What: /sys/class/firmware-attributes/*/attributes/*/
Contact: Divya Bharathi <Divya.Bharathi@Dell.com>,
         Prasanth KSR <prasanth.ksr@dell.com>
         Dell.Client.Kernel@dell.com

A sysfs interface for systems management software to enable
configuration capability on supported systems. This directory
exposes interfaces for interacting with configuration options.

Unless otherwise specified in an attribute description, all attributes are optional
and will accept UTF-8 input.

A file that can be read to obtain the type of attribute.
This attribute is mandatory.

The following are known types:

- enumeration: a set of pre-defined valid values
- integer: a range of numerical values

All attribute types support the following values:

A file that can be read to obtain the current

This file can also be written to in order to update the value of a

This attribute is mandatory.

A file that can be read to obtain the default

A file that can be read to obtain a user friendly
description of the <attr>

display_name_language_code:
A file that can be read to obtain
the IETF language tag corresponding to the
"display_name" of the <attr>

"enumeration"-type specific properties:

A file that can be read to obtain the possible
values of the <attr>. Values are separated using

"integer"-type specific properties:

A file that can be read to obtain the lower
bound value of the <attr>

A file that can be read to obtain the upper
bound value of the <attr>

A file that can be read to obtain the scalar value used for
increments of current_value this attribute accepts.

"string"-type specific properties:

A file that can be read to obtain the maximum
length value of the <attr>

A file that can be read to obtain the minimum
length value of the <attr>

Dell specific class extensions
------------------------------

On Dell systems the following additional attributes are available:

A file that can be read to obtain an attribute-level
dependency rule. It says an attribute X will become read-only or
suppressed, if/if-not attribute Y is configured.

Modifier rules can be in the following format::

    [ReadOnlyIf:<attribute>=<value>]
    [ReadOnlyIfNot:<attribute>=<value>]
    [SuppressIf:<attribute>=<value>]
    [SuppressIfNot:<attribute>=<value>]

AutoOnFri/dell_modifier has value,
    [SuppressIfNot:AutoOn=SelectDays]

This means AutoOnFri will be suppressed in BIOS setup if the AutoOn
attribute is not "SelectDays" and its value will not be effective
through sysfs until this rule is met.

Enumeration attributes also support the following:

A file that can be read to obtain the value-level dependency.
This file is similar to dell_modifier but here, an
attribute's current value will be forcefully changed based
on a dependent attribute's value.

dell_value_modifier rules can be in the following format::

    <value>[ForceIf:<attribute>=<value>]
    <value>[ForceIfNot:<attribute>=<value>]

LegacyOrom/dell_value_modifier has value:
    Disabled[ForceIf:SecureBoot=Enabled]

This means LegacyOrom's current value will be forced to
"Disabled" in BIOS setup if SecureBoot is Enabled and its
value will not be effective through sysfs until this rule is

What: /sys/class/firmware-attributes/*/authentication/
Contact: Divya Bharathi <Divya.Bharathi@Dell.com>,
         Prasanth KSR <prasanth.ksr@dell.com>
         Dell.Client.Kernel@dell.com

Devices support various authentication mechanisms which can be exposed
as a separate configuration object.

For example, a "BIOS Admin" password and a "System" password can be set,
reset or cleared using these attributes.

- An "Admin" password is used for preventing modification to the BIOS
- A "System" password is required to boot a machine.

Change in any of these two authentication methods will also generate an

A file that can be read to obtain a 0/1 flag to see if
<attr> authentication is enabled.
This attribute is mandatory.

The type of authentication used.
This attribute is mandatory.

Representing BIOS administrator password

Representing a password required to use

Representing System Management password.
See Lenovo extensions section for details

Representing HDD password
See Lenovo extensions section for details

Representing NVMe password
See Lenovo extensions section for details

The means of authentication. This attribute is mandatory.
The only supported type currently is "password".

A file that can be read to obtain the
maximum length of the Password

A file that can be read to obtain the
minimum length of the Password

A write-only value used for privileged access such as
setting attributes when a system or admin password is set
or resetting to a new password

This attribute is mandatory when mechanism == "password".

A write-only value that when used in tandem with
current_password will reset a system or admin password.

Note, password management is session specific. If the Admin password is set,
the same password must be written into the current_password file (required for
password-validation) and must be cleared once the session is over.

    echo "password" > current_password
    echo "disabled" > TouchScreen/current_value
    echo "" > current_password

Drivers may emit a CHANGE uevent when a password is set or unset;
userspace may check it again.
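
Added example, not from the kernel documentation: the session rule above as a Python context manager that writes current_password and clears it again even when the attribute write in between fails. The file names is_enabled, min_password_length and max_password_length are assumed (this copy of the text does not show them), and demo() runs against a constructed directory tree rather than real sysfs.

```python
import contextlib
import tempfile
from pathlib import Path

def _read(path):
    return Path(path).read_text().strip()

@contextlib.contextmanager
def admin_session(auth_dir, password):
    """Write current_password for the duration of the block, then clear it.
    Yields True if a password was written, False if none is set."""
    auth = Path(auth_dir)
    if _read(auth / "is_enabled") != "1":
        yield False                      # no password set: nothing to write
        return
    lo = int(_read(auth / "min_password_length"))
    hi = int(_read(auth / "max_password_length"))
    if not lo <= len(password) <= hi:
        raise ValueError("password length outside the advertised limits")
    cur = auth / "current_password"
    cur.write_text(password + "\n")      # same bytes as: echo "password" > ...
    try:
        yield True
    finally:
        # echo "" writes a newline; an empty write() would never reach the driver
        cur.write_text("\n")

def demo():
    """Constructed stand-in for the sysfs tree; real current_password is write-only."""
    with tempfile.TemporaryDirectory() as root:
        auth = Path(root, "authentication", "Admin")
        auth.mkdir(parents=True)
        for name, val in [("is_enabled", "1"), ("min_password_length", "4"),
                          ("max_password_length", "32"), ("current_password", "")]:
            (auth / name).write_text(val + "\n")
        seen = None
        try:
            with admin_session(auth, "constructed-pw"):
                seen = _read(auth / "current_password")
                raise OSError("simulated failed attribute write")
        except OSError:
            pass
        return seen, _read(auth / "current_password")
```
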

On Dell and Lenovo systems, if the Admin password is set, then all BIOS attributes
require password validation.
On Lenovo systems if you change the Admin password the new password is not active until

Lenovo specific class extensions
--------------------------------

On Lenovo systems the following additional settings are available:

role: system-mgmt   This gives the same authority as the bios-admin password to control
                    security related features. The authorities allocated can be set via
                    the BIOS menu SMP Access Control Policy

role: HDD & NVMe    This password is used to unlock access to the drive at boot. Note see
                    'level' and 'index' extensions below.

The encoding method that is used. This can be either "ascii"
or "scancode". Default is set to "ascii"

The keyboard language method that is used. This is generally a
two char code (e.g. "us", "fr", "gr") and may vary per platform.
Default is set to "us"

Available for HDD and NVMe authentication to set 'user' or 'master'

If only the user password is configured then this should be used to
unlock the drive at boot. If both master and user passwords are set
then either can be used. If a master password is set a user password

This attribute defaults to 'user' level

Used with HDD and NVMe authentication to set the drive index
that is being referenced (e.g. hdd0, hdd1, etc.)
This attribute defaults to device 0.

certificate, signature, save_signature:
These attributes are used for certificate based authentication. This is
used in conjunction with a signing server as an alternative to password
based authentication.
The user writes to the attribute(s) with a BASE64 encoded string obtained
from the signing server.
The attributes can be displayed to check the stored value.

Installing a certificate to enable feature::

    echo "supervisor password" > authentication/Admin/current_password
    echo "signed certificate" > authentication/Admin/certificate

Updating the installed certificate::

    echo "signature" > authentication/Admin/signature
    echo "signed certificate" > authentication/Admin/certificate

Removing the installed certificate::

    echo "signature" > authentication/Admin/signature
    echo "" > authentication/Admin/certificate

Changing a BIOS setting::

    echo "signature" > authentication/Admin/signature
    echo "save signature" > authentication/Admin/save_signature
    echo Enable > attribute/PasswordBeep/current_value

You cannot enable certificate authentication if a supervisor password

Clearing the certificate results in no bios-admin authentication method
being configured, allowing anyone to make changes.
After any of these operations the system must reboot for the changes to

certificate_thumbprint:
Read-only attribute used to display the MD5, SHA1 and SHA256 thumbprints
for the certificate installed in the BIOS.

certificate_to_password:
Write-only attribute used to switch from certificate based authentication
back to password based.

    echo "signature" > authentication/Admin/signature
    echo "password" > authentication/Admin/certificate_to_password

What: /sys/class/firmware-attributes/*/attributes/pending_reboot
Contact: Divya Bharathi <Divya.Bharathi@Dell.com>,
         Prasanth KSR <prasanth.ksr@dell.com>
         Dell.Client.Kernel@dell.com

A read-only attribute that reads 1 if a reboot is necessary to apply
pending BIOS attribute changes. Also, a uevent_KOBJ_CHANGE is
generated when it changes to 1.

==  =========================================
0   All BIOS attribute settings are current
1   A reboot is necessary to get pending BIOS
    attribute changes applied
==  =========================================

Note, userspace applications need to follow the steps below for efficient

1. Check if the admin password is set. If yes, follow the session method for
   password management as briefed under the authentication section above.
2. Before setting any attribute, check if it has any modifiers
   or value_modifiers. If yes, incorporate them and then modify

Drivers may emit a CHANGE uevent when this value changes and userspace
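
Added example (not part of the kernel documentation or any vendor tool): a Python check for step 2 above that parses dell_modifier and dell_value_modifier rules in the format given in the Dell extensions section and reports whether a write to current_value would be effective. The function names, the `state` snapshot and the handling of several rules in one file (whitespace, ',' or ';' between them) are assumptions.

```python
import re

# Grammar from the text: [Keyword:<attribute>=<value>], with a leading
# <value> for dell_value_modifier rules.
RULE_RE = re.compile(
    r"(?P<forced>[^\[\]]*)\[(?P<op>\w+):(?P<attr>[^=\]]+)=(?P<val>[^\]]*)\]")
MODIFIER_OPS = {"ReadOnlyIf", "ReadOnlyIfNot", "SuppressIf", "SuppressIfNot"}
VALUE_OPS = {"ForceIf", "ForceIfNot"}

def parse_rules(text):
    """Return a list of (forced_value_or_None, keyword, attribute, value)."""
    rules = []
    for m in RULE_RE.finditer(text):
        # Assumption: separators between several rules are whitespace, ',' or ';'.
        op, forced = m["op"], m["forced"].strip(" \t\n,;")
        if op not in MODIFIER_OPS | VALUE_OPS:
            raise ValueError(f"unknown rule keyword: {op}")
        if (op in VALUE_OPS) != bool(forced):
            raise ValueError(f"malformed rule: {m[0]!r}")
        rules.append((forced or None, op, m["attr"].strip(), m["val"].strip()))
    return rules

def check_write(modifier, value_modifier, wanted, state):
    """Would writing `wanted` to current_value be effective?
    `state` maps attribute name -> current_value (hypothetical snapshot).
    Returns (ok, reason)."""
    for forced, op, attr, val in parse_rules(modifier) + parse_rules(value_modifier):
        matches = state.get(attr) == val        # unknown attribute: no match
        if matches == op.endswith("IfNot"):     # rule is not active
            continue
        if forced is None:
            kind = "read-only" if op.startswith("ReadOnly") else "suppressed"
            return False, f"{kind} by [{op}:{attr}={val}]"
        if wanted != forced:
            return False, f"forced to {forced} by [{op}:{attr}={val}]"
    return True, "no active rule blocks this write"

if __name__ == "__main__":
    # Constructed state; the rules are the two examples quoted in the text.
    state = {"AutoOn": "Disabled", "SecureBoot": "Enabled"}
    print(check_write("[SuppressIfNot:AutoOn=SelectDays]", "", "Enabled", state))
    print(check_write("", "Disabled[ForceIf:SecureBoot=Enabled]", "Enabled", state))
```
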

What: /sys/class/firmware-attributes/*/attributes/reset_bios
Contact: Divya Bharathi <Divya.Bharathi@Dell.com>,
         Prasanth KSR <prasanth.ksr@dell.com>
         Dell.Client.Kernel@dell.com

This attribute can be used to reset the BIOS Configuration.
Specifically, it tells which type of reset BIOS configuration is being
requested on the host.

Reading from it returns a list of supported options encoded as:

- 'builtinsafe' (Built in safe configuration profile)
- 'lastknowngood' (Last known good saved configuration profile)
- 'factory' (Default factory settings configuration profile)
- 'custom' (Custom saved configuration profile)

The currently selected option is printed in square brackets as

    # echo "factory" > /sys/class/firmware-attributes/*/device/attributes/reset_bios
    # cat /sys/class/firmware-attributes/*/device/attributes/reset_bios
    builtinsafe lastknowngood [factory] custom

Note that any changes to this attribute require a reboot
for changes to take effect.

What: /sys/class/firmware-attributes/*/attributes/debug_cmd
Contact: Mark Pearson <markpearson@lenovo.com>

This write-only attribute can be used to send debug commands to the BIOS.
This should only be used when recommended by the BIOS vendor. Vendors may
use it to enable extra debug attributes or BIOS features for testing purposes.

Note that any changes to this attribute require a reboot for changes to take effect.