Support to remotely configure UEFI SecureBoot Settings
The schema Redfish added for SecureBoot contains UEFI Secure Boot
information and represents properties for managing the UEFI Secure
Boot functionality of a system. This patch adds support to configure
the settings from BMC.
Introduced option `ENABLE_BIOS_SECUREBOOT` to selectively create
SecureBoot object.
The PDI Changes for SecureBoot:
[1]: https://github.com/openbmc/phosphor-dbus-interfaces/commit/b235159e0acc9943bc5f4e428ba6536f2e3cb621#diff-dbd3a29b95a6a0d436ba19696c3db9852172311f363b6781cc48b49d62ee28fa
Redfish URI enabled with this change
`/redfish/v1/Systems/<system>/SecureBoot`
Tested:
1) Dbus tree view with the change
```
busctl tree xyz.openbmc_project.BIOSConfigManager
`- /xyz
`- /xyz/openbmc_project
`- /xyz/openbmc_project/bios_config
|- /xyz/openbmc_project/bios_config/manager
|- /xyz/openbmc_project/bios_config/password
`- /xyz/openbmc_project/bios_config/secure_boot
```
2) Runtime Check at Redfish Level:
On platforms where the ENABLE_BIOS_SECUREBOOT is disabled the
redfish URI at the redfish level is disabled as the dbus path
does not exist.
3) For persistence of BIOS secureboot values the data is written to
separate file `securebootData` under
`/var/lib/bios-settings-manager`. This will avoid any issues for
current platforms.
Change-Id: I51cb42671bb7c62ef51f8d77b17265ab24edbcff
Signed-off-by: Prithvi Pai <ppai@nvidia.com>
diff --git a/src/main.cpp b/src/main.cpp
index df1f9e6..af48808 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -13,10 +13,12 @@
See the License for the specific language governing permissions and
limitations under the License.
*/
+#include "configuration.h"
#include "config.hpp"
#include "manager.hpp"
#include "password.hpp"
+#include "secureboot.hpp"
#include <boost/asio.hpp>
#include <phosphor-logging/elog-errors.hpp>
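Review bot: The new `#include "secureboot.hpp"` is unconditional, while the only use of the class in this file is wrapped in `#ifdef ENABLE_BIOS_SECUREBOOT`. On a platform built with the option off, the header is still compiled into main.cpp, so it has to build cleanly against whatever phosphor-dbus-interfaces revision that platform uses. Either wrap the include in the same guard or confirm that the header has no dependency on the SecureBoot interface being present. Also, `configuration.h` is added next to the existing `config.hpp`; a short comment saying which of the two defines `ENABLE_BIOS_SECUREBOOT` would help, since the guard further down depends on it being included first.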
@@ -59,6 +61,18 @@
*/
bios_config_pwd::Password password(objectServer, systemBus, persistPath);
+#ifdef ENABLE_BIOS_SECUREBOOT
+ /**
+ * SecureBoot class is responsible for handling methods and signals under
+ * the following object path and interface.
+ *
+ * Object path : /xyz/openbmc_project/bios_config/secure_boot
+ * Interface : xyz.openbmc_project.BIOSConfig.SecureBoot
+ */
+ bios_config_sec::SecureBoot secureboot(objectServer, systemBus,
+ persistPath);
+#endif
+
io.run();
return 0;
}
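Review bot: The `#ifdef ENABLE_BIOS_SECUREBOOT` guard only tests whether the macro is defined, not its value. If the build option is emitted as a 0/1 define, the `secureboot` object would still be created on platforms that turned the option off, and the Redfish runtime check described in the commit message relies on the `/xyz/openbmc_project/bios_config/secure_boot` path being absent there. Please confirm the macro is left undefined when the option is disabled, or switch to `#if ENABLE_BIOS_SECUREBOOT`. Separately, `secureboot` is constructed with the same `persistPath` as `password`; the commit message says the values go to a separate `securebootData` file, and it would be worth stating that in the comment block here so the on-disk layout of Secure Boot state is documented next to the object that owns it.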