Support to remotely configure UEFI SecureBoot Settings

Redfish added schema for SecureBoot contains UEFI Secure Boot
information and represents properties for managing the UEFI Secure
Boot functionality of a system. This patch adds support to configure
the settings from BMC.

Introduced option `ENABLE_BIOS_SECUREBOOT` to selectively create
SecureBoot object.

The PDI Changes for SecureBoot:
[1]: https://github.com/openbmc/phosphor-dbus-interfaces/commit/b235159e0acc9943bc5f4e428ba6536f2e3cb621#diff-dbd3a29b95a6a0d436ba19696c3db9852172311f363b6781cc48b49d62ee28fa

Redfish URI enabled with this change
`/redfish/v1/Systems/<system>/SecureBoot`

Tested:
1) Dbus tree view with the change
```
busctl tree xyz.openbmc_project.BIOSConfigManager
`- /xyz
  `- /xyz/openbmc_project
    `- /xyz/openbmc_project/bios_config
      |- /xyz/openbmc_project/bios_config/manager
      |- /xyz/openbmc_project/bios_config/password
      `- /xyz/openbmc_project/bios_config/secure_boot
```
2) Runtime Check at Redfish Level:
On platforms where ENABLE_BIOS_SECUREBOOT is disabled, the
Redfish URI is disabled at the Redfish level, as the dbus path
does not exist.
3) For persistence of BIOS secureboot values the data is written to
separate file `securebootData` under
`/var/lib/bios-settings-manager`. This will avoid any issues for
current platforms.

Change-Id: I51cb42671bb7c62ef51f8d77b17265ab24edbcff
Signed-off-by: Prithvi Pai <ppai@nvidia.com>
6 files changed
README.md

Remote BIOS Configuration

License

Overview

The biosconfig_manager service enables users to view and modify the BIOS setup configuration parameters remotely through the Baseboard Management Controller (BMC) at any host state. Changes to these parameters will take effect upon the next system reboot or immediately, depending on the host firmware.

For more details, please refer to the design document.

Features

  • Remote management of BIOS settings.
  • Immediate updates or scheduled changes upon reboot.
  • Reset BIOS Settings support through dbus.
  • ChangePassword support to change the BIOS setup password.

RBC Manager Interface

The Manager interface exposes methods and properties to get and set BIOS attributes via dbus; it is documented here.

Service Name

xyz.openbmc_project.BIOSConfigManager

Object Path

/xyz/openbmc_project/bios_config/manager

Interface Name

xyz.openbmc_project.BIOSConfig.Manager

Methods

  • SetAttribute Sets a specific BIOS attribute to a new value.
  • GetAttribute Retrieves the current and pending values of a BIOS attribute.

Properties

  • ResetBIOSSettings To reset the BIOS settings based on the Reset Flag.
  • BaseBIOSTable Captures the entire BIOS table (the collective information of all BIOS attributes and their properties).

Signature of BaseBIOSTable

The BaseBIOSTable property in the RBC Manager Interface is a complex dictionary that defines the structure of BIOS attributes. Its type signature is as follows:

```
dict[string, struct[
    enum[self.AttributeType],
    boolean,
    string,
    string,
    string,
    variant[int64, string],
    variant[int64, string],
    array[struct[enum[self.BoundType], variant[int64, string], string]]
]]
```

This structure consists of:

  • Attribute Name (string): The name of the BIOS attribute.
  • Attribute Type (enum): The type of the BIOS attribute (e.g., String, Integer).
  • Read-only Status (boolean): Whether the attribute is read-only.
  • Display Name (string): The human-readable name of the attribute.
  • Description (string): A description of what the attribute does.
  • Menu Path (string): The BIOS menu path where this attribute can be found.
  • Current Value (variant[int64, string]): The current value of the attribute.
  • Default Value (variant[int64, string]): The default value of the attribute.
  • Options (array of structs): The available options or bounds for this attribute.

Examples

Here is an example JSON structure of a String attribute with attributeName DdrFreqLimit and its various properties in the BaseBIOSTable signature.

```json
{
  "DdrFreqLimit": {
    "attributeType": "xyz.openbmc_project.BIOSConfig.Manager.AttributeType.String",
    "readonlyStatus": false,
    "displayname": "Memory Operating Speed Selection",
    "description": "Force specific Memory Operating Speed or use Auto setting.",
    "menuPath": "Advanced/Memory Configuration/Memory Operating Speed Selection",
    "current": "0x00",
    "default": "0x0B",
    "options": [
      { "optionstring": "auto", "optionvalue": "enum0" },
      { "optionstring": "2133", "optionvalue": "enum1" },
      { "optionstring": "2400", "optionvalue": "enum2" },
      { "optionstring": "2664", "optionvalue": "enum3" },
      { "optionstring": "2933", "optionvalue": "enum4" }
    ]
  }
}
```

Here is another example JSON structure of an Integer attribute with attribute name BIOSSerialDebugLevel and its various properties in the BaseBIOSTable signature.

```json
{
  "BIOSSerialDebugLevel": {
    "attributeType": "xyz.openbmc_project.BIOSConfig.Manager.AttributeType.Integer",
    "readonlyStatus": false,
    "displayname": "BIOS Serial Debug level",
    "description": "BIOS Serial Debug level during system boot.",
    "menuPath": "Advanced/Debug Feature Selection",
    "current": "0x00",
    "default": "0x01",
    "options": [
      { "optionstring": "MinBound", "optionvalue": 0 },
      { "optionstring": "MaxBound", "optionvalue": 4 },
      { "optionstring": "ScalarIncrement", "optionvalue": 1 }
    ]
  }
}
```
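The two entries above carry everything a BMC-side caller needs to check a proposed SetAttribute value before it reaches host firmware: an Integer attribute is bounded by its MinBound/MaxBound/ScalarIncrement options, a String attribute by its enumerated optionvalue list, and readonlyStatus must be false. The following is an added example, not code from bios-settings-manager; the table is a constructed, abbreviated copy of the README's two entries (display fields dropped, option lists kept as shown), and validate_set is a hypothetical helper:

```python
TYPE_PREFIX = "xyz.openbmc_project.BIOSConfig.Manager.AttributeType."

# Constructed sample: the README's two BaseBIOSTable entries, abbreviated to
# the fields the check needs (attributeType, readonlyStatus, options).
BASE_BIOS_TABLE = {
    "DdrFreqLimit": {
        "attributeType": TYPE_PREFIX + "String",
        "readonlyStatus": False,
        "options": [{"optionstring": s, "optionvalue": f"enum{i}"}
                    for i, s in enumerate(["auto", "2133", "2400", "2664", "2933"])],
    },
    "BIOSSerialDebugLevel": {
        "attributeType": TYPE_PREFIX + "Integer",
        "readonlyStatus": False,
        "options": [{"optionstring": "MinBound", "optionvalue": 0},
                    {"optionstring": "MaxBound", "optionvalue": 4},
                    {"optionstring": "ScalarIncrement", "optionvalue": 1}],
    },
}


def validate_set(table, name, value):
    """Hypothetical pre-check for SetAttribute(name, value): (ok, reason)."""
    attr = table.get(name)
    if attr is None:
        return False, "unknown attribute"
    if attr["readonlyStatus"]:
        return False, "attribute is read-only"
    kind = attr["attributeType"].rsplit(".", 1)[-1]
    # Map optionstring -> optionvalue (bounds for Integer, enum ids for String).
    opts = {o["optionstring"]: o["optionvalue"] for o in attr["options"]}
    if kind == "Integer":
        # bool is a subclass of int in Python; reject it explicitly.
        if not isinstance(value, int) or isinstance(value, bool):
            return False, "Integer attribute needs an int"
        lo, hi = opts["MinBound"], opts["MaxBound"]
        step = opts.get("ScalarIncrement") or 1
        if not lo <= value <= hi:
            return False, f"{value} outside [{lo}, {hi}]"
        if (value - lo) % step:
            return False, f"{value} is not {lo} plus a multiple of {step}"
        return True, "ok"
    if kind == "String":
        # For an enumerated String attribute, only a listed optionvalue is valid.
        if value in opts.values():
            return True, "ok"
        return False, "value is not one of the listed options"
    return False, f"unsupported attribute type {kind}"
```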

Initialization of BaseBIOSTable

When the bios-settings-mgr daemon starts, it initializes with an empty BaseBIOSTable. It is the responsibility of provider daemons, such as PLDM or IPMI, to populate this table by fetching or defining the BIOS settings. These provider daemons are expected to gather the necessary BIOS attributes and values from their respective sources (e.g., BMC, system firmware) and then initialize the BaseBIOSTable property with those settings.

BIOS with PLDM as Communication Protocol

For systems that use the PLDM (Platform Level Data Model) protocol between BMC & Host, OEM vendors can define their own BIOS attributes in the form of JSON files. The PLDM daemon parses these files and initializes the BaseBIOSTable property accordingly. This allows for flexible and custom BIOS configuration options based on the vendor's specifications.

For more details, refer to BIOS Support in PLDM.

BIOS with IPMI as Communication Protocol

For systems that use the Intelligent Platform Management Interface (IPMI) protocol between BMC and Host, BIOS attributes are gathered from the BIOS as an XML file, and BaseBIOSTable is then initialized with the attribute data from the parsed XML file.

For more details, refer to BIOS Support in IPMI.

RBC Password Interface

Service Name

xyz.openbmc_project.BIOSConfigManager

Object Path

/xyz/openbmc_project/bios_config/password

Interface Name

xyz.openbmc_project.BIOSConfig.Password

Methods

  • ChangePassword Used to change the BIOS setup password.

Properties

  • PasswordInitialized Used to indicate whether the BIOS password-related details have been received.

RBC SecureBoot Interface

The SecureBoot interface exposes properties to get and set UEFI SecureBoot settings via dbus; it is documented here.

Service Name

xyz.openbmc_project.BIOSConfigManager

Object Path

/xyz/openbmc_project/bios_config/secure_boot

Interface Name

xyz.openbmc_project.BIOSConfig.SecureBoot

Properties

  • CurrentBoot Indicates the UEFI Secure Boot state during the current boot cycle.
  • PendingEnable Indicates whether UEFI Secure Boot takes effect on the next boot.
  • Mode The current UEFI Secure Boot mode.

SecureBoot with Redfish Host Interface as Communication Protocol

For systems that use the Redfish Host Interface protocol between BMC and Host, the UEFI SecureBoot configuration is gathered by the BMC via Redfish. The settings are transformed to the native dbus format and the properties are set accordingly.