Create registry key to force secure mode

[seanbudd]

Link to issue number:

Fixes #10018

Summary of the issue:

System administrators may wish to configure NVDA to restrict unauthorized system access.
Secure mode can be forced through the --secure CLI parameter, however, forcing this parameter is not easily done for system administrators.

In a corporate environment where application usage is restricted, NVDA should be forced into secure mode via a registry key parameter, rather than a CLI parameter

Description of user facing changes

Added a registry key parameter to force secure mode of NVDA.

Improved documentation for system administrators on secure mode.

Description of development approach

Added a registry key parameter to force secure mode of NVDA.

make isRunningOnSecureDesktop and isLockScreenModeActive part of public API

Testing strategy:

Tested setting the reg key parameter.

Known issues with pull request:

None

Change log entries:

After 2023.2 release, relevant info should be added to the NV Access corporate page

New features

A system wide parameter has been added to allow users and system administrators to force NVDA to start in secure mode.

Deprecations
config.CONFIG_IN_LOCAL_APPDATA_SUBKEY is deprecated. Instead use config.RegistryKey.CONFIG_IN_LOCAL_APPDATA_SUBKEY.

Code Review Checklist:

• Pull Request description:
  • description is up to date
  • change log entries
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• API is compatible with existing add-ons.
• Documentation:
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• Security precautions taken.

[Qchristensen]

Good work, this will be very useful for some of our corporate users

[LeonarddeR]

I'm pretty sure this registry key gets lost after an update. To prevent this, you probably need to adapt installer.install in the same way as this has been done for the configInLocalAppData flag. So you'd also need adding an extra parameter to installer.registerInstallation.

Also, while I Really like this change, I'm pretty sure globalVars.appArgs.secure is treated by add-ons as a way of checking whether the add-on is running on a secure screen. Pretty sure NVDA Remote uses it like this. My NVDA Remote Desktop add-on uses systemutils._isSecureDesktop, but as the name of that function implies, it's meant as a private API. I'm not saying this should hold this change back, but it must be carefully considered that both add-ons and NVDA Core doesn't assume globalVars.appArgs.secure and secure desktop are the same.
I'd suggest going forward as follows:

1. Do a scan of NVDA Internals for the secure flag. Ensure that there's no logic using this that expects a secure desktop instead of just a secure copy.
2. Provide a public API to find out whether we're on a secure desktop, preferably a read-only flag that doesn't have to get the current desktop every time.
3. Clearly communicate to add-on authors that they should change from globalVars.appArgs.secure to the new API to check whether running on a secure desktop.

[seanbudd]

@LeonarddeR

Thanks for the pointers surrounding preventing the registry key from being lost during an update.

Also, while I Really like this change, I'm pretty sure globalVars.appArgs.secure is treated by add-ons as a way of checking whether the add-on is running on a secure screen.

This is unexpected usage, and has been incorrect for a long time. The --secure CLI parameter has existed for 10 years and contradicts this assumption (b7821e1). The SecureDesktopNVDAObject has been the historic method of checking if NVDA is on a secure screen. Moving away from this is proposed in #14488, and staged for 2024.1.

Do a scan of NVDA Internals for the secure flag. Ensure that there's no logic using this that expects a secure desktop instead of just a secure copy.

As this underlying assumption has been incorrect for a long time, and with recent security focused rewrites, I am fairly confident that this sort of logic does not exist. The way secure mode is defined has always been based on being a secure mode, the CLI parameter has existed for 10+ years , and should not be conflated with secure screens.

Provide a public API to find out whether we're on a secure desktop, preferably a read-only flag that doesn't have to get the current desktop every time.

This should be covered by the gain focus event for SecureDesktopNVDAObject currently, and in future the proposed change in #14488.

Clearly communicate to add-on authors that they should change from globalVars.appArgs.secure to the new API to check whether running on a secure desktop.

Again, I am surprised by this assumption, but we can always remind API consumers of the difference between secure mode, secure screens, etc.

[CyrilleB79]

@seanbudd, you write:

After merging, relevant info should be added to the NV Access corporate page

IMO, the website should be updated after the stable release instead.

[seanbudd]

Also note that NVDA Remote uses SecureDesktopNVDAObject as intended: NVDARemote/NVDARemote#309

[LeonarddeR]

This is unexpected usage, and has been incorrect for a long time. The --secure CLI parameter has existed for 10 years and contradicts this assumption (b7821e1). The SecureDesktopNVDAObject has been the historic method of checking if NVDA is on a secure screen. Moving away from this is proposed in #14488, and staged for 2024.1.

I'm afraid you're mixing up two things here. The SecureDesktopNVDAObject is indeed meant to check whether we're on a secure desktop when you're talking about the instance of NVDA that runs on the user desktop. However, how about the copy that runs on the secure desktop itself?

I am fairly confident that this sort of logic does not exist.

As per above, I'm slightly in doubt of that. Furthermore, just a git grep for globalVars.appArgs.secure comes up with a check in jabHandler that looks to me like a way to avoid access bridge registration on secure desktops. I couldn't think of a reason why the jab handler shouldn't work with the secure parameter otherwise.

Provide a public API to find out whether we're on a secure desktop, preferably a read-only flag that doesn't have to get the current desktop every time.

This should be covered by the gain focus event for SecureDesktopNVDAObject currently

To clarify, I'm talking about the copy that runs on the secure desktop itself, not the user copy.

[seanbudd]

@LeonarddeR - ah thanks I see that NVDARemote does indeed rely on globalVars.appArgs.secure. We definitely should commit systemutils._isSecureDesktop (name as runningOnSecureDesktop?) to the public API to handle this.

[CyrilleB79]

@seanbudd , while at it, may you put winAPI.sessionTracking._isLockScreenModeActive in the public API?
We had discussed it together during 2022.3.x dev cycle regarding a request for Character Information add-on. And you wrote:

A public API can be requested by add-on developers 2-3 month after 2022.3.3 release if no issue is found.

[AppVeyorBot]

• PASS: Translation comments check.
• PASS: Unit tests.
• FAIL: Lint check. See test results for more information.
• PASS: System tests (tags: installer NVDA).
• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/450v8xc503qa9ug4/artifacts/output/nvda_snapshot_pr15049-28508,9a7c58cf.exe
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 0.9,
  INSTALL_END 0.9,
  BUILD_START 0.0,
  BUILD_END 25.1,
  TESTSETUP_START 0.0,
  TESTSETUP_END 0.3,
  TEST_START 0.0,
  TEST_END 21.9,
  FINISH_END 0.2

See test results for failed build of commit 9a7c58cfa0

[seanbudd]

@LeonarddeR - I've done a review of .secure instances. All seem generally correct.

The disabled JAB handler code encompassed setting a flag to let Java know we are using a11y.
It was disabled as we generally should not write to disk from secure mode.
However, this is an one-off system operation for NVDA and it is not user configurable.

In 2a24b14 I also changed blackAction.Context.WINDOWS_LOCKED, which is currently only checked by the add-on store.

stale

[Qchristensen]

This will be of benefit to many corporate users wanting to roll out NVDA securely, great work!

[michaelDCurran]

All good, with just one suggestion fix for a typo in user guide.