xref: /linux/Documentation/ABI/testing/sysfs-class-firmware-attributes (revision cbac924200b838cfb8d8b1415113d788089dc50b)
1What:		/sys/class/firmware-attributes/*/attributes/*/
2Date:		February 2021
3KernelVersion:	5.11
4Contact:	Divya Bharathi <Divya.Bharathi@Dell.com>,
5		Prasanth KSR <prasanth.ksr@dell.com>
6		Dell.Client.Kernel@dell.com
7Description:
8		A sysfs interface for systems management software to enable
9		configuration capability on supported systems.  This directory
10		exposes interfaces for interacting with configuration options.
11
12		Unless otherwise specified in an attribute description all attributes are optional
13		and will accept UTF-8 input.
14
15		type:
16		    A file that can be read to obtain the type of attribute.
17		    This attribute is mandatory.
18
19		The following are known types:
20
21			- enumeration: a set of pre-defined valid values
22			- integer: a range of numerical values
23			- string
24
25		All attribute types support the following values:
26
27		current_value:
28				A file that can be read to obtain the current
29				value of the <attr>.
30
31				This file can also be written to in order to update the value of a
32				<attr>
33
34				This attribute is mandatory.
35
36		default_value:
37				A file that can be read to obtain the default
38				value of the <attr>
39
40		display_name:
41				A file that can be read to obtain a user friendly
42				description of the at <attr>
43
44		display_name_language_code:
45						A file that can be read to obtain
46						the IETF language tag corresponding to the
47						"display_name" of the <attr>
48
49		"enumeration"-type specific properties:
50
51		possible_values:
52					A file that can be read to obtain the possible
53					values of the <attr>. Values are separated using
54					semi-colon (``;``).
55
56		"integer"-type specific properties:
57
58		min_value:
59				A file that can be read to obtain the lower
60				bound value of the <attr>
61
62		max_value:
63				A file that can be read to obtain the upper
64				bound value of the <attr>
65
66		scalar_increment:
67					A file that can be read to obtain the scalar value used for
68					increments of current_value this attribute accepts.
69
70		"string"-type specific properties:
71
72		max_length:
73				A file that can be read to obtain the maximum
74				length value of the <attr>
75
76		min_length:
77				A file that can be read to obtain the minimum
78				length value of the <attr>
79
80		Dell specific class extensions
81		------------------------------
82
83		On Dell systems the following additional attributes are available:
84
85		dell_modifier:
86				A file that can be read to obtain attribute-level
87				dependency rule. It says an attribute X will become read-only or
88				suppressed, if/if-not attribute Y is configured.
89
90				modifier rules can be in following format::
91
92				    [ReadOnlyIf:<attribute>=<value>]
93				    [ReadOnlyIfNot:<attribute>=<value>]
94				    [SuppressIf:<attribute>=<value>]
95				    [SuppressIfNot:<attribute>=<value>]
96
97				For example::
98
99				    AutoOnFri/dell_modifier has value,
100					    [SuppressIfNot:AutoOn=SelectDays]
101
102				This means AutoOnFri will be suppressed in BIOS setup if AutoOn
103				attribute is not "SelectDays" and its value will not be effective
104				through sysfs until this rule is met.
105
106		Enumeration attributes also support the following:
107
108		dell_value_modifier:
109					A file that can be read to obtain value-level dependency.
110					This file is similar to dell_modifier but here,	an
111					attribute's current value will be forcefully changed based
112					dependent attributes value.
113
114					dell_value_modifier rules can be in following format::
115
116					    <value>[ForceIf:<attribute>=<value>]
117					    <value>[ForceIfNot:<attribute>=<value>]
118
119					For example:
120
121					    LegacyOrom/dell_value_modifier has value:
122						    Disabled[ForceIf:SecureBoot=Enabled]
123
124					This means LegacyOrom's current value will be forced to
125					"Disabled" in BIOS setup if SecureBoot is Enabled and its
126					value will not be effective through sysfs until this rule is
127					met.
128
129What:		/sys/class/firmware-attributes/*/authentication/
130Date:		February 2021
131KernelVersion:	5.11
132Contact:	Divya Bharathi <Divya.Bharathi@Dell.com>,
133		Prasanth KSR <prasanth.ksr@dell.com>
134		Dell.Client.Kernel@dell.com
135Description:
136		Devices support various authentication mechanisms which can be exposed
137		as a separate configuration object.
138
139		For example a "BIOS Admin" password and "System" Password can be set,
140		reset or cleared using these attributes.
141
142		- An "Admin" password is used for preventing modification to the BIOS
143		  settings.
144		- A "System" password is required to boot a machine.
145
146		Change in any of these two authentication methods will also generate an
147		uevent KOBJ_CHANGE.
148
149		is_enabled:
150					A file that can be read to obtain a 0/1 flag to see if
151					<attr> authentication is enabled.
152					This attribute is mandatory.
153
154		role:
155					The type of authentication used.
156					This attribute is mandatory.
157
158					Known types:
159						bios-admin:
160							Representing BIOS administrator password
161						power-on:
162							Representing a password required to use
163							the system
164						system-mgmt:
165							Representing System Management password.
166							See Lenovo extensions section for details
167						HDD:
168							Representing HDD password
169							See Lenovo extensions section for details
170						NVMe:
171							Representing NVMe password
172							See Lenovo extensions section for details
173
174		mechanism:
175					The means of authentication.  This attribute is mandatory.
176					Only supported type currently is "password".
177
178		max_password_length:
179					A file that can be read to obtain the
180					maximum length of the Password
181
182		min_password_length:
183					A file that can be read to obtain the
184					minimum length of the Password
185
186		current_password:
187					A write only value used for privileged access such as
188					setting	attributes when a system or admin password is set
189					or resetting to a new password
190
191					This attribute is mandatory when mechanism == "password".
192
193		new_password:
194					A write only value that when used in tandem with
195					current_password will reset a system or admin password.
196
197		Note, password management is session specific. If Admin password is set,
198		same password must be written into current_password file (required for
199		password-validation) and must be cleared once the session is over.
200		For example::
201
202			echo "password" > current_password
203			echo "disabled" > TouchScreen/current_value
204			echo "" > current_password
205
206		Drivers may emit a CHANGE uevent when a password is set or unset
207		userspace may check it again.
208
209		On Dell and Lenovo systems, if Admin password is set, then all BIOS attributes
210		require password validation.
211		On Lenovo systems if you change the Admin password the new password is not active until
212		the next boot.
213
214		Lenovo specific class extensions
215		------------------------------
216
217		On Lenovo systems the following additional settings are available:
218
219		role: system-mgmt	This gives the same authority as the bios-admin password to control
220					security related features. The authorities allocated can be set via
221					the BIOS menu SMP Access Control Policy
222
223		role: HDD & NVMe	This password is used to unlock access to the drive at boot. Note see
224					'level' and 'index' extensions below.
225
226		lenovo_encoding:
227					The encoding method that is used. This can be either "ascii"
228					or "scancode". Default is set to "ascii"
229
230		lenovo_kbdlang:
231					The keyboard language method that is used. This is generally a
232					two char code (e.g. "us", "fr", "gr") and may vary per platform.
233					Default is set to "us"
234
235		level:
236					Available for HDD and NVMe authentication to set 'user' or 'master'
237					privilege level.
238					If only the user password is configured then this should be used to
239					unlock the drive at boot. If both master and user passwords are set
240					then either can be used. If a master password is set a user password
241					is required.
242					This attribute defaults to 'user' level
243
244		index:
245					Used with HDD and NVME authentication to set the drive index
246					that is being referenced (e.g hdd0, hdd1 etc)
247					This attribute defaults to device 0.
248
249		certificate:
250		signature:
251		save_signature:
252					These attributes are used for certificate based authentication. This is
253					used in conjunction with a signing server as an alternative to password
254					based authentication.
255					The user writes to the attribute(s) with a BASE64 encoded string obtained
256					from the signing server.
257					The attributes can be displayed to check the stored value.
258
259					Some usage examples:
260					Installing a certificate to enable feature:
261						echo <supervisor password > authentication/Admin/current_password
262						echo <signed certificate> > authentication/Admin/certificate
263
264					Updating the installed certificate:
265						echo <signature> > authentication/Admin/signature
266						echo <signed certificate> > authentication/Admin/certificate
267
268					Removing the installed certificate:
269						echo <signature> > authentication/Admin/signature
270						echo '' > authentication/Admin/certificate
271
272					Changing a BIOS setting:
273						echo <signature> > authentication/Admin/signature
274						echo <save signature> > authentication/Admin/save_signature
275						echo Enable > attribute/PasswordBeep/current_value
276
277					You cannot enable certificate authentication if a supervisor password
278					has not been set.
279					Clearing the certificate results in no bios-admin authentication method
280					being configured allowing anyone to make changes.
281					After any of these operations the system must reboot for the changes to
282					take effect.
283
284		certificate_thumbprint:
285					Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints
286					for the certificate installed in the BIOS.
287
288		certificate_to_password:
289					Write only attribute used to switch from certificate based authentication
290					back to password based.
291					Usage:
292						echo <signature> > authentication/Admin/signature
293						echo <password> > authentication/Admin/certificate_to_password
294
295
296What:		/sys/class/firmware-attributes/*/attributes/pending_reboot
297Date:		February 2021
298KernelVersion:	5.11
299Contact:	Divya Bharathi <Divya.Bharathi@Dell.com>,
300		Prasanth KSR <prasanth.ksr@dell.com>
301		Dell.Client.Kernel@dell.com
302Description:
303		A read-only attribute reads 1 if a reboot is necessary to apply
304		pending BIOS attribute changes. Also, an uevent_KOBJ_CHANGE is
305		generated when it changes to 1.
306
307			==	=========================================
308			0	All BIOS attributes setting are current
309			1	A reboot is necessary to get pending BIOS
310			        attribute changes applied
311			==	=========================================
312
313		Note, userspace applications need to follow below steps for efficient
314		BIOS management,
315
316		1.	Check if admin password is set. If yes, follow session method for
317			password management as briefed under authentication section above.
318		2.	Before setting any attribute, check if it has any modifiers
319			or value_modifiers. If yes, incorporate them and then modify
320			attribute.
321
322		Drivers may emit a CHANGE uevent when this value changes and userspace
323		may check it again.
324
325What:		/sys/class/firmware-attributes/*/attributes/reset_bios
326Date:		February 2021
327KernelVersion:	5.11
328Contact:	Divya Bharathi <Divya.Bharathi@Dell.com>,
329		Prasanth KSR <prasanth.ksr@dell.com>
330		Dell.Client.Kernel@dell.com
331Description:
332		This attribute can be used to reset the BIOS Configuration.
333		Specifically, it tells which type of reset BIOS configuration is being
334		requested on the host.
335
336		Reading from it returns a list of supported options encoded as:
337
338			- 'builtinsafe' (Built in safe configuration profile)
339			- 'lastknowngood' (Last known good saved configuration profile)
340			- 'factory' (Default factory settings configuration profile)
341			- 'custom' (Custom saved configuration profile)
342
343		The currently selected option is printed in square brackets as
344		shown below::
345
346		    # echo "factory" > /sys/class/firmware-attributes/*/device/attributes/reset_bios
347		    # cat /sys/class/firmware-attributes/*/device/attributes/reset_bios
348		    # builtinsafe lastknowngood [factory] custom
349
350		Note that any changes to this attribute requires a reboot
351		for changes to take effect.
352
353What:		/sys/class/firmware-attributes/*/attributes/debug_cmd
354Date:		July 2021
355KernelVersion:	5.14
356Contact:	Mark Pearson <markpearson@lenovo.com>
357Description:
358		This write only attribute can be used to send debug commands to the BIOS.
359		This should only be used when recommended by the BIOS vendor. Vendors may
360		use it to enable extra debug attributes or BIOS features for testing purposes.
361
362		Note that any changes to this attribute requires a reboot for changes to take effect.
363