fix: correct SetBiosPwdHash and GetBiosPwdHash cmd
As per recent EDK core, there is a change in BIOS password handling.
User password option in BIOS setup is removed for security reasons.
Also, moved to SHA256 algo and seed size is increased from 16 bytes
to 32 bytes.
This change corrects the two password handling commands to comply
with the new BIOS changes.
Tested:
Executed both the commands D7 and D8 through KCS interface.
Verified cmd response is success and as expected.
Signed-off-by: Ayushi Smriti <smriti.ayushi@linux.intel.com>
Change-Id: I8fbd1623c5feaf33a9a8f91905bb1773163fbbae
diff --git a/include/biosconfigcommands.hpp b/include/biosconfigcommands.hpp
index 253c357..6733be5 100644
--- a/include/biosconfigcommands.hpp
+++ b/include/biosconfigcommands.hpp
@@ -25,7 +25,7 @@
constexpr uint8_t maxPayloadSupported = 0x6;
constexpr uint8_t maxHashSize = 64;
-constexpr uint8_t maxSeedSize = 16;
+constexpr uint8_t maxSeedSize = 32;
constexpr uint8_t maxPasswordSize = 64;
#pragma pack(push, 1)
diff --git a/src/biosconfigcommands.cpp b/src/biosconfigcommands.cpp
index 217d2f6..ab5fa94 100644
--- a/src/biosconfigcommands.cpp
+++ b/src/biosconfigcommands.cpp
@@ -56,6 +56,7 @@
static constexpr const char* biosConfigFolder = "/var/oob";
static constexpr const char* biosConfigNVPath = "/var/oob/nvoobdata.dat";
static constexpr const uint8_t algoSHA384 = 2;
+static constexpr const uint8_t algoSHA256 = 1;
static constexpr const uint8_t biosCapOffsetBit = 0x3;
static constexpr uint16_t maxGetPayloadDataSize = 4096;
static constexpr const char* biosXMLFilePath = "/var/oob/bios.xml";
@@ -758,8 +759,7 @@
ipmi::RspType<> ipmiOEMSetBIOSHashInfo(
ipmi::Context::ptr ctx, std::array<uint8_t, maxSeedSize>& pwdSeed,
- uint8_t algoInfo, std::array<uint8_t, maxHashSize>& adminPwdHash,
- std::array<uint8_t, maxHashSize>& userPwdHash)
+ uint8_t algoInfo, std::array<uint8_t, maxHashSize>& adminPwdHash)
{
std::string OSState;
@@ -773,38 +773,46 @@
// We should not support this command after System Booted - After Exit Boot
// service called
- if (OSState != "OperatingState")
+ if (OSState == "OperatingState")
{
+ return ipmi::response(ipmiCCNotSupportedInCurrentState);
+ }
- if ((algoInfo & 0xF) != algoSHA384)
- {
- // Atpresent, we are supporting only SHA384- HASH algo in BIOS side
- return ipmi::responseInvalidFieldRequest();
- }
- std::string HashFilePath = "/var/lib/bios-settings-manager/seedData";
+ nlohmann::json json;
- nlohmann::json json;
- json["Seed"] = pwdSeed;
+ if ((algoInfo & 0xF) == algoSHA384)
+ {
json["HashAlgo"] = "SHA384";
- json["IsAdminPwdChanged"] = false;
- json["AdminPwdHash"] = adminPwdHash;
- json["IsUserPwdChanged"] = false;
- json["UserPwdHash"] = userPwdHash;
- json["StatusFlag"] = algoInfo;
- std::ofstream ofs(HashFilePath, std::ios::out);
- const auto& writeData = json.dump();
- ofs << writeData;
- ofs.close();
- return ipmi::responseSuccess();
+ }
+ else if ((algoInfo & 0xF) == algoSHA256)
+ {
+ json["HashAlgo"] = "SHA256";
}
else
{
-
- return ipmi::response(ipmiCCNotSupportedInCurrentState);
+ return ipmi::responseInvalidFieldRequest();
}
+
+ json["Seed"] = pwdSeed;
+ json["IsAdminPwdChanged"] = false;
+ json["AdminPwdHash"] = adminPwdHash;
+ json["IsUserPwdChanged"] = false;
+
+ std::array<uint8_t, maxHashSize> userPwdHash;
+ userPwdHash.fill({}); // initializing with 0 as user password hash field
+ // is not used presently
+ json["UserPwdHash"] = userPwdHash;
+ json["StatusFlag"] = algoInfo;
+
+ std::string hashFilePath = "/var/lib/bios-settings-manager/seedData";
+ std::ofstream ofs(hashFilePath, std::ios::out);
+ const auto& writeData = json.dump();
+ ofs << writeData;
+ ofs.close();
+ return ipmi::responseSuccess();
}
-ipmi::RspType<uint8_t, std::array<uint8_t, maxHashSize>,
+ipmi::RspType<std::array<uint8_t, maxSeedSize>, uint8_t,
std::array<uint8_t, maxHashSize>>
ipmiOEMGetBIOSHash(ipmi::Context::ptr ctx)
{
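Review bot: The rewritten tail of ipmiOEMSetBIOSHashInfo returns `ipmi::responseSuccess()` without checking the stream, so a failed open or write of `/var/lib/bios-settings-manager/seedData` is still reported to the caller as a stored hash. Adding `if (ofs.fail()) { return ipmi::responseUnspecifiedError(); }` after `ofs.close();` would surface that. The file holds the seed and the admin password hash, and `std::ofstream` creates it with whatever mode the process umask allows; whether that is already owner-only is not visible here, so setting the permissions explicitly (for instance with `std::filesystem::permissions`) is worth considering. The function's signature and opening lines sit outside this hunk.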
@@ -845,25 +853,18 @@
}
std::array<uint8_t, maxHashSize> newAdminHash;
- std::array<uint8_t, maxHashSize> newUserHash;
+ std::array<uint8_t, maxSeedSize> seed;
+
uint8_t flag = 0;
uint8_t adminPwdChangedFlag = 0;
- uint8_t userPwdChangedFlag = 0;
if (!data.is_discarded())
{
adminPwdChangedFlag = data["IsAdminPwdChanged"];
newAdminHash = data["AdminPwdHash"];
- newUserHash = data["UserPwdHash"];
- userPwdChangedFlag = data["IsUserPwdChanged"];
+ seed = data["Seed"];
}
- // 0: BIT 4 - New Admin Password Not Present
- // 1: BIT 4 - New Admin Password Hash Present
- // 0: BIT 5 - New User Password Not Present
- // 1: BIT 5 - New User Password Hash Present
- // 0: BIT 0 - Default Setting flag is not set
- // 1: BIT 0 - Default Setting flag is set
auto status = getResetBIOSSettings(flag);
if (status)
{
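Review bot: `std::array<uint8_t, maxSeedSize> seed;` has no initializer and is assigned only inside `if (!data.is_discarded())`, yet it is later passed to `ipmi::responseSuccess(seed, flag, newAdminHash)`. Unless lines outside this hunk return early for discarded JSON, the reply can carry indeterminate stack bytes. Value-initialise it as `std::array<uint8_t, maxSeedSize> seed{};` and do the same for `newAdminHash`. Separately, `seed = data["Seed"];` converts into a 32-element array, while a seedData file written before this change holds a 16-byte seed, so the conversion will probably throw on it; the reads should be guarded with a size check or a try/catch. The function body begins and ends outside the hunk.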
@@ -873,16 +874,11 @@
{
flag |= adminPasswordChanged;
}
- if (userPwdChangedFlag)
- {
- flag |= userPasswordChanged;
- }
std::copy(std::begin(newAdminHash), std::end(newAdminHash),
std::begin(newAdminHash));
- std::copy(std::begin(newUserHash), std::end(newUserHash),
- std::begin(newUserHash));
- return ipmi::responseSuccess(flag, newAdminHash, newUserHash);
+
+ return ipmi::responseSuccess(seed, flag, newAdminHash);
}
else
{
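Review bot: The remaining `std::copy(std::begin(newAdminHash), std::end(newAdminHash), std::begin(newAdminHash));` copies the array onto itself and has no effect; with its user-hash twin removed, it can be dropped as well. The response now returns the seed together with the admin hash, and unlike the set handler, no OS-state check is visible for ipmiOEMGetBIOSHash in these hunks. Confirm that the part of the function outside the hunk, or the command's channel and privilege registration, restricts who can read these values.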