[gnome-control-center/wip/firmware-security-descriptions] Show a description for each event
- From: Richard Hughes <rhughes src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-control-center/wip/firmware-security-descriptions] Show a description for each event
- Date: Wed, 27 Jul 2022 08:16:20 +0000 (UTC)
commit a7f2be25334da9e6495ba44f7d9c073788c275d2
Author: Kate Hsuan <hpa redhat com>
Date: Mon Jul 11 15:52:18 2022 +0800
Show a description for each event
Show the HSI event description to improve the UX and match the new mockups.
Fixes: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1938
Signed-off-by: Kate Hsuan <hpa redhat com>
Signed-off-by: Richard Hughes <richard hughsie com>
.../cc-firmware-security-dialog.c | 73 +++-
.../firmware-security/cc-firmware-security-panel.c | 142 ++++---
.../firmware-security/cc-firmware-security-utils.c | 463 +++++++++++----------
.../firmware-security/cc-firmware-security-utils.h | 32 +-
4 files changed, 407 insertions(+), 303 deletions(-)
---
diff --git a/panels/firmware-security/cc-firmware-security-dialog.c
b/panels/firmware-security/cc-firmware-security-dialog.c
index c92202540..e597a9578 100644
--- a/panels/firmware-security/cc-firmware-security-dialog.c
+++ b/panels/firmware-security/cc-firmware-security-dialog.c
@@ -158,16 +158,70 @@ update_dialog (CcFirmwareSecurityDialog *self)
}
}
+static gchar *
+fu_security_attr_get_description_for_dialog (FwupdSecurityAttr *attr)
+{
+ GString *str = g_string_new (attr->description);
+
+ if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM &&
+ attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW &&
+ attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW)
+ {
+ g_string_append_printf (str, "\n\n%s %s",
+ _("Contact your hardware manufacturer for help with security updates."),
+ _("This issue could be resolved in this devices firmware settings (BIOS) "
+ "or by the system administrator."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM &&
+ attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW)
+ {
+ g_string_append_printf (str, "\n\n%s %s",
+ _("Contact your hardware manufacturer for help with security updates."),
+ _("This issue could be resolved in this devices firmware settings (BIOS)."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("Contact your hardware manufacturer for help with security updates."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("This issue could be resolved in this devices firmware settings (BIOS)."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_OS)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("This issue could be resolved by the system administrator."));
+ }
+
+ return g_string_free (str, FALSE);
+}
+
static GtkWidget *
hsi_create_pg_row (const gchar *icon_name,
const gchar *style,
- const gchar *item_name)
+ FwupdSecurityAttr *attr)
{
GtkWidget *row;
+ GtkWidget *subrow;
- row = adw_action_row_new ();
- adw_action_row_set_icon_name (ADW_ACTION_ROW (row), icon_name);
- adw_preferences_row_set_title (ADW_PREFERENCES_ROW (row), fu_security_attr_get_name (item_name));
+ row = adw_expander_row_new ();
+ adw_expander_row_set_icon_name (ADW_EXPANDER_ROW (row), icon_name);
+ adw_preferences_row_set_title (ADW_PREFERENCES_ROW (row), attr->title);
+
+ if (attr->description != NULL)
+ {
+ g_autofree gchar *str = fu_security_attr_get_description_for_dialog (attr);
+ subrow = adw_action_row_new ();
+ gtk_widget_add_css_class (subrow, "view");
+ adw_action_row_set_subtitle (ADW_ACTION_ROW (subrow), str);
+ adw_expander_row_add_row (ADW_EXPANDER_ROW (row), subrow);
+ }
+ else
+ {
+ adw_expander_row_set_enable_expansion (ADW_EXPANDER_ROW (row), false);
+ }
return row;
}
@@ -180,7 +234,6 @@ update_hsi_listbox (CcFirmwareSecurityDialog *self,
GHashTable *hsi_dict = NULL;
GtkWidget *pg_row;
GtkWidget *hsi_pg;
- guint64 flags = 0;
switch (hsi_level)
{
@@ -205,15 +258,17 @@ update_hsi_listbox (CcFirmwareSecurityDialog *self,
hash_keys = g_hash_table_get_keys (hsi_dict);
for (GList *item = g_list_first (hash_keys); item != NULL; item = g_list_next (item))
{
- flags = GPOINTER_TO_INT (g_hash_table_lookup (hsi_dict, item->data));
- if (firmware_security_attr_has_flag (flags, FWUPD_SECURITY_ATTR_FLAG_SUCCESS))
+ FwupdSecurityAttr *attr = g_hash_table_lookup (hsi_dict, item->data);
+ if (attr->title == NULL)
+ continue;
+ if (firmware_security_attr_has_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS))
{
- pg_row = hsi_create_pg_row ("emblem-default-symbolic", "color_green", item->data);
+ pg_row = hsi_create_pg_row ("emblem-default-symbolic", "color_green", attr);
gtk_widget_add_css_class (pg_row, "success-icon");
}
else
{
- pg_row = hsi_create_pg_row ("dialog-error-symbolic", "color_dim", item->data);
+ pg_row = hsi_create_pg_row ("dialog-error-symbolic", "color_dim", attr);
gtk_widget_add_css_class (pg_row, "error-icon");
}
adw_preferences_group_add (ADW_PREFERENCES_GROUP (hsi_pg), GTK_WIDGET (pg_row));
diff --git a/panels/firmware-security/cc-firmware-security-panel.c
b/panels/firmware-security/cc-firmware-security-panel.c
index 2e99424c9..8521ccbab 100644
--- a/panels/firmware-security/cc-firmware-security-panel.c
+++ b/panels/firmware-security/cc-firmware-security-panel.c
@@ -73,17 +73,17 @@ CC_PANEL_REGISTER (CcfirmwareSecurityPanel, cc_firmware_security_panel)
static void
set_secure_boot_button_view (CcfirmwareSecurityPanel *self)
{
+ FwupdSecurityAttr *attr;
guint64 sb_flags = 0;
guint64 pk_flags = 0;
- guint64 *result;
/* get HSI-1 flags if set */
- result = g_hash_table_lookup (self->hsi1_dict, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT);
- if (result != NULL)
- sb_flags = GPOINTER_TO_INT (result);
- result = g_hash_table_lookup (self->hsi1_dict, FWUPD_SECURITY_ATTR_ID_UEFI_PK);
- if (result != NULL)
- pk_flags = GPOINTER_TO_INT (result);
+ attr = g_hash_table_lookup (self->hsi1_dict, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT);
+ if (attr != NULL)
+ sb_flags = attr->flags;
+ attr = g_hash_table_lookup (self->hsi1_dict, FWUPD_SECURITY_ATTR_ID_UEFI_PK);
+ if (attr != NULL)
+ pk_flags = attr->flags;
/* enabled and valid */
if ((sb_flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS) > 0 &&
@@ -121,59 +121,83 @@ set_secure_boot_button_view (CcfirmwareSecurityPanel *self)
}
}
+static gchar *
+fu_security_attr_get_description_for_eventlog (FwupdSecurityAttr *attr)
+{
+ GString *str = g_string_new (attr->description);
+
+ /* nothing to do */
+ if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS)
+ return g_string_free (str, FALSE);
+
+ if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM &&
+ attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("This issue could have been caused by a firmware setting change in the BIOS,
"
+ "an OS setting change or because of malicious software on this system."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("This issue could have been caused by a firmware setting change in the BIOS "
+ "or because of malicious software on this system."));
+ }
+ else if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_OS)
+ {
+ g_string_append_printf (str, "\n\n%s",
+ _("This issue could have been caused by an OS setting change or because "
+ "of malicious software on this system."));
+ }
+
+ return g_string_free (str, FALSE);
+}
+
static void
parse_event_variant_iter (CcfirmwareSecurityPanel *self,
GVariantIter *iter)
{
- FwupdSecurityAttrResult result = 0;
- FwupdSecurityAttrFlags flags = 0;
g_autofree gchar *date_string = NULL;
g_autoptr (GDateTime) date = NULL;
- const gchar *appstream_id = NULL;
- const gchar *key;
- const gchar *event_msg;
- guint64 timestamp = 0;
- GVariant *value;
+ g_autoptr (FwupdSecurityAttr) attr = fu_security_attr_new_from_variant(iter);
GtkWidget *row;
-
- while (g_variant_iter_next (iter, "{&sv}", &key, &value))
- {
- if (g_strcmp0 (key, "AppstreamId") == 0)
- appstream_id = g_variant_get_string (value, NULL);
- else if (g_strcmp0 (key, "Flags") == 0)
- flags = g_variant_get_uint64(value);
- else if (g_strcmp0 (key, "HsiResult") == 0)
- result = g_variant_get_uint32 (value);
- else if (g_strcmp0 (key, "Created") == 0)
- timestamp = g_variant_get_uint64 (value);
- g_variant_unref (value);
- }
+ GtkWidget *subrow;
/* unknown to us */
- if (appstream_id == NULL)
- return;
-
- event_msg = fwupd_event_to_log (appstream_id, result);
- if (event_msg == NULL)
+ if (attr->appstream_id == NULL || attr->title == NULL)
return;
/* build new row */
- date = g_date_time_new_from_unix_local (timestamp);
+ date = g_date_time_new_from_unix_local (attr->timestamp);
date_string = g_date_time_format (date, "\%F \%H:\%m:\%S");
- row = adw_action_row_new ();
- if (flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS)
+
+ row = adw_expander_row_new ();
+ if (attr->flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS)
{
- adw_action_row_set_icon_name (ADW_ACTION_ROW (row), "emblem-default-symbolic");
+ adw_expander_row_set_icon_name (ADW_EXPANDER_ROW (row), "emblem-default-symbolic");
gtk_widget_add_css_class (row, "success-icon");
}
else
{
- adw_action_row_set_icon_name (ADW_ACTION_ROW (row), "dialog-warning-symbolic");
+ adw_expander_row_set_icon_name (ADW_EXPANDER_ROW (row), "dialog-warning-symbolic");
gtk_widget_add_css_class (row, "warning-icon");
}
- adw_preferences_row_set_title (ADW_PREFERENCES_ROW (row), event_msg);
- adw_action_row_set_subtitle (ADW_ACTION_ROW (row), date_string);
+ if (attr->description != NULL)
+ {
+ g_autofree gchar *str = fu_security_attr_get_description_for_eventlog (attr);
+ subrow = adw_action_row_new ();
+ gtk_widget_add_css_class (subrow, "view");
+ adw_action_row_set_subtitle (ADW_ACTION_ROW (subrow), str);
+ adw_expander_row_add_row (ADW_EXPANDER_ROW (row), subrow);
+ }
+ else
+ {
+ adw_expander_row_set_enable_expansion (ADW_EXPANDER_ROW (row), false);
+ }
+
+ adw_preferences_row_set_title (ADW_PREFERENCES_ROW (row), attr->title);
+ adw_expander_row_set_subtitle (ADW_EXPANDER_ROW (row), date_string);
adw_preferences_group_add (ADW_PREFERENCES_GROUP (self->firmware_security_log_pgroup), GTK_WIDGET (row));
adw_view_stack_set_visible_child_name (ADW_VIEW_STACK (self->firmware_security_log_stack), "page2");
@@ -183,59 +207,45 @@ static void
parse_variant_iter (CcfirmwareSecurityPanel *self,
GVariantIter *iter)
{
- GVariant *value;
- const gchar *key;
- const gchar *appstream_id = NULL;
- guint64 flags = 0;
- guint32 hsi_level = 0;
-
- while (g_variant_iter_next (iter, "{&sv}", &key, &value))
- {
- if (g_strcmp0 (key, "AppstreamId") == 0)
- appstream_id = g_variant_get_string (value, NULL);
- else if (g_strcmp0 (key, "Flags") == 0)
- flags = g_variant_get_uint64 (value);
- else if (g_strcmp0 (key, "HsiLevel") == 0)
- hsi_level = g_variant_get_uint32 (value);
- g_variant_unref (value);
- }
+ g_autoptr (FwupdSecurityAttr) attr = fu_security_attr_new_from_variant(iter);
+ const gchar *appstream_id = attr->appstream_id;
/* invalid */
if (appstream_id == NULL)
return;
/* insert into correct hash table */
- switch (hsi_level)
+ switch (attr->hsi_level)
{
case 0:
/* in fwupd <= 1.8.3 org.fwupd.hsi.Uefi.SecureBoot was incorrectly marked as HSI-0,
* so accept either level here to avoid raising the runtime version requirement */
- if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0)
+ if (g_strcmp0 (attr->appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0)
{
g_hash_table_insert (self->hsi1_dict,
g_strdup (appstream_id),
- GINT_TO_POINTER (flags));
+ g_steal_pointer (&attr));
}
break;
case 1:
g_hash_table_insert (self->hsi1_dict,
g_strdup (appstream_id),
- GINT_TO_POINTER (flags));
+ g_steal_pointer (&attr));
break;
case 2:
g_hash_table_insert (self->hsi2_dict,
g_strdup (appstream_id),
- GINT_TO_POINTER (flags));
+ g_steal_pointer (&attr));
break;
case 3:
g_hash_table_insert (self->hsi3_dict,
g_strdup (appstream_id),
- GINT_TO_POINTER (flags));
+ g_steal_pointer (&attr));
break;
case 4:
g_hash_table_insert (self->hsi4_dict,
g_strdup (appstream_id),
- GINT_TO_POINTER (flags));
+ g_steal_pointer (&attr));
break;
}
}
@@ -622,10 +632,10 @@ cc_firmware_security_panel_init (CcfirmwareSecurityPanel *self)
gtk_widget_init_template (GTK_WIDGET (self));
- self->hsi1_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
- self->hsi2_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
- self->hsi3_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
- self->hsi4_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
+ self->hsi1_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify)
fu_security_attr_free);
+ self->hsi2_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify)
fu_security_attr_free);
+ self->hsi3_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify)
fu_security_attr_free);
+ self->hsi4_dict = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify)
fu_security_attr_free);
load_custom_css ("/org/gnome/control-center/firmware-security/security-level.css");
diff --git a/panels/firmware-security/cc-firmware-security-utils.c
b/panels/firmware-security/cc-firmware-security-utils.c
index b3298a131..4b65b9e92 100644
--- a/panels/firmware-security/cc-firmware-security-utils.c
+++ b/panels/firmware-security/cc-firmware-security-utils.c
@@ -26,238 +26,255 @@
#include "cc-firmware-security-utils.h"
-const gchar *
-fu_security_attr_get_name (const gchar *appstream_id)
+/* we don't need to keep this up to date, as any new attrs added by fwupd >= 1.8.3 will also
+ * come with translated titles *and* descriptions */
+static const gchar *
+fu_security_attr_get_title_fallback (const gchar *appstream_id)
{
- struct
- {
- const gchar *id;
- const gchar *name;
- } attr_to_name[] = {
- /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
- { FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE, N_("SPI write"), },
- /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
- { FWUPD_SECURITY_ATTR_ID_SPI_BLE, N_("SPI lock"), },
- /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
- { FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP, N_("SPI BIOS region"), },
- /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
- { FWUPD_SECURITY_ATTR_ID_SPI_DESCRIPTOR, N_("SPI BIOS Descriptor"), },
- /* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack */
- { FWUPD_SECURITY_ATTR_ID_ACPI_DMAR, N_("Pre-boot DMA protection is"), },
- /* TRANSLATORS: Title: BootGuard is a trademark from Intel */
- { FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ENABLED, N_("Intel BootGuard"), },
- /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
- * verified boot refers to the way the boot process is verified */
- { FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_VERIFIED, N_("Intel BootGuard verified boot"), },
- /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
- * ACM means to verify the integrity of Initial Boot Block */
- { FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ACM, N_("Intel BootGuard ACM protected"), },
- /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
- * error policy is what to do on failure */
- { FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_POLICY, N_("Intel BootGuard error policy"), },
- /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
- * OTP = one time programmable */
- { FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_OTP, N_("Intel BootGuard OTP fuse"), },
- /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology,
- * enabled means supported by the processor */
- { FWUPD_SECURITY_ATTR_ID_INTEL_CET_ENABLED, N_("Intel CET"), },
- /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology,
- * active means being used by the OS */
- { FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE, N_("Intel CET Active"), },
- /* TRANSLATORS: Title: SMAP = Supervisor Mode Access Prevention */
- { FWUPD_SECURITY_ATTR_ID_INTEL_SMAP, N_("Intel SMAP"), },
- /* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
- { FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM, N_("Encrypted RAM"), },
- /* TRANSLATORS: Title:
- * https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit */
- { FWUPD_SECURITY_ATTR_ID_IOMMU, N_("IOMMU device protection"), },
- /* TRANSLATORS: Title: lockdown is a security mode of the kernel */
- { FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN, N_("Kernel lockdown"), },
- /* TRANSLATORS: Title: if it's tainted or not */
- { FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED, N_("Kernel tainted"), },
- /* TRANSLATORS: Title: swap space or swap partition */
- { FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP, N_("Linux swap"), },
- /* TRANSLATORS: Title: sleep state */
- { FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM, N_("Suspend-to-ram"), },
- /* TRANSLATORS: Title: a better sleep state */
- { FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE, N_("Suspend-to-idle"), },
- /* TRANSLATORS: Title: PK is the 'platform key' for the machine */
- { FWUPD_SECURITY_ATTR_ID_UEFI_PK, N_("UEFI platform key"), },
- /* TRANSLATORS: Title: SB is a way of locking down UEFI */
- { FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT, N_("Secure boot"), },
- /* TRANSLATORS: Title: PCRs (Platform Configuration Registers) shouldn't be empty */
- { FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR, N_("All TPM PCRs are"), },
- /* TRANSLATORS: Title: the PCR is rebuilt from the TPM event log */
- { FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0, N_("TPM PCR0 reconstruction"), },
- /* TRANSLATORS: Title: TPM = Trusted Platform Module */
- { FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20, N_("TPM v2.0"), },
- /* TRANSLATORS: Title: MEI = Intel Management Engine */
- { FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE, N_("MEI manufacturing mode"), },
- /* TRANSLATORS: Title: MEI = Intel Management Engine, and the
- * "override" is the physical PIN that can be driven to
- * logic high -- luckily it is probably not accessible to
- * end users on consumer boards */
- { FWUPD_SECURITY_ATTR_ID_MEI_OVERRIDE_STRAP, N_("MEI override"), },
- /* TRANSLATORS: Title: MEI = Intel Management Engine */
- { FWUPD_SECURITY_ATTR_ID_MEI_VERSION, N_("MEI version"), },
- /* TRANSLATORS: Title: if firmware updates are available */
- { FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES, N_("Firmware updates"), },
- /* TRANSLATORS: Title: if we can verify the firmware checksums */
- { FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION, N_("Firmware attestation"), },
- /* TRANSLATORS: Title: if the fwupd plugins are all present and correct */
- { FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS, N_("fwupd plugins"), },
- /* TRANSLATORS: Title: Direct Connect Interface (DCI) allows
- * debugging of Intel processors using the USB3 port */
- { FWUPD_SECURITY_ATTR_ID_INTEL_DCI_ENABLED, N_("Intel DCI debugger"), },
- { FWUPD_SECURITY_ATTR_ID_INTEL_DCI_LOCKED, N_("Intel DCI debugger"), },
- /* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack */
- { FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION, N_("Pre-boot DMA protection"), },
- /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
- { FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU, N_("Supported CPU"), }
- };
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BIOSWE) == 0)
+ {
+ /* TRANSLATORS: Title: firmware refers to the flash chip in the computer */
+ return _("Firmware Write Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_BLE) == 0)
+ {
+ /* TRANSLATORS: Title: firmware refers to the flash chip in the computer */
+ return _("Firmware Write Protection Lock");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_SMM_BWP) == 0)
+ {
+ /* TRANSLATORS: Title: SPI refers to the flash chip in the computer */
+ return _("Firmware BIOS Region");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SPI_DESCRIPTOR) == 0)
+ {
+ /* TRANSLATORS: Title: firmware refers to the flash chip in the computer */
+ return _("Firmware BIOS Descriptor");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION) == 0)
+ {
+ /* TRANSLATORS: Title: DMA as in https://en.wikipedia.org/wiki/DMA_attack */
+ return _("Pre-boot DMA Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ENABLED) == 0)
+ {
+ /* TRANSLATORS: Title: BootGuard is a trademark from Intel */
+ return _("Intel BootGuard");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_VERIFIED) == 0)
+ {
+ /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
+ * verified boot refers to the way the boot process is verified */
+ return _("Intel BootGuard Verified Boot");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_ACM) == 0)
+ {
+ /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
+ * ACM means to verify the integrity of Initial Boot Block */
+ return _("Intel BootGuard ACM Protected");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_POLICY) == 0)
+ {
+ /* TRANSLATORS: Title: BootGuard is a trademark from Intel,
+ * error policy is what to do on failure */
+ return _("Intel BootGuard Error Policy");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_BOOTGUARD_OTP) == 0)
+ {
+ /* TRANSLATORS: Title: BootGuard is a trademark from Intel */
+ return _("Intel BootGuard Fuse");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_CET_ENABLED) == 0)
+ {
+ /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology,
+ * enabled means supported by the processor */
+ return _("Intel CET Enabled");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_CET_ACTIVE) == 0)
+ {
+ /* TRANSLATORS: Title: CET = Control-flow Enforcement Technology,
+ * active means being used by the OS */
+ return _("Intel CET Active");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_INTEL_SMAP) == 0)
+ {
+ /* TRANSLATORS: Title: SMAP = Supervisor Mode Access Prevention */
+ return _("Intel SMAP");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM) == 0)
+ {
+ /* TRANSLATORS: Title: Memory contents are encrypted, e.g. Intel TME */
+ return _("Encrypted RAM");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_IOMMU) == 0)
+ {
+ /* TRANSLATORS: Title:
+ * https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit */
+ return _("IOMMU Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_LOCKDOWN) == 0)
+ {
+ /* TRANSLATORS: Title: lockdown is a security mode of the kernel */
+ return _("Linux Kernel Lockdown");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_TAINTED) == 0)
+ {
+ /* TRANSLATORS: Title: if it's tainted or not */
+ return _("Linux Kernel Verification");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_KERNEL_SWAP) == 0)
+ {
+ /* TRANSLATORS: Title: swap space or swap partition */
+ return _("Linux Swap");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM) == 0)
+ {
+ /* TRANSLATORS: Title: sleep state */
+ return _("Suspend To RAM");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_IDLE) == 0)
+ {
+ /* TRANSLATORS: Title: a better sleep state */
+ return _("Suspend To Idle");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_PK) == 0)
+ {
+ /* TRANSLATORS: Title: PK is the 'platform key' for the machine */
+ return _("UEFI Platform Key");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0)
+ {
+ /* TRANSLATORS: Title: SB is a way of locking down UEFI */
+ return _("UEFI Secure Boot");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR) == 0)
+ {
+ /* TRANSLATORS: Title: PCRs (Platform Configuration Registers) shouldn't be empty */
+ return _("TPM Platform Configuration");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0) == 0)
+ {
+ /* TRANSLATORS: Title: the PCR is rebuilt from the TPM event log */
+ return _("TPM Reconstruction");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20) == 0)
+ {
+ /* TRANSLATORS: Title: TPM = Trusted Platform Module */
+ return _("TPM v2.0");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_MEI_MANUFACTURING_MODE) == 0)
+ {
+ /* TRANSLATORS: Title: MEI = Intel Management Engine */
+ return _("Intel Management Engine Manufacturing Mode");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_MEI_OVERRIDE_STRAP) == 0)
+ {
+ /* TRANSLATORS: Title: MEI = Intel Management Engine, and the "override" is enabled
+ * with a jumper -- luckily it is probably not accessible to end users on consumer
+ * boards */
+ return _("Intel Management Engine Override");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_MEI_VERSION) == 0)
+ {
+ /* TRANSLATORS: Title: MEI = Intel Management Engine */
+ return _("Intel Management Engine Version");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_UPDATES) == 0)
+ {
+ /* TRANSLATORS: Title: if firmware updates are available */
+ return _("Firmware Updates");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION) == 0)
+ {
+ /* TRANSLATORS: Title: if we can verify the firmware checksums */
+ return _("Firmware Attestation");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_FWUPD_PLUGINS) == 0)
+ {
+ /* TRANSLATORS: Title: if the fwupd plugins are all present and correct */
+ return _("Firmware Updater Verification");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED) == 0 ||
+ g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED) == 0)
+ {
+ /* TRANSLATORS: Title: Allows debugging of parts using proprietary hardware */
+ return _("Platform Debugging");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU) == 0)
+ {
+ /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
+ return _("Processor Security Checks");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0)
+ {
+ /* TRANSLATORS: Title: if firmware enforces rollback protection */
+ return _("AMD Rollback Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0)
+ {
+ /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
+ return _("AMD Firmware Replay Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION) == 0)
+ {
+ /* TRANSLATORS: Title: if hardware enforces control of SPI writes */
+ return _("AMD Firmware Write Protection");
+ }
+ if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_PLATFORM_FUSED) == 0)
+ {
+ /* TRANSLATORS: Title: if the part has been fused */
+ return _("Fused Platform");
+ }
+ return NULL;
+}
+
+/* ->summary and ->description are translated */
+FwupdSecurityAttr *
+fu_security_attr_new_from_variant (GVariantIter *iter)
+{
+ FwupdSecurityAttr *attr = g_new0 (FwupdSecurityAttr, 1);
+ const gchar *key;
+ GVariant *value;
+
+ while (g_variant_iter_next (iter, "{&sv}", &key, &value))
+ {
+ if (g_strcmp0 (key, "AppstreamId") == 0)
+ attr->appstream_id = g_variant_dup_string (value, NULL);
+ else if (g_strcmp0 (key, "Flags") == 0)
+ attr->flags = g_variant_get_uint64(value);
+ else if (g_strcmp0 (key, "HsiLevel") == 0)
+ attr->hsi_level = g_variant_get_uint32 (value);
+ else if (g_strcmp0 (key, "Created") == 0)
+ attr->timestamp = g_variant_get_uint64 (value);
+ else if (g_strcmp0 (key, "Description") == 0)
+ attr->description = g_strdup (dgettext ("fwupd", g_variant_get_string (value, NULL)));
+ else if (g_strcmp0 (key, "Summary") == 0)
+ attr->title = g_strdup (dgettext ("fwupd", g_variant_get_string (value, NULL)));
+ g_variant_unref (value);
+ }
- for (int i = 0; i < G_N_ELEMENTS (attr_to_name); i++)
- {
- if (g_strcmp0 (appstream_id, attr_to_name[i].id) == 0)
- return _(attr_to_name[i].name);
- }
+ /* fallback for older fwupd versions */
+ if (attr->appstream_id != NULL && attr->title == NULL)
+ attr->title = g_strdup (fu_security_attr_get_title_fallback (attr->appstream_id));
- return appstream_id;
+ /* success */
+ return attr;
}
-gboolean
-firmware_security_attr_has_flag (guint64 flags,
- FwupdSecurityAttrFlags flag)
+void
+fu_security_attr_free (FwupdSecurityAttr *attr)
{
- return (flags & flag) > 0;
+ g_free (attr->appstream_id);
+ g_free (attr->title);
+ g_free (attr->description);
+ g_free (attr);
}
-const char *
-fwupd_event_to_log (const char *appstream_id,
- FwupdSecurityAttrResult result)
+gboolean
+firmware_security_attr_has_flag (FwupdSecurityAttr *attr,
+ FwupdSecurityAttrFlags flag)
{
- struct
- {
- const gchar *appstream_id;
- FwupdSecurityAttrResult result;
- const gchar *text;
- } event_log_items[] =
- {
- {
- "org.fwupd.hsi.Iommu",
- FWUPD_SECURITY_ATTR_RESULT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("IOMMU device protection enabled")
- },
- {
- "org.fwupd.hsi.Iommu",
- FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND,
- /* TRANSLATORS: HSI event title */
- N_("IOMMU device protection disabled")},
- {
- "org.fwupd.hsi.Fwupd.Plugins",
- FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED,
- NULL
- },
- {
- "org.fwupd.hsi.Fwupd.Plugins",
- FWUPD_SECURITY_ATTR_RESULT_TAINTED,
- NULL
- },
- {
- "org.fwupd.hsi.Fwupd.Plugins",
- FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
- NULL
- },
- {
- "org.fwupd.hsi.Kernel.Tainted",
- FWUPD_SECURITY_ATTR_RESULT_NOT_TAINTED,
- /* TRANSLATORS: HSI event title */
- N_("Kernel is no longer tainted")
- },
- {
- "org.fwupd.hsi.Kernel.Tainted",
- FWUPD_SECURITY_ATTR_RESULT_TAINTED,
- /* TRANSLATORS: HSI event title */
- N_("Kernel is tainted")
- },
- {
- "org.fwupd.hsi.Kernel.Lockdown",
- FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Kernel lockdown disabled")
- },
- {
- "org.fwupd.hsi.Kernel.Lockdown",
- FWUPD_SECURITY_ATTR_RESULT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Kernel lockdown enabled")
- },
- {
- "org.fwupd.hsi.AcpiDmar",
- FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Pre-boot DMA protection is disabled")
- },
- {
- "org.fwupd.hsi.AcpiDmar",
- FWUPD_SECURITY_ATTR_RESULT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Pre-boot DMA protection is enabled")
- },
- {
- "org.fwupd.hsi.Uefi.SecureBoot",
- FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Secure Boot disabled")
- },
- {
- "org.fwupd.hsi.Uefi.SecureBoot",
- FWUPD_SECURITY_ATTR_RESULT_ENABLED,
- /* TRANSLATORS: HSI event title */
- N_("Secure Boot enabled")
- },
- {
- "org.fwupd.hsi.Tpm.EmptyPcr",
- FWUPD_SECURITY_ATTR_RESULT_VALID,
- /* TRANSLATORS: HSI event title */
- N_("All TPM PCRs are valid")
- },
- {
- "org.fwupd.hsi.Tpm.EmptyPcr",
- FWUPD_SECURITY_ATTR_RESULT_NOT_VALID,
- /* TRANSLATORS: HSI event title */
- N_("All TPM PCRs are now valid")
- },
- {
- "org.fwupd.hsi.Uefi.SecureBoot",
- FWUPD_SECURITY_ATTR_RESULT_VALID,
- /* TRANSLATORS: HSI event title */
- N_("A TPM PCR is now an invalid value")
- },
- {
- "org.fwupd.hsi.Tpm.ReconstructionPcr0",
- FWUPD_SECURITY_ATTR_RESULT_NOT_VALID,
- /* TRANSLATORS: HSI event title */
- N_("TPM PCR0 reconstruction is invalid")
- },
- {
- NULL,
- 0,
- NULL
- }
- };
-
- for (int i = 0; event_log_items[i].appstream_id != NULL; i++)
- {
- if (g_strcmp0 (appstream_id, event_log_items[i].appstream_id) == 0 &&
- result == event_log_items[i].result)
- {
- return _(event_log_items[i].text);
- }
- }
-
- return NULL;
+ return (attr->flags & flag) > 0;
}
void
diff --git a/panels/firmware-security/cc-firmware-security-utils.h
b/panels/firmware-security/cc-firmware-security-utils.h
index 38bfc5070..aa666902a 100644
--- a/panels/firmware-security/cc-firmware-security-utils.h
+++ b/panels/firmware-security/cc-firmware-security-utils.h
@@ -26,6 +26,8 @@
G_BEGIN_DECLS
+/* we don't need to keep this up to date and from fwupd >= 1.8.3 we only need the defines
+ * for the things we actually query, e.g. FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT */
#define FWUPD_SECURITY_ATTR_ID_ACPI_DMAR "org.fwupd.hsi.AcpiDmar"
#define FWUPD_SECURITY_ATTR_ID_ENCRYPTED_RAM "org.fwupd.hsi.EncryptedRam"
#define FWUPD_SECURITY_ATTR_ID_FWUPD_ATTESTATION "org.fwupd.hsi.Fwupd.Attestation"
@@ -61,7 +63,12 @@ G_BEGIN_DECLS
#define FWUPD_SECURITY_ATTR_ID_UEFI_PK "org.fwupd.hsi.Uefi.Pk"
#define FWUPD_SECURITY_ATTR_ID_PREBOOT_DMA_PROTECTION "org.fwupd.hsi.PrebootDma"
#define FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU "org.fwupd.hsi.SupportedCpu"
-
+#define FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_LOCKED "org.fwupd.hsi.PlatformDebugLocked"
+#define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection"
+#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION "org.fwupd.hsi.Amd.SpiWriteProtection"
+#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION "org.fwupd.hsi.Amd.SpiReplayProtection"
+#define FWUPD_SECURITY_ATTR_ID_PLATFORM_DEBUG_ENABLED "org.fwupd.hsi.PlatformDebugEnabled"
+#define FWUPD_SECURITY_ATTR_ID_PLATFORM_FUSED "org.fwupd.hsi.PlatformFused"
typedef enum {
SECURE_BOOT_STATE_UNKNOWN,
@@ -77,6 +84,9 @@ typedef enum {
FWUPD_SECURITY_ATTR_FLAG_RUNTIME_UPDATES = 1 << 8,
FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ATTESTATION = 1 << 9,
FWUPD_SECURITY_ATTR_FLAG_RUNTIME_ISSUE = 1 << 10,
+ FWUPD_SECURITY_ATTR_FLAG_ACTION_CONTACT_OEM = 1 << 11,
+ FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_FW = 1 << 12,
+ FWUPD_SECURITY_ATTR_FLAG_ACTION_CONFIG_OS = 1 << 13,
} FwupdSecurityAttrFlags;
typedef enum {
@@ -98,12 +108,24 @@ typedef enum {
FWUPD_SECURITY_ATTR_RESULT_LAST
} FwupdSecurityAttrResult;
-const gchar *fu_security_attr_get_name (const gchar *appstream_id);
-gboolean firmware_security_attr_has_flag (guint64 flags,
+typedef struct {
+ FwupdSecurityAttrResult result;
+ FwupdSecurityAttrFlags flags;
+ guint32 hsi_level;
+ guint64 timestamp;
+ gchar *appstream_id;
+ gchar *title;
+ gchar *description;
+} FwupdSecurityAttr;
+
+FwupdSecurityAttr *fu_security_attr_new_from_variant (GVariantIter *iter);
+void fu_security_attr_free (FwupdSecurityAttr *attr);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(FwupdSecurityAttr, fu_security_attr_free)
+
+gboolean firmware_security_attr_has_flag (FwupdSecurityAttr *attr,
FwupdSecurityAttrFlags flag);
void load_custom_css (const char *path);
-const char *fwupd_event_to_log (const char *appstream_id,
- FwupdSecurityAttrResult result);
G_END_DECLS
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
