1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Think LMI BIOS configuration driver 4 * 5 * Copyright(C) 2019-2021 Lenovo 6 * 7 * Original code from Thinkpad-wmi project https://github.com/iksaif/thinkpad-wmi 8 * Copyright(C) 2017 Corentin Chary <corentin.chary@gmail.com> 9 * Distributed under the GPL-2.0 license 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <linux/acpi.h> 15 #include <linux/array_size.h> 16 #include <linux/errno.h> 17 #include <linux/fs.h> 18 #include <linux/mutex.h> 19 #include <linux/string_helpers.h> 20 #include <linux/types.h> 21 #include <linux/dmi.h> 22 #include <linux/wmi.h> 23 #include "firmware_attributes_class.h" 24 #include "think-lmi.h" 25 26 static bool debug_support; 27 module_param(debug_support, bool, 0444); 28 MODULE_PARM_DESC(debug_support, "Enable debug command support"); 29 30 /* 31 * Name: BiosSetting 32 * Description: Get item name and settings for current LMI instance. 33 * Type: Query 34 * Returns: "Item,Value" 35 * Example: "WakeOnLAN,Enable" 36 */ 37 #define LENOVO_BIOS_SETTING_GUID "51F5230E-9677-46CD-A1CF-C0B23EE34DB7" 38 39 /* 40 * Name: SetBiosSetting 41 * Description: Change the BIOS setting to the desired value using the SetBiosSetting 42 * class. To save the settings, use the SaveBiosSetting class. 43 * BIOS settings and values are case sensitive. 44 * After making changes to the BIOS settings, you must reboot the computer 45 * before the changes will take effect. 46 * Type: Method 47 * Arguments: "Item,Value,Password,Encoding,KbdLang;" 48 * Example: "WakeOnLAN,Disable,pa55w0rd,ascii,us;" 49 */ 50 #define LENOVO_SET_BIOS_SETTINGS_GUID "98479A64-33F5-4E33-A707-8E251EBBC3A1" 51 52 /* 53 * Name: SaveBiosSettings 54 * Description: Save any pending changes in settings. 55 * Type: Method 56 * Arguments: "Password,Encoding,KbdLang;" 57 * Example: "pa55w0rd,ascii,us;" 58 */ 59 #define LENOVO_SAVE_BIOS_SETTINGS_GUID "6A4B54EF-A5ED-4D33-9455-B0D9B48DF4B3" 60 61 /* 62 * Name: BiosPasswordSettings 63 * Description: Return BIOS Password settings 64 * Type: Query 65 * Returns: PasswordMode, PasswordState, MinLength, MaxLength, 66 * SupportedEncoding, SupportedKeyboard 67 */ 68 #define LENOVO_BIOS_PASSWORD_SETTINGS_GUID "8ADB159E-1E32-455C-BC93-308A7ED98246" 69 70 /* 71 * Name: SetBiosPassword 72 * Description: Change a specific password. 73 * - BIOS settings cannot be changed at the same boot as power-on 74 * passwords (POP) and hard disk passwords (HDP). If you want to change 75 * BIOS settings and POP or HDP, you must reboot the system after changing 76 * one of them. 77 * - A password cannot be set using this method when one does not already 78 * exist. Passwords can only be updated or cleared. 79 * Type: Method 80 * Arguments: "PasswordType,CurrentPassword,NewPassword,Encoding,KbdLang;" 81 * Example: "pop,pa55w0rd,newpa55w0rd,ascii,us;” 82 */ 83 #define LENOVO_SET_BIOS_PASSWORD_GUID "2651D9FD-911C-4B69-B94E-D0DED5963BD7" 84 85 /* 86 * Name: GetBiosSelections 87 * Description: Return a list of valid settings for a given item. 88 * Type: Method 89 * Arguments: "Item" 90 * Returns: "Value1,Value2,Value3,..." 91 * Example: 92 * -> "FlashOverLAN" 93 * <- "Enabled,Disabled" 94 */ 95 #define LENOVO_GET_BIOS_SELECTIONS_GUID "7364651A-132F-4FE7-ADAA-40C6C7EE2E3B" 96 97 /* 98 * Name: DebugCmd 99 * Description: Debug entry method for entering debug commands to the BIOS 100 */ 101 #define LENOVO_DEBUG_CMD_GUID "7FF47003-3B6C-4E5E-A227-E979824A85D1" 102 103 /* 104 * Name: OpcodeIF 105 * Description: Opcode interface which provides the ability to set multiple 106 * parameters and then trigger an action with a final command. 107 * This is particularly useful for simplifying setting passwords. 108 * With this support comes the ability to set System, HDD and NVMe 109 * passwords. 110 * This is currently available on ThinkCenter and ThinkStations platforms 111 */ 112 #define LENOVO_OPCODE_IF_GUID "DFDDEF2C-57D4-48ce-B196-0FB787D90836" 113 114 /* 115 * Name: SetBiosCert 116 * Description: Install BIOS certificate. 117 * Type: Method 118 * Arguments: "Certificate,Password" 119 * You must reboot the computer before the changes will take effect. 120 */ 121 #define LENOVO_SET_BIOS_CERT_GUID "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE" 122 123 /* 124 * Name: UpdateBiosCert 125 * Description: Update BIOS certificate. 126 * Type: Method 127 * Format: "Certificate,Signature" 128 * You must reboot the computer before the changes will take effect. 129 */ 130 #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE" 131 132 /* 133 * Name: ClearBiosCert 134 * Description: Uninstall BIOS certificate. 135 * Type: Method 136 * Format: "Serial,Signature" 137 * You must reboot the computer before the changes will take effect. 138 */ 139 #define LENOVO_CLEAR_BIOS_CERT_GUID "B2BC39A7-78DD-4D71-B059-A510DEC44890" 140 /* 141 * Name: CertToPassword 142 * Description: Switch from certificate to password authentication. 143 * Type: Method 144 * Format: "Password,Signature" 145 * You must reboot the computer before the changes will take effect. 146 */ 147 #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D" 148 149 /* 150 * Name: SetBiosSettingCert 151 * Description: Set attribute using certificate authentication. 152 * Type: Method 153 * Format: "Item,Value,Signature" 154 */ 155 #define LENOVO_SET_BIOS_SETTING_CERT_GUID "34A008CC-D205-4B62-9E67-31DFA8B90003" 156 157 /* 158 * Name: SaveBiosSettingCert 159 * Description: Save any pending changes in settings. 160 * Type: Method 161 * Format: "Signature" 162 */ 163 #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551" 164 165 /* 166 * Name: CertThumbprint 167 * Description: Display Certificate thumbprints 168 * Type: Query 169 * Returns: MD5, SHA1 & SHA256 thumbprints 170 */ 171 #define LENOVO_CERT_THUMBPRINT_GUID "C59119ED-1C0D-4806-A8E9-59AA318176C4" 172 173 #define TLMI_POP_PWD BIT(0) /* Supervisor */ 174 #define TLMI_PAP_PWD BIT(1) /* Power-on */ 175 #define TLMI_HDD_PWD BIT(2) /* HDD/NVME */ 176 #define TLMI_SMP_PWD BIT(6) /* System Management */ 177 #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */ 178 #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */ 179 180 static const struct tlmi_err_codes tlmi_errs[] = { 181 {"Success", 0}, 182 {"Not Supported", -EOPNOTSUPP}, 183 {"Invalid Parameter", -EINVAL}, 184 {"Access Denied", -EACCES}, 185 {"System Busy", -EBUSY}, 186 }; 187 188 static const char * const encoding_options[] = { 189 [TLMI_ENCODING_ASCII] = "ascii", 190 [TLMI_ENCODING_SCANCODE] = "scancode", 191 }; 192 static const char * const level_options[] = { 193 [TLMI_LEVEL_USER] = "user", 194 [TLMI_LEVEL_MASTER] = "master", 195 }; 196 static struct think_lmi tlmi_priv; 197 static DEFINE_MUTEX(tlmi_mutex); 198 199 static inline struct tlmi_pwd_setting *to_tlmi_pwd_setting(struct kobject *kobj) 200 { 201 return container_of(kobj, struct tlmi_pwd_setting, kobj); 202 } 203 204 static inline struct tlmi_attr_setting *to_tlmi_attr_setting(struct kobject *kobj) 205 { 206 return container_of(kobj, struct tlmi_attr_setting, kobj); 207 } 208 209 /* Convert BIOS WMI error string to suitable error code */ 210 static int tlmi_errstr_to_err(const char *errstr) 211 { 212 int i; 213 214 for (i = 0; i < sizeof(tlmi_errs)/sizeof(struct tlmi_err_codes); i++) { 215 if (!strcmp(tlmi_errs[i].err_str, errstr)) 216 return tlmi_errs[i].err_code; 217 } 218 return -EPERM; 219 } 220 221 /* Extract error string from WMI return buffer */ 222 static int tlmi_extract_error(const struct acpi_buffer *output) 223 { 224 const union acpi_object *obj; 225 226 obj = output->pointer; 227 if (!obj) 228 return -ENOMEM; 229 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 230 return -EIO; 231 232 return tlmi_errstr_to_err(obj->string.pointer); 233 } 234 235 /* Utility function to execute WMI call to BIOS */ 236 static int tlmi_simple_call(const char *guid, const char *arg) 237 { 238 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 239 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 240 acpi_status status; 241 int i, err; 242 243 /* 244 * Duplicated call required to match BIOS workaround for behavior 245 * seen when WMI accessed via scripting on other OS. 246 */ 247 for (i = 0; i < 2; i++) { 248 /* (re)initialize output buffer to default state */ 249 output.length = ACPI_ALLOCATE_BUFFER; 250 output.pointer = NULL; 251 252 status = wmi_evaluate_method(guid, 0, 0, &input, &output); 253 if (ACPI_FAILURE(status)) { 254 kfree(output.pointer); 255 return -EIO; 256 } 257 err = tlmi_extract_error(&output); 258 kfree(output.pointer); 259 if (err) 260 return err; 261 } 262 return 0; 263 } 264 265 /* Extract output string from WMI return value */ 266 static int tlmi_extract_output_string(union acpi_object *obj, char **string) 267 { 268 char *s; 269 270 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) 271 return -EIO; 272 273 s = kstrdup(obj->string.pointer, GFP_KERNEL); 274 if (!s) 275 return -ENOMEM; 276 *string = s; 277 return 0; 278 } 279 280 /* ------ Core interface functions ------------*/ 281 282 /* Get password settings from BIOS */ 283 static int tlmi_get_pwd_settings(struct tlmi_pwdcfg *pwdcfg) 284 { 285 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 286 const union acpi_object *obj; 287 acpi_status status; 288 int copy_size; 289 290 if (!tlmi_priv.can_get_password_settings) 291 return -EOPNOTSUPP; 292 293 status = wmi_query_block(LENOVO_BIOS_PASSWORD_SETTINGS_GUID, 0, 294 &output); 295 if (ACPI_FAILURE(status)) 296 return -EIO; 297 298 obj = output.pointer; 299 if (!obj) 300 return -ENOMEM; 301 if (obj->type != ACPI_TYPE_BUFFER || !obj->buffer.pointer) { 302 kfree(obj); 303 return -EIO; 304 } 305 /* 306 * The size of thinkpad_wmi_pcfg on ThinkStation is larger than ThinkPad. 307 * To make the driver compatible on different brands, we permit it to get 308 * the data in below case. 309 * Settings must have at minimum the core fields available 310 */ 311 if (obj->buffer.length < sizeof(struct tlmi_pwdcfg_core)) { 312 pr_warn("Unknown pwdcfg buffer length %d\n", obj->buffer.length); 313 kfree(obj); 314 return -EIO; 315 } 316 317 copy_size = min_t(size_t, obj->buffer.length, sizeof(struct tlmi_pwdcfg)); 318 319 memcpy(pwdcfg, obj->buffer.pointer, copy_size); 320 kfree(obj); 321 322 if (WARN_ON(pwdcfg->core.max_length >= TLMI_PWD_BUFSIZE)) 323 pwdcfg->core.max_length = TLMI_PWD_BUFSIZE - 1; 324 return 0; 325 } 326 327 static int tlmi_save_bios_settings(const char *password) 328 { 329 return tlmi_simple_call(LENOVO_SAVE_BIOS_SETTINGS_GUID, 330 password); 331 } 332 333 static int tlmi_opcode_setting(char *setting, const char *value) 334 { 335 char *opcode_str; 336 int ret; 337 338 opcode_str = kasprintf(GFP_KERNEL, "%s:%s;", setting, value); 339 if (!opcode_str) 340 return -ENOMEM; 341 342 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, opcode_str); 343 kfree(opcode_str); 344 return ret; 345 } 346 347 static int tlmi_setting(struct wmi_device *wdev, int item, char **value) 348 { 349 union acpi_object *obj; 350 int ret; 351 352 obj = wmidev_block_query(wdev, item); 353 if (!obj) 354 return -EIO; 355 356 ret = tlmi_extract_output_string(obj, value); 357 kfree(obj); 358 359 return ret; 360 } 361 362 static int tlmi_get_bios_selections(const char *item, char **value) 363 { 364 const struct acpi_buffer input = { strlen(item), (char *)item }; 365 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 366 union acpi_object *obj; 367 acpi_status status; 368 int ret; 369 370 status = wmi_evaluate_method(LENOVO_GET_BIOS_SELECTIONS_GUID, 371 0, 0, &input, &output); 372 if (ACPI_FAILURE(status)) 373 return -EIO; 374 375 obj = output.pointer; 376 if (!obj) 377 return -ENODATA; 378 379 ret = tlmi_extract_output_string(obj, value); 380 kfree(obj); 381 382 return ret; 383 } 384 385 /* ---- Authentication sysfs --------------------------------------------------------- */ 386 static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr, 387 char *buf) 388 { 389 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 390 391 return sysfs_emit(buf, "%d\n", setting->pwd_enabled || setting->cert_installed); 392 } 393 394 static struct kobj_attribute auth_is_pass_set = __ATTR_RO(is_enabled); 395 396 static ssize_t current_password_store(struct kobject *kobj, 397 struct kobj_attribute *attr, 398 const char *buf, size_t count) 399 { 400 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 401 size_t pwdlen; 402 403 pwdlen = strlen(buf); 404 /* pwdlen == 0 is allowed to clear the password */ 405 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) 406 return -EINVAL; 407 408 strscpy(setting->password, buf, setting->maxlen); 409 /* Strip out CR if one is present, setting password won't work if it is present */ 410 strreplace(setting->password, '\n', '\0'); 411 return count; 412 } 413 414 static struct kobj_attribute auth_current_password = __ATTR_WO(current_password); 415 416 static ssize_t new_password_store(struct kobject *kobj, 417 struct kobj_attribute *attr, 418 const char *buf, size_t count) 419 { 420 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 421 char *auth_str, *new_pwd; 422 size_t pwdlen; 423 int ret; 424 425 if (!capable(CAP_SYS_ADMIN)) 426 return -EPERM; 427 428 if (!tlmi_priv.can_set_bios_password) 429 return -EOPNOTSUPP; 430 431 /* Strip out CR if one is present, setting password won't work if it is present */ 432 new_pwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 433 if (!new_pwd) 434 return -ENOMEM; 435 436 /* Use lock in case multiple WMI operations needed */ 437 mutex_lock(&tlmi_mutex); 438 439 pwdlen = strlen(new_pwd); 440 /* pwdlen == 0 is allowed to clear the password */ 441 if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) { 442 ret = -EINVAL; 443 goto out; 444 } 445 446 /* If opcode support is present use that interface */ 447 if (tlmi_priv.opcode_support) { 448 char pwd_type[8]; 449 450 /* Special handling required for HDD and NVMe passwords */ 451 if (setting == tlmi_priv.pwd_hdd) { 452 if (setting->level == TLMI_LEVEL_USER) 453 sprintf(pwd_type, "uhdp%d", setting->index); 454 else 455 sprintf(pwd_type, "mhdp%d", setting->index); 456 } else if (setting == tlmi_priv.pwd_nvme) { 457 if (setting->level == TLMI_LEVEL_USER) 458 sprintf(pwd_type, "udrp%d", setting->index); 459 else 460 sprintf(pwd_type, "adrp%d", setting->index); 461 } else { 462 sprintf(pwd_type, "%s", setting->pwd_type); 463 } 464 465 ret = tlmi_opcode_setting("WmiOpcodePasswordType", pwd_type); 466 if (ret) 467 goto out; 468 469 /* 470 * Note admin password is not always required if SMPControl enabled in BIOS, 471 * So only set if it's configured. 472 * Let BIOS figure it out - we'll get an error if operation is not permitted 473 */ 474 if (tlmi_priv.pwd_admin->pwd_enabled && strlen(tlmi_priv.pwd_admin->password)) { 475 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 476 tlmi_priv.pwd_admin->password); 477 if (ret) 478 goto out; 479 } 480 ret = tlmi_opcode_setting("WmiOpcodePasswordCurrent01", setting->password); 481 if (ret) 482 goto out; 483 ret = tlmi_opcode_setting("WmiOpcodePasswordNew01", new_pwd); 484 if (ret) 485 goto out; 486 ret = tlmi_simple_call(LENOVO_OPCODE_IF_GUID, "WmiOpcodePasswordSetUpdate;"); 487 } else { 488 /* Format: 'PasswordType,CurrentPw,NewPw,Encoding,KbdLang;' */ 489 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s,%s;", 490 setting->pwd_type, setting->password, new_pwd, 491 encoding_options[setting->encoding], setting->kbdlang); 492 if (!auth_str) { 493 ret = -ENOMEM; 494 goto out; 495 } 496 ret = tlmi_simple_call(LENOVO_SET_BIOS_PASSWORD_GUID, auth_str); 497 kfree(auth_str); 498 } 499 out: 500 mutex_unlock(&tlmi_mutex); 501 kfree(new_pwd); 502 return ret ?: count; 503 } 504 505 static struct kobj_attribute auth_new_password = __ATTR_WO(new_password); 506 507 static ssize_t min_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 508 char *buf) 509 { 510 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 511 512 return sysfs_emit(buf, "%d\n", setting->minlen); 513 } 514 515 static struct kobj_attribute auth_min_pass_length = __ATTR_RO(min_password_length); 516 517 static ssize_t max_password_length_show(struct kobject *kobj, struct kobj_attribute *attr, 518 char *buf) 519 { 520 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 521 522 return sysfs_emit(buf, "%d\n", setting->maxlen); 523 } 524 static struct kobj_attribute auth_max_pass_length = __ATTR_RO(max_password_length); 525 526 static ssize_t mechanism_show(struct kobject *kobj, struct kobj_attribute *attr, 527 char *buf) 528 { 529 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 530 531 if (setting->cert_installed) 532 return sysfs_emit(buf, "certificate\n"); 533 return sysfs_emit(buf, "password\n"); 534 } 535 static struct kobj_attribute auth_mechanism = __ATTR_RO(mechanism); 536 537 static ssize_t encoding_show(struct kobject *kobj, struct kobj_attribute *attr, 538 char *buf) 539 { 540 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 541 542 return sysfs_emit(buf, "%s\n", encoding_options[setting->encoding]); 543 } 544 545 static ssize_t encoding_store(struct kobject *kobj, 546 struct kobj_attribute *attr, 547 const char *buf, size_t count) 548 { 549 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 550 int i; 551 552 /* Scan for a matching profile */ 553 i = sysfs_match_string(encoding_options, buf); 554 if (i < 0) 555 return -EINVAL; 556 557 setting->encoding = i; 558 return count; 559 } 560 561 static struct kobj_attribute auth_encoding = __ATTR_RW(encoding); 562 563 static ssize_t kbdlang_show(struct kobject *kobj, struct kobj_attribute *attr, 564 char *buf) 565 { 566 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 567 568 return sysfs_emit(buf, "%s\n", setting->kbdlang); 569 } 570 571 static ssize_t kbdlang_store(struct kobject *kobj, 572 struct kobj_attribute *attr, 573 const char *buf, size_t count) 574 { 575 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 576 int length; 577 578 /* Calculate length till '\n' or terminating 0 */ 579 length = strchrnul(buf, '\n') - buf; 580 if (!length || length >= TLMI_LANG_MAXLEN) 581 return -EINVAL; 582 583 memcpy(setting->kbdlang, buf, length); 584 setting->kbdlang[length] = '\0'; 585 return count; 586 } 587 588 static struct kobj_attribute auth_kbdlang = __ATTR_RW(kbdlang); 589 590 static ssize_t role_show(struct kobject *kobj, struct kobj_attribute *attr, 591 char *buf) 592 { 593 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 594 595 return sysfs_emit(buf, "%s\n", setting->role); 596 } 597 static struct kobj_attribute auth_role = __ATTR_RO(role); 598 599 static ssize_t index_show(struct kobject *kobj, struct kobj_attribute *attr, 600 char *buf) 601 { 602 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 603 604 return sysfs_emit(buf, "%d\n", setting->index); 605 } 606 607 static ssize_t index_store(struct kobject *kobj, 608 struct kobj_attribute *attr, 609 const char *buf, size_t count) 610 { 611 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 612 int err, val; 613 614 err = kstrtoint(buf, 10, &val); 615 if (err < 0) 616 return err; 617 618 if (val < 0 || val > TLMI_INDEX_MAX) 619 return -EINVAL; 620 621 setting->index = val; 622 return count; 623 } 624 625 static struct kobj_attribute auth_index = __ATTR_RW(index); 626 627 static ssize_t level_show(struct kobject *kobj, struct kobj_attribute *attr, 628 char *buf) 629 { 630 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 631 632 return sysfs_emit(buf, "%s\n", level_options[setting->level]); 633 } 634 635 static ssize_t level_store(struct kobject *kobj, 636 struct kobj_attribute *attr, 637 const char *buf, size_t count) 638 { 639 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 640 int i; 641 642 /* Scan for a matching profile */ 643 i = sysfs_match_string(level_options, buf); 644 if (i < 0) 645 return -EINVAL; 646 647 setting->level = i; 648 return count; 649 } 650 651 static struct kobj_attribute auth_level = __ATTR_RW(level); 652 653 static char *cert_command(struct tlmi_pwd_setting *setting, const char *arg1, const char *arg2) 654 { 655 /* Prepend with SVC or SMC if multicert supported */ 656 if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) 657 return kasprintf(GFP_KERNEL, "%s,%s,%s", 658 setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", 659 arg1, arg2); 660 else 661 return kasprintf(GFP_KERNEL, "%s,%s", arg1, arg2); 662 } 663 664 static ssize_t cert_thumbprint(char *buf, const char *arg, int count) 665 { 666 const struct acpi_buffer input = { strlen(arg), (char *)arg }; 667 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; 668 const union acpi_object *obj; 669 acpi_status status; 670 671 status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output); 672 if (ACPI_FAILURE(status)) { 673 kfree(output.pointer); 674 return -EIO; 675 } 676 obj = output.pointer; 677 if (!obj) 678 return -ENOMEM; 679 if (obj->type != ACPI_TYPE_STRING || !obj->string.pointer) { 680 kfree(output.pointer); 681 return -EIO; 682 } 683 count += sysfs_emit_at(buf, count, "%s : %s\n", arg, (char *)obj->string.pointer); 684 kfree(output.pointer); 685 686 return count; 687 } 688 689 static char *thumbtypes[] = {"Md5", "Sha1", "Sha256"}; 690 691 static ssize_t certificate_thumbprint_show(struct kobject *kobj, struct kobj_attribute *attr, 692 char *buf) 693 { 694 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 695 unsigned int i; 696 int count = 0; 697 char *wmistr; 698 699 if (!tlmi_priv.certificate_support || !setting->cert_installed) 700 return -EOPNOTSUPP; 701 702 for (i = 0; i < ARRAY_SIZE(thumbtypes); i++) { 703 if (tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) { 704 /* Format: 'SVC | SMC, Thumbtype' */ 705 wmistr = kasprintf(GFP_KERNEL, "%s,%s", 706 setting == tlmi_priv.pwd_admin ? "SVC" : "SMC", 707 thumbtypes[i]); 708 } else { 709 /* Format: 'Thumbtype' */ 710 wmistr = kasprintf(GFP_KERNEL, "%s", thumbtypes[i]); 711 } 712 if (!wmistr) 713 return -ENOMEM; 714 count += cert_thumbprint(buf, wmistr, count); 715 kfree(wmistr); 716 } 717 718 return count; 719 } 720 721 static struct kobj_attribute auth_cert_thumb = __ATTR_RO(certificate_thumbprint); 722 723 static ssize_t cert_to_password_store(struct kobject *kobj, 724 struct kobj_attribute *attr, 725 const char *buf, size_t count) 726 { 727 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 728 char *auth_str, *passwd; 729 int ret; 730 731 if (!capable(CAP_SYS_ADMIN)) 732 return -EPERM; 733 734 if (!tlmi_priv.certificate_support) 735 return -EOPNOTSUPP; 736 737 if (!setting->cert_installed) 738 return -EINVAL; 739 740 if (!setting->signature || !setting->signature[0]) 741 return -EACCES; 742 743 /* Strip out CR if one is present */ 744 passwd = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 745 if (!passwd) 746 return -ENOMEM; 747 748 /* Format: 'Password,Signature' */ 749 auth_str = cert_command(setting, passwd, setting->signature); 750 if (!auth_str) { 751 kfree_sensitive(passwd); 752 return -ENOMEM; 753 } 754 ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str); 755 kfree(auth_str); 756 kfree_sensitive(passwd); 757 758 return ret ?: count; 759 } 760 761 static struct kobj_attribute auth_cert_to_password = __ATTR_WO(cert_to_password); 762 763 enum cert_install_mode { 764 TLMI_CERT_INSTALL, 765 TLMI_CERT_UPDATE, 766 }; 767 768 static ssize_t certificate_store(struct kobject *kobj, 769 struct kobj_attribute *attr, 770 const char *buf, size_t count) 771 { 772 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 773 enum cert_install_mode install_mode = TLMI_CERT_INSTALL; 774 char *auth_str, *new_cert; 775 char *signature; 776 char *guid; 777 int ret; 778 779 if (!capable(CAP_SYS_ADMIN)) 780 return -EPERM; 781 782 if (!tlmi_priv.certificate_support) 783 return -EOPNOTSUPP; 784 785 /* If empty then clear installed certificate */ 786 if ((buf[0] == '\0') || (buf[0] == '\n')) { /* Clear installed certificate */ 787 /* Check that signature is set */ 788 if (!setting->signature || !setting->signature[0]) 789 return -EACCES; 790 791 /* Format: 'serial#, signature' */ 792 auth_str = cert_command(setting, 793 dmi_get_system_info(DMI_PRODUCT_SERIAL), 794 setting->signature); 795 if (!auth_str) 796 return -ENOMEM; 797 798 ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str); 799 kfree(auth_str); 800 801 return ret ?: count; 802 } 803 804 /* Strip out CR if one is present */ 805 new_cert = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 806 if (!new_cert) 807 return -ENOMEM; 808 809 if (setting->cert_installed) { 810 /* Certificate is installed so this is an update */ 811 install_mode = TLMI_CERT_UPDATE; 812 /* If admin account enabled - need to use its signature */ 813 if (tlmi_priv.pwd_admin->pwd_enabled) 814 signature = tlmi_priv.pwd_admin->signature; 815 else 816 signature = setting->signature; 817 } else { /* Cert install */ 818 /* Check if SMC and SVC already installed */ 819 if ((setting == tlmi_priv.pwd_system) && tlmi_priv.pwd_admin->cert_installed) { 820 /* This gets treated as a cert update */ 821 install_mode = TLMI_CERT_UPDATE; 822 signature = tlmi_priv.pwd_admin->signature; 823 } else { /* Regular cert install */ 824 install_mode = TLMI_CERT_INSTALL; 825 signature = setting->signature; 826 } 827 } 828 829 if (install_mode == TLMI_CERT_UPDATE) { 830 /* This is a certificate update */ 831 if (!signature || !signature[0]) { 832 kfree(new_cert); 833 return -EACCES; 834 } 835 guid = LENOVO_UPDATE_BIOS_CERT_GUID; 836 /* Format: 'Certificate,Signature' */ 837 auth_str = cert_command(setting, new_cert, signature); 838 } else { 839 /* This is a fresh install */ 840 /* To set admin cert, a password must be enabled */ 841 if ((setting == tlmi_priv.pwd_admin) && 842 (!setting->pwd_enabled || !setting->password[0])) { 843 kfree(new_cert); 844 return -EACCES; 845 } 846 guid = LENOVO_SET_BIOS_CERT_GUID; 847 /* Format: 'Certificate, password' */ 848 auth_str = cert_command(setting, new_cert, setting->password); 849 } 850 kfree(new_cert); 851 if (!auth_str) 852 return -ENOMEM; 853 854 ret = tlmi_simple_call(guid, auth_str); 855 kfree(auth_str); 856 857 return ret ?: count; 858 } 859 860 static struct kobj_attribute auth_certificate = __ATTR_WO(certificate); 861 862 static ssize_t signature_store(struct kobject *kobj, 863 struct kobj_attribute *attr, 864 const char *buf, size_t count) 865 { 866 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 867 char *new_signature; 868 869 if (!capable(CAP_SYS_ADMIN)) 870 return -EPERM; 871 872 if (!tlmi_priv.certificate_support) 873 return -EOPNOTSUPP; 874 875 /* Strip out CR if one is present */ 876 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 877 if (!new_signature) 878 return -ENOMEM; 879 880 /* Free any previous signature */ 881 kfree(setting->signature); 882 setting->signature = new_signature; 883 884 return count; 885 } 886 887 static struct kobj_attribute auth_signature = __ATTR_WO(signature); 888 889 static ssize_t save_signature_store(struct kobject *kobj, 890 struct kobj_attribute *attr, 891 const char *buf, size_t count) 892 { 893 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 894 char *new_signature; 895 896 if (!capable(CAP_SYS_ADMIN)) 897 return -EPERM; 898 899 if (!tlmi_priv.certificate_support) 900 return -EOPNOTSUPP; 901 902 /* Strip out CR if one is present */ 903 new_signature = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 904 if (!new_signature) 905 return -ENOMEM; 906 907 /* Free any previous signature */ 908 kfree(setting->save_signature); 909 setting->save_signature = new_signature; 910 911 return count; 912 } 913 914 static struct kobj_attribute auth_save_signature = __ATTR_WO(save_signature); 915 916 static umode_t auth_attr_is_visible(struct kobject *kobj, 917 struct attribute *attr, int n) 918 { 919 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 920 921 /* We only want to display level and index settings on HDD/NVMe */ 922 if (attr == &auth_index.attr || attr == &auth_level.attr) { 923 if ((setting == tlmi_priv.pwd_hdd) || (setting == tlmi_priv.pwd_nvme)) 924 return attr->mode; 925 return 0; 926 } 927 928 /* We only display certificates, if supported */ 929 if (attr == &auth_certificate.attr || 930 attr == &auth_signature.attr || 931 attr == &auth_save_signature.attr || 932 attr == &auth_cert_thumb.attr || 933 attr == &auth_cert_to_password.attr) { 934 if (tlmi_priv.certificate_support) { 935 if (setting == tlmi_priv.pwd_admin) 936 return attr->mode; 937 if ((tlmi_priv.pwdcfg.core.password_mode >= TLMI_PWDCFG_MODE_MULTICERT) && 938 (setting == tlmi_priv.pwd_system)) 939 return attr->mode; 940 } 941 return 0; 942 } 943 944 /* Don't display un-needed settings if opcode available */ 945 if ((attr == &auth_encoding.attr || attr == &auth_kbdlang.attr) && 946 tlmi_priv.opcode_support) 947 return 0; 948 949 return attr->mode; 950 } 951 952 static struct attribute *auth_attrs[] = { 953 &auth_is_pass_set.attr, 954 &auth_min_pass_length.attr, 955 &auth_max_pass_length.attr, 956 &auth_current_password.attr, 957 &auth_new_password.attr, 958 &auth_role.attr, 959 &auth_mechanism.attr, 960 &auth_encoding.attr, 961 &auth_kbdlang.attr, 962 &auth_index.attr, 963 &auth_level.attr, 964 &auth_certificate.attr, 965 &auth_signature.attr, 966 &auth_save_signature.attr, 967 &auth_cert_thumb.attr, 968 &auth_cert_to_password.attr, 969 NULL 970 }; 971 972 static const struct attribute_group auth_attr_group = { 973 .is_visible = auth_attr_is_visible, 974 .attrs = auth_attrs, 975 }; 976 977 /* ---- Attributes sysfs --------------------------------------------------------- */ 978 static ssize_t display_name_show(struct kobject *kobj, struct kobj_attribute *attr, 979 char *buf) 980 { 981 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 982 983 return sysfs_emit(buf, "%s\n", setting->display_name); 984 } 985 986 static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 987 { 988 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 989 char *item, *value; 990 int ret; 991 992 ret = tlmi_setting(setting->wdev, setting->index, &item); 993 if (ret) 994 return ret; 995 996 /* validate and split from `item,value` -> `value` */ 997 value = strpbrk(item, ","); 998 if (!value || value == item || !strlen(value + 1)) 999 ret = -EINVAL; 1000 else { 1001 /* On Workstations remove the Options part after the value */ 1002 strreplace(value, ';', '\0'); 1003 ret = sysfs_emit(buf, "%s\n", value + 1); 1004 } 1005 kfree(item); 1006 1007 return ret; 1008 } 1009 1010 static ssize_t possible_values_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) 1011 { 1012 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1013 1014 return sysfs_emit(buf, "%s\n", setting->possible_values); 1015 } 1016 1017 static ssize_t type_show(struct kobject *kobj, struct kobj_attribute *attr, 1018 char *buf) 1019 { 1020 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1021 1022 if (setting->possible_values) { 1023 /* Figure out what setting type is as BIOS does not return this */ 1024 if (strchr(setting->possible_values, ';')) 1025 return sysfs_emit(buf, "enumeration\n"); 1026 } 1027 /* Anything else is going to be a string */ 1028 return sysfs_emit(buf, "string\n"); 1029 } 1030 1031 static ssize_t current_value_store(struct kobject *kobj, 1032 struct kobj_attribute *attr, 1033 const char *buf, size_t count) 1034 { 1035 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1036 char *set_str = NULL, *new_setting = NULL; 1037 char *auth_str = NULL; 1038 int ret; 1039 1040 if (!tlmi_priv.can_set_bios_settings) 1041 return -EOPNOTSUPP; 1042 1043 /* 1044 * If we are using bulk saves a reboot should be done once save has 1045 * been called 1046 */ 1047 if (tlmi_priv.save_mode == TLMI_SAVE_BULK && tlmi_priv.reboot_required) 1048 return -EPERM; 1049 1050 /* Strip out CR if one is present */ 1051 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 1052 if (!new_setting) 1053 return -ENOMEM; 1054 1055 /* Use lock in case multiple WMI operations needed */ 1056 mutex_lock(&tlmi_mutex); 1057 1058 /* Check if certificate authentication is enabled and active */ 1059 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 1060 if (!tlmi_priv.pwd_admin->signature || !tlmi_priv.pwd_admin->save_signature) { 1061 ret = -EINVAL; 1062 goto out; 1063 } 1064 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->name, 1065 new_setting, tlmi_priv.pwd_admin->signature); 1066 if (!set_str) { 1067 ret = -ENOMEM; 1068 goto out; 1069 } 1070 1071 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str); 1072 if (ret) 1073 goto out; 1074 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1075 tlmi_priv.save_required = true; 1076 else 1077 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1078 tlmi_priv.pwd_admin->save_signature); 1079 } else if (tlmi_priv.opcode_support) { 1080 /* 1081 * If opcode support is present use that interface. 1082 * Note - this sets the variable and then the password as separate 1083 * WMI calls. Function tlmi_save_bios_settings will error if the 1084 * password is incorrect. 1085 * Workstation's require the opcode to be set before changing the 1086 * attribute. 1087 */ 1088 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1089 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1090 tlmi_priv.pwd_admin->password); 1091 if (ret) 1092 goto out; 1093 } 1094 1095 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->name, 1096 new_setting); 1097 if (!set_str) { 1098 ret = -ENOMEM; 1099 goto out; 1100 } 1101 1102 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1103 if (ret) 1104 goto out; 1105 1106 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) 1107 tlmi_priv.save_required = true; 1108 else 1109 ret = tlmi_save_bios_settings(""); 1110 } else { /* old non-opcode based authentication method (deprecated) */ 1111 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1112 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1113 tlmi_priv.pwd_admin->password, 1114 encoding_options[tlmi_priv.pwd_admin->encoding], 1115 tlmi_priv.pwd_admin->kbdlang); 1116 if (!auth_str) { 1117 ret = -ENOMEM; 1118 goto out; 1119 } 1120 } 1121 1122 if (auth_str) 1123 set_str = kasprintf(GFP_KERNEL, "%s,%s,%s", setting->name, 1124 new_setting, auth_str); 1125 else 1126 set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->name, 1127 new_setting); 1128 if (!set_str) { 1129 ret = -ENOMEM; 1130 goto out; 1131 } 1132 1133 ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str); 1134 if (ret) 1135 goto out; 1136 1137 if (tlmi_priv.save_mode == TLMI_SAVE_BULK) { 1138 tlmi_priv.save_required = true; 1139 } else { 1140 if (auth_str) 1141 ret = tlmi_save_bios_settings(auth_str); 1142 else 1143 ret = tlmi_save_bios_settings(""); 1144 } 1145 } 1146 if (!ret && !tlmi_priv.pending_changes) { 1147 tlmi_priv.pending_changes = true; 1148 /* let userland know it may need to check reboot pending again */ 1149 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1150 } 1151 out: 1152 mutex_unlock(&tlmi_mutex); 1153 kfree(auth_str); 1154 kfree(set_str); 1155 kfree(new_setting); 1156 return ret ?: count; 1157 } 1158 1159 static struct kobj_attribute attr_displ_name = __ATTR_RO(display_name); 1160 1161 static struct kobj_attribute attr_possible_values = __ATTR_RO(possible_values); 1162 1163 static struct kobj_attribute attr_current_val = __ATTR_RW_MODE(current_value, 0600); 1164 1165 static struct kobj_attribute attr_type = __ATTR_RO(type); 1166 1167 static umode_t attr_is_visible(struct kobject *kobj, 1168 struct attribute *attr, int n) 1169 { 1170 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1171 1172 /* We don't want to display possible_values attributes if not available */ 1173 if ((attr == &attr_possible_values.attr) && (!setting->possible_values)) 1174 return 0; 1175 1176 return attr->mode; 1177 } 1178 1179 static struct attribute *tlmi_attrs[] = { 1180 &attr_displ_name.attr, 1181 &attr_current_val.attr, 1182 &attr_possible_values.attr, 1183 &attr_type.attr, 1184 NULL 1185 }; 1186 1187 static const struct attribute_group tlmi_attr_group = { 1188 .is_visible = attr_is_visible, 1189 .attrs = tlmi_attrs, 1190 }; 1191 1192 static void tlmi_attr_setting_release(struct kobject *kobj) 1193 { 1194 struct tlmi_attr_setting *setting = to_tlmi_attr_setting(kobj); 1195 1196 kfree(setting->possible_values); 1197 kfree(setting); 1198 } 1199 1200 static void tlmi_pwd_setting_release(struct kobject *kobj) 1201 { 1202 struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); 1203 1204 kfree(setting); 1205 } 1206 1207 static const struct kobj_type tlmi_attr_setting_ktype = { 1208 .release = &tlmi_attr_setting_release, 1209 .sysfs_ops = &kobj_sysfs_ops, 1210 }; 1211 1212 static const struct kobj_type tlmi_pwd_setting_ktype = { 1213 .release = &tlmi_pwd_setting_release, 1214 .sysfs_ops = &kobj_sysfs_ops, 1215 }; 1216 1217 static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr, 1218 char *buf) 1219 { 1220 return sprintf(buf, "%d\n", tlmi_priv.pending_changes); 1221 } 1222 1223 static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot); 1224 1225 static const char * const save_mode_strings[] = { 1226 [TLMI_SAVE_SINGLE] = "single", 1227 [TLMI_SAVE_BULK] = "bulk", 1228 [TLMI_SAVE_SAVE] = "save" 1229 }; 1230 1231 static ssize_t save_settings_show(struct kobject *kobj, struct kobj_attribute *attr, 1232 char *buf) 1233 { 1234 /* Check that setting is valid */ 1235 if (WARN_ON(tlmi_priv.save_mode < TLMI_SAVE_SINGLE || 1236 tlmi_priv.save_mode > TLMI_SAVE_BULK)) 1237 return -EIO; 1238 return sysfs_emit(buf, "%s\n", save_mode_strings[tlmi_priv.save_mode]); 1239 } 1240 1241 static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *attr, 1242 const char *buf, size_t count) 1243 { 1244 char *auth_str = NULL; 1245 int ret = 0; 1246 int cmd; 1247 1248 cmd = sysfs_match_string(save_mode_strings, buf); 1249 if (cmd < 0) 1250 return cmd; 1251 1252 /* Use lock in case multiple WMI operations needed */ 1253 mutex_lock(&tlmi_mutex); 1254 1255 switch (cmd) { 1256 case TLMI_SAVE_SINGLE: 1257 case TLMI_SAVE_BULK: 1258 tlmi_priv.save_mode = cmd; 1259 goto out; 1260 case TLMI_SAVE_SAVE: 1261 /* Check if supported*/ 1262 if (!tlmi_priv.can_set_bios_settings || 1263 tlmi_priv.save_mode == TLMI_SAVE_SINGLE) { 1264 ret = -EOPNOTSUPP; 1265 goto out; 1266 } 1267 /* Check there is actually something to save */ 1268 if (!tlmi_priv.save_required) { 1269 ret = -ENOENT; 1270 goto out; 1271 } 1272 /* Check if certificate authentication is enabled and active */ 1273 if (tlmi_priv.certificate_support && tlmi_priv.pwd_admin->cert_installed) { 1274 if (!tlmi_priv.pwd_admin->signature || 1275 !tlmi_priv.pwd_admin->save_signature) { 1276 ret = -EINVAL; 1277 goto out; 1278 } 1279 ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID, 1280 tlmi_priv.pwd_admin->save_signature); 1281 if (ret) 1282 goto out; 1283 } else if (tlmi_priv.opcode_support) { 1284 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1285 ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin", 1286 tlmi_priv.pwd_admin->password); 1287 if (ret) 1288 goto out; 1289 } 1290 ret = tlmi_save_bios_settings(""); 1291 } else { /* old non-opcode based authentication method (deprecated) */ 1292 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1293 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1294 tlmi_priv.pwd_admin->password, 1295 encoding_options[tlmi_priv.pwd_admin->encoding], 1296 tlmi_priv.pwd_admin->kbdlang); 1297 if (!auth_str) { 1298 ret = -ENOMEM; 1299 goto out; 1300 } 1301 } 1302 1303 if (auth_str) 1304 ret = tlmi_save_bios_settings(auth_str); 1305 else 1306 ret = tlmi_save_bios_settings(""); 1307 } 1308 tlmi_priv.save_required = false; 1309 tlmi_priv.reboot_required = true; 1310 1311 if (!ret && !tlmi_priv.pending_changes) { 1312 tlmi_priv.pending_changes = true; 1313 /* let userland know it may need to check reboot pending again */ 1314 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1315 } 1316 break; 1317 } 1318 out: 1319 mutex_unlock(&tlmi_mutex); 1320 kfree(auth_str); 1321 return ret ?: count; 1322 } 1323 1324 static struct kobj_attribute save_settings = __ATTR_RW(save_settings); 1325 1326 /* ---- Debug interface--------------------------------------------------------- */ 1327 static ssize_t debug_cmd_store(struct kobject *kobj, struct kobj_attribute *attr, 1328 const char *buf, size_t count) 1329 { 1330 char *set_str = NULL, *new_setting = NULL; 1331 char *auth_str = NULL; 1332 int ret; 1333 1334 if (!tlmi_priv.can_debug_cmd) 1335 return -EOPNOTSUPP; 1336 1337 /* Strip out CR if one is present */ 1338 new_setting = kstrdup_and_replace(buf, '\n', '\0', GFP_KERNEL); 1339 if (!new_setting) 1340 return -ENOMEM; 1341 1342 if (tlmi_priv.pwd_admin->pwd_enabled && tlmi_priv.pwd_admin->password[0]) { 1343 auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;", 1344 tlmi_priv.pwd_admin->password, 1345 encoding_options[tlmi_priv.pwd_admin->encoding], 1346 tlmi_priv.pwd_admin->kbdlang); 1347 if (!auth_str) { 1348 ret = -ENOMEM; 1349 goto out; 1350 } 1351 } 1352 1353 if (auth_str) 1354 set_str = kasprintf(GFP_KERNEL, "%s,%s", new_setting, auth_str); 1355 else 1356 set_str = kasprintf(GFP_KERNEL, "%s;", new_setting); 1357 if (!set_str) { 1358 ret = -ENOMEM; 1359 goto out; 1360 } 1361 1362 ret = tlmi_simple_call(LENOVO_DEBUG_CMD_GUID, set_str); 1363 if (ret) 1364 goto out; 1365 1366 if (!ret && !tlmi_priv.pending_changes) { 1367 tlmi_priv.pending_changes = true; 1368 /* let userland know it may need to check reboot pending again */ 1369 kobject_uevent(&tlmi_priv.class_dev->kobj, KOBJ_CHANGE); 1370 } 1371 out: 1372 kfree(auth_str); 1373 kfree(set_str); 1374 kfree(new_setting); 1375 return ret ?: count; 1376 } 1377 1378 static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); 1379 1380 /* ---- Initialisation --------------------------------------------------------- */ 1381 static void tlmi_release_attr(void) 1382 { 1383 int i; 1384 1385 /* Attribute structures */ 1386 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1387 if (tlmi_priv.setting[i]) { 1388 sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1389 kobject_put(&tlmi_priv.setting[i]->kobj); 1390 } 1391 } 1392 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1393 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1394 1395 if (tlmi_priv.can_debug_cmd && debug_support) 1396 sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1397 1398 kset_unregister(tlmi_priv.attribute_kset); 1399 1400 /* Free up any saved signatures */ 1401 kfree(tlmi_priv.pwd_admin->signature); 1402 kfree(tlmi_priv.pwd_admin->save_signature); 1403 1404 /* Authentication structures */ 1405 sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1406 kobject_put(&tlmi_priv.pwd_admin->kobj); 1407 sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1408 kobject_put(&tlmi_priv.pwd_power->kobj); 1409 1410 if (tlmi_priv.opcode_support) { 1411 sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1412 kobject_put(&tlmi_priv.pwd_system->kobj); 1413 sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1414 kobject_put(&tlmi_priv.pwd_hdd->kobj); 1415 sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1416 kobject_put(&tlmi_priv.pwd_nvme->kobj); 1417 } 1418 1419 kset_unregister(tlmi_priv.authentication_kset); 1420 } 1421 1422 static int tlmi_validate_setting_name(struct kset *attribute_kset, char *name) 1423 { 1424 struct kobject *duplicate; 1425 1426 if (!strcmp(name, "Reserved")) 1427 return -EINVAL; 1428 1429 duplicate = kset_find_obj(attribute_kset, name); 1430 if (duplicate) { 1431 pr_debug("Duplicate attribute name found - %s\n", name); 1432 /* kset_find_obj() returns a reference */ 1433 kobject_put(duplicate); 1434 return -EBUSY; 1435 } 1436 1437 return 0; 1438 } 1439 1440 static int tlmi_sysfs_init(void) 1441 { 1442 int i, ret; 1443 1444 tlmi_priv.class_dev = device_create(&firmware_attributes_class, NULL, MKDEV(0, 0), 1445 NULL, "%s", "thinklmi"); 1446 if (IS_ERR(tlmi_priv.class_dev)) { 1447 ret = PTR_ERR(tlmi_priv.class_dev); 1448 goto fail_class_created; 1449 } 1450 1451 tlmi_priv.attribute_kset = kset_create_and_add("attributes", NULL, 1452 &tlmi_priv.class_dev->kobj); 1453 if (!tlmi_priv.attribute_kset) { 1454 ret = -ENOMEM; 1455 goto fail_device_created; 1456 } 1457 1458 for (i = 0; i < TLMI_SETTINGS_COUNT; i++) { 1459 /* Check if index is a valid setting - skip if it isn't */ 1460 if (!tlmi_priv.setting[i]) 1461 continue; 1462 1463 /* check for duplicate or reserved values */ 1464 if (tlmi_validate_setting_name(tlmi_priv.attribute_kset, 1465 tlmi_priv.setting[i]->display_name) < 0) { 1466 kfree(tlmi_priv.setting[i]->possible_values); 1467 kfree(tlmi_priv.setting[i]); 1468 tlmi_priv.setting[i] = NULL; 1469 continue; 1470 } 1471 1472 /* Build attribute */ 1473 tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset; 1474 ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL, 1475 "%s", tlmi_priv.setting[i]->display_name); 1476 if (ret) 1477 goto fail_create_attr; 1478 1479 ret = sysfs_create_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group); 1480 if (ret) 1481 goto fail_create_attr; 1482 } 1483 1484 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr); 1485 if (ret) 1486 goto fail_create_attr; 1487 1488 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &save_settings.attr); 1489 if (ret) 1490 goto fail_create_attr; 1491 1492 if (tlmi_priv.can_debug_cmd && debug_support) { 1493 ret = sysfs_create_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr); 1494 if (ret) 1495 goto fail_create_attr; 1496 } 1497 1498 /* Create authentication entries */ 1499 tlmi_priv.authentication_kset = kset_create_and_add("authentication", NULL, 1500 &tlmi_priv.class_dev->kobj); 1501 if (!tlmi_priv.authentication_kset) { 1502 ret = -ENOMEM; 1503 goto fail_create_attr; 1504 } 1505 tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset; 1506 ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin"); 1507 if (ret) 1508 goto fail_create_attr; 1509 1510 ret = sysfs_create_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group); 1511 if (ret) 1512 goto fail_create_attr; 1513 1514 tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset; 1515 ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "Power-on"); 1516 if (ret) 1517 goto fail_create_attr; 1518 1519 ret = sysfs_create_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group); 1520 if (ret) 1521 goto fail_create_attr; 1522 1523 if (tlmi_priv.opcode_support) { 1524 tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset; 1525 ret = kobject_add(&tlmi_priv.pwd_system->kobj, NULL, "%s", "System"); 1526 if (ret) 1527 goto fail_create_attr; 1528 1529 ret = sysfs_create_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group); 1530 if (ret) 1531 goto fail_create_attr; 1532 1533 tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset; 1534 ret = kobject_add(&tlmi_priv.pwd_hdd->kobj, NULL, "%s", "HDD"); 1535 if (ret) 1536 goto fail_create_attr; 1537 1538 ret = sysfs_create_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group); 1539 if (ret) 1540 goto fail_create_attr; 1541 1542 tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset; 1543 ret = kobject_add(&tlmi_priv.pwd_nvme->kobj, NULL, "%s", "NVMe"); 1544 if (ret) 1545 goto fail_create_attr; 1546 1547 ret = sysfs_create_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group); 1548 if (ret) 1549 goto fail_create_attr; 1550 } 1551 1552 return ret; 1553 1554 fail_create_attr: 1555 tlmi_release_attr(); 1556 fail_device_created: 1557 device_destroy(&firmware_attributes_class, MKDEV(0, 0)); 1558 fail_class_created: 1559 return ret; 1560 } 1561 1562 /* ---- Base Driver -------------------------------------------------------- */ 1563 static struct tlmi_pwd_setting *tlmi_create_auth(const char *pwd_type, 1564 const char *pwd_role) 1565 { 1566 struct tlmi_pwd_setting *new_pwd; 1567 1568 new_pwd = kzalloc(sizeof(struct tlmi_pwd_setting), GFP_KERNEL); 1569 if (!new_pwd) 1570 return NULL; 1571 1572 strscpy(new_pwd->kbdlang, "us"); 1573 new_pwd->encoding = TLMI_ENCODING_ASCII; 1574 new_pwd->pwd_type = pwd_type; 1575 new_pwd->role = pwd_role; 1576 new_pwd->minlen = tlmi_priv.pwdcfg.core.min_length; 1577 new_pwd->maxlen = tlmi_priv.pwdcfg.core.max_length; 1578 new_pwd->index = 0; 1579 1580 kobject_init(&new_pwd->kobj, &tlmi_pwd_setting_ktype); 1581 1582 return new_pwd; 1583 } 1584 1585 static int tlmi_analyze(struct wmi_device *wdev) 1586 { 1587 int i, ret; 1588 1589 if (wmi_has_guid(LENOVO_SET_BIOS_SETTINGS_GUID) && 1590 wmi_has_guid(LENOVO_SAVE_BIOS_SETTINGS_GUID)) 1591 tlmi_priv.can_set_bios_settings = true; 1592 1593 if (wmi_has_guid(LENOVO_GET_BIOS_SELECTIONS_GUID)) 1594 tlmi_priv.can_get_bios_selections = true; 1595 1596 if (wmi_has_guid(LENOVO_SET_BIOS_PASSWORD_GUID)) 1597 tlmi_priv.can_set_bios_password = true; 1598 1599 if (wmi_has_guid(LENOVO_BIOS_PASSWORD_SETTINGS_GUID)) 1600 tlmi_priv.can_get_password_settings = true; 1601 1602 if (wmi_has_guid(LENOVO_DEBUG_CMD_GUID)) 1603 tlmi_priv.can_debug_cmd = true; 1604 1605 if (wmi_has_guid(LENOVO_OPCODE_IF_GUID)) 1606 tlmi_priv.opcode_support = true; 1607 1608 if (wmi_has_guid(LENOVO_SET_BIOS_CERT_GUID) && 1609 wmi_has_guid(LENOVO_SET_BIOS_SETTING_CERT_GUID) && 1610 wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID)) 1611 tlmi_priv.certificate_support = true; 1612 1613 /* 1614 * Try to find the number of valid settings of this machine 1615 * and use it to create sysfs attributes. 1616 */ 1617 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1618 struct tlmi_attr_setting *setting; 1619 char *item = NULL; 1620 1621 tlmi_priv.setting[i] = NULL; 1622 ret = tlmi_setting(wdev, i, &item); 1623 if (ret) 1624 break; 1625 if (!item) 1626 break; 1627 if (!*item) { 1628 kfree(item); 1629 continue; 1630 } 1631 1632 /* Remove the value part */ 1633 strreplace(item, ',', '\0'); 1634 1635 /* Create a setting entry */ 1636 setting = kzalloc(sizeof(*setting), GFP_KERNEL); 1637 if (!setting) { 1638 ret = -ENOMEM; 1639 kfree(item); 1640 goto fail_clear_attr; 1641 } 1642 setting->wdev = wdev; 1643 setting->index = i; 1644 1645 strscpy(setting->name, item); 1646 /* It is not allowed to have '/' for file name. Convert it into '\'. */ 1647 strreplace(item, '/', '\\'); 1648 strscpy(setting->display_name, item); 1649 1650 /* If BIOS selections supported, load those */ 1651 if (tlmi_priv.can_get_bios_selections) { 1652 ret = tlmi_get_bios_selections(setting->name, 1653 &setting->possible_values); 1654 if (ret || !setting->possible_values) 1655 pr_info("Error retrieving possible values for %d : %s\n", 1656 i, setting->display_name); 1657 } else { 1658 /* 1659 * Older Thinkstations don't support the bios_selections API. 1660 * Instead they store this as a [Optional:Option1,Option2] section of the 1661 * name string. 1662 * Try and pull that out if it's available. 1663 */ 1664 char *optitem, *optstart, *optend; 1665 1666 if (!tlmi_setting(setting->wdev, setting->index, &optitem)) { 1667 optstart = strstr(optitem, "[Optional:"); 1668 if (optstart) { 1669 optstart += strlen("[Optional:"); 1670 optend = strstr(optstart, "]"); 1671 if (optend) 1672 setting->possible_values = 1673 kstrndup(optstart, optend - optstart, 1674 GFP_KERNEL); 1675 } 1676 kfree(optitem); 1677 } 1678 } 1679 /* 1680 * firmware-attributes requires that possible_values are separated by ';' but 1681 * Lenovo FW uses ','. Replace appropriately. 1682 */ 1683 if (setting->possible_values) 1684 strreplace(setting->possible_values, ',', ';'); 1685 1686 kobject_init(&setting->kobj, &tlmi_attr_setting_ktype); 1687 tlmi_priv.setting[i] = setting; 1688 kfree(item); 1689 } 1690 1691 /* Create password setting structure */ 1692 ret = tlmi_get_pwd_settings(&tlmi_priv.pwdcfg); 1693 if (ret) 1694 goto fail_clear_attr; 1695 1696 /* All failures below boil down to kmalloc failures */ 1697 ret = -ENOMEM; 1698 1699 tlmi_priv.pwd_admin = tlmi_create_auth("pap", "bios-admin"); 1700 if (!tlmi_priv.pwd_admin) 1701 goto fail_clear_attr; 1702 1703 if (tlmi_priv.pwdcfg.core.password_state & TLMI_PAP_PWD) 1704 tlmi_priv.pwd_admin->pwd_enabled = true; 1705 1706 tlmi_priv.pwd_power = tlmi_create_auth("pop", "power-on"); 1707 if (!tlmi_priv.pwd_power) 1708 goto fail_clear_attr; 1709 1710 if (tlmi_priv.pwdcfg.core.password_state & TLMI_POP_PWD) 1711 tlmi_priv.pwd_power->pwd_enabled = true; 1712 1713 if (tlmi_priv.opcode_support) { 1714 tlmi_priv.pwd_system = tlmi_create_auth("smp", "system"); 1715 if (!tlmi_priv.pwd_system) 1716 goto fail_clear_attr; 1717 1718 if (tlmi_priv.pwdcfg.core.password_state & TLMI_SMP_PWD) 1719 tlmi_priv.pwd_system->pwd_enabled = true; 1720 1721 tlmi_priv.pwd_hdd = tlmi_create_auth("hdd", "hdd"); 1722 if (!tlmi_priv.pwd_hdd) 1723 goto fail_clear_attr; 1724 1725 tlmi_priv.pwd_nvme = tlmi_create_auth("nvm", "nvme"); 1726 if (!tlmi_priv.pwd_nvme) 1727 goto fail_clear_attr; 1728 1729 /* Set default hdd/nvme index to 1 as there is no device 0 */ 1730 tlmi_priv.pwd_hdd->index = 1; 1731 tlmi_priv.pwd_nvme->index = 1; 1732 1733 if (tlmi_priv.pwdcfg.core.password_state & TLMI_HDD_PWD) { 1734 /* Check if PWD is configured and set index to first drive found */ 1735 if (tlmi_priv.pwdcfg.ext.hdd_user_password || 1736 tlmi_priv.pwdcfg.ext.hdd_master_password) { 1737 tlmi_priv.pwd_hdd->pwd_enabled = true; 1738 if (tlmi_priv.pwdcfg.ext.hdd_master_password) 1739 tlmi_priv.pwd_hdd->index = 1740 ffs(tlmi_priv.pwdcfg.ext.hdd_master_password) - 1; 1741 else 1742 tlmi_priv.pwd_hdd->index = 1743 ffs(tlmi_priv.pwdcfg.ext.hdd_user_password) - 1; 1744 } 1745 if (tlmi_priv.pwdcfg.ext.nvme_user_password || 1746 tlmi_priv.pwdcfg.ext.nvme_master_password) { 1747 tlmi_priv.pwd_nvme->pwd_enabled = true; 1748 if (tlmi_priv.pwdcfg.ext.nvme_master_password) 1749 tlmi_priv.pwd_nvme->index = 1750 ffs(tlmi_priv.pwdcfg.ext.nvme_master_password) - 1; 1751 else 1752 tlmi_priv.pwd_nvme->index = 1753 ffs(tlmi_priv.pwdcfg.ext.nvme_user_password) - 1; 1754 } 1755 } 1756 } 1757 1758 if (tlmi_priv.certificate_support) { 1759 tlmi_priv.pwd_admin->cert_installed = 1760 tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC; 1761 tlmi_priv.pwd_system->cert_installed = 1762 tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC; 1763 } 1764 return 0; 1765 1766 fail_clear_attr: 1767 for (i = 0; i < TLMI_SETTINGS_COUNT; ++i) { 1768 if (tlmi_priv.setting[i]) { 1769 kfree(tlmi_priv.setting[i]->possible_values); 1770 kfree(tlmi_priv.setting[i]); 1771 } 1772 } 1773 kfree(tlmi_priv.pwd_admin); 1774 kfree(tlmi_priv.pwd_power); 1775 kfree(tlmi_priv.pwd_system); 1776 kfree(tlmi_priv.pwd_hdd); 1777 kfree(tlmi_priv.pwd_nvme); 1778 return ret; 1779 } 1780 1781 static void tlmi_remove(struct wmi_device *wdev) 1782 { 1783 tlmi_release_attr(); 1784 device_destroy(&firmware_attributes_class, MKDEV(0, 0)); 1785 } 1786 1787 static int tlmi_probe(struct wmi_device *wdev, const void *context) 1788 { 1789 int ret; 1790 1791 ret = tlmi_analyze(wdev); 1792 if (ret) 1793 return ret; 1794 1795 return tlmi_sysfs_init(); 1796 } 1797 1798 static const struct wmi_device_id tlmi_id_table[] = { 1799 { .guid_string = LENOVO_BIOS_SETTING_GUID }, 1800 { } 1801 }; 1802 MODULE_DEVICE_TABLE(wmi, tlmi_id_table); 1803 1804 static struct wmi_driver tlmi_driver = { 1805 .driver = { 1806 .name = "think-lmi", 1807 }, 1808 .id_table = tlmi_id_table, 1809 .probe = tlmi_probe, 1810 .remove = tlmi_remove, 1811 }; 1812 1813 MODULE_AUTHOR("Sugumaran L <slacshiminar@lenovo.com>"); 1814 MODULE_AUTHOR("Mark Pearson <markpearson@lenovo.com>"); 1815 MODULE_AUTHOR("Corentin Chary <corentin.chary@gmail.com>"); 1816 MODULE_DESCRIPTION("ThinkLMI Driver"); 1817 MODULE_LICENSE("GPL"); 1818 1819 module_wmi_driver(tlmi_driver); 1820