| Message ID | 20220312000439.4143-1-markpearson@lenovo.com (mailing list archive) |
|---|---|
| State | Changes Requested, archived |
| Headers | show |
| Series | [1/2] Documentation: syfs-class-firmware-attributes: Lenovo Certificate support | expand |
Hi, On 3/12/22 01:04, Mark Pearson wrote: > Certificate based authentication is available as an alternative to > password based authentication. > > The WMI commands are cryptographically signed using a separate > signing server and will be verified by the BIOS before being > accepted. > > This commit details the fields that are needed to support that > implementation. At present the changes are intended for Lenovo > platforms, but have been designed to keep them as flexible as possible > for future implementations from other vendors. > > Signed-off-by: Mark Pearson <markpearson@lenovo.com> Thanks, patch looks good to me: Reviewed-by: Hans de Goede <hdegoede@redhat.com> Regards, Hans > --- > .../testing/sysfs-class-firmware-attributes | 52 +++++++++++++++++++ > 1 file changed, 52 insertions(+) > > diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes > index 13e31c6a0e9c..1d9c3bb1dbcd 100644 > --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes > +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes > @@ -246,6 +246,43 @@ Description: > that is being referenced (e.g hdd0, hdd1 etc) > This attribute defaults to device 0. > > + certificate: > + signature: > + These attributes are used for certificate based authentication. This is > + used in conjunction with a signing server as an alternative to password > + based authentication. > + The user writes to the attribute with a BASE64 encoded string obtained > + from the signing server. > + The attribute can be displayed to check the stored value. > + > + Some usage examples: > + Installing a certificate to enable feature: > + echo <supervisor password > authentication/Admin/current_password > + echo <signed certificate> > authentication/Admin/certificate > + > + Updating the installed certificate: > + echo <signature> > authentication/Admin/signature > + echo <signed certificate> > authentication/Admin/certificate > + > + Removing the installed certificate: > + echo <signature> > authentication/Admin/signature > + echo '' > authentication/Admin/signature > + > + You cannot enable certificate authentication if a supervisor password > + has not been set. > + After any of these operations the system must reboot for the changes to > + take effect > + > + certificate_thumbprint > + Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints > + for the certificate installed in the BIOS. > + > + certificate_to_password > + Write only attribute used to switch from certificate based authentication > + back to password based. > + Usage: > + echo <signature> > authentication/Admin/signature > + echo <password> > authentication/Admin/certificate_to_password > > > What: /sys/class/firmware-attributes/*/attributes/pending_reboot > @@ -315,3 +352,18 @@ Description: > use it to enable extra debug attributes or BIOS features for testing purposes. > > Note that any changes to this attribute requires a reboot for changes to take effect. > + > +What: /sys/class/firmware-attributes/*/attributes/set_signature > +What: /sys/class/firmware-attributes/*/attributes/save_signature > +Date: March 2022 > +KernelVersion: 5.18 > +Contact: Mark Pearson <markpearson@lenovo.com> > +Description: > + These attributes are used when certificate based authentication are enabled. > + The set_signature and save_signature are both obtained from the signing server > + and both need to be set when changing an attribute. > + Usage example: > + echo <set signature> > set_signature > + echo <save signature> > save_signature > + echo Enable > PasswordBeep/current_value > + The attributes can be read to display the stored value.
diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes index 13e31c6a0e9c..1d9c3bb1dbcd 100644 --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes @@ -246,6 +246,43 @@ Description: that is being referenced (e.g hdd0, hdd1 etc) This attribute defaults to device 0. + certificate: + signature: + These attributes are used for certificate based authentication. This is + used in conjunction with a signing server as an alternative to password + based authentication. + The user writes to the attribute with a BASE64 encoded string obtained + from the signing server. + The attribute can be displayed to check the stored value. + + Some usage examples: + Installing a certificate to enable feature: + echo <supervisor password > authentication/Admin/current_password + echo <signed certificate> > authentication/Admin/certificate + + Updating the installed certificate: + echo <signature> > authentication/Admin/signature + echo <signed certificate> > authentication/Admin/certificate + + Removing the installed certificate: + echo <signature> > authentication/Admin/signature + echo '' > authentication/Admin/signature + + You cannot enable certificate authentication if a supervisor password + has not been set. + After any of these operations the system must reboot for the changes to + take effect + + certificate_thumbprint + Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints + for the certificate installed in the BIOS. + + certificate_to_password + Write only attribute used to switch from certificate based authentication + back to password based. + Usage: + echo <signature> > authentication/Admin/signature + echo <password> > authentication/Admin/certificate_to_password What: /sys/class/firmware-attributes/*/attributes/pending_reboot @@ -315,3 +352,18 @@ Description: use it to enable extra debug attributes or BIOS features for testing purposes. Note that any changes to this attribute requires a reboot for changes to take effect. + +What: /sys/class/firmware-attributes/*/attributes/set_signature +What: /sys/class/firmware-attributes/*/attributes/save_signature +Date: March 2022 +KernelVersion: 5.18 +Contact: Mark Pearson <markpearson@lenovo.com> +Description: + These attributes are used when certificate based authentication are enabled. + The set_signature and save_signature are both obtained from the signing server + and both need to be set when changing an attribute. + Usage example: + echo <set signature> > set_signature + echo <save signature> > save_signature + echo Enable > PasswordBeep/current_value + The attributes can be read to display the stored value.
Certificate based authentication is available as an alternative to password based authentication. The WMI commands are cryptographically signed using a separate signing server and will be verified by the BIOS before being accepted. This commit details the fields that are needed to support that implementation. At present the changes are intended for Lenovo platforms, but have been designed to keep them as flexible as possible for future implementations from other vendors. Signed-off-by: Mark Pearson <markpearson@lenovo.com> --- .../testing/sysfs-class-firmware-attributes | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+)