1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Think LMI BIOS configuration driver 4 * 5 * Copyright(C) 2019-2021 Lenovo 6 * 7 * Original code from Thinkpad-wmi project https://github.com/iksaif/thinkpad-wmi 8 * Copyright(C) 2017 Corentin Chary <corentin.chary@gmail.com> 9 * Distributed under the GPL-2.0 license 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <linux/acpi.h> 15 #include <linux/errno.h> 16 #include <linux/fs.h> 17 #include <linux/mutex.h> 18 #include <linux/string_helpers.h> 19 #include <linux/types.h> 20 #include <linux/dmi.h> 21 #include <linux/wmi.h> 22 #include "firmware_attributes_class.h" 23 #include "think-lmi.h" 24 25 static bool debug_support; 26 module_param(debug_support, bool, 0444); 27 MODULE_PARM_DESC(debug_support, "Enable debug command support"); 28 29 /* 30 * Name: BiosSetting 31 * Description: Get item name and settings for current LMI instance. 32 * Type: Query 33 * Returns: "Item,Value" 34 * Example: "WakeOnLAN,Enable" 35 */ 36 #define LENOVO_BIOS_SETTING_GUID "51F5230E-9677-46CD-A1CF-C0B23EE34DB7" 37 38 /* 39 * Name: SetBiosSetting 40 * Description: Change the BIOS setting to the desired value using the SetBiosSetting 41 * class. To save the settings, use the SaveBiosSetting class. 42 * BIOS settings and values are case sensitive. 43 * After making changes to the BIOS settings, you must reboot the computer 44 * before the changes will take effect. 45 * Type: Method 46 * Arguments: "Item,Value,Password,Encoding,KbdLang;" 47 * Example: "WakeOnLAN,Disable,pa55w0rd,ascii,us;" 48 */ 49 #define LENOVO_SET_BIOS_SETTINGS_GUID "98479A64-33F5-4E33-A707-8E251EBBC3A1" 50 51 /* 52 * Name: SaveBiosSettings 53 * Description: Save any pending changes in settings. 54 * Type: Method 55 * Arguments: "Password,Encoding,KbdLang;" 56 * Example: "pa55w0rd,ascii,us;" 57 */ 58 #define LENOVO_SAVE_BIOS_SETTINGS_GUID "6A4B54EF-A5ED-4D33-9455-B0D9B48DF4B3" 59 60 /* 61 * Name: BiosPasswordSettings 62 * Description: Return BIOS Password settings 63 * Type: Query 64 * Returns: PasswordMode, PasswordState, MinLength, MaxLength, 65 * SupportedEncoding, SupportedKeyboard 66 */ 67 #define LENOVO_BIOS_PASSWORD_SETTINGS_GUID "8ADB159E-1E32-455C-BC93-308A7ED98246" 68 69 /* 70 * Name: SetBiosPassword 71 * Description: Change a specific password. 72 * - BIOS settings cannot be changed at the same boot as power-on 73 * passwords (POP) and hard disk passwords (HDP). If you want to change 74 * BIOS settings and POP or HDP, you must reboot the system after changing 75 * one of them. 76 * - A password cannot be set using this method when one does not already 77 * exist. Passwords can only be updated or cleared. 78 * Type: Method 79 * Arguments: "PasswordType,CurrentPassword,NewPassword,Encoding,KbdLang;" 80 * Example: "pop,pa55w0rd,newpa55w0rd,ascii,us;” 81 */ 82 #define LENOVO_SET_BIOS_PASSWORD_GUID "2651D9FD-911C-4B69-B94E-D0DED5963BD7" 83 84 /* 85 * Name: GetBiosSelections 86 * Description: Return a list of valid settings for a given item. 87 * Type: Method 88 * Arguments: "Item" 89 * Returns: "Value1,Value2,Value3,..." 90 * Example: 91 * -> "FlashOverLAN" 92 * <- "Enabled,Disabled" 93 */ 94 #define LENOVO_GET_BIOS_SELECTIONS_GUID "7364651A-132F-4FE7-ADAA-40C6C7EE2E3B" 95 96 /* 97 * Name: DebugCmd 98 * Description: Debug entry method for entering debug commands to the BIOS 99 */ 100 #define LENOVO_DEBUG_CMD_GUID "7FF47003-3B6C-4E5E-A227-E979824A85D1" 101 102 /* 103 * Name: OpcodeIF 104 * Description: Opcode interface which provides the ability to set multiple 105 * parameters and then trigger an action with a final command. 106 * This is particularly useful for simplifying setting passwords. 107 * With this support comes the ability to set System, HDD and NVMe 108 * passwords. 109 * This is currently available on ThinkCenter and ThinkStations platforms 110 */ 111 #define LENOVO_OPCODE_IF_GUID "DFDDEF2C-57D4-48ce-B196-0FB787D90836" 112 113 /* 114 * Name: SetBiosCert 115 * Description: Install BIOS certificate. 116 * Type: Method 117 * Arguments: "Certificate,Password" 118 * You must reboot the computer before the changes will take effect. 119 */ 120 #define LENOVO_SET_BIOS_CERT_GUID "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE" 121 122 /* 123 * Name: UpdateBiosCert 124 * Description: Update BIOS certificate. 125 * Type: Method 126 * Format: "Certificate,Signature" 127 * You must reboot the computer before the changes will take effect. 128 */ 129 #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE" 130 131 /* 132 * Name: ClearBiosCert 133 * Description: Uninstall BIOS certificate. 134 * Type: Method 135 * Format: "Serial,Signature" 136 * You must reboot the computer before the changes will take effect. 137 */ 138 #define LENOVO_CLEAR_BIOS_CERT_GUID "B2BC39A7-78DD-4D71-B059-A510DEC44890" 139 /* 140 * Name: CertToPassword 141 * Description: Switch from certificate to password authentication. 142 * Type: Method 143 * Format: "Password,Signature" 144 * You must reboot the computer before the changes will take effect. 145 */ 146 #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D" 147 148 /* 149 * Name: SetBiosSettingCert 150 * Description: Set attribute using certificate authentication. 151 * Type: Method 152 * Format: "Item,Value,Signature" 153 */ 154 #define LENOVO_SET_BIOS_SETTING_CERT_GUID "34A008CC-D205-4B62-9E67-31DFA8B90003" 155 156 /* 157 * Name: SaveBiosSettingCert 158 * Description: Save any pending changes in settings. 159 * Type: Method 160 * Format: "Signature" 161 */ 162 #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551" 163 164 /* 165 * Name: CertThumbprint 166 * Description: Display Certificate thumbprints 167 * Type: Query 168 * Returns: MD5, SHA1 & SHA256 thumbprints 169 */ 170 #define LENOVO_CERT_THUMBPRINT_GUID "C59119ED-1C0D-4806-A8E9-59AA318176C4" 171 172 #define TLMI_POP_PWD BIT(0) /* Supervisor */ 173 #define TLMI_PAP_PWD BIT(1) /* Power-on */ 174 #define TLMI_HDD_PWD BIT(2) /* HDD/NVME */ 175 #define TLMI_SMP_PWD BIT(6) /* System Management */ 176 #define TLMI_CERT BIT(7) /* Certificate Based */ 177 178 #define to_tlmi_pwd_setting(kobj) container_of(kobj, struct tlmi_pwd_setting, kobj) 179 #define to_tlmi_attr_setting(kobj) container_of(kobj, struct tlmi_attr_setting, kobj) 180 181 static const struct tlmi_err_codes tlmi_errs[] = { 182 {"Success", 0}, 183 {"Not Supported", -EOPNOTSUPP}, 184 {"Invalid Parameter", -EINVAL}, 185 {"Access Denied", -EACCES}, 186 {"System Busy", -EBUSY}, 187 }; 188 189 static const char * const encoding_options[] = { 190 [TLMI_ENCODING_ASCII] = "ascii", 191 [TLMI_ENCODING_SCANCODE] = "scancode", 192 }; 193 static const char * const level_options[] = { 194 [TLMI_LEVEL_USER] = "user", 195 [TLMI_LEVEL_MASTER] = "master", 196 }; 197 static struct think_lmi tlmi_priv; 198 static const struct class *fw_attr_class; 199 static DEFINE_MUTEX(tlmi_mutex); 200 201 /* Convert BIOS WMI error string to suitable error code */ 202 static int tlmi_errstr_to_err(const char *errstr) 203 { 204 int i; 205 206 for (i = 0; i < sizeof(tlmi_errs)/sizeof(struct tlmi_err_codes); i++) { 207 if (!strcmp(tlmi_errs[i].err_str, errstr)) 208 return tlmi_errs[i].err_code; 209 } 210 return -EPERM; 211 } 212 213 /* Extract error string from WMI return buffer */ 214 static int tlmi_extract_error(const struct acpi_buffer *output) 215 { 216 const union acpi_object *obj; 217 218 obj = output->pointer; 219 if (!obj) 220 return -ENOMEM; 221 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 222 return -EIO; 223 224 return tlmi_errstr_to_err(obj->string.pointer); 225 } 226 227 /* Utility function to execute WMI call to BIOS */ 228 static int tlmi_simple_call(const char *guid, const char *arg) 229 { 230 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 231 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 232 acpi_status status; 233 int i, err; 234 235 /* 236 * Duplicated call required to match BIOS workaround for behavior 237 * seen when WMI accessed via scripting on other OS. 238 */ 239 for (i = 0; i < 2; i++) { 240 /* (re)initialize output buffer to default state */ 241 output.length = ACPI_ALLOCATE_BUFFER; 242 output.pointer = NULL; 243 244 status = wmi_evaluate_method(guid, 0, 0, &input, &output); 245 if (ACPI_FAILURE(status)) { 246 kfree(output.pointer); 247 return -EIO; 248 } 249 err = tlmi_extract_error(&output); 250 kfree(output.pointer); 251 if (err) 252 return err; 253 } 254 return 0; 255 } 256 257 /* Extract output string from WMI return buffer */ 258 static int tlmi_extract_output_string(const struct acpi_buffer *output, 259 char **string) 260 { 261 const union acpi_object *obj; 262 char *s; 263 264 obj = output->pointer; 265 if (!obj) 266 return -ENOMEM; 267 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 268 return -EIO; 269 270 s = kstrdup(obj->string.pointer, GFP_KERNEL); 271 if (!s) 272 return -ENOMEM; 273 *string = s; 274 return 0; 275 } 276 277 /* ------ Core interface functions ------------*/ 278 279 /* Get password settings from BIOS */ 280 static int tlmi_get_pwd_settings(struct tlmi_pwdcfg *pwdcfg) 281 { 282 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 283 const union acpi_object *obj; 284 acpi_status status; 285 int copy_size; 286 287 if (!tlmi_priv.can_get_password_settings) 288 return -EOPNOTSUPP; 289 290 status = wmi_query_block(LENOVO_BIOS_PASSWORD_SETTINGS_GUID, 0, 291 &output); 292 if (ACPI_FAILURE(status)) 293 return -EIO; 294 295 obj = output.pointer; 296 if (!obj) 297 return -ENOMEM; 298 if (obj->type != ACPI_TYPE_BUFFER || !obj->buffer.pointer) { 299 kfree(obj); 300 return -EIO; 301 } 302 /* 303 * The size of thinkpad_wmi_pcfg on ThinkStation is larger than ThinkPad. 304 * To make the driver compatible on different brands, we permit it to get 305 * the data in below case. 306 * Settings must have at minimum the core fields available 307 */ 308 if (obj->buffer.length < sizeof(struct tlmi_pwdcfg_core)) { 309 pr_warn("Unknown pwdcfg buffer length %d\n", obj->buffer.length); 310 kfree(obj); 311 return -EIO; 312 } 313 314 copy_size = min_t(size_t, obj->buffer.length, sizeof(struct tlmi_pwdcfg)); 315 316 memcpy(pwdcfg, obj->buffer.pointer, copy_size); 317 kfree(obj); 318 319 if (WARN_ON(pwdcfg->core.max_length >= TLMI_PWD_BUFSIZE)) 320 pwdcfg->core.max_length = TLMI_PWD_BUFSIZE - 1; 321 return 0; 322 } 323 324 static int tlmi_save_bios_settings(const char *password) 325 { 326 return tlmi_simple_call(LENOVO_SAVE_BIOS_SETTINGS_GUID, 327 password); 328 } 329 330 static int tlmi_opcode_setting(char *setting, const char *value) 331 { 332 char *opcode_str; 333 int ret; 334 335 opcode_str = kasprintf(GFP_KERNEL, "%s:%s;", setting, value); 336 if (!opcode_str) 337 return -ENOMEM; 338 339 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, opcode_str); 340 kfree(opcode_str); 341 return ret; 342 } 343 344 static int tlmi_setting(int item, char **value, const char *guid_string) 345 { 346 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 347 acpi_status status; 348 int ret; 349 350 status = wmi_query_block(guid_string, item, &output); 351 if (ACPI_FAILURE(status)) { 352 kfree(output.pointer); 353 return -EIO; 354 } 355 356 ret = tlmi_extract_output_string(&output, value); 357 kfree(output.pointer); 358 return ret; 359 } 360 361 static int tlmi_get_bios_selections(const char *item, char **value) 362 { 363 const struct acpi_buffer input = { strlen(item), (char *)item }; 364 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 365 acpi_status status; 366 int ret; 367 368 status = wmi_evaluate_method(LENOVO_GET_BIOS_SELECTIONS_GUID, 369 0, 0, &input, &output); 370 371 if (ACPI_FAILURE(status)) { 372 kfree(output.pointer); 373 return -EIO; 374 } 375 376 ret = tlmi_extract_output_string(&output, value); 377 kfree(output.pointer); 378 return ret; 379 } 380 381 /* ---- Authentication sysfs --------------------------------------------------------- */ 382 static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr, 383 char *buf) 384 { 385 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 386 387 return sysfs_emit(buf, "%d\n", setting->valid); 388 } 389 390 static struct kobj_attribute auth_is_pass_set = __ATTR_RO(is_enabled); 391 392 static ssize_t current_password_store(struct kobject *kobj, 393 struct kobj_attribute *attr, 394 const char *buf, size_t count) 395 { 396 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 397 size_t pwdlen; 398 399 pwdlen = strlen(buf); 400 /* pwdlen == 0 is allowed to clear the password */ 401 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) 402 return -EINVAL; 403 404 strscpy(setting->password, buf, setting->maxlen); 405 /* Strip out CR if one is present, setting password won't work if it is present */ 406 strreplace(setting->password, '\n', '\0'); 407 return count; 408 } 409 410 static struct kobj_attribute auth_current_password = __ATTR_WO(current_password); 411 412 static ssize_t new_password_store(struct kobject *kobj, 413 struct kobj_attribute *attr, 414 const char *buf, size_t count) 415 { 416 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 417 char *auth_str, *new_pwd; 418 size_t pwdlen; 419 int ret; 420 421 if (!capable(CAP_SYS_ADMIN)) 422 return -EPERM; 423 424 if (!tlmi_priv.can_set_bios_password) 425 return -EOPNOTSUPP; 426 427 /* Strip out CR if one is present, setting password won't work if it is present */ 428 new_pwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 429 if (!new_pwd) 430 return -ENOMEM; 431 432 /* Use lock in case multiple WMI operations needed */ 433 mutex_lock(&tlmi_mutex); 434 435 pwdlen = strlen(new_pwd); 436 /* pwdlen == 0 is allowed to clear the password */ 437 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) { 438 ret = -EINVAL; 439 goto out; 440 } 441 442 /* If opcode support is present use that interface */ 443 if (tlmi_priv.opcode_support) { 444 char pwd_type[8]; 445 446 /* Special handling required for HDD and NVMe passwords */ 447 if (setting == tlmi_priv.pwd_hdd) { 448 if (setting->level == TLMI_LEVEL_USER) 449 sprintf(pwd_type, "uhdp%d", setting->index); 450 else 451 sprintf(pwd_type, "mhdp%d", setting->index); 452 } else if (setting == tlmi_priv.pwd_nvme) { 453 if (setting->level == TLMI_LEVEL_USER) 454 sprintf(pwd_type, "udrp%d", setting->index); 455 else 456 sprintf(pwd_type, "adrp%d", setting->index); 457 } else { 458 sprintf(pwd_type, "%s", setting->pwd_type); 459 } 460 461 ret = tlmi_opcode_setting("WmiOpcodePasswordType", pwd_type); 462 if (ret) 463 goto out; 464 465 if (tlmi_priv.pwd_admin->valid) { 466 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 467 tlmi_priv.pwd_admin->password); 468 if (ret) 469 goto out; 470 } 471 ret = tlmi_opcode_setting("WmiOpcodePasswordCurrent01", setting->password); 472 if (ret) 473 goto out; 474 ret = tlmi_opcode_setting("WmiOpcodePasswordNew01", new_pwd); 475 if (ret) 476 goto out; 477 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, "WmiOpcodePasswordSetUpdate;"); 478 } else { 479 /* Format: 'PasswordType,CurrentPw,NewPw,Encoding,KbdLang;' */ 480 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s,%s;", 481 setting->pwd_type, setting->password, new_pwd, 482 encoding_options[setting->encoding], setting->kbdlang); 483 if (!auth_str) { 484 ret = -ENOMEM; 485 goto out; 486 } 487 ret = tlmi_simple_call(LENOVO_SET_BIOS_PASSWORD_GUID, auth_str); 488 kfree(auth_str); 489 } 490 out: 491 mutex_unlock(&tlmi_mutex); 492 kfree(new_pwd); 493 return ret ?: count; 494 } 495 496 static struct kobj_attribute auth_new_password = __ATTR_WO(new_password); 497 498 static ssize_t min_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 499 char *buf) 500 { 501 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 502 503 return sysfs_emit(buf, "%d\n", setting->minlen); 504 } 505 506 static struct kobj_attribute auth_min_pass_length = __ATTR_RO(min_password_length); 507 508 static ssize_t max_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 509 char *buf) 510 { 511 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 512 513 return sysfs_emit(buf, "%d\n", setting->maxlen); 514 } 515 static struct kobj_attribute auth_max_pass_length = __ATTR_RO(max_password_length); 516 517 static ssize_t mechanism_show(struct kobject *kobj, struct kobj_attribute *attr, 518 char *buf) 519 { 520 return sysfs_emit(buf, "password\n"); 521 } 522 static struct kobj_attribute auth_mechanism = __ATTR_RO(mechanism); 523 524 static ssize_t encoding_show(struct kobject *kobj, struct kobj_attribute *attr, 525 char *buf) 526 { 527 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 528 529 return sysfs_emit(buf, "%s\n", encoding_options[setting->encoding]); 530 } 531 532 static ssize_t encoding_store(struct kobject *kobj, 533 struct kobj_attribute *attr, 534 const char *buf, size_t count) 535 { 536 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 537 int i; 538 539 /* Scan for a matching profile */ 540 i = sysfs_match_string(encoding_options, buf); 541 if (i < 0) 542 return -EINVAL; 543 544 setting->encoding = i; 545 return count; 546 } 547 548 static struct kobj_attribute auth_encoding = __ATTR_RW(encoding); 549 550 static ssize_t kbdlang_show(struct kobject *kobj, struct kobj_attribute *attr, 551 char *buf) 552 { 553 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 554 555 return sysfs_emit(buf, "%s\n", setting->kbdlang); 556 } 557 558 static ssize_t kbdlang_store(struct kobject *kobj, 559 struct kobj_attribute *attr, 560 const char *buf, size_t count) 561 { 562 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 563 int length; 564 565 /* Calculate length till '\n' or terminating 0 */ 566 length = strchrnul(buf, '\n') - buf; 567 if (!length || length >= TLMI_LANG_MAXLEN) 568 return -EINVAL; 569 570 memcpy(setting->kbdlang, buf, length); 571 setting->kbdlang[length] = '\0'; 572 return count; 573 } 574 575 static struct kobj_attribute auth_kbdlang = __ATTR_RW(kbdlang); 576 577 static ssize_t role_show(struct kobject *kobj, struct kobj_attribute *attr, 578 char *buf) 579 { 580 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 581 582 return sysfs_emit(buf, "%s\n", setting->role); 583 } 584 static struct kobj_attribute auth_role = __ATTR_RO(role); 585 586 static ssize_t index_show(struct kobject *kobj, struct kobj_attribute *attr, 587 char *buf) 588 { 589 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 590 591 return sysfs_emit(buf, "%d\n", setting->index); 592 } 593 594 static ssize_t index_store(struct kobject *kobj, 595 struct kobj_attribute *attr, 596 const char *buf, size_t count) 597 { 598 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 599 int err, val; 600 601 err = kstrtoint(buf, 10, &val); 602 if (err < 0) 603 return err; 604 605 if (val < 0 || val > TLMI_INDEX_MAX) 606 return -EINVAL; 607 608 setting->index = val; 609 return count; 610 } 611 612 static struct kobj_attribute auth_index = __ATTR_RW(index); 613 614 static ssize_t level_show(struct kobject *kobj, struct kobj_attribute *attr, 615 char *buf) 616 { 617 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 618 619 return sysfs_emit(buf, "%s\n", level_options[setting->level]); 620 } 621 622 static ssize_t level_store(struct kobject *kobj, 623 struct kobj_attribute *attr, 624 const char *buf, size_t count) 625 { 626 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 627 int i; 628 629 /* Scan for a matching profile */ 630 i = sysfs_match_string(level_options, buf); 631 if (i < 0) 632 return -EINVAL; 633 634 setting->level = i; 635 return count; 636 } 637 638 static struct kobj_attribute auth_level = __ATTR_RW(level); 639 640 static ssize_t cert_thumbprint(char *buf, const char *arg, int count) 641 { 642 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 643 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 644 const union acpi_object *obj; 645 acpi_status status; 646 647 status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output); 648 if (ACPI_FAILURE(status)) { 649 kfree(output.pointer); 650 return -EIO; 651 } 652 obj = output.pointer; 653 if (!obj) 654 return -ENOMEM; 655 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) { 656 kfree(output.pointer); 657 return -EIO; 658 } 659 count += sysfs_emit_at(buf, count, "%s : %s\n", arg, (char *)obj->string.pointer); 660 kfree(output.pointer); 661 662 return count; 663 } 664 665 static ssize_t certificate_thumbprint_show(struct kobject *kobj, struct kobj_attribute *attr, 666 char *buf) 667 { 668 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 669 int count = 0; 670 671 if (!tlmi_priv.certificate_support || !setting->cert_installed) 672 return -EOPNOTSUPP; 673 674 count += cert_thumbprint(buf, "Md5", count); 675 count += cert_thumbprint(buf, "Sha1", count); 676 count += cert_thumbprint(buf, "Sha256", count); 677 return count; 678 } 679 680 static struct kobj_attribute auth_cert_thumb = __ATTR_RO(certificate_thumbprint); 681 682 static ssize_t cert_to_password_store(struct kobject *kobj, 683 struct kobj_attribute *attr, 684 const char *buf, size_t count) 685 { 686 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 687 char *auth_str, *passwd; 688 int ret; 689 690 if (!capable(CAP_SYS_ADMIN)) 691 return -EPERM; 692 693 if (!tlmi_priv.certificate_support) 694 return -EOPNOTSUPP; 695 696 if (!setting->cert_installed) 697 return -EINVAL; 698 699 if (!setting->signature || !setting->signature[0]) 700 return -EACCES; 701 702 /* Strip out CR if one is present */ 703 passwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 704 if (!passwd) 705 return -ENOMEM; 706 707 /* Format: 'Password,Signature' */ 708 auth_str = kasprintf(GFP_KERNEL, "%s,%s", passwd, setting->signature); 709 if (!auth_str) { 710 kfree_sensitive(passwd); 711 return -ENOMEM; 712 } 713 ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str); 714 kfree(auth_str); 715 kfree_sensitive(passwd); 716 717 return ret ?: count; 718 } 719 720 static struct kobj_attribute auth_cert_to_password = __ATTR_WO(cert_to_password); 721 722 static ssize_t certificate_store(struct kobject *kobj, 723 struct kobj_attribute *attr, 724 const char *buf, size_t count) 725 { 726 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 727 char *auth_str, *new_cert; 728 char *guid; 729 int ret; 730 731 if (!capable(CAP_SYS_ADMIN)) 732 return -EPERM; 733 734 if (!tlmi_priv.certificate_support) 735 return -EOPNOTSUPP; 736 737 /* If empty then clear installed certificate */ 738 if ((buf[0] == '\0') || (buf[0] == '\n')) { /* Clear installed certificate */ 739 /* Check that signature is set */ 740 if (!setting->signature || !setting->signature[0]) 741 return -EACCES; 742 743 /* Format: 'serial#, signature' */ 744 auth_str = kasprintf(GFP_KERNEL, "%s,%s", 745 dmi_get_system_info(DMI_PRODUCT_SERIAL), 746 setting->signature); 747 if (!auth_str) 748 return -ENOMEM; 749 750 ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str); 751 kfree(auth_str); 752 753 return ret ?: count; 754 } 755 756 /* Strip out CR if one is present */ 757 new_cert = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 758 if (!new_cert) 759 return -ENOMEM; 760 761 if (setting->cert_installed) { 762 /* Certificate is installed so this is an update */ 763 if (!setting->signature || !setting->signature[0]) { 764 kfree(new_cert); 765 return -EACCES; 766 } 767 guid = LENOVO_UPDATE_BIOS_CERT_GUID; 768 /* Format: 'Certificate,Signature' */ 769 auth_str = kasprintf(GFP_KERNEL, "%s,%s", 770 new_cert, setting->signature); 771 } else { 772 /* This is a fresh install */ 773 if (!setting->valid || !setting->password[0]) { 774 kfree(new_cert); 775 return -EACCES; 776 } 777 guid = LENOVO_SET_BIOS_CERT_GUID; 778 /* Format: 'Certificate,Admin-password' */ 779 auth_str = kasprintf(GFP_KERNEL, "%s,%s", 780 new_cert, setting->password); 781 } 782 kfree(new_cert); 783 if (!auth_str) 784 return -ENOMEM; 785 786 ret = tlmi_simple_call(guid, auth_str); 787 kfree(auth_str); 788 789 return ret ?: count; 790 } 791 792 static struct kobj_attribute auth_certificate = __ATTR_WO(certificate); 793 794 static ssize_t signature_store(struct kobject *kobj, 795 struct kobj_attribute *attr, 796 const char *buf, size_t count) 797 { 798 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 799 char *new_signature; 800 801 if (!capable(CAP_SYS_ADMIN)) 802 return -EPERM; 803 804 if (!tlmi_priv.certificate_support) 805 return -EOPNOTSUPP; 806 807 /* Strip out CR if one is present */ 808 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 809 if (!new_signature) 810 return -ENOMEM; 811 812 /* Free any previous signature */ 813 kfree(setting->signature); 814 setting->signature = new_signature; 815 816 return count; 817 } 818 819 static struct kobj_attribute auth_signature = __ATTR_WO(signature); 820 821 static ssize_t save_signature_store(struct kobject *kobj, 822 struct kobj_attribute *attr, 823 const char *buf, size_t count) 824 { 825 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 826 char *new_signature; 827 828 if (!capable(CAP_SYS_ADMIN)) 829 return -EPERM; 830 831 if (!tlmi_priv.certificate_support) 832 return -EOPNOTSUPP; 833 834 /* Strip out CR if one is present */ 835 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 836 if (!new_signature) 837 return -ENOMEM; 838 839 /* Free any previous signature */ 840 kfree(setting->save_signature); 841 setting->save_signature = new_signature; 842 843 return count; 844 } 845 846 static struct kobj_attribute auth_save_signature = __ATTR_WO(save_signature); 847 848 static umode_t auth_attr_is_visible(struct kobject *kobj, 849 struct attribute *attr, int n) 850 { 851 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 852 853 /* We only want to display level and index settings on HDD/NVMe */ 854 if (attr == &auth_index.attr || attr == &auth_level.attr) { 855 if ((setting == tlmi_priv.pwd_hdd) || (setting == tlmi_priv.pwd_nvme)) 856 return attr->mode; 857 return 0; 858 } 859 860 /* We only display certificates on Admin account, if supported */ 861 if (attr == &auth_certificate.attr || 862 attr == &auth_signature.attr || 863 attr == &auth_save_signature.attr || 864 attr == &auth_cert_thumb.attr || 865 attr == &auth_cert_to_password.attr) { 866 if ((setting == tlmi_priv.pwd_admin) && tlmi_priv.certificate_support) 867 return attr->mode; 868 return 0; 869 } 870 871 /* Don't display un-needed settings if opcode available */ 872 if ((attr == &auth_encoding.attr || attr == &auth_kbdlang.attr) && 873 tlmi_priv.opcode_support) 874 return 0; 875 876 return attr->mode; 877 } 878 879 static struct attribute *auth_attrs[] = { 880 &auth_is_pass_set.attr, 881 &auth_min_pass_length.attr, 882 &auth_max_pass_length.attr, 883 &auth_current_password.attr, 884 &auth_new_password.attr, 885 &auth_role.attr, 886 &auth_mechanism.attr, 887 &auth_encoding.attr, 888 &auth_kbdlang.attr, 889 &auth_index.attr, 890 &auth_level.attr, 891 &auth_certificate.attr, 892 &auth_signature.attr, 893 &auth_save_signature.attr, 894 &auth_cert_thumb.attr, 895 &auth_cert_to_password.attr, 896 NULL 897 }; 898 899 static const struct attribute_group auth_attr_group = { 900 .is_visible = auth_attr_is_visible, 901 .attrs = auth_attrs, 902 }; 903 904 /* ---- Attributes sysfs --------------------------------------------------------- */ 905 static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr, 906 char *buf) 907 { 908 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 909 910 return sysfs_emit(buf, "%s\n", setting->display_name); 911 } 912 913 static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 914 { 915 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 916 char *item, *value; 917 int ret; 918 919 ret = tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID); 920 if (ret) 921 return ret; 922 923 /* validate and split from `item,value` -> `value` */ 924 value = strpbrk(item, ","); 925 if (!value || value == item || !strlen(value + 1)) 926 ret = -EINVAL; 927 else { 928 /* On Workstations remove the Options part after the value */ 929 strreplace(value, ';', '\0'); 930 ret = sysfs_emit(buf, "%s\n", value + 1); 931 } 932 kfree(item); 933 934 return ret; 935 } 936 937 static ssize_t possible_values_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 938 { 939 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 940 941 return sysfs_emit(buf, "%s\n", setting->possible_values); 942 } 943 944 static ssize_t type_show(struct kobject *kobj, struct kobj_attribute *attr, 945 char *buf) 946 { 947 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 948 949 if (setting->possible_values) { 950 /* Figure out what setting type is as BIOS does not return this */ 951 if (strchr(setting->possible_values, ';')) 952 return sysfs_emit(buf, "enumeration\n"); 953 } 954 /* Anything else is going to be a string */ 955 return sysfs_emit(buf, "string\n"); 956 } 957 958 static ssize_t current_value_store(struct kobject *kobj, 959 struct kobj_attribute *attr, 960 const char *buf, size_t count) 961 { 962 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 963 char *set_str = NULL, *new_setting = NULL; 964 char *auth_str = NULL; 965 int ret; 966 967 if (!tlmi_priv.can_set_bios_settings) 968 return -EOPNOTSUPP; 969 970 /* 971 * If we are using bulk saves a reboot should be done once save has 972 * been called 973 */ 974 if (tlmi_priv.save_mode == TLMI_SAVE_BULK && tlmi_priv.reboot_required) 975 return -EPERM; 976 977 /* Strip out CR if one is present */ 978 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 979 if (!new_setting) 980 return -ENOMEM; 981 982 /* Use lock in case multiple WMI operations needed */ 983 mutex_lock(&tlmi_mutex); 984 985 /* Check if certificate authentication is enabled and active */ 986 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 987 if (!tlmi_priv.pwd_admin->signature || !tlmi_priv.pwd_admin->save_signature) { 988 ret = -EINVAL; 989 goto out; 990 } 991 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name, 992 new_setting, tlmi_priv.pwd_admin->signature); 993 if (!set_str) { 994 ret = -ENOMEM; 995 goto out; 996 } 997 998 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str); 999 if (ret) 1000 goto out; 1001 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1002 tlmi_priv.save_required = true; 1003 else 1004 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1005 tlmi_priv.pwd_admin->save_signature); 1006 } else if (tlmi_priv.opcode_support) { 1007 /* 1008 * If opcode support is present use that interface. 1009 * Note - this sets the variable and then the password as separate 1010 * WMI calls. Function tlmi_save_bios_settings will error if the 1011 * password is incorrect. 1012 * Workstation's require the opcode to be set before changing the 1013 * attribute. 1014 */ 1015 if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { 1016 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1017 tlmi_priv.pwd_admin->password); 1018 if (ret) 1019 goto out; 1020 } 1021 1022 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name, 1023 new_setting); 1024 if (!set_str) { 1025 ret = -ENOMEM; 1026 goto out; 1027 } 1028 1029 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1030 if (ret) 1031 goto out; 1032 1033 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1034 tlmi_priv.save_required = true; 1035 else 1036 ret = tlmi_save_bios_settings(""); 1037 } else { /* old non-opcode based authentication method (deprecated) */ 1038 if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { 1039 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1040 tlmi_priv.pwd_admin->password, 1041 encoding_options[tlmi_priv.pwd_admin->encoding], 1042 tlmi_priv.pwd_admin->kbdlang); 1043 if (!auth_str) { 1044 ret = -ENOMEM; 1045 goto out; 1046 } 1047 } 1048 1049 if (auth_str) 1050 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name, 1051 new_setting, auth_str); 1052 else 1053 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name, 1054 new_setting); 1055 if (!set_str) { 1056 ret = -ENOMEM; 1057 goto out; 1058 } 1059 1060 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1061 if (ret) 1062 goto out; 1063 1064 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) { 1065 tlmi_priv.save_required = true; 1066 } else { 1067 if (auth_str) 1068 ret = tlmi_save_bios_settings(auth_str); 1069 else 1070 ret = tlmi_save_bios_settings(""); 1071 } 1072 } 1073 if (!ret && !tlmi_priv.pending_changes) { 1074 tlmi_priv.pending_changes = true; 1075 /* let userland know it may need to check reboot pending again */ 1076 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1077 } 1078 out: 1079 mutex_unlock(&tlmi_mutex); 1080 kfree(auth_str); 1081 kfree(set_str); 1082 kfree(new_setting); 1083 return ret ?: count; 1084 } 1085 1086 static struct kobj_attribute attr_displ_name = __ATTR_RO(display_name); 1087 1088 static struct kobj_attribute attr_possible_values = __ATTR_RO(possible_values); 1089 1090 static struct kobj_attribute attr_current_val = __ATTR_RW_MODE(current_value, 0600); 1091 1092 static struct kobj_attribute attr_type = __ATTR_RO(type); 1093 1094 static umode_t attr_is_visible(struct kobject *kobj, 1095 struct attribute *attr, int n) 1096 { 1097 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1098 1099 /* We don't want to display possible_values attributes if not available */ 1100 if ((attr == &attr_possible_values.attr) && (!setting->possible_values)) 1101 return 0; 1102 1103 return attr->mode; 1104 } 1105 1106 static struct attribute *tlmi_attrs[] = { 1107 &attr_displ_name.attr, 1108 &attr_current_val.attr, 1109 &attr_possible_values.attr, 1110 &attr_type.attr, 1111 NULL 1112 }; 1113 1114 static const struct attribute_group tlmi_attr_group = { 1115 .is_visible = attr_is_visible, 1116 .attrs = tlmi_attrs, 1117 }; 1118 1119 static void tlmi_attr_setting_release(struct kobject *kobj) 1120 { 1121 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1122 1123 kfree(setting->possible_values); 1124 kfree(setting); 1125 } 1126 1127 static void tlmi_pwd_setting_release(struct kobject *kobj) 1128 { 1129 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 1130 1131 kfree(setting); 1132 } 1133 1134 static const struct kobj_type tlmi_attr_setting_ktype = { 1135 .release = &tlmi_attr_setting_release, 1136 .sysfs_ops = &kobj_sysfs_ops, 1137 }; 1138 1139 static const struct kobj_type tlmi_pwd_setting_ktype = { 1140 .release = &tlmi_pwd_setting_release, 1141 .sysfs_ops = &kobj_sysfs_ops, 1142 }; 1143 1144 static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr, 1145 char *buf) 1146 { 1147 return sprintf(buf, "%d\n", tlmi_priv.pending_changes); 1148 } 1149 1150 static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot); 1151 1152 static const char * const save_mode_strings[] = { 1153 [TLMI_SAVE_SINGLE] = "single", 1154 [TLMI_SAVE_BULK] = "bulk", 1155 [TLMI_SAVE_SAVE] = "save" 1156 }; 1157 1158 static ssize_t save_settings_show(struct kobject *kobj, struct kobj_attribute *attr, 1159 char *buf) 1160 { 1161 /* Check that setting is valid */ 1162 if (WARN_ON(tlmi_priv.save_mode < TLMI_SAVE_SINGLE || 1163 tlmi_priv.save_mode > TLMI_SAVE_BULK)) 1164 return -EIO; 1165 return sysfs_emit(buf, "%s\n", save_mode_strings[tlmi_priv.save_mode]); 1166 } 1167 1168 static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *attr, 1169 const char *buf, size_t count) 1170 { 1171 char *auth_str = NULL; 1172 int ret = 0; 1173 int cmd; 1174 1175 cmd = sysfs_match_string(save_mode_strings, buf); 1176 if (cmd < 0) 1177 return cmd; 1178 1179 /* Use lock in case multiple WMI operations needed */ 1180 mutex_lock(&tlmi_mutex); 1181 1182 switch (cmd) { 1183 case TLMI_SAVE_SINGLE: 1184 case TLMI_SAVE_BULK: 1185 tlmi_priv.save_mode = cmd; 1186 goto out; 1187 case TLMI_SAVE_SAVE: 1188 /* Check if supported*/ 1189 if (!tlmi_priv.can_set_bios_settings || 1190 tlmi_priv.save_mode == TLMI_SAVE_SINGLE) { 1191 ret = -EOPNOTSUPP; 1192 goto out; 1193 } 1194 /* Check there is actually something to save */ 1195 if (!tlmi_priv.save_required) { 1196 ret = -ENOENT; 1197 goto out; 1198 } 1199 /* Check if certificate authentication is enabled and active */ 1200 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 1201 if (!tlmi_priv.pwd_admin->signature || 1202 !tlmi_priv.pwd_admin->save_signature) { 1203 ret = -EINVAL; 1204 goto out; 1205 } 1206 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1207 tlmi_priv.pwd_admin->save_signature); 1208 if (ret) 1209 goto out; 1210 } else if (tlmi_priv.opcode_support) { 1211 if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { 1212 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1213 tlmi_priv.pwd_admin->password); 1214 if (ret) 1215 goto out; 1216 } 1217 ret = tlmi_save_bios_settings(""); 1218 } else { /* old non-opcode based authentication method (deprecated) */ 1219 if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { 1220 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1221 tlmi_priv.pwd_admin->password, 1222 encoding_options[tlmi_priv.pwd_admin->encoding], 1223 tlmi_priv.pwd_admin->kbdlang); 1224 if (!auth_str) { 1225 ret = -ENOMEM; 1226 goto out; 1227 } 1228 } 1229 1230 if (auth_str) 1231 ret = tlmi_save_bios_settings(auth_str); 1232 else 1233 ret = tlmi_save_bios_settings(""); 1234 } 1235 tlmi_priv.save_required = false; 1236 tlmi_priv.reboot_required = true; 1237 1238 if (!ret && !tlmi_priv.pending_changes) { 1239 tlmi_priv.pending_changes = true; 1240 /* let userland know it may need to check reboot pending again */ 1241 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1242 } 1243 break; 1244 } 1245 out: 1246 mutex_unlock(&tlmi_mutex); 1247 kfree(auth_str); 1248 return ret ?: count; 1249 } 1250 1251 static struct kobj_attribute save_settings = __ATTR_RW(save_settings); 1252 1253 /* ---- Debug interface--------------------------------------------------------- */ 1254 static ssize_t debug_cmd_store(struct kobject *kobj, struct kobj_attribute *attr, 1255 const char *buf, size_t count) 1256 { 1257 char *set_str = NULL, *new_setting = NULL; 1258 char *auth_str = NULL; 1259 int ret; 1260 1261 if (!tlmi_priv.can_debug_cmd) 1262 return -EOPNOTSUPP; 1263 1264 /* Strip out CR if one is present */ 1265 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 1266 if (!new_setting) 1267 return -ENOMEM; 1268 1269 if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) { 1270 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1271 tlmi_priv.pwd_admin->password, 1272 encoding_options[tlmi_priv.pwd_admin->encoding], 1273 tlmi_priv.pwd_admin->kbdlang); 1274 if (!auth_str) { 1275 ret = -ENOMEM; 1276 goto out; 1277 } 1278 } 1279 1280 if (auth_str) 1281 set_str = kasprintf(GFP_KERNEL, "%s,%s", new_setting, auth_str); 1282 else 1283 set_str = kasprintf(GFP_KERNEL, "%s;", new_setting); 1284 if (!set_str) { 1285 ret = -ENOMEM; 1286 goto out; 1287 } 1288 1289 ret = tlmi_simple_call(LENOVO_DEBUG_CMD_GUID, set_str); 1290 if (ret) 1291 goto out; 1292 1293 if (!ret && !tlmi_priv.pending_changes) { 1294 tlmi_priv.pending_changes = true; 1295 /* let userland know it may need to check reboot pending again */ 1296 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1297 } 1298 out: 1299 kfree(auth_str); 1300 kfree(set_str); 1301 kfree(new_setting); 1302 return ret ?: count; 1303 } 1304 1305 static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); 1306 1307 /* ---- Initialisation --------------------------------------------------------- */ 1308 static void tlmi_release_attr(void) 1309 { 1310 int i; 1311 1312 /* Attribute structures */ 1313 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1314 if (tlmi_priv.setting[i]) { 1315 sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1316 kobject_put(&tlmi_priv.setting[i]->kobj); 1317 } 1318 } 1319 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1320 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1321 1322 if (tlmi_priv.can_debug_cmd && debug_support) 1323 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1324 1325 kset_unregister(tlmi_priv.attribute_kset); 1326 1327 /* Free up any saved signatures */ 1328 kfree(tlmi_priv.pwd_admin->signature); 1329 kfree(tlmi_priv.pwd_admin->save_signature); 1330 1331 /* Authentication structures */ 1332 sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1333 kobject_put(&tlmi_priv.pwd_admin->kobj); 1334 sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1335 kobject_put(&tlmi_priv.pwd_power->kobj); 1336 1337 if (tlmi_priv.opcode_support) { 1338 sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1339 kobject_put(&tlmi_priv.pwd_system->kobj); 1340 sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1341 kobject_put(&tlmi_priv.pwd_hdd->kobj); 1342 sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1343 kobject_put(&tlmi_priv.pwd_nvme->kobj); 1344 } 1345 1346 kset_unregister(tlmi_priv.authentication_kset); 1347 } 1348 1349 static int tlmi_validate_setting_name(struct kset *attribute_kset, char *name) 1350 { 1351 struct kobject *duplicate; 1352 1353 if (!strcmp(name, "Reserved")) 1354 return -EINVAL; 1355 1356 duplicate = kset_find_obj(attribute_kset, name); 1357 if (duplicate) { 1358 pr_debug("Duplicate attribute name found - %s\n", name); 1359 /* kset_find_obj() returns a reference */ 1360 kobject_put(duplicate); 1361 return -EBUSY; 1362 } 1363 1364 return 0; 1365 } 1366 1367 static int tlmi_sysfs_init(void) 1368 { 1369 int i, ret; 1370 1371 ret = fw_attributes_class_get(&fw_attr_class); 1372 if (ret) 1373 return ret; 1374 1375 tlmi_priv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0), 1376 NULL, "%s", "thinklmi"); 1377 if (IS_ERR(tlmi_priv.class_dev)) { 1378 ret = PTR_ERR(tlmi_priv.class_dev); 1379 goto fail_class_created; 1380 } 1381 1382 tlmi_priv.attribute_kset = kset_create_and_add("attributes", NULL, 1383 &tlmi_priv.class_dev->kobj); 1384 if (!tlmi_priv.attribute_kset) { 1385 ret = -ENOMEM; 1386 goto fail_device_created; 1387 } 1388 1389 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1390 /* Check if index is a valid setting - skip if it isn't */ 1391 if (!tlmi_priv.setting[i]) 1392 continue; 1393 1394 /* check for duplicate or reserved values */ 1395 if (tlmi_validate_setting_name(tlmi_priv.attribute_kset, 1396 tlmi_priv.setting[i]->display_name) < 0) { 1397 kfree(tlmi_priv.setting[i]->possible_values); 1398 kfree(tlmi_priv.setting[i]); 1399 tlmi_priv.setting[i] = NULL; 1400 continue; 1401 } 1402 1403 /* Build attribute */ 1404 tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset; 1405 ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL, 1406 "%s", tlmi_priv.setting[i]->display_name); 1407 if (ret) 1408 goto fail_create_attr; 1409 1410 ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1411 if (ret) 1412 goto fail_create_attr; 1413 } 1414 1415 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1416 if (ret) 1417 goto fail_create_attr; 1418 1419 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1420 if (ret) 1421 goto fail_create_attr; 1422 1423 if (tlmi_priv.can_debug_cmd && debug_support) { 1424 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1425 if (ret) 1426 goto fail_create_attr; 1427 } 1428 1429 /* Create authentication entries */ 1430 tlmi_priv.authentication_kset = kset_create_and_add("authentication", NULL, 1431 &tlmi_priv.class_dev->kobj); 1432 if (!tlmi_priv.authentication_kset) { 1433 ret = -ENOMEM; 1434 goto fail_create_attr; 1435 } 1436 tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset; 1437 ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin"); 1438 if (ret) 1439 goto fail_create_attr; 1440 1441 ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1442 if (ret) 1443 goto fail_create_attr; 1444 1445 tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset; 1446 ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "Power-on"); 1447 if (ret) 1448 goto fail_create_attr; 1449 1450 ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1451 if (ret) 1452 goto fail_create_attr; 1453 1454 if (tlmi_priv.opcode_support) { 1455 tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset; 1456 ret = kobject_add(&tlmi_priv.pwd_system->kobj, NULL, "%s", "System"); 1457 if (ret) 1458 goto fail_create_attr; 1459 1460 ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1461 if (ret) 1462 goto fail_create_attr; 1463 1464 tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset; 1465 ret = kobject_add(&tlmi_priv.pwd_hdd->kobj, NULL, "%s", "HDD"); 1466 if (ret) 1467 goto fail_create_attr; 1468 1469 ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1470 if (ret) 1471 goto fail_create_attr; 1472 1473 tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset; 1474 ret = kobject_add(&tlmi_priv.pwd_nvme->kobj, NULL, "%s", "NVMe"); 1475 if (ret) 1476 goto fail_create_attr; 1477 1478 ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1479 if (ret) 1480 goto fail_create_attr; 1481 } 1482 1483 return ret; 1484 1485 fail_create_attr: 1486 tlmi_release_attr(); 1487 fail_device_created: 1488 device_destroy(fw_attr_class, MKDEV(0, 0)); 1489 fail_class_created: 1490 fw_attributes_class_put(); 1491 return ret; 1492 } 1493 1494 /* ---- Base Driver -------------------------------------------------------- */ 1495 static struct tlmi_pwd_setting *tlmi_create_auth(const char *pwd_type, 1496 const char *pwd_role) 1497 { 1498 struct tlmi_pwd_setting *new_pwd; 1499 1500 new_pwd = kzalloc(sizeof(struct tlmi_pwd_setting), GFP_KERNEL); 1501 if (!new_pwd) 1502 return NULL; 1503 1504 strscpy(new_pwd->kbdlang, "us", TLMI_LANG_MAXLEN); 1505 new_pwd->encoding = TLMI_ENCODING_ASCII; 1506 new_pwd->pwd_type = pwd_type; 1507 new_pwd->role = pwd_role; 1508 new_pwd->minlen = tlmi_priv.pwdcfg.core.min_length; 1509 new_pwd->maxlen = tlmi_priv.pwdcfg.core.max_length; 1510 new_pwd->index = 0; 1511 1512 kobject_init(&new_pwd->kobj, &tlmi_pwd_setting_ktype); 1513 1514 return new_pwd; 1515 } 1516 1517 static int tlmi_analyze(void) 1518 { 1519 int i, ret; 1520 1521 if (wmi_has_guid(LENOVO_SET_BIOS_SETTINGS_GUID) && 1522 wmi_has_guid(LENOVO_SAVE_BIOS_SETTINGS_GUID)) 1523 tlmi_priv.can_set_bios_settings = true; 1524 1525 if (wmi_has_guid(LENOVO_GET_BIOS_SELECTIONS_GUID)) 1526 tlmi_priv.can_get_bios_selections = true; 1527 1528 if (wmi_has_guid(LENOVO_SET_BIOS_PASSWORD_GUID)) 1529 tlmi_priv.can_set_bios_password = true; 1530 1531 if (wmi_has_guid(LENOVO_BIOS_PASSWORD_SETTINGS_GUID)) 1532 tlmi_priv.can_get_password_settings = true; 1533 1534 if (wmi_has_guid(LENOVO_DEBUG_CMD_GUID)) 1535 tlmi_priv.can_debug_cmd = true; 1536 1537 if (wmi_has_guid(LENOVO_OPCODE_IF_GUID)) 1538 tlmi_priv.opcode_support = true; 1539 1540 if (wmi_has_guid(LENOVO_SET_BIOS_CERT_GUID) && 1541 wmi_has_guid(LENOVO_SET_BIOS_SETTING_CERT_GUID) && 1542 wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID)) 1543 tlmi_priv.certificate_support = true; 1544 1545 /* 1546 * Try to find the number of valid settings of this machine 1547 * and use it to create sysfs attributes. 1548 */ 1549 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1550 struct tlmi_attr_setting *setting; 1551 char *item = NULL; 1552 1553 tlmi_priv.setting[i] = NULL; 1554 ret = tlmi_setting(i, &item, LENOVO_BIOS_SETTING_GUID); 1555 if (ret) 1556 break; 1557 if (!item) 1558 break; 1559 if (!*item) { 1560 kfree(item); 1561 continue; 1562 } 1563 1564 /* It is not allowed to have '/' for file name. Convert it into '\'. */ 1565 strreplace(item, '/', '\\'); 1566 1567 /* Remove the value part */ 1568 strreplace(item, ',', '\0'); 1569 1570 /* Create a setting entry */ 1571 setting = kzalloc(sizeof(*setting), GFP_KERNEL); 1572 if (!setting) { 1573 ret = -ENOMEM; 1574 kfree(item); 1575 goto fail_clear_attr; 1576 } 1577 setting->index = i; 1578 strscpy(setting->display_name, item, TLMI_SETTINGS_MAXLEN); 1579 /* If BIOS selections supported, load those */ 1580 if (tlmi_priv.can_get_bios_selections) { 1581 ret = tlmi_get_bios_selections(setting->display_name, 1582 &setting->possible_values); 1583 if (ret || !setting->possible_values) 1584 pr_info("Error retrieving possible values for %d : %s\n", 1585 i, setting->display_name); 1586 } else { 1587 /* 1588 * Older Thinkstations don't support the bios_selections API. 1589 * Instead they store this as a [Optional:Option1,Option2] section of the 1590 * name string. 1591 * Try and pull that out if it's available. 1592 */ 1593 char *optitem, *optstart, *optend; 1594 1595 if (!tlmi_setting(setting->index, &optitem, LENOVO_BIOS_SETTING_GUID)) { 1596 optstart = strstr(optitem, "[Optional:"); 1597 if (optstart) { 1598 optstart += strlen("[Optional:"); 1599 optend = strstr(optstart, "]"); 1600 if (optend) 1601 setting->possible_values = 1602 kstrndup(optstart, optend - optstart, 1603 GFP_KERNEL); 1604 } 1605 kfree(optitem); 1606 } 1607 } 1608 /* 1609 * firmware-attributes requires that possible_values are separated by ';' but 1610 * Lenovo FW uses ','. Replace appropriately. 1611 */ 1612 if (setting->possible_values) 1613 strreplace(setting->possible_values, ',', ';'); 1614 1615 kobject_init(&setting->kobj, &tlmi_attr_setting_ktype); 1616 tlmi_priv.setting[i] = setting; 1617 kfree(item); 1618 } 1619 1620 /* Create password setting structure */ 1621 ret = tlmi_get_pwd_settings(&tlmi_priv.pwdcfg); 1622 if (ret) 1623 goto fail_clear_attr; 1624 1625 /* All failures below boil down to kmalloc failures */ 1626 ret = -ENOMEM; 1627 1628 tlmi_priv.pwd_admin = tlmi_create_auth("pap", "bios-admin"); 1629 if (!tlmi_priv.pwd_admin) 1630 goto fail_clear_attr; 1631 1632 if (tlmi_priv.pwdcfg.core.password_state & TLMI_PAP_PWD) 1633 tlmi_priv.pwd_admin->valid = true; 1634 1635 tlmi_priv.pwd_power = tlmi_create_auth("pop", "power-on"); 1636 if (!tlmi_priv.pwd_power) 1637 goto fail_clear_attr; 1638 1639 if (tlmi_priv.pwdcfg.core.password_state & TLMI_POP_PWD) 1640 tlmi_priv.pwd_power->valid = true; 1641 1642 if (tlmi_priv.opcode_support) { 1643 tlmi_priv.pwd_system = tlmi_create_auth("smp", "system"); 1644 if (!tlmi_priv.pwd_system) 1645 goto fail_clear_attr; 1646 1647 if (tlmi_priv.pwdcfg.core.password_state & TLMI_SMP_PWD) 1648 tlmi_priv.pwd_system->valid = true; 1649 1650 tlmi_priv.pwd_hdd = tlmi_create_auth("hdd", "hdd"); 1651 if (!tlmi_priv.pwd_hdd) 1652 goto fail_clear_attr; 1653 1654 tlmi_priv.pwd_nvme = tlmi_create_auth("nvm", "nvme"); 1655 if (!tlmi_priv.pwd_nvme) 1656 goto fail_clear_attr; 1657 1658 /* Set default hdd/nvme index to 1 as there is no device 0 */ 1659 tlmi_priv.pwd_hdd->index = 1; 1660 tlmi_priv.pwd_nvme->index = 1; 1661 1662 if (tlmi_priv.pwdcfg.core.password_state & TLMI_HDD_PWD) { 1663 /* Check if PWD is configured and set index to first drive found */ 1664 if (tlmi_priv.pwdcfg.ext.hdd_user_password || 1665 tlmi_priv.pwdcfg.ext.hdd_master_password) { 1666 tlmi_priv.pwd_hdd->valid = true; 1667 if (tlmi_priv.pwdcfg.ext.hdd_master_password) 1668 tlmi_priv.pwd_hdd->index = 1669 ffs(tlmi_priv.pwdcfg.ext.hdd_master_password) - 1; 1670 else 1671 tlmi_priv.pwd_hdd->index = 1672 ffs(tlmi_priv.pwdcfg.ext.hdd_user_password) - 1; 1673 } 1674 if (tlmi_priv.pwdcfg.ext.nvme_user_password || 1675 tlmi_priv.pwdcfg.ext.nvme_master_password) { 1676 tlmi_priv.pwd_nvme->valid = true; 1677 if (tlmi_priv.pwdcfg.ext.nvme_master_password) 1678 tlmi_priv.pwd_nvme->index = 1679 ffs(tlmi_priv.pwdcfg.ext.nvme_master_password) - 1; 1680 else 1681 tlmi_priv.pwd_nvme->index = 1682 ffs(tlmi_priv.pwdcfg.ext.nvme_user_password) - 1; 1683 } 1684 } 1685 } 1686 1687 if (tlmi_priv.certificate_support && 1688 (tlmi_priv.pwdcfg.core.password_state & TLMI_CERT)) 1689 tlmi_priv.pwd_admin->cert_installed = true; 1690 1691 return 0; 1692 1693 fail_clear_attr: 1694 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1695 if (tlmi_priv.setting[i]) { 1696 kfree(tlmi_priv.setting[i]->possible_values); 1697 kfree(tlmi_priv.setting[i]); 1698 } 1699 } 1700 kfree(tlmi_priv.pwd_admin); 1701 kfree(tlmi_priv.pwd_power); 1702 kfree(tlmi_priv.pwd_system); 1703 kfree(tlmi_priv.pwd_hdd); 1704 kfree(tlmi_priv.pwd_nvme); 1705 return ret; 1706 } 1707 1708 static void tlmi_remove(struct wmi_device *wdev) 1709 { 1710 tlmi_release_attr(); 1711 device_destroy(fw_attr_class, MKDEV(0, 0)); 1712 fw_attributes_class_put(); 1713 } 1714 1715 static int tlmi_probe(struct wmi_device *wdev, const void *context) 1716 { 1717 int ret; 1718 1719 ret = tlmi_analyze(); 1720 if (ret) 1721 return ret; 1722 1723 return tlmi_sysfs_init(); 1724 } 1725 1726 static const struct wmi_device_id tlmi_id_table[] = { 1727 { .guid_string = LENOVO_BIOS_SETTING_GUID }, 1728 { } 1729 }; 1730 MODULE_DEVICE_TABLE(wmi, tlmi_id_table); 1731 1732 static struct wmi_driver tlmi_driver = { 1733 .driver = { 1734 .name = "think-lmi", 1735 }, 1736 .id_table = tlmi_id_table, 1737 .probe = tlmi_probe, 1738 .remove = tlmi_remove, 1739 }; 1740 1741 MODULE_AUTHOR("Sugumaran L <slacshiminar@lenovo.com>"); 1742 MODULE_AUTHOR("Mark Pearson <markpearson@lenovo.com>"); 1743 MODULE_AUTHOR("Corentin Chary <corentin.chary@gmail.com>"); 1744 MODULE_DESCRIPTION("ThinkLMI Driver"); 1745 MODULE_LICENSE("GPL"); 1746 1747 module_wmi_driver(tlmi_driver); 1748