Support to remotely configure UEFI SecureBoot Settings
Redfish added schema for SecureBoot contains UEFI Secure Boot
information and represents properties for managing the UEFI Secure
Boot functionality of a system. This patch adds support to configure
the settings from BMC.
Introduced option 'ENABLE_BIOS_SECUREBOOT` to selectively create
SecureBoot object.
The PDI Changes for SecureBoot:
[1]: https://github.com/openbmc/phosphor-dbus-interfaces/commit/b235159e0acc9943bc5f4e428ba6536f2e3cb621#diff-dbd3a29b95a6a0d436ba19696c3db9852172311f363b6781cc48b49d62ee28fa
Redfish URI enabled with this change
`/redfish/v1/Systems/<system>/SecureBoot`
Tested:
1) Dbus tree view with the change
```
busctl tree xyz.openbmc_project.BIOSConfigManager
`- /xyz
`- /xyz/openbmc_project
`- /xyz/openbmc_project/bios_config
|- /xyz/openbmc_project/bios_config/manager
|- /xyz/openbmc_project/bios_config/password
`- /xyz/openbmc_project/bios_config/secure_boot
```
2) Runtime Check at Redfish Level:
On platforms where the ENABLE_BIOS_SECUREBOOT is disabled the
redfish URI at the redfish level is disabled as the dbus path
does not exists.
3) For persistence of BIOS secureboot values the data is written to
separate file `securebootData` under
`/var/lib/bios-settings-manager`. This will avoid any issues for
current platforms.
Change-Id: I51cb42671bb7c62ef51f8d77b17265ab24edbcff
Signed-off-by: Prithvi Pai <ppai@nvidia.com>
diff --git a/src/secureboot.cpp b/src/secureboot.cpp
new file mode 100644
index 0000000..36dc875
--- /dev/null
+++ b/src/secureboot.cpp
@@ -0,0 +1,84 @@
+#include "secureboot.hpp"
+
+#include <cereal/archives/binary.hpp>
+
+#include <fstream>
+
+// Register class version with Cereal
+CEREAL_CLASS_VERSION(bios_config::SecureBoot, 0)
+
+namespace bios_config
+{
+
+SecureBoot::SecureBoot(sdbusplus::asio::object_server& objectServer,
+ std::shared_ptr<sdbusplus::asio::connection>& systemBus,
+ std::string persistPath) :
+ sdbusplus::xyz::openbmc_project::BIOSConfig::server::SecureBoot(
+ *systemBus, secureBootObjectPath),
+ objServer(objectServer), systemBus(systemBus)
+{
+ fs::path secureBootDir(persistPath);
+ fs::create_directories(secureBootDir);
+ secureBootFile = secureBootDir / secureBootPersistFile;
+ deserialize();
+}
+
+SecureBootBase::CurrentBootType SecureBoot::currentBoot(
+ SecureBootBase::CurrentBootType value)
+{
+ auto ret = SecureBootBase::currentBoot(value);
+ serialize();
+ return ret;
+}
+
+bool SecureBoot::pendingEnable(bool value)
+{
+ auto ret = SecureBootBase::pendingEnable(value);
+ serialize();
+ return ret;
+}
+
+SecureBootBase::ModeType SecureBoot::mode(SecureBootBase::ModeType value)
+{
+ auto ret = SecureBootBase::mode(value);
+ serialize();
+ return ret;
+}
+
+void SecureBoot::serialize()
+{
+ try
+ {
+ std::filesystem::create_directories(secureBootFile.parent_path());
+ std::ofstream os(secureBootFile.c_str(),
+ std::ios::out | std::ios::binary);
+ cereal::BinaryOutputArchive oarchive(os);
+ oarchive(*this);
+ }
+ catch (const std::exception& e)
+ {
+ lg2::error("Failed to serialize SecureBoot: {ERROR}", "ERROR", e);
+ }
+}
+
+bool SecureBoot::deserialize()
+{
+ try
+ {
+ if (std::filesystem::exists(secureBootFile))
+ {
+ std::ifstream is(secureBootFile.c_str(),
+ std::ios::in | std::ios::binary);
+ cereal::BinaryInputArchive iarchive(is);
+ iarchive(*this);
+ return true;
+ }
+ return false;
+ }
+ catch (const std::exception& e)
+ {
+ lg2::error("Failed to deserialize SecureBoot: {ERROR}", "ERROR", e);
+ return false;
+ }
+}
+} // namespace bios_config