
Display boot type information (EFI, BIOS, Secure Boot, etc.)

Open allisonkarlitskaya opened this issue 1 year ago • 14 comments

Possibly a nice feature that would fit nicely in the "System information" card.

If it's possible to determine it, show a "Boot type" indicator which could be one of:

  • EFI (Secure Boot enabled)
  • EFI (Secure Boot disabled)
  • BIOS

allisonkarlitskaya avatar Sep 21 '23 11:09 allisonkarlitskaya

It seems like if you read /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c you'll end up with:

  • 0000000 0006 0000 0001 secure boot enabled
  • 0000000 0006 0000 0000 secure boot disabled
  • file not present: BIOS boot (or non-EFI platform)

allisonkarlitskaya avatar Sep 21 '23 11:09 allisonkarlitskaya

GNOME 45, just released, has included more system information and moved most of the system-level stuff to a popup window.

Here's what it looks like (after I moved the window to the side a bit, to show both parts of the information).

Screenshot from 2023-09-21 15-15-10

Is there anything useful in there that we should also include? WDYT?

garrett avatar Sep 21 '23 13:09 garrett

GNOME also has secure boot shown like this under the privacy > security section:

image

image

garrett avatar Sep 21 '23 13:09 garrett

Firmware and kernel versions are potentially interesting. Some of the other things like CPU type we have tucked away inside of "Hardware details" and I think they belong there...

allisonkarlitskaya avatar Sep 21 '23 13:09 allisonkarlitskaya

My security panel also has "Linux Kernel Lockdown" (I guess that means no unsigned modules) and "Encrypted RAM". Those are potentially nice for the "Hardware details" panel as well?

For me I guess the top-level interesting item is "Secure Boot is enabled" and indeed GNOME also gives it top billing with its own large indicator at the top of the page.

allisonkarlitskaya avatar Sep 21 '23 13:09 allisonkarlitskaya

Linux Kernel lockdown is a sysctl / kernel option. Feels a bit weird to mix that with "Hardware details".

https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html

jelly avatar Sep 21 '23 13:09 jelly

It seems like if you read /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c you'll end up with:

  • 0000000 0006 0000 0001 secure boot enabled
  • 0000000 0006 0000 0000 secure boot disabled
  • file not present: BIOS boot (or non-EFI platform)

Seems pretty easy to achieve indeed:

diff --git a/pkg/systemd/hw-detect.js b/pkg/systemd/hw-detect.js
index 925116def..305b11a9c 100644
--- a/pkg/systemd/hw-detect.js
+++ b/pkg/systemd/hw-detect.js
@@ -120,6 +120,17 @@ function findMemoryDevices(udevdb, info) {
     info.memory = memoryArray;
 }
 
+async function getBootType() {
+    try {
+        await cockpit.script("test -f /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c");
+    } catch {
+        return "BIOS or Legacy";
+    }
+
+    const result = await cockpit.script("od -j4 --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c");
+    return `EFI (Secure Boot ${result.trim() == "1" ? "enabled" : "disabled"})`;
+}
+
 export default function detect() {
     const info = { system: {}, pci: [], memory: [] };
     const tasks = [];
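Review bot: the `catch` around the `test -f` probe at the top of `getBootType()` maps every failure to "BIOS or Legacy", so a permission error or a broken cockpit channel would be reported as a firmware fact instead of as unknown; reading the efivar directly and treating only a missing file as the BIOS case would be safer. Two smaller points: `result.trim() == "1"` should use `===`, and the returned strings are displayed in the UI but are not wrapped in `_()` the way the `_("Boot type")` label is, so they will not be translated.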
@@ -154,6 +165,11 @@ export default function detect() {
                 return true;
             }));
 
+    tasks.push(getBootType()
+            .then(result => {
+                info.system.boot_type = result;
+            }));
+
     // Fallback if systemd < 248
     if (info.memory.length === 0) {
         tasks.push(machine_info.memory_info()
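Review bot: the task pushed here has no `.catch`, so if the `od` call inside `getBootType()` rejects (for example the efivar exists but is unreadable), the whole `Promise.all` over `tasks` in `detect()` rejects instead of just leaving `boot_type` unset; add a `.catch(() => {})` or handle the error inside `getBootType()`. Also note the value is stored on `info.system.boot_type` while the jsx hunk reads `info.boot_type`; that is fine if `SystemInfo` is handed `info.system`, but worth confirming.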
diff --git a/pkg/systemd/hwinfo.jsx b/pkg/systemd/hwinfo.jsx
index 53e971390..f0dc022a7 100644
--- a/pkg/systemd/hwinfo.jsx
+++ b/pkg/systemd/hwinfo.jsx
@@ -111,6 +111,10 @@ class SystemInfo extends React.Component {
                                 <DescriptionListDescription>{ bios_date ? timeformat.date(bios_date) : info.bios_date }</DescriptionListDescription>
                             </DescriptionListGroup>
                         </> }
+                        <DescriptionListGroup>
+                            <DescriptionListTerm>{ _("Boot type") }</DescriptionListTerm>
+                            <DescriptionListDescription>{ info.boot_type }</DescriptionListDescription>
+                        </DescriptionListGroup>
                         { info.nproc !== undefined && <>
                             <DescriptionListGroup>
                                 <DescriptionListTerm>{ _("CPU") }</DescriptionListTerm>
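Review bot: the new `DescriptionListGroup` is rendered unconditionally, so until detection resolves (or on any platform where the value stays unset) the card shows a "Boot type" row with an empty value; guard it the way the CPU row below does with `info.boot_type !== undefined && ...`.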

leomoty avatar Sep 21 '23 14:09 leomoty

Seems pretty easy to achieve indeed:

Cool!

I would have imagined using a single

cockpit.file('/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c', {binary: true}).read()

though.

allisonkarlitskaya avatar Sep 21 '23 14:09 allisonkarlitskaya
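The two comments above (the `od` byte values and the suggested binary `cockpit.file(...).read()`) both come down to decoding the same efivar layout. The following is an added example and not cockpit's code: a pure decoder for the SecureBoot efivar content as efivarfs exposes it (4 bytes of little-endian EFI variable attributes followed by the one data byte, which is why `od -j4` skips four bytes), with the failure modes handled explicitly. The input arrays are constructed for the example; `readBootType()` is a hypothetical wrapper that only runs where a `cockpit` global exists.

```javascript
// Added example, not cockpit's code. Decodes the SecureBoot efivar.
const SECUREBOOT_EFIVAR =
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c";

// EFI_VARIABLE_* attribute bits from the UEFI specification.
const EFI_VARIABLE_NON_VOLATILE = 0x1;
const EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2;
const EFI_VARIABLE_RUNTIME_ACCESS = 0x4;

// bytes: Uint8Array with the whole efivar file, or null when the file does
// not exist (cockpit.file(...).read() resolves to null for a missing file).
// Returns { boot, secureBoot, attrs, label }; label is what a card would show.
function parseSecureBootVar(bytes) {
    // No efivar at all: BIOS/legacy boot, or efivarfs not mounted. The caller
    // cannot tell those apart from here, so the label stays conservative.
    if (bytes === null)
        return { boot: "BIOS", secureBoot: null, attrs: null, label: "BIOS" };

    // Anything shorter than attributes + one data byte is malformed; report
    // EFI but refuse to claim a Secure Boot state we did not actually read.
    if (bytes.length < 5)
        return { boot: "EFI", secureBoot: null, attrs: null,
                 label: "EFI (Secure Boot state unknown)" };

    // First four bytes: little-endian uint32 of attribute flags. The thread's
    // od output shows 0006 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS (volatile).
    const attrs = (bytes[0] | (bytes[1] << 8) | (bytes[2] << 16) | (bytes[3] << 24)) >>> 0;
    const value = bytes[4];

    if (value === 1)
        return { boot: "EFI", secureBoot: true, attrs, label: "EFI (Secure Boot enabled)" };
    if (value === 0)
        return { boot: "EFI", secureBoot: false, attrs, label: "EFI (Secure Boot disabled)" };
    // The spec only defines 0 and 1; anything else is treated as unknown
    // rather than silently mapped to "disabled".
    return { boot: "EFI", secureBoot: null, attrs, label: "EFI (Secure Boot state unknown)" };
}

// Human-readable breakdown of the attribute word, useful when debugging why
// a variable is or is not visible at runtime.
function describeAttrs(attrs) {
    if (attrs === null)
        return [];
    const names = [];
    if (attrs & EFI_VARIABLE_NON_VOLATILE) names.push("NON_VOLATILE");
    if (attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS) names.push("BOOTSERVICE_ACCESS");
    if (attrs & EFI_VARIABLE_RUNTIME_ACCESS) names.push("RUNTIME_ACCESS");
    return names;
}

// Hypothetical wrapper showing the read suggested in the thread; it only
// runs inside a Cockpit page where the `cockpit` global is defined.
async function readBootType() {
    if (typeof cockpit === "undefined")
        throw new Error("readBootType() needs the cockpit JS API");
    const bytes = await cockpit.file(SECUREBOOT_EFIVAR, { binary: true }).read();
    return parseSecureBootVar(bytes).label;
}

// Constructed sample inputs mirroring the od output quoted in the thread.
const SAMPLE_ENABLED = new Uint8Array([0x06, 0x00, 0x00, 0x00, 0x01]);
const SAMPLE_DISABLED = new Uint8Array([0x06, 0x00, 0x00, 0x00, 0x00]);
const SAMPLE_TRUNCATED = new Uint8Array([0x06, 0x00, 0x00, 0x00]);

if (typeof module !== "undefined" && require.main === module) {
    for (const sample of [SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_TRUNCATED, null]) {
        const r = parseSecureBootVar(sample);
        console.log(r.label, describeAttrs(r.attrs).join("|"));
    }
}
```

The decoder deliberately distinguishes "variable absent" from "variable present but unreadable or malformed", which is the distinction the `test -f` plus `catch` approach in the diff collapses.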

Yep, I never noticed that extra flag, that works :)

leomoty avatar Sep 21 '23 14:09 leomoty

@allisonkarlitskaya the int test TestSystemInfo.testHardwareInfo is not working by default on my end, am I missing something? Mismatched values: QEMU => Red Hat KVM Standard PC => KVM

leomoty avatar Sep 21 '23 15:09 leomoty

Hello @allisonkarlitskaya, can I work on this issue? I am new to this project and looking for good first issues.

ashutosh7i avatar Nov 18 '23 20:11 ashutosh7i

There is already a Pull Request open for this issue, so I would suggest looking into a different issue.

jelly avatar Nov 20 '23 07:11 jelly

Is this issue still open? Can I contribute?

monkCommits avatar Dec 16 '23 00:12 monkCommits

We need more than that... We also need to know if we're using a "fake-UEFI" like U-Boot (on ARM and RISC-V).

Conan-Kudo avatar Jan 24 '24 13:01 Conan-Kudo