Commit Graph

19 Commits

Author SHA1 Message Date
Richard Hughes
deabfc5012 uefi-dbx: Do not upload a failure report for a failed dbx check
Use one of the errors mapping to FWUPD_UPDATE_STATE_FAILED_TRANSIENT to avoid
uploading a failure report for something the user has to fix, i.e. update the
distro shim package.
2020-09-29 13:15:50 +01:00
Richard Hughes
9b688d0b73 trivial: Set FWUPD_STATUS_DECOMPRESSING when preparing firmware
This avoids the plugins forgetting to do it themselves.
2020-09-08 14:18:46 +01:00
Mario Limonciello
5de5dd3582 Install the installed tests
Move binaries out of fwupd tree to https://github.com/fwupd/fwupd-test-firmware

Fixes some of https://github.com/fwupd/fwupd/issues/1956
2020-08-28 10:10:43 -05:00
Mario Limonciello
82c3e3471d Remove support for UEFI dbx security attribute
This is no longer relevant as fwupd is providing dbxtool now.
2020-08-19 07:38:51 +01:00
Richard Hughes
58ba785915 Install the new dbx utility as fwupdbxtool 2020-08-18 17:34:26 +01:00
Richard Hughes
1abb32c623 uefi-dbx: Validate the dbx update is safe to apply
To do this mount all ESP partitions and check all the binaries there to see if
they match any entries in the new dbx. If we applied the update when a hash
matched, we would unintentially 'brick' the users machine, as the grub and shim
binaries *have* to be updated first.

This functionality does reimplement the PE hashing functionality found in
sbsigntools and pesign. This was done for 4 main reasons:

 * There were some memory safety issues found when fuzzing random binaries
 * Executing the tools hundreds of times was a lot of overhead
 * Operating from a blob of immutable mmap'd memory is much faster
 * We only need a very small amount of functionality from both tools
2020-08-17 15:59:02 +01:00
Richard Hughes
0e7102c4f8 uefi-dbx: Fix some NULL/FALSE confusion 2020-08-17 14:47:58 +01:00
Richard Hughes
01d5779597 uefi-dbx: Allow updating the dbx using the LVFS
The GUID is built using the SHA256 of the certificates in the KEK.
2020-08-14 13:22:53 +01:00
Richard Hughes
edc3432338 dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs
Fixes https://github.com/fwupd/fwupd/issues/2319
2020-08-13 21:19:10 +01:00
Richard Hughes
361114784b Add a compatible re-implementation of the rhboot dbxtool 2020-08-13 19:09:40 +01:00
Richard Hughes
99dda53cc2 trivial: Define one more EFI GUID 2020-08-12 15:13:09 +01:00
Richard Hughes
a852254d92 trivial: Hide the UEFI DBX parsing by default 2020-07-03 12:32:06 +01:00
Richard Hughes
85226fd9d1 Remove potentially problematic language
Red Hat wants to drive an initiative in correcting problematic and potentially
divisive language in open source projects. These naming conventions and
descriptive phrases are hurtful and offensive to many of our colleagues across
the open source universe.

See https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language
2020-06-30 17:31:17 +01:00
Richard Hughes
b246bcaecb Allow client tools to translate the HSI attributes and results
To do this, rely on the AppStream ID to map to a translated string (providing a
fallback for clients that do not care) and switch the free-form result string
into a set of enumerated values that can be translated.

This fixes some of the problems where some things have to be enabled to "pass"
and other attributes have to be some other state. For cases where we want the
user to "do" something, provide a URL to a wiki page that we update out-of-band
of fwupd releases.
2020-05-18 17:03:49 +01:00
Richard Hughes
cae111d1de Save the plugin that created the FwupdSecurityAttr
This is really useful for debugging.
2020-05-15 16:17:27 +01:00
Mario Limonciello
05b9eb5936 trivial: remove an extra colon at the end of uefi-dbx error 2020-05-14 15:40:24 -05:00
Richard Hughes
c1eda7d516 Add many new plugins to support for the Host Security ID
The HSI specification is currently incomplete and in active development.

Sample output for my Lenovo P50 Laptop:

    Host Security ID: HSI:2+UA!

    HSI-1
    ✔  UEFI dbx: OK
    ✔  TPM: v2.0
    ✔  SPI: Write disabled
    ✔  SPI: Lock enabled
    ✔  SPI: SMM required
    ✔  UEFI Secure Boot: Enabled

    HSI-2
    ✔  TPM Reconstruction: Matched PCR0 reading

    HSI-3
    ✘  Linux Kernel S3 Sleep: Deep sleep available

    HSI-4
    ✘  Intel CET: Unavailable

    Runtime Suffix -U
    ✔  Firmware Updates: Newest release is 8 months old

    Runtime Suffix -A
    ✔  Firmware Attestation: OK

    Runtime Suffix -!
    ✔  fwupd plugins: OK
    ✔  Linux Kernel: OK
    ✔  Linux Kernel: Locked down
    ✘  Linux Swap: Not encrypted
2020-05-12 21:20:18 +01:00
Mario Limonciello
cb6ec2b18e trivial: uefi-dbx: correct error message on missing file
```
unset error in plugin uefi_dbx for add_security_attrs()
```
2020-05-07 13:02:57 -05:00
Richard Hughes
b9640a28ec uefi-dbx: Add a plugin that analyses the UEFI dbx variable
This will be used for future functionality.
2020-05-07 16:59:36 +01:00