[1/2] Documentation: syfs-class-firmware-attributes: Lenovo Opcode support

Message ID 20211108232533.211693-1-markpearson@lenovo.com (mailing list archive)
State Changes Requested, archived

Commit Message

Mark Pearson Nov. 8, 2021, 11:25 p.m. UTC
Newer Lenovo BIOS's have an opcode GUID support interface which provides
 - improved password setting control
 - ability to set System, hard drive and NVMe passwords

Add the support for these new passwords, and the ability to select
user/master mode and the drive index.

Signed-off-by: Mark Pearson <markpearson@lenovo.com>
---
 .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Hans de Goede Nov. 16, 2021, 2 p.m. UTC | #1
Hi,

On 11/9/21 00:25, Mark Pearson wrote:
> Newer Lenovo BIOS's have an opcode GUID support interface which provides
>  - improved password setting control
>  - ability to set System, hard drive and NVMe passwords
> 
> Add the support for these new passwords, and the ability to select
> user/master mode and the drive index.
> 
> Signed-off-by: Mark Pearson <markpearson@lenovo.com>
> ---
>  .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
> index 3348bf80a37c..6af4c5cf3d47 100644
> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
> @@ -161,6 +161,12 @@ Description:
>  						power-on:
>  							Representing a password required to use
>  							the system
> +						system-mgmt:
> +							Representing System Management password

What is the difference between the system-mgmt password and the bios-admin one ?

> +						HDD:
> +							Representing HDD password
> +						NVMe:
> +							Representing NVMe password
>  
>  		mechanism:
>  					The means of authentication.  This attribute is mandatory.
> @@ -185,6 +191,17 @@ Description:
>  					A write only value that when used in tandem with
>  					current_password will reset a system or admin password.
>  
> +		level:
> +					Used with HDD and NVMe authentication to set 'user' or 'master'
> +					privilege level
> +					This attribute defaults to 'user' level

What is the difference between user and master levels ?

> +
> +		index:
> +					Used with HDD and NVME authentication to set the drive index
> +					that is being referenced (e.g hdd0, hdd1 etc)
> +					This attribute defaults to device 0.
> +
> +
>  		Note, password management is session specific. If Admin password is set,
>  		same password must be written into current_password file (required for
>  		password-validation) and must be cleared once the session is over.
> 


Also maybe all of this needs to be moved to the Lenovo specific section for now ?

If we then get other firmware APIs to set HDD / NVMe passwords we can try to re-use this
and move it to the generic section (assuming we can make things fit ...) 

Regards,

Hans
Mark Pearson Nov. 16, 2021, 9:05 p.m. UTC | #2
Hi Hans,

Thank you for the review.

On 2021-11-16 09:00, Hans de Goede wrote:
> Hi,
> 
> On 11/9/21 00:25, Mark Pearson wrote:
>> Newer Lenovo BIOS's have an opcode GUID support interface which provides
>>  - improved password setting control
>>  - ability to set System, hard drive and NVMe passwords
>>
>> Add the support for these new passwords, and the ability to select
>> user/master mode and the drive index.
>>
>> Signed-off-by: Mark Pearson <markpearson@lenovo.com>
>> ---
>>  .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>> index 3348bf80a37c..6af4c5cf3d47 100644
>> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
>> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>> @@ -161,6 +161,12 @@ Description:
>>  						power-on:
>>  							Representing a password required to use
>>  							the system
>> +						system-mgmt:
>> +							Representing System Management password
> 
> What is the difference between the system-mgmt password and the bios-admin one ?

Taken from the documentation but somewhat reformatted/edited for clarity

bios-admin - You are prompted to enter a valid password each time you
try to enter the BIOS menu

system-mgmt - You can enable the system management password to have the
same authority as the bios-admin password to control security related
features. You can customize the authority of the system management
password through the UEFI BIOS menu (SMP Access Control Policy)

> 
>> +						HDD:
>> +							Representing HDD password
>> +						NVMe:
>> +							Representing NVMe password
>>  
>>  		mechanism:
>>  					The means of authentication.  This attribute is mandatory.
>> @@ -185,6 +191,17 @@ Description:
>>  					A write only value that when used in tandem with
>>  					current_password will reset a system or admin password.
>>  
>> +		level:
>> +					Used with HDD and NVMe authentication to set 'user' or 'master'
>> +					privilege level
>> +					This attribute defaults to 'user' level
> 
> What is the difference between user and master levels ?

User: If a user hard disk password has been set, but no master hard disk
password has been, the user must enter the user hard disk password to
access files and applications on the hard disk drive.

Master: The master hard disk password also requires a user hard disk
password. The master hard disk password is usually set and used by a
system administrator. It enables the administrator to access any hard
disk drive in a system like a master key. The administrator sets the
master password; then assigns a user password for each computer in the
network. The user can then change the user password as desired, but the
administrator still can get access by using the master password. When a
master hard disk password is set, only the administrator can remove the
user hard disk password.
> 
>> +
>> +		index:
>> +					Used with HDD and NVME authentication to set the drive index
>> +					that is being referenced (e.g hdd0, hdd1 etc)
>> +					This attribute defaults to device 0.
>> +
>> +
>>  		Note, password management is session specific. If Admin password is set,
>>  		same password must be written into current_password file (required for
>>  		password-validation) and must be cleared once the session is over.
>>
> 
> 
> Also maybe all of this needs to be moved to the Lenovo specific section for now ?
> 
> If we then get other firmware APIs to set HDD / NVMe passwords we can try to re-use this
> and move it to the generic section (assuming we can make things fit ...) 
> 
Ah - good point. I will do that

Thanks
Mark
Hans de Goede Nov. 17, 2021, 12:09 p.m. UTC | #3
Hi,

On 11/16/21 22:05, Mark Pearson wrote:
> 
> Hi Hans,
> 
> Thank you for the review.
> 
> On 2021-11-16 09:00, Hans de Goede wrote:
>> Hi,
>>
>> On 11/9/21 00:25, Mark Pearson wrote:
>>> Newer Lenovo BIOS's have an opcode GUID support interface which provides
>>>  - improved password setting control
>>>  - ability to set System, hard drive and NVMe passwords
>>>
>>> Add the support for these new passwords, and the ability to select
>>> user/master mode and the drive index.
>>>
>>> Signed-off-by: Mark Pearson <markpearson@lenovo.com>
>>> ---
>>>  .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++
>>>  1 file changed, 17 insertions(+)
>>>
>>> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>> index 3348bf80a37c..6af4c5cf3d47 100644
>>> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>> @@ -161,6 +161,12 @@ Description:
>>>  						power-on:
>>>  							Representing a password required to use
>>>  							the system
>>> +						system-mgmt:
>>> +							Representing System Management password
>>
>> What is the difference between the system-mgmt password and the bios-admin one ?
> 
> Taken from the documentation but somewhat reformatted/edited for clarity
> 
> bios-admin - You are prompted to enter a valid password each time you
> try to enter the BIOS menu
> 
> system-mgmt - You can enable the system management password to have the
> same authority as the bios-admin password to control security related
> features. You can customize the authority of the system management
> password through the UEFI BIOS menu (SMP Access Control Policy)

Ok, so if I understand this correctly, then if both a bios-admin and
a system-mgmt password are set then with the bios-admin option
all options except those on the "security settings" BIOS screen
can be changed, and with the system-mgmt password everything can
be changed, is that correct?

Also can you update the new text here to try and explain this
somewhat ?


>>> +						HDD:
>>> +							Representing HDD password
>>> +						NVMe:
>>> +							Representing NVMe password
>>>  
>>>  		mechanism:
>>>  					The means of authentication.  This attribute is mandatory.
>>> @@ -185,6 +191,17 @@ Description:
>>>  					A write only value that when used in tandem with
>>>  					current_password will reset a system or admin password.
>>>  
>>> +		level:
>>> +					Used with HDD and NVMe authentication to set 'user' or 'master'
>>> +					privilege level
>>> +					This attribute defaults to 'user' level
>>
>> What is the difference between user and master levels ?
> 
> User: If a user hard disk password has been set, but no master hard disk
> password has been, the user must enter the user hard disk password to
> access files and applications on the hard disk drive.
> 
> Master: The master hard disk password also requires a user hard disk
> password. The master hard disk password is usually set and used by a
> system administrator. It enables the administrator to access any hard
> disk drive in a system like a master key. The administrator sets the
> master password; then assigns a user password for each computer in the
> network. The user can then change the user password as desired, but the
> administrator still can get access by using the master password. When a
> master hard disk password is set, only the administrator can remove the
> user hard disk password.

I understand, so like a master-key vs a normal key in a big office building.

Can you update the new text here to try and explain this somewhat ?

>>
>>> +
>>> +		index:
>>> +					Used with HDD and NVME authentication to set the drive index
>>> +					that is being referenced (e.g hdd0, hdd1 etc)
>>> +					This attribute defaults to device 0.
>>> +
>>> +
>>>  		Note, password management is session specific. If Admin password is set,
>>>  		same password must be written into current_password file (required for
>>>  		password-validation) and must be cleared once the session is over.
>>>
>>
>>
>> Also maybe all of this needs to be moved to the Lenovo specific section for now ?
>>
>> If we then get other firmware APIs to set HDD / NVMe passwords we can try to re-use this
>> and move it to the generic section (assuming we can make things fit ...) 
>>
> Ah - good point. I will do that

Great.

Regards,

Hans
Mark Pearson Nov. 17, 2021, 3:20 p.m. UTC | #4
Hi Hans,

On 2021-11-17 07:09, Hans de Goede wrote:
> Hi,
> 
> On 11/16/21 22:05, Mark Pearson wrote:
>>
>> Hi Hans,
>>
>> Thank you for the review.
>>
>> On 2021-11-16 09:00, Hans de Goede wrote:
>>> Hi,
>>>
>>> On 11/9/21 00:25, Mark Pearson wrote:
>>>> Newer Lenovo BIOS's have an opcode GUID support interface which provides
>>>>  - improved password setting control
>>>>  - ability to set System, hard drive and NVMe passwords
>>>>
>>>> Add the support for these new passwords, and the ability to select
>>>> user/master mode and the drive index.
>>>>
>>>> Signed-off-by: Mark Pearson <markpearson@lenovo.com>
>>>> ---
>>>>  .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++
>>>>  1 file changed, 17 insertions(+)
>>>>
>>>> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>>> index 3348bf80a37c..6af4c5cf3d47 100644
>>>> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>>> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
>>>> @@ -161,6 +161,12 @@ Description:
>>>>  						power-on:
>>>>  							Representing a password required to use
>>>>  							the system
>>>> +						system-mgmt:
>>>> +							Representing System Management password
>>>
>>> What is the difference between the system-mgmt password and the bios-admin one ?
>>
>> Taken from the documentation but somewhat reformatted/edited for clarity
>>
>> bios-admin - You are prompted to enter a valid password each time you
>> try to enter the BIOS menu
>>
>> system-mgmt - You can enable the system management password to have the
>> same authority as the bios-admin password to control security related
>> features. You can customize the authority of the system management
>> password through the UEFI BIOS menu (SMP Access Control Policy)
> 
> Ok, so if I understand this correctly, then if both a bios-admin and
> a system-mgmt password are set then with the bios-admin option
> all options except those on the "security settings" BIOS screen
> can be changed, and with the system-mgmt password everything can
> be changed, is that correct?
> 
Yes - that's my understanding.

> Also can you update the new text here to try and explain this
> somewhat ?
Will do

> 
> 
>>>> +						HDD:
>>>> +							Representing HDD password
>>>> +						NVMe:
>>>> +							Representing NVMe password
>>>>  
>>>>  		mechanism:
>>>>  					The means of authentication.  This attribute is mandatory.
>>>> @@ -185,6 +191,17 @@ Description:
>>>>  					A write only value that when used in tandem with
>>>>  					current_password will reset a system or admin password.
>>>>  
>>>> +		level:
>>>> +					Used with HDD and NVMe authentication to set 'user' or 'master'
>>>> +					privilege level
>>>> +					This attribute defaults to 'user' level
>>>
>>> What is the difference between user and master levels ?
>>
>> User: If a user hard disk password has been set, but no master hard disk
>> password has been, the user must enter the user hard disk password to
>> access files and applications on the hard disk drive.
>>
>> Master: The master hard disk password also requires a user hard disk
>> password. The master hard disk password is usually set and used by a
>> system administrator. It enables the administrator to access any hard
>> disk drive in a system like a master key. The administrator sets the
>> master password; then assigns a user password for each computer in the
>> network. The user can then change the user password as desired, but the
>> administrator still can get access by using the master password. When a
>> master hard disk password is set, only the administrator can remove the
>> user hard disk password.
> 
> I understand, so like a master-key vs a normal key in a big office building.
Yes - good analogy
> 
> Can you update the new text here to try and explain this somewhat ?
Will do

Thanks!
Mark

Patch

diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
index 3348bf80a37c..6af4c5cf3d47 100644
--- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
+++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
@@ -161,6 +161,12 @@  Description:
 						power-on:
 							Representing a password required to use
 							the system
+						system-mgmt:
+							Representing System Management password
+						HDD:
+							Representing HDD password
+						NVMe:
+							Representing NVMe password
 
 		mechanism:
 					The means of authentication.  This attribute is mandatory.
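
Review bot: The three new role entries only restate their names ("Representing System Management password", "Representing HDD password", "Representing NVMe password"), so a reader cannot tell what each password protects or how system-mgmt differs from the existing roles; one sentence per entry on its scope would make this usable as ABI documentation. The new values "HDD" and "NVMe" are also capitalised while the neighbouring "power-on" and the new "system-mgmt" are lower case, and since this file documents sysfs ABI strings it is worth settling the casing before it is merged.
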
@@ -185,6 +191,17 @@  Description:
 					A write only value that when used in tandem with
 					current_password will reset a system or admin password.
 
+		level:
+					Used with HDD and NVMe authentication to set 'user' or 'master'
+					privilege level
+					This attribute defaults to 'user' level
+
+		index:
+					Used with HDD and NVME authentication to set the drive index
+					that is being referenced (e.g hdd0, hdd1 etc)
+					This attribute defaults to device 0.
+
+
 		Note, password management is session specific. If Admin password is set,
 		same password must be written into current_password file (required for
 		password-validation) and must be cleared once the session is over.
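
Review bot: The index description does not say what is actually written to the attribute: the example gives names ("hdd0, hdd1") while the default is stated as a number ("device 0"), so the accepted format and valid range should be spelled out. The level entry names 'user' and 'master' without saying what each privilege level allows, and neither entry says what happens when it is written while a non-drive role is in use. Since the Note that follows says password management is session specific, it would also help to state whether level and index are reset at the end of a session. Smaller points: "NVME" here versus "NVMe" in the level text, "e.g" lacks its trailing period, the new sentences have no terminating full stops, and the hunk adds two consecutive blank lines before the Note paragraph.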