From: Kate Hsuan Date: Fri, 10 Jun 2022 05:52:37 +0000 (+0800) Subject: plugins: splash: two-step: Secure boot check and a warning image X-Git-Tag: 23.51.283~82^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98cf5fa56aab95a8fbb0b2778a6d87cd8f522f4c;p=thirdparty%2Fplymouth.git plugins: splash: two-step: Secure boot check and a warning image Secure boot is used against several security threats when malware tries to infect the firmware of the system. Users may inadvertently disable or software may intentionally disable the secure boot. Consequently, the system is running on an insecure platform with incorrect configuration. If Plymouth could offer a warning to the user, the user could reboot and reconfigure their system or asks for help immediately. This work can be used to check the secure boot configuration and put a red warning image on the screen if the secure boot is disabled. Also, this check can be utterly disabled through the kernel parameter for testing. If the parameter "secure_boot.warn_if_disabled=false" appears in the kernel parameter, the secure boot check will be disabled. Signed-off-by: Kate Hsuan --- diff --git a/src/plugins/splash/two-step/plugin.c b/src/plugins/splash/two-step/plugin.c index 2ecb1780..0e769232 100644 --- a/src/plugins/splash/two-step/plugin.c +++ b/src/plugins/splash/two-step/plugin.c @@ -109,7 +109,7 @@ typedef struct ply_label_t *message_label; ply_label_t *title_label; ply_label_t *subtitle_label; - ply_rectangle_t box_area, lock_area, watermark_area, dialog_area; + ply_rectangle_t box_area, lock_area, watermark_area, dialog_area, secure_boot_area; ply_trigger_t *end_trigger; ply_pixel_buffer_t *background_buffer; int animation_bottom; @@ -141,6 +141,7 @@ struct _ply_boot_splash_plugin ply_image_t *background_bgrt_image; ply_image_t *background_bgrt_fallback_image; ply_image_t *watermark_image; + ply_image_t *secure_boot_warning_image; ply_list_t *views; ply_boot_splash_display_type_t state; @@ -155,6 +156,9 @@ struct _ply_boot_splash_plugin double watermark_horizontal_alignment; double watermark_vertical_alignment; + double secure_boot_horizontal_alignment; + double secure_boot_vertical_alignment; + double animation_horizontal_alignment; double animation_vertical_alignment; char *animation_dir; @@ -642,6 +646,17 @@ view_load (view_t *view) screen_width, screen_height); } + if (plugin->secure_boot_warning_image != NULL) { + view->secure_boot_area.width = ply_image_get_width (plugin->secure_boot_warning_image); + view->secure_boot_area.height = ply_image_get_height (plugin->secure_boot_warning_image); + view->secure_boot_area.x = screen_width * plugin->secure_boot_horizontal_alignment - ply_image_get_width (plugin->secure_boot_warning_image) * plugin->secure_boot_horizontal_alignment; + view->secure_boot_area.y = screen_height * plugin->secure_boot_vertical_alignment - ply_image_get_height (plugin->secure_boot_warning_image) * plugin->secure_boot_vertical_alignment; + ply_trace ("using %ldx%ld secure_boot_warning_image centered at %ldx%ld for %ldx%ld screen", + view->secure_boot_area.width, view->secure_boot_area.height, + view->secure_boot_area.x, view->secure_boot_area.y, + screen_width, screen_height); + } + ply_trace ("loading entry"); if (!ply_entry_load (view->entry)) return false; @@ -1084,6 +1099,13 @@ create_plugin (ply_key_file_t *key_file) plugin->watermark_image = ply_image_new (image_path); free (image_path); + if (!ply_kernel_command_line_has_argument ("secure_boot.warn_if_disabled=false") && + !ply_is_secure_boot_enabled ()) { + asprintf (&image_path, "%s/emblem-warning.png", image_dir); + plugin->secure_boot_warning_image = ply_image_new (image_path); + free (image_path); + } + plugin->animation_dir = image_dir; plugin->font = ply_key_file_get_value (key_file, "two-step", "Font"); @@ -1117,6 +1139,14 @@ create_plugin (ply_key_file_t *key_file) ply_key_file_get_double (key_file, "two-step", "WatermarkVerticalAlignment", 0.5); + /* Secure boot warning icon alignment */ + plugin->secure_boot_horizontal_alignment = + ply_key_file_get_double (key_file, "two-step", + "SecureBootHorizontalAlignment", 0.05); + plugin->secure_boot_vertical_alignment = + ply_key_file_get_double (key_file, "two-step", + "SecureBootVerticalAlignment", 0.95); + /* Password (or other) dialog alignment */ plugin->dialog_horizontal_alignment = ply_key_file_get_double (key_file, "two-step", @@ -1485,6 +1515,13 @@ draw_background (view_t *view, data = ply_image_get_data (plugin->watermark_image); ply_pixel_buffer_fill_with_argb32_data (pixel_buffer, &view->watermark_area, data); } + + if (plugin->secure_boot_warning_image != NULL) { + uint32_t *data; + + data = ply_image_get_data (plugin->secure_boot_warning_image); + ply_pixel_buffer_fill_with_argb32_data (pixel_buffer, &view->secure_boot_area, data); + } } static void @@ -1724,6 +1761,14 @@ show_splash_screen (ply_boot_splash_plugin_t *plugin, } } + if (plugin->secure_boot_warning_image != NULL) { + ply_trace ("loading secure boot warning image"); + if (!ply_image_load (plugin->secure_boot_warning_image)) { + ply_image_free (plugin->secure_boot_warning_image); + plugin->secure_boot_warning_image = NULL; + } + } + if (!load_views (plugin)) { ply_trace ("couldn't load views"); return false;