Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 | What: /sys/class/firmware-attributes/*/attributes/*/ Date: February 2021 KernelVersion: 5.11 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, Prasanth KSR <prasanth.ksr@dell.com> Dell.Client.Kernel@dell.com Description: A sysfs interface for systems management software to enable configuration capability on supported systems. This directory exposes interfaces for interacting with configuration options. Unless otherwise specified in an attribute description all attributes are optional and will accept UTF-8 input. type: A file that can be read to obtain the type of attribute. This attribute is mandatory. The following are known types: - enumeration: a set of pre-defined valid values - integer: a range of numerical values - string HP specific types ----------------- - ordered-list - a set of ordered list valid values All attribute types support the following values: current_value: A file that can be read to obtain the current value of the <attr>. This file can also be written to in order to update the value of a <attr> This attribute is mandatory. default_value: A file that can be read to obtain the default value of the <attr> display_name: A file that can be read to obtain a user friendly description of the at <attr> display_name_language_code: A file that can be read to obtain the IETF language tag corresponding to the "display_name" of the <attr> "enumeration"-type specific properties: possible_values: A file that can be read to obtain the possible values of the <attr>. Values are separated using semi-colon (``;``). "integer"-type specific properties: min_value: A file that can be read to obtain the lower bound value of the <attr> max_value: A file that can be read to obtain the upper bound value of the <attr> scalar_increment: A file that can be read to obtain the scalar value used for increments of current_value this attribute accepts. "string"-type specific properties: max_length: A file that can be read to obtain the maximum length value of the <attr> min_length: A file that can be read to obtain the minimum length value of the <attr> Dell specific class extensions ------------------------------ On Dell systems the following additional attributes are available: dell_modifier: A file that can be read to obtain attribute-level dependency rule. It says an attribute X will become read-only or suppressed, if/if-not attribute Y is configured. modifier rules can be in following format:: [ReadOnlyIf:<attribute>=<value>] [ReadOnlyIfNot:<attribute>=<value>] [SuppressIf:<attribute>=<value>] [SuppressIfNot:<attribute>=<value>] For example:: AutoOnFri/dell_modifier has value, [SuppressIfNot:AutoOn=SelectDays] This means AutoOnFri will be suppressed in BIOS setup if AutoOn attribute is not "SelectDays" and its value will not be effective through sysfs until this rule is met. Enumeration attributes also support the following: dell_value_modifier: A file that can be read to obtain value-level dependency. This file is similar to dell_modifier but here, an attribute's current value will be forcefully changed based dependent attributes value. dell_value_modifier rules can be in following format:: <value>[ForceIf:<attribute>=<value>] <value>[ForceIfNot:<attribute>=<value>] For example:: LegacyOrom/dell_value_modifier has value: Disabled[ForceIf:SecureBoot=Enabled] This means LegacyOrom's current value will be forced to "Disabled" in BIOS setup if SecureBoot is Enabled and its value will not be effective through sysfs until this rule is met. HP specific class extensions ------------------------------ On HP systems the following additional attributes are available: "ordered-list"-type specific properties: elements: A file that can be read to obtain the possible list of values of the <attr>. Values are separated using semi-colon (``;``) and listed according to their priority. An element listed first has the highest priority. Writing the list in a different order to current_value alters the priority order for the particular attribute. What: /sys/class/firmware-attributes/*/authentication/ Date: February 2021 KernelVersion: 5.11 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, Prasanth KSR <prasanth.ksr@dell.com> Dell.Client.Kernel@dell.com Description: Devices support various authentication mechanisms which can be exposed as a separate configuration object. For example a "BIOS Admin" password and "System" Password can be set, reset or cleared using these attributes. - An "Admin" password is used for preventing modification to the BIOS settings. - A "System" password is required to boot a machine. Change in any of these two authentication methods will also generate an uevent KOBJ_CHANGE. is_enabled: A file that can be read to obtain a 0/1 flag to see if <attr> authentication is enabled. This attribute is mandatory. role: The type of authentication used. This attribute is mandatory. Known types: bios-admin: Representing BIOS administrator password power-on: Representing a password required to use the system system-mgmt: Representing System Management password. See Lenovo extensions section for details HDD: Representing HDD password See Lenovo extensions section for details NVMe: Representing NVMe password See Lenovo extensions section for details mechanism: The means of authentication. This attribute is mandatory. Only supported type currently is "password". max_password_length: A file that can be read to obtain the maximum length of the Password min_password_length: A file that can be read to obtain the minimum length of the Password current_password: A write only value used for privileged access such as setting attributes when a system or admin password is set or resetting to a new password This attribute is mandatory when mechanism == "password". new_password: A write only value that when used in tandem with current_password will reset a system or admin password. Note, password management is session specific. If Admin password is set, same password must be written into current_password file (required for password-validation) and must be cleared once the session is over. For example:: echo "password" > current_password echo "disabled" > TouchScreen/current_value echo "" > current_password Drivers may emit a CHANGE uevent when a password is set or unset userspace may check it again. On Dell, Lenovo and HP systems, if Admin password is set, then all BIOS attributes require password validation. On Lenovo systems if you change the Admin password the new password is not active until the next boot. Lenovo specific class extensions -------------------------------- On Lenovo systems the following additional settings are available: role: system-mgmt This gives the same authority as the bios-admin password to control security related features. The authorities allocated can be set via the BIOS menu SMP Access Control Policy role: HDD & NVMe This password is used to unlock access to the drive at boot. Note see 'level' and 'index' extensions below. lenovo_encoding: The encoding method that is used. This can be either "ascii" or "scancode". Default is set to "ascii" lenovo_kbdlang: The keyboard language method that is used. This is generally a two char code (e.g. "us", "fr", "gr") and may vary per platform. Default is set to "us" level: Available for HDD and NVMe authentication to set 'user' or 'master' privilege level. If only the user password is configured then this should be used to unlock the drive at boot. If both master and user passwords are set then either can be used. If a master password is set a user password is required. This attribute defaults to 'user' level index: Used with HDD and NVME authentication to set the drive index that is being referenced (e.g hdd1, hdd2 etc) This attribute defaults to device 1. certificate, signature, save_signature: These attributes are used for certificate based authentication. This is used in conjunction with a signing server as an alternative to password based authentication. The user writes to the attribute(s) with a BASE64 encoded string obtained from the signing server. The attributes can be displayed to check the stored value. Some usage examples: Installing a certificate to enable feature:: echo "supervisor password" > authentication/Admin/current_password echo "signed certificate" > authentication/Admin/certificate Updating the installed certificate:: echo "signature" > authentication/Admin/signature echo "signed certificate" > authentication/Admin/certificate Removing the installed certificate:: echo "signature" > authentication/Admin/signature echo "" > authentication/Admin/certificate Changing a BIOS setting:: echo "signature" > authentication/Admin/signature echo "save signature" > authentication/Admin/save_signature echo Enable > attribute/PasswordBeep/current_value You cannot enable certificate authentication if a supervisor password has not been set. Clearing the certificate results in no bios-admin authentication method being configured allowing anyone to make changes. After any of these operations the system must reboot for the changes to take effect. certificate_thumbprint: Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints for the certificate installed in the BIOS. certificate_to_password: Write only attribute used to switch from certificate based authentication back to password based. Usage:: echo "signature" > authentication/Admin/signature echo "password" > authentication/Admin/certificate_to_password HP specific class extensions -------------------------------- On HP systems the following additional settings are available: role: enhanced-bios-auth: This role is specific to Secure Platform Management (SPM) attribute. It requires configuring an endorsement (kek) and signing certificate (sk). What: /sys/class/firmware-attributes/*/attributes/pending_reboot Date: February 2021 KernelVersion: 5.11 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, Prasanth KSR <prasanth.ksr@dell.com> Dell.Client.Kernel@dell.com Description: A read-only attribute reads 1 if a reboot is necessary to apply pending BIOS attribute changes. Also, an uevent_KOBJ_CHANGE is generated when it changes to 1. == ========================================= 0 All BIOS attributes setting are current 1 A reboot is necessary to get pending BIOS attribute changes applied == ========================================= Note, userspace applications need to follow below steps for efficient BIOS management, 1. Check if admin password is set. If yes, follow session method for password management as briefed under authentication section above. 2. Before setting any attribute, check if it has any modifiers or value_modifiers. If yes, incorporate them and then modify attribute. Drivers may emit a CHANGE uevent when this value changes and userspace may check it again. What: /sys/class/firmware-attributes/*/attributes/reset_bios Date: February 2021 KernelVersion: 5.11 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, Prasanth KSR <prasanth.ksr@dell.com> Dell.Client.Kernel@dell.com Description: This attribute can be used to reset the BIOS Configuration. Specifically, it tells which type of reset BIOS configuration is being requested on the host. Reading from it returns a list of supported options encoded as: - 'builtinsafe' (Built in safe configuration profile) - 'lastknowngood' (Last known good saved configuration profile) - 'factory' (Default factory settings configuration profile) - 'custom' (Custom saved configuration profile) The currently selected option is printed in square brackets as shown below:: # echo "factory" > /sys/class/firmware-attributes/*/device/attributes/reset_bios # cat /sys/class/firmware-attributes/*/device/attributes/reset_bios builtinsafe lastknowngood [factory] custom Note that any changes to this attribute requires a reboot for changes to take effect. What: /sys/class/firmware-attributes/*/attributes/debug_cmd Date: July 2021 KernelVersion: 5.14 Contact: Mark Pearson <markpearson@lenovo.com> Description: This write only attribute can be used to send debug commands to the BIOS. This should only be used when recommended by the BIOS vendor. Vendors may use it to enable extra debug attributes or BIOS features for testing purposes. Note that any changes to this attribute requires a reboot for changes to take effect. HP specific class extensions - Secure Platform Manager (SPM) -------------------------------- What: /sys/class/firmware-attributes/*/authentication/SPM/kek Date: March 2023 KernelVersion: 5.18 Contact: "Jorge Lopez" <jorge.lopez2@hp.com> Description: 'kek' Key-Encryption-Key is a write-only file that can be used to configure the RSA public key that will be used by the BIOS to verify signatures when setting the signing key. When written, the bytes should correspond to the KEK certificate (x509 .DER format containing an OU). The size of the certificate must be less than or equal to 4095 bytes. What: /sys/class/firmware-attributes/*/authentication/SPM/sk Date: March 2023 KernelVersion: 5.18 Contact: "Jorge Lopez" <jorge.lopez2@hp.com> Description: 'sk' Signature Key is a write-only file that can be used to configure the RSA public key that will be used by the BIOS to verify signatures when configuring BIOS settings and security features. When written, the bytes should correspond to the modulus of the public key. The exponent is assumed to be 0x10001. What: /sys/class/firmware-attributes/*/authentication/SPM/status Date: March 2023 KernelVersion: 5.18 Contact: "Jorge Lopez" <jorge.lopez2@hp.com> Description: 'status' is a read-only file that returns ASCII text in JSON format reporting the status information. "State": "not provisioned | provisioned | provisioning in progress", "Version": "Major.Minor", "Nonce": <16-bit unsigned number display in base 10>, "FeaturesInUse": <16-bit unsigned number display in base 10>, "EndorsementKeyMod": "<256 bytes in base64>", "SigningKeyMod": "<256 bytes in base64>" What: /sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entries Date: March 2023 KernelVersion: 5.18 Contact: "Jorge Lopez" <jorge.lopez2@hp.com> Description: 'audit_log_entries' is a read-only file that returns the events in the log. Audit log entry format Byte 0-15: Requested Audit Log entry (Each Audit log is 16 bytes) Byte 16-127: Unused What: /sys/class/firmware-attributes/*/attributes/Sure_Start/audit_log_entry_count Date: March 2023 KernelVersion: 5.18 Contact: "Jorge Lopez" <jorge.lopez2@hp.com> Description: 'audit_log_entry_count' is a read-only file that returns the number of existing audit log events available to be read. Values are separated using comma. (``,``) [No of entries],[log entry size],[Max number of entries supported] log entry size identifies audit log size for the current BIOS version. The current size is 16 bytes but it can be up to 128 bytes long in future BIOS versions. |