Commit 06384573 authored by Mark Pearson, committed by Hans de Goede

Documentation: sysfs-class-firmware-attributes: Lenovo Certificate support



Certificate based authentication is available as an alternative to
password based authentication.

The WMI commands are cryptographically signed using a separate
signing server and will be verified by the BIOS before being
accepted.

This commit details the fields that are needed to support that
implementation. At present the changes are intended for Lenovo
platforms, but have been designed to keep them as flexible as possible
for future implementations from other vendors.

Signed-off-by: Mark Pearson <markpearson@lenovo.com>
Link: https://lore.kernel.org/r/20220317214008.3459-1-markpearson@lenovo.com


Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
parent 0c2c21a1
+45 −0
@@ -246,6 +246,51 @@ Description:
					that is being referenced (e.g hdd0, hdd1 etc)
					that is being referenced (e.g hdd0, hdd1 etc)
					This attribute defaults to device 0.
					This attribute defaults to device 0.


		certificate:
		signature:
		save_signature:
					These attributes are used for certificate based authentication. This is
					used in conjunction with a signing server as an alternative to password
					based authentication.
					The user writes to the attribute(s) with a BASE64 encoded string obtained
					from the signing server.
					The attributes can be displayed to check the stored value.

					Some usage examples:
					Installing a certificate to enable feature:
						echo <supervisor password > authentication/Admin/current_password
						echo <signed certificate> > authentication/Admin/certificate

					Updating the installed certificate:
						echo <signature> > authentication/Admin/signature
						echo <signed certificate> > authentication/Admin/certificate

					Removing the installed certificate:
						echo <signature> > authentication/Admin/signature
						echo '' > authentication/Admin/certificate

					Changing a BIOS setting:
						echo <signature> > authentication/Admin/signature
						echo <save signature> > authentication/Admin/save_signature
						echo Enable > attribute/PasswordBeep/current_value

					You cannot enable certificate authentication if a supervisor password
					has not been set.
					Clearing the certificate results in no bios-admin authentication method
					being configured allowing anyone to make changes.
					After any of these operations the system must reboot for the changes to
					take effect.

		certificate_thumbprint:
					Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints
					for the certificate installed in the BIOS.

		certificate_to_password:
					Write only attribute used to switch from certificate based authentication
					back to password based.
					Usage:
						echo <signature> > authentication/Admin/signature
						echo <password> > authentication/Admin/certificate_to_password




What:		/sys/class/firmware-attributes/*/attributes/pending_reboot
What:		/sys/class/firmware-attributes/*/attributes/pending_reboot
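
Review bot: In the first usage example ("Installing a certificate to enable feature") the placeholder is missing its closing bracket: `echo <supervisor password > authentication/Admin/current_password` should read `echo <supervisor password> > authentication/Admin/current_password`, otherwise the redirect is ambiguous when copied. The shared description for certificate, signature and save_signature also never says what signature and save_signature each cover, or why changing a BIOS setting needs both while updating or removing the certificate needs only signature; one sentence per attribute would tell the reader which strings to request from the signing server. The statement that clearing the certificate leaves no bios-admin authentication method configured, allowing anyone to make changes, sits in the closing paragraph away from the "Removing the installed certificate" example; consider placing it directly under that example so it is read together with the `echo '' > authentication/Admin/certificate` line. For certificate_thumbprint, which returns MD5, SHA1 and SHA256 values, the output layout (order, labels, one per line or not) is not described and would be needed by anything that parses it.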