status: Warn about firmware quirks #189
Conversation
I like this! Generally I would need help to maintain a list of quirks; we probably need a new section as well.
Generally it's a very good first draft :) Just need to figure out how to best document all of this!
I found that it is possible to get the IFR data from the OS. This method relies on reading the HiiDB efivar, which has the address and size. The only issue is that it requires reading from

I wrote a very messy proof of concept in half Python, half shell:

```python
#!/usr/bin/env python3
import os, shutil, struct

# The HiiDB efivar holds the size and physical address of the exported HII
# database; the 4 leading bytes are the attribute word efivarfs prepends.
with open("/sys/firmware/efi/efivars/HiiDB-1b838190-4625-4ead-abc9-cd5e6af18fe0", "rb") as f:
    size, addr = struct.unpack('@xxxxII', f.read())

# Read the HII database itself out of physical memory.
with open("/dev/mem", "rb") as f:
    f.seek(addr)
    hiidb = f.read(size)

# HII strings are UCS-2, so dropping the NUL bytes leaves plain ASCII to search.
if hiidb.replace(b"\x00", b"").find(b"Image Execution Policy") == -1:
    print("Image Execution Policy settings not found in HiiDB")
else:
    print("Image Execution Policy settings found in HiiDB")

# Dump the database to a scratch directory for ifrextractor.
try:
    shutil.rmtree("/tmp/hiidb")
except FileNotFoundError:
    pass
os.mkdir("/tmp/hiidb")
with open("/tmp/hiidb/hiidb", "wb") as f:
    f.write(hiidb)

# Extract the IFR and inspect the three Image Execution Policy options;
# a DefaultId of 0x0 on them is reported as insecure defaults.
os.system("""
cd /tmp/hiidb
ifrextractor /tmp/hiidb/hiidb 1>/dev/null
output="$(grep -A1 -E 'OneOf Prompt: "(Option ROM|Removable Media|Fixed Media)", Help: "Image Execution Policy' /tmp/hiidb/*ifr.txt)"
if echo "$output" | grep -q "DefaultId: 0x0"; then
    printf "\033[1;31mInsecure defaults\033[0m\n"
else
    printf "\033[1;32mSecure defaults\033[0m\n"
fi
""")
shutil.rmtree("/tmp/hiidb")
```

Because of the issues with this approach, I don't think it would make

I don't know how else I would be able to read this data if not from
567af92 to eb3753a
I've started improving the end-to-end unit testing support in

So if you want to try to write unit tests for the CLI interface to test this feature, it should be possible :)

https://github.com/Foxboron/sbctl/blob/master/cmd/sbctl/status_test.go
https://github.com/Foxboron/go-uefi/blob/master/efi/efitest/files.go
Sure thing, will do. I just had some free time and tried, but I'm not really sure how I'm

```go
SetFS(
	fstest.MapFS{
		"/sys/devices/virtual/dmi/id/board_vendor": {
			Data: []byte{0x0, 0x6, 0x0, 0x0, 0x1}},
	},
	fstest.MapFS{
		"/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c": {
			Data: []byte{0x0, 0x6, 0x0, 0x0, 0x1}},
	},
	efitest.SecureBootOn(),
)
```

I tried something like this and I get such output:

When I change the Setup Mode part to

When I change the check in fq0001.go

```go
if dmi.Table.BoardVendor == "not Micro-Star International Co., Ltd." && dmi.Table.ChassisType == "3" {
```

So clearly it does set the Setup Mode and Secure Boot efivar files, but it

Will look more into it in the morning in my timezone.
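For the unit-test approach discussed above, here is an added, self-contained example (not sbctl's own code; `SetFS`, `fq0001.go` and the `efitest` helpers are not used) of a quirk check driven entirely by an `fs.FS`, with a `fstest.MapFS` fixture that gives each file its real on-disk shape: sysfs DMI attributes are text lines, while efivarfs files are 4 attribute bytes followed by the value, and `fs.FS` paths carry no leading slash. The vendor rule, the quirk ID and `FakeFS` are stand-ins I made up for the example, not sbctl's real fq0001 logic.

```go
package main

import (
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// efivarFlag reads a one-byte EFI variable via efivarfs: 4 attribute bytes, then the payload.
func efivarFlag(fsys fs.FS, name string) (bool, error) {
	b, err := fs.ReadFile(fsys, "sys/firmware/efi/efivars/"+name+"-8be4df61-93ca-11d2-aa0d-00e098032b8c")
	if err != nil {
		return false, err
	}
	if len(b) != 5 {
		return false, fmt.Errorf("%s: want 4 attribute bytes + 1 value byte, got %d", name, len(b))
	}
	return b[4] == 1, nil
}

// FirmwareQuirks reports SetupMode and the quirk IDs whose rule matches the machine in fsys.
// fs.FS paths are unrooted (no leading slash). The vendor rule is a stand-in for fq0001.
func FirmwareQuirks(fsys fs.FS) (setupMode bool, quirks []string, err error) {
	if setupMode, err = efivarFlag(fsys, "SetupMode"); err != nil {
		return false, nil, err
	}
	// sysfs DMI attributes are plain text with a trailing newline, unlike efivar bytes.
	b, err := fs.ReadFile(fsys, "sys/devices/virtual/dmi/id/board_vendor")
	if err != nil {
		return false, nil, err
	}
	if strings.TrimSpace(string(b)) == "Micro-Star International Co., Ltd." {
		quirks = append(quirks, "fq0001")
	}
	return setupMode, quirks, nil
}

// FakeFS builds the in-memory tree a unit test hands to FirmwareQuirks (constructed data).
func FakeFS(vendor string, setupMode byte) fstest.MapFS {
	return fstest.MapFS{
		"sys/devices/virtual/dmi/id/board_vendor":                                  {Data: []byte(vendor + "\n")},
		"sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c": {Data: []byte{0x6, 0, 0, 0, setupMode}},
	}
}

func main() {
	fmt.Println(FirmwareQuirks(FakeFS("Micro-Star International Co., Ltd.", 1))) // true [fq0001] <nil>
}
```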
I had actually tried changing

If we add

Idk what to do with this now, I guess I can just execute it in

EDIT: Just checked

It's fine, I don't mind.

Please only parse it when we need it :) We probably don't need this as global state.
0224907 to 37526c9
Since there is no way to PR to the wiki, here are my changes:

EDIT: Maybe we should use something else than the wiki? Some information will

Could ship these docs with sbctl, but it would get outdated fast. I think having some website would be a good idea.

I did buy the domain https://github.com/Foxboron/secureboot.dev

Might be an idea to figure out a use case for that thing.

Thanks for working on this :)

Thanks for adding this feature! I just applied the changes from the wiki and it worked in my testing. Will these quirks still be displayed even after the changes in the BIOS are made? I want to make sure I have it set up properly and didn't know if this warning was still telling me otherwise.

Yes, they will still be displayed, at least this one.
Related: #181
Just a rough idea, would like to hear your input.