xref: /linux/drivers/platform/x86/think-lmi.c (revision 0340dc4c82590d8735c58cf904a8aa1173273ab5)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Think LMI BIOS configuration driver
4  *
5  * Copyright(C) 2019-2021 Lenovo
6  *
7  * Original code from Thinkpad-wmi project https://github.com/iksaif/thinkpad-wmi
8  * Copyright(C) 2017 Corentin Chary <corentin.chary@gmail.com>
9  * Distributed under the GPL-2.0 license
10  */
11 
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 
14 #include <linux/acpi.h>
15 #include <linux/errno.h>
16 #include <linux/fs.h>
17 #include <linux/mutex.h>
18 #include <linux/string_helpers.h>
19 #include <linux/types.h>
20 #include <linux/dmi.h>
21 #include <linux/wmi.h>
22 #include "firmware_attributes_class.h"
23 #include "think-lmi.h"
24 
25 static bool debug_support;
26 module_param(debug_support, bool, 0444);
27 MODULE_PARM_DESC(debug_support, "Enable debug command support");
28 
29 /*
30  * Name: BiosSetting
31  * Description: Get item name and settings for current LMI instance.
32  * Type: Query
33  * Returns: "Item,Value"
34  * Example: "WakeOnLAN,Enable"
35  */
36 #define LENOVO_BIOS_SETTING_GUID "51F5230E-9677-46CD-A1CF-C0B23EE34DB7"
37 
38 /*
39  * Name: SetBiosSetting
40  * Description: Change the BIOS setting to the desired value using the SetBiosSetting
41  *  class. To save the settings, use the SaveBiosSetting class.
42  *  BIOS settings and values are case sensitive.
43  *  After making changes to the BIOS settings, you must reboot the computer
44  *  before the changes will take effect.
45  * Type: Method
46  * Arguments: "Item,Value,Password,Encoding,KbdLang;"
47  * Example: "WakeOnLAN,Disable,pa55w0rd,ascii,us;"
48  */
49 #define LENOVO_SET_BIOS_SETTINGS_GUID "98479A64-33F5-4E33-A707-8E251EBBC3A1"
50 
51 /*
52  * Name: SaveBiosSettings
53  * Description: Save any pending changes in settings.
54  * Type: Method
55  * Arguments: "Password,Encoding,KbdLang;"
56  * Example: "pa55w0rd,ascii,us;"
57  */
58 #define LENOVO_SAVE_BIOS_SETTINGS_GUID "6A4B54EF-A5ED-4D33-9455-B0D9B48DF4B3"
59 
60 /*
61  * Name: BiosPasswordSettings
62  * Description: Return BIOS Password settings
63  * Type: Query
64  * Returns: PasswordMode, PasswordState, MinLength, MaxLength,
65  *  SupportedEncoding, SupportedKeyboard
66  */
67 #define LENOVO_BIOS_PASSWORD_SETTINGS_GUID "8ADB159E-1E32-455C-BC93-308A7ED98246"
68 
69 /*
70  * Name: SetBiosPassword
71  * Description: Change a specific password.
72  *  - BIOS settings cannot be changed at the same boot as power-on
73  *    passwords (POP) and hard disk passwords (HDP). If you want to change
74  *    BIOS settings and POP or HDP, you must reboot the system after changing
75  *    one of them.
76  *  - A password cannot be set using this method when one does not already
77  *    exist. Passwords can only be updated or cleared.
78  * Type: Method
79  * Arguments: "PasswordType,CurrentPassword,NewPassword,Encoding,KbdLang;"
80  * Example: "pop,pa55w0rd,newpa55w0rd,ascii,us;”
81  */
82 #define LENOVO_SET_BIOS_PASSWORD_GUID "2651D9FD-911C-4B69-B94E-D0DED5963BD7"
83 
84 /*
85  * Name: GetBiosSelections
86  * Description: Return a list of valid settings for a given item.
87  * Type: Method
88  * Arguments: "Item"
89  * Returns: "Value1,Value2,Value3,..."
90  * Example:
91  *  -> "FlashOverLAN"
92  *  <- "Enabled,Disabled"
93  */
94 #define LENOVO_GET_BIOS_SELECTIONS_GUID	"7364651A-132F-4FE7-ADAA-40C6C7EE2E3B"
95 
96 /*
97  * Name: DebugCmd
98  * Description: Debug entry method for entering debug commands to the BIOS
99  */
100 #define LENOVO_DEBUG_CMD_GUID "7FF47003-3B6C-4E5E-A227-E979824A85D1"
101 
102 /*
103  * Name: OpcodeIF
104  * Description: Opcode interface which provides the ability to set multiple
105  *  parameters and then trigger an action with a final command.
106  *  This is particularly useful for simplifying setting passwords.
107  *  With this support comes the ability to set System, HDD and NVMe
108  *  passwords.
109  *  This is currently available on ThinkCenter and ThinkStations platforms
110  */
111 #define LENOVO_OPCODE_IF_GUID "DFDDEF2C-57D4-48ce-B196-0FB787D90836"
112 
113 /*
114  * Name: SetBiosCert
115  * Description: Install BIOS certificate.
116  * Type: Method
117  * Arguments: "Certificate,Password"
118  * You must reboot the computer before the changes will take effect.
119  */
120 #define LENOVO_SET_BIOS_CERT_GUID    "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
121 
122 /*
123  * Name: UpdateBiosCert
124  * Description: Update BIOS certificate.
125  * Type: Method
126  * Format: "Certificate,Signature"
127  * You must reboot the computer before the changes will take effect.
128  */
129 #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
130 
131 /*
132  * Name: ClearBiosCert
133  * Description: Uninstall BIOS certificate.
134  * Type: Method
135  * Format: "Serial,Signature"
136  * You must reboot the computer before the changes will take effect.
137  */
138 #define LENOVO_CLEAR_BIOS_CERT_GUID  "B2BC39A7-78DD-4D71-B059-A510DEC44890"
139 /*
140  * Name: CertToPassword
141  * Description: Switch from certificate to password authentication.
142  * Type: Method
143  * Format: "Password,Signature"
144  * You must reboot the computer before the changes will take effect.
145  */
146 #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
147 
148 /*
149  * Name: SetBiosSettingCert
150  * Description: Set attribute using certificate authentication.
151  * Type: Method
152  * Format: "Item,Value,Signature"
153  */
154 #define LENOVO_SET_BIOS_SETTING_CERT_GUID  "34A008CC-D205-4B62-9E67-31DFA8B90003"
155 
156 /*
157  * Name: SaveBiosSettingCert
158  * Description: Save any pending changes in settings.
159  * Type: Method
160  * Format: "Signature"
161  */
162 #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
163 
164 /*
165  * Name: CertThumbprint
166  * Description: Display Certificate thumbprints
167  * Type: Query
168  * Returns: MD5, SHA1 & SHA256 thumbprints
169  */
170 #define LENOVO_CERT_THUMBPRINT_GUID "C59119ED-1C0D-4806-A8E9-59AA318176C4"
171 
172 #define TLMI_POP_PWD BIT(0) /* Supervisor */
173 #define TLMI_PAP_PWD BIT(1) /* Power-on */
174 #define TLMI_HDD_PWD BIT(2) /* HDD/NVME */
175 #define TLMI_SMP_PWD BIT(6) /* System Management */
176 #define TLMI_CERT    BIT(7) /* Certificate Based */
177 
178 #define to_tlmi_pwd_setting(kobj)  container_of(kobj, struct tlmi_pwd_setting, kobj)
179 #define to_tlmi_attr_setting(kobj)  container_of(kobj, struct tlmi_attr_setting, kobj)
180 
181 static const struct tlmi_err_codes tlmi_errs[] = {
182 	{"Success", 0},
183 	{"Not Supported", -EOPNOTSUPP},
184 	{"Invalid Parameter", -EINVAL},
185 	{"Access Denied", -EACCES},
186 	{"System Busy", -EBUSY},
187 };
188 
189 static const char * const encoding_options[] = {
190 	[TLMI_ENCODING_ASCII] = "ascii",
191 	[TLMI_ENCODING_SCANCODE] = "scancode",
192 };
193 static const char * const level_options[] = {
194 	[TLMI_LEVEL_USER] = "user",
195 	[TLMI_LEVEL_MASTER] = "master",
196 };
197 static struct think_lmi tlmi_priv;
198 static const struct class *fw_attr_class;
199 static DEFINE_MUTEX(tlmi_mutex);
200 
201 /* Convert BIOS WMI error string to suitable error code */
202 static int tlmi_errstr_to_err(const char *errstr)
203 {
204 	int i;
205 
206 	for (i = 0; i < sizeof(tlmi_errs)/sizeof(struct tlmi_err_codes); i++) {
207 		if (!strcmp(tlmi_errs[i].err_str, errstr))
208 			return tlmi_errs[i].err_code;
209 	}
210 	return -EPERM;
211 }
212 
213 /* Extract error string from WMI return buffer */
214 static int tlmi_extract_error(const struct acpi_buffer *output)
215 {
216 	const union acpi_object *obj;
217 
218 	obj = output->pointer;
219 	if (!obj)
220 		return -ENOMEM;
221 	if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer)
222 		return -EIO;
223 
224 	return tlmi_errstr_to_err(obj->string.pointer);
225 }
226 
227 /* Utility function to execute WMI call to BIOS */
228 static int tlmi_simple_call(const char *guid, const char *arg)
229 {
230 	const struct acpi_buffer input = { strlen(arg), (char *)arg };
231 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
232 	acpi_status status;
233 	int i, err;
234 
235 	/*
236 	 * Duplicated call required to match BIOS workaround for behavior
237 	 * seen when WMI accessed via scripting on other OS.
238 	 */
239 	for (i = 0; i < 2; i++) {
240 		/* (re)initialize output buffer to default state */
241 		output.length = ACPI_ALLOCATE_BUFFER;
242 		output.pointer = NULL;
243 
244 		status = wmi_evaluate_method(guid, 0, 0, &input, &output);
245 		if (ACPI_FAILURE(status)) {
246 			kfree(output.pointer);
247 			return -EIO;
248 		}
249 		err = tlmi_extract_error(&output);
250 		kfree(output.pointer);
251 		if (err)
252 			return err;
253 	}
254 	return 0;
255 }
256 
257 /* Extract output string from WMI return buffer */
258 static int tlmi_extract_output_string(const struct acpi_buffer *output,
259 				      char **string)
260 {
261 	const union acpi_object *obj;
262 	char *s;
263 
264 	obj = output->pointer;
265 	if (!obj)
266 		return -ENOMEM;
267 	if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer)
268 		return -EIO;
269 
270 	s = kstrdup(obj->string.pointer, GFP_KERNEL);
271 	if (!s)
272 		return -ENOMEM;
273 	*string = s;
274 	return 0;
275 }
276 
277 /* ------ Core interface functions ------------*/
278 
279 /* Get password settings from BIOS */
280 static int tlmi_get_pwd_settings(struct tlmi_pwdcfg *pwdcfg)
281 {
282 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
283 	const union acpi_object *obj;
284 	acpi_status status;
285 	int copy_size;
286 
287 	if (!tlmi_priv.can_get_password_settings)
288 		return -EOPNOTSUPP;
289 
290 	status = wmi_query_block(LENOVO_BIOS_PASSWORD_SETTINGS_GUID, 0,
291 				 &output);
292 	if (ACPI_FAILURE(status))
293 		return -EIO;
294 
295 	obj = output.pointer;
296 	if (!obj)
297 		return -ENOMEM;
298 	if (obj->type != ACPI_TYPE_BUFFER || !obj->buffer.pointer) {
299 		kfree(obj);
300 		return -EIO;
301 	}
302 	/*
303 	 * The size of thinkpad_wmi_pcfg on ThinkStation is larger than ThinkPad.
304 	 * To make the driver compatible on different brands, we permit it to get
305 	 * the data in below case.
306 	 * Settings must have at minimum the core fields available
307 	 */
308 	if (obj->buffer.length < sizeof(struct tlmi_pwdcfg_core)) {
309 		pr_warn("Unknown pwdcfg buffer length %d\n", obj->buffer.length);
310 		kfree(obj);
311 		return -EIO;
312 	}
313 
314 	copy_size = min_t(size_t, obj->buffer.length, sizeof(struct tlmi_pwdcfg));
315 
316 	memcpy(pwdcfg, obj->buffer.pointer, copy_size);
317 	kfree(obj);
318 
319 	if (WARN_ON(pwdcfg->core.max_length >= TLMI_PWD_BUFSIZE))
320 		pwdcfg->core.max_length = TLMI_PWD_BUFSIZE - 1;
321 	return 0;
322 }
323 
324 static int tlmi_save_bios_settings(const char *password)
325 {
326 	return tlmi_simple_call(LENOVO_SAVE_BIOS_SETTINGS_GUID,
327 				password);
328 }
329 
330 static int tlmi_opcode_setting(char *setting, const char *value)
331 {
332 	char *opcode_str;
333 	int ret;
334 
335 	opcode_str = kasprintf(GFP_KERNEL, "%s:%s;", setting, value);
336 	if (!opcode_str)
337 		return -ENOMEM;
338 
339 	ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, opcode_str);
340 	kfree(opcode_str);
341 	return ret;
342 }
343 
344 static int tlmi_setting(int item, char **value, const char *guid_string)
345 {
346 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
347 	acpi_status status;
348 	int ret;
349 
350 	status = wmi_query_block(guid_string, item, &output);
351 	if (ACPI_FAILURE(status)) {
352 		kfree(output.pointer);
353 		return -EIO;
354 	}
355 
356 	ret = tlmi_extract_output_string(&output, value);
357 	kfree(output.pointer);
358 	return ret;
359 }
360 
361 static int tlmi_get_bios_selections(const char *item, char **value)
362 {
363 	const struct acpi_buffer input = { strlen(item), (char *)item };
364 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
365 	acpi_status status;
366 	int ret;
367 
368 	status = wmi_evaluate_method(LENOVO_GET_BIOS_SELECTIONS_GUID,
369 				     0, 0, &input, &output);
370 
371 	if (ACPI_FAILURE(status)) {
372 		kfree(output.pointer);
373 		return -EIO;
374 	}
375 
376 	ret = tlmi_extract_output_string(&output, value);
377 	kfree(output.pointer);
378 	return ret;
379 }
380 
381 /* ---- Authentication sysfs --------------------------------------------------------- */
382 static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr,
383 					  char *buf)
384 {
385 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
386 
387 	return sysfs_emit(buf, "%d\n", setting->valid);
388 }
389 
390 static struct kobj_attribute auth_is_pass_set = __ATTR_RO(is_enabled);
391 
392 static ssize_t current_password_store(struct kobject *kobj,
393 				      struct kobj_attribute *attr,
394 				      const char *buf, size_t count)
395 {
396 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
397 	size_t pwdlen;
398 
399 	pwdlen = strlen(buf);
400 	/* pwdlen == 0 is allowed to clear the password */
401 	if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen)))
402 		return -EINVAL;
403 
404 	strscpy(setting->password, buf, setting->maxlen);
405 	/* Strip out CR if one is present, setting password won't work if it is present */
406 	strreplace(setting->password, '\n', '\0');
407 	return count;
408 }
409 
410 static struct kobj_attribute auth_current_password = __ATTR_WO(current_password);
411 
412 static ssize_t new_password_store(struct kobject *kobj,
413 				  struct kobj_attribute *attr,
414 				  const char *buf, size_t count)
415 {
416 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
417 	char *auth_str, *new_pwd;
418 	size_t pwdlen;
419 	int ret;
420 
421 	if (!capable(CAP_SYS_ADMIN))
422 		return -EPERM;
423 
424 	if (!tlmi_priv.can_set_bios_password)
425 		return -EOPNOTSUPP;
426 
427 	/* Strip out CR if one is present, setting password won't work if it is present */
428 	new_pwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
429 	if (!new_pwd)
430 		return -ENOMEM;
431 
432 	/* Use lock in case multiple WMI operations needed */
433 	mutex_lock(&tlmi_mutex);
434 
435 	pwdlen = strlen(new_pwd);
436 	/* pwdlen == 0 is allowed to clear the password */
437 	if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) {
438 		ret = -EINVAL;
439 		goto out;
440 	}
441 
442 	/* If opcode support is present use that interface */
443 	if (tlmi_priv.opcode_support) {
444 		char pwd_type[8];
445 
446 		/* Special handling required for HDD and NVMe passwords */
447 		if (setting == tlmi_priv.pwd_hdd) {
448 			if (setting->level == TLMI_LEVEL_USER)
449 				sprintf(pwd_type, "uhdp%d", setting->index);
450 			else
451 				sprintf(pwd_type, "mhdp%d", setting->index);
452 		} else if (setting == tlmi_priv.pwd_nvme) {
453 			if (setting->level == TLMI_LEVEL_USER)
454 				sprintf(pwd_type, "udrp%d", setting->index);
455 			else
456 				sprintf(pwd_type, "adrp%d", setting->index);
457 		} else {
458 			sprintf(pwd_type, "%s", setting->pwd_type);
459 		}
460 
461 		ret = tlmi_opcode_setting("WmiOpcodePasswordType", pwd_type);
462 		if (ret)
463 			goto out;
464 
465 		if (tlmi_priv.pwd_admin->valid) {
466 			ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
467 					tlmi_priv.pwd_admin->password);
468 			if (ret)
469 				goto out;
470 		}
471 		ret = tlmi_opcode_setting("WmiOpcodePasswordCurrent01", setting->password);
472 		if (ret)
473 			goto out;
474 		ret = tlmi_opcode_setting("WmiOpcodePasswordNew01", new_pwd);
475 		if (ret)
476 			goto out;
477 		ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, "WmiOpcodePasswordSetUpdate;");
478 	} else {
479 		/* Format: 'PasswordType,CurrentPw,NewPw,Encoding,KbdLang;' */
480 		auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s,%s;",
481 				setting->pwd_type, setting->password, new_pwd,
482 				encoding_options[setting->encoding], setting->kbdlang);
483 		if (!auth_str) {
484 			ret = -ENOMEM;
485 			goto out;
486 		}
487 		ret = tlmi_simple_call(LENOVO_SET_BIOS_PASSWORD_GUID, auth_str);
488 		kfree(auth_str);
489 	}
490 out:
491 	mutex_unlock(&tlmi_mutex);
492 	kfree(new_pwd);
493 	return ret ?: count;
494 }
495 
496 static struct kobj_attribute auth_new_password = __ATTR_WO(new_password);
497 
498 static ssize_t min_password_length_show(struct kobject *kobj, struct kobj_attribute *attr,
499 			 char *buf)
500 {
501 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
502 
503 	return sysfs_emit(buf, "%d\n", setting->minlen);
504 }
505 
506 static struct kobj_attribute auth_min_pass_length = __ATTR_RO(min_password_length);
507 
508 static ssize_t max_password_length_show(struct kobject *kobj, struct kobj_attribute *attr,
509 			 char *buf)
510 {
511 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
512 
513 	return sysfs_emit(buf, "%d\n", setting->maxlen);
514 }
515 static struct kobj_attribute auth_max_pass_length = __ATTR_RO(max_password_length);
516 
517 static ssize_t mechanism_show(struct kobject *kobj, struct kobj_attribute *attr,
518 			 char *buf)
519 {
520 	return sysfs_emit(buf, "password\n");
521 }
522 static struct kobj_attribute auth_mechanism = __ATTR_RO(mechanism);
523 
524 static ssize_t encoding_show(struct kobject *kobj, struct kobj_attribute *attr,
525 			 char *buf)
526 {
527 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
528 
529 	return sysfs_emit(buf, "%s\n", encoding_options[setting->encoding]);
530 }
531 
532 static ssize_t encoding_store(struct kobject *kobj,
533 				  struct kobj_attribute *attr,
534 				  const char *buf, size_t count)
535 {
536 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
537 	int i;
538 
539 	/* Scan for a matching profile */
540 	i = sysfs_match_string(encoding_options, buf);
541 	if (i < 0)
542 		return -EINVAL;
543 
544 	setting->encoding = i;
545 	return count;
546 }
547 
548 static struct kobj_attribute auth_encoding = __ATTR_RW(encoding);
549 
550 static ssize_t kbdlang_show(struct kobject *kobj, struct kobj_attribute *attr,
551 			 char *buf)
552 {
553 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
554 
555 	return sysfs_emit(buf, "%s\n", setting->kbdlang);
556 }
557 
558 static ssize_t kbdlang_store(struct kobject *kobj,
559 				  struct kobj_attribute *attr,
560 				  const char *buf, size_t count)
561 {
562 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
563 	int length;
564 
565 	/* Calculate length till '\n' or terminating 0 */
566 	length = strchrnul(buf, '\n') - buf;
567 	if (!length || length >= TLMI_LANG_MAXLEN)
568 		return -EINVAL;
569 
570 	memcpy(setting->kbdlang, buf, length);
571 	setting->kbdlang[length] = '\0';
572 	return count;
573 }
574 
575 static struct kobj_attribute auth_kbdlang = __ATTR_RW(kbdlang);
576 
577 static ssize_t role_show(struct kobject *kobj, struct kobj_attribute *attr,
578 			 char *buf)
579 {
580 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
581 
582 	return sysfs_emit(buf, "%s\n", setting->role);
583 }
584 static struct kobj_attribute auth_role = __ATTR_RO(role);
585 
586 static ssize_t index_show(struct kobject *kobj, struct kobj_attribute *attr,
587 			 char *buf)
588 {
589 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
590 
591 	return sysfs_emit(buf, "%d\n", setting->index);
592 }
593 
594 static ssize_t index_store(struct kobject *kobj,
595 				  struct kobj_attribute *attr,
596 				  const char *buf, size_t count)
597 {
598 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
599 	int err, val;
600 
601 	err = kstrtoint(buf, 10, &val);
602 	if (err < 0)
603 		return err;
604 
605 	if (val < 0 || val > TLMI_INDEX_MAX)
606 		return -EINVAL;
607 
608 	setting->index = val;
609 	return count;
610 }
611 
612 static struct kobj_attribute auth_index = __ATTR_RW(index);
613 
614 static ssize_t level_show(struct kobject *kobj, struct kobj_attribute *attr,
615 			 char *buf)
616 {
617 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
618 
619 	return sysfs_emit(buf, "%s\n", level_options[setting->level]);
620 }
621 
622 static ssize_t level_store(struct kobject *kobj,
623 				  struct kobj_attribute *attr,
624 				  const char *buf, size_t count)
625 {
626 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
627 	int i;
628 
629 	/* Scan for a matching profile */
630 	i = sysfs_match_string(level_options, buf);
631 	if (i < 0)
632 		return -EINVAL;
633 
634 	setting->level = i;
635 	return count;
636 }
637 
638 static struct kobj_attribute auth_level = __ATTR_RW(level);
639 
640 static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
641 {
642 	const struct acpi_buffer input = { strlen(arg), (char *)arg };
643 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
644 	const union acpi_object *obj;
645 	acpi_status status;
646 
647 	status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
648 	if (ACPI_FAILURE(status)) {
649 		kfree(output.pointer);
650 		return -EIO;
651 	}
652 	obj = output.pointer;
653 	if (!obj)
654 		return -ENOMEM;
655 	if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) {
656 		kfree(output.pointer);
657 		return -EIO;
658 	}
659 	count += sysfs_emit_at(buf, count, "%s : %s\n", arg, (char *)obj->string.pointer);
660 	kfree(output.pointer);
661 
662 	return count;
663 }
664 
665 static ssize_t certificate_thumbprint_show(struct kobject *kobj, struct kobj_attribute *attr,
666 			 char *buf)
667 {
668 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
669 	int count = 0;
670 
671 	if (!tlmi_priv.certificate_support || !setting->cert_installed)
672 		return -EOPNOTSUPP;
673 
674 	count += cert_thumbprint(buf, "Md5", count);
675 	count += cert_thumbprint(buf, "Sha1", count);
676 	count += cert_thumbprint(buf, "Sha256", count);
677 	return count;
678 }
679 
680 static struct kobj_attribute auth_cert_thumb = __ATTR_RO(certificate_thumbprint);
681 
682 static ssize_t cert_to_password_store(struct kobject *kobj,
683 				  struct kobj_attribute *attr,
684 				  const char *buf, size_t count)
685 {
686 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
687 	char *auth_str, *passwd;
688 	int ret;
689 
690 	if (!capable(CAP_SYS_ADMIN))
691 		return -EPERM;
692 
693 	if (!tlmi_priv.certificate_support)
694 		return -EOPNOTSUPP;
695 
696 	if (!setting->cert_installed)
697 		return -EINVAL;
698 
699 	if (!setting->signature || !setting->signature[0])
700 		return -EACCES;
701 
702 	/* Strip out CR if one is present */
703 	passwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
704 	if (!passwd)
705 		return -ENOMEM;
706 
707 	/* Format: 'Password,Signature' */
708 	auth_str = kasprintf(GFP_KERNEL, "%s,%s", passwd, setting->signature);
709 	if (!auth_str) {
710 		kfree_sensitive(passwd);
711 		return -ENOMEM;
712 	}
713 	ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
714 	kfree(auth_str);
715 	kfree_sensitive(passwd);
716 
717 	return ret ?: count;
718 }
719 
720 static struct kobj_attribute auth_cert_to_password = __ATTR_WO(cert_to_password);
721 
722 static ssize_t certificate_store(struct kobject *kobj,
723 				  struct kobj_attribute *attr,
724 				  const char *buf, size_t count)
725 {
726 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
727 	char *auth_str, *new_cert;
728 	char *guid;
729 	int ret;
730 
731 	if (!capable(CAP_SYS_ADMIN))
732 		return -EPERM;
733 
734 	if (!tlmi_priv.certificate_support)
735 		return -EOPNOTSUPP;
736 
737 	/* If empty then clear installed certificate */
738 	if ((buf[0] == '\0') || (buf[0] == '\n')) { /* Clear installed certificate */
739 		/* Check that signature is set */
740 		if (!setting->signature || !setting->signature[0])
741 			return -EACCES;
742 
743 		/* Format: 'serial#, signature' */
744 		auth_str = kasprintf(GFP_KERNEL, "%s,%s",
745 				dmi_get_system_info(DMI_PRODUCT_SERIAL),
746 				setting->signature);
747 		if (!auth_str)
748 			return -ENOMEM;
749 
750 		ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
751 		kfree(auth_str);
752 
753 		return ret ?: count;
754 	}
755 
756 	/* Strip out CR if one is present */
757 	new_cert = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
758 	if (!new_cert)
759 		return -ENOMEM;
760 
761 	if (setting->cert_installed) {
762 		/* Certificate is installed so this is an update */
763 		if (!setting->signature || !setting->signature[0]) {
764 			kfree(new_cert);
765 			return -EACCES;
766 		}
767 		guid = LENOVO_UPDATE_BIOS_CERT_GUID;
768 		/* Format: 'Certificate,Signature' */
769 		auth_str = kasprintf(GFP_KERNEL, "%s,%s",
770 				new_cert, setting->signature);
771 	} else {
772 		/* This is a fresh install */
773 		if (!setting->valid || !setting->password[0]) {
774 			kfree(new_cert);
775 			return -EACCES;
776 		}
777 		guid = LENOVO_SET_BIOS_CERT_GUID;
778 		/* Format: 'Certificate,Admin-password' */
779 		auth_str = kasprintf(GFP_KERNEL, "%s,%s",
780 				new_cert, setting->password);
781 	}
782 	kfree(new_cert);
783 	if (!auth_str)
784 		return -ENOMEM;
785 
786 	ret = tlmi_simple_call(guid, auth_str);
787 	kfree(auth_str);
788 
789 	return ret ?: count;
790 }
791 
792 static struct kobj_attribute auth_certificate = __ATTR_WO(certificate);
793 
794 static ssize_t signature_store(struct kobject *kobj,
795 				  struct kobj_attribute *attr,
796 				  const char *buf, size_t count)
797 {
798 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
799 	char *new_signature;
800 
801 	if (!capable(CAP_SYS_ADMIN))
802 		return -EPERM;
803 
804 	if (!tlmi_priv.certificate_support)
805 		return -EOPNOTSUPP;
806 
807 	/* Strip out CR if one is present */
808 	new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
809 	if (!new_signature)
810 		return -ENOMEM;
811 
812 	/* Free any previous signature */
813 	kfree(setting->signature);
814 	setting->signature = new_signature;
815 
816 	return count;
817 }
818 
819 static struct kobj_attribute auth_signature = __ATTR_WO(signature);
820 
821 static ssize_t save_signature_store(struct kobject *kobj,
822 				  struct kobj_attribute *attr,
823 				  const char *buf, size_t count)
824 {
825 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
826 	char *new_signature;
827 
828 	if (!capable(CAP_SYS_ADMIN))
829 		return -EPERM;
830 
831 	if (!tlmi_priv.certificate_support)
832 		return -EOPNOTSUPP;
833 
834 	/* Strip out CR if one is present */
835 	new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
836 	if (!new_signature)
837 		return -ENOMEM;
838 
839 	/* Free any previous signature */
840 	kfree(setting->save_signature);
841 	setting->save_signature = new_signature;
842 
843 	return count;
844 }
845 
846 static struct kobj_attribute auth_save_signature = __ATTR_WO(save_signature);
847 
848 static umode_t auth_attr_is_visible(struct kobject *kobj,
849 					     struct attribute *attr, int n)
850 {
851 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
852 
853 	/* We only want to display level and index settings on HDD/NVMe */
854 	if (attr == &auth_index.attr || attr == &auth_level.attr) {
855 		if ((setting == tlmi_priv.pwd_hdd) || (setting == tlmi_priv.pwd_nvme))
856 			return attr->mode;
857 		return 0;
858 	}
859 
860 	/* We only display certificates on Admin account, if supported */
861 	if (attr == &auth_certificate.attr ||
862 	    attr == &auth_signature.attr ||
863 	    attr == &auth_save_signature.attr ||
864 	    attr == &auth_cert_thumb.attr ||
865 	    attr == &auth_cert_to_password.attr) {
866 		if ((setting == tlmi_priv.pwd_admin) && tlmi_priv.certificate_support)
867 			return attr->mode;
868 		return 0;
869 	}
870 
871 	/* Don't display un-needed settings if opcode available */
872 	if ((attr == &auth_encoding.attr || attr == &auth_kbdlang.attr) &&
873 	    tlmi_priv.opcode_support)
874 		return 0;
875 
876 	return attr->mode;
877 }
878 
879 static struct attribute *auth_attrs[] = {
880 	&auth_is_pass_set.attr,
881 	&auth_min_pass_length.attr,
882 	&auth_max_pass_length.attr,
883 	&auth_current_password.attr,
884 	&auth_new_password.attr,
885 	&auth_role.attr,
886 	&auth_mechanism.attr,
887 	&auth_encoding.attr,
888 	&auth_kbdlang.attr,
889 	&auth_index.attr,
890 	&auth_level.attr,
891 	&auth_certificate.attr,
892 	&auth_signature.attr,
893 	&auth_save_signature.attr,
894 	&auth_cert_thumb.attr,
895 	&auth_cert_to_password.attr,
896 	NULL
897 };
898 
899 static const struct attribute_group auth_attr_group = {
900 	.is_visible = auth_attr_is_visible,
901 	.attrs = auth_attrs,
902 };
903 
904 /* ---- Attributes sysfs --------------------------------------------------------- */
905 static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr,
906 		char *buf)
907 {
908 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
909 
910 	return sysfs_emit(buf, "%s\n", setting->display_name);
911 }
912 
913 static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
914 {
915 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
916 	char *item, *value;
917 	int ret;
918 
919 	ret = tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID);
920 	if (ret)
921 		return ret;
922 
923 	/* validate and split from `item,value` -> `value` */
924 	value = strpbrk(item, ",");
925 	if (!value || value == item || !strlen(value + 1))
926 		ret = -EINVAL;
927 	else {
928 		/* On Workstations remove the Options part after the value */
929 		strreplace(value, ';', '\0');
930 		ret = sysfs_emit(buf, "%s\n", value + 1);
931 	}
932 	kfree(item);
933 
934 	return ret;
935 }
936 
937 static ssize_t possible_values_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
938 {
939 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
940 
941 	return sysfs_emit(buf, "%s\n", setting->possible_values);
942 }
943 
944 static ssize_t type_show(struct kobject *kobj, struct kobj_attribute *attr,
945 		char *buf)
946 {
947 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
948 
949 	if (setting->possible_values) {
950 		/* Figure out what setting type is as BIOS does not return this */
951 		if (strchr(setting->possible_values, ';'))
952 			return sysfs_emit(buf, "enumeration\n");
953 	}
954 	/* Anything else is going to be a string */
955 	return sysfs_emit(buf, "string\n");
956 }
957 
958 static ssize_t current_value_store(struct kobject *kobj,
959 		struct kobj_attribute *attr,
960 		const char *buf, size_t count)
961 {
962 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
963 	char *set_str = NULL, *new_setting = NULL;
964 	char *auth_str = NULL;
965 	int ret;
966 
967 	if (!tlmi_priv.can_set_bios_settings)
968 		return -EOPNOTSUPP;
969 
970 	/*
971 	 * If we are using bulk saves a reboot should be done once save has
972 	 * been called
973 	 */
974 	if (tlmi_priv.save_mode == TLMI_SAVE_BULK && tlmi_priv.reboot_required)
975 		return -EPERM;
976 
977 	/* Strip out CR if one is present */
978 	new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
979 	if (!new_setting)
980 		return -ENOMEM;
981 
982 	/* Use lock in case multiple WMI operations needed */
983 	mutex_lock(&tlmi_mutex);
984 
985 	/* Check if certificate authentication is enabled and active */
986 	if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) {
987 		if (!tlmi_priv.pwd_admin->signature || !tlmi_priv.pwd_admin->save_signature) {
988 			ret = -EINVAL;
989 			goto out;
990 		}
991 		set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name,
992 					new_setting, tlmi_priv.pwd_admin->signature);
993 		if (!set_str) {
994 			ret = -ENOMEM;
995 			goto out;
996 		}
997 
998 		ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
999 		if (ret)
1000 			goto out;
1001 		if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
1002 			tlmi_priv.save_required = true;
1003 		else
1004 			ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
1005 					       tlmi_priv.pwd_admin->save_signature);
1006 	} else if (tlmi_priv.opcode_support) {
1007 		/*
1008 		 * If opcode support is present use that interface.
1009 		 * Note - this sets the variable and then the password as separate
1010 		 * WMI calls. Function tlmi_save_bios_settings will error if the
1011 		 * password is incorrect.
1012 		 * Workstation's require the opcode to be set before changing the
1013 		 * attribute.
1014 		 */
1015 		if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
1016 			ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
1017 						  tlmi_priv.pwd_admin->password);
1018 			if (ret)
1019 				goto out;
1020 		}
1021 
1022 		set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name,
1023 				    new_setting);
1024 		if (!set_str) {
1025 			ret = -ENOMEM;
1026 			goto out;
1027 		}
1028 
1029 		ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str);
1030 		if (ret)
1031 			goto out;
1032 
1033 		if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
1034 			tlmi_priv.save_required = true;
1035 		else
1036 			ret = tlmi_save_bios_settings("");
1037 	} else { /* old non-opcode based authentication method (deprecated) */
1038 		if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
1039 			auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;",
1040 					tlmi_priv.pwd_admin->password,
1041 					encoding_options[tlmi_priv.pwd_admin->encoding],
1042 					tlmi_priv.pwd_admin->kbdlang);
1043 			if (!auth_str) {
1044 				ret = -ENOMEM;
1045 				goto out;
1046 			}
1047 		}
1048 
1049 		if (auth_str)
1050 			set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name,
1051 					new_setting, auth_str);
1052 		else
1053 			set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name,
1054 					new_setting);
1055 		if (!set_str) {
1056 			ret = -ENOMEM;
1057 			goto out;
1058 		}
1059 
1060 		ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str);
1061 		if (ret)
1062 			goto out;
1063 
1064 		if (tlmi_priv.save_mode == TLMI_SAVE_BULK) {
1065 			tlmi_priv.save_required = true;
1066 		} else {
1067 			if (auth_str)
1068 				ret = tlmi_save_bios_settings(auth_str);
1069 			else
1070 				ret = tlmi_save_bios_settings("");
1071 		}
1072 	}
1073 	if (!ret && !tlmi_priv.pending_changes) {
1074 		tlmi_priv.pending_changes = true;
1075 		/* let userland know it may need to check reboot pending again */
1076 		kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE);
1077 	}
1078 out:
1079 	mutex_unlock(&tlmi_mutex);
1080 	kfree(auth_str);
1081 	kfree(set_str);
1082 	kfree(new_setting);
1083 	return ret ?: count;
1084 }
1085 
1086 static struct kobj_attribute attr_displ_name = __ATTR_RO(display_name);
1087 
1088 static struct kobj_attribute attr_possible_values = __ATTR_RO(possible_values);
1089 
1090 static struct kobj_attribute attr_current_val = __ATTR_RW_MODE(current_value, 0600);
1091 
1092 static struct kobj_attribute attr_type = __ATTR_RO(type);
1093 
1094 static umode_t attr_is_visible(struct kobject *kobj,
1095 					     struct attribute *attr, int n)
1096 {
1097 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
1098 
1099 	/* We don't want to display possible_values attributes if not available */
1100 	if ((attr == &attr_possible_values.attr) && (!setting->possible_values))
1101 		return 0;
1102 
1103 	return attr->mode;
1104 }
1105 
1106 static struct attribute *tlmi_attrs[] = {
1107 	&attr_displ_name.attr,
1108 	&attr_current_val.attr,
1109 	&attr_possible_values.attr,
1110 	&attr_type.attr,
1111 	NULL
1112 };
1113 
1114 static const struct attribute_group tlmi_attr_group = {
1115 	.is_visible = attr_is_visible,
1116 	.attrs = tlmi_attrs,
1117 };
1118 
1119 static void tlmi_attr_setting_release(struct kobject *kobj)
1120 {
1121 	struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj);
1122 
1123 	kfree(setting->possible_values);
1124 	kfree(setting);
1125 }
1126 
1127 static void tlmi_pwd_setting_release(struct kobject *kobj)
1128 {
1129 	struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj);
1130 
1131 	kfree(setting);
1132 }
1133 
1134 static const struct kobj_type tlmi_attr_setting_ktype = {
1135 	.release        = &tlmi_attr_setting_release,
1136 	.sysfs_ops	= &kobj_sysfs_ops,
1137 };
1138 
1139 static const struct kobj_type tlmi_pwd_setting_ktype = {
1140 	.release        = &tlmi_pwd_setting_release,
1141 	.sysfs_ops	= &kobj_sysfs_ops,
1142 };
1143 
1144 static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr,
1145 				   char *buf)
1146 {
1147 	return sprintf(buf, "%d\n", tlmi_priv.pending_changes);
1148 }
1149 
1150 static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot);
1151 
1152 static const char * const save_mode_strings[] = {
1153 	[TLMI_SAVE_SINGLE] = "single",
1154 	[TLMI_SAVE_BULK] = "bulk",
1155 	[TLMI_SAVE_SAVE] = "save"
1156 };
1157 
1158 static ssize_t save_settings_show(struct kobject *kobj, struct kobj_attribute *attr,
1159 				  char *buf)
1160 {
1161 	/* Check that setting is valid */
1162 	if (WARN_ON(tlmi_priv.save_mode < TLMI_SAVE_SINGLE ||
1163 		    tlmi_priv.save_mode > TLMI_SAVE_BULK))
1164 		return -EIO;
1165 	return sysfs_emit(buf, "%s\n", save_mode_strings[tlmi_priv.save_mode]);
1166 }
1167 
1168 static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *attr,
1169 				   const char *buf, size_t count)
1170 {
1171 	char *auth_str = NULL;
1172 	int ret = 0;
1173 	int cmd;
1174 
1175 	cmd = sysfs_match_string(save_mode_strings, buf);
1176 	if (cmd < 0)
1177 		return cmd;
1178 
1179 	/* Use lock in case multiple WMI operations needed */
1180 	mutex_lock(&tlmi_mutex);
1181 
1182 	switch (cmd) {
1183 	case TLMI_SAVE_SINGLE:
1184 	case TLMI_SAVE_BULK:
1185 		tlmi_priv.save_mode = cmd;
1186 		goto out;
1187 	case TLMI_SAVE_SAVE:
1188 		/* Check if supported*/
1189 		if (!tlmi_priv.can_set_bios_settings ||
1190 		    tlmi_priv.save_mode == TLMI_SAVE_SINGLE) {
1191 			ret = -EOPNOTSUPP;
1192 			goto out;
1193 		}
1194 		/* Check there is actually something to save */
1195 		if (!tlmi_priv.save_required) {
1196 			ret = -ENOENT;
1197 			goto out;
1198 		}
1199 		/* Check if certificate authentication is enabled and active */
1200 		if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) {
1201 			if (!tlmi_priv.pwd_admin->signature ||
1202 			    !tlmi_priv.pwd_admin->save_signature) {
1203 				ret = -EINVAL;
1204 				goto out;
1205 			}
1206 			ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
1207 					       tlmi_priv.pwd_admin->save_signature);
1208 			if (ret)
1209 				goto out;
1210 		} else if (tlmi_priv.opcode_support) {
1211 			if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
1212 				ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
1213 							  tlmi_priv.pwd_admin->password);
1214 				if (ret)
1215 					goto out;
1216 			}
1217 			ret = tlmi_save_bios_settings("");
1218 		} else { /* old non-opcode based authentication method (deprecated) */
1219 			if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
1220 				auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;",
1221 						     tlmi_priv.pwd_admin->password,
1222 						     encoding_options[tlmi_priv.pwd_admin->encoding],
1223 						     tlmi_priv.pwd_admin->kbdlang);
1224 				if (!auth_str) {
1225 					ret = -ENOMEM;
1226 					goto out;
1227 				}
1228 			}
1229 
1230 			if (auth_str)
1231 				ret = tlmi_save_bios_settings(auth_str);
1232 			else
1233 				ret = tlmi_save_bios_settings("");
1234 		}
1235 		tlmi_priv.save_required = false;
1236 		tlmi_priv.reboot_required = true;
1237 
1238 		if (!ret && !tlmi_priv.pending_changes) {
1239 			tlmi_priv.pending_changes = true;
1240 			/* let userland know it may need to check reboot pending again */
1241 			kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE);
1242 		}
1243 		break;
1244 	}
1245 out:
1246 	mutex_unlock(&tlmi_mutex);
1247 	kfree(auth_str);
1248 	return ret ?: count;
1249 }
1250 
1251 static struct kobj_attribute save_settings = __ATTR_RW(save_settings);
1252 
1253 /* ---- Debug interface--------------------------------------------------------- */
1254 static ssize_t debug_cmd_store(struct kobject *kobj, struct kobj_attribute *attr,
1255 				const char *buf, size_t count)
1256 {
1257 	char *set_str = NULL, *new_setting = NULL;
1258 	char *auth_str = NULL;
1259 	int ret;
1260 
1261 	if (!tlmi_priv.can_debug_cmd)
1262 		return -EOPNOTSUPP;
1263 
1264 	/* Strip out CR if one is present */
1265 	new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL);
1266 	if (!new_setting)
1267 		return -ENOMEM;
1268 
1269 	if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
1270 		auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;",
1271 				tlmi_priv.pwd_admin->password,
1272 				encoding_options[tlmi_priv.pwd_admin->encoding],
1273 				tlmi_priv.pwd_admin->kbdlang);
1274 		if (!auth_str) {
1275 			ret = -ENOMEM;
1276 			goto out;
1277 		}
1278 	}
1279 
1280 	if (auth_str)
1281 		set_str = kasprintf(GFP_KERNEL, "%s,%s", new_setting, auth_str);
1282 	else
1283 		set_str = kasprintf(GFP_KERNEL, "%s;", new_setting);
1284 	if (!set_str) {
1285 		ret = -ENOMEM;
1286 		goto out;
1287 	}
1288 
1289 	ret = tlmi_simple_call(LENOVO_DEBUG_CMD_GUID, set_str);
1290 	if (ret)
1291 		goto out;
1292 
1293 	if (!ret && !tlmi_priv.pending_changes) {
1294 		tlmi_priv.pending_changes = true;
1295 		/* let userland know it may need to check reboot pending again */
1296 		kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE);
1297 	}
1298 out:
1299 	kfree(auth_str);
1300 	kfree(set_str);
1301 	kfree(new_setting);
1302 	return ret ?: count;
1303 }
1304 
1305 static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd);
1306 
1307 /* ---- Initialisation --------------------------------------------------------- */
1308 static void tlmi_release_attr(void)
1309 {
1310 	int i;
1311 
1312 	/* Attribute structures */
1313 	for (i = 0; i < TLMI_SETTINGS_COUNT; i++) {
1314 		if (tlmi_priv.setting[i]) {
1315 			sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group);
1316 			kobject_put(&tlmi_priv.setting[i]->kobj);
1317 		}
1318 	}
1319 	sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr);
1320 	sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr);
1321 
1322 	if (tlmi_priv.can_debug_cmd && debug_support)
1323 		sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr);
1324 
1325 	kset_unregister(tlmi_priv.attribute_kset);
1326 
1327 	/* Free up any saved signatures */
1328 	kfree(tlmi_priv.pwd_admin->signature);
1329 	kfree(tlmi_priv.pwd_admin->save_signature);
1330 
1331 	/* Authentication structures */
1332 	sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group);
1333 	kobject_put(&tlmi_priv.pwd_admin->kobj);
1334 	sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group);
1335 	kobject_put(&tlmi_priv.pwd_power->kobj);
1336 
1337 	if (tlmi_priv.opcode_support) {
1338 		sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group);
1339 		kobject_put(&tlmi_priv.pwd_system->kobj);
1340 		sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group);
1341 		kobject_put(&tlmi_priv.pwd_hdd->kobj);
1342 		sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group);
1343 		kobject_put(&tlmi_priv.pwd_nvme->kobj);
1344 	}
1345 
1346 	kset_unregister(tlmi_priv.authentication_kset);
1347 }
1348 
1349 static int tlmi_validate_setting_name(struct kset *attribute_kset, char *name)
1350 {
1351 	struct kobject *duplicate;
1352 
1353 	if (!strcmp(name, "Reserved"))
1354 		return -EINVAL;
1355 
1356 	duplicate = kset_find_obj(attribute_kset, name);
1357 	if (duplicate) {
1358 		pr_debug("Duplicate attribute name found - %s\n", name);
1359 		/* kset_find_obj() returns a reference */
1360 		kobject_put(duplicate);
1361 		return -EBUSY;
1362 	}
1363 
1364 	return 0;
1365 }
1366 
1367 static int tlmi_sysfs_init(void)
1368 {
1369 	int i, ret;
1370 
1371 	ret = fw_attributes_class_get(&fw_attr_class);
1372 	if (ret)
1373 		return ret;
1374 
1375 	tlmi_priv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0),
1376 			NULL, "%s", "thinklmi");
1377 	if (IS_ERR(tlmi_priv.class_dev)) {
1378 		ret = PTR_ERR(tlmi_priv.class_dev);
1379 		goto fail_class_created;
1380 	}
1381 
1382 	tlmi_priv.attribute_kset = kset_create_and_add("attributes", NULL,
1383 			&tlmi_priv.class_dev->kobj);
1384 	if (!tlmi_priv.attribute_kset) {
1385 		ret = -ENOMEM;
1386 		goto fail_device_created;
1387 	}
1388 
1389 	for (i = 0; i < TLMI_SETTINGS_COUNT; i++) {
1390 		/* Check if index is a valid setting - skip if it isn't */
1391 		if (!tlmi_priv.setting[i])
1392 			continue;
1393 
1394 		/* check for duplicate or reserved values */
1395 		if (tlmi_validate_setting_name(tlmi_priv.attribute_kset,
1396 					       tlmi_priv.setting[i]->display_name) < 0) {
1397 			kfree(tlmi_priv.setting[i]->possible_values);
1398 			kfree(tlmi_priv.setting[i]);
1399 			tlmi_priv.setting[i] = NULL;
1400 			continue;
1401 		}
1402 
1403 		/* Build attribute */
1404 		tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset;
1405 		ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL,
1406 				  "%s", tlmi_priv.setting[i]->display_name);
1407 		if (ret)
1408 			goto fail_create_attr;
1409 
1410 		ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group);
1411 		if (ret)
1412 			goto fail_create_attr;
1413 	}
1414 
1415 	ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr);
1416 	if (ret)
1417 		goto fail_create_attr;
1418 
1419 	ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr);
1420 	if (ret)
1421 		goto fail_create_attr;
1422 
1423 	if (tlmi_priv.can_debug_cmd && debug_support) {
1424 		ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr);
1425 		if (ret)
1426 			goto fail_create_attr;
1427 	}
1428 
1429 	/* Create authentication entries */
1430 	tlmi_priv.authentication_kset = kset_create_and_add("authentication", NULL,
1431 								&tlmi_priv.class_dev->kobj);
1432 	if (!tlmi_priv.authentication_kset) {
1433 		ret = -ENOMEM;
1434 		goto fail_create_attr;
1435 	}
1436 	tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset;
1437 	ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin");
1438 	if (ret)
1439 		goto fail_create_attr;
1440 
1441 	ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group);
1442 	if (ret)
1443 		goto fail_create_attr;
1444 
1445 	tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset;
1446 	ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "Power-on");
1447 	if (ret)
1448 		goto fail_create_attr;
1449 
1450 	ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group);
1451 	if (ret)
1452 		goto fail_create_attr;
1453 
1454 	if (tlmi_priv.opcode_support) {
1455 		tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset;
1456 		ret = kobject_add(&tlmi_priv.pwd_system->kobj, NULL, "%s", "System");
1457 		if (ret)
1458 			goto fail_create_attr;
1459 
1460 		ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group);
1461 		if (ret)
1462 			goto fail_create_attr;
1463 
1464 		tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset;
1465 		ret = kobject_add(&tlmi_priv.pwd_hdd->kobj, NULL, "%s", "HDD");
1466 		if (ret)
1467 			goto fail_create_attr;
1468 
1469 		ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group);
1470 		if (ret)
1471 			goto fail_create_attr;
1472 
1473 		tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset;
1474 		ret = kobject_add(&tlmi_priv.pwd_nvme->kobj, NULL, "%s", "NVMe");
1475 		if (ret)
1476 			goto fail_create_attr;
1477 
1478 		ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group);
1479 		if (ret)
1480 			goto fail_create_attr;
1481 	}
1482 
1483 	return ret;
1484 
1485 fail_create_attr:
1486 	tlmi_release_attr();
1487 fail_device_created:
1488 	device_destroy(fw_attr_class, MKDEV(0, 0));
1489 fail_class_created:
1490 	fw_attributes_class_put();
1491 	return ret;
1492 }
1493 
1494 /* ---- Base Driver -------------------------------------------------------- */
1495 static struct tlmi_pwd_setting *tlmi_create_auth(const char *pwd_type,
1496 			    const char *pwd_role)
1497 {
1498 	struct tlmi_pwd_setting *new_pwd;
1499 
1500 	new_pwd = kzalloc(sizeof(struct tlmi_pwd_setting), GFP_KERNEL);
1501 	if (!new_pwd)
1502 		return NULL;
1503 
1504 	strscpy(new_pwd->kbdlang, "us", TLMI_LANG_MAXLEN);
1505 	new_pwd->encoding = TLMI_ENCODING_ASCII;
1506 	new_pwd->pwd_type = pwd_type;
1507 	new_pwd->role = pwd_role;
1508 	new_pwd->minlen = tlmi_priv.pwdcfg.core.min_length;
1509 	new_pwd->maxlen = tlmi_priv.pwdcfg.core.max_length;
1510 	new_pwd->index = 0;
1511 
1512 	kobject_init(&new_pwd->kobj, &tlmi_pwd_setting_ktype);
1513 
1514 	return new_pwd;
1515 }
1516 
1517 static int tlmi_analyze(void)
1518 {
1519 	int i, ret;
1520 
1521 	if (wmi_has_guid(LENOVO_SET_BIOS_SETTINGS_GUID) &&
1522 	    wmi_has_guid(LENOVO_SAVE_BIOS_SETTINGS_GUID))
1523 		tlmi_priv.can_set_bios_settings = true;
1524 
1525 	if (wmi_has_guid(LENOVO_GET_BIOS_SELECTIONS_GUID))
1526 		tlmi_priv.can_get_bios_selections = true;
1527 
1528 	if (wmi_has_guid(LENOVO_SET_BIOS_PASSWORD_GUID))
1529 		tlmi_priv.can_set_bios_password = true;
1530 
1531 	if (wmi_has_guid(LENOVO_BIOS_PASSWORD_SETTINGS_GUID))
1532 		tlmi_priv.can_get_password_settings = true;
1533 
1534 	if (wmi_has_guid(LENOVO_DEBUG_CMD_GUID))
1535 		tlmi_priv.can_debug_cmd = true;
1536 
1537 	if (wmi_has_guid(LENOVO_OPCODE_IF_GUID))
1538 		tlmi_priv.opcode_support = true;
1539 
1540 	if (wmi_has_guid(LENOVO_SET_BIOS_CERT_GUID) &&
1541 		wmi_has_guid(LENOVO_SET_BIOS_SETTING_CERT_GUID) &&
1542 		wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
1543 		tlmi_priv.certificate_support = true;
1544 
1545 	/*
1546 	 * Try to find the number of valid settings of this machine
1547 	 * and use it to create sysfs attributes.
1548 	 */
1549 	for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) {
1550 		struct tlmi_attr_setting *setting;
1551 		char *item = NULL;
1552 
1553 		tlmi_priv.setting[i] = NULL;
1554 		ret = tlmi_setting(i, &item, LENOVO_BIOS_SETTING_GUID);
1555 		if (ret)
1556 			break;
1557 		if (!item)
1558 			break;
1559 		if (!*item) {
1560 			kfree(item);
1561 			continue;
1562 		}
1563 
1564 		/* It is not allowed to have '/' for file name. Convert it into '\'. */
1565 		strreplace(item, '/', '\\');
1566 
1567 		/* Remove the value part */
1568 		strreplace(item, ',', '\0');
1569 
1570 		/* Create a setting entry */
1571 		setting = kzalloc(sizeof(*setting), GFP_KERNEL);
1572 		if (!setting) {
1573 			ret = -ENOMEM;
1574 			kfree(item);
1575 			goto fail_clear_attr;
1576 		}
1577 		setting->index = i;
1578 		strscpy(setting->display_name, item, TLMI_SETTINGS_MAXLEN);
1579 		/* If BIOS selections supported, load those */
1580 		if (tlmi_priv.can_get_bios_selections) {
1581 			ret = tlmi_get_bios_selections(setting->display_name,
1582 					&setting->possible_values);
1583 			if (ret || !setting->possible_values)
1584 				pr_info("Error retrieving possible values for %d : %s\n",
1585 						i, setting->display_name);
1586 		} else {
1587 			/*
1588 			 * Older Thinkstations don't support the bios_selections API.
1589 			 * Instead they store this as a [Optional:Option1,Option2] section of the
1590 			 * name string.
1591 			 * Try and pull that out if it's available.
1592 			 */
1593 			char *optitem, *optstart, *optend;
1594 
1595 			if (!tlmi_setting(setting->index, &optitem, LENOVO_BIOS_SETTING_GUID)) {
1596 				optstart = strstr(optitem, "[Optional:");
1597 				if (optstart) {
1598 					optstart += strlen("[Optional:");
1599 					optend = strstr(optstart, "]");
1600 					if (optend)
1601 						setting->possible_values =
1602 							kstrndup(optstart, optend - optstart,
1603 									GFP_KERNEL);
1604 				}
1605 				kfree(optitem);
1606 			}
1607 		}
1608 		/*
1609 		 * firmware-attributes requires that possible_values are separated by ';' but
1610 		 * Lenovo FW uses ','. Replace appropriately.
1611 		 */
1612 		if (setting->possible_values)
1613 			strreplace(setting->possible_values, ',', ';');
1614 
1615 		kobject_init(&setting->kobj, &tlmi_attr_setting_ktype);
1616 		tlmi_priv.setting[i] = setting;
1617 		kfree(item);
1618 	}
1619 
1620 	/* Create password setting structure */
1621 	ret = tlmi_get_pwd_settings(&tlmi_priv.pwdcfg);
1622 	if (ret)
1623 		goto fail_clear_attr;
1624 
1625 	/* All failures below boil down to kmalloc failures */
1626 	ret = -ENOMEM;
1627 
1628 	tlmi_priv.pwd_admin = tlmi_create_auth("pap", "bios-admin");
1629 	if (!tlmi_priv.pwd_admin)
1630 		goto fail_clear_attr;
1631 
1632 	if (tlmi_priv.pwdcfg.core.password_state & TLMI_PAP_PWD)
1633 		tlmi_priv.pwd_admin->valid = true;
1634 
1635 	tlmi_priv.pwd_power = tlmi_create_auth("pop", "power-on");
1636 	if (!tlmi_priv.pwd_power)
1637 		goto fail_clear_attr;
1638 
1639 	if (tlmi_priv.pwdcfg.core.password_state & TLMI_POP_PWD)
1640 		tlmi_priv.pwd_power->valid = true;
1641 
1642 	if (tlmi_priv.opcode_support) {
1643 		tlmi_priv.pwd_system = tlmi_create_auth("smp", "system");
1644 		if (!tlmi_priv.pwd_system)
1645 			goto fail_clear_attr;
1646 
1647 		if (tlmi_priv.pwdcfg.core.password_state & TLMI_SMP_PWD)
1648 			tlmi_priv.pwd_system->valid = true;
1649 
1650 		tlmi_priv.pwd_hdd = tlmi_create_auth("hdd", "hdd");
1651 		if (!tlmi_priv.pwd_hdd)
1652 			goto fail_clear_attr;
1653 
1654 		tlmi_priv.pwd_nvme = tlmi_create_auth("nvm", "nvme");
1655 		if (!tlmi_priv.pwd_nvme)
1656 			goto fail_clear_attr;
1657 
1658 		/* Set default hdd/nvme index to 1 as there is no device 0 */
1659 		tlmi_priv.pwd_hdd->index = 1;
1660 		tlmi_priv.pwd_nvme->index = 1;
1661 
1662 		if (tlmi_priv.pwdcfg.core.password_state & TLMI_HDD_PWD) {
1663 			/* Check if PWD is configured and set index to first drive found */
1664 			if (tlmi_priv.pwdcfg.ext.hdd_user_password ||
1665 					tlmi_priv.pwdcfg.ext.hdd_master_password) {
1666 				tlmi_priv.pwd_hdd->valid = true;
1667 				if (tlmi_priv.pwdcfg.ext.hdd_master_password)
1668 					tlmi_priv.pwd_hdd->index =
1669 						ffs(tlmi_priv.pwdcfg.ext.hdd_master_password) - 1;
1670 				else
1671 					tlmi_priv.pwd_hdd->index =
1672 						ffs(tlmi_priv.pwdcfg.ext.hdd_user_password) - 1;
1673 			}
1674 			if (tlmi_priv.pwdcfg.ext.nvme_user_password ||
1675 					tlmi_priv.pwdcfg.ext.nvme_master_password) {
1676 				tlmi_priv.pwd_nvme->valid = true;
1677 				if (tlmi_priv.pwdcfg.ext.nvme_master_password)
1678 					tlmi_priv.pwd_nvme->index =
1679 						ffs(tlmi_priv.pwdcfg.ext.nvme_master_password) - 1;
1680 				else
1681 					tlmi_priv.pwd_nvme->index =
1682 						ffs(tlmi_priv.pwdcfg.ext.nvme_user_password) - 1;
1683 			}
1684 		}
1685 	}
1686 
1687 	if (tlmi_priv.certificate_support &&
1688 		(tlmi_priv.pwdcfg.core.password_state & TLMI_CERT))
1689 		tlmi_priv.pwd_admin->cert_installed = true;
1690 
1691 	return 0;
1692 
1693 fail_clear_attr:
1694 	for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) {
1695 		if (tlmi_priv.setting[i]) {
1696 			kfree(tlmi_priv.setting[i]->possible_values);
1697 			kfree(tlmi_priv.setting[i]);
1698 		}
1699 	}
1700 	kfree(tlmi_priv.pwd_admin);
1701 	kfree(tlmi_priv.pwd_power);
1702 	kfree(tlmi_priv.pwd_system);
1703 	kfree(tlmi_priv.pwd_hdd);
1704 	kfree(tlmi_priv.pwd_nvme);
1705 	return ret;
1706 }
1707 
1708 static void tlmi_remove(struct wmi_device *wdev)
1709 {
1710 	tlmi_release_attr();
1711 	device_destroy(fw_attr_class, MKDEV(0, 0));
1712 	fw_attributes_class_put();
1713 }
1714 
1715 static int tlmi_probe(struct wmi_device *wdev, const void *context)
1716 {
1717 	int ret;
1718 
1719 	ret = tlmi_analyze();
1720 	if (ret)
1721 		return ret;
1722 
1723 	return tlmi_sysfs_init();
1724 }
1725 
1726 static const struct wmi_device_id tlmi_id_table[] = {
1727 	{ .guid_string = LENOVO_BIOS_SETTING_GUID },
1728 	{ }
1729 };
1730 MODULE_DEVICE_TABLE(wmi, tlmi_id_table);
1731 
1732 static struct wmi_driver tlmi_driver = {
1733 	.driver = {
1734 		.name = "think-lmi",
1735 	},
1736 	.id_table = tlmi_id_table,
1737 	.probe = tlmi_probe,
1738 	.remove = tlmi_remove,
1739 };
1740 
1741 MODULE_AUTHOR("Sugumaran L <slacshiminar@lenovo.com>");
1742 MODULE_AUTHOR("Mark Pearson <markpearson@lenovo.com>");
1743 MODULE_AUTHOR("Corentin Chary <corentin.chary@gmail.com>");
1744 MODULE_DESCRIPTION("ThinkLMI Driver");
1745 MODULE_LICENSE("GPL");
1746 
1747 module_wmi_driver(tlmi_driver);
1748