lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <76c3ef28-0867-4711-997b-7042ee9ede75@app.fastmail.com>
Date: Thu, 28 Aug 2025 17:14:50 -0400
From: "Mark Pearson" <mpearson-lenovo@...ebb.ca>
To: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
Cc: "Hans de Goede" <hansg@...nel.org>, RenHai <kean0048@...il.com>,
 "platform-driver-x86@...r.kernel.org" <platform-driver-x86@...r.kernel.org>,
 LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 2/3] platform/x86: think-lmi: Certificate support for
 ThinkCenter

Hi Ilpo,

On Thu, Aug 28, 2025, at 6:46 AM, Ilpo Järvinen wrote:
> On Mon, 25 Aug 2025, Mark Pearson wrote:
>
>> ThinkCenter platforms use a different set of GUIDs along with some
>> differences in implementation details for their support of
>> certificate based authentication.
>> 
>> Update the think-lmi driver to work correctly on these platforms.
>> 
>> Tested on M75q Gen 5.
>> 
>> Signed-off-by: Kean Ren <kean0048@...il.com>
>> Signed-off-by: Mark Pearson <mpearson-lenovo@...ebb.ca>
>> ---
>> Changes in v2:
>>  - split patch up into series
>> Changes in v3:
>>  - Move check for no thumbprint GUID to this patch
>>  - Add structure fields and missing comma
>> 
>>  drivers/platform/x86/lenovo/think-lmi.c | 54 ++++++++++++++++++++++---
>>  drivers/platform/x86/lenovo/think-lmi.h |  1 +
>>  2 files changed, 49 insertions(+), 6 deletions(-)
>> 
>> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
>> index a22d25f6d3c6..3a1cec4625e5 100644
>> --- a/drivers/platform/x86/lenovo/think-lmi.c
>> +++ b/drivers/platform/x86/lenovo/think-lmi.c
>> @@ -119,6 +119,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_SET_BIOS_CERT_GUID    "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
>> +#define LENOVO_TC_SET_BIOS_CERT_GUID "955aaf7d-8bc4-4f04-90aa-97469512f167"
>>  
>>  /*
>>   * Name: UpdateBiosCert
>> @@ -128,6 +129,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
>> +#define LENOVO_TC_UPDATE_BIOS_CERT_GUID "5f5bbbb2-c72f-4fb8-8129-228eef4fdbed"
>>  
>>  /*
>>   * Name: ClearBiosCert
>> @@ -137,6 +139,8 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_CLEAR_BIOS_CERT_GUID  "B2BC39A7-78DD-4D71-B059-A510DEC44890"
>> +#define LENOVO_TC_CLEAR_BIOS_CERT_GUID  "97849cb6-cb44-42d1-a750-26a596a9eec4"
>> +
>>  /*
>>   * Name: CertToPassword
>>   * Description: Switch from certificate to password authentication.
>> @@ -145,6 +149,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
>> +#define LENOVO_TC_CERT_TO_PASSWORD_GUID "ef65480d-38c9-420d-b700-ab3d6c8ebaca"
>>  
>>  /*
>>   * Name: SetBiosSettingCert
>> @@ -153,6 +158,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * Format: "Item,Value,Signature"
>>   */
>>  #define LENOVO_SET_BIOS_SETTING_CERT_GUID  "34A008CC-D205-4B62-9E67-31DFA8B90003"
>> +#define LENOVO_TC_SET_BIOS_SETTING_CERT_GUID  "19ecba3b-b318-4192-a89b-43d94bc60cea"
>>  
>>  /*
>>   * Name: SaveBiosSettingCert
>> @@ -161,6 +167,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * Format: "Signature"
>>   */
>>  #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
>> +#define LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID "0afaf46f-7cca-450a-b455-a826a0bf1af5"
>>  
>>  /*
>>   * Name: CertThumbprint
>> @@ -197,6 +204,16 @@ static struct tlmi_cert_guids thinkpad_cert_guid = {
>>  	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
>>  };
>>  
>> +static struct tlmi_cert_guids thinkcenter_cert_guid = {
>> +	.thumbprint = NULL,
>> +	.set_bios_setting = LENOVO_TC_SET_BIOS_SETTING_CERT_GUID,
>> +	.save_bios_setting = LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID,
>> +	.cert_to_password = LENOVO_TC_CERT_TO_PASSWORD_GUID,
>> +	.clear_bios_cert = LENOVO_TC_CLEAR_BIOS_CERT_GUID,
>> +	.update_bios_cert = LENOVO_TC_UPDATE_BIOS_CERT_GUID,
>> +	.set_bios_cert = LENOVO_TC_SET_BIOS_CERT_GUID,
>> +};
>> +
>>  static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
>>  
>>  static const struct tlmi_err_codes tlmi_errs[] = {
>> @@ -690,6 +707,9 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
>>  	const union acpi_object *obj;
>>  	acpi_status status;
>>  
>> +	if (!cert_guid->thumbprint)
>> +		return -EOPNOTSUPP;
>> +
>>  	status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
>>  	if (ACPI_FAILURE(status)) {
>>  		kfree(output.pointer);
>> @@ -868,8 +888,16 @@ static ssize_t certificate_store(struct kobject *kobj,
>>  			return -EACCES;
>>  		}
>>  		guid = cert_guid->set_bios_cert;
>> -		/* Format: 'Certificate, password' */
>> -		auth_str = cert_command(setting, new_cert, setting->password);
>> +		if (tlmi_priv.thinkcenter_mode) {
>> +			/* Format: 'Certificate, password, encoding, kbdlang' */
>> +			auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s", new_cert,
>> +					     setting->password,
>> +					     encoding_options[setting->encoding],
>> +					     setting->kbdlang);
>> +		} else {
>> +			/* Format: 'Certificate, password' */
>> +			auth_str = cert_command(setting, new_cert, setting->password);
>> +		}
>>  	}
>>  	kfree(new_cert);
>>  	if (!auth_str)
>> @@ -1605,6 +1633,16 @@ static int tlmi_analyze(struct wmi_device *wdev)
>>  		wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
>>  		tlmi_priv.certificate_support = true;
>>  
>> +	/* ThinkCenter uses different GUIDs for certificate support */
>> +	if (wmi_has_guid(LENOVO_TC_SET_BIOS_CERT_GUID) &&
>> +	    wmi_has_guid(LENOVO_TC_SET_BIOS_SETTING_CERT_GUID) &&
>> +	    wmi_has_guid(LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID)) {
>> +		tlmi_priv.certificate_support = true;
>> +		tlmi_priv.thinkcenter_mode = true;
>> +		cert_guid = &thinkcenter_cert_guid;
>
> Now that this code is more readable :-), I started to wonder why this 
> pointer wasn't placed into tlmi_priv?
>
I never thought of it. It would be a better place for it.
Will add in v4.

Mark

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ