diff --git a/browser/components/enterprise/modules/ConsoleClient.sys.mjs b/browser/components/enterprise/modules/ConsoleClient.sys.mjs
index eff07bb8baf44..156c5a13d3b2b 100644
--- a/browser/components/enterprise/modules/ConsoleClient.sys.mjs
+++ b/browser/components/enterprise/modules/ConsoleClient.sys.mjs
@@ -482,6 +482,8 @@ export const ConsoleClient = {
 ipv4: null,
 ipv6: null,
 },
+ secureBootEnabled:
+ Services.sysinfo.getPropertyAsBool("secureBootEnabled"),
 };
 return devicePosturePayload;
 },
diff --git a/testing/enterprise/test_felt_device_posture.py b/testing/enterprise/test_felt_device_posture.py
index 5f2cf3ed04cbc..f6001272937bb 100644
--- a/testing/enterprise/test_felt_device_posture.py
+++ b/testing/enterprise/test_felt_device_posture.py
@@ -43,6 +43,7 @@ def test_felt_2_device_posture_content(self, exp):
 assert device_posture["build"]["applicationName"] == "FirefoxEnterprise", (
 "Device posture reports proper applicationName"
 )
+ assert "secureBootEnabled" in device_posture
 return True
 def test_felt_3_access(self, exp):
diff --git a/xpcom/base/nsSystemInfo.cpp b/xpcom/base/nsSystemInfo.cpp
index c4fd591da4111..5b573aeffce42 100644
--- a/xpcom/base/nsSystemInfo.cpp
+++ b/xpcom/base/nsSystemInfo.cpp
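Review bot: `Services.sysinfo.getPropertyAsBool("secureBootEnabled")` on the added line throws if the property is absent from the bag, and a plain boolean cannot express "not determinable" — the C++ side that fills it returns false for non-UEFI hosts and for platforms other than Linux/Windows, so a console policy keyed on this field will treat legacy-BIOS and macOS devices as having Secure Boot switched off. The neighbouring `ipv4: null, ipv6: null` fields already use `null` for unknown, and the same convention fits here: `secureBootEnabled: Services.sysinfo.hasKey("secureBootEnabled") ? Services.sysinfo.getPropertyAsBool("secureBootEnabled") : null,` — this assumes `hasKey` (nsIPropertyBag2) is available on `Services.sysinfo` and only yields null if the C++ side stops setting the property when the state is undetermined. Since the value is read from the local machine by the client itself, it is a self-reported posture signal rather than an attestation, which deserves a comment such as `// Self-reported by the client; false also covers "could not determine".` The enclosing function starts outside the hunk.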
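Review bot: The added `assert "secureBootEnabled" in device_posture` only checks that the key exists, so a `None`, a string or a stray object in that slot would still pass. Pin the type as well: `assert isinstance(device_posture["secureBootEnabled"], bool), "secureBootEnabled is a boolean"`. If the field is later made nullable to express "undetermined", widen that check to `(bool, type(None))`.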
@@ -1421,6 +1421,52 @@ BOOL WINAPI IsUserCetAvailableInEnvironment(_In_ DWORD UserCetEnvironment);
 # define USER_CET_ENVIRONMENT_WIN32_PROCESS 0x00000000
 #endif
+#if defined(MOZ_ENTERPRISE) && defined(XP_LINUX)
+bool GetSecureBootStatus_Linux() {
+ std::ifstream input(
+ "/sys/firmware/efi/efivars/"
+ "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c",
+ std::ios::binary);
+ if (input.fail()) {
+ return false;
+ }
+
+ unsigned char bytes[5] = {0};
+ input.read(reinterpret_cast(bytes), sizeof(bytes));
+ if (!input) {
+ return false;
+ }
+
+ return bytes[4] == 0x01;
+}
+#endif
+
+#if defined(MOZ_ENTERPRISE) && defined(XP_WIN)
+bool GetSecureBootStatus_Windows() {
+ HKEY secureBootStateHKey;
+ LONG status =
+ RegOpenKeyEx(HKEY_LOCAL_MACHINE,
+ L"SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State", 0,
+ KEY_READ, &secureBootStateHKey);
+
+ if (status != ERROR_SUCCESS) {
+ return false;
+ }
+
+ nsAutoRegKey secureBootStateKey(secureBootStateHKey);
+
+ DWORD data, len;
+ len = sizeof(data);
+
+ if (RegQueryValueEx(secureBootStateHKey, L"UEFISecureBootEnabled", 0, 0,
+ reinterpret_cast(&data), &len) == ERROR_SUCCESS) {
+ return static_cast(data);
+ }
+
+ return false;
+}
+#endif
+
 nsresult nsSystemInfo::Init() {
 // check that it is called from the main thread on all platforms.
 MOZ_ASSERT(NS_IsMainThread());
@@ -1694,9 +1740,26 @@ nsresult nsSystemInfo::Init() {
 }
 #endif // XP_LINUX && MOZ_SANDBOX
+#if defined(MOZ_ENTERPRISE)
+ SetPropertyAsBool(u"secureBootEnabled"_ns, GetSecureBootStatus());
+#endif
+
 return NS_OK;
 }
+#if defined(MOZ_ENTERPRISE)
+/* static */
+bool nsSystemInfo::GetSecureBootStatus() {
+# if defined(XP_LINUX)
+ return GetSecureBootStatus_Linux();
+# elif defined(XP_WIN)
+ return GetSecureBootStatus_Windows();
+# else
+ return false;
+# endif
+}
+#endif
+
 #ifdef MOZ_WIDGET_ANDROID
 // Prerelease versions of Android use a letter instead of version numbers.
 // Unfortunately this breaks websites due to the user agent.
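Review bot: In `GetSecureBootStatus_Windows`, `data` is never initialized and `RegQueryValueEx` is called with a null `lpType` and no check of `len` afterwards, so a value of an unexpected type or size (say a 1-byte REG_BINARY under the same name) is partially written and `static_cast<bool>(data)` then reads indeterminate bytes; ask for the type, zero-initialize, and verify `type == REG_DWORD && len == sizeof(data)` before trusting it. On the Linux side `bytes[4] == 0x01` reads the right byte of the efivarfs record (four attribute bytes, then the one-byte payload), but the UEFI spec defines enforcement as SecureBoot==1 together with SetupMode==0, so reading `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` the same way and returning false when its payload byte is 1 would match what mokutil reports — firmware behaviour in setup mode varies, so treat this as hardening rather than a correctness bug. Both helpers return false for "could not read" as well as "disabled", which the caller cannot tell apart; document that at minimum, e.g. `// Returns false both when Secure Boot is off and when its state cannot be read.` The hunk also adds no `#include <fstream>` for `std::ifstream`; if nsSystemInfo.cpp does not already include it, this relies on a transitive include.
```cpp
  // … unchanged: RegOpenKeyEx and the status != ERROR_SUCCESS early return …
  nsAutoRegKey secureBootStateKey(secureBootStateHKey);

  DWORD data = 0;
  DWORD type = 0;
  DWORD len = sizeof(data);
  if (RegQueryValueEx(secureBootStateHKey, L"UEFISecureBootEnabled", nullptr,
                      &type, reinterpret_cast<LPBYTE>(&data),
                      &len) == ERROR_SUCCESS &&
      type == REG_DWORD && len == sizeof(data)) {
    return data != 0;
  }

  return false;
```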
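Review bot: `SetPropertyAsBool(u"secureBootEnabled"_ns, GetSecureBootStatus())` publishes false both when Secure Boot is off and when the state could not be determined — the `# else` branch for builds that are neither Linux nor Windows, a non-UEFI boot, or an unreadable efivar or registry key — so a posture consumer cannot distinguish a legacy-BIOS or macOS host from a machine with Secure Boot deliberately disabled. Consider making `nsSystemInfo::GetSecureBootStatus` return a tri-state (a `mozilla::Maybe<bool>`, if that helper is available here as it is elsewhere in mfbt) and calling `SetPropertyAsBool` only when the state is known, so the JS layer can report null otherwise. If the bool interface is kept, say so at the definition: `// False also means "unknown"; do not treat it as a positive "disabled" signal.` The value is gathered by the client from its own firmware state, so it is self-reported and not an attestation, which the same comment should state.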
diff --git a/xpcom/base/nsSystemInfo.h b/xpcom/base/nsSystemInfo.h
index 595655d00a81d..6520b121857fd 100644
--- a/xpcom/base/nsSystemInfo.h
+++ b/xpcom/base/nsSystemInfo.h
@@ -99,6 +99,10 @@ class nsSystemInfo final : public nsISystemInfo, public nsHashPropertyBag {
 // See comments above the variable definition and in NS_InitXPCOM.
 static uint32_t gUserUmask;
+#if defined(MOZ_ENTERPRISE)
+ static bool GetSecureBootStatus();
+#endif
+
 #ifdef MOZ_WIDGET_ANDROID
 static void GetAndroidSystemInfo(mozilla::dom::AndroidSystemInfo* aInfo);
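Review bot: The new `static bool GetSecureBootStatus();` declaration carries no comment, unlike the `gUserUmask` member just above it, which at least points the reader at its documentation. State the contract and its limitation here, e.g. `// Whether the firmware reports UEFI Secure Boot as enabled (Linux: efivarfs SecureBoot variable; Windows: SecureBoot\State registry key). Returns false when the state cannot be determined, so false is not a positive "disabled" signal.` The enclosing class declaration starts and ends outside the hunk.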