If a specific plugin calls fu_plugin_set_secure_config_value() and then
fu_plugin_set_config_value() then we'll save the file with the world-readable
permissions.
Set a plugin flag to say that 'this plugin is storing sensitive details' which
allows us to use the same entrypoint and also fix up any files at startup that
do not have the correct permissions.
When the redfish plugin automatically creates an OPERATOR user account on the
BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
the keyfile string data.
I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
used to copy permissions, but alas not.
GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
which undoes the previous chmod().
Use g_file_set_contents_full() with the correct mode for newer GLib versions,
and provide a fallback with the same semantics for older versions.
We now have two plugins getting the ESP values, and we only allow hardcoding
the ESP in uefi_capsule.conf.
Make all this a lot simpler by moving the ESP+BDP code to `FuContext`, which
also means we can handle the override (via the config file) in the engine,
and the override (in the command line tools) using the same mechanism.
Also, automate the migration of the `OverrideESPMountPoint` -> `EspLocation`
when loading the engine.
Fixes https://github.com/fwupd/fwupd/issues/5042
This feature adds support for platform capability BOS descriptors which allows
the device itself to ship quirk data.
Use `sudo fwupdtool get-devices --save-backends=FILENAME` to save fake backend
devices to a file. This allows easy creation of self tests that do not require
physical hardware.
It's true that the USB4 spec won't require x86, but a recent autopkgtest
failure on powerpc doesn't make sense to debug. You won't ever see TBT
in a powerpc machine.
We can loosen this to any non-x86 architectures later that DO prove to
have support for USB4 add-in cards.
Add a plugin for supporting Android bootloaders which are used on
all Qualcomm-based Android devices. These bootloaders are stored on
their own partitions and the partition table cannot be altered on
Qualcomm devices. This plugin supports any block device, but only
exposes the ones defined in the quirk file as updatable.
This is being used for other products, e.g. USB4 docks.
If non-Intel firmware is being used (e.g. ASMedia) then the explicit
calls to `fu_intel_thunderbolt_nvm_new()` can be changed to something
like `fu_firmware_new_from_gtypes()` with all the formats listed.
A user can place a JSON file in /etc/fwupd/bios-settings.d/ with
the default desired policy for the machine.
fwupd will load this policy on startup to ensure BIOS settings
are set as desired by the system administrator.
These are currently used interchangeably since there was indecisiveness
which to use as the feature was being developed.
As outward facing it will be named with "settings", change all uses
in the code to match this.
* trivial: ci: debian: Use helper script to install dependencies instead.
Should fix building Debian stable containers
Fixes: #4901
* trivial: debian: ci: only populate fwupd-doc if dependencies are met
* trivial: ci: debian: generate control file using fwupd_setup_helpers
We used the firmware builder functionality to either build or modify
firmware images on the end-user system, e.g. copying the MAC address
from the old system image to the new system image.
Unfortunately running fwupd on the command line (e.g. ./src/fwupd)
leaves the tty connected and thus bubblewrap doesn't protect us from
installing malicious signed firmware. The firmware would have to have
been uploaded to the LVFS by a trusted vendor and signed before being
installed, which further decreases the severity of this problem.
As there was only one vendor who asked for this functionality (who have
yet to upload a single firmware to the LVFS...) just rip out this
functionality to reduce our attack surface and completely fix the bug,
and any like it.
Many thanks to Aaron Janse <aaron@ajanse.me> for discovering and
disclosing this issue to us.
By pre-commit getting setup early we were installing markdown and
meson into the virtual environment. This might not be a bad thing
if we encouraged virtual environments for development, but we don't.
`yu` was added in 014e5526ff to solve cache issues.
But since then several other invocations of pacman have been added and doing so constantly is pointless, as you are unlikely to see new upgrades while the CI is running (and it might not be desired either). It also breaks testing older versions of fwupd as seen in GH-4860. So upgrade only once at the beginning and keep installing from the same cache afterwards.
This allows us to load sets of different host security attributes
for testing the various front end tools we have now. e.g.
sudo FWUPD_HOST_EMULATE=thinkpad-p1-iommu.json.gz fwupd
or, using a non-compressed absolute path:
sudo FWUPD_HOST_EMULATE=/tmp/test/thinkpad-p1-iommu.json fwupd
Data can be created with `./contrib/generate-emulation.py file.json`
and then can be manually modified if required. Running the script on
a file that already exists will just strip out any unneeded data, as
well as piping content into it using stdin.
As a precaution, the org.fwupd.hsi.HostEmulation attribute is added
so we do not ask the user to upload the HSI report. It also allows
the LVFS to ignore any HSI reports with this attribute for clients
that upload HSI reports regardless.
See https://github.com/fwupd/fwupd/discussions/4832