| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5e27f8b6-1d11-aafd-917d-478dba10ec94@linux.intel.com>
Date: Thu, 4 Sep 2025 15:46:45 +0300 (EEST)
From: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
To: Mark Pearson <mpearson-lenovo@...ebb.ca>
cc: ilpo.jarvinen@...ux.intel.com, hansg@...nel.org, kean0048@...il.com,
platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 1/3] platform/x86: think-lmi: Add certificate GUID
structure
On Wed, 3 Sep 2025, Mark Pearson wrote:
> Add a certificate GUID structure to make it easier to add different
> options for other platforms that need different GUIDs.
>
> Suggested-by: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
> Signed-off-by: Mark Pearson <mpearson-lenovo@...ebb.ca>
> ---
> Changes in v2:
> - split patch up into series
> Changes in v3:
> - add field details to thinkpad_cert_guid declare.
> - add missing comma
> - Move null thumbprint GUID check to later in series
> Changes in v4:
> - Moved cert_guid into tlmi_priv
> - applied const where needed
>
> drivers/platform/x86/lenovo/think-lmi.c | 29 +++++++++++++++++--------
> drivers/platform/x86/lenovo/think-lmi.h | 13 +++++++++++
> 2 files changed, 33 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
> index 0992b41b6221..de287987f20c 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.c
> +++ b/drivers/platform/x86/lenovo/think-lmi.c
> @@ -177,6 +177,16 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
> #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
> #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
>
> +static const struct tlmi_cert_guids thinkpad_cert_guid = {
> + .thumbprint = LENOVO_CERT_THUMBPRINT_GUID,
> + .set_bios_setting = LENOVO_SET_BIOS_SETTING_CERT_GUID,
> + .save_bios_setting = LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + .cert_to_password = LENOVO_CERT_TO_PASSWORD_GUID,
> + .clear_bios_cert = LENOVO_CLEAR_BIOS_CERT_GUID,
> + .update_bios_cert = LENOVO_UPDATE_BIOS_CERT_GUID,
> + .set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
> +};
> +
> static const struct tlmi_err_codes tlmi_errs[] = {
> {"Success", 0},
> {"Not Supported", -EOPNOTSUPP},
> @@ -668,7 +678,7 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
> const union acpi_object *obj;
> acpi_status status;
>
> - status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
> + status = wmi_evaluate_method(tlmi_priv.cert_guid->thumbprint, 0, 0, &input, &output);
> if (ACPI_FAILURE(status)) {
> kfree(output.pointer);
> return -EIO;
> @@ -751,7 +761,7 @@ static ssize_t cert_to_password_store(struct kobject *kobj,
> kfree_sensitive(passwd);
> return -ENOMEM;
> }
> - ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
> + ret = tlmi_simple_call(tlmi_priv.cert_guid->cert_to_password, auth_str);
> kfree(auth_str);
> kfree_sensitive(passwd);
>
> @@ -774,7 +784,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> char *auth_str, *new_cert;
> const char *serial;
> char *signature;
> - char *guid;
> + const char *guid;
> int ret;
>
> if (!capable(CAP_SYS_ADMIN))
> @@ -797,7 +807,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> if (!auth_str)
> return -ENOMEM;
>
> - ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
> + ret = tlmi_simple_call(tlmi_priv.cert_guid->clear_bios_cert, auth_str);
> kfree(auth_str);
>
> return ret ?: count;
> @@ -834,7 +844,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> kfree(new_cert);
> return -EACCES;
> }
> - guid = LENOVO_UPDATE_BIOS_CERT_GUID;
> + guid = tlmi_priv.cert_guid->update_bios_cert;
> /* Format: 'Certificate,Signature' */
> auth_str = cert_command(setting, new_cert, signature);
> } else {
> @@ -845,7 +855,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> kfree(new_cert);
> return -EACCES;
> }
> - guid = LENOVO_SET_BIOS_CERT_GUID;
> + guid = tlmi_priv.cert_guid->set_bios_cert;
> /* Format: 'Certificate, password' */
> auth_str = cert_command(setting, new_cert, setting->password);
> }
> @@ -1071,13 +1081,13 @@ static ssize_t current_value_store(struct kobject *kobj,
> goto out;
> }
>
> - ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
> + ret = tlmi_simple_call(tlmi_priv.cert_guid->set_bios_setting, set_str);
> if (ret)
> goto out;
> if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
> tlmi_priv.save_required = true;
> else
> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + ret = tlmi_simple_call(tlmi_priv.cert_guid->save_bios_setting,
> tlmi_priv.pwd_admin->save_signature);
> } else if (tlmi_priv.opcode_support) {
> /*
> @@ -1282,7 +1292,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *
> ret = -EINVAL;
> goto out;
> }
> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + ret = tlmi_simple_call(tlmi_priv.cert_guid->save_bios_setting,
> tlmi_priv.pwd_admin->save_signature);
> if (ret)
> goto out;
> @@ -1728,6 +1738,7 @@ static int tlmi_analyze(struct wmi_device *wdev)
> }
>
> if (tlmi_priv.certificate_support) {
> + tlmi_priv.cert_guid = &thinkpad_cert_guid;
> tlmi_priv.pwd_admin->cert_installed =
> tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
> tlmi_priv.pwd_system->cert_installed =
> diff --git a/drivers/platform/x86/lenovo/think-lmi.h b/drivers/platform/x86/lenovo/think-lmi.h
> index 9b014644d316..59aa03c3f846 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.h
> +++ b/drivers/platform/x86/lenovo/think-lmi.h
> @@ -41,6 +41,17 @@ enum save_mode {
> TLMI_SAVE_SAVE,
> };
>
> +/* GUIDs can differ between platforms */
> +struct tlmi_cert_guids {
> + const char *thumbprint;
> + const char *set_bios_setting;
> + const char *save_bios_setting;
> + const char *cert_to_password;
> + const char *clear_bios_cert;
> + const char *update_bios_cert;
> + const char *set_bios_cert;
> +};
> +
> /* password configuration details */
> #define TLMI_PWDCFG_MODE_LEGACY 0
> #define TLMI_PWDCFG_MODE_PASSWORD 1
> @@ -121,6 +132,8 @@ struct think_lmi {
> struct tlmi_pwd_setting *pwd_system;
> struct tlmi_pwd_setting *pwd_hdd;
> struct tlmi_pwd_setting *pwd_nvme;
> +
> + const struct tlmi_cert_guids *cert_guid;
> };
>
> #endif /* !_THINK_LMI_H_ */
>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
--
i.
Powered by blists - more mailing lists