Hi,

On 3/12/22 01:04, Mark Pearson wrote:
> Certificate based authentication is available as an alternative to
> password based authentication.
>
> The WMI commands are cryptographically signed using a separate
> signing server and will be verified by the BIOS before being
> accepted.
>
> This commit details the fields that are needed to support that
> implementation. At present the changes are intended for Lenovo
> platforms, but have been designed to keep them as flexible as possible
> for future implementations from other vendors.
>
> Signed-off-by: Mark Pearson <markpearson@xxxxxxxxxx>

Thanks, patch looks good to me:

Reviewed-by: Hans de Goede <hdegoede@xxxxxxxxxx>

Regards,

Hans

> --- > .../testing/sysfs-class-firmware-attributes | 52 +++++++++++++++++++ > 1 file changed, 52 insertions(+) > > diff --git a/Documentation/ABI/testing/sysfs-class-firmware-attributes b/Documentation/ABI/testing/sysfs-class-firmware-attributes > index 13e31c6a0e9c..1d9c3bb1dbcd 100644 > --- a/Documentation/ABI/testing/sysfs-class-firmware-attributes > +++ b/Documentation/ABI/testing/sysfs-class-firmware-attributes 
> @@ -246,6 +246,43 @@ Description: > that is being referenced (e.g hdd0, hdd1 etc) > This attribute defaults to device 0. > > + certificate: > + signature: > + These attributes are used for certificate based authentication. This is > + used in conjunction with a signing server as an alternative to password > + based authentication. > + The user writes to the attribute with a BASE64 encoded string obtained > + from the signing server. > + The attribute can be displayed to check the stored value. > + > + Some usage examples: > + Installing a certificate to enable feature: > + echo <supervisor password > authentication/Admin/current_password > + echo <signed certificate> > authentication/Admin/certificate > + > + Updating the installed certificate: > + echo <signature> > authentication/Admin/signature > + echo <signed certificate> > authentication/Admin/certificate > + > + Removing the installed certificate: > + echo <signature> > authentication/Admin/signature > + echo '' > authentication/Admin/signature > + > + You cannot enable certificate authentication if a supervisor password > + has not been set. > + After any of these operations the system must reboot for the changes to > + take effect > + > + certificate_thumbprint > + Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints > + for the certificate installed in the BIOS. > + > + certificate_to_password > + Write only attribute used to switch from certificate based authentication > + back to password based. > + Usage: > + echo <signature> > authentication/Admin/signature > + echo <password> > authentication/Admin/certificate_to_password > > > What: /sys/class/firmware-attributes/*/attributes/pending_reboot 
> @@ -315,3 +352,18 @@ Description: > use it to enable extra debug attributes or BIOS features for testing purposes. > > Note that any changes to this attribute requires a reboot for changes to take effect. > + > +What: /sys/class/firmware-attributes/*/attributes/set_signature > +What: /sys/class/firmware-attributes/*/attributes/save_signature > +Date: March 2022 > +KernelVersion: 5.18 > +Contact: Mark Pearson <markpearson@xxxxxxxxxx> > +Description: > + These attributes are used when certificate based authentication are enabled. > + The set_signature and save_signature are both obtained from the signing server > + and both need to be set when changing an attribute. > + Usage example: > + echo <set signature> > set_signature > + echo <save signature> > save_signature > + echo Enable > PasswordBeep/current_value > + The attributes can be read to display the stored value.
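
Review bot: In the first hunk (@@ -246,6 +246,43 @@), the "Removing the installed certificate" example writes to authentication/Admin/signature twice ("echo <signature> > authentication/Admin/signature" followed by "echo '' > authentication/Admin/signature") and never touches authentication/Admin/certificate, so as written the second write replaces the signature that was just supplied. By analogy with the update example directly above it, the empty write presumably belongs to the certificate attribute; please confirm and correct the path. Two smaller points in the same hunk: the placeholder in "echo <supervisor password > authentication/Admin/current_password" is missing its closing bracket, and certificate_thumbprint and certificate_to_password lack the trailing colon used by "certificate:" and "signature:".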
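
Review bot: In the second hunk (@@ -315,3 +352,18 @@), the set_signature/save_signature description says both values come from the signing server and both must be set when changing an attribute, but it does not say what each signature covers or whether both must be written before the current_value write, which the usage example only implies. A userspace tool has to know which signatures to request for a given attribute and value, so a sentence stating what each one authorizes and the required write order would help. Nit: "certificate based authentication are enabled" should read "is enabled".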