From patchwork Mon Oct 21 19:38:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Pearson X-Patchwork-Id: 13844581 Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEEBF1CF7A6; Mon, 21 Oct 2024 19:38:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.150 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539528; cv=none; b=SKN1E0XY8hbl1q4H1LE/wQVijMVX6ujSh8a78ovIcQGTnNBNU9YrNiqUcTqK41Kr8yyvtmGupx6QUrt3leVWQ+L6vCa88NDhBaO/sxddQL38/UdH7ebQlZLEyEFaV/0owbgmpIgMO4Lxt1JZVThfSIwKGZtS1WkmN6V6tXTlzNI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539528; c=relaxed/simple; bh=54jwoouqgKE0bVqr3uFQHW/WkkHaCd/oyMvONoJ0cjU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Esgnmx8QUip6fMQ7pHdMKicQaSBQzQxVeXuNpfjFVaAJMCNXt8crAb8tvZd3KUUqTGUlUaeBjMzwAWHj96WoU9gAs1VSg65KrAHtkd3C1058fRD41Gq3GyyWmSeh4ixl8XJC+dmaA6sCBnfI//0pb412fTa2GoQ/S75KWSoTQqY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca; spf=pass smtp.mailfrom=squebb.ca; dkim=pass (2048-bit key) header.d=squebb.ca header.i=@squebb.ca header.b=B1suubmc; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=Z6zH1OIj; arc=none smtp.client-ip=103.168.172.150 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=squebb.ca Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=squebb.ca header.i=@squebb.ca header.b="B1suubmc"; dkim=pass (2048-bit key) 
header.d=messagingengine.com header.i=@messagingengine.com header.b="Z6zH1OIj" Received: from phl-compute-05.internal (phl-compute-05.phl.internal [10.202.2.45]) by mailfout.phl.internal (Postfix) with ESMTP id AA82813802EA; Mon, 21 Oct 2024 15:38:44 -0400 (EDT) Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-05.internal (MEProxy); Mon, 21 Oct 2024 15:38:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=squebb.ca; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm1; t=1729539524; x= 1729625924; bh=LE2Hk0JKN4Kf5sI0bnT9emdXdEal6XnN2BMhL9CtIWs=; b=B 1suubmcTwhSmTm8CJzrBvOAAUvImE8mUJG0Z3n28qkFDJmWrfqgHpcGRcbolhWYL H/jsOgPpkyrZOQJFsnG/kxxLVM4wB+ELsMpyHOGgjw0GXyou3KjZcwSdYI3CCNL3 t9hxZCfMUi98KfCGV1beM/OX1uwLfaJOqz11gME5ifvGPK4Z4TGo1Y2lqrRXi0jC WeodFYgV1Iq/H9ZigHoyU6i5PobZfqspAdjlQzrtP4+KSqa2jUwR0+AnATi0imT2 3U72sM5DoCK+PMjjIVwxcEwAnQJ70Oq3OQdS9te3w0BWvW7mrbTZgkYezMzDJj67 mRr33ZJcq+c1Yhx6Tr6Ug== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1729539524; x= 1729625924; bh=LE2Hk0JKN4Kf5sI0bnT9emdXdEal6XnN2BMhL9CtIWs=; b=Z 6zH1OIjfdDjS5OhpBHWkd7j7a2ydqf+kDjpwcHONPlvFOzZvIFU7QLp16OiUiT4u eey5suMIz86gSXHXfR/QBLcNxi+tYq/lwLtbno8gmD9vJIcdUKUTOWcSICGoOWuP kUoeWM8DZxUz+zT8Uc7G46WExukXHcaYn369iLZg9dyG15M38mnQ5zxmqZLgqaSI JDt0nakod5m1Wu+s56qjZ/hk33hWrPpiyNflYpV2fmw2D7N29p7sI/xBDcTDK2BG C5I2V9T9l65Q2EIaSLWLCGobhoENgwm5kon9SBl4cN2hoxDQPpVERzmiJRemL4Gb mVgeljUeVJxWZ2udAExzA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrvdehledgudegtdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdp 
uffrtefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecuogetfedtuddqtdduuc dludehmdenucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhm peforghrkhcurfgvrghrshhonhcuoehmphgvrghrshhonhdqlhgvnhhovhhosehsqhhuvg gssgdrtggrqeenucggtffrrghtthgvrhhnpeeftddvjeefleffvefhgfejjeehudetteei geeugfekhffhgeejudeuteehgfdvffenucevlhhushhtvghrufhiiigvpedtnecurfgrrh grmhepmhgrihhlfhhrohhmpehmphgvrghrshhonhdqlhgvnhhovhhosehsqhhuvggssgdr tggrpdhnsggprhgtphhtthhopeehpdhmohguvgepshhmthhpohhuthdprhgtphhtthhope hmphgvrghrshhonhdqlhgvnhhovhhosehsqhhuvggssgdrtggrpdhrtghpthhtohephhgu vghgohgvuggvsehrvgguhhgrthdrtghomhdprhgtphhtthhopehilhhpohdrjhgrrhhvih hnvghnsehlihhnuhigrdhinhhtvghlrdgtohhmpdhrtghpthhtohepphhlrghtfhhorhhm qdgurhhivhgvrhdqgiekieesvhhgvghrrdhkvghrnhgvlhdrohhrghdprhgtphhtthhope hlihhnuhigqdhkvghrnhgvlhesvhhgvghrrdhkvghrnhgvlhdrohhrgh X-ME-Proxy: Feedback-ID: ibe194615:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 21 Oct 2024 15:38:43 -0400 (EDT) From: Mark Pearson To: mpearson-lenovo@squebb.ca Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/4] platform/x86: think-lmi: improve check if BIOS account security enabled Date: Mon, 21 Oct 2024 15:38:23 -0400 Message-ID: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> X-Mailer: git-send-email 2.47.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: platform-driver-x86@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Improve determination of whether authentication account is enabled by checking if either password or certificate is enabled. Renamed valid to pwd_enabled for better readability. Signed-off-by: Mark Pearson --- drivers/platform/x86/think-lmi.c | 26 +++++++++++++------------- drivers/platform/x86/think-lmi.h | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) 
diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 4cfb53206cb8..727a9400d406 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c @@ -391,7 +391,7 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr { struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); - return sysfs_emit(buf, "%d\n", setting->valid); + return sysfs_emit(buf, "%d\n", setting->pwd_enabled || setting->cert_installed); } static struct kobj_attribute auth_is_pass_set = __ATTR_RO(is_enabled); @@ -469,7 +469,7 @@ static ssize_t new_password_store(struct kobject *kobj, if (ret) goto out; - if (tlmi_priv.pwd_admin->valid) { + if (tlmi_priv.pwd_admin->pwd_enabled) { ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", tlmi_priv.pwd_admin->password); if (ret) @@ -777,7 +777,7 @@ static ssize_t certificate_store(struct kobject *kobj, new_cert, setting->signature); } else { /* This is a fresh install */ - if (!setting->valid || !setting->password[0]) { + if (!setting->pwd_enabled || !setting->password[0]) { kfree(new_cert); return -EACCES; } @@ -1019,7 +1019,7 @@ static ssize_t current_value_store(struct kobject *kobj, * Workstation's require the opcode to be set before changing the * attribute. */ - if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", tlmi_priv.pwd_admin->password); if (ret) @@ -1042,7 +1042,7 @@ static ssize_t current_value_store(struct kobject *kobj, else ret = tlmi_save_bios_settings(""); } else { /* old non-opcode based authentication method (deprecated) */ - if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", tlmi_priv.pwd_admin->password, encoding_options[tlmi_priv.pwd_admin->encoding], 
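Review bot: In the is_enabled_show hunk, `setting->pwd_enabled || setting->cert_installed` changes what userspace reads from the `is_enabled` attribute (a certificate-only account now reports 1), which is a behaviour change rather than part of the `valid` to `pwd_enabled` rename; the commit message mentions it only in passing, so state it explicitly, and consider a small helper such as `tlmi_auth_enabled(setting)` so the OR is not re-derived by hand at any later call site that needs the same test. The other hunks in this block (new_password_store, certificate_store, current_value_store) are a mechanical rename and look correct, but note that the fresh-install path in certificate_store still requires `pwd_enabled`, i.e. a configured admin password, so a certificate cannot be bootstrapped from a certificate-only state; if that is intended it deserves a comment.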
@@ -1215,7 +1215,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute * if (ret) goto out; } else if (tlmi_priv.opcode_support) { - if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", tlmi_priv.pwd_admin->password); if (ret) @@ -1223,7 +1223,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute * } ret = tlmi_save_bios_settings(""); } else { /* old non-opcode based authentication method (deprecated) */ - if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", tlmi_priv.pwd_admin->password, encoding_options[tlmi_priv.pwd_admin->encoding], @@ -1273,7 +1273,7 @@ static ssize_t debug_cmd_store(struct kobject *kobj, struct kobj_attribute *attr if (!new_setting) return -ENOMEM; - if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { + if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", tlmi_priv.pwd_admin->password, encoding_options[tlmi_priv.pwd_admin->encoding], @@ -1637,14 +1637,14 @@ static int tlmi_analyze(void) goto fail_clear_attr; if (tlmi_priv.pwdcfg.core.password_state & TLMI_PAP_PWD) - tlmi_priv.pwd_admin->valid = true; + tlmi_priv.pwd_admin->pwd_enabled = true; tlmi_priv.pwd_power = tlmi_create_auth("pop", "power-on"); if (!tlmi_priv.pwd_power) goto fail_clear_attr; if (tlmi_priv.pwdcfg.core.password_state & TLMI_POP_PWD) - tlmi_priv.pwd_power->valid = true; + tlmi_priv.pwd_power->pwd_enabled = true; if (tlmi_priv.opcode_support) { tlmi_priv.pwd_system = tlmi_create_auth("smp", "system"); 
@@ -1652,7 +1652,7 @@ static int tlmi_analyze(void) goto fail_clear_attr; if (tlmi_priv.pwdcfg.core.password_state & TLMI_SMP_PWD) - tlmi_priv.pwd_system->valid = true; + tlmi_priv.pwd_system->pwd_enabled = true; tlmi_priv.pwd_hdd = tlmi_create_auth("hdd", "hdd"); if (!tlmi_priv.pwd_hdd) @@ -1670,7 +1670,7 @@ static int tlmi_analyze(void) /* Check if PWD is configured and set index to first drive found */ if (tlmi_priv.pwdcfg.ext.hdd_user_password || tlmi_priv.pwdcfg.ext.hdd_master_password) { - tlmi_priv.pwd_hdd->valid = true; + tlmi_priv.pwd_hdd->pwd_enabled = true; if (tlmi_priv.pwdcfg.ext.hdd_master_password) tlmi_priv.pwd_hdd->index = ffs(tlmi_priv.pwdcfg.ext.hdd_master_password) - 1; @@ -1680,7 +1680,7 @@ static int tlmi_analyze(void) } if (tlmi_priv.pwdcfg.ext.nvme_user_password || tlmi_priv.pwdcfg.ext.nvme_master_password) { - tlmi_priv.pwd_nvme->valid = true; + tlmi_priv.pwd_nvme->pwd_enabled = true; if (tlmi_priv.pwdcfg.ext.nvme_master_password) tlmi_priv.pwd_nvme->index = ffs(tlmi_priv.pwdcfg.ext.nvme_master_password) - 1; diff --git a/drivers/platform/x86/think-lmi.h b/drivers/platform/x86/think-lmi.h index e1975ffebeb4..4728f40143a3 100644 --- a/drivers/platform/x86/think-lmi.h +++ b/drivers/platform/x86/think-lmi.h 
@@ -65,7 +65,7 @@ struct tlmi_pwdcfg { /* password setting details */ struct tlmi_pwd_setting { struct kobject kobj; - bool valid; + bool pwd_enabled; char password[TLMI_PWD_BUFSIZE]; const char *pwd_type; const char *role; From patchwork Mon Oct 21 19:38:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Pearson X-Patchwork-Id: 13844580 Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F87B1F470E; Mon, 21 Oct 2024 19:38:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.150 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539529; cv=none; b=NWqRceQr8CIsMPXS2KYT4JBLHZY4dOJ44I9fwh1wwv4MslModSoPc7EOl3Vgr7lItHt51DcVlgzg6H/kqTQl2Ws63js0WS7gQ+5aTh7u0xce+WVYNXXBWEY9mH0l5zZa7PDi/YBOBObIZcQyQZIvt0txAu4NaEHYVy+kFvGcpEo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539529; c=relaxed/simple; bh=JOqGIJUy+8+O0XbTcmFBJZzS+v6x80z8AdZpFds3QhA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sR05Mhj20lYlwLYaMJBZHHc4QHXgV+cyWhCRD4RU1W1Jue14J/VqfktQ18M8BsLjd/p7AoxHbddNCUTRDJTEZvP0JQyE5hCWhYAz9gHn0ag/9kkdemml8TygkNe3OeopuNiBaxNA8u3mZ5mqU2mPg0XBBONz+oeNU2SmwZEHUhw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca; spf=pass smtp.mailfrom=squebb.ca; dkim=pass (2048-bit key) header.d=squebb.ca header.i=@squebb.ca header.b=dpfujiBV; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=LCn1CRmK; arc=none smtp.client-ip=103.168.172.150 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca Authentication-Results: 

From: Mark Pearson To: mpearson-lenovo@squebb.ca Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/4] platform/x86: think-lmi: Add certificate as mechanism Date: Mon, 21 Oct 2024 15:38:24 -0400 Message-ID: <20241021193837.7641-2-mpearson-lenovo@squebb.ca> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> References: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> Precedence: bulk X-Mailing-List: platform-driver-x86@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 As both password or certificate authentication are available as mechanisms update the documentation to add certificate as an option Update driver to return correct mechanism appropriately. Signed-off-by: Mark Pearson --- Documentation/ABI/testing/sysfs-class-firmware-attributes | 2 +- drivers/platform/x86/think-lmi.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes index 9c82c7b42ff8..1a8b59f5d6e3 100644 --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes @@ -193,7 +193,7 @@ Description: mechanism: The means of authentication. This attribute is mandatory. - Only supported type currently is "password". + Supported types are "password" or "certificate". max_password_length: A file that can be read to obtain the diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 727a9400d406..46ab82fb2898 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c 
@@ -524,6 +524,10 @@ static struct kobj_attribute auth_max_pass_length = __ATTR_RO(max_password_lengt static ssize_t mechanism_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { + struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); + + if (setting->cert_installed) + return sysfs_emit(buf, "certificate\n"); return sysfs_emit(buf, "password\n"); } static struct kobj_attribute auth_mechanism = __ATTR_RO(mechanism); From patchwork Mon Oct 21 19:38:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Pearson X-Patchwork-Id: 13844582 Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 013C61F7091; Mon, 21 Oct 2024 19:38:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.150 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539529; cv=none; b=l1+KxgfPGX+VHBWaKagTZJ615bhriQDD+W2iKF4cs01Oba6lRHd53RUaK+HUtuNsaxptAfU9xvkVq8KpB4WZSxliACNTcgXhRGb7H2QkPH92wwuKphQX06ivw1SWaQTSK31wes1Jo77L2RHGkQ+Dqt4MVCJlHCYDofSBAVqOtKs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539529; c=relaxed/simple; bh=lZwCDmTUI6g1I9S6SAz3J2/xTEjocHuMzIu/W4MxzkY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=QEzRp3vbkLHxf/C6CrMNPsgBrZZPubz/XzL77lRos8ALUKcPw7ewsx300JZm4l7D+6/FtCTYR2UGjIUp/mi0/cSrs8bp/MM3Zy2NlINU24krvDH4WxwoOH6u+FXjtmaA5KUfzvXAZk+FXBvlYWwCbq3SqzOoaoQJUATVPu5D48I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca; spf=pass smtp.mailfrom=squebb.ca; dkim=pass (2048-bit key) header.d=squebb.ca header.i=@squebb.ca header.b=kaQoGZz0; dkim=pass (2048-bit key) header.d=messagingengine.com 
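Review bot: In the mechanism_show hunk, an account that has both a password set and a certificate installed reports only "certificate", while `is_enabled` (patch 1) is true for either; the ABI text added in the documentation hunk, `Supported types are "password" or "certificate".`, should say that "certificate" takes precedence when both are configured so userspace does not conclude that no password is set. Also, mechanism_show does not consult `pwd_enabled`, so an account with neither a password nor a certificate still reads "password"; that matches the previous behaviour but is worth a line in the description.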
From: Mark Pearson To: mpearson-lenovo@squebb.ca Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 3/4] platform/x86: think-lmi: Allow empty admin password Date: Mon, 21 Oct 2024 15:38:25 -0400 Message-ID: <20241021193837.7641-3-mpearson-lenovo@squebb.ca> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> References: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> Precedence: bulk X-Mailing-List: platform-driver-x86@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 SVP = BIOS Supervisor/Admin password SMP = BIOS System password If SMP ACL is enabled in the BIOS then the system allows you to set the SMP without a SVP password configured. Change code to allow this. BIOS will return permissions error if SVP is required. Signed-off-by: Mark Pearson --- drivers/platform/x86/think-lmi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 46ab82fb2898..751e351dfc42 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c 
@@ -469,7 +469,12 @@ static ssize_t new_password_store(struct kobject *kobj, if (ret) goto out; - if (tlmi_priv.pwd_admin->pwd_enabled) { + /* + * Note admin password not always required if SMPControl enabled in BIOS, + * So only set if it's configured. + * Let BIOS figure it out - we'll get an error if operation not permitted + */ + if (tlmi_priv.pwd_admin->pwd_enabled && strlen(tlmi_priv.pwd_admin->password)) { ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", tlmi_priv.pwd_admin->password); if (ret) From patchwork Mon Oct 21 19:38:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Pearson X-Patchwork-Id: 13844583 Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9613D1F8EFC; Mon, 21 Oct 2024 19:38:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.150 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539530; cv=none; b=pL9P6+19uR3eDFlGLRkfUIMqzEEVlh/6sVRFEPaU7kcm/aEgwXpX+nTHUKBt7KS0EhPG7EVwIgcOUb8AfFpKD3qxtrGGy0wJz/19jP/5Db7rI/xIhH7U32CdjhuRhXx2a7Zj48WydSyJ0s9gGmdiAUhH0sH5WhoogdKdP5oKv+0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729539530; c=relaxed/simple; bh=JPjj8vFXxj1rHxd5bQ9ucqiLJ/GIvhEwH5McHfGzYZM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cR2jVFrmSOR2Y+1dol1d5Z3XK9uojS8Ck5kKjqmlTxd4pgT/y/tFZQ9klV6mnIaMWtxIq7nyr53DnV1NQpYzV9SeFrIjtxYwvNLSGgntw4pkCGowWcd5/mrhemwheASbsPSMPJV9LXjbsIGrAcr8oPH8DCb+Kz7TOOJP4UK9jxs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=squebb.ca; spf=pass smtp.mailfrom=squebb.ca; dkim=pass (2048-bit key) header.d=squebb.ca header.i=@squebb.ca 
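Review bot: In the new_password_store hunk, `strlen(tlmi_priv.pwd_admin->password)` tests the same condition as the `tlmi_priv.pwd_admin->password[0]` idiom used in current_value_store, save_settings_store and debug_cmd_store in patch 1; use one form so the sites stay greppable. The new comment has a mid-sentence capital ("So only set") and says "SMPControl" while the commit message says "SMP ACL"; pick one name for the BIOS setting. Deferring the permission decision to BIOS is sound, since BIOS is the authority on whether an SVP is required, but the driver now silently omits the admin password whenever none is cached, so the BIOS permissions error is the only feedback userspace gets; a short comment saying that this is deliberate would save the next reader from treating it as a missing check.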
From: Mark Pearson To: mpearson-lenovo@squebb.ca Cc: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 4/4] platform/x86: think-lmi: Multi-certificate support Date: Mon, 21 Oct 2024 15:38:26 -0400 Message-ID: <20241021193837.7641-4-mpearson-lenovo@squebb.ca> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> References: <20241021193837.7641-1-mpearson-lenovo@squebb.ca> Precedence: bulk X-Mailing-List: platform-driver-x86@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Lenovo are adding support for both Admin and System certificates to the certificate based authentication feature This commit adds the support for this. Signed-off-by: Mark Pearson --- .../testing/sysfs-class-firmware-attributes | 1 + drivers/platform/x86/think-lmi.c | 141 ++++++++++++++---- drivers/platform/x86/think-lmi.h | 4 + 3 files changed, 116 insertions(+), 30 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes index 1a8b59f5d6e3..2713efa509b4 100644 --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes @@ -303,6 +303,7 @@ Description: being configured allowing anyone to make changes. After any of these operations the system must reboot for the changes to take effect. + Admin and System certificates are supported from 2025 systems onward. certificate_thumbprint: Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index 751e351dfc42..fca190232c24 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c 
@@ -169,11 +169,12 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support"); */ #define LENOVO_CERT_THUMBPRINT_GUID "C59119ED-1C0D-4806-A8E9-59AA318176C4" -#define TLMI_POP_PWD BIT(0) /* Supervisor */ -#define TLMI_PAP_PWD BIT(1) /* Power-on */ -#define TLMI_HDD_PWD BIT(2) /* HDD/NVME */ -#define TLMI_SMP_PWD BIT(6) /* System Management */ -#define TLMI_CERT BIT(7) /* Certificate Based */ +#define TLMI_POP_PWD BIT(0) /* Supervisor */ +#define TLMI_PAP_PWD BIT(1) /* Power-on */ +#define TLMI_HDD_PWD BIT(2) /* HDD/NVME */ +#define TLMI_SMP_PWD BIT(6) /* System Management */ +#define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */ +#define TLMI_CERT_SMC BIT(8) /* System Certificate Based */ static const struct tlmi_err_codes tlmi_errs[] = { {"Success", 0}, @@ -678,18 +679,35 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count) return count; } +#define NUM_THUMBTYPES 3 +static char *thumbtypes[NUM_THUMBTYPES] = {"Md5", "Sha1", "Sha256"}; + static ssize_t certificate_thumbprint_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); - int count = 0; + char *wmistr; + int count = 0, i; if (!tlmi_priv.certificate_support || !setting->cert_installed) return -EOPNOTSUPP; - count += cert_thumbprint(buf, "Md5", count); - count += cert_thumbprint(buf, "Sha1", count); - count += cert_thumbprint(buf, "Sha256", count); + for (i = 0; i < NUM_THUMBTYPES; i++) { + if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { + /* Format: 'SVC | SMC, Thumbtype' */ + wmistr = kasprintf(GFP_KERNEL, "%s,%s", + setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", + thumbtypes[i]); + } else { + /* Format: 'Thumbtype' */ + wmistr = kasprintf(GFP_KERNEL, "%s", thumbtypes[i]); + } + if (!wmistr) + return -ENOMEM; + count += cert_thumbprint(buf, wmistr, count); + kfree(wmistr); + } + return count; } 
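Review bot: In the @@ -169 hunk the comments on `TLMI_POP_PWD BIT(0) /* Supervisor */` and `TLMI_PAP_PWD BIT(1) /* Power-on */` are swapped relative to how tlmi_analyze uses them (patch 1 sets `pwd_admin->pwd_enabled` from TLMI_PAP_PWD and `pwd_power->pwd_enabled` from TLMI_POP_PWD); since these lines are being reindented anyway, fix the comments here. In the certificate_thumbprint_show hunk, `static char *thumbtypes[NUM_THUMBTYPES]` should be `static const char * const`, and the non-multicert branch allocates with `kasprintf(GFP_KERNEL, "%s", thumbtypes[i])` only to free it again; passing `thumbtypes[i]` directly and allocating only in the multicert case avoids both the allocation and a new -ENOMEM path for the legacy format. `TLMI_PWDCFG_MODE_MULTICERT` is not defined in any hunk shown here; make sure the think-lmi.h hunk adds it.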
@@ -720,8 +738,15 @@ static ssize_t cert_to_password_store(struct kobject *kobj, if (!passwd) return -ENOMEM; - /* Format: 'Password,Signature' */ - auth_str = kasprintf(GFP_KERNEL, "%s,%s", passwd, setting->signature); + if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { + /* Format: 'SVC | SMC, password, signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s", + setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", + passwd, setting->signature); + } else { + /* Format: 'Password,Signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s", passwd, setting->signature); + } if (!auth_str) { kfree_sensitive(passwd); return -ENOMEM; @@ -735,12 +760,19 @@ static ssize_t cert_to_password_store(struct kobject *kobj, static struct kobj_attribute auth_cert_to_password = __ATTR_WO(cert_to_password); +enum cert_install_mode { + TLMI_CERT_INSTALL, + TLMI_CERT_UPDATE, +}; + static ssize_t certificate_store(struct kobject *kobj, struct kobj_attribute *attr, const char *buf, size_t count) { struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); + enum cert_install_mode install_mode = TLMI_CERT_INSTALL; char *auth_str, *new_cert; + char *signature; char *guid; int ret; @@ -756,10 +788,18 @@ static ssize_t certificate_store(struct kobject *kobj, if (!setting->signature || !setting->signature[0]) return -EACCES; - /* Format: 'serial#, signature' */ - auth_str = kasprintf(GFP_KERNEL, "%s,%s", - dmi_get_system_info(DMI_PRODUCT_SERIAL), - setting->signature); + if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { + /* Format: 'SVC | SMC, serial#, signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s", + setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", + dmi_get_system_info(DMI_PRODUCT_SERIAL), + setting->signature); + } else { + /* Format: 'serial#, signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s", + dmi_get_system_info(DMI_PRODUCT_SERIAL), + setting->signature); + } if (!auth_str) return -ENOMEM; 
@@ -776,24 +816,59 @@ static ssize_t certificate_store(struct kobject *kobj, if (setting->cert_installed) { /* Certificate is installed so this is an update */ - if (!setting->signature || !setting->signature[0]) { + install_mode = TLMI_CERT_UPDATE; + /* If admin account enabled - need to use it's signature */ + if (tlmi_priv.pwd_admin->pwd_enabled) + signature = tlmi_priv.pwd_admin->signature; + else + signature = setting->signature; + } else { /* Cert install */ + /* Check if SMC and SVC already installed */ + if ((setting == tlmi_priv.pwd_system) && tlmi_priv.pwd_admin->cert_installed) { + /* This gets treated as a cert update */ + install_mode = TLMI_CERT_UPDATE; + signature = tlmi_priv.pwd_admin->signature; + } else { /* Regular cert install */ + install_mode = TLMI_CERT_INSTALL; + signature = setting->signature; + } + } + + if (install_mode == TLMI_CERT_UPDATE) { + /* This is a certificate update */ + if (!signature || !signature[0]) { kfree(new_cert); return -EACCES; } guid = LENOVO_UPDATE_BIOS_CERT_GUID; - /* Format: 'Certificate,Signature' */ - auth_str = kasprintf(GFP_KERNEL, "%s,%s", - new_cert, setting->signature); + if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { + /* Format: 'SVC | SMC, certificate, signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s", + setting == tlmi_priv.pwd_admin ? 
"SVC" : "SMC", + new_cert, signature); + } else { + /* Format: 'Certificate,Signature' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s", + new_cert, signature); + } } else { /* This is a fresh install */ - if (!setting->pwd_enabled || !setting->password[0]) { + /* To set admin cert, a password must be enabled */ + if ((setting == tlmi_priv.pwd_admin) && + (!setting->pwd_enabled || !setting->password[0])) { kfree(new_cert); return -EACCES; } guid = LENOVO_SET_BIOS_CERT_GUID; - /* Format: 'Certificate,Admin-password' */ - auth_str = kasprintf(GFP_KERNEL, "%s,%s", - new_cert, setting->password); + if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { + /* Format: 'SVC | SMC, Certificate, password' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s", + setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", + new_cert, setting->password); + } else { + /* Format: 'Certificate, password' */ + auth_str = kasprintf(GFP_KERNEL, "%s,%s", new_cert, setting->password); + } } kfree(new_cert); if (!auth_str) @@ -873,14 +948,19 @@ static umode_t auth_attr_is_visible(struct kobject *kobj, return 0; } - /* We only display certificates on Admin account, if supported */ + /* We only display certificates, if supported */ if (attr == &auth_certificate.attr || attr == &auth_signature.attr || attr == &auth_save_signature.attr || attr == &auth_cert_thumb.attr || attr == &auth_cert_to_password.attr) { - if ((setting == tlmi_priv.pwd_admin) && tlmi_priv.certificate_support) + if (tlmi_priv.certificate_support) { + if (setting == tlmi_priv.pwd_admin) + return attr->mode; + if ((tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) && + (setting == tlmi_priv.pwd_system)) return attr->mode; + } return 0; } 
@@ -1700,12 +1780,13 @@ static int tlmi_analyze(void) } } - if (tlmi_priv.certificate_support && - (tlmi_priv.pwdcfg.core.password_state & TLMI_CERT)) - tlmi_priv.pwd_admin->cert_installed = true; - + if (tlmi_priv.certificate_support) { + tlmi_priv.pwd_admin->cert_installed = + tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC; + tlmi_priv.pwd_system->cert_installed = + tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC; + } return 0; - fail_clear_attr: for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { if (tlmi_priv.setting[i]) { diff --git a/drivers/platform/x86/think-lmi.h b/drivers/platform/x86/think-lmi.h index 4728f40143a3..f267d8b46957 100644 --- a/drivers/platform/x86/think-lmi.h +++ b/drivers/platform/x86/think-lmi.h @@ -41,6 +41,10 @@ enum save_mode { }; /* password configuration details */ +#define TLMI_PWDCFG_MODE_LEGACY 0 +#define TLMI_PWDCFG_MODE_PASSWORD 1 +#define TLMI_PWDCFG_MODE_MULTICERT 3 + struct tlmi_pwdcfg_core { uint32_t password_mode; uint32_t password_state;
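Review bot: the Documentation/ABI hunk only says that Admin and System certificates are supported from 2025 systems onward, and neither it nor the commit message states what that changes in the sysfs interface: that the certificate, signature, save_signature, certificate_thumbprint and cert_to_password attributes now also appear under the System authentication directory when the firmware reports a password_mode of TLMI_PWDCFG_MODE_MULTICERT or higher, and that installing a System certificate while an Admin certificate is already present is treated as an update authenticated with the Admin signature. Suggest spelling both out in the ABI text so userspace can discover the capability without reading the driver.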
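Review bot: in the first think-lmi.c hunk (the @@ -169 defines) the four unchanged password bits TLMI_POP_PWD, TLMI_PAP_PWD, TLMI_HDD_PWD and TLMI_SMP_PWD are deleted and re-added only to realign their whitespace; that churn hides the real change (TLMI_CERT renamed to TLMI_CERT_SVC and TLMI_CERT_SMC as BIT(8) added) and should be dropped or split into a separate cleanup patch. A short comment on where the new BIT(8) meaning comes from in the firmware interface would also help the next reader.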
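Review bot: in the certificate_thumbprint_show() hunk the table should be `static const char * const thumbtypes[]` and the loop should use ARRAY_SIZE(thumbtypes) instead of a hand-maintained NUM_THUMBTYPES, and the non-multicert branch allocates `kasprintf(GFP_KERNEL, "%s", thumbtypes[i])` only to free it straight after; passing thumbtypes[i] to cert_thumbprint() directly removes that allocation and its -ENOMEM path. Only the multicert branch actually needs a formatted string.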
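Review bot: in the cert_to_password_store() hunk (and again in certificate_thumbprint_show() and three places in certificate_store()) the pair `tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT` plus `setting == tlmi_priv.pwd_admin ? "SVC" : "SMC"` is copied verbatim; a small helper returning the "SVC"/"SMC" prefix and a predicate for the multicert test would keep the firmware's expected layout in one place so a single call site cannot drift. The comments also show spaces after the commas ('SVC | SMC, password, signature') while the format strings emit "%s,%s,%s" with none; make the comments match the string actually sent.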
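Review bot: in the @@ -756 certificate_store() hunk the clear-certificate path still authenticates with setting->signature for both the Admin and the System setting, whereas the update path added later in the same function switches to tlmi_priv.pwd_admin->signature whenever the admin password is enabled; either clearing a System certificate needs the same signature selection or the asymmetry should be explained in a comment, since a user who saved only the Admin signature will be able to update but not clear the System certificate.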
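Review bot: in the @@ -776 certificate_store() hunk the fresh-install branch now applies the password check only to the Admin setting, so a System certificate install with an empty setting->password sends 'SMC,<certificate>,' with an empty last field to LENOVO_SET_BIOS_CERT_GUID; if the firmware accepts a System certificate without a password that should be stated in the comment and the ABI text, otherwise the `!setting->pwd_enabled || !setting->password[0]` check should cover both settings. The comment "need to use it's signature" should read "its signature", and the `enum cert_install_mode` is assigned TLMI_CERT_INSTALL at declaration and again in the regular-install branch, so one of the two can go.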
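Review bot: in the auth_attr_is_visible() hunk the new comment "We only display certificates, if supported" has a stray comma, and the nested ifs collapse into a single condition: `if (tlmi_priv.certificate_support && (setting == tlmi_priv.pwd_admin || (setting == tlmi_priv.pwd_system && tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT))) return attr->mode;` which reads closer to the comment's intent.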
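Review bot: in the tlmi_analyze() hunk the assignments `cert_installed = password_state & TLMI_CERT_SVC` and `... & TLMI_CERT_SMC` rely on cert_installed being a bool so the non-zero mask collapses to true; if the field is ever a narrower integer, BIT(8) would be lost, so `!!(...)` or an explicit `!= 0` makes the intent obvious. The removal of the blank line before the `fail_clear_attr:` label is an unrelated whitespace change and should be dropped.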
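Review bot: in the think-lmi.h hunk the TLMI_PWDCFG_MODE_LEGACY (0), TLMI_PWDCFG_MODE_PASSWORD (1) and TLMI_PWDCFG_MODE_MULTICERT (3) defines skip value 2 without explanation, while every user compares with `>=` rather than `==`; a comment giving the meaning of each password_mode value the firmware can report (including 2) would document why `>=` is the right test, and an enum next to `struct tlmi_pwdcfg_core` would keep the values with the field that holds them.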