Message ID | 20230412144821.5716-1-jorge.lopez2@hp.com (mailing list archive) |
---|---|
State | Changes Requested, archived |
Series | [v9] HP BIOSCFG driver - Documentation |
Hi Jorge,

On 2023-04-12 09:48:21-0500, Jorge Lopez wrote:
> [..]
>
> +What: /sys/class/firmware-attributes/*/authentication/SPM/statusbin
> +Date: March 29
> +KernelVersion: 5.18
> +Contact: "Jorge Lopez" <jorge.lopez2@hp.com>
> +Description: 'statusbin' is a read-only file that returns 'status' information
> + in binary format. This file provides a mechanism for components
> + downstream (e.g. Recovery Agent) can read the status and public
> + key modulus.

This is still missing docs about how to interpret the contents of the
"statusbin" file.

"components downstream" -> userspace.

I think we can start with the code review.

Could you also provide a sample of the attribute files?
I'm especially curious about the different instances of the sure-start
attributes, including current_value, possible_values and the auditlog
properties.

Also is the userspace component for this published somewhere?
If so it would be useful to refer to it from the commit message.

Thanks,
Thomas

Hi Thomas,

On Fri, Apr 14, 2023 at 10:27 AM <thomas@t-8ch.de> wrote:
>
> Hi Jorge,
>
> On 2023-04-12 09:48:21-0500, Jorge Lopez wrote:
> > [..]
> >
> > +What: /sys/class/firmware-attributes/*/authentication/SPM/statusbin
> > +Date: March 29
> > +KernelVersion: 5.18
> > +Contact: "Jorge Lopez" <jorge.lopez2@hp.com>
> > +Description: 'statusbin' is a read-only file that returns 'status' information
> > + in binary format. This file provides a mechanism for components
> > + downstream (e.g. Recovery Agent) can read the status and public
> > + key modulus.
>
> This is still missing docs about how to interpret the contents of the
> "statusbin" file.
>
> "components downstream" -> userspace.
>

I will provide the details in Version 10. Additionally, I am working
with the architect to understand the need for 'statusbin' in their
upcoming features.

>
> I think we can start with the code review.
>

I will send all files with Version 10. To aid in the review process,
I will keep all ..c in separate reviews. It is less confusing that
way since there is commonality between them

> Could you also provide a sample of the attribute files?
> I'm especially curious about the different instances of the sure-start
> attributes, including current_value, possible_values and the auditlog
> properties.
>

What type of sample are you looking for? I can provide you with a
tree display of all attributes and some output samples for different
attribute types.
I will include sure-start attributes, including current_value,
possible_values and the audit log properties. Please let me know if
there is anything else you want to see.

> Also is the userspace component for this published somewhere?
> If so it would be useful to refer to it from the commit message.

Linux components are under development and not published yet. The
only Linux component at this time is the driver (hp bioscfg).
The only published components are under Windows ONLY.

>
> Thanks,
> Thomas

On 2023-04-14 15:00:02-0500, Jorge Lopez wrote:
> On Fri, Apr 14, 2023 at 10:27 AM <thomas@t-8ch.de> wrote:
> > On 2023-04-12 09:48:21-0500, Jorge Lopez wrote:
> > > [..]
> > >
> > > +What: /sys/class/firmware-attributes/*/authentication/SPM/statusbin
> > > +Date: March 29
> > > +KernelVersion: 5.18
> > > +Contact: "Jorge Lopez" <jorge.lopez2@hp.com>
> > > +Description: 'statusbin' is a read-only file that returns 'status' information
> > > + in binary format. This file provides a mechanism for components
> > > + downstream (e.g. Recovery Agent) can read the status and public
> > > + key modulus.
> >
> > This is still missing docs about how to interpret the contents of the
> > "statusbin" file.
> >
> > "components downstream" -> userspace.
> >
>
> I will provide the details in Version 10. Additionally, I am working
> with the architect to understand the need for 'statusbin' in their
> upcoming features.

If the userspace component is not ready maybe this can be delayed for a
future patchset?
The basic features should already be useful with a generic client like
fwupd.
Doing it in steps should be faster both in development and wall time.

> > I think we can start with the code review.
> >
>
> I will send all files with Version 10. To aid in the review process,
> I will keep all ..c in separate reviews. It is less confusing that
> way since there is commonality between them
>
> > Could you also provide a sample of the attribute files?
> > I'm especially curious about the different instances of the sure-start
> > attributes, including current_value, possible_values and the auditlog
> > properties.
> >
>
> What type of sample are you looking for? I can provide you with a
> tree display of all attributes and some output samples for different
> attribute types.

That sounds great.

> I will include sure-start attributes, including current_value,
> possible_values and the audit log properties. Please let me know if
> there is anything else you want to see.

I want to get a feeling for the exposed bios settings and how the
sure-start stuff works.

> > Also is the userspace component for this published somewhere?
> > If so it would be useful to refer to it from the commit message.
>
> Linux components are under development and not published yet. The
> only Linux component at this time is the driver (hp bioscfg).
> The only published components are under Windows ONLY.

Maybe mention this in the commit message.

Also it would be useful to test the new driver with fwupd which is the
existing userspace user of this ABI.
Just to make sure that nothing is obviously broken there.
(And mention this in the commit message)

Thomas

Hi Thomas,

On Fri, Apr 14, 2023 at 3:36 PM Thomas Weißschuh <thomas@t-8ch.de> wrote:
>
> On 2023-04-14 15:00:02-0500, Jorge Lopez wrote:
> > On Fri, Apr 14, 2023 at 10:27 AM <thomas@t-8ch.de> wrote:
> > > On 2023-04-12 09:48:21-0500, Jorge Lopez wrote:
> > > > [..]
> > > >
> > > > +What: /sys/class/firmware-attributes/*/authentication/SPM/statusbin
> > > > +Date: March 29
> > > > +KernelVersion: 5.18
> > > > +Contact: "Jorge Lopez" <jorge.lopez2@hp.com>
> > > > +Description: 'statusbin' is a read-only file that returns 'status' information
> > > > + in binary format. This file provides a mechanism for components
> > > > + downstream (e.g. Recovery Agent) can read the status and public
> > > > + key modulus.
> > >
> > > This is still missing docs about how to interpret the contents of the
> > > "statusbin" file.
> > >
> > > "components downstream" -> userspace.
> > >
> >
> > I will provide the details in Version 10. Additionally, I am working
> > with the architect to understand the need for 'statusbin' in their
> > upcoming features.

Statusbin is one attribute we can drop but will require changes to how
'status' data is reported (JSON format).

>
> If the userspace component is not ready maybe this can be delayed for a
> future patchset?
> The basic features should already be useful with a generic client like
> fwupd.
> Doing it in steps should be faster both in development and wall time.

The interaction with fwupd and support is a goal for future patches
for hp-bioscfg. Initially, we want to establish the proper and basic
framework to enable the security and BIOS configuration features by
leveraging firmware-attributes framework.
No testing with fwupd tool has taken place since hp-bioscfg is not
associated with a specific device.

>
> > > I think we can start with the code review.
> > >
> >
> > I will send all files with Version 10. To aid in the review process,
> > I will keep all ..c in separate reviews. It is less confusing that
> > way since there is commonality between them
> >
> > > Could you also provide a sample of the attribute files?
> > > I'm especially curious about the different instances of the sure-start
> > > attributes, including current_value, possible_values and the auditlog
> > > properties.
> > >
> >
> > What type of sample are you looking for? I can provide you with a
> > tree display of all attributes and some output samples for different
> > attribute types.
>
> That sounds great.

Attached is a copy of three files for your review.

tree-view.log -- tree view of all attributes/authentication files
reported by hp-bioscfg
authentication.log -- List of all authentication attributes and
corresponding file output. The data includes SPM (statusbin, status)
attributes-sample.log -- Reduced list of attributes including a sample
output for each attribute type. (string, enumeration, ordered-list,
integer, Sure_Start, pending_reboot)

Sure_Start includes the output captured for audit_log_entries and
audit_log_entry_count.

In addition, I captured the hex output for statusbin and
audit_log_entries if you are interested to go over them.
Binary-dump-statusbin-auditlog.log

>
> > I will include sure-start attributes, including current_value,
> > possible_values and the audit log properties. Please let me know if
> > there is anything else you want to see.
>
> I want to get a feeling for the exposed bios settings and how the
> sure-start stuff works.
>
> > > Also is the userspace component for this published somewhere?
> > > If so it would be useful to refer to it from the commit message.
> >
> > Linux components are under development and not published yet. The
> > only Linux component at this time is the driver (hp bioscfg).
> > The only published components are under Windows ONLY.
>
> Maybe mention this in the commit message.

The text will be added as part of the commit message.

>
> Also it would be useful to test the new driver with fwupd which is the
> existing userspace user of this ABI.
> Just to make sure that nothing is obviously broken there.
> (And mention this in the commit message)
>
> Thomas

diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes index 4cdba3477176..d9bfef9f2f2b 100644 --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes @@ -22,6 +22,12 @@ Description: - integer: a range of numerical values - string + HP specific types + ----------------- + - ordered-list - a set of ordered list valid values + - sure-start - report audit logs read from BIOS + + All attribute types support the following values: current_value: 
@@ -126,6 +132,44 @@ Description: value will not be effective through sysfs until this rule is met. + HP specific class extensions + ------------------------------ + + On HP systems the following additional attributes are available: + + "ordered-list"-type specific properties: + + elements: + A file that can be read to obtain the possible + list of values of the <attr>. Values are separated using + semi-colon (``;``). The order individual elements are listed + according to their priority. An Element listed first has the + highest priority. Writing the list in a different order to + current_value alters the priority order for the particular + attribute. + + "sure-start"-type specific properties: + + audit_log_entries: + A read-only file that returns the events in the log. + Values are separated using semi-colon (``;``) + + Audit log entry format + + Byte 0-15: Requested Audit Log entry (Each Audit log is 16 bytes) + Byte 16-127: Unused + + audit_log_entry_count: + A read-only file that returns the number of existing audit log events available to be read. + Values are separated using comma (``,``) + + [No of entries],[log entry size],[Max number of entries supported] + + log entry size identifies audit log size for the current BIOS version. + The current size is 16 bytes but it can be to up to 128 bytes long + in future BIOS versions. + + What: /sys/class/firmware-attributes/*/authentication/ Date: February 2021 KernelVersion: 5.11 @@ -206,7 +250,7 @@ Description: Drivers may emit a CHANGE uevent when a password is set or unset userspace may check it again. - On Dell and Lenovo systems, if Admin password is set, then all BIOS attributes + On Dell, Lenovo and HP systems, if Admin password is set, then all BIOS attributes require password validation. On Lenovo systems if you change the Admin password the new password is not active until the next boot. 
@@ -296,6 +340,15 @@ Description: echo "signature" > authentication/Admin/signature echo "password" > authentication/Admin/certificate_to_password + HP specific class extensions + -------------------------------- + + On HP systems the following additional settings are available: + + role: enhanced-bios-auth: + This role is specific to Secure Platform Management (SPM) attribute. + It requires configuring an endorsement (kek) and signing certificate (sk). + What: /sys/class/firmware-attributes/*/attributes/pending_reboot Date: February 2021 @@ -311,7 +364,7 @@ Description: == ========================================= 0 All BIOS attributes setting are current 1 A reboot is necessary to get pending BIOS - attribute changes applied + attribute changes applied == ========================================= Note, userspace applications need to follow below steps for efficient 
@@ -364,3 +417,54 @@ Description: use it to enable extra debug attributes or BIOS features for testing purposes. Note that any changes to this attribute requires a reboot for changes to take effect. + + + HP specific class extensions - Secure Platform Manager (SPM) + -------------------------------- + +What: /sys/class/firmware-attributes/*/authentication/SPM/kek +Date: March 29 +KernelVersion: 5.18 +Contact: "Jorge Lopez" <jorge.lopez2@hp.com> +Description: 'kek' Key-Encryption-Key is a write-only file that can be used to configure the + RSA public key that will be used by the BIOS to verify + signatures when setting the signing key. When written, + the bytes should correspond to the KEK certificate + (x509 .DER format containing an OU). The size of the + certificate must be less than or equal to 4095 bytes. + + +What: /sys/class/firmware-attributes/*/authentication/SPM/sk +Date: March 29 +KernelVersion: 5.18 +Contact: "Jorge Lopez" <jorge.lopez2@hp.com> +Description: 'sk' Signature Key is a write-only file that can be used to configure the RSA + public key that will be used by the BIOS to verify signatures + when configuring BIOS settings and security features. When + written, the bytes should correspond to the modulus of the + public key. The exponent is assumed to be 0x10001. + + +What: /sys/class/firmware-attributes/*/authentication/SPM/status +Date: March 29 +KernelVersion: 5.18 +Contact: "Jorge Lopez" <jorge.lopez2@hp.com> +Description: 'status' is a read-only file that returns ASCII text reporting + the status information. + + State: Not Provisioned / Provisioned / Provisioning in progress + Version: Major. 
Minor + Feature Bit Mask: <16-bit unsigned number display in hex> + SPM Counter: <16-bit unsigned number display in base 10> + Signing Key Public Key Modulus (base64): <256 bytes in base64> + KEK Public Key Modulus (base64): <256 bytes in base64> + + +What: /sys/class/firmware-attributes/*/authentication/SPM/statusbin +Date: March 29 +KernelVersion: 5.18 +Contact: "Jorge Lopez" <jorge.lopez2@hp.com> +Description: 'statusbin' is a read-only file that returns 'status' information + in binary format. This file provides a mechanism for components + downstream (e.g. Recovery Agent) can read the status and public + key modulus.
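
Review bot: In the first hunk (@@ -22,6 +22,12 @@) the description "ordered-list - a set of ordered list valid values" is circular and does not say what the ordering means; the "elements" text added later says the order expresses priority, so say that here. The two new entries also use " - " between name and description where the existing entries in this list use "name: description" (see "- integer: a range of numerical values"), and the hunk ends with two added blank lines where one is enough.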
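
Review bot: In the hunk at @@ -126,6 +132,44 @@, audit_log_entries is documented in two incompatible ways: "Values are separated using semi-colon" implies text output, while "Byte 0-15: Requested Audit Log entry" and "Byte 16-127: Unused" describe a fixed binary buffer. State which of the two userspace actually reads, how multiple entries are laid out, and what the fields inside one 16-byte entry mean. Since the text says the entry size may grow to 128 bytes, also say that readers must take the size from audit_log_entry_count instead of assuming 16. Smaller points: "it can be to up to 128 bytes" has a stray "to", and "The order individual elements are listed according to their priority" is missing a word.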
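
Review bot: In the hunk at @@ -296,6 +340,15 @@, "signing certificate (sk)" does not match the SPM/sk entry added at the end of this patch, which says the bytes written are the modulus of the public key; only kek is described there as an x509 DER certificate. Use the same terms in both places, and point from this role description to authentication/SPM/kek and authentication/SPM/sk so the reader knows where the keys are written. This hunk also says "Secure Platform Management" while the heading in the last hunk says "Secure Platform Manager"; pick one.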
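
Review bot: Unrelated whitespace change in the hunk at @@ -311,7 +364,7 @@: the removed and added "attribute changes applied" lines read the same and sit in the generic pending_reboot table, not in anything HP specific. Drop it from this patch or send it as a separate cleanup.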
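
Review bot: In the last hunk (@@ -364,3 +417,54 @@) the 'sk' entry accepts a raw public key modulus but states no required length or byte order, while the 'status' entry reports both moduli as 256 bytes; state the expected size in 'sk' the way 'kek' states its 4095-byte limit. 'statusbin' still has no description of its binary layout, which userspace needs before it can parse the file, and "components downstream (e.g. Recovery Agent) can read" does not parse as a sentence. The four entries also give "Date: March 29" with no year, unlike "February 2021" elsewhere in this file, and "KernelVersion: 5.18" should be checked against the release this driver is targeted at.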