/* * Copyright (C) 2020 Richard Hughes * * SPDX-License-Identifier: LGPL-2.1+ */ #define G_LOG_DOMAIN "FuSecurityAttrs" #include "fu-security-attrs.h" #include #include #include "fwupd-security-attr-private.h" #include "fwupd-version.h" #include "fu-security-attrs-private.h" #include "fu-security-attrs.h" /** * FuSecurityAttrs: * * A set of Host Security ID attributes that represents the system state. */ struct _FuSecurityAttrs { GObject parent_instance; GPtrArray *attrs; }; /* probably sane to *not* make this part of the ABI */ #define FWUPD_SECURITY_ATTR_ID_DOC_URL "https://fwupd.github.io/hsi.html" G_DEFINE_TYPE(FuSecurityAttrs, fu_security_attrs, G_TYPE_OBJECT) static void fu_security_attrs_finalize(GObject *obj) { FuSecurityAttrs *self = FU_SECURITY_ATTRS(obj); g_ptr_array_unref(self->attrs); G_OBJECT_CLASS(fu_security_attrs_parent_class)->finalize(obj); } static void fu_security_attrs_class_init(FuSecurityAttrsClass *klass) { GObjectClass *object_class = G_OBJECT_CLASS(klass); object_class->finalize = fu_security_attrs_finalize; } static void fu_security_attrs_init(FuSecurityAttrs *self) { self->attrs = g_ptr_array_new_with_free_func((GDestroyNotify)g_object_unref); } /** * fu_security_attrs_append: * @self: a #FuSecurityAttrs * @attr: a #FwupdSecurityAttr * * Adds a #FwupdSecurityAttr to the array. * * Since: 1.5.0 **/ void fu_security_attrs_append(FuSecurityAttrs *self, FwupdSecurityAttr *attr) { g_return_if_fail(FU_IS_SECURITY_ATTRS(self)); g_return_if_fail(FWUPD_IS_SECURITY_ATTR(attr)); /* sanity check */ if (fwupd_security_attr_get_plugin(attr) == NULL) { g_warning("%s has no plugin set", fwupd_security_attr_get_appstream_id(attr)); } /* sanity check, and correctly prefix the URLs with the current mirror */ if (fwupd_security_attr_get_url(attr) == NULL) { g_autofree gchar *url = NULL; url = g_strdup_printf("%s#%s", FWUPD_SECURITY_ATTR_ID_DOC_URL, fwupd_security_attr_get_appstream_id(attr)); fwupd_security_attr_set_url(attr, url); } else if (g_str_has_prefix(fwupd_security_attr_get_url(attr), "#")) { g_autofree gchar *url = NULL; url = g_strdup_printf("%s%s", FWUPD_SECURITY_ATTR_ID_DOC_URL, fwupd_security_attr_get_url(attr)); fwupd_security_attr_set_url(attr, url); } g_ptr_array_add(self->attrs, g_object_ref(attr)); } /** * fu_security_attrs_to_variant: * @self: a #FuSecurityAttrs * * Serializes the #FwupdSecurityAttr objects. * * Returns: a #GVariant or %NULL * * Since: 1.5.0 **/ GVariant * fu_security_attrs_to_variant(FuSecurityAttrs *self) { GVariantBuilder builder; g_return_val_if_fail(FU_IS_SECURITY_ATTRS(self), NULL); g_return_val_if_fail(self->attrs->len > 0, NULL); g_variant_builder_init(&builder, G_VARIANT_TYPE_ARRAY); for (guint i = 0; i < self->attrs->len; i++) { FwupdSecurityAttr *security_attr = g_ptr_array_index(self->attrs, i); GVariant *tmp = fwupd_security_attr_to_variant(security_attr); g_variant_builder_add_value(&builder, tmp); } return g_variant_new("(aa{sv})", &builder); } /** * fu_security_attrs_get_all: * @self: a #FuSecurityAttrs * * Gets all the attributes in the object. * * Returns: (transfer container) (element-type FwupdSecurityAttr): attributes * * Since: 1.5.0 **/ GPtrArray * fu_security_attrs_get_all(FuSecurityAttrs *self) { g_return_val_if_fail(FU_IS_SECURITY_ATTRS(self), NULL); return g_ptr_array_ref(self->attrs); } /** * fu_security_attrs_remove_all: * @self: a #FuSecurityAttrs * * Removes all the attributes in the object. * * Since: 1.5.0 **/ void fu_security_attrs_remove_all(FuSecurityAttrs *self) { g_return_if_fail(FU_IS_SECURITY_ATTRS(self)); return g_ptr_array_set_size(self->attrs, 0); } /** * fu_security_attrs_calculate_hsi: * @self: a #FuSecurityAttrs * @flags: HSI attribute flags * * Calculates the HSI string from the appended attributes. * * Returns: (transfer full): a string or %NULL * * Since: 1.5.0 **/ gchar * fu_security_attrs_calculate_hsi(FuSecurityAttrs *self, FuSecurityAttrsFlags flags) { guint hsi_number = 0; FwupdSecurityAttrFlags attr_flags = FWUPD_SECURITY_ATTR_FLAG_NONE; GString *str = g_string_new("HSI:"); const FwupdSecurityAttrFlags hpi_suffixes[] = { FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE, FWUPD_SECURITY_ATTR_FLAG_NONE, }; g_return_val_if_fail(FU_IS_SECURITY_ATTRS(self), NULL); /* find the highest HSI number where there are no failures and at least * one success */ for (guint j = 1; j <= FWUPD_SECURITY_ATTR_LEVEL_LAST; j++) { gboolean success_cnt = 0; gboolean failure_cnt = 0; for (guint i = 0; i < self->attrs->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i); if (fwupd_security_attr_get_level(attr) != j) continue; if (fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) success_cnt++; else if (!fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) failure_cnt++; } /* abort */ if (failure_cnt > 0) { hsi_number = j - 1; break; } /* we matched at least one thing on this level */ if (success_cnt > 0) hsi_number = j; } /* get a logical OR of the runtime flags */ for (guint i = 0; i < self->attrs->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i); if (fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) continue; if (fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE) && fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) continue; attr_flags |= fwupd_security_attr_get_flags(attr); } g_string_append_printf(str, "%u", hsi_number); if (attr_flags & FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE) { for (guint j = 0; hpi_suffixes[j] != FWUPD_SECURITY_ATTR_FLAG_NONE; j++) { if (attr_flags & hpi_suffixes[j]) g_string_append( str, fwupd_security_attr_flag_to_suffix(hpi_suffixes[j])); } } if (flags & FU_SECURITY_ATTRS_FLAG_ADD_VERSION) { g_string_append_printf(str, " (v%d.%d.%d)", FWUPD_MAJOR_VERSION, FWUPD_MINOR_VERSION, FWUPD_MICRO_VERSION); } return g_string_free(str, FALSE); } static gchar * fu_security_attrs_get_sort_key(FwupdSecurityAttr *attr) { GString *str = g_string_new(NULL); /* level */ g_string_append_printf(str, "%u", fwupd_security_attr_get_level(attr)); /* success -> fail -> obsoletes */ if (fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS)) { g_string_append(str, "0"); } else if (!fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS) && !fwupd_security_attr_has_flag(attr, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED)) { g_string_append(str, "1"); } else { g_string_append(str, "9"); } /* prefer name, but fallback to appstream-id for tests */ if (fwupd_security_attr_get_name(attr) != NULL) { g_string_append(str, fwupd_security_attr_get_name(attr)); } else { g_string_append(str, fwupd_security_attr_get_appstream_id(attr)); } return g_string_free(str, FALSE); } static gint fu_security_attrs_sort_cb(gconstpointer item1, gconstpointer item2) { FwupdSecurityAttr *attr1 = *((FwupdSecurityAttr **)item1); FwupdSecurityAttr *attr2 = *((FwupdSecurityAttr **)item2); g_autofree gchar *sort1 = fu_security_attrs_get_sort_key(attr1); g_autofree gchar *sort2 = fu_security_attrs_get_sort_key(attr2); return g_strcmp0(sort1, sort2); } /** * fu_security_attrs_depsolve: * @self: a #FuSecurityAttrs * * Marks any attributes with %FWUPD_SECURITY_ATTR_FLAG_OBSOLETED that have been * defined as obsoleted by other attributes. * * It is only required to call this function once, and should be done when all * attributes have been added. This will also sort the attrs. * * Since: 1.5.0 **/ void fu_security_attrs_depsolve(FuSecurityAttrs *self) { g_autoptr(GHashTable) attrs_by_id = NULL; g_return_if_fail(FU_IS_SECURITY_ATTRS(self)); /* make hash of ID -> object */ attrs_by_id = g_hash_table_new(g_str_hash, g_str_equal); for (guint i = 0; i < self->attrs->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i); g_hash_table_insert(attrs_by_id, (gpointer)fwupd_security_attr_get_appstream_id(attr), (gpointer)attr); } /* set flat where required */ for (guint i = 0; i < self->attrs->len; i++) { FwupdSecurityAttr *attr = g_ptr_array_index(self->attrs, i); GPtrArray *obsoletes = fwupd_security_attr_get_obsoletes(attr); for (guint j = 0; j < obsoletes->len; j++) { const gchar *obsolete = g_ptr_array_index(obsoletes, j); FwupdSecurityAttr *attr_tmp = g_hash_table_lookup(attrs_by_id, obsolete); /* by AppStream ID */ if (attr_tmp != NULL) { g_debug("security attr %s obsoleted by %s", obsolete, fwupd_security_attr_get_appstream_id(attr_tmp)); fwupd_security_attr_add_flag(attr_tmp, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED); } /* by plugin name */ for (guint k = 0; k < self->attrs->len; k++) { attr_tmp = g_ptr_array_index(self->attrs, k); if (g_strcmp0(obsolete, fwupd_security_attr_get_plugin(attr_tmp)) == 0) { g_debug("security attr %s obsoleted by %s", obsolete, fwupd_security_attr_get_appstream_id(attr_tmp)); fwupd_security_attr_add_flag( attr_tmp, FWUPD_SECURITY_ATTR_FLAG_OBSOLETED); } } } } /* sort */ g_ptr_array_sort(self->attrs, fu_security_attrs_sort_cb); } /** * fu_security_attrs_new: * * Returns: a security attribute * * Since: 1.5.0 **/ FuSecurityAttrs * fu_security_attrs_new(void) { return g_object_new(FU_TYPE_SECURITY_ATTRS, NULL); }