Hi, On 11/16/21 22:05, Mark Pearson wrote: > > Hi Hans, > > Thank you for the review. > > On 2021-11-16 09:00, Hans de Goede wrote: >> Hi, >> >> On 11/9/21 00:25, Mark Pearson wrote: >>> Newer Lenovo BIOS's have an opcode GUID support interface which provides >>> - improved password setting control >>> - ability to set System, hard drive and NVMe passwords >>> >>> Add the support for these new passwords, and the ability to select >>> user/master mode and the drive index. >>> >>> Signed-off-by: Mark Pearson <markpearson@xxxxxxxxxx> >>> --- >>> .../ABI/testing/sysfs-class-firmware-attributes | 17 +++++++++++++++++ >>> 1 file changed, 17 insertions(+) >>> >>> diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes >>> index 3348bf80a37c..6af4c5cf3d47 100644 >>> --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes >>> +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes 
>>> @@ -161,6 +161,12 @@ Description: >>> power-on: >>> Representing a password required to use >>> the system >>> + system-mgmt: >>> + Representing System Management password >> >> What is the difference between the system-mgmt password and the bios-admin one ? > > Taken from the documentation but somewhat reformatted/edited for clarity > > bios-admin - You are prompted to enter a valid password each time you > try to enter the BIOS menu > > system-mgmt - You can enable the system management password to have the > same authority as the bios-admin password to control security related > features. You can customize the authority of the system management > password through the UEFI BIOS menu (SMP Access Control Policy) Ok, so if I understand this correctly, then if both a bios-admin and a system-mgmt password are set then with the bios-admin option all options except those on the "security settings" BIOS screen can be changed, and with the system-mgmt password everything can be changed, is that correct? Also can you update the new text here to try and explain this somewhat ? >>> + HDD: >>> + Representing HDD password >>> + NVMe: >>> + Representing NVMe password >>> >>> mechanism: >>> The means of authentication. This attribute is mandatory. 
>>> @@ -185,6 +191,17 @@ Description: >>> A write only value that when used in tandem with >>> current_password will reset a system or admin password. >>> >>> + level: >>> + Used with HDD and NVMe authentication to set 'user' or 'master' >>> + privilege level >>> + This attribute defaults to 'user' level >> >> What is the difference between user and master levels ? > > User: If a user hard disk password has been set, but no master hard disk > password has been, the user must enter the user hard disk password to > access files and applications on the hard disk drive. > > Master: The master hard disk password also requires a user hard disk > password. The master hard disk password is usually set and used by a > system administrator. It enables the administrator to access any hard > disk drive in a system like a master key. The administrator sets the > master password; then assigns a user password for each computer in the > network. The user can then change the user password as desired, but the > administrator still can get access by using the master password. When a > master hard disk password is set, only the administrator can remove the > user hard disk password. I understand, so like a master-key vs a normal key in a big office building. Can you update the new text here to try and explain this somewhat ? >> >>> + >>> + index: >>> + Used with HDD and NVME authentication to set the drive index >>> + that is being referenced (e.g hdd0, hdd1 etc) >>> + This attribute defaults to device 0. >>> + >>> + >>> Note, password management is session specific. If Admin password is set, >>> same password must be written into current_password file (required for >>> password-validation) and must be cleared once the session is over. >>> >> >> >> Also maybe all of this needs to be moved to the Lenovo specific section for now ? 
>> >> If we then get other firmware APIs to set HDD / NVMe passwords we can try to re-use this >> and move it to the generic section (assuming we can make things fit ...) >> > Ah - good point. I will do that Great. Regards, Hans
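Review bot: In the first hunk (@@ -161,6 +161,12 @@) the new entries "HDD" and "NVMe" are capitalized while the neighbouring "power-on" and the new "system-mgmt" are lowercase. These names are part of the documented ABI, so the text should give the exact strings and keep one convention. The one-line descriptions ("Representing HDD password", "Representing NVMe password") restate the name without saying what the password protects; a sentence each, plus a note that these two are used together with the level and index attributes, would let a reader apply the entry without the vendor manual.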
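Review bot: The "index" entry in the second hunk (@@ -185,6 +191,17 @@) does not say what value is actually written to the attribute: the example gives names ("e.g hdd0, hdd1 etc") while the default is given as a number ("defaults to device 0"). State the value format and valid range, and whether HDD and NVMe drives share one index space. The retained "Note, password management is session specific" paragraph should also say whether level and index are per session or persist. Smaller points in the same hunk: "NVME" here versus "NVMe" under "level", "e.g" is missing its period, and two consecutive blank lines are added before the "Note" paragraph.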