Enterprise: Add secure boot status to device posture

browser/components/enterprise/modules/ConsoleClient.sys.mjs

@@ -482,6 +482,8 @@ export const ConsoleClient = {
         ipv4: null,
         ipv6: null,
       },
+      secureBootEnabled:
+        Services.sysinfo.getPropertyAsBool("secureBootEnabled"),
     };
     return devicePosturePayload;
   },

testing/enterprise/test_felt_device_posture.py

@@ -43,6 +43,7 @@ def test_felt_2_device_posture_content(self, exp):
         assert device_posture["build"]["applicationName"] == "FirefoxEnterprise", (
             "Device posture reports proper applicationName"
         )
+        assert "secureBootEnabled" in device_posture
         return True
 
     def test_felt_3_access(self, exp):

xpcom/base/nsSystemInfo.cpp

@@ -1421,6 +1421,52 @@ BOOL WINAPI IsUserCetAvailableInEnvironment(_In_ DWORD UserCetEnvironment);
 #  define USER_CET_ENVIRONMENT_WIN32_PROCESS 0x00000000
 #endif
 
+#if defined(MOZ_ENTERPRISE) && defined(XP_LINUX)
+bool GetSecureBootStatus_Linux() {
+  std::ifstream input(
+      "/sys/firmware/efi/efivars/"
+      "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c",
+      std::ios::binary);
+  if (input.fail()) {
+    return false;
+  }
+
+  unsigned char bytes[5] = {0};
+  input.read(reinterpret_cast<char*>(bytes), sizeof(bytes));
+  if (!input) {
+    return false;
+  }
+
+  return bytes[4] == 0x01;
+}
+#endif
+
+#if defined(MOZ_ENTERPRISE) && defined(XP_WIN)
+bool GetSecureBootStatus_Windows() {
+  HKEY secureBootStateHKey;
+  LONG status =
+      RegOpenKeyEx(HKEY_LOCAL_MACHINE,
+                   L"SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State", 0,
+                   KEY_READ, &secureBootStateHKey);
+
+  if (status != ERROR_SUCCESS) {
+    return false;
+  }
+
+  nsAutoRegKey secureBootStateKey(secureBootStateHKey);
+
+  DWORD data, len;
+  len = sizeof(data);
+
+  if (RegQueryValueEx(secureBootStateHKey, L"UEFISecureBootEnabled", 0, 0,
+                      reinterpret_cast<LPBYTE>(&data), &len) == ERROR_SUCCESS) {
+    return static_cast<bool>(data);
+  }
+
+  return false;
+}
+#endif
+
 nsresult nsSystemInfo::Init() {
   // check that it is called from the main thread on all platforms.
   MOZ_ASSERT(NS_IsMainThread());
@@ -1694,9 +1740,26 @@ nsresult nsSystemInfo::Init() {
   }
 #endif  // XP_LINUX && MOZ_SANDBOX
 
+#if defined(MOZ_ENTERPRISE)
+  SetPropertyAsBool(u"secureBootEnabled"_ns, GetSecureBootStatus());
+#endif
+
   return NS_OK;
 }
 
+#if defined(MOZ_ENTERPRISE)
+/* static */
+bool nsSystemInfo::GetSecureBootStatus() {
+#  if defined(XP_LINUX)
+  return GetSecureBootStatus_Linux();
+#  elif defined(XP_WIN)
+  return GetSecureBootStatus_Windows();
+#  else
+  return false;
+#  endif
+}
+#endif
+
 #ifdef MOZ_WIDGET_ANDROID
 // Prerelease versions of Android use a letter instead of version numbers.
 // Unfortunately this breaks websites due to the user agent.

xpcom/base/nsSystemInfo.h

@@ -99,6 +99,10 @@ class nsSystemInfo final : public nsISystemInfo, public nsHashPropertyBag {
   // See comments above the variable definition and in NS_InitXPCOM.
   static uint32_t gUserUmask;
 
+#if defined(MOZ_ENTERPRISE)
+  static bool GetSecureBootStatus();
+#endif
+
 #ifdef MOZ_WIDGET_ANDROID
   static void GetAndroidSystemInfo(mozilla::dom::AndroidSystemInfo* aInfo);