1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Think LMI BIOS configuration driver 4 * 5 * Copyright(C) 2019-2021 Lenovo 6 * 7 * Original code from Thinkpad-wmi project https://github.com/iksaif/thinkpad-wmi 8 * Copyright(C) 2017 Corentin Chary <corentin.chary@gmail.com> 9 * Distributed under the GPL-2.0 license 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <linux/acpi.h> 15 #include <linux/array_size.h> 16 #include <linux/errno.h> 17 #include <linux/fs.h> 18 #include <linux/mutex.h> 19 #include <linux/string_helpers.h> 20 #include <linux/types.h> 21 #include <linux/dmi.h> 22 #include <linux/wmi.h> 23 #include "firmware_attributes_class.h" 24 #include "think-lmi.h" 25 26 static bool debug_support; 27 module_param(debug_support, bool, 0444); 28 MODULE_PARM_DESC(debug_support, "Enable debug command support"); 29 30 /* 31 * Name: BiosSetting 32 * Description: Get item name and settings for current LMI instance. 33 * Type: Query 34 * Returns: "Item,Value" 35 * Example: "WakeOnLAN,Enable" 36 */ 37 #define LENOVO_BIOS_SETTING_GUID "51F5230E-9677-46CD-A1CF-C0B23EE34DB7" 38 39 /* 40 * Name: SetBiosSetting 41 * Description: Change the BIOS setting to the desired value using the SetBiosSetting 42 * class. To save the settings, use the SaveBiosSetting class. 43 * BIOS settings and values are case sensitive. 44 * After making changes to the BIOS settings, you must reboot the computer 45 * before the changes will take effect. 46 * Type: Method 47 * Arguments: "Item,Value,Password,Encoding,KbdLang;" 48 * Example: "WakeOnLAN,Disable,pa55w0rd,ascii,us;" 49 */ 50 #define LENOVO_SET_BIOS_SETTINGS_GUID "98479A64-33F5-4E33-A707-8E251EBBC3A1" 51 52 /* 53 * Name: SaveBiosSettings 54 * Description: Save any pending changes in settings. 55 * Type: Method 56 * Arguments: "Password,Encoding,KbdLang;" 57 * Example: "pa55w0rd,ascii,us;" 58 */ 59 #define LENOVO_SAVE_BIOS_SETTINGS_GUID "6A4B54EF-A5ED-4D33-9455-B0D9B48DF4B3" 60 61 /* 62 * Name: BiosPasswordSettings 63 * Description: Return BIOS Password settings 64 * Type: Query 65 * Returns: PasswordMode, PasswordState, MinLength, MaxLength, 66 * SupportedEncoding, SupportedKeyboard 67 */ 68 #define LENOVO_BIOS_PASSWORD_SETTINGS_GUID "8ADB159E-1E32-455C-BC93-308A7ED98246" 69 70 /* 71 * Name: SetBiosPassword 72 * Description: Change a specific password. 73 * - BIOS settings cannot be changed at the same boot as power-on 74 * passwords (POP) and hard disk passwords (HDP). If you want to change 75 * BIOS settings and POP or HDP, you must reboot the system after changing 76 * one of them. 77 * - A password cannot be set using this method when one does not already 78 * exist. Passwords can only be updated or cleared. 79 * Type: Method 80 * Arguments: "PasswordType,CurrentPassword,NewPassword,Encoding,KbdLang;" 81 * Example: "pop,pa55w0rd,newpa55w0rd,ascii,us;” 82 */ 83 #define LENOVO_SET_BIOS_PASSWORD_GUID "2651D9FD-911C-4B69-B94E-D0DED5963BD7" 84 85 /* 86 * Name: GetBiosSelections 87 * Description: Return a list of valid settings for a given item. 88 * Type: Method 89 * Arguments: "Item" 90 * Returns: "Value1,Value2,Value3,..." 91 * Example: 92 * -> "FlashOverLAN" 93 * <- "Enabled,Disabled" 94 */ 95 #define LENOVO_GET_BIOS_SELECTIONS_GUID "7364651A-132F-4FE7-ADAA-40C6C7EE2E3B" 96 97 /* 98 * Name: DebugCmd 99 * Description: Debug entry method for entering debug commands to the BIOS 100 */ 101 #define LENOVO_DEBUG_CMD_GUID "7FF47003-3B6C-4E5E-A227-E979824A85D1" 102 103 /* 104 * Name: OpcodeIF 105 * Description: Opcode interface which provides the ability to set multiple 106 * parameters and then trigger an action with a final command. 107 * This is particularly useful for simplifying setting passwords. 108 * With this support comes the ability to set System, HDD and NVMe 109 * passwords. 110 * This is currently available on ThinkCenter and ThinkStations platforms 111 */ 112 #define LENOVO_OPCODE_IF_GUID "DFDDEF2C-57D4-48ce-B196-0FB787D90836" 113 114 /* 115 * Name: SetBiosCert 116 * Description: Install BIOS certificate. 117 * Type: Method 118 * Arguments: "Certificate,Password" 119 * You must reboot the computer before the changes will take effect. 120 */ 121 #define LENOVO_SET_BIOS_CERT_GUID "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE" 122 123 /* 124 * Name: UpdateBiosCert 125 * Description: Update BIOS certificate. 126 * Type: Method 127 * Format: "Certificate,Signature" 128 * You must reboot the computer before the changes will take effect. 129 */ 130 #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE" 131 132 /* 133 * Name: ClearBiosCert 134 * Description: Uninstall BIOS certificate. 135 * Type: Method 136 * Format: "Serial,Signature" 137 * You must reboot the computer before the changes will take effect. 138 */ 139 #define LENOVO_CLEAR_BIOS_CERT_GUID "B2BC39A7-78DD-4D71-B059-A510DEC44890" 140 /* 141 * Name: CertToPassword 142 * Description: Switch from certificate to password authentication. 143 * Type: Method 144 * Format: "Password,Signature" 145 * You must reboot the computer before the changes will take effect. 146 */ 147 #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D" 148 149 /* 150 * Name: SetBiosSettingCert 151 * Description: Set attribute using certificate authentication. 152 * Type: Method 153 * Format: "Item,Value,Signature" 154 */ 155 #define LENOVO_SET_BIOS_SETTING_CERT_GUID "34A008CC-D205-4B62-9E67-31DFA8B90003" 156 157 /* 158 * Name: SaveBiosSettingCert 159 * Description: Save any pending changes in settings. 160 * Type: Method 161 * Format: "Signature" 162 */ 163 #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551" 164 165 /* 166 * Name: CertThumbprint 167 * Description: Display Certificate thumbprints 168 * Type: Query 169 * Returns: MD5, SHA1 & SHA256 thumbprints 170 */ 171 #define LENOVO_CERT_THUMBPRINT_GUID "C59119ED-1C0D-4806-A8E9-59AA318176C4" 172 173 #define TLMI_POP_PWD BIT(0) /* Supervisor */ 174 #define TLMI_PAP_PWD BIT(1) /* Power-on */ 175 #define TLMI_HDD_PWD BIT(2) /* HDD/NVME */ 176 #define TLMI_SMP_PWD BIT(6) /* System Management */ 177 #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */ 178 #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */ 179 180 static const struct tlmi_err_codes tlmi_errs[] = { 181 {"Success", 0}, 182 {"Not Supported", -EOPNOTSUPP}, 183 {"Invalid Parameter", -EINVAL}, 184 {"Access Denied", -EACCES}, 185 {"System Busy", -EBUSY}, 186 }; 187 188 static const char * const encoding_options[] = { 189 [TLMI_ENCODING_ASCII] = "ascii", 190 [TLMI_ENCODING_SCANCODE] = "scancode", 191 }; 192 static const char * const level_options[] = { 193 [TLMI_LEVEL_USER] = "user", 194 [TLMI_LEVEL_MASTER] = "master", 195 }; 196 static struct think_lmi tlmi_priv; 197 static const struct class *fw_attr_class; 198 static DEFINE_MUTEX(tlmi_mutex); 199 200 static inline struct tlmi_pwd_setting *to_tlmi_pwd_setting(struct kobject *kobj) 201 { 202 return container_of(kobj, struct tlmi_pwd_setting, kobj); 203 } 204 205 static inline struct tlmi_attr_setting *to_tlmi_attr_setting(struct kobject *kobj) 206 { 207 return container_of(kobj, struct tlmi_attr_setting, kobj); 208 } 209 210 /* Convert BIOS WMI error string to suitable error code */ 211 static int tlmi_errstr_to_err(const char *errstr) 212 { 213 int i; 214 215 for (i = 0; i < sizeof(tlmi_errs)/sizeof(struct tlmi_err_codes); i++) { 216 if (!strcmp(tlmi_errs[i].err_str, errstr)) 217 return tlmi_errs[i].err_code; 218 } 219 return -EPERM; 220 } 221 222 /* Extract error string from WMI return buffer */ 223 static int tlmi_extract_error(const struct acpi_buffer *output) 224 { 225 const union acpi_object *obj; 226 227 obj = output->pointer; 228 if (!obj) 229 return -ENOMEM; 230 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 231 return -EIO; 232 233 return tlmi_errstr_to_err(obj->string.pointer); 234 } 235 236 /* Utility function to execute WMI call to BIOS */ 237 static int tlmi_simple_call(const char *guid, const char *arg) 238 { 239 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 240 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 241 acpi_status status; 242 int i, err; 243 244 /* 245 * Duplicated call required to match BIOS workaround for behavior 246 * seen when WMI accessed via scripting on other OS. 247 */ 248 for (i = 0; i < 2; i++) { 249 /* (re)initialize output buffer to default state */ 250 output.length = ACPI_ALLOCATE_BUFFER; 251 output.pointer = NULL; 252 253 status = wmi_evaluate_method(guid, 0, 0, &input, &output); 254 if (ACPI_FAILURE(status)) { 255 kfree(output.pointer); 256 return -EIO; 257 } 258 err = tlmi_extract_error(&output); 259 kfree(output.pointer); 260 if (err) 261 return err; 262 } 263 return 0; 264 } 265 266 /* Extract output string from WMI return buffer */ 267 static int tlmi_extract_output_string(const struct acpi_buffer *output, 268 char **string) 269 { 270 const union acpi_object *obj; 271 char *s; 272 273 obj = output->pointer; 274 if (!obj) 275 return -ENOMEM; 276 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 277 return -EIO; 278 279 s = kstrdup(obj->string.pointer, GFP_KERNEL); 280 if (!s) 281 return -ENOMEM; 282 *string = s; 283 return 0; 284 } 285 286 /* ------ Core interface functions ------------*/ 287 288 /* Get password settings from BIOS */ 289 static int tlmi_get_pwd_settings(struct tlmi_pwdcfg *pwdcfg) 290 { 291 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 292 const union acpi_object *obj; 293 acpi_status status; 294 int copy_size; 295 296 if (!tlmi_priv.can_get_password_settings) 297 return -EOPNOTSUPP; 298 299 status = wmi_query_block(LENOVO_BIOS_PASSWORD_SETTINGS_GUID, 0, 300 &output); 301 if (ACPI_FAILURE(status)) 302 return -EIO; 303 304 obj = output.pointer; 305 if (!obj) 306 return -ENOMEM; 307 if (obj->type != ACPI_TYPE_BUFFER || !obj->buffer.pointer) { 308 kfree(obj); 309 return -EIO; 310 } 311 /* 312 * The size of thinkpad_wmi_pcfg on ThinkStation is larger than ThinkPad. 313 * To make the driver compatible on different brands, we permit it to get 314 * the data in below case. 315 * Settings must have at minimum the core fields available 316 */ 317 if (obj->buffer.length < sizeof(struct tlmi_pwdcfg_core)) { 318 pr_warn("Unknown pwdcfg buffer length %d\n", obj->buffer.length); 319 kfree(obj); 320 return -EIO; 321 } 322 323 copy_size = min_t(size_t, obj->buffer.length, sizeof(struct tlmi_pwdcfg)); 324 325 memcpy(pwdcfg, obj->buffer.pointer, copy_size); 326 kfree(obj); 327 328 if (WARN_ON(pwdcfg->core.max_length >= TLMI_PWD_BUFSIZE)) 329 pwdcfg->core.max_length = TLMI_PWD_BUFSIZE - 1; 330 return 0; 331 } 332 333 static int tlmi_save_bios_settings(const char *password) 334 { 335 return tlmi_simple_call(LENOVO_SAVE_BIOS_SETTINGS_GUID, 336 password); 337 } 338 339 static int tlmi_opcode_setting(char *setting, const char *value) 340 { 341 char *opcode_str; 342 int ret; 343 344 opcode_str = kasprintf(GFP_KERNEL, "%s:%s;", setting, value); 345 if (!opcode_str) 346 return -ENOMEM; 347 348 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, opcode_str); 349 kfree(opcode_str); 350 return ret; 351 } 352 353 static int tlmi_setting(int item, char **value, const char *guid_string) 354 { 355 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 356 acpi_status status; 357 int ret; 358 359 status = wmi_query_block(guid_string, item, &output); 360 if (ACPI_FAILURE(status)) { 361 kfree(output.pointer); 362 return -EIO; 363 } 364 365 ret = tlmi_extract_output_string(&output, value); 366 kfree(output.pointer); 367 return ret; 368 } 369 370 static int tlmi_get_bios_selections(const char *item, char **value) 371 { 372 const struct acpi_buffer input = { strlen(item), (char *)item }; 373 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 374 acpi_status status; 375 int ret; 376 377 status = wmi_evaluate_method(LENOVO_GET_BIOS_SELECTIONS_GUID, 378 0, 0, &input, &output); 379 380 if (ACPI_FAILURE(status)) { 381 kfree(output.pointer); 382 return -EIO; 383 } 384 385 ret = tlmi_extract_output_string(&output, value); 386 kfree(output.pointer); 387 return ret; 388 } 389 390 /* ---- Authentication sysfs --------------------------------------------------------- */ 391 static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr, 392 char *buf) 393 { 394 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 395 396 return sysfs_emit(buf, "%d\n", setting->pwd_enabled || setting->cert_installed); 397 } 398 399 static struct kobj_attribute auth_is_pass_set = __ATTR_RO(is_enabled); 400 401 static ssize_t current_password_store(struct kobject *kobj, 402 struct kobj_attribute *attr, 403 const char *buf, size_t count) 404 { 405 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 406 size_t pwdlen; 407 408 pwdlen = strlen(buf); 409 /* pwdlen == 0 is allowed to clear the password */ 410 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) 411 return -EINVAL; 412 413 strscpy(setting->password, buf, setting->maxlen); 414 /* Strip out CR if one is present, setting password won't work if it is present */ 415 strreplace(setting->password, '\n', '\0'); 416 return count; 417 } 418 419 static struct kobj_attribute auth_current_password = __ATTR_WO(current_password); 420 421 static ssize_t new_password_store(struct kobject *kobj, 422 struct kobj_attribute *attr, 423 const char *buf, size_t count) 424 { 425 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 426 char *auth_str, *new_pwd; 427 size_t pwdlen; 428 int ret; 429 430 if (!capable(CAP_SYS_ADMIN)) 431 return -EPERM; 432 433 if (!tlmi_priv.can_set_bios_password) 434 return -EOPNOTSUPP; 435 436 /* Strip out CR if one is present, setting password won't work if it is present */ 437 new_pwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 438 if (!new_pwd) 439 return -ENOMEM; 440 441 /* Use lock in case multiple WMI operations needed */ 442 mutex_lock(&tlmi_mutex); 443 444 pwdlen = strlen(new_pwd); 445 /* pwdlen == 0 is allowed to clear the password */ 446 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) { 447 ret = -EINVAL; 448 goto out; 449 } 450 451 /* If opcode support is present use that interface */ 452 if (tlmi_priv.opcode_support) { 453 char pwd_type[8]; 454 455 /* Special handling required for HDD and NVMe passwords */ 456 if (setting == tlmi_priv.pwd_hdd) { 457 if (setting->level == TLMI_LEVEL_USER) 458 sprintf(pwd_type, "uhdp%d", setting->index); 459 else 460 sprintf(pwd_type, "mhdp%d", setting->index); 461 } else if (setting == tlmi_priv.pwd_nvme) { 462 if (setting->level == TLMI_LEVEL_USER) 463 sprintf(pwd_type, "udrp%d", setting->index); 464 else 465 sprintf(pwd_type, "adrp%d", setting->index); 466 } else { 467 sprintf(pwd_type, "%s", setting->pwd_type); 468 } 469 470 ret = tlmi_opcode_setting("WmiOpcodePasswordType", pwd_type); 471 if (ret) 472 goto out; 473 474 /* 475 * Note admin password is not always required if SMPControl enabled in BIOS, 476 * So only set if it's configured. 477 * Let BIOS figure it out - we'll get an error if operation is not permitted 478 */ 479 if (tlmi_priv.pwd_admin->pwd_enabled && strlen(tlmi_priv.pwd_admin->password)) { 480 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 481 tlmi_priv.pwd_admin->password); 482 if (ret) 483 goto out; 484 } 485 ret = tlmi_opcode_setting("WmiOpcodePasswordCurrent01", setting->password); 486 if (ret) 487 goto out; 488 ret = tlmi_opcode_setting("WmiOpcodePasswordNew01", new_pwd); 489 if (ret) 490 goto out; 491 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, "WmiOpcodePasswordSetUpdate;"); 492 } else { 493 /* Format: 'PasswordType,CurrentPw,NewPw,Encoding,KbdLang;' */ 494 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s,%s;", 495 setting->pwd_type, setting->password, new_pwd, 496 encoding_options[setting->encoding], setting->kbdlang); 497 if (!auth_str) { 498 ret = -ENOMEM; 499 goto out; 500 } 501 ret = tlmi_simple_call(LENOVO_SET_BIOS_PASSWORD_GUID, auth_str); 502 kfree(auth_str); 503 } 504 out: 505 mutex_unlock(&tlmi_mutex); 506 kfree(new_pwd); 507 return ret ?: count; 508 } 509 510 static struct kobj_attribute auth_new_password = __ATTR_WO(new_password); 511 512 static ssize_t min_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 513 char *buf) 514 { 515 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 516 517 return sysfs_emit(buf, "%d\n", setting->minlen); 518 } 519 520 static struct kobj_attribute auth_min_pass_length = __ATTR_RO(min_password_length); 521 522 static ssize_t max_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 523 char *buf) 524 { 525 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 526 527 return sysfs_emit(buf, "%d\n", setting->maxlen); 528 } 529 static struct kobj_attribute auth_max_pass_length = __ATTR_RO(max_password_length); 530 531 static ssize_t mechanism_show(struct kobject *kobj, struct kobj_attribute *attr, 532 char *buf) 533 { 534 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 535 536 if (setting->cert_installed) 537 return sysfs_emit(buf, "certificate\n"); 538 return sysfs_emit(buf, "password\n"); 539 } 540 static struct kobj_attribute auth_mechanism = __ATTR_RO(mechanism); 541 542 static ssize_t encoding_show(struct kobject *kobj, struct kobj_attribute *attr, 543 char *buf) 544 { 545 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 546 547 return sysfs_emit(buf, "%s\n", encoding_options[setting->encoding]); 548 } 549 550 static ssize_t encoding_store(struct kobject *kobj, 551 struct kobj_attribute *attr, 552 const char *buf, size_t count) 553 { 554 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 555 int i; 556 557 /* Scan for a matching profile */ 558 i = sysfs_match_string(encoding_options, buf); 559 if (i < 0) 560 return -EINVAL; 561 562 setting->encoding = i; 563 return count; 564 } 565 566 static struct kobj_attribute auth_encoding = __ATTR_RW(encoding); 567 568 static ssize_t kbdlang_show(struct kobject *kobj, struct kobj_attribute *attr, 569 char *buf) 570 { 571 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 572 573 return sysfs_emit(buf, "%s\n", setting->kbdlang); 574 } 575 576 static ssize_t kbdlang_store(struct kobject *kobj, 577 struct kobj_attribute *attr, 578 const char *buf, size_t count) 579 { 580 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 581 int length; 582 583 /* Calculate length till '\n' or terminating 0 */ 584 length = strchrnul(buf, '\n') - buf; 585 if (!length || length >= TLMI_LANG_MAXLEN) 586 return -EINVAL; 587 588 memcpy(setting->kbdlang, buf, length); 589 setting->kbdlang[length] = '\0'; 590 return count; 591 } 592 593 static struct kobj_attribute auth_kbdlang = __ATTR_RW(kbdlang); 594 595 static ssize_t role_show(struct kobject *kobj, struct kobj_attribute *attr, 596 char *buf) 597 { 598 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 599 600 return sysfs_emit(buf, "%s\n", setting->role); 601 } 602 static struct kobj_attribute auth_role = __ATTR_RO(role); 603 604 static ssize_t index_show(struct kobject *kobj, struct kobj_attribute *attr, 605 char *buf) 606 { 607 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 608 609 return sysfs_emit(buf, "%d\n", setting->index); 610 } 611 612 static ssize_t index_store(struct kobject *kobj, 613 struct kobj_attribute *attr, 614 const char *buf, size_t count) 615 { 616 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 617 int err, val; 618 619 err = kstrtoint(buf, 10, &val); 620 if (err < 0) 621 return err; 622 623 if (val < 0 || val > TLMI_INDEX_MAX) 624 return -EINVAL; 625 626 setting->index = val; 627 return count; 628 } 629 630 static struct kobj_attribute auth_index = __ATTR_RW(index); 631 632 static ssize_t level_show(struct kobject *kobj, struct kobj_attribute *attr, 633 char *buf) 634 { 635 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 636 637 return sysfs_emit(buf, "%s\n", level_options[setting->level]); 638 } 639 640 static ssize_t level_store(struct kobject *kobj, 641 struct kobj_attribute *attr, 642 const char *buf, size_t count) 643 { 644 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 645 int i; 646 647 /* Scan for a matching profile */ 648 i = sysfs_match_string(level_options, buf); 649 if (i < 0) 650 return -EINVAL; 651 652 setting->level = i; 653 return count; 654 } 655 656 static struct kobj_attribute auth_level = __ATTR_RW(level); 657 658 static char *cert_command(struct tlmi_pwd_setting *setting, const char *arg1, const char *arg2) 659 { 660 /* Prepend with SVC or SMC if multicert supported */ 661 if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) 662 return kasprintf(GFP_KERNEL, "%s,%s,%s", 663 setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", 664 arg1, arg2); 665 else 666 return kasprintf(GFP_KERNEL, "%s,%s", arg1, arg2); 667 } 668 669 static ssize_t cert_thumbprint(char *buf, const char *arg, int count) 670 { 671 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 672 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 673 const union acpi_object *obj; 674 acpi_status status; 675 676 status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output); 677 if (ACPI_FAILURE(status)) { 678 kfree(output.pointer); 679 return -EIO; 680 } 681 obj = output.pointer; 682 if (!obj) 683 return -ENOMEM; 684 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) { 685 kfree(output.pointer); 686 return -EIO; 687 } 688 count += sysfs_emit_at(buf, count, "%s : %s\n", arg, (char *)obj->string.pointer); 689 kfree(output.pointer); 690 691 return count; 692 } 693 694 static char *thumbtypes[] = {"Md5", "Sha1", "Sha256"}; 695 696 static ssize_t certificate_thumbprint_show(struct kobject *kobj, struct kobj_attribute *attr, 697 char *buf) 698 { 699 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 700 unsigned int i; 701 int count = 0; 702 char *wmistr; 703 704 if (!tlmi_priv.certificate_support || !setting->cert_installed) 705 return -EOPNOTSUPP; 706 707 for (i = 0; i < ARRAY_SIZE(thumbtypes); i++) { 708 if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { 709 /* Format: 'SVC | SMC, Thumbtype' */ 710 wmistr = kasprintf(GFP_KERNEL, "%s,%s", 711 setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", 712 thumbtypes[i]); 713 } else { 714 /* Format: 'Thumbtype' */ 715 wmistr = kasprintf(GFP_KERNEL, "%s", thumbtypes[i]); 716 } 717 if (!wmistr) 718 return -ENOMEM; 719 count += cert_thumbprint(buf, wmistr, count); 720 kfree(wmistr); 721 } 722 723 return count; 724 } 725 726 static struct kobj_attribute auth_cert_thumb = __ATTR_RO(certificate_thumbprint); 727 728 static ssize_t cert_to_password_store(struct kobject *kobj, 729 struct kobj_attribute *attr, 730 const char *buf, size_t count) 731 { 732 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 733 char *auth_str, *passwd; 734 int ret; 735 736 if (!capable(CAP_SYS_ADMIN)) 737 return -EPERM; 738 739 if (!tlmi_priv.certificate_support) 740 return -EOPNOTSUPP; 741 742 if (!setting->cert_installed) 743 return -EINVAL; 744 745 if (!setting->signature || !setting->signature[0]) 746 return -EACCES; 747 748 /* Strip out CR if one is present */ 749 passwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 750 if (!passwd) 751 return -ENOMEM; 752 753 /* Format: 'Password,Signature' */ 754 auth_str = cert_command(setting, passwd, setting->signature); 755 if (!auth_str) { 756 kfree_sensitive(passwd); 757 return -ENOMEM; 758 } 759 ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str); 760 kfree(auth_str); 761 kfree_sensitive(passwd); 762 763 return ret ?: count; 764 } 765 766 static struct kobj_attribute auth_cert_to_password = __ATTR_WO(cert_to_password); 767 768 enum cert_install_mode { 769 TLMI_CERT_INSTALL, 770 TLMI_CERT_UPDATE, 771 }; 772 773 static ssize_t certificate_store(struct kobject *kobj, 774 struct kobj_attribute *attr, 775 const char *buf, size_t count) 776 { 777 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 778 enum cert_install_mode install_mode = TLMI_CERT_INSTALL; 779 char *auth_str, *new_cert; 780 char *signature; 781 char *guid; 782 int ret; 783 784 if (!capable(CAP_SYS_ADMIN)) 785 return -EPERM; 786 787 if (!tlmi_priv.certificate_support) 788 return -EOPNOTSUPP; 789 790 /* If empty then clear installed certificate */ 791 if ((buf[0] == '\0') || (buf[0] == '\n')) { /* Clear installed certificate */ 792 /* Check that signature is set */ 793 if (!setting->signature || !setting->signature[0]) 794 return -EACCES; 795 796 /* Format: 'serial#, signature' */ 797 auth_str = cert_command(setting, 798 dmi_get_system_info(DMI_PRODUCT_SERIAL), 799 setting->signature); 800 if (!auth_str) 801 return -ENOMEM; 802 803 ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str); 804 kfree(auth_str); 805 806 return ret ?: count; 807 } 808 809 /* Strip out CR if one is present */ 810 new_cert = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 811 if (!new_cert) 812 return -ENOMEM; 813 814 if (setting->cert_installed) { 815 /* Certificate is installed so this is an update */ 816 install_mode = TLMI_CERT_UPDATE; 817 /* If admin account enabled - need to use its signature */ 818 if (tlmi_priv.pwd_admin->pwd_enabled) 819 signature = tlmi_priv.pwd_admin->signature; 820 else 821 signature = setting->signature; 822 } else { /* Cert install */ 823 /* Check if SMC and SVC already installed */ 824 if ((setting == tlmi_priv.pwd_system) && tlmi_priv.pwd_admin->cert_installed) { 825 /* This gets treated as a cert update */ 826 install_mode = TLMI_CERT_UPDATE; 827 signature = tlmi_priv.pwd_admin->signature; 828 } else { /* Regular cert install */ 829 install_mode = TLMI_CERT_INSTALL; 830 signature = setting->signature; 831 } 832 } 833 834 if (install_mode == TLMI_CERT_UPDATE) { 835 /* This is a certificate update */ 836 if (!signature || !signature[0]) { 837 kfree(new_cert); 838 return -EACCES; 839 } 840 guid = LENOVO_UPDATE_BIOS_CERT_GUID; 841 /* Format: 'Certificate,Signature' */ 842 auth_str = cert_command(setting, new_cert, signature); 843 } else { 844 /* This is a fresh install */ 845 /* To set admin cert, a password must be enabled */ 846 if ((setting == tlmi_priv.pwd_admin) && 847 (!setting->pwd_enabled || !setting->password[0])) { 848 kfree(new_cert); 849 return -EACCES; 850 } 851 guid = LENOVO_SET_BIOS_CERT_GUID; 852 /* Format: 'Certificate, password' */ 853 auth_str = cert_command(setting, new_cert, setting->password); 854 } 855 kfree(new_cert); 856 if (!auth_str) 857 return -ENOMEM; 858 859 ret = tlmi_simple_call(guid, auth_str); 860 kfree(auth_str); 861 862 return ret ?: count; 863 } 864 865 static struct kobj_attribute auth_certificate = __ATTR_WO(certificate); 866 867 static ssize_t signature_store(struct kobject *kobj, 868 struct kobj_attribute *attr, 869 const char *buf, size_t count) 870 { 871 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 872 char *new_signature; 873 874 if (!capable(CAP_SYS_ADMIN)) 875 return -EPERM; 876 877 if (!tlmi_priv.certificate_support) 878 return -EOPNOTSUPP; 879 880 /* Strip out CR if one is present */ 881 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 882 if (!new_signature) 883 return -ENOMEM; 884 885 /* Free any previous signature */ 886 kfree(setting->signature); 887 setting->signature = new_signature; 888 889 return count; 890 } 891 892 static struct kobj_attribute auth_signature = __ATTR_WO(signature); 893 894 static ssize_t save_signature_store(struct kobject *kobj, 895 struct kobj_attribute *attr, 896 const char *buf, size_t count) 897 { 898 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 899 char *new_signature; 900 901 if (!capable(CAP_SYS_ADMIN)) 902 return -EPERM; 903 904 if (!tlmi_priv.certificate_support) 905 return -EOPNOTSUPP; 906 907 /* Strip out CR if one is present */ 908 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 909 if (!new_signature) 910 return -ENOMEM; 911 912 /* Free any previous signature */ 913 kfree(setting->save_signature); 914 setting->save_signature = new_signature; 915 916 return count; 917 } 918 919 static struct kobj_attribute auth_save_signature = __ATTR_WO(save_signature); 920 921 static umode_t auth_attr_is_visible(struct kobject *kobj, 922 struct attribute *attr, int n) 923 { 924 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 925 926 /* We only want to display level and index settings on HDD/NVMe */ 927 if (attr == &auth_index.attr || attr == &auth_level.attr) { 928 if ((setting == tlmi_priv.pwd_hdd) || (setting == tlmi_priv.pwd_nvme)) 929 return attr->mode; 930 return 0; 931 } 932 933 /* We only display certificates, if supported */ 934 if (attr == &auth_certificate.attr || 935 attr == &auth_signature.attr || 936 attr == &auth_save_signature.attr || 937 attr == &auth_cert_thumb.attr || 938 attr == &auth_cert_to_password.attr) { 939 if (tlmi_priv.certificate_support) { 940 if (setting == tlmi_priv.pwd_admin) 941 return attr->mode; 942 if ((tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) && 943 (setting == tlmi_priv.pwd_system)) 944 return attr->mode; 945 } 946 return 0; 947 } 948 949 /* Don't display un-needed settings if opcode available */ 950 if ((attr == &auth_encoding.attr || attr == &auth_kbdlang.attr) && 951 tlmi_priv.opcode_support) 952 return 0; 953 954 return attr->mode; 955 } 956 957 static struct attribute *auth_attrs[] = { 958 &auth_is_pass_set.attr, 959 &auth_min_pass_length.attr, 960 &auth_max_pass_length.attr, 961 &auth_current_password.attr, 962 &auth_new_password.attr, 963 &auth_role.attr, 964 &auth_mechanism.attr, 965 &auth_encoding.attr, 966 &auth_kbdlang.attr, 967 &auth_index.attr, 968 &auth_level.attr, 969 &auth_certificate.attr, 970 &auth_signature.attr, 971 &auth_save_signature.attr, 972 &auth_cert_thumb.attr, 973 &auth_cert_to_password.attr, 974 NULL 975 }; 976 977 static const struct attribute_group auth_attr_group = { 978 .is_visible = auth_attr_is_visible, 979 .attrs = auth_attrs, 980 }; 981 982 /* ---- Attributes sysfs --------------------------------------------------------- */ 983 static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr, 984 char *buf) 985 { 986 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 987 988 return sysfs_emit(buf, "%s\n", setting->display_name); 989 } 990 991 static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 992 { 993 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 994 char *item, *value; 995 int ret; 996 997 ret = tlmi_setting(setting->index, &item, LENOVO_BIOS_SETTING_GUID); 998 if (ret) 999 return ret; 1000 1001 /* validate and split from `item,value` -> `value` */ 1002 value = strpbrk(item, ","); 1003 if (!value || value == item || !strlen(value + 1)) 1004 ret = -EINVAL; 1005 else { 1006 /* On Workstations remove the Options part after the value */ 1007 strreplace(value, ';', '\0'); 1008 ret = sysfs_emit(buf, "%s\n", value + 1); 1009 } 1010 kfree(item); 1011 1012 return ret; 1013 } 1014 1015 static ssize_t possible_values_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 1016 { 1017 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1018 1019 return sysfs_emit(buf, "%s\n", setting->possible_values); 1020 } 1021 1022 static ssize_t type_show(struct kobject *kobj, struct kobj_attribute *attr, 1023 char *buf) 1024 { 1025 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1026 1027 if (setting->possible_values) { 1028 /* Figure out what setting type is as BIOS does not return this */ 1029 if (strchr(setting->possible_values, ';')) 1030 return sysfs_emit(buf, "enumeration\n"); 1031 } 1032 /* Anything else is going to be a string */ 1033 return sysfs_emit(buf, "string\n"); 1034 } 1035 1036 static ssize_t current_value_store(struct kobject *kobj, 1037 struct kobj_attribute *attr, 1038 const char *buf, size_t count) 1039 { 1040 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1041 char *set_str = NULL, *new_setting = NULL; 1042 char *auth_str = NULL; 1043 int ret; 1044 1045 if (!tlmi_priv.can_set_bios_settings) 1046 return -EOPNOTSUPP; 1047 1048 /* 1049 * If we are using bulk saves a reboot should be done once save has 1050 * been called 1051 */ 1052 if (tlmi_priv.save_mode == TLMI_SAVE_BULK && tlmi_priv.reboot_required) 1053 return -EPERM; 1054 1055 /* Strip out CR if one is present */ 1056 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 1057 if (!new_setting) 1058 return -ENOMEM; 1059 1060 /* Use lock in case multiple WMI operations needed */ 1061 mutex_lock(&tlmi_mutex); 1062 1063 /* Check if certificate authentication is enabled and active */ 1064 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 1065 if (!tlmi_priv.pwd_admin->signature || !tlmi_priv.pwd_admin->save_signature) { 1066 ret = -EINVAL; 1067 goto out; 1068 } 1069 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name, 1070 new_setting, tlmi_priv.pwd_admin->signature); 1071 if (!set_str) { 1072 ret = -ENOMEM; 1073 goto out; 1074 } 1075 1076 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str); 1077 if (ret) 1078 goto out; 1079 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1080 tlmi_priv.save_required = true; 1081 else 1082 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1083 tlmi_priv.pwd_admin->save_signature); 1084 } else if (tlmi_priv.opcode_support) { 1085 /* 1086 * If opcode support is present use that interface. 1087 * Note - this sets the variable and then the password as separate 1088 * WMI calls. Function tlmi_save_bios_settings will error if the 1089 * password is incorrect. 1090 * Workstation's require the opcode to be set before changing the 1091 * attribute. 1092 */ 1093 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1094 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1095 tlmi_priv.pwd_admin->password); 1096 if (ret) 1097 goto out; 1098 } 1099 1100 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name, 1101 new_setting); 1102 if (!set_str) { 1103 ret = -ENOMEM; 1104 goto out; 1105 } 1106 1107 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1108 if (ret) 1109 goto out; 1110 1111 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1112 tlmi_priv.save_required = true; 1113 else 1114 ret = tlmi_save_bios_settings(""); 1115 } else { /* old non-opcode based authentication method (deprecated) */ 1116 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1117 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1118 tlmi_priv.pwd_admin->password, 1119 encoding_options[tlmi_priv.pwd_admin->encoding], 1120 tlmi_priv.pwd_admin->kbdlang); 1121 if (!auth_str) { 1122 ret = -ENOMEM; 1123 goto out; 1124 } 1125 } 1126 1127 if (auth_str) 1128 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->display_name, 1129 new_setting, auth_str); 1130 else 1131 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name, 1132 new_setting); 1133 if (!set_str) { 1134 ret = -ENOMEM; 1135 goto out; 1136 } 1137 1138 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1139 if (ret) 1140 goto out; 1141 1142 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) { 1143 tlmi_priv.save_required = true; 1144 } else { 1145 if (auth_str) 1146 ret = tlmi_save_bios_settings(auth_str); 1147 else 1148 ret = tlmi_save_bios_settings(""); 1149 } 1150 } 1151 if (!ret && !tlmi_priv.pending_changes) { 1152 tlmi_priv.pending_changes = true; 1153 /* let userland know it may need to check reboot pending again */ 1154 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1155 } 1156 out: 1157 mutex_unlock(&tlmi_mutex); 1158 kfree(auth_str); 1159 kfree(set_str); 1160 kfree(new_setting); 1161 return ret ?: count; 1162 } 1163 1164 static struct kobj_attribute attr_displ_name = __ATTR_RO(display_name); 1165 1166 static struct kobj_attribute attr_possible_values = __ATTR_RO(possible_values); 1167 1168 static struct kobj_attribute attr_current_val = __ATTR_RW_MODE(current_value, 0600); 1169 1170 static struct kobj_attribute attr_type = __ATTR_RO(type); 1171 1172 static umode_t attr_is_visible(struct kobject *kobj, 1173 struct attribute *attr, int n) 1174 { 1175 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1176 1177 /* We don't want to display possible_values attributes if not available */ 1178 if ((attr == &attr_possible_values.attr) && (!setting->possible_values)) 1179 return 0; 1180 1181 return attr->mode; 1182 } 1183 1184 static struct attribute *tlmi_attrs[] = { 1185 &attr_displ_name.attr, 1186 &attr_current_val.attr, 1187 &attr_possible_values.attr, 1188 &attr_type.attr, 1189 NULL 1190 }; 1191 1192 static const struct attribute_group tlmi_attr_group = { 1193 .is_visible = attr_is_visible, 1194 .attrs = tlmi_attrs, 1195 }; 1196 1197 static void tlmi_attr_setting_release(struct kobject *kobj) 1198 { 1199 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1200 1201 kfree(setting->possible_values); 1202 kfree(setting); 1203 } 1204 1205 static void tlmi_pwd_setting_release(struct kobject *kobj) 1206 { 1207 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 1208 1209 kfree(setting); 1210 } 1211 1212 static const struct kobj_type tlmi_attr_setting_ktype = { 1213 .release = &tlmi_attr_setting_release, 1214 .sysfs_ops = &kobj_sysfs_ops, 1215 }; 1216 1217 static const struct kobj_type tlmi_pwd_setting_ktype = { 1218 .release = &tlmi_pwd_setting_release, 1219 .sysfs_ops = &kobj_sysfs_ops, 1220 }; 1221 1222 static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr, 1223 char *buf) 1224 { 1225 return sprintf(buf, "%d\n", tlmi_priv.pending_changes); 1226 } 1227 1228 static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot); 1229 1230 static const char * const save_mode_strings[] = { 1231 [TLMI_SAVE_SINGLE] = "single", 1232 [TLMI_SAVE_BULK] = "bulk", 1233 [TLMI_SAVE_SAVE] = "save" 1234 }; 1235 1236 static ssize_t save_settings_show(struct kobject *kobj, struct kobj_attribute *attr, 1237 char *buf) 1238 { 1239 /* Check that setting is valid */ 1240 if (WARN_ON(tlmi_priv.save_mode < TLMI_SAVE_SINGLE || 1241 tlmi_priv.save_mode > TLMI_SAVE_BULK)) 1242 return -EIO; 1243 return sysfs_emit(buf, "%s\n", save_mode_strings[tlmi_priv.save_mode]); 1244 } 1245 1246 static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *attr, 1247 const char *buf, size_t count) 1248 { 1249 char *auth_str = NULL; 1250 int ret = 0; 1251 int cmd; 1252 1253 cmd = sysfs_match_string(save_mode_strings, buf); 1254 if (cmd < 0) 1255 return cmd; 1256 1257 /* Use lock in case multiple WMI operations needed */ 1258 mutex_lock(&tlmi_mutex); 1259 1260 switch (cmd) { 1261 case TLMI_SAVE_SINGLE: 1262 case TLMI_SAVE_BULK: 1263 tlmi_priv.save_mode = cmd; 1264 goto out; 1265 case TLMI_SAVE_SAVE: 1266 /* Check if supported*/ 1267 if (!tlmi_priv.can_set_bios_settings || 1268 tlmi_priv.save_mode == TLMI_SAVE_SINGLE) { 1269 ret = -EOPNOTSUPP; 1270 goto out; 1271 } 1272 /* Check there is actually something to save */ 1273 if (!tlmi_priv.save_required) { 1274 ret = -ENOENT; 1275 goto out; 1276 } 1277 /* Check if certificate authentication is enabled and active */ 1278 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 1279 if (!tlmi_priv.pwd_admin->signature || 1280 !tlmi_priv.pwd_admin->save_signature) { 1281 ret = -EINVAL; 1282 goto out; 1283 } 1284 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1285 tlmi_priv.pwd_admin->save_signature); 1286 if (ret) 1287 goto out; 1288 } else if (tlmi_priv.opcode_support) { 1289 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1290 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1291 tlmi_priv.pwd_admin->password); 1292 if (ret) 1293 goto out; 1294 } 1295 ret = tlmi_save_bios_settings(""); 1296 } else { /* old non-opcode based authentication method (deprecated) */ 1297 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1298 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1299 tlmi_priv.pwd_admin->password, 1300 encoding_options[tlmi_priv.pwd_admin->encoding], 1301 tlmi_priv.pwd_admin->kbdlang); 1302 if (!auth_str) { 1303 ret = -ENOMEM; 1304 goto out; 1305 } 1306 } 1307 1308 if (auth_str) 1309 ret = tlmi_save_bios_settings(auth_str); 1310 else 1311 ret = tlmi_save_bios_settings(""); 1312 } 1313 tlmi_priv.save_required = false; 1314 tlmi_priv.reboot_required = true; 1315 1316 if (!ret && !tlmi_priv.pending_changes) { 1317 tlmi_priv.pending_changes = true; 1318 /* let userland know it may need to check reboot pending again */ 1319 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1320 } 1321 break; 1322 } 1323 out: 1324 mutex_unlock(&tlmi_mutex); 1325 kfree(auth_str); 1326 return ret ?: count; 1327 } 1328 1329 static struct kobj_attribute save_settings = __ATTR_RW(save_settings); 1330 1331 /* ---- Debug interface--------------------------------------------------------- */ 1332 static ssize_t debug_cmd_store(struct kobject *kobj, struct kobj_attribute *attr, 1333 const char *buf, size_t count) 1334 { 1335 char *set_str = NULL, *new_setting = NULL; 1336 char *auth_str = NULL; 1337 int ret; 1338 1339 if (!tlmi_priv.can_debug_cmd) 1340 return -EOPNOTSUPP; 1341 1342 /* Strip out CR if one is present */ 1343 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 1344 if (!new_setting) 1345 return -ENOMEM; 1346 1347 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1348 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1349 tlmi_priv.pwd_admin->password, 1350 encoding_options[tlmi_priv.pwd_admin->encoding], 1351 tlmi_priv.pwd_admin->kbdlang); 1352 if (!auth_str) { 1353 ret = -ENOMEM; 1354 goto out; 1355 } 1356 } 1357 1358 if (auth_str) 1359 set_str = kasprintf(GFP_KERNEL, "%s,%s", new_setting, auth_str); 1360 else 1361 set_str = kasprintf(GFP_KERNEL, "%s;", new_setting); 1362 if (!set_str) { 1363 ret = -ENOMEM; 1364 goto out; 1365 } 1366 1367 ret = tlmi_simple_call(LENOVO_DEBUG_CMD_GUID, set_str); 1368 if (ret) 1369 goto out; 1370 1371 if (!ret && !tlmi_priv.pending_changes) { 1372 tlmi_priv.pending_changes = true; 1373 /* let userland know it may need to check reboot pending again */ 1374 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1375 } 1376 out: 1377 kfree(auth_str); 1378 kfree(set_str); 1379 kfree(new_setting); 1380 return ret ?: count; 1381 } 1382 1383 static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); 1384 1385 /* ---- Initialisation --------------------------------------------------------- */ 1386 static void tlmi_release_attr(void) 1387 { 1388 int i; 1389 1390 /* Attribute structures */ 1391 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1392 if (tlmi_priv.setting[i]) { 1393 sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1394 kobject_put(&tlmi_priv.setting[i]->kobj); 1395 } 1396 } 1397 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1398 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1399 1400 if (tlmi_priv.can_debug_cmd && debug_support) 1401 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1402 1403 kset_unregister(tlmi_priv.attribute_kset); 1404 1405 /* Free up any saved signatures */ 1406 kfree(tlmi_priv.pwd_admin->signature); 1407 kfree(tlmi_priv.pwd_admin->save_signature); 1408 1409 /* Authentication structures */ 1410 sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1411 kobject_put(&tlmi_priv.pwd_admin->kobj); 1412 sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1413 kobject_put(&tlmi_priv.pwd_power->kobj); 1414 1415 if (tlmi_priv.opcode_support) { 1416 sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1417 kobject_put(&tlmi_priv.pwd_system->kobj); 1418 sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1419 kobject_put(&tlmi_priv.pwd_hdd->kobj); 1420 sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1421 kobject_put(&tlmi_priv.pwd_nvme->kobj); 1422 } 1423 1424 kset_unregister(tlmi_priv.authentication_kset); 1425 } 1426 1427 static int tlmi_validate_setting_name(struct kset *attribute_kset, char *name) 1428 { 1429 struct kobject *duplicate; 1430 1431 if (!strcmp(name, "Reserved")) 1432 return -EINVAL; 1433 1434 duplicate = kset_find_obj(attribute_kset, name); 1435 if (duplicate) { 1436 pr_debug("Duplicate attribute name found - %s\n", name); 1437 /* kset_find_obj() returns a reference */ 1438 kobject_put(duplicate); 1439 return -EBUSY; 1440 } 1441 1442 return 0; 1443 } 1444 1445 static int tlmi_sysfs_init(void) 1446 { 1447 int i, ret; 1448 1449 ret = fw_attributes_class_get(&fw_attr_class); 1450 if (ret) 1451 return ret; 1452 1453 tlmi_priv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0), 1454 NULL, "%s", "thinklmi"); 1455 if (IS_ERR(tlmi_priv.class_dev)) { 1456 ret = PTR_ERR(tlmi_priv.class_dev); 1457 goto fail_class_created; 1458 } 1459 1460 tlmi_priv.attribute_kset = kset_create_and_add("attributes", NULL, 1461 &tlmi_priv.class_dev->kobj); 1462 if (!tlmi_priv.attribute_kset) { 1463 ret = -ENOMEM; 1464 goto fail_device_created; 1465 } 1466 1467 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1468 /* Check if index is a valid setting - skip if it isn't */ 1469 if (!tlmi_priv.setting[i]) 1470 continue; 1471 1472 /* check for duplicate or reserved values */ 1473 if (tlmi_validate_setting_name(tlmi_priv.attribute_kset, 1474 tlmi_priv.setting[i]->display_name) < 0) { 1475 kfree(tlmi_priv.setting[i]->possible_values); 1476 kfree(tlmi_priv.setting[i]); 1477 tlmi_priv.setting[i] = NULL; 1478 continue; 1479 } 1480 1481 /* Build attribute */ 1482 tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset; 1483 ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL, 1484 "%s", tlmi_priv.setting[i]->display_name); 1485 if (ret) 1486 goto fail_create_attr; 1487 1488 ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1489 if (ret) 1490 goto fail_create_attr; 1491 } 1492 1493 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1494 if (ret) 1495 goto fail_create_attr; 1496 1497 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1498 if (ret) 1499 goto fail_create_attr; 1500 1501 if (tlmi_priv.can_debug_cmd && debug_support) { 1502 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1503 if (ret) 1504 goto fail_create_attr; 1505 } 1506 1507 /* Create authentication entries */ 1508 tlmi_priv.authentication_kset = kset_create_and_add("authentication", NULL, 1509 &tlmi_priv.class_dev->kobj); 1510 if (!tlmi_priv.authentication_kset) { 1511 ret = -ENOMEM; 1512 goto fail_create_attr; 1513 } 1514 tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset; 1515 ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin"); 1516 if (ret) 1517 goto fail_create_attr; 1518 1519 ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1520 if (ret) 1521 goto fail_create_attr; 1522 1523 tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset; 1524 ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "Power-on"); 1525 if (ret) 1526 goto fail_create_attr; 1527 1528 ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1529 if (ret) 1530 goto fail_create_attr; 1531 1532 if (tlmi_priv.opcode_support) { 1533 tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset; 1534 ret = kobject_add(&tlmi_priv.pwd_system->kobj, NULL, "%s", "System"); 1535 if (ret) 1536 goto fail_create_attr; 1537 1538 ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1539 if (ret) 1540 goto fail_create_attr; 1541 1542 tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset; 1543 ret = kobject_add(&tlmi_priv.pwd_hdd->kobj, NULL, "%s", "HDD"); 1544 if (ret) 1545 goto fail_create_attr; 1546 1547 ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1548 if (ret) 1549 goto fail_create_attr; 1550 1551 tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset; 1552 ret = kobject_add(&tlmi_priv.pwd_nvme->kobj, NULL, "%s", "NVMe"); 1553 if (ret) 1554 goto fail_create_attr; 1555 1556 ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1557 if (ret) 1558 goto fail_create_attr; 1559 } 1560 1561 return ret; 1562 1563 fail_create_attr: 1564 tlmi_release_attr(); 1565 fail_device_created: 1566 device_destroy(fw_attr_class, MKDEV(0, 0)); 1567 fail_class_created: 1568 fw_attributes_class_put(); 1569 return ret; 1570 } 1571 1572 /* ---- Base Driver -------------------------------------------------------- */ 1573 static struct tlmi_pwd_setting *tlmi_create_auth(const char *pwd_type, 1574 const char *pwd_role) 1575 { 1576 struct tlmi_pwd_setting *new_pwd; 1577 1578 new_pwd = kzalloc(sizeof(struct tlmi_pwd_setting), GFP_KERNEL); 1579 if (!new_pwd) 1580 return NULL; 1581 1582 strscpy(new_pwd->kbdlang, "us"); 1583 new_pwd->encoding = TLMI_ENCODING_ASCII; 1584 new_pwd->pwd_type = pwd_type; 1585 new_pwd->role = pwd_role; 1586 new_pwd->minlen = tlmi_priv.pwdcfg.core.min_length; 1587 new_pwd->maxlen = tlmi_priv.pwdcfg.core.max_length; 1588 new_pwd->index = 0; 1589 1590 kobject_init(&new_pwd->kobj, &tlmi_pwd_setting_ktype); 1591 1592 return new_pwd; 1593 } 1594 1595 static int tlmi_analyze(void) 1596 { 1597 int i, ret; 1598 1599 if (wmi_has_guid(LENOVO_SET_BIOS_SETTINGS_GUID) && 1600 wmi_has_guid(LENOVO_SAVE_BIOS_SETTINGS_GUID)) 1601 tlmi_priv.can_set_bios_settings = true; 1602 1603 if (wmi_has_guid(LENOVO_GET_BIOS_SELECTIONS_GUID)) 1604 tlmi_priv.can_get_bios_selections = true; 1605 1606 if (wmi_has_guid(LENOVO_SET_BIOS_PASSWORD_GUID)) 1607 tlmi_priv.can_set_bios_password = true; 1608 1609 if (wmi_has_guid(LENOVO_BIOS_PASSWORD_SETTINGS_GUID)) 1610 tlmi_priv.can_get_password_settings = true; 1611 1612 if (wmi_has_guid(LENOVO_DEBUG_CMD_GUID)) 1613 tlmi_priv.can_debug_cmd = true; 1614 1615 if (wmi_has_guid(LENOVO_OPCODE_IF_GUID)) 1616 tlmi_priv.opcode_support = true; 1617 1618 if (wmi_has_guid(LENOVO_SET_BIOS_CERT_GUID) && 1619 wmi_has_guid(LENOVO_SET_BIOS_SETTING_CERT_GUID) && 1620 wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID)) 1621 tlmi_priv.certificate_support = true; 1622 1623 /* 1624 * Try to find the number of valid settings of this machine 1625 * and use it to create sysfs attributes. 1626 */ 1627 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1628 struct tlmi_attr_setting *setting; 1629 char *item = NULL; 1630 1631 tlmi_priv.setting[i] = NULL; 1632 ret = tlmi_setting(i, &item, LENOVO_BIOS_SETTING_GUID); 1633 if (ret) 1634 break; 1635 if (!item) 1636 break; 1637 if (!*item) { 1638 kfree(item); 1639 continue; 1640 } 1641 1642 /* It is not allowed to have '/' for file name. Convert it into '\'. */ 1643 strreplace(item, '/', '\\'); 1644 1645 /* Remove the value part */ 1646 strreplace(item, ',', '\0'); 1647 1648 /* Create a setting entry */ 1649 setting = kzalloc(sizeof(*setting), GFP_KERNEL); 1650 if (!setting) { 1651 ret = -ENOMEM; 1652 kfree(item); 1653 goto fail_clear_attr; 1654 } 1655 setting->index = i; 1656 strscpy(setting->display_name, item); 1657 /* If BIOS selections supported, load those */ 1658 if (tlmi_priv.can_get_bios_selections) { 1659 ret = tlmi_get_bios_selections(setting->display_name, 1660 &setting->possible_values); 1661 if (ret || !setting->possible_values) 1662 pr_info("Error retrieving possible values for %d : %s\n", 1663 i, setting->display_name); 1664 } else { 1665 /* 1666 * Older Thinkstations don't support the bios_selections API. 1667 * Instead they store this as a [Optional:Option1,Option2] section of the 1668 * name string. 1669 * Try and pull that out if it's available. 1670 */ 1671 char *optitem, *optstart, *optend; 1672 1673 if (!tlmi_setting(setting->index, &optitem, LENOVO_BIOS_SETTING_GUID)) { 1674 optstart = strstr(optitem, "[Optional:"); 1675 if (optstart) { 1676 optstart += strlen("[Optional:"); 1677 optend = strstr(optstart, "]"); 1678 if (optend) 1679 setting->possible_values = 1680 kstrndup(optstart, optend - optstart, 1681 GFP_KERNEL); 1682 } 1683 kfree(optitem); 1684 } 1685 } 1686 /* 1687 * firmware-attributes requires that possible_values are separated by ';' but 1688 * Lenovo FW uses ','. Replace appropriately. 1689 */ 1690 if (setting->possible_values) 1691 strreplace(setting->possible_values, ',', ';'); 1692 1693 kobject_init(&setting->kobj, &tlmi_attr_setting_ktype); 1694 tlmi_priv.setting[i] = setting; 1695 kfree(item); 1696 } 1697 1698 /* Create password setting structure */ 1699 ret = tlmi_get_pwd_settings(&tlmi_priv.pwdcfg); 1700 if (ret) 1701 goto fail_clear_attr; 1702 1703 /* All failures below boil down to kmalloc failures */ 1704 ret = -ENOMEM; 1705 1706 tlmi_priv.pwd_admin = tlmi_create_auth("pap", "bios-admin"); 1707 if (!tlmi_priv.pwd_admin) 1708 goto fail_clear_attr; 1709 1710 if (tlmi_priv.pwdcfg.core.password_state & TLMI_PAP_PWD) 1711 tlmi_priv.pwd_admin->pwd_enabled = true; 1712 1713 tlmi_priv.pwd_power = tlmi_create_auth("pop", "power-on"); 1714 if (!tlmi_priv.pwd_power) 1715 goto fail_clear_attr; 1716 1717 if (tlmi_priv.pwdcfg.core.password_state & TLMI_POP_PWD) 1718 tlmi_priv.pwd_power->pwd_enabled = true; 1719 1720 if (tlmi_priv.opcode_support) { 1721 tlmi_priv.pwd_system = tlmi_create_auth("smp", "system"); 1722 if (!tlmi_priv.pwd_system) 1723 goto fail_clear_attr; 1724 1725 if (tlmi_priv.pwdcfg.core.password_state & TLMI_SMP_PWD) 1726 tlmi_priv.pwd_system->pwd_enabled = true; 1727 1728 tlmi_priv.pwd_hdd = tlmi_create_auth("hdd", "hdd"); 1729 if (!tlmi_priv.pwd_hdd) 1730 goto fail_clear_attr; 1731 1732 tlmi_priv.pwd_nvme = tlmi_create_auth("nvm", "nvme"); 1733 if (!tlmi_priv.pwd_nvme) 1734 goto fail_clear_attr; 1735 1736 /* Set default hdd/nvme index to 1 as there is no device 0 */ 1737 tlmi_priv.pwd_hdd->index = 1; 1738 tlmi_priv.pwd_nvme->index = 1; 1739 1740 if (tlmi_priv.pwdcfg.core.password_state & TLMI_HDD_PWD) { 1741 /* Check if PWD is configured and set index to first drive found */ 1742 if (tlmi_priv.pwdcfg.ext.hdd_user_password || 1743 tlmi_priv.pwdcfg.ext.hdd_master_password) { 1744 tlmi_priv.pwd_hdd->pwd_enabled = true; 1745 if (tlmi_priv.pwdcfg.ext.hdd_master_password) 1746 tlmi_priv.pwd_hdd->index = 1747 ffs(tlmi_priv.pwdcfg.ext.hdd_master_password) - 1; 1748 else 1749 tlmi_priv.pwd_hdd->index = 1750 ffs(tlmi_priv.pwdcfg.ext.hdd_user_password) - 1; 1751 } 1752 if (tlmi_priv.pwdcfg.ext.nvme_user_password || 1753 tlmi_priv.pwdcfg.ext.nvme_master_password) { 1754 tlmi_priv.pwd_nvme->pwd_enabled = true; 1755 if (tlmi_priv.pwdcfg.ext.nvme_master_password) 1756 tlmi_priv.pwd_nvme->index = 1757 ffs(tlmi_priv.pwdcfg.ext.nvme_master_password) - 1; 1758 else 1759 tlmi_priv.pwd_nvme->index = 1760 ffs(tlmi_priv.pwdcfg.ext.nvme_user_password) - 1; 1761 } 1762 } 1763 } 1764 1765 if (tlmi_priv.certificate_support) { 1766 tlmi_priv.pwd_admin->cert_installed = 1767 tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC; 1768 tlmi_priv.pwd_system->cert_installed = 1769 tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC; 1770 } 1771 return 0; 1772 1773 fail_clear_attr: 1774 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1775 if (tlmi_priv.setting[i]) { 1776 kfree(tlmi_priv.setting[i]->possible_values); 1777 kfree(tlmi_priv.setting[i]); 1778 } 1779 } 1780 kfree(tlmi_priv.pwd_admin); 1781 kfree(tlmi_priv.pwd_power); 1782 kfree(tlmi_priv.pwd_system); 1783 kfree(tlmi_priv.pwd_hdd); 1784 kfree(tlmi_priv.pwd_nvme); 1785 return ret; 1786 } 1787 1788 static void tlmi_remove(struct wmi_device *wdev) 1789 { 1790 tlmi_release_attr(); 1791 device_destroy(fw_attr_class, MKDEV(0, 0)); 1792 fw_attributes_class_put(); 1793 } 1794 1795 static int tlmi_probe(struct wmi_device *wdev, const void *context) 1796 { 1797 int ret; 1798 1799 ret = tlmi_analyze(); 1800 if (ret) 1801 return ret; 1802 1803 return tlmi_sysfs_init(); 1804 } 1805 1806 static const struct wmi_device_id tlmi_id_table[] = { 1807 { .guid_string = LENOVO_BIOS_SETTING_GUID }, 1808 { } 1809 }; 1810 MODULE_DEVICE_TABLE(wmi, tlmi_id_table); 1811 1812 static struct wmi_driver tlmi_driver = { 1813 .driver = { 1814 .name = "think-lmi", 1815 }, 1816 .id_table = tlmi_id_table, 1817 .probe = tlmi_probe, 1818 .remove = tlmi_remove, 1819 }; 1820 1821 MODULE_AUTHOR("Sugumaran L <slacshiminar@lenovo.com>"); 1822 MODULE_AUTHOR("Mark Pearson <markpearson@lenovo.com>"); 1823 MODULE_AUTHOR("Corentin Chary <corentin.chary@gmail.com>"); 1824 MODULE_DESCRIPTION("ThinkLMI Driver"); 1825 MODULE_LICENSE("GPL"); 1826 1827 module_wmi_driver(tlmi_driver); 1828