1 What: /sys/class/firmware-attributes 1 What: /sys/class/firmware-attributes/*/attributes/*/ 2 Date: February 2021 2 Date: February 2021 3 KernelVersion: 5.11 3 KernelVersion: 5.11 4 Contact: Divya Bharathi <Divya.Bharathi@ 4 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, 5 Prasanth KSR <prasanth.ksr@dell 5 Prasanth KSR <prasanth.ksr@dell.com> 6 Dell.Client.Kernel@dell.com 6 Dell.Client.Kernel@dell.com 7 Description: 7 Description: 8 A sysfs interface for systems 8 A sysfs interface for systems management software to enable 9 configuration capability on su 9 configuration capability on supported systems. This directory 10 exposes interfaces for interac 10 exposes interfaces for interacting with configuration options. 11 11 12 Unless otherwise specified in 12 Unless otherwise specified in an attribute description all attributes are optional 13 and will accept UTF-8 input. 13 and will accept UTF-8 input. 14 14 15 type: 15 type: 16 A file that can be read to 16 A file that can be read to obtain the type of attribute. 17 This attribute is mandator 17 This attribute is mandatory. 18 18 19 The following are known types: 19 The following are known types: 20 20 21 - enumeration: a set o 21 - enumeration: a set of pre-defined valid values 22 - integer: a range of 22 - integer: a range of numerical values 23 - string 23 - string 24 24 25 HP specific types << 26 ----------------- << 27 - ordered-list - a set << 28 << 29 << 30 All attribute types support th 25 All attribute types support the following values: 31 26 32 current_value: 27 current_value: 33 A file that ca 28 A file that can be read to obtain the current 34 value of the < 29 value of the <attr>. 35 30 36 This file can 31 This file can also be written to in order to update the value of a 37 <attr> 32 <attr> 38 33 39 This attribute 34 This attribute is mandatory. 
40 35 41 default_value: 36 default_value: 42 A file that ca 37 A file that can be read to obtain the default 43 value of the < 38 value of the <attr> 44 39 45 display_name: 40 display_name: 46 A file that ca 41 A file that can be read to obtain a user friendly 47 description of 42 description of the at <attr> 48 43 49 display_name_language_code: 44 display_name_language_code: 50 45 A file that can be read to obtain 51 46 the IETF language tag corresponding to the 52 47 "display_name" of the <attr> 53 48 54 "enumeration"-type specific pr 49 "enumeration"-type specific properties: 55 50 56 possible_values: 51 possible_values: 57 A file 52 A file that can be read to obtain the possible 58 values 53 values of the <attr>. Values are separated using 59 semi-c 54 semi-colon (``;``). 60 55 61 "integer"-type specific proper 56 "integer"-type specific properties: 62 57 63 min_value: 58 min_value: 64 A file that ca 59 A file that can be read to obtain the lower 65 bound value of 60 bound value of the <attr> 66 61 67 max_value: 62 max_value: 68 A file that ca 63 A file that can be read to obtain the upper 69 bound value of 64 bound value of the <attr> 70 65 71 scalar_increment: 66 scalar_increment: 72 A file 67 A file that can be read to obtain the scalar value used for 73 increm 68 increments of current_value this attribute accepts. 
74 69 75 "string"-type specific propert 70 "string"-type specific properties: 76 71 77 max_length: 72 max_length: 78 A file that ca 73 A file that can be read to obtain the maximum 79 length value o 74 length value of the <attr> 80 75 81 min_length: 76 min_length: 82 A file that ca 77 A file that can be read to obtain the minimum 83 length value o 78 length value of the <attr> 84 79 85 Dell specific class extensions 80 Dell specific class extensions 86 ------------------------------ 81 ------------------------------ 87 82 88 On Dell systems the following 83 On Dell systems the following additional attributes are available: 89 84 90 dell_modifier: 85 dell_modifier: 91 A file that ca 86 A file that can be read to obtain attribute-level 92 dependency rul 87 dependency rule. It says an attribute X will become read-only or 93 suppressed, if 88 suppressed, if/if-not attribute Y is configured. 94 89 95 modifier rules 90 modifier rules can be in following format:: 96 91 97 [ReadOnlyI 92 [ReadOnlyIf:<attribute>=<value>] 98 [ReadOnlyI 93 [ReadOnlyIfNot:<attribute>=<value>] 99 [SuppressI 94 [SuppressIf:<attribute>=<value>] 100 [SuppressI 95 [SuppressIfNot:<attribute>=<value>] 101 96 102 For example:: 97 For example:: 103 98 104 AutoOnFri/ 99 AutoOnFri/dell_modifier has value, 105 [S 100 [SuppressIfNot:AutoOn=SelectDays] 106 101 107 This means Aut 102 This means AutoOnFri will be suppressed in BIOS setup if AutoOn 108 attribute is n 103 attribute is not "SelectDays" and its value will not be effective 109 through sysfs 104 through sysfs until this rule is met. 110 105 111 Enumeration attributes also su 106 Enumeration attributes also support the following: 112 107 113 dell_value_modifier: 108 dell_value_modifier: 114 A file 109 A file that can be read to obtain value-level dependency. 115 This f 110 This file is similar to dell_modifier but here, an 116 attrib 111 attribute's current value will be forcefully changed based 117 depend 112 dependent attributes value. 
118 113 119 dell_v 114 dell_value_modifier rules can be in following format:: 120 115 121 <v 116 <value>[ForceIf:<attribute>=<value>] 122 <v 117 <value>[ForceIfNot:<attribute>=<value>] 123 118 124 For ex 119 For example:: 125 120 126 Le 121 LegacyOrom/dell_value_modifier has value: 127 122 Disabled[ForceIf:SecureBoot=Enabled] 128 123 129 This m 124 This means LegacyOrom's current value will be forced to 130 "Disab 125 "Disabled" in BIOS setup if SecureBoot is Enabled and its 131 value 126 value will not be effective through sysfs until this rule is 132 met. 127 met. 133 128 134 HP specific class extensions << 135 ------------------------------ << 136 << 137 On HP systems the following ad << 138 << 139 "ordered-list"-type specific p << 140 << 141 elements: << 142 A file << 143 list o << 144 semi-c << 145 An ele << 146 the li << 147 the pr << 148 << 149 What: /sys/class/firmware-attributes 129 What: /sys/class/firmware-attributes/*/authentication/ 150 Date: February 2021 130 Date: February 2021 151 KernelVersion: 5.11 131 KernelVersion: 5.11 152 Contact: Divya Bharathi <Divya.Bharathi@ 132 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, 153 Prasanth KSR <prasanth.ksr@dell 133 Prasanth KSR <prasanth.ksr@dell.com> 154 Dell.Client.Kernel@dell.com 134 Dell.Client.Kernel@dell.com 155 Description: 135 Description: 156 Devices support various authen 136 Devices support various authentication mechanisms which can be exposed 157 as a separate configuration ob 137 as a separate configuration object. 158 138 159 For example a "BIOS Admin" pas 139 For example a "BIOS Admin" password and "System" Password can be set, 160 reset or cleared using these a 140 reset or cleared using these attributes. 161 141 162 - An "Admin" password is used 142 - An "Admin" password is used for preventing modification to the BIOS 163 settings. 143 settings. 164 - A "System" password is requi 144 - A "System" password is required to boot a machine. 
165 145 166 Change in any of these two aut 146 Change in any of these two authentication methods will also generate an 167 uevent KOBJ_CHANGE. 147 uevent KOBJ_CHANGE. 168 148 169 is_enabled: 149 is_enabled: 170 A file 150 A file that can be read to obtain a 0/1 flag to see if 171 <attr> 151 <attr> authentication is enabled. 172 This a 152 This attribute is mandatory. 173 153 174 role: 154 role: 175 The ty 155 The type of authentication used. 176 This a 156 This attribute is mandatory. 177 157 178 Known 158 Known types: 179 159 bios-admin: 180 160 Representing BIOS administrator password 181 161 power-on: 182 162 Representing a password required to use 183 163 the system 184 164 system-mgmt: 185 165 Representing System Management password. 186 166 See Lenovo extensions section for details 187 167 HDD: 188 168 Representing HDD password 189 169 See Lenovo extensions section for details 190 170 NVMe: 191 171 Representing NVMe password 192 172 See Lenovo extensions section for details 193 173 194 mechanism: 174 mechanism: 195 The me 175 The means of authentication. This attribute is mandatory. 196 Only s 176 Only supported type currently is "password". 197 177 198 max_password_length: 178 max_password_length: 199 A file 179 A file that can be read to obtain the 200 maximu 180 maximum length of the Password 201 181 202 min_password_length: 182 min_password_length: 203 A file 183 A file that can be read to obtain the 204 minimu 184 minimum length of the Password 205 185 206 current_password: 186 current_password: 207 A writ 187 A write only value used for privileged access such as 208 settin 188 setting attributes when a system or admin password is set 209 or res 189 or resetting to a new password 210 190 211 This a 191 This attribute is mandatory when mechanism == "password". 212 192 213 new_password: 193 new_password: 214 A writ 194 A write only value that when used in tandem with 215 curren 195 current_password will reset a system or admin password. 
216 196 217 Note, password management is s 197 Note, password management is session specific. If Admin password is set, 218 same password must be written 198 same password must be written into current_password file (required for 219 password-validation) and must 199 password-validation) and must be cleared once the session is over. 220 For example:: 200 For example:: 221 201 222 echo "password" > curr 202 echo "password" > current_password 223 echo "disabled" > Touc 203 echo "disabled" > TouchScreen/current_value 224 echo "" > current_pass 204 echo "" > current_password 225 205 226 Drivers may emit a CHANGE ueve 206 Drivers may emit a CHANGE uevent when a password is set or unset 227 userspace may check it again. 207 userspace may check it again. 228 208 229 On Dell, Lenovo and HP systems !! 209 On Dell and Lenovo systems, if Admin password is set, then all BIOS attributes 230 require password validation. 210 require password validation. 231 On Lenovo systems if you chang 211 On Lenovo systems if you change the Admin password the new password is not active until 232 the next boot. 212 the next boot. 233 213 234 Lenovo specific class extensio 214 Lenovo specific class extensions 235 ------------------------------ 215 -------------------------------- 236 216 237 On Lenovo systems the followin 217 On Lenovo systems the following additional settings are available: 238 218 239 role: system-mgmt This g 219 role: system-mgmt This gives the same authority as the bios-admin password to control 240 securi 220 security related features. The authorities allocated can be set via 241 the BI 221 the BIOS menu SMP Access Control Policy 242 222 243 role: HDD & NVMe This p 223 role: HDD & NVMe This password is used to unlock access to the drive at boot. Note see 244 'level 224 'level' and 'index' extensions below. 245 225 246 lenovo_encoding: 226 lenovo_encoding: 247 The en 227 The encoding method that is used. This can be either "ascii" 248 or "sc 228 or "scancode". 
Default is set to "ascii" 249 229 250 lenovo_kbdlang: 230 lenovo_kbdlang: 251 The ke 231 The keyboard language method that is used. This is generally a 252 two ch 232 two char code (e.g. "us", "fr", "gr") and may vary per platform. 253 Defaul 233 Default is set to "us" 254 234 255 level: 235 level: 256 Availa 236 Available for HDD and NVMe authentication to set 'user' or 'master' 257 privil 237 privilege level. 258 If onl 238 If only the user password is configured then this should be used to 259 unlock 239 unlock the drive at boot. If both master and user passwords are set 260 then e 240 then either can be used. If a master password is set a user password 261 is req 241 is required. 262 This a 242 This attribute defaults to 'user' level 263 243 264 index: 244 index: 265 Used w 245 Used with HDD and NVME authentication to set the drive index 266 that i !! 246 that is being referenced (e.g hdd0, hdd1 etc) 267 This a !! 247 This attribute defaults to device 0. 268 248 269 certificate, signature, save_s 249 certificate, signature, save_signature: 270 These 250 These attributes are used for certificate based authentication. This is 271 used i 251 used in conjunction with a signing server as an alternative to password 272 based 252 based authentication. 273 The us 253 The user writes to the attribute(s) with a BASE64 encoded string obtained 274 from t 254 from the signing server. 275 The at 255 The attributes can be displayed to check the stored value. 
276 256 277 Some u 257 Some usage examples: 278 258 279 259 Installing a certificate to enable feature:: 280 260 281 261 echo "supervisor password" > authentication/Admin/current_password 282 262 echo "signed certificate" > authentication/Admin/certificate 283 263 284 264 Updating the installed certificate:: 285 265 286 266 echo "signature" > authentication/Admin/signature 287 267 echo "signed certificate" > authentication/Admin/certificate 288 268 289 269 Removing the installed certificate:: 290 270 291 271 echo "signature" > authentication/Admin/signature 292 272 echo "" > authentication/Admin/certificate 293 273 294 274 Changing a BIOS setting:: 295 275 296 276 echo "signature" > authentication/Admin/signature 297 277 echo "save signature" > authentication/Admin/save_signature 298 278 echo Enable > attribute/PasswordBeep/current_value 299 279 300 You ca 280 You cannot enable certificate authentication if a supervisor password 301 has no 281 has not been set. 302 Cleari 282 Clearing the certificate results in no bios-admin authentication method 303 being 283 being configured allowing anyone to make changes. 304 After 284 After any of these operations the system must reboot for the changes to 305 take e 285 take effect. 306 286 307 certificate_thumbprint: 287 certificate_thumbprint: 308 Read o 288 Read only attribute used to display the MD5, SHA1 and SHA256 thumbprints 309 for th 289 for the certificate installed in the BIOS. 310 290 311 certificate_to_password: 291 certificate_to_password: 312 Write 292 Write only attribute used to switch from certificate based authentication 313 back t 293 back to password based. 
314 Usage: 294 Usage:: 315 295 316 296 echo "signature" > authentication/Admin/signature 317 297 echo "password" > authentication/Admin/certificate_to_password 318 298 319 HP specific class extensions << 320 ------------------------------ << 321 << 322 On HP systems the following ad << 323 << 324 role: enhanced-bios-auth: << 325 This r << 326 It req << 327 << 328 299 329 What: /sys/class/firmware-attributes 300 What: /sys/class/firmware-attributes/*/attributes/pending_reboot 330 Date: February 2021 301 Date: February 2021 331 KernelVersion: 5.11 302 KernelVersion: 5.11 332 Contact: Divya Bharathi <Divya.Bharathi@ 303 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, 333 Prasanth KSR <prasanth.ksr@dell 304 Prasanth KSR <prasanth.ksr@dell.com> 334 Dell.Client.Kernel@dell.com 305 Dell.Client.Kernel@dell.com 335 Description: 306 Description: 336 A read-only attribute reads 1 307 A read-only attribute reads 1 if a reboot is necessary to apply 337 pending BIOS attribute changes 308 pending BIOS attribute changes. Also, an uevent_KOBJ_CHANGE is 338 generated when it changes to 1 309 generated when it changes to 1. 339 310 340 == ============== 311 == ========================================= 341 0 All BIOS attri 312 0 All BIOS attributes setting are current 342 1 A reboot is ne 313 1 A reboot is necessary to get pending BIOS 343 attribute chan !! 314 attribute changes applied 344 == ============== 315 == ========================================= 345 316 346 Note, userspace applications n 317 Note, userspace applications need to follow below steps for efficient 347 BIOS management, 318 BIOS management, 348 319 349 1. Check if admin passwor 320 1. Check if admin password is set. If yes, follow session method for 350 password management as 321 password management as briefed under authentication section above. 351 2. Before setting any att 322 2. Before setting any attribute, check if it has any modifiers 352 or value_modifiers. If 323 or value_modifiers. 
If yes, incorporate them and then modify 353 attribute. 324 attribute. 354 325 355 Drivers may emit a CHANGE ueve 326 Drivers may emit a CHANGE uevent when this value changes and userspace 356 may check it again. 327 may check it again. 357 328 358 What: /sys/class/firmware-attributes 329 What: /sys/class/firmware-attributes/*/attributes/reset_bios 359 Date: February 2021 330 Date: February 2021 360 KernelVersion: 5.11 331 KernelVersion: 5.11 361 Contact: Divya Bharathi <Divya.Bharathi@ 332 Contact: Divya Bharathi <Divya.Bharathi@Dell.com>, 362 Prasanth KSR <prasanth.ksr@dell 333 Prasanth KSR <prasanth.ksr@dell.com> 363 Dell.Client.Kernel@dell.com 334 Dell.Client.Kernel@dell.com 364 Description: 335 Description: 365 This attribute can be used to 336 This attribute can be used to reset the BIOS Configuration. 366 Specifically, it tells which t 337 Specifically, it tells which type of reset BIOS configuration is being 367 requested on the host. 338 requested on the host. 368 339 369 Reading from it returns a list 340 Reading from it returns a list of supported options encoded as: 370 341 371 - 'builtinsafe' (Built 342 - 'builtinsafe' (Built in safe configuration profile) 372 - 'lastknowngood' (Las 343 - 'lastknowngood' (Last known good saved configuration profile) 373 - 'factory' (Default f 344 - 'factory' (Default factory settings configuration profile) 374 - 'custom' (Custom sav 345 - 'custom' (Custom saved configuration profile) 375 346 376 The currently selected option 347 The currently selected option is printed in square brackets as 377 shown below:: 348 shown below:: 378 349 379 # echo "factory" > /sys/cl 350 # echo "factory" > /sys/class/firmware-attributes/*/device/attributes/reset_bios 380 # cat /sys/class/firmware- 351 # cat /sys/class/firmware-attributes/*/device/attributes/reset_bios 381 builtinsafe lastknowngood 352 builtinsafe lastknowngood [factory] custom 382 353 383 Note that any changes to this 354 Note that any changes to this attribute requires a 
reboot 384 for changes to take effect. 355 for changes to take effect. 385 356 386 What: /sys/class/firmware-attributes << 387 Date: August 2023 << 388 KernelVersion: 6.6 << 389 Contact: Mark Pearson <mpearson-lenovo@s << 390 Description: << 391 On Lenovo platforms there is a << 392 saved. This is an architectura << 393 that can be modified to 48. << 394 A solution for this is instead << 395 to allow a user to bulk set th << 396 unlimited attributes. << 397 << 398 Read the attribute to check wh << 399 E.g: << 400 # cat /sys/class/firmware-attr << 401 single << 402 << 403 Write the attribute with 'bulk << 404 Write the attribute with 'sing << 405 The default setting is single << 406 E.g: << 407 # echo bulk > /sys/class/firmw << 408 << 409 When in bulk mode write 'save' << 410 Note, once a save has been tri << 411 will return a permissions erro << 412 (which requires entering the B << 413 E.g: << 414 # echo save > /sys/class/firmw << 415 << 416 What: /sys/class/firmware-attributes 357 What: /sys/class/firmware-attributes/*/attributes/debug_cmd 417 Date: July 2021 358 Date: July 2021 418 KernelVersion: 5.14 359 KernelVersion: 5.14 419 Contact: Mark Pearson <markpearson@lenov 360 Contact: Mark Pearson <markpearson@lenovo.com> 420 Description: 361 Description: 421 This write only attribute can 362 This write only attribute can be used to send debug commands to the BIOS. 422 This should only be used when 363 This should only be used when recommended by the BIOS vendor. Vendors may 423 use it to enable extra debug a 364 use it to enable extra debug attributes or BIOS features for testing purposes. 424 365 425 Note that any changes to this 366 Note that any changes to this attribute requires a reboot for changes to take effect. 426 << 427 << 428 HP specific class extensions - << 429 ------------------------------ << 430 << 431 What: /sys/class/firmware-attributes << 432 Date: March 2023 << 433 KernelVersion: 5.18 << 434 Contact: "Jorge Lopez" <jorge.lopez2@hp. 
<< 435 Description: << 436 'kek' Key-Encryption-Key is a << 437 RSA public key that will be us << 438 signatures when setting the si << 439 the bytes should correspond to << 440 (x509 .DER format containing a << 441 certificate must be less than << 442 << 443 What: /sys/class/firmware-attributes << 444 Date: March 2023 << 445 KernelVersion: 5.18 << 446 Contact: "Jorge Lopez" <jorge.lopez2@hp. << 447 Description: << 448 'sk' Signature Key is a write- << 449 public key that will be used b << 450 when configuring BIOS settings << 451 written, the bytes should corr << 452 public key. The exponent is a << 453 << 454 What: /sys/class/firmware-attributes << 455 Date: March 2023 << 456 KernelVersion: 5.18 << 457 Contact: "Jorge Lopez" <jorge.lopez2@hp. << 458 Description: << 459 'status' is a read-only file t << 460 the status information. << 461 << 462 "State": "not provisioned | << 463 "Version": "Major.Minor", << 464 "Nonce": <16-bit unsigned nu << 465 "FeaturesInUse": <16-bit uns << 466 "EndorsementKeyMod": "<256 b << 467 "SigningKeyMod": "<256 bytes << 468 << 469 What: /sys/class/firmware-attributes << 470 Date: March 2023 << 471 KernelVersion: 5.18 << 472 Contact: "Jorge Lopez" <jorge.lopez2@hp. << 473 Description: << 474 'audit_log_entries' is a read- << 475 << 476 Audit log entry format << 477 << 478 Byte 0-15: Requested << 479 Byte 16-127: Unused << 480 << 481 What: /sys/class/firmware-attributes << 482 Date: March 2023 << 483 KernelVersion: 5.18 << 484 Contact: "Jorge Lopez" <jorge.lopez2@hp. << 485 Description: << 486 'audit_log_entry_count' is a r << 487 audit log events available to << 488 << 489 [No of entries],[log e << 490 << 491 log entry size identifies audi << 492 The current size is 16 bytes b << 493 versions. <<
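Review bot: two usage examples use paths that do not match the What: entries they sit under. The reset_bios example writes to /sys/class/firmware-attributes/*/device/attributes/reset_bios while the entry is declared as /sys/class/firmware-attributes/*/attributes/reset_bios, and the Lenovo "Changing a BIOS setting" example writes to attribute/PasswordBeep/current_value although the directory is attributes/. Suggest making both examples use the declared attributes/ path so they can be copied as written. Minor wording in the same text: display_name reads "description of the at <attr>", and "when a password is set or unset userspace may check it again" is missing a conjunction.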
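Review bot: in the Lenovo certificate text, the statement that clearing the certificate leaves no bios-admin authentication method configured, "allowing anyone to make changes", comes several paragraphs after the "Removing the installed certificate" example that triggers it. Suggest moving that sentence directly under that example and pointing to certificate_to_password, which the text describes as the way to switch back to password based authentication. For certificate_thumbprint, which lists MD5, SHA1 and SHA256 thumbprints, suggest a line telling consumers to compare the SHA256 value, since MD5 and SHA1 are not collision resistant.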
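Review bot: the session note in the authentication entry says current_password "must be cleared once the session is over" but does not say how long a written value stays in effect if the writer never clears it, or whether it is honoured for other processes writing attributes in the meantime. Suggest stating that lifetime explicitly, since the three-line echo example is the only guidance management software gets. It would also help to say whether the trailing newline that echo adds is counted against min_password_length and max_password_length.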