3,
so we cannot just do that.
Let's at least make the systemd installation prefix overridable.
This will also allow us to drop `systemdsystemunitdir` option since
systemd hardcodes it to `${rootprefix}/lib/systemd/system`.
Since bash-completion 2.9, it was no longer possible to override
the completionsdir through prefix. [1] In 2.10, the overridability
was re-estabilished but this time through datadir variable. [2]
This should not really matter except for developers installing the project
into a custom prefix or distros using per-package prefixes like NixOS.
[1]: 81ba2c7e7d
[2]: https://github.com/scop/bash-completion/pull/344
The README says: "A test suite that can be used to interact with a fake device is installed when configured with `-Ddaemon=true` and `-Dtests=true`", so actually only install these tests when tests are enabled.
From [Lennart’s answer on systemd-devel][1]:
> fwupd.target should not list the various network management solutions,
> that is unnecessary, and ordering after network.target should be
> sufficient to achieve the same, in a generic fashion. i.e. network
> managers should order themselves before network.target, so that
> ordering yourself after that automatically orders you after all
> implementations at once...
So, remove the unneeded targets. As the service unit is not
installed/enabled, and instead called by a timer, the system will most
probably be online already.
[1]: https://lists.freedesktop.org/archives/systemd-devel/2020-March/044205.html
"Best practices for starting unit only if network is online"
A Jcat file can be used to store GPG, PKCS-7 and SHA-256 checksums for multiple
files. This allows us to sign a firmware or metadata multiple times (perhaps
by the OEM and also then the LVFS) which further decentralizes the trust model
of the LVFS.
The Jcat format was chosen as the Microsoft catalog format is nonfree and not
documented. We also don't want to modify an existing .cat file created from WU
as this may make it unsuitable to use on Windows.
More information can be found here: https://github.com/hughsie/libjcat
If the measurements are missing but it's a UEFI system, it's a good indication
that the user has secure boot turned off.
Notify the user on the UEFI device through a non-fatal `UpdateMessage`
To accomplish this, move fu-uefi-vars into the plugin library for other plugins to use
This allows it to be refreshed anytime the daemon updates rather
than once a day by a systemd job.
As part of this change, remove the logging from `fwupdmgr` which
was only used for motd purposes.
Some hardware does not handle upgrading from version 1.2.2 to 1.2.4 and instead
needs to be upgraded from 1.2.2->1.2.3->1.2.4 so that on-device metadata can be
migrated correctly.
Add a new per-device flag `install-all-releases` which causes the daemon to not
skip directly to the newest release. This is designed to be set from a quirk
file.
This can obviously only be used for devices that can apply firmware "live" and
thus do not need a reboot or system shutdown to actually apply the firmware.
This also needs the cabinet archive to ship multiple versions of the firmware,
and for the metainfo.xml file to refer to multiple release objects.
In some CI infrastructures other devices show up and so the webcam
is not automatically picked.
```
Enabling fwupd-tests remote...
Successfully enabled remote
Update the device hash database...
Choose a device:
0. Cancel
1. 08d460be0f1f9f128413f816022a6439e0078018 (Integrated Webcam™)
2. bbbf1ce3d1cf15550c3760b354592040292415bb (Virtio network device)
Request canceled
FAIL: fwupd/fwupdmgr.test (Child process exited with code 2)
SUMMARY: total=1; passed=0; skipped=0; failed=1; user=0.0s; system=0.0s; maxrss=11736
FAIL: fwupd/fwupdmgr.test (Child process exited with code 2)
autopkgtest [22:09:32]: test ci: -----------------------]
ci FAIL non-zero exit status 2
autopkgtest [22:09:33]: test ci: - - - - - - - - - - results - - - - - - - - - -
autopkgtest [22:09:33]: @@@@@@@@@@@@@@@@@@@@ summary
ci FAIL non-zero exit status 2
```
