diff mbox series

[v5,1/5] Introduction of HP-BIOSCFG driver (1)

Message ID 20221202173616.180108-2-jorge.lopez2@hp.com (mailing list archive)
State Changes Requested, archived
Headers show
Series Introduction of HP-BIOSCFG driver | expand

Commit Message

Jorge Lopez Dec. 2, 2022, 5:36 p.m. UTC 
The purpose for this patch is submit HP BIOSCFG driver to be list of
HP Linux kernel drivers.  The driver include a total of 12 files
broken in several patches.  This is set 1 of 4.

HP BIOS Configuration driver purpose is to provide a driver supporting
the latest sysfs class firmware attributes framework allowing the user
to change BIOS settings and security solutions on HP Inc.’s commercial
notebooks.

Many features of HP Commercial PC’s can be managed using Windows
Management Instrumentation (WMI). WMI is an implementation of Web-Based
Enterprise Management (WBEM) that provides a standards-based interface
for changing and monitoring system settings.  HP BISOCFG driver provides
a native Linux solution and the exposed features facilitates the
migration to Linux environments.

The Linux security features to be provided in hp-bioscfg driver enables
managing the BIOS settings and security solutions via sysfs, a virtual
filesystem that can be used by user-mode applications.   The new
documentation cover features such Secure Platform Management, Sure
Admin, and Sure Start.  Each section provides security feature
description and identifies sysfs directories and files exposed by
the driver.

Many HP Commercial PC’s include a feature called Secure Platform
Management (SPM), which replaces older password-based BIOS settings
management with public key cryptography. PC secure product management
begins when a target system is provisioned with cryptographic keys
that are used to ensure the integrity of communications between system
management utilities and the BIOS.

HP Commercial PC’s have several BIOS settings that control its behaviour
and capabilities, many of which are related to security. To prevent
unauthorized changes to these settings, the system can be configured
to use a Sure Admin cryptographic signature-based authorization string
that the BIOS will use to verify authorization to modify the setting.

Signed-off-by: Jorge Lopez <jorge.lopez2@hp.com>

---
Based on the latest platform-drivers-x86.git/for-next

History

Version 5
	Remove version 4 patch 1
	Address review changes proposed in Version 4
	Reorganize all patches number and file order
---
 .../testing/sysfs-class-firmware-attributes   | 181 +++++++++++++++++-
 MAINTAINERS                                   |   6 +
 drivers/platform/x86/hp/Kconfig               |  16 ++
 drivers/platform/x86/hp/Makefile              |   1 +
 drivers/platform/x86/hp/hp-bioscfg/Makefile   |  19 ++
 5 files changed, 221 insertions(+), 2 deletions(-)
 create mode 100644 drivers/platform/x86/hp/hp-bioscfg/Makefile

Comments

Hans de Goede Jan. 16, 2023, 12:05 p.m. UTC | #1 
Hi Jorge,

On 12/2/22 18:36, Jorge Lopez wrote:
> The purpose for this patch is submit HP BIOSCFG driver to be list of
> HP Linux kernel drivers.  The driver include a total of 12 files
> broken in several patches.  This is set 1 of 4.
> 
> HP BIOS Configuration driver purpose is to provide a driver supporting
> the latest sysfs class firmware attributes framework allowing the user
> to change BIOS settings and security solutions on HP Inc.’s commercial
> notebooks.
> 
> Many features of HP Commercial PC’s can be managed using Windows
> Management Instrumentation (WMI). WMI is an implementation of Web-Based
> Enterprise Management (WBEM) that provides a standards-based interface
> for changing and monitoring system settings.  HP BISOCFG driver provides
> a native Linux solution and the exposed features facilitates the
> migration to Linux environments.
> 
> The Linux security features to be provided in hp-bioscfg driver enables
> managing the BIOS settings and security solutions via sysfs, a virtual
> filesystem that can be used by user-mode applications.   The new
> documentation cover features such Secure Platform Management, Sure
> Admin, and Sure Start.  Each section provides security feature
> description and identifies sysfs directories and files exposed by
> the driver.
> 
> Many HP Commercial PC’s include a feature called Secure Platform
> Management (SPM), which replaces older password-based BIOS settings
> management with public key cryptography. PC secure product management
> begins when a target system is provisioned with cryptographic keys
> that are used to ensure the integrity of communications between system
> management utilities and the BIOS.
> 
> HP Commercial PC’s have several BIOS settings that control its behaviour
> and capabilities, many of which are related to security. To prevent
> unauthorized changes to these settings, the system can be configured
> to use a Sure Admin cryptographic signature-based authorization string
> that the BIOS will use to verify authorization to modify the setting.
> 
> Signed-off-by: Jorge Lopez <jorge.lopez2@hp.com>
> 
> ---
> Based on the latest platform-drivers-x86.git/for-next
> 
> History
> 
> Version 5
> 	Remove version 4 patch 1
> 	Address review changes proposed in Version 4
> 	Reorganize all patches number and file order
> ---
>  .../testing/sysfs-class-firmware-attributes   | 181 +++++++++++++++++-
>  MAINTAINERS                                   |   6 +
>  drivers/platform/x86/hp/Kconfig               |  16 ++
>  drivers/platform/x86/hp/Makefile              |   1 +
>  drivers/platform/x86/hp/hp-bioscfg/Makefile   |  19 ++

This patch really should be the last patch in the series since
the Makefile points to a bunch of files which don't exist
until the other patches are merged.

>  5 files changed, 221 insertions(+), 2 deletions(-)
>  create mode 100644 drivers/platform/x86/hp/hp-bioscfg/Makefile
> 
> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
> index 4cdba3477176..da8e06d9bb43 100644
> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
> @@ -22,6 +22,13 @@ Description:
>  			- integer: a range of numerical values
>  			- string
>  
> +		HP specific types
> +		-----------------
> +			- ordered-list - a set of ordered list valid values
> +			- sure-admin
> +			- sure-start
> +
> +
>  		All attribute types support the following values:
>  
>  		current_value:
> @@ -126,6 +133,67 @@ Description:
>  					value will not be effective through sysfs until this rule is
>  					met.
>  
> +		HP specific class extensions
> +		------------------------------
> +
> +		On HP systems the following additional attributes are available:
> +
> +		"ordered-list"-type specific properties:
> +
> +		elements:
> +					A file that can be read to obtain the possible
> +					list of values of the <attr>. Values are separated using
> +					semi-colon (``;``). The order individual elements are listed
> +					according to their priority.  An Element listed first has the
> +					hightest priority. Writing the list in a different order to
> +					current_value alters the priority order for the particular
> +					attribute.

Ok, this new ordered-list type is fine.

> +
> +		"sure-admin"-type specific properties:
> +
> +		settings:
> +					A file associated with Sure Admin. BIOS settings can
> +					be read or written through the Sure Admin settings file in sysfs.
> +
> +					[BIOS setting],[new value],[auth token]
> +
> +					Sample settings reported data
> +
> +					{
> +						"Class": "HPBIOS_BIOSEnumeration",
> +						"Name": "USB Storage Boot",
> +						"Path": "\\Advanced\\Boot Options",
> +						"IsReadOnly": 0,
> +						...
> +						"Value": "Enable",
> +						"Size": 2,
> +						"PossibleValues": [
> +							"Disable",
> +							"Enable"
> +							]
> +					}
> +
> +					This file can also be written to in order to update
> +					the value sof a <attr> using a CMSL generated payload.
> +					For example:
> +
> +					<attr>,[value],[CMSL generated payload]


This is basically a run-around around the actual firmware attributes API,
so NACK for this.

Looking at how sure_admin_settings_write() encodes things I don't see any
difference between how auth-tokens/CFML-payloads are handled vs regular passwords
inside hp_set_attribute().

Except for the BEAM_PREFIX thing, which can be added to calculate_security_buffer() /
populate_security_buffer() too and in that case all 3 of the following should simply
work, taking a boot-delay integer attribute as example:

echo "password" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value

echo "auth-token" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value

cat csml-payload.file > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value

The only reason why this would not work is if things may get bigger then the size of a single
memory page (bigger then 4096 bytes).

But in that case you should just change the code implementing current_password to
use the bin_attribute interface and replace the static buffer for storing it
with a pointer to kmalloc-ed memory, which is NULL when the password is not set.

This will also remove a lot of finicky parsing which is currently done inside
sure_admin_settings_write()

###

As for the reading which returns a large large list of data blocks like this:

					{
						"Class": "HPBIOS_BIOSEnumeration",
						"Name": "USB Storage Boot",
						"Path": "\\Advanced\\Boot Options",
						"IsReadOnly": 0,
						...
						"Value": "Enable",
						"Size": 2,
						"PossibleValues": [
							"Disable",
							"Enable"
							]
					}

This sort of thing really does not belong in the kernel. I see that this does
export some info which is not available in the standard firmware-attributes interface,
like path and prerequisites and physical-presence.

If you want to export that info please just add extra HP specific attributes to
the integer, string, etc. attributes sets. Like how Dell has the dell_modifier
thing.

And if you have some consumers for data in the above format then give your users
a shell or python script or small C program which uses the sysfs interface
to output the information in the above format. Generating this format does
not belong in the kernel.


> +
> +		"sure-start"-type specific properties:
> +
> +		audit_log_entries:
> +					A read-only file that returns the events in the log.
> +
> +					Audit log entry format
> +
> +					Byte 0-15:   Requested Audit Log entry  (Each Audit log is 16 bytes)
> +					Byte 16-127: Unused
> +
> +		audit_log_entry_count:
> +					A read-only file that returns the number of existing audit log events available to be read.
> +
> +					[No of entries],[log entry size],[Max number of entries supported]
> +
>  What:		/sys/class/firmware-attributes/*/authentication/
>  Date:		February 2021
>  KernelVersion:	5.11
> @@ -206,7 +274,7 @@ Description:
>  		Drivers may emit a CHANGE uevent when a password is set or unset
>  		userspace may check it again.
>  
> -		On Dell and Lenovo systems, if Admin password is set, then all BIOS attributes
> +		On Dell, Lenovo, and HP systems, if Admin password is set, then all BIOS attributes
>  		require password validation.
>  		On Lenovo systems if you change the Admin password the new password is not active until
>  		the next boot.
> @@ -296,6 +364,15 @@ Description:
>  						echo "signature" > authentication/Admin/signature
>  						echo "password" > authentication/Admin/certificate_to_password
>  
> +		HP specific class extensions
> +		--------------------------------
> +
> +		On HP systems the following additional settings are available:
> +
> +		role: enhanced-bios-auth:
> +					This role is specific to Secure Platform Management (SPM) attribute.
> +					It requires configuring an endorsement (kek) and signing certificate (sk).
> +
>  
>  What:		/sys/class/firmware-attributes/*/attributes/pending_reboot
>  Date:		February 2021
> @@ -311,7 +388,7 @@ Description:
>  			==	=========================================
>  			0	All BIOS attributes setting are current
>  			1	A reboot is necessary to get pending BIOS
> -			        attribute changes applied
> +				attribute changes applied
>  			==	=========================================
>  
>  		Note, userspace applications need to follow below steps for efficient
> @@ -364,3 +441,103 @@ Description:
>  		use it to enable extra debug attributes or BIOS features for testing purposes.
>  
>  		Note that any changes to this attribute requires a reboot for changes to take effect.
> +
> +
> +		HP specific class extensions
> +		--------------------------------
> +
> +What:		/sys/class/firmware-attributes/*/authentication/SPM/kek
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	'kek' is a write-only file that can be used to configure the
> +		RSA public key that will be used by the BIOS to verify
> +		signatures when setting the signing key.  When written,
> +		the bytes should correspond to the KEK certificate
> +		(x509 .DER format containing an OU).  The size of the
> +		certificate must be less than or equal to 4095 bytes.
> +
> +
> +What:		/sys/class/firmware-attributes/*/authentication/SPM/sk
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	'sk' is a write-only file that can be used to configure the RSA
> +		public key that will be used by the BIOS to verify signatures
> +		when configuring BIOS settings and security features.  When
> +		written, the bytes should correspond to the modulus of the
> +		public key.  The exponent is assumed to be 0x10001.
> +
> +
> +What:		/sys/class/firmware-attributes/*/authentication/SPM/status
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	'status' is a read-only file that returns ASCII text reporting
> +		the status information.
> +
> +		  State:  Not Provisioned / Provisioned / Provisioning in progress
> +		  Version:  Major.   Minor
> +		  Feature Bit Mask: <16-bit unsigned number display in hex>
> +		  SPM Counter: <16-bit unsigned number display in base 10>
> +		  Signing Key Public Key Modulus (base64):
> +		  KEK Public Key Modulus (base64):
> +
> +
> +What:		/sys/class/firmware-attributes/*/authentication/SPM/statusbin
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	'statusbin' is a read-only file that returns identical status
> +		information reported by 'status' file in binary format.

The above is all fine.


The sure-admin thing needs to go away as already mentioned.

> +
> +
> +What:		/sys/class/firmware-attributes/*/attributes/Sure_Admin/settings
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	'settings' is a file associated with Sure Admin. BIOS settings can
> +		be read or written through the Sure Admin settings file in sysfs.
> +
> +		Expected data format to update BIOS setting
> +
> +		  [BIOS setting],[new value],[auth token]
> +
> +		Sample settings reported data
> +
> +		  {
> +			  "Class": "HPBIOS_BIOSEnumeration",
> +			  "Name": "USB Storage Boot",
> +			  "Path": "\\Advanced\\Boot Options",
> +			  "IsReadOnly": 0,
> +			  ...
> +			  "Value": "Enable",
> +			  "Size": 2,
> +			  "PossibleValues": [
> +				"Disable",
> +				"Enable"
> +				]
> +		  }
> +
> +
> +What:		/sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entry_count
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	audit_log_entry_count is a read-only file that returns the
> +		number of existing audit log events available to be read.
> +
> +		  [No of entries],[log entry size],[Max number of entries supported]
> +
> +
> +What:		/sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entries
> +Date:		March 29
> +KernelVersion:	5.18
> +Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
> +Description:	audit_log_entries is a read-only file that returns the events
> +		in the log.
> +
> +		Audit log entry format
> +
> +		  Byte 0-15:   Requested Audit Log entry  (Each Audit log is 16 bytes)
> +		  Byte 16-127: Unused


This audit_log info is duplicate with the documentation already added for this above,
please drop these entries.



> diff --git a/MAINTAINERS b/MAINTAINERS
> index 893c63e8beef..6cc9dd0c9ec2 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -9363,6 +9363,12 @@ S:	Obsolete
>  W:	http://w1.fi/hostap-driver.html
>  F:	drivers/net/wireless/intersil/hostap/
>  
> +HP BIOSCFG DRIVER
> +M:	Jorge Lopez <jorge.lopez2@hp.com>
> +S:	Maintained
> +L:      platform-driver-x86@vger.kernel.org
> +F:	drivers/platform/x86/hp/hp-bioscfg/
> +
>  HP COMPAQ TC1100 TABLET WMI EXTRAS DRIVER
>  L:	platform-driver-x86@vger.kernel.org
>  S:	Orphan
> diff --git a/drivers/platform/x86/hp/Kconfig b/drivers/platform/x86/hp/Kconfig
> index ae165955311c..7fef4f12e498 100644
> --- a/drivers/platform/x86/hp/Kconfig
> +++ b/drivers/platform/x86/hp/Kconfig
> @@ -60,4 +60,20 @@ config TC1100_WMI
>  	  This is a driver for the WMI extensions (wireless and bluetooth power
>  	  control) of the HP Compaq TC1100 tablet.
>  
> +config HP_BIOSCFG
> +	tristate "HP BIOS Configuration Driver"
> +	default m
> +	depends on ACPI_WMI
> +	select NLS
> +	select FW_ATTR_CLASS
> +	help
> +	  This driver enables administrators to securely manage BIOS settings
> +	  using digital certificates and public-key cryptography that eliminate
> +	  the need for passwords for both remote and local management. It supports
> +	  changing BIOS settings on many HP machines from 2018 and newer without
> +	  the use of any additional software.
> +
> +	  To compile this driver as a module, choose M here: the module will
> +	  be called hp-bioscfg.
> +
>  endif # X86_PLATFORM_DRIVERS_HP
> diff --git a/drivers/platform/x86/hp/Makefile b/drivers/platform/x86/hp/Makefile
> index db1eed4cd7c7..e4f908a61acf 100644
> --- a/drivers/platform/x86/hp/Makefile
> +++ b/drivers/platform/x86/hp/Makefile
> @@ -8,3 +8,4 @@
>  obj-$(CONFIG_HP_ACCEL)		+= hp_accel.o
>  obj-$(CONFIG_HP_WMI)		+= hp-wmi.o
>  obj-$(CONFIG_TC1100_WMI)	+= tc1100-wmi.o
> +obj-$(CONFIG_HP_BIOSCFG)	+= hp-bioscfg/
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/Makefile b/drivers/platform/x86/hp/hp-bioscfg/Makefile
> new file mode 100644
> index 000000000000..cc1a613f9223
> --- /dev/null
> +++ b/drivers/platform/x86/hp/hp-bioscfg/Makefile
> @@ -0,0 +1,19 @@
> +obj-$(CONFIG_HP_BIOSCFG) := hp-bioscfg.o
> +
> +hp-bioscfg-objs := bioscfg.o	\
> +	enum-attributes.o	\
> +	int-attributes.o	\
> +	string-attributes.o	\
> +	passwdobj-attributes.o	\
> +	biosattr-interface.o	\
> +	passwdattr-interface.o	\
> +	ordered-attributes.o	\
> +	surestart-attributes.o	\
> +	spmobj-attributes.o	\
> +	sureadmin-attributes.o

Everything below here:

> +
> +default:
> +	make -C /lib/modules/`uname -r`/build M=$(PWD) hp-bioscfg.ko
> +
> +clean:
> +	make -C /lib/modules/`uname -r`/build M=$(PWD) clean

Does not belong here, please drop it.

Regards,

Hans
Jorge Lopez Jan. 20, 2023, 9:58 p.m. UTC | #2 
Hi Hans,


>
> > +
> > +             "sure-admin"-type specific properties:
> > +
> > +             settings:
> > +                                     A file associated with Sure Admin. BIOS settings can
> > +                                     be read or written through the Sure Admin settings file in sysfs.
> > +
> > +                                     [BIOS setting],[new value],[auth token]
> > +
> > +                                     Sample settings reported data
> > +
> > +                                     {
> > +                                             "Class": "HPBIOS_BIOSEnumeration",
> > +                                             "Name": "USB Storage Boot",
> > +                                             "Path": "\\Advanced\\Boot Options",
> > +                                             "IsReadOnly": 0,
> > +                                             ...
> > +                                             "Value": "Enable",
> > +                                             "Size": 2,
> > +                                             "PossibleValues": [
> > +                                                     "Disable",
> > +                                                     "Enable"
> > +                                                     ]
> > +                                     }
> > +
> > +                                     This file can also be written to in order to update
> > +                                     the value sof a <attr> using a CMSL generated payload.
> > +                                     For example:
> > +
> > +                                     <attr>,[value],[CMSL generated payload]
>
>
> This is basically a run-around around the actual firmware attributes API,
> so NACK for this.
>
> Looking at how sure_admin_settings_write() encodes things I don't see any
> difference between how auth-tokens/CFML-payloads are handled vs regular passwords
> inside hp_set_attribute().

Yes. The handling of auth-tokens/CMSL-payloads vs regular passwords
are similar with the exception of their size.
auth-tokens/CMSL-payloads are in the size larger than 64 bytes while
passwords are limited to 64 bytes.
>
> Except for the BEAM_PREFIX thing, which can be added to calculate_security_buffer() /
> populate_security_buffer() too and in that case all 3 of the following should simply
> work, taking a boot-delay integer attribute as example:
>
> echo "password" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>
> echo "auth-token" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>
> cat csml-payload.file > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value

Last two cases cannot be handled by passing auth-token/CMSL payloads
values to the current password due to their possible sizes.
Passwords are limited to 64 bytes in size while
auth-tokens/CFML-payloads are in the size larger than 64 bytes
Here are examples of CMSL flow for your records.  Most of generated
payloads are stored remotely and signed by customer to ensure the data
integrity.   The full benefit of this process is better represented
when configuring Security settings in BIOS. (Sure Run, Sure Start,
Sure Recovery, etc)
.
1. Customer generates a signed CMSL payload to set BIOS "USB Storage
Boot" value to "Enable"

CMSL command:

New-HPSureAdminBIOSSettingValuePayload -Name "USB Storage Boot" -Value
"Enable" -SigningKeyFile sk.pfx -SigningKeyPassword test

Generated payload:

{"timestamp":"2022-09-26T16:01:22.7887948-05:00","purpose":"hp:sureadmin:biossetting","Data":[123,10,32,32,34,78,97,109,101,34,58,32,34,85,83,66,32,83,116,111,114,97,103,101,32,66,111,111,116,34,44,10,32,32,34,86,97,108,117,101,34,58,32,34,69,110,97,98,108,101,34,44,10,32,32,34,65,117,116,104,83,116,114,105,110,103,34,58,32,34,60,66,69,65,77,47,62,65,83,65,65,68,65,65,65,73,120,77,121,89,119,72,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,68,85,78,87,111,74,67,117,122,51,73,69,71,57,75,51,80,113,107,103,121,76,52,108,100,119,83,67,79,69,65,83,47,98,108,68,122,111,116,47,105,77,43,86,103,122,90,77,69,116,43,48,75,87,75,78,103,119,89,99,86,102,121,97,70,56,99,104,102,57,85,47,86,82,106,51,52,122,112,53,111,43,85,112,97,119,97,116,106,50,74,103,115,97,105,104,113,54,90,53,84,48,101,49,114,56,78,80,109,69,105,119,103,113,118,77,51,108,97,86,83,98,116,101,66,112,80,81,88,119,102,66,56,101,105,112,119,120,104,121,67,68,65,85,111,118,69,113,82,51,84,71,79,54,109,101,75,119,71,100,73,104,72,103,102,50,112,72,75,90,50,107,47,66,116,104,97,98,110,115,118,78,77,114,98,74,69,103,76,72,76,121,87,84,119,98,76,74,87,108,101,106,112,71,121,47,70,100,83,105,74,114,101,66,114,81,115,114,106,90,113,100,76,75,72,90,71,117,108,52,70,108,43,117,47,72,102,107,48,119,121,81,69,106,121,97,99,51,52,57,105,90,55,97,104,49,72,56,50,85,97,50,49,55,109,74,51,88,56,87,113,80,111,50,86,72,65,85,57,71,102,47,113,107,97,85,101,75,76,84,97,75,87,101,121,122,116,68,109,105,68,98,115,114,47,86,51,51,106,114,101,67,88,65,65,109,120,68,76,73,73,66,103,83,88,79,82,82,117,98,80,53,113,80,78,69,53,67,76,120,104,119,61,61,34,10,125],"Meta1":null,"Meta2":null,"Meta3":null,"Meta4":null}


The application reads the CMSL payload and sends the command to the
driver.  The payload is translated to  [BIOS setting], [Value],
[Password || auth-token]


echo "USB Storage
Boot,Enable,<BEAM/>ASAADAAANZ9AYwH/////////////////////64bPg7ygUv4xanoHIFrzME9mIsxeJh32fkhR7sgHpXdEHjetMXxNVhEK/twhhXhHS93kp9JpGhsr+J6AMKV2ldE99iJHo6ul1IxJQuBSxBoN1mf49Mm/ROCNll+IhsAn4ow+xlDwKQn2EzKtQc2Wf1eC646KPcl+ZCtiFhvLzXZrGSXsB2hJy0+IzegUPzLY6jaN0lYyQMtQ0KpcyGnK6xZSKCKfotygWawWY8BD3oewyrVLdKMGjrtX4HtHaeo5A9VVXVt89i7lZAmV3VkRtu70LEv240ue/SOhwrxGtydgNmtpV3dSn/ancnY4ONbTxBRiw8cifObEiNOidYzhpQ=="
> /sys/class/firmware-attributes/hp-bioscfg/attributes/Sure_Admin/settings'

As you can see, the auth-token  "<BEAN/>.....==" portion varies in
size depending on the signing certificate size used.

A method that can be used to address your comments and allow the
driver to handle both auth-tokens and password using command

       echo "auth-token" >
/sys/class/firmware-attributes/hp-bioscfg/"Setup
Password"/current_password

is adding an modifier to indicate if the input is a password or auth-token

For instance...  using [Token] modifier to identify the data is an
authentication token

     echo "[token] auth-token" >
/sys/class/firmware-attributes/hp-bioscfg/"Setup
Password"/current_password

If the modifier is missing, the driver will treat the data as a password.

This new method will conform with the firmware class framework and
provide the flexibility needed for HP solution.

Please advise.

>
> The only reason why this would not work is if things may get bigger then the size of a single
> memory page (bigger then 4096 bytes).
>
> But in that case you should just change the code implementing current_password to
> use the bin_attribute interface and replace the static buffer for storing it
> with a pointer to kmalloc-ed memory, which is NULL when the password is not set.
>
> This will also remove a lot of finicky parsing which is currently done inside
> sure_admin_settings_write()
>
> ###
>
> As for the reading which returns a large large list of data blocks like this:
>
>                                         {
>                                                 "Class": "HPBIOS_BIOSEnumeration",
>                                                 "Name": "USB Storage Boot",
>                                                 "Path": "\\Advanced\\Boot Options",
>                                                 "IsReadOnly": 0,
>                                                 ...
>                                                 "Value": "Enable",
>                                                 "Size": 2,
>                                                 "PossibleValues": [
>                                                         "Disable",
>                                                         "Enable"
>                                                         ]
>                                         }
>
> This sort of thing really does not belong in the kernel.

I concur with your statement and behavior will be removed from driver code.
Jorge Lopez Jan. 23, 2023, 4:12 p.m. UTC | #3 
Hi Mark,

On Fri, Jan 20, 2023 at 10:07 PM Mark Pearson <mpearson@squebb.ca> wrote:
>
> Hi Jorge,
>
> On Fri, Jan 20, 2023, at 4:58 PM, Jorge Lopez wrote:
>
> Hi Hans,
>
> <snip>
>
>
> Yes. The handling of auth-tokens/CMSL-payloads vs regular passwords
> are similar with the exception of their size.
> auth-tokens/CMSL-payloads are in the size larger than 64 bytes while
> passwords are limited to 64 bytes.
> >
> > Except for the BEAM_PREFIX thing, which can be added to calculate_security_buffer() /
> > populate_security_buffer() too and in that case all 3 of the following should simply
> > work, taking a boot-delay integer attribute as example:
> >
> > echo "password" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> > echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
> >
> > echo "auth-token" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> > echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
> >
> > cat csml-payload.file > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> > echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>
> Last two cases cannot be handled by passing auth-token/CMSL payloads
> values to the current password due to their possible sizes.
> Passwords are limited to 64 bytes in size while
> auth-tokens/CFML-payloads are in the size larger than 64 bytes
> Here are examples of CMSL flow for your records.  Most of generated
> payloads are stored remotely and signed by customer to ensure the data
> integrity.   The full benefit of this process is better represented
> when configuring Security settings in BIOS. (Sure Run, Sure Start,
> Sure Recovery, etc)
> .
> 1. Customer generates a signed CMSL payload to set BIOS "USB Storage
> Boot" value to "Enable"
>
> CMSL command:
>
> New-HPSureAdminBIOSSettingValuePayload -Name "USB Storage Boot" -Value
> "Enable" -SigningKeyFile sk.pfx -SigningKeyPassword test
>
> Generated payload:
>
> {"timestamp":"2022-09-26T16:01:22.7887948-05:00","purpose":"hp:sureadmin:biossetting","Data":[123,10,32,32,34,78,97,109,101,34,58,32,34,85,83,66,32,83,116,111,114,97,103,101,32,66,111,111,116,34,44,10,32,32,34,86,97,108,117,101,34,58,32,34,69,110,97,98,108,101,34,44,10,32,32,34,65,117,116,104,83,116,114,105,110,103,34,58,32,34,60,66,69,65,77,47,62,65,83,65,65,68,65,65,65,73,120,77,121,89,119,72,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,68,85,78,87,111,74,67,117,122,51,73,69,71,57,75,51,80,113,107,103,121,76,52,108,100,119,83,67,79,69,65,83,47,98,108,68,122,111,116,47,105,77,43,86,103,122,90,77,69,116,43,48,75,87,75,78,103,119,89,99,86,102,121,97,70,56,99,104,102,57,85,47,86,82,106,51,52,122,112,53,111,43,85,112,97,119,97,116,106,50,74,103,115,97,105,104,113,54,90,53,84,48,101,49,114,56,78,80,109,69,105,119,103,113,118,77,51,108,97,86,83,98,116,101,66,112,80,81,88,119,102,66,56,101,105,112,119,120,104,121,67,68,65,85,111,118,69,113,82,51,84,71,79,54,109,101,75,119,71,100,73,104,72,103,102,50,112,72,75,90,50,107,47,66,116,104,97,98,110,115,118,78,77,114,98,74,69,103,76,72,76,121,87,84,119,98,76,74,87,108,101,106,112,71,121,47,70,100,83,105,74,114,101,66,114,81,115,114,106,90,113,100,76,75,72,90,71,117,108,52,70,108,43,117,47,72,102,107,48,119,121,81,69,106,121,97,99,51,52,57,105,90,55,97,104,49,72,56,50,85,97,50,49,55,109,74,51,88,56,87,113,80,111,50,86,72,65,85,57,71,102,47,113,107,97,85,101,75,76,84,97,75,87,101,121,122,116,68,109,105,68,98,115,114,47,86,51,51,106,114,101,67,88,65,65,109,120,68,76,73,73,66,103,83,88,79,82,82,117,98,80,53,113,80,78,69,53,67,76,120,104,119,61,61,34,10,125],"Meta1":null,"Meta2":null,"Meta3":null,"Meta4":null}
>
>
> The application reads the CMSL payload and sends the command to the
> driver.  The payload is translated to  [BIOS setting], [Value],
> [Password || auth-token]
>
>
> echo "USB Storage
> Boot,Enable,<BEAM/>ASAADAAANZ9AYwH/////////////////////64bPg7ygUv4xanoHIFrzME9mIsxeJh32fkhR7sgHpXdEHjetMXxNVhEK/twhhXhHS93kp9JpGhsr+J6AMKV2ldE99iJHo6ul1IxJQuBSxBoN1mf49Mm/ROCNll+IhsAn4ow+xlDwKQn2EzKtQc2Wf1eC646KPcl+ZCtiFhvLzXZrGSXsB2hJy0+IzegUPzLY6jaN0lYyQMtQ0KpcyGnK6xZSKCKfotygWawWY8BD3oewyrVLdKMGjrtX4HtHaeo5A9VVXVt89i7lZAmV3VkRtu70LEv240ue/SOhwrxGtydgNmtpV3dSn/ancnY4ONbTxBRiw8cifObEiNOidYzhpQ=="
> > /sys/class/firmware-attributes/hp-bioscfg/attributes/Sure_Admin/settings'
>
> As you can see, the auth-token  "<BEAN/>.....==" portion varies in
> size depending on the signing certificate size used.
>
> A method that can be used to address your comments and allow the
> driver to handle both auth-tokens and password using command
>
>        echo "auth-token" >
> /sys/class/firmware-attributes/hp-bioscfg/"Setup
> Password"/current_password
>
> is adding an modifier to indicate if the input is a password or auth-token
>
> For instance...  using [Token] modifier to identify the data is an
> authentication token
>
>      echo "[token] auth-token" >
> /sys/class/firmware-attributes/hp-bioscfg/"Setup
> Password"/current_password
>
> If the modifier is missing, the driver will treat the data as a password.
>
> This new method will conform with the firmware class framework and
> provide the flexibility needed for HP solution.
>
> Please advise.
>
> I don't know if this is helpful or not as I've not read your code in any detail and was just being nosy whilst skimming the mailing list posts - but I did similar for the Lenovo platforms recently.
> In our case we added a 'signature' sysfs entry under authentication/Admin that is used for what is (I think) the equivalent of 'auth-token' when certificate based authentication is enabled. We didn't try to re-use the password entry.
>
> So if certificate authentication is enabled the user ends up doing:
>     echo "crypto-string" > authentication/Admin/signature
>     echo "value" > attribute/"setting"
> and if password authentication is enabled
>     echo "password" > authentication/Admin/password
>     echo "value" > attribute/"setting"
> and the thinklmi driver takes care of figuring out the rest to pass as WMI calls to the BIOS (for us this is done at init time and is only changed by a reboot). Note for completeness - we have a signature and a save_signature....for reasons of BIOS (sigh).
>
Thank you for your suggestion.   Separating 'password' and signature
is a better approach and easier to implement since most of the
supporting code is already implemented.

> I'd also suggest that anything password/authentication related should go under the authentication directory to be consistent. This is what is in the sysfs-class-firmware-attributes document :)
>
Yes.  SPM (auth-token), 'Setup Password' (admin), and 'Power On
password' are listed under 'authentication' directory
> Mark
Hans de Goede Jan. 23, 2023, 5:18 p.m. UTC | #4 
Hi,

On 1/23/23 17:12, Jorge Lopez wrote:
> Hi Mark,
> 
> On Fri, Jan 20, 2023 at 10:07 PM Mark Pearson <mpearson@squebb.ca> wrote:
>>
>> Hi Jorge,
>>
>> On Fri, Jan 20, 2023, at 4:58 PM, Jorge Lopez wrote:
>>
>> Hi Hans,
>>
>> <snip>
>>
>>
>> Yes. The handling of auth-tokens/CMSL-payloads vs regular passwords
>> are similar with the exception of their size.
>> auth-tokens/CMSL-payloads are in the size larger than 64 bytes while
>> passwords are limited to 64 bytes.
>>>
>>> Except for the BEAM_PREFIX thing, which can be added to calculate_security_buffer() /
>>> populate_security_buffer() too and in that case all 3 of the following should simply
>>> work, taking a boot-delay integer attribute as example:
>>>
>>> echo "password" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
>>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>>>
>>> echo "auth-token" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
>>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>>>
>>> cat csml-payload.file > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
>>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
>>
>> Last two cases cannot be handled by passing auth-token/CMSL payloads
>> values to the current password due to their possible sizes.
>> Passwords are limited to 64 bytes in size while
>> auth-tokens/CFML-payloads are in the size larger than 64 bytes
>> Here are examples of CMSL flow for your records.  Most of generated
>> payloads are stored remotely and signed by customer to ensure the data
>> integrity.   The full benefit of this process is better represented
>> when configuring Security settings in BIOS. (Sure Run, Sure Start,
>> Sure Recovery, etc)
>> .
>> 1. Customer generates a signed CMSL payload to set BIOS "USB Storage
>> Boot" value to "Enable"
>>
>> CMSL command:
>>
>> New-HPSureAdminBIOSSettingValuePayload -Name "USB Storage Boot" -Value
>> "Enable" -SigningKeyFile sk.pfx -SigningKeyPassword test
>>
>> Generated payload:
>>
>> {"timestamp":"2022-09-26T16:01:22.7887948-05:00","purpose":"hp:sureadmin:biossetting","Data":[123,10,32,32,34,78,97,109,101,34,58,32,34,85,83,66,32,83,116,111,114,97,103,101,32,66,111,111,116,34,44,10,32,32,34,86,97,108,117,101,34,58,32,34,69,110,97,98,108,101,34,44,10,32,32,34,65,117,116,104,83,116,114,105,110,103,34,58,32,34,60,66,69,65,77,47,62,65,83,65,65,68,65,65,65,73,120,77,121,89,119,72,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,68,85,78,87,111,74,67,117,122,51,73,69,71,57,75,51,80,113,107,103,121,76,52,108,100,119,83,67,79,69,65,83,47,98,108,68,122,111,116,47,105,77,43,86,103,122,90,77,69,116,43,48,75,87,75,78,103,119,89,99,86,102,121,97,70,56,99,104,102,57,85,47,86,82,106,51,52,122,112,53,111,43,85,112,97,119,97,116,106,50,74,103,115,97,105,104,113,54,90,53,84,48,101,49,114,56,78,80,109,69,105,119,103,113,118,77,51,108,97,86,83,98,116,101,66,112,80,81,88,119,102,66,56,101,105,112,119,120,104,121,67,68,65,85,111,118,69,113,82,51,84,71,79,54,109,101,75,119,71,100,73,104,72,103,102,50,112,72,75,90,50,107,47,66,116,104,97,98,110,115,118,78,77,114,98,74,69,103,76,72,76,121,87,84,119,98,76,74,87,108,101,106,112,71,121,47,70,100,83,105,74,114,101,66,114,81,115,114,106,90,113,100,76,75,72,90,71,117,108,52,70,108,43,117,47,72,102,107,48,119,121,81,69,106,121,97,99,51,52,57,105,90,55,97,104,49,72,56,50,85,97,50,49,55,109,74,51,88,56,87,113,80,111,50,86,72,65,85,57,71,102,47,113,107,97,85,101,75,76,84,97,75,87,101,121,122,116,68,109,105,68,98,115,114,47,86,51,51,106,114,101,67,88,65,65,109,120,68,76,73,73,66,103,83,88,79,82,82,117,98,80,53,113,80,78,69,53,67,76,120,104,119,61,61,34,10,125],"Meta1":null,"Meta2":null,"Meta3":null,"Meta4":null}
>>
>>
>> The application reads the CMSL payload and sends the command to the
>> driver.  The payload is translated to  [BIOS setting], [Value],
>> [Password || auth-token]
>>
>>
>> echo "USB Storage
>> Boot,Enable,<BEAM/>ASAADAAANZ9AYwH/////////////////////64bPg7ygUv4xanoHIFrzME9mIsxeJh32fkhR7sgHpXdEHjetMXxNVhEK/twhhXhHS93kp9JpGhsr+J6AMKV2ldE99iJHo6ul1IxJQuBSxBoN1mf49Mm/ROCNll+IhsAn4ow+xlDwKQn2EzKtQc2Wf1eC646KPcl+ZCtiFhvLzXZrGSXsB2hJy0+IzegUPzLY6jaN0lYyQMtQ0KpcyGnK6xZSKCKfotygWawWY8BD3oewyrVLdKMGjrtX4HtHaeo5A9VVXVt89i7lZAmV3VkRtu70LEv240ue/SOhwrxGtydgNmtpV3dSn/ancnY4ONbTxBRiw8cifObEiNOidYzhpQ=="
>>> /sys/class/firmware-attributes/hp-bioscfg/attributes/Sure_Admin/settings'
>>
>> As you can see, the auth-token  "<BEAN/>.....==" portion varies in
>> size depending on the signing certificate size used.
>>
>> A method that can be used to address your comments and allow the
>> driver to handle both auth-tokens and password using command
>>
>>        echo "auth-token" >
>> /sys/class/firmware-attributes/hp-bioscfg/"Setup
>> Password"/current_password
>>
>> is adding an modifier to indicate if the input is a password or auth-token
>>
>> For instance...  using [Token] modifier to identify the data is an
>> authentication token
>>
>>      echo "[token] auth-token" >
>> /sys/class/firmware-attributes/hp-bioscfg/"Setup
>> Password"/current_password
>>
>> If the modifier is missing, the driver will treat the data as a password.
>>
>> This new method will conform with the firmware class framework and
>> provide the flexibility needed for HP solution.
>>
>> Please advise.
>>
>> I don't know if this is helpful or not as I've not read your code in any detail and was just being nosy whilst skimming the mailing list posts - but I did similar for the Lenovo platforms recently.
>> In our case we added a 'signature' sysfs entry under authentication/Admin that is used for what is (I think) the equivalent of 'auth-token' when certificate based authentication is enabled. We didn't try to re-use the password entry.
>>
>> So if certificate authentication is enabled the user ends up doing:
>>     echo "crypto-string" > authentication/Admin/signature
>>     echo "value" > attribute/"setting"
>> and if password authentication is enabled
>>     echo "password" > authentication/Admin/password
>>     echo "value" > attribute/"setting"
>> and the thinklmi driver takes care of figuring out the rest to pass as WMI calls to the BIOS (for us this is done at init time and is only changed by a reboot). Note for completeness - we have a signature and a save_signature....for reasons of BIOS (sigh).
>>
> Thank you for your suggestion.   Separating 'password' and signature
> is a better approach and easier to implement since most of the
> supporting code is already implemented.

Ok, using a separate signature file under authentication/Admin/signature
(or something similar) for this is fine with me.

Regards,

Hans
Jorge Lopez Jan. 30, 2023, 4:55 p.m. UTC | #5 
Great, thanks!

On Mon, Jan 23, 2023 at 11:18 AM Hans de Goede <hdegoede@redhat.com> wrote:
>
> Hi,
>
> On 1/23/23 17:12, Jorge Lopez wrote:
> > Hi Mark,
> >
> > On Fri, Jan 20, 2023 at 10:07 PM Mark Pearson <mpearson@squebb.ca> wrote:
> >>
> >> Hi Jorge,
> >>
> >> On Fri, Jan 20, 2023, at 4:58 PM, Jorge Lopez wrote:
> >>
> >> Hi Hans,
> >>
> >> <snip>
> >>
> >>
> >> Yes. The handling of auth-tokens/CMSL-payloads vs regular passwords
> >> are similar with the exception of their size.
> >> auth-tokens/CMSL-payloads are in the size larger than 64 bytes while
> >> passwords are limited to 64 bytes.
> >>>
> >>> Except for the BEAM_PREFIX thing, which can be added to calculate_security_buffer() /
> >>> populate_security_buffer() too and in that case all 3 of the following should simply
> >>> work, taking a boot-delay integer attribute as example:
> >>>
> >>> echo "password" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> >>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
> >>>
> >>> echo "auth-token" > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> >>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
> >>>
> >>> cat csml-payload.file > /sys/class/firmware-attributes/hp-bioscfg/"Setup Password"/current_password
> >>> echo 5 > /sys/class/firmware-attributes/hp-bioscfg/attributes/boot-delay/current_value
> >>
> >> Last two cases cannot be handled by passing auth-token/CMSL payloads
> >> values to the current password due to their possible sizes.
> >> Passwords are limited to 64 bytes in size while
> >> auth-tokens/CFML-payloads are in the size larger than 64 bytes
> >> Here are examples of CMSL flow for your records.  Most of generated
> >> payloads are stored remotely and signed by customer to ensure the data
> >> integrity.   The full benefit of this process is better represented
> >> when configuring Security settings in BIOS. (Sure Run, Sure Start,
> >> Sure Recovery, etc)
> >> .
> >> 1. Customer generates a signed CMSL payload to set BIOS "USB Storage
> >> Boot" value to "Enable"
> >>
> >> CMSL command:
> >>
> >> New-HPSureAdminBIOSSettingValuePayload -Name "USB Storage Boot" -Value
> >> "Enable" -SigningKeyFile sk.pfx -SigningKeyPassword test
> >>
> >> Generated payload:
> >>
> >> {"timestamp":"2022-09-26T16:01:22.7887948-05:00","purpose":"hp:sureadmin:biossetting","Data":[123,10,32,32,34,78,97,109,101,34,58,32,34,85,83,66,32,83,116,111,114,97,103,101,32,66,111,111,116,34,44,10,32,32,34,86,97,108,117,101,34,58,32,34,69,110,97,98,108,101,34,44,10,32,32,34,65,117,116,104,83,116,114,105,110,103,34,58,32,34,60,66,69,65,77,47,62,65,83,65,65,68,65,65,65,73,120,77,121,89,119,72,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,47,68,85,78,87,111,74,67,117,122,51,73,69,71,57,75,51,80,113,107,103,121,76,52,108,100,119,83,67,79,69,65,83,47,98,108,68,122,111,116,47,105,77,43,86,103,122,90,77,69,116,43,48,75,87,75,78,103,119,89,99,86,102,121,97,70,56,99,104,102,57,85,47,86,82,106,51,52,122,112,53,111,43,85,112,97,119,97,116,106,50,74,103,115,97,105,104,113,54,90,53,84,48,101,49,114,56,78,80,109,69,105,119,103,113,118,77,51,108,97,86,83,98,116,101,66,112,80,81,88,119,102,66,56,101,105,112,119,120,104,121,67,68,65,85,111,118,69,113,82,51,84,71,79,54,109,101,75,119,71,100,73,104,72,103,102,50,112,72,75,90,50,107,47,66,116,104,97,98,110,115,118,78,77,114,98,74,69,103,76,72,76,121,87,84,119,98,76,74,87,108,101,106,112,71,121,47,70,100,83,105,74,114,101,66,114,81,115,114,106,90,113,100,76,75,72,90,71,117,108,52,70,108,43,117,47,72,102,107,48,119,121,81,69,106,121,97,99,51,52,57,105,90,55,97,104,49,72,56,50,85,97,50,49,55,109,74,51,88,56,87,113,80,111,50,86,72,65,85,57,71,102,47,113,107,97,85,101,75,76,84,97,75,87,101,121,122,116,68,109,105,68,98,115,114,47,86,51,51,106,114,101,67,88,65,65,109,120,68,76,73,73,66,103,83,88,79,82,82,117,98,80,53,113,80,78,69,53,67,76,120,104,119,61,61,34,10,125],"Meta1":null,"Meta2":null,"Meta3":null,"Meta4":null}
> >>
> >>
> >> The application reads the CMSL payload and sends the command to the
> >> driver.  The payload is translated to  [BIOS setting], [Value],
> >> [Password || auth-token]
> >>
> >>
> >> echo "USB Storage
> >> Boot,Enable,<BEAM/>ASAADAAANZ9AYwH/////////////////////64bPg7ygUv4xanoHIFrzME9mIsxeJh32fkhR7sgHpXdEHjetMXxNVhEK/twhhXhHS93kp9JpGhsr+J6AMKV2ldE99iJHo6ul1IxJQuBSxBoN1mf49Mm/ROCNll+IhsAn4ow+xlDwKQn2EzKtQc2Wf1eC646KPcl+ZCtiFhvLzXZrGSXsB2hJy0+IzegUPzLY6jaN0lYyQMtQ0KpcyGnK6xZSKCKfotygWawWY8BD3oewyrVLdKMGjrtX4HtHaeo5A9VVXVt89i7lZAmV3VkRtu70LEv240ue/SOhwrxGtydgNmtpV3dSn/ancnY4ONbTxBRiw8cifObEiNOidYzhpQ=="
> >>> /sys/class/firmware-attributes/hp-bioscfg/attributes/Sure_Admin/settings'
> >>
> >> As you can see, the auth-token  "<BEAN/>.....==" portion varies in
> >> size depending on the signing certificate size used.
> >>
> >> A method that can be used to address your comments and allow the
> >> driver to handle both auth-tokens and password using command
> >>
> >>        echo "auth-token" >
> >> /sys/class/firmware-attributes/hp-bioscfg/"Setup
> >> Password"/current_password
> >>
> >> is adding an modifier to indicate if the input is a password or auth-token
> >>
> >> For instance...  using [Token] modifier to identify the data is an
> >> authentication token
> >>
> >>      echo "[token] auth-token" >
> >> /sys/class/firmware-attributes/hp-bioscfg/"Setup
> >> Password"/current_password
> >>
> >> If the modifier is missing, the driver will treat the data as a password.
> >>
> >> This new method will conform with the firmware class framework and
> >> provide the flexibility needed for HP solution.
> >>
> >> Please advise.
> >>
> >> I don't know if this is helpful or not as I've not read your code in any detail and was just being nosy whilst skimming the mailing list posts - but I did similar for the Lenovo platforms recently.
> >> In our case we added a 'signature' sysfs entry under authentication/Admin that is used for what is (I think) the equivalent of 'auth-token' when certificate based authentication is enabled. We didn't try to re-use the password entry.
> >>
> >> So if certificate authentication is enabled the user ends up doing:
> >>     echo "crypto-string" > authentication/Admin/signature
> >>     echo "value" > attribute/"setting"
> >> and if password authentication is enabled
> >>     echo "password" > authentication/Admin/password
> >>     echo "value" > attribute/"setting"
> >> and the thinklmi driver takes care of figuring out the rest to pass as WMI calls to the BIOS (for us this is done at init time and is only changed by a reboot). Note for completeness - we have a signature and a save_signature....for reasons of BIOS (sigh).
> >>
> > Thank you for your suggestion.   Separating 'password' and signature
> > is a better approach and easier to implement since most of the
> > supporting code is already implemented.
>
> Ok, using a separate signature file under authentication/Admin/signature
> (or something similar) for this is fine with me.
>
> Regards,
>
> Hans
>
>
>
diff mbox series

Patch

diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes
index 4cdba3477176..da8e06d9bb43 100644
--- a/Documentation/ABI/testing/sysfs-class-firmware-attributes
+++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes
@@ -22,6 +22,13 @@  Description:
 			- integer: a range of numerical values
 			- string
 
+		HP specific types
+		-----------------
+			- ordered-list - a set of ordered list valid values
+			- sure-admin
+			- sure-start
+
+
 		All attribute types support the following values:
 
 		current_value:
@@ -126,6 +133,67 @@  Description:
 					value will not be effective through sysfs until this rule is
 					met.
 
+		HP specific class extensions
+		------------------------------
+
+		On HP systems the following additional attributes are available:
+
+		"ordered-list"-type specific properties:
+
+		elements:
+					A file that can be read to obtain the possible
+					list of values of the <attr>. Values are separated using
+					semi-colon (``;``). The order individual elements are listed
+					according to their priority.  An Element listed first has the
+					hightest priority. Writing the list in a different order to
+					current_value alters the priority order for the particular
+					attribute.
+
+		"sure-admin"-type specific properties:
+
+		settings:
+					A file associated with Sure Admin. BIOS settings can
+					be read or written through the Sure Admin settings file in sysfs.
+
+					[BIOS setting],[new value],[auth token]
+
+					Sample settings reported data
+
+					{
+						"Class": "HPBIOS_BIOSEnumeration",
+						"Name": "USB Storage Boot",
+						"Path": "\\Advanced\\Boot Options",
+						"IsReadOnly": 0,
+						...
+						"Value": "Enable",
+						"Size": 2,
+						"PossibleValues": [
+							"Disable",
+							"Enable"
+							]
+					}
+
+					This file can also be written to in order to update
+					the value sof a <attr> using a CMSL generated payload.
+					For example:
+
+					<attr>,[value],[CMSL generated payload]
+
+		"sure-start"-type specific properties:
+
+		audit_log_entries:
+					A read-only file that returns the events in the log.
+
+					Audit log entry format
+
+					Byte 0-15:   Requested Audit Log entry  (Each Audit log is 16 bytes)
+					Byte 16-127: Unused
+
+		audit_log_entry_count:
+					A read-only file that returns the number of existing audit log events available to be read.
+
+					[No of entries],[log entry size],[Max number of entries supported]
+
 What:		/sys/class/firmware-attributes/*/authentication/
 Date:		February 2021
 KernelVersion:	5.11
@@ -206,7 +274,7 @@  Description:
 		Drivers may emit a CHANGE uevent when a password is set or unset
 		userspace may check it again.
 
-		On Dell and Lenovo systems, if Admin password is set, then all BIOS attributes
+		On Dell, Lenovo, and HP systems, if Admin password is set, then all BIOS attributes
 		require password validation.
 		On Lenovo systems if you change the Admin password the new password is not active until
 		the next boot.
@@ -296,6 +364,15 @@  Description:
 						echo "signature" > authentication/Admin/signature
 						echo "password" > authentication/Admin/certificate_to_password
 
+		HP specific class extensions
+		--------------------------------
+
+		On HP systems the following additional settings are available:
+
+		role: enhanced-bios-auth:
+					This role is specific to Secure Platform Management (SPM) attribute.
+					It requires configuring an endorsement (kek) and signing certificate (sk).
+
 
 What:		/sys/class/firmware-attributes/*/attributes/pending_reboot
 Date:		February 2021
@@ -311,7 +388,7 @@  Description:
 			==	=========================================
 			0	All BIOS attributes setting are current
 			1	A reboot is necessary to get pending BIOS
-			        attribute changes applied
+				attribute changes applied
 			==	=========================================
 
 		Note, userspace applications need to follow below steps for efficient
@@ -364,3 +441,103 @@  Description:
 		use it to enable extra debug attributes or BIOS features for testing purposes.
 
 		Note that any changes to this attribute requires a reboot for changes to take effect.
+
+
+		HP specific class extensions
+		--------------------------------
+
+What:		/sys/class/firmware-attributes/*/authentication/SPM/kek
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	'kek' is a write-only file that can be used to configure the
+		RSA public key that will be used by the BIOS to verify
+		signatures when setting the signing key.  When written,
+		the bytes should correspond to the KEK certificate
+		(x509 .DER format containing an OU).  The size of the
+		certificate must be less than or equal to 4095 bytes.
+
+
+What:		/sys/class/firmware-attributes/*/authentication/SPM/sk
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	'sk' is a write-only file that can be used to configure the RSA
+		public key that will be used by the BIOS to verify signatures
+		when configuring BIOS settings and security features.  When
+		written, the bytes should correspond to the modulus of the
+		public key.  The exponent is assumed to be 0x10001.
+
+
+What:		/sys/class/firmware-attributes/*/authentication/SPM/status
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	'status' is a read-only file that returns ASCII text reporting
+		the status information.
+
+		  State:  Not Provisioned / Provisioned / Provisioning in progress
+		  Version:  Major.   Minor
+		  Feature Bit Mask: <16-bit unsigned number display in hex>
+		  SPM Counter: <16-bit unsigned number display in base 10>
+		  Signing Key Public Key Modulus (base64):
+		  KEK Public Key Modulus (base64):
+
+
+What:		/sys/class/firmware-attributes/*/authentication/SPM/statusbin
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	'statusbin' is a read-only file that returns identical status
+		information reported by 'status' file in binary format.
+
+
+What:		/sys/class/firmware-attributes/*/attributes/Sure_Admin/settings
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	'settings' is a file associated with Sure Admin. BIOS settings can
+		be read or written through the Sure Admin settings file in sysfs.
+
+		Expected data format to update BIOS setting
+
+		  [BIOS setting],[new value],[auth token]
+
+		Sample settings reported data
+
+		  {
+			  "Class": "HPBIOS_BIOSEnumeration",
+			  "Name": "USB Storage Boot",
+			  "Path": "\\Advanced\\Boot Options",
+			  "IsReadOnly": 0,
+			  ...
+			  "Value": "Enable",
+			  "Size": 2,
+			  "PossibleValues": [
+				"Disable",
+				"Enable"
+				]
+		  }
+
+
+What:		/sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entry_count
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	audit_log_entry_count is a read-only file that returns the
+		number of existing audit log events available to be read.
+
+		  [No of entries],[log entry size],[Max number of entries supported]
+
+
+What:		/sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entries
+Date:		March 29
+KernelVersion:	5.18
+Contact:	"Jorge Lopez" <jorge.lopez2@hp.com>
+Description:	audit_log_entries is a read-only file that returns the events
+		in the log.
+
+		Audit log entry format
+
+		  Byte 0-15:   Requested Audit Log entry  (Each Audit log is 16 bytes)
+		  Byte 16-127: Unused
diff --git a/MAINTAINERS b/MAINTAINERS
index 893c63e8beef..6cc9dd0c9ec2 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -9363,6 +9363,12 @@  S:	Obsolete
 W:	http://w1.fi/hostap-driver.html
 F:	drivers/net/wireless/intersil/hostap/
 
+HP BIOSCFG DRIVER
+M:	Jorge Lopez <jorge.lopez2@hp.com>
+S:	Maintained
+L:      platform-driver-x86@vger.kernel.org
+F:	drivers/platform/x86/hp/hp-bioscfg/
+
 HP COMPAQ TC1100 TABLET WMI EXTRAS DRIVER
 L:	platform-driver-x86@vger.kernel.org
 S:	Orphan
diff --git a/drivers/platform/x86/hp/Kconfig b/drivers/platform/x86/hp/Kconfig
index ae165955311c..7fef4f12e498 100644
--- a/drivers/platform/x86/hp/Kconfig
+++ b/drivers/platform/x86/hp/Kconfig
@@ -60,4 +60,20 @@  config TC1100_WMI
 	  This is a driver for the WMI extensions (wireless and bluetooth power
 	  control) of the HP Compaq TC1100 tablet.
 
+config HP_BIOSCFG
+	tristate "HP BIOS Configuration Driver"
+	default m
+	depends on ACPI_WMI
+	select NLS
+	select FW_ATTR_CLASS
+	help
+	  This driver enables administrators to securely manage BIOS settings
+	  using digital certificates and public-key cryptography that eliminate
+	  the need for passwords for both remote and local management. It supports
+	  changing BIOS settings on many HP machines from 2018 and newer without
+	  the use of any additional software.
+
+	  To compile this driver as a module, choose M here: the module will
+	  be called hp-bioscfg.
+
 endif # X86_PLATFORM_DRIVERS_HP
diff --git a/drivers/platform/x86/hp/Makefile b/drivers/platform/x86/hp/Makefile
index db1eed4cd7c7..e4f908a61acf 100644
--- a/drivers/platform/x86/hp/Makefile
+++ b/drivers/platform/x86/hp/Makefile
@@ -8,3 +8,4 @@ 
 obj-$(CONFIG_HP_ACCEL)		+= hp_accel.o
 obj-$(CONFIG_HP_WMI)		+= hp-wmi.o
 obj-$(CONFIG_TC1100_WMI)	+= tc1100-wmi.o
+obj-$(CONFIG_HP_BIOSCFG)	+= hp-bioscfg/
diff --git a/drivers/platform/x86/hp/hp-bioscfg/Makefile b/drivers/platform/x86/hp/hp-bioscfg/Makefile
new file mode 100644
index 000000000000..cc1a613f9223
--- /dev/null
+++ b/drivers/platform/x86/hp/hp-bioscfg/Makefile
@@ -0,0 +1,19 @@ 
+obj-$(CONFIG_HP_BIOSCFG) := hp-bioscfg.o
+
+hp-bioscfg-objs := bioscfg.o	\
+	enum-attributes.o	\
+	int-attributes.o	\
+	string-attributes.o	\
+	passwdobj-attributes.o	\
+	biosattr-interface.o	\
+	passwdattr-interface.o	\
+	ordered-attributes.o	\
+	surestart-attributes.o	\
+	spmobj-attributes.o	\
+	sureadmin-attributes.o
+
+default:
+	make -C /lib/modules/`uname -r`/build M=$(PWD) hp-bioscfg.ko
+
+clean:
+	make -C /lib/modules/`uname -r`/build M=$(PWD) clean