[gnome-control-center/wip/hughsie/hsi-sb-level] firmware-security: Move the workaround for UEFI Secure Boot lower
- From: Richard Hughes <rhughes src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-control-center/wip/hughsie/hsi-sb-level] firmware-security: Move the workaround for UEFI Secure Boot lower
- Date: Wed, 24 Aug 2022 17:48:36 +0000 (UTC)
commit a87d93007600f97c2ee0178d677fcec63c155b79
Author: Richard Hughes <richard hughsie com>
Date: Wed Aug 24 16:25:29 2022 +0100
firmware-security: Move the workaround for UEFI Secure Boot lower
This fixes the toplevel security level to correctly show failed.
.../firmware-security/cc-firmware-security-panel.c | 23 ++++++++++++----------
.../firmware-security/cc-firmware-security-utils.c | 4 ++++
2 files changed, 17 insertions(+), 10 deletions(-)
---
diff --git a/panels/firmware-security/cc-firmware-security-panel.c
b/panels/firmware-security/cc-firmware-security-panel.c
index 70a8664fe..8a5bb5e9a 100644
--- a/panels/firmware-security/cc-firmware-security-panel.c
+++ b/panels/firmware-security/cc-firmware-security-panel.c
@@ -73,6 +73,9 @@ struct _CcfirmwareSecurityPanel
CC_PANEL_REGISTER (CcfirmwareSecurityPanel, cc_firmware_security_panel)
+static void
+set_hsi_button_view (CcfirmwareSecurityPanel *self);
+
static void
set_secure_boot_button_view (CcfirmwareSecurityPanel *self)
{
@@ -226,19 +229,19 @@ parse_variant_iter (CcfirmwareSecurityPanel *self,
if (appstream_id == NULL)
return;
+ /* in fwupd <= 1.8.3 org.fwupd.hsi.Uefi.SecureBoot was incorrectly marked as HSI-0,
+ * so lower the HSI number forcefully if this attribute failed -- the correct thing
+ * to do of course is to update fwupd to a newer build */
+ if (g_strcmp0 (attr->appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0 &&
+ (attr->flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS) == 0)
+ {
+ self->hsi_number = 0;
+ set_hsi_button_view (self);
+ }
+
/* insert into correct hash table */
switch (attr->hsi_level)
{
- case 0:
- /* in fwupd <= 1.8.3 org.fwupd.hsi.Uefi.SecureBoot was incorrectly marked as HSI-0,
- * so accept either level here to avoid raising the runtime version requirement */
- if (g_strcmp0 (attr->appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0)
- {
- g_hash_table_insert (self->hsi1_dict,
- g_strdup (appstream_id),
- g_steal_pointer (&attr));
- }
- break;
case 1:
g_hash_table_insert (self->hsi1_dict,
g_strdup (appstream_id),
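Review bot: The forced `self->hsi_number = 0` in parse_variant_iter only holds if nothing assigns hsi_number afterwards. The code that reads the host security level from fwupd is not in this hunk; if it can complete after the attributes are parsed, the panel would again show the level fwupd reported even though Secure Boot failed. Consider documenting the ordering assumption next to the assignment, e.g. `/* must run after hsi_number has been read from fwupd, otherwise this override is lost */`, or recording the failure on self and applying it wherever hsi_number is set. The test `(attr->flags & FWUPD_SECURITY_ATTR_FLAG_SUCCESS) == 0` treats every non-success result as a failure, which errs on the safe side but should be stated in the comment. The check also reads `attr->appstream_id` while the rest of the function uses the local `appstream_id`; the function body continues outside the hunk.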
diff --git a/panels/firmware-security/cc-firmware-security-utils.c
b/panels/firmware-security/cc-firmware-security-utils.c
index fa715cbac..f6df3aebe 100644
--- a/panels/firmware-security/cc-firmware-security-utils.c
+++ b/panels/firmware-security/cc-firmware-security-utils.c
@@ -334,6 +334,10 @@ fu_security_attr_new_from_variant (GVariantIter *iter)
g_variant_unref (value);
}
+ /* in fwupd <= 1.8.3 org.fwupd.hsi.Uefi.SecureBoot was incorrectly marked as HSI-0 */
+ if (g_strcmp0 (attr->appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0)
+ attr->hsi_level = 1;
+
/* fallback for older fwupd versions */
if (attr->appstream_id != NULL && attr->title == NULL)
attr->title = g_strdup (fu_security_attr_get_title_fallback (attr->appstream_id));
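Review bot: The override `attr->hsi_level = 1` runs for every fwupd version, not only those that report HSI-0, so it replaces whatever level the daemon sends for Secure Boot. Guarding on the reported level would limit the workaround to the broken case: `if (g_strcmp0 (attr->appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0 && attr->hsi_level == 0)`. The comment should also say that the level is forced to 1 here and point to the matching hsi_number override in cc-firmware-security-panel.c, so both halves are removed together once the minimum fwupd version is raised. fu_security_attr_new_from_variant starts and ends outside the hunk.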