uefi-ssp-policy: Add a new plugin to detect missing SkuSiPolicy attributes #7331
base: main
Conversation
@jsetje some review most welcome please
force-pushed from 9b9d646 to 71d4751
force-pushed from 71d4751 to 07610f3
@jsetje does this look sane?
```c
/* we can fix this! */
fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_CAN_FIX);
fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
```
premature, no? I don't see any code in here calling out the fix.
Ohh `fu_uefi_ssp_policy_plugin_fix_host_security_attr` does exist -- apparently by setting the `SSPPolicy` key to 1, on next reboot shim will create the `SkuSiPolicyVersion` and `SkuSiPolicyUpdateSigners` -- although it doesn't seem to work for me at all. @vathpela can you see anything fishy here? I can't get shim to set the
force-pushed from d89270a to ae627d5
```c
}

/* we can fix this! */
fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_CAN_FIX);
```
I think you need to check whether `SSPPolicy` already exists though, don't you? It can only be fixed if the file doesn't exist.
Can you use the dummy efivars interface for a self test? Then you can cover existing variables, junk variables, all the permutations we might see in the wild.
@superm1 talking of testing -- do we have a plan for getting coverage back? At least physiologically seeing a number "go down" means we're more likely to write tests.
I'm trying to remember why it broke. It was some random bug in Debian we couldn't figure out, right? Maybe we should just try to turn it back on in a PR and see what happens.
force-pushed from ae627d5 to 0c67938
```c
(void)g_setenv("G_MESSAGES_DEBUG", "all", TRUE);

/* tests go here */
g_test_add_func("/uefi-ssp-policy/hsi", fu_uefi_ssp_policy_plugin_func);
```
This is great! Can you add a second test of no Windows in the boot order? Look at `SkuSiPolicyVersion` perhaps - https://support.microsoft.com/en-us/topic/kb5027455-guidance-for-blocking-vulnerable-windows-boot-managers-522bb851-0a61-44ad-aa94-ad11119c5e91
I assume you're running a sufficiently new shim? The SkuSi support went into 15.8. Here's the code in mokutil that sets the variable: https://github.com/lcp/mokutil/blob/master/src/mokutil.c#L1792 -- the attributes probably matter. Also, the interface I've been trying to preserve is mokutil not inherently setting the variables, although I'm willing to promote that by adding an appropriate comment to where shim consumes the variables. Oh, the SkuSi variables are all BS variables only. I don't think they get mirrored to RT counterparts, since they aren't really part of MOK, although perhaps they should -- which would open the question of whether or not they should be measured (only?) when the Windows CA is trusted, which adds quite a bit of complexity. Hmm.
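As an added example (not code from this PR or from fwupd), the decision logic the reviewers are discussing, run over a constructed in-memory variable store in the spirit of the "dummy efivars" self test suggested earlier in the thread: the check reports the SkuSi variables as missing, offers the fix only while `SSPPolicy` has not already been written, treats present-but-empty variables as junk rather than something a reboot would repair, and models the boot-services-only attribute point, since a variable without `EFI_VARIABLE_RUNTIME_ACCESS` is not returned by a runtime `GetVariable()` and so reads as absent from the OS. The store contents, attribute sets and payload bytes are constructed; `SSP_RESULT_*` and `SSP_FLAG_CAN_FIX` only mirror the fwupd names in the snippets above and are not its API, and GUIDs are omitted from the mock.

```c
/* Added example (not fwupd code): the SkuSiPolicy check over a constructed,
 * in-memory EFI variable store, covering the permutations named in review:
 * nothing set, SSPPolicy already set, boot-services-only variables, junk data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI variable attribute bits as defined by the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE       0x1u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x2u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x4u

/* Local stand-ins for the fwupd result/flag names; the values are ours. */
enum ssp_result { SSP_RESULT_VALID, SSP_RESULT_NOT_FOUND, SSP_RESULT_NOT_VALID };
#define SSP_FLAG_CAN_FIX 0x1u

struct ssp_check {
    enum ssp_result result;
    unsigned flags;
};

/* One variable in the mock store; real efivars are also keyed by GUID (omitted). */
struct mock_efivar {
    const char *name;
    uint32_t attrs;
    const uint8_t *data;
    size_t size;
};

struct mock_store {
    const struct mock_efivar *vars;
    size_t n;
};

/* Models a runtime GetVariable(): a variable without EFI_VARIABLE_RUNTIME_ACCESS
 * is not visible to the OS, so boot-services-only variables read as absent. */
static const struct mock_efivar *
mock_get_variable(const struct mock_store *s, const char *name)
{
    for (size_t i = 0; i < s->n; i++) {
        if (strcmp(s->vars[i].name, name) == 0 &&
            (s->vars[i].attrs & EFI_VARIABLE_RUNTIME_ACCESS))
            return &s->vars[i];
    }
    return NULL;
}

/* VALID only when both SkuSi variables are present with data; NOT_VALID when one is
 * present but empty; otherwise NOT_FOUND, with CAN_FIX offered only while SSPPolicy
 * has not already been set (writing it again would not help, shim acts on reboot). */
static struct ssp_check
check_sku_si_policy(const struct mock_store *s)
{
    struct ssp_check out = { SSP_RESULT_VALID, 0 };
    const struct mock_efivar *ver = mock_get_variable(s, "SkuSiPolicyVersion");
    const struct mock_efivar *signers = mock_get_variable(s, "SkuSiPolicyUpdateSigners");

    if (ver != NULL && signers != NULL) {
        if (ver->size == 0 || signers->size == 0)
            out.result = SSP_RESULT_NOT_VALID; /* junk: present but empty */
        return out;
    }
    out.result = SSP_RESULT_NOT_FOUND;
    if (mock_get_variable(s, "SSPPolicy") == NULL)
        out.flags |= SSP_FLAG_CAN_FIX;
    return out;
}

/* Constructed scenarios: SSPPolicy = 1 as the PR describes; the SkuSi payload bytes
 * are a placeholder, not the real variable format. */
static const uint8_t ssp_set = 1;
static const uint8_t blob[4] = { 1, 2, 3, 4 };
#define ATTRS_RT (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define ATTRS_BS_ONLY (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)

static struct ssp_check
scenario(int which)
{
    static const struct mock_efivar ssp_only[] = {
        { "SSPPolicy", ATTRS_RT, &ssp_set, 1 } };
    static const struct mock_efivar bs_only[] = {
        { "SSPPolicy", ATTRS_RT, &ssp_set, 1 },
        { "SkuSiPolicyVersion", ATTRS_BS_ONLY, blob, sizeof(blob) },
        { "SkuSiPolicyUpdateSigners", ATTRS_BS_ONLY, blob, sizeof(blob) } };
    static const struct mock_efivar junk[] = {
        { "SkuSiPolicyVersion", ATTRS_RT, blob, 0 },
        { "SkuSiPolicyUpdateSigners", ATTRS_RT, blob, sizeof(blob) } };
    static const struct mock_efivar good[] = {
        { "SkuSiPolicyVersion", ATTRS_RT, blob, sizeof(blob) },
        { "SkuSiPolicyUpdateSigners", ATTRS_RT, blob, sizeof(blob) } };
    struct mock_store s = { NULL, 0 }; /* 0: fresh system, nothing set */

    switch (which) {
    case 1: s.vars = ssp_only; s.n = 1; break; /* fix already requested, no reboot yet */
    case 2: s.vars = bs_only; s.n = 3; break;  /* shim wrote BS-only variables */
    case 3: s.vars = junk; s.n = 2; break;     /* version variable present but empty */
    case 4: s.vars = good; s.n = 2; break;     /* both present with data */
    default: break;
    }
    return check_sku_si_policy(&s);
}

int
main(void)
{
    static const char *names[] = { "VALID", "NOT_FOUND", "NOT_VALID" };
    for (int i = 0; i < 5; i++) {
        struct ssp_check c = scenario(i);
        printf("scenario %d: %s%s\n", i, names[c.result],
               (c.flags & SSP_FLAG_CAN_FIX) ? " (can fix)" : "");
    }
    return 0;
}
```

Scenario 2 is the case the thread is circling: even after shim has created the variables, a check that reads them through the runtime interface will still see them as missing, so the self test should include a store where they exist with boot-services-only attributes and assert that no second fix is offered.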
```c
guint8 val = SHIM_SSP_POLICY_LATEST;

/* shim will do the right thing on next boot */
if (!fu_efivars_set_data(efivars,
```
I would think that would work.
Fixes #7329