Message-ID: <b79fa66c-b8bc-125c-ccfa-9dae727022e9@redhat.com>
Date: Tue, 23 May 2023 12:46:07 +0200
From: Hans de Goede <hdegoede@...hat.com>
To: Mark Pearson <mpearson-lenovo@...ebb.ca>
Cc: markgross@...nel.org, platform-driver-x86@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/4] platform/x86: think-lmi: Enable opcode support on
BIOS settings

Hi Mark,

On 5/17/23 20:19, Mark Pearson wrote:
> Whilst reviewing some documentation from the FW team on using WMI on
> Lenovo system I noticed that we weren't using Opcode support when
> changing BIOS settings in the thinkLMI driver.
>
> We should be doing this to ensure we're future proof as the old
> non-opcode mechanism has been deprecated.
>
> Tested on X1 Carbon G10 and G11.
>
> Signed-off-by: Mark Pearson <mpearson-lenovo@...ebb.ca>
> ---
> drivers/platform/x86/think-lmi.c | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
> index 1138f770149d..d9341305eba9 100644
> --- a/drivers/platform/x86/think-lmi.c
> +++ b/drivers/platform/x86/think-lmi.c
> @@ -1001,7 +1001,28 @@ static ssize_t current_value_store(struct kobject *kobj,
> tlmi_priv.pwd_admin->save_signature);
> if (ret)
> goto out;
> - } else { /* Non certiifcate based authentication */
> + } else if (tlmi_priv.opcode_support) {
> + /* If opcode support is present use that interface */
> + set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name,
> + new_setting);
> + if (!set_str) {
> + ret = -ENOMEM;
> + goto out;
> + }
> +
> + ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str);
> + if (ret)
> + goto out;
> +
> + if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
> + ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
> + tlmi_priv.pwd_admin->password);
> + if (ret)
> + goto out;
> + }
> +
> + ret = tlmi_save_bios_settings("");

I'm a bit confused about how this works. You are calling the same
LENOVO_SET_BIOS_SETTINGS_GUID as the old non-opcode based authentication method
without any auth string.

And then afterwards you are calling LENOVO_OPCODE_IF_GUID with
"WmiOpcodePasswordAdmin:<passwd>"

Won't the initial LENOVO_SET_BIOS_SETTINGS_GUID get rejected since
it does not include an auth-string and you have not authenticated
yet using the opcode mechanism either? IOW shouldn't the opcode
auth call go first?

And how does this work timing-wise, vs races with userspace doing
multiple sysfs writes at once?

If the authentication done afterwards really acks the last
LENOVO_SET_BIOS_SETTINGS_GUID call then a userspace based
attacker could try to race and overwrite the last
LENOVO_SET_BIOS_SETTINGS_GUID call before the ack happens...?

If this code really is correct I think we need to introduce
a mutex to avoid this race.

And this also needs some comments to explain what is going on.

Regards,

Hans

> + } else { /* old non opcode based authentication method (deprecated)*/
> if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
> auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s;",
> tlmi_priv.pwd_admin->password,
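
Review bot: In the new "else if (tlmi_priv.opcode_support)" branch, tlmi_simple_call(LENOVO_SET_BIOS_SETTINGS_GUID, set_str) runs before tlmi_opcode_setting("WmiOpcodePasswordAdmin", ...) supplies the admin password, and nothing visible in this hunk serializes the set, authenticate and save calls against a second current_value_store() writer. Please add a comment stating the call order the opcode interface expects, and if the password opcode applies to the previously submitted setting, hold a lock across all three calls so the setting that gets saved is the one this writer submitted. When pwd_admin is not valid or the password is empty, the branch goes straight to tlmi_save_bios_settings(""), which also deserves a one-line comment. Style: the new comment ending "(deprecated)*/" is missing a space before "*/".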