A new HSI security attribute showing the system boot mode (Legacy or UEFI)

[smallorange]

Could a system boot mode attribute be added to HSI security attribute?

Since secure boot can work properly under the UEFI boot mode, if the system is booted under the legacy mode, the secure boot may partially or not work under this boot mode configuration. Showing the boot mode can help users notice their system is not configured properly and allows them to tweak the configuration to improve the system security.

An AppstreamId called "org.fwupd.hsi.boot.mode" can be added and used to show the boot mode status. It also can be a condition of HSI-1. fwupd detects the system boot mode and put the results into this attribute. If fwupd finds the system is booted under the legacy mode, the HSI will be 0. So, the user can notice this and start to repair their system. By showing both secure boot and boot mode status, the ordinary users can fully understand their system security level and also introduce the correct system configuration to the ordinary users to protect their system. :)

[superm1]

I would argue this is something that should be done at installation time not by the time someone is already installed and using the system.

I acknowledge this is deflecting the problem but the reality is that "repairing" for booting in UEFI mode is not trivial. The installer will need to have created an EFI system partition and installed a bootloader.

Typically there is a bifurcated experience where ESP isn't created and set up unless you boot in UEFI mode to start.

[smallorange]

Thanks for the reply.

I agree that it is not an easy task to switch from legacy to UEFI boot mode. Typically, the ordinary user should reinstall their system.
The ordinary user may not know their system is configured using Legacy boot and start to install the system. They would find a warning "secure-boot is disabled" but the ordinary user would not know the reason for it.

This time, if fwupd could provide some information about secure-boot being disabled for some reason (based on the current boot mode configuration), the ordinary user could have a chance to configure and reinstall their system after finishing installing under legacy boot mode.

[superm1]

The other thing you need to keep in mind is that some systems don't support UEFI secure boot. coreboot, really old x86 systems without UEFI, architectures without UEFI etc.

Anyway; I think this will meet your suggestion: #4535

[smallorange]

Thank you for the information. I'll test it :)

[hughsie]

I think @smallorange was asking for some kind of HSI test failure when in CSM or legacy mode -- but I wonder if org.fwupd.hsi.Uefi.SecureBoot being not-found is what we can use for this.

[smallorange]

It could be used to indicate the boot mode. Moreover, the possible reasons could have to be found in the documents.