From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (NAM04-BN8-obe.outbound.protection.outlook.com [40.107.100.83]) by mx.groups.io with SMTP id smtpd.web11.68688.1680014910816787357 for ; Tue, 28 Mar 2023 07:48:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ami.com header.s=selector1 header.b=BFiZc70y; spf=pass (domain: ami.com, ip: 40.107.100.83, mailfrom: igork@ami.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=luxngXuErf0ZglJHAicb87egPHF1Po86RlpdtYqJ4fA42jZ4DICmZ635MXsrjYROruIOm2qoooSP61KxXpbvOw2D76gL3NoSOo/a7mWiyyDniRzvL9XH9monqX9qCGPkAqMBCEKh+XFFKa5QKTzXX2fXsiQ8uPMCqxzdJEEbArNfEoagjwj9FkLYmnYrZBahGAi8c9SKJHQapkTmmTURtjTW8wpu+jGu72yD3xTmS6Zqb9jM5Z//7nbdlbEOreUNFUlgqSfOcpfnc1sO2rHhq/2m5BUZPgKkhYSu+aFVa5V9HJ344opMMUZ8t+DVsqs/x5YXFLa9xALwEBhcY2zlVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UQjrMNPToZ69hd0Y8Z4TsZd9fkat0iIzKkoF7h79FQk=; b=PWmXl59HPV6ppZxYcCX7qjL/oLw86tEISCGzTmsOG74FVsVt3iBFnQ5WtMy0/zC4I1FKAUXBINXVFdJQZ8xpnxYV6mudf5HmCSXcHM4/2R/RSnmHk0ZfddQmBKk+YXNKZOBbj+ERrr8AO/keatp0pC0i33wRv9KTJP/Z8NbAUPO8RqyFeC5hWcsgUsVbIY9Yayh05SDEuiF2B/2T+tYgcP/0sCWF1q8e6PD+hUc9VhGcI6XBsQMu2j9Efnv0UBS/iTsbfmzUiZ6MKULHAeMobZiPMzcBJg7hCBwknyDAStgwS8ny46F+hOPUEsR+mEwRj31OrZHn2BzdneGA5L+cyQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ami.com; dmarc=pass action=none header.from=ami.com; dkim=pass header.d=ami.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ami.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UQjrMNPToZ69hd0Y8Z4TsZd9fkat0iIzKkoF7h79FQk=; b=BFiZc70yNWFHpmvUVJ+8xKsVgYD2BSqGC89AHKJHTuL46exrAv1wCViM9ZXP+mtxBRXNLMmxJyajGiVLE4nSfA4gwrxOVZgQa2szUTtKSET0Q35iT4YHuVxa4jY/fwFiH5jWoEKdBVe29cedvmS8llxOWd/jRninmVxobpM+r/Q= Received: from BLAPR10MB5185.namprd10.prod.outlook.com (2603:10b6:208:328::16) by DS7PR10MB7322.namprd10.prod.outlook.com (2603:10b6:8:e5::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.41; Tue, 28 Mar 2023 14:48:25 +0000 Received: from BLAPR10MB5185.namprd10.prod.outlook.com ([fe80::f4f0:b5eb:8103:b782]) by BLAPR10MB5185.namprd10.prod.outlook.com ([fe80::f4f0:b5eb:8103:b782%3]) with mapi id 15.20.6222.030; Tue, 28 Mar 2023 14:48:24 +0000 From: "Igor Kulchytskyy" To: Nickle Wang , "devel@edk2.groups.io" CC: Abner Chang , Nick Ramirez Subject: Re: [PATCH v3] RedfishPkg/RedfishPlatformCredentialIpmiLib: IPMI implementation Thread-Topic: [EXTERNAL] [PATCH v3] RedfishPkg/RedfishPlatformCredentialIpmiLib: IPMI implementation Thread-Index: AQHZYRaOop/h/avewk+bbR5QaYgLuq8QRRjA Date: Tue, 28 Mar 2023 14:48:24 +0000 Message-ID: References: <20230328014208.48-1-nicklew@nvidia.com> In-Reply-To: <20230328014208.48-1-nicklew@nvidia.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ami.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: BLAPR10MB5185:EE_|DS7PR10MB7322:EE_ x-ms-office365-filtering-correlation-id: cdc876dd-1b15-4190-5f7a-08db2f9b7bda x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 8YzJLucSoRO+pnyjrNhNF7X5Cv5go0Ukv3Ok9MxVEXYiFOdRlGN2r1ulFqoK1GgTwfgq9AauEvcWQP5mXNzFGtYlS3Zj9WAZ15SdNc6bA749Ez0l8wqJuUrIXmnIbY9ofrpxMyNVfY3Grlduv2I9w5I+gBMSf1t08bPL4XwABoklDen4rirD1C1cQyr83UcIZ4oZARzOaC10ctapqCI9sqDjVp3HdX+/MfGPn86kRoiTr3MhAzDjdDiuU19m6TP1irkAPGyrHKZlb34IoAlopGZLPaRioQv7ROHlW08tGRBfO96Zu/pg/jJNjs2NGV1ODVHWGWjTKqSVa6Z55V1QWCAWXBILkYG6ueppumHSOywBqO51fY7j+VPT36aWV/W3YYS5EjDZorzfyoorQ/r53iXSxKwAS5OqxSQrw2c/t8dTU6nAFRESEcJZzxuBYJ1naAve0FxuTgLBIJu/EF8AsL+1lix1UQ35flr13IbUcBB6q7JAvzKUF5REuMqC0ixJWWlT9DFiJaCpGtVADL/wg4pRX3TzycpiezYM7QH0WR41GZbn+tpauxOUmWec0Zu5oun1xIJ/maQnM0cJycSHhFigNm+bjWkJ4Bog/aNQ8oTCaAe+JsJWkbNHia/mVrzb x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BLAPR10MB5185.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(4636009)(366004)(376002)(136003)(39850400004)(396003)(346002)(451199021)(7696005)(45080400002)(478600001)(71200400001)(186003)(6506007)(54906003)(26005)(52536014)(8936002)(316002)(53546011)(9686003)(5660300002)(41300700001)(30864003)(83380400001)(2906002)(110136005)(4326008)(38070700005)(38100700002)(122000001)(33656002)(66446008)(66946007)(40140700001)(8676002)(76116006)(66476007)(66556008)(64756008)(86362001)(55016003)(213903007)(559001)(579004);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?T2b1r9q9cr4mKVVGBpCjxl52jf6HE9zuQ/GE23f7xmjYPcH0XLh80slCSOAk?= =?us-ascii?Q?0WMBd/yXBGINYrVezuLZ3cNXPGr/tSef8ecoWeBD+siyARWF/VZqoKBcynlV?= =?us-ascii?Q?e+J9YH7GuaNvM3rNDn2RBeJWKur9vtQzPa93nKAZe0DXfl9iyznaqEfVN0eY?= =?us-ascii?Q?q2lkmgCKM0lT/uLAjDNrJS51g3tIXOhC1jYq37V4hD5HjXfvxSJtGHYqHb8z?= =?us-ascii?Q?KII4qt9rZSgKrqQXJo2Ww5I74/2zbssVJAu9uyTuPFHCfxf9J0bb5Afja/Xo?= =?us-ascii?Q?f+RqKd3nt3K80s0w4oTdpuJwwrcgAxS+DA4jSGi7WKm5HDl+loV66ygrAQ03?= =?us-ascii?Q?hDSC2q5GuGRnKc/vvguQ3h8Gpn7fZl4mHinEpHSt0TYVkSjm5MNDXmPCZvN6?= =?us-ascii?Q?uljBWhfx46As5wLLenD10XilaSntEI2ZaXpzYyzPTbubsVFyILIRUhLjImxd?= =?us-ascii?Q?rn78oDDrWEtYW1inYFQk0+cLOCDYyK9uUHDVPFBXbOZfkye00/IDZZtt7nVz?= =?us-ascii?Q?fVs+U9hJqdl8E0juPNP2gc3LnnwNDWdpkjLBUoDSq2Vlr0kmsFKMVZVLb6wf?= =?us-ascii?Q?rb1duU7s8WBGlcLiKdZUqAbD4hA47+HfflORDAwprWU0XYZCk+UlWuqXsIvK?= =?us-ascii?Q?Lmy2mDEqlK+3Z6oMeXWHU/rjLa8sq+903POAafEc4mqrp55DOtcbZ6RZWLH8?= =?us-ascii?Q?z+447cs/UfzRJTgye1HevvoinZ/NsG9GOMy6P99UkdwyzrT0cMjoqzBLhDxA?= =?us-ascii?Q?MyLOybJyxqu4jF4eWCP23BA4BKdjWO6isCr/5lbBpUxp2xfZxSESRvBrP14S?= =?us-ascii?Q?uQO4JTS619o2h8IC/Lr65HoKj5XvNv0inNmHRP3GFtRIRAJkXOyNKRLbf6Rv?= =?us-ascii?Q?FfNn8DKkS+5Qg9uvWiVeuhIv/Leyuueh8EyxOJCojFXol2rybVLJZgv4274U?= =?us-ascii?Q?Zhkaoo8A1oELZMkbfpaWm3KixNIgzyRaxvGVT49NWpz1/gb5HTQacDnkr2yV?= =?us-ascii?Q?ItgiqVYXeu2xWufFl+w2h7/f/ICaXzfSYYoGfY4Cwv8OlS3X1WLoUpR0Cx2J?= =?us-ascii?Q?lyx5PtD5dbvHFgoBR/vkczTUyzml+w9IwEyByEagIBjzhhH/TE5BpiaGgmEJ?= =?us-ascii?Q?2glzNYICLXYjsxZVxk5xghaf4O+hYaaTm5rD4ifqjfJU/H//JeCRVLVq0BBv?= =?us-ascii?Q?SK9bSff4BMU8b6M8DoZAXUSG8XHVLn29feSUOf2IXxStP3A57Wygzo0eK9tG?= =?us-ascii?Q?TQkaGCVTPalxNsnbIb1CyPEHaSBb0ux/k7NfejFubEqwuazCQZaUJ7QCtXqc?= =?us-ascii?Q?mKG6FQVfQX4/VCI6MDf4sBC2yDH0W8LMKgp82uY6fFjVaCc5xrhPq8hOKfbP?= =?us-ascii?Q?UmyakP1JdXEH+DfpB8iiMV29znfFWnMN0bRmCQMhm9zco6iCpu84H4csEPaO?= =?us-ascii?Q?ODF2ZdBFWmShIQWbOYpvNXZzWykDx9MaVRU3+k42GtoEV0RXbIKoBgqH0kkQ?= =?us-ascii?Q?E5xv3D42KPNjMuVRvkSgpg4XNkCqaa6AZP5OZ97MpXU17zIzkjFaNcKVAf50?= =?us-ascii?Q?l/YB8KMZKg4oTSR+J3U=3D?= MIME-Version: 1.0 X-OriginatorOrg: ami.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BLAPR10MB5185.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: cdc876dd-1b15-4190-5f7a-08db2f9b7bda X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2023 14:48:24.6877 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 27e97857-e15f-486c-b58e-86c2b3040f93 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 9QUAwkAqVCjlnz8QOJYjrxjNj2Y3z7sVrflv0OLjmcwVilhdnaDLFbpKQDCRuBBW X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR10MB7322 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Nickle, It looks good except one small question I would like to raise. Please check my comment below. Thank you, Igor -----Original Message----- From: Nickle Wang Sent: Monday, March 27, 2023 9:42 PM To: devel@edk2.groups.io Cc: Abner Chang ; Igor Kulchytskyy ; Ni= ck Ramirez Subject: [EXTERNAL] [PATCH v3] RedfishPkg/RedfishPlatformCredentialIpmiLib:= IPMI implementation **CAUTION: The e-mail below is from an external source. Please exercise cau= tion before opening attachments, clicking links, or following guidance.** This library follows Redfish Host Interface specification and use IPMI command to get bootstrap account credential(NetFn 2Ch, Command 02h) from BMC. RedfishHostInterfaceDxe will use this credential for the following communication between BIOS and BMC. Signed-off-by: Nickle Wang Cc: Abner Chang Cc: Igor Kulchytskyy Cc: Nick Ramirez --- RedfishPkg/RedfishPkg.dec | 7 + RedfishPkg/RedfishLibs.dsc.inc | 1 + RedfishPkg/RedfishPkg.dsc | 2 + .../RedfishPlatformCredentialIpmiLib.inf | 42 ++ .../RedfishPlatformCredentialIpmiLib.h | 89 ++++ .../RedfishPlatformCredentialIpmiLib.c | 457 ++++++++++++++++++ 6 files changed, 598 insertions(+) create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/Red= fishPlatformCredentialIpmiLib.inf create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/Red= fishPlatformCredentialIpmiLib.h create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/Red= fishPlatformCredentialIpmiLib.c diff --git a/RedfishPkg/RedfishPkg.dec b/RedfishPkg/RedfishPkg.dec index 42d28d6dac..f171053aec 100644 --- a/RedfishPkg/RedfishPkg.dec +++ b/RedfishPkg/RedfishPkg.dec @@ -81,6 +81,9 @@ [Guids] gEfiRedfishPkgTokenSpaceGuid =3D { 0x4fdbccb7, 0xe829, 0x4b4c, { 0x= 88, 0x87, 0xb2, 0x3f, 0xd7, 0x25, 0x4b, 0x85 }} + # Redfish variable guid + gEfiRedfishVariableGuid =3D { 0x85ef8dd3, 0xe606, 0x4b89, { 0x= 8b, 0xbd, 0x93, 0xbf, 0x5c, 0xbe, 0x1c, 0x18 } } + [PcdsFixedAtBuild, PcdsPatchableInModule] # # This PCD is the UEFI device path which is used as the Redfish host int= erface. @@ -123,3 +126,7 @@ # specification for that. # gEfiRedfishPkgTokenSpaceGuid.PcdRedfishServiceUuid|L"00000000-0000-0000-= 0000-000000000000"|VOID*|0x00001006 + # + # This PCD indicates that if BMC bootstrap credential service will be di= sabled by BIOS or not. + # + gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDisableBootstrapCredentialService= |FALSE|BOOLEAN|0x00001007 diff --git a/RedfishPkg/RedfishLibs.dsc.inc b/RedfishPkg/RedfishLibs.dsc.in= c index 84f52d4b27..110526738c 100644 --- a/RedfishPkg/RedfishLibs.dsc.inc +++ b/RedfishPkg/RedfishLibs.dsc.inc @@ -19,5 +19,6 @@ JsonLib|RedfishPkg/Library/JsonLib/JsonLib.inf RedfishLib|RedfishPkg/PrivateLibrary/RedfishLib/RedfishLib.inf RedfishDebugLib|RedfishPkg/Library/RedfishDebugLib/RedfishDebugLib.inf + RedfishPlatformCredentialLib|RedfishPkg/Library/RedfishPlatformCredentia= lIpmiLib/RedfishPlatformCredentialIpmiLib.inf !endif diff --git a/RedfishPkg/RedfishPkg.dsc b/RedfishPkg/RedfishPkg.dsc index 223ab72c1d..5503e65de4 100644 --- a/RedfishPkg/RedfishPkg.dsc +++ b/RedfishPkg/RedfishPkg.dsc @@ -4,6 +4,7 @@ # Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.
# (C) Copyright 2021 Hewlett-Packard Enterprise Development LP. # Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved. +# Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved= . # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -59,6 +60,7 @@ RedfishPkg/Library/PlatformHostInterfaceLibNull/PlatformHostInterfaceLib= Null.inf RedfishPkg/Library/PlatformHostInterfaceBmcUsbNicLib/PlatformHostInterfa= ceBmcUsbNicLib.inf RedfishPkg/Library/PlatformCredentialLibNull/PlatformCredentialLibNull.i= nf + RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPlatformCrede= ntialIpmiLib.inf RedfishPkg/Library/RedfishContentCodingLibNull/RedfishContentCodingLibNu= ll.inf RedfishPkg/Library/DxeRestExLib/DxeRestExLib.inf RedfishPkg/Library/BaseUcs2Utf8Lib/BaseUcs2Utf8Lib.inf diff --git a/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPla= tformCredentialIpmiLib.inf b/RedfishPkg/Library/RedfishPlatformCredentialIp= miLib/RedfishPlatformCredentialIpmiLib.inf new file mode 100644 index 0000000000..5c20ea22f8 --- /dev/null +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPlatformCr= edentialIpmiLib.inf @@ -0,0 +1,42 @@ +## @file +# INF file for RedfishPlatformCredentialIpmiLib. +# +# Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All rights res= erved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x0001000b + BASE_NAME =3D RedfishPlatformCredentialIpmiLib + FILE_GUID =3D 9C45D622-4C66-417F-814C-F76246D97233 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D RedfishPlatformCredentialIpmiLib + +[Sources] + RedfishPlatformCredentialIpmiLib.c + RedfishPlatformCredentialIpmiLib.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + RedfishPkg/RedfishPkg.dec + +[LibraryClasses] + UefiLib + DebugLib + IpmiLib + MemoryAllocationLib + BaseMemoryLib + UefiRuntimeServicesTableLib + +[Pcd] + gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDisableBootstrapCredentialService + +[Guids] + gEfiRedfishVariableGuid + +[Depex] + TRUE diff --git a/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPla= tformCredentialIpmiLib.h b/RedfishPkg/Library/RedfishPlatformCredentialIpmi= Lib/RedfishPlatformCredentialIpmiLib.h new file mode 100644 index 0000000000..898ee88844 --- /dev/null +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPlatformCr= edentialIpmiLib.h @@ -0,0 +1,89 @@ +/** @file + Header file for RedfishPlatformCredentialIpmiLib. + + Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All rights rese= rved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef REDFISH_PLATFORM_CREDENTIAL_IPMI_LIB_H_ +#define REDFISH_PLATFORM_CREDENTIAL_IPMI_LIB_H_ + +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#define CREDENTIAL_VARIABLE_NAME L"Partstooblaitnederc" + +/// +/// The bootstrap credential keeping in UEFI variable +/// +typedef struct { + CHAR8 Username[USERNAME_MAX_SIZE]; + CHAR8 Password[PASSWORD_MAX_SIZE]; +} BOOTSTRAP_CREDENTIALS_VARIABLE; + +/** + Function to retrieve temporary user credentials for the UEFI redfish cli= ent. This function can + also disable bootstrap credential service in BMC. + + @param[in] DisableBootstrapControl TRUE - Tell the BMC to disable th= e bootstrap credential + service to ensure no one e= lse gains credentials + FALSE Allow the bootstrap creden= tial service to continue + @param[in,out] BootstrapUsername A pointer to a Ascii encoded stri= ng for the credential username + When DisableBootstrapControl is T= RUE, this pointer can be NULL + @param[in] BootstrapUsernameSize The size of BootstrapUsername inc= luding NULL terminator in bytes. + Per specification, the size is US= ERNAME_MAX_SIZE. + @param[in,out] BootstrapPassword A pointer to a Ascii encoded stri= ng for the credential password + When DisableBootstrapControl is T= RUE, this pointer can be NULL + @param[in] BootstrapPasswordSize The size of BootstrapPassword inc= luding NULL terminator in bytes. + Per specification, the size is PA= SSWORD_MAX_SIZE. + + @retval EFI_SUCCESS Credentials were successfully fetche= d and returned. When DisableBootstrapControl + is set to TRUE, the bootstrap creden= tial service is disabled successfully. + @retval EFI_INVALID_PARAMETER BootstrapUsername or BootstrapPasswo= rd is NULL when DisableBootstrapControl + is set to FALSE. BootstrapUsernameSi= ze or BootstrapPasswordSize is incorrect when + DisableBootstrapControl is set to FA= LSE. + @retval EFI_DEVICE_ERROR An IPMI failure occurred +**/ +EFI_STATUS +GetBootstrapAccountCredentials ( + IN BOOLEAN DisableBootstrapControl, + IN OUT CHAR8 *BootstrapUsername, OPTIONAL + IN UINTN BootstrapUsernameSize, + IN OUT CHAR8 *BootstrapPassword, OPTIONAL + IN UINTN BootstrapPasswordSize + ); + +/** + Function to save temporary user credentials into boot time variable. Whe= n DeleteVariable is True, + this function delete boot time variable. + + @param[in] BootstrapUsername A pointer to a Ascii encoded string f= or the credential username. + @param[in] BootstrapPassword A pointer to a Ascii encoded string f= or the credential password. + @param[in] DeleteVariable True to remove boot time variable. Fa= lse otherwise. + + @retval EFI_SUCCESS Credentials were successfully saved. + @retval EFI_INVALID_PARAMETER BootstrapUsername or BootstrapPasswo= rd is NULL + @retval Others Error occurs +**/ +EFI_STATUS +SetBootstrapAccountCredentialsToVariable ( + IN CHAR8 *BootstrapUsername, OPTIONAL + IN CHAR8 *BootstrapPassword, OPTIONAL + IN BOOLEAN DeleteVariable + ); + +#endif diff --git a/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPla= tformCredentialIpmiLib.c b/RedfishPkg/Library/RedfishPlatformCredentialIpmi= Lib/RedfishPlatformCredentialIpmiLib.c new file mode 100644 index 0000000000..7fccf1795d --- /dev/null +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmiLib/RedfishPlatformCr= edentialIpmiLib.c @@ -0,0 +1,457 @@ +/** @file + Implementation of getting bootstrap credential via IPMI. + + Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All rights rese= rved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + - Redfish Host Interface Specification + (https://nam12.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww= .dmtf.org%2Fsites%2Fdefault%2Ffiles%2Fstandards%2Fdocuments%2FDSP0270_1.3.0= .pdf&data=3D05%7C01%7Cigork%40ami.com%7C161990c6849e4c32d2fa08db2f2daecc%7C= 27e97857e15f486cb58e86c2b3040f93%7C1%7C1%7C638155645493575932%7CUnknown%7CT= WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%= 3D%7C3000%7C%7C%7C&sdata=3DuFc4G56EXmukiU9OxabYXBkwmJnxr8C5J6gcBXZYnoI%3D&r= eserved=3D0) +**/ + +#include "RedfishPlatformCredentialIpmiLib.h" + +// +// Global flag of controlling credential service +// +BOOLEAN mRedfishServiceStopped =3D FALSE; + +/** + Notify the Redfish service provide to stop provide configuration service= to this platform. + + This function should be called when the platform is about to leave the s= afe environment. + It will notify the Redfish service provider to abort all login session, = and prohibit + further login with original auth info. GetAuthInfo() will return EFI_UNS= UPPORTED once this + function is returned. + + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PRO= TOCOL instance. + @param[in] ServiceStopType Reason of stopping Redfish service. + + @retval EFI_SUCCESS Service has been stoped successfully. + @retval EFI_INVALID_PARAMETER This is NULL. + @retval Others Some error happened. + +**/ +EFI_STATUS +EFIAPI +LibStopRedfishService ( + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, + IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType + ) +{ + EFI_STATUS Status; + + if ((ServiceStopType <=3D ServiceStopTypeNone) || (ServiceStopType >=3D = ServiceStopTypeMax)) { + return EFI_INVALID_PARAMETER; + } + + // + // Only stop credential service after leaving BIOS + // + if (ServiceStopType !=3D ServiceStopTypeExitBootService) { + return EFI_UNSUPPORTED; + } + + // + // Raise flag first + // + mRedfishServiceStopped =3D TRUE; + + // + // Delete cached variable + // + Status =3D SetBootstrapAccountCredentialsToVariable (NULL, NULL, TRUE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: fail to remove bootstrap credential: %r\n", = __FUNCTION__, Status)); + } + + DEBUG ((DEBUG_INFO, "%a: bootstrap credential service stopped\n", __FUNC= TION__)); + + return EFI_SUCCESS; +} + +/** + Notification of Exit Boot Service. + + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. +**/ +VOID +EFIAPI +LibCredentialExitBootServicesNotify ( + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This + ) +{ + // + // Stop the credential support when system is about to enter OS. + // + LibStopRedfishService (This, ServiceStopTypeExitBootService); +} + +/** + Notification of End of DXe. + + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. +**/ +VOID +EFIAPI +LibCredentialEndOfDxeNotify ( + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This + ) +{ + // + // Do nothing now. + // We can stop credential support when system reach end-of-dxe for secur= ity reason. + // +} + +/** + Function to retrieve temporary user credentials for the UEFI redfish cli= ent. This function can + also disable bootstrap credential service in BMC. + + @param[in] DisableBootstrapControl TRUE - Tell the BMC to disable th= e bootstrap credential + service to ensure no one e= lse gains credentials + FALSE Allow the bootstrap creden= tial service to continue + @param[in,out] BootstrapUsername A pointer to a Ascii encoded stri= ng for the credential username + When DisableBootstrapControl is T= RUE, this pointer can be NULL + @param[in] BootstrapUsernameSize The size of BootstrapUsername inc= luding NULL terminator in bytes. + Per specification, the size is US= ERNAME_MAX_SIZE. + @param[in,out] BootstrapPassword A pointer to a Ascii encoded stri= ng for the credential password + When DisableBootstrapControl is T= RUE, this pointer can be NULL + @param[in] BootstrapPasswordSize The size of BootstrapPassword inc= luding NULL terminator in bytes. + Per specification, the size is PA= SSWORD_MAX_SIZE. + + @retval EFI_SUCCESS Credentials were successfully fetche= d and returned. When DisableBootstrapControl + is set to TRUE, the bootstrap creden= tial service is disabled successfully. + @retval EFI_INVALID_PARAMETER BootstrapUsername or BootstrapPasswo= rd is NULL when DisableBootstrapControl + is set to FALSE. BootstrapUsernameSi= ze or BootstrapPasswordSize is incorrect when + DisableBootstrapControl is set to FA= LSE. + @retval EFI_DEVICE_ERROR An IPMI failure occurred +**/ +EFI_STATUS +GetBootstrapAccountCredentials ( + IN BOOLEAN DisableBootstrapControl, + IN OUT CHAR8 *BootstrapUsername, OPTIONAL + IN UINTN BootstrapUsernameSize, + IN OUT CHAR8 *BootstrapPassword, OPTIONAL + IN UINTN BootstrapPasswordSize + ) +{ + EFI_STATUS Status; + IPMI_BOOTSTRAP_CREDENTIALS_COMMAND_DATA CommandData; + IPMI_BOOTSTRAP_CREDENTIALS_RESULT_RESPONSE ResponseData; + UINT32 ResponseSize; + + // + // NULL buffer check + // + if (!DisableBootstrapControl && ((BootstrapUsername =3D=3D NULL) || (Boo= tstrapPassword =3D=3D NULL))) { + return EFI_INVALID_PARAMETER; + } + + if ((BootstrapUsernameSize !=3D USERNAME_MAX_SIZE) || (BootstrapPassword= Size !=3D PASSWORD_MAX_SIZE)) { + return EFI_INVALID_PARAMETER; + } + + DEBUG ((DEBUG_VERBOSE, "%a: Disable bootstrap control: 0x%x\n", __FUNCTI= ON__, DisableBootstrapControl)); + + // + // IPMI callout to NetFn 2C, command 02 + // Request data: + // Byte 1: REDFISH_IPMI_GROUP_EXTENSION + // Byte 2: DisableBootstrapControl + // + CommandData.GroupExtensionId =3D REDFISH_IPMI_GROUP_EXTENSION; + CommandData.DisableBootstrapControl =3D (DisableBootstrapControl ? REDFI= SH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE : REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_EN= ABLE); + + ResponseSize =3D sizeof (ResponseData); + + // + // Response data: + // Byte 1 : Completion code + // Byte 2 : REDFISH_IPMI_GROUP_EXTENSION + // Byte 3-18 : Username + // Byte 19-34: Password + // + Status =3D IpmiSubmitCommand ( + IPMI_NETFN_GROUP_EXT, + REDFISH_IPMI_GET_BOOTSTRAP_CREDENTIALS_CMD, + (UINT8 *)&CommandData, + sizeof (CommandData), + (UINT8 *)&ResponseData, + &ResponseSize + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: IPMI transaction failure. Returning\n", __FU= NCTION__)); + return Status; + } else { + if (ResponseData.CompletionCode !=3D IPMI_COMP_CODE_NORMAL) { + if (ResponseData.CompletionCode =3D=3D REDFISH_IPMI_COMP_CODE_BOOTST= RAP_CREDENTIAL_DISABLED) { + DEBUG ((DEBUG_ERROR, "%a: bootstrap credential support was disable= d\n", __FUNCTION__)); + return EFI_ACCESS_DENIED; + } + + DEBUG ((DEBUG_ERROR, "%a: Completion code =3D 0x%x. Returning\n", __= FUNCTION__, ResponseData.CompletionCode)); + return EFI_PROTOCOL_ERROR; + } else if (ResponseData.GroupExtensionId !=3D REDFISH_IPMI_GROUP_EXTEN= SION) { + DEBUG ((DEBUG_ERROR, "%a: Group Extension Response =3D 0x%x. Returni= ng\n", __FUNCTION__, ResponseData.GroupExtensionId)); + return EFI_DEVICE_ERROR; + } else { + if (BootstrapUsername !=3D NULL) { + CopyMem (BootstrapUsername, ResponseData.Username, USERNAME_MAX_LE= NGTH); + // + // Manually append null-terminator in case 16 characters username = returned. + // + BootstrapUsername[USERNAME_MAX_LENGTH] =3D '\0'; + } + + if (BootstrapPassword !=3D NULL) { + CopyMem (BootstrapPassword, ResponseData.Password, PASSWORD_MAX_LE= NGTH); + // + // Manually append null-terminator in case 16 characters password = returned. + // + BootstrapPassword[PASSWORD_MAX_LENGTH] =3D '\0'; + } + } + } + + DEBUG ((DEBUG_INFO, "%a: get bootstrap credential via IPMI: %r\n", __FUN= CTION__, Status)); + + return Status; +} + +/** + Function to retrieve temporary user credentials from cached boot time va= riable. + + @param[in,out] BootstrapUsername A pointer to a Ascii encoded string= for the credential username. + @param[in] BootstrapUsernameSize The size of BootstrapUsername inclu= ding NULL terminator in bytes. + Per specification, the size is USER= NAME_MAX_SIZE. + @param[in,out] BootstrapPassword A pointer to a Ascii encoded string= for the credential password. + @param[in] BootstrapPasswordSize The size of BootstrapPassword inclu= ding NULL terminator in bytes. + Per specification, the size is PASS= WORD_MAX_SIZE. + + @retval EFI_SUCCESS Credentials were successfully fetche= d and returned. + @retval EFI_INVALID_PARAMETER BootstrapUsername or BootstrapPasswo= rd is NULL. + BootstrapUsernameSize or BootstrapPa= sswordSize is incorrect. + @retval EFI_NOT_FOUND No variable found for account and cr= edentials. +**/ +EFI_STATUS +GetBootstrapAccountCredentialsFromVariable ( + IN OUT CHAR8 *BootstrapUsername, + IN UINTN BootstrapUsernameSize, + IN OUT CHAR8 *BootstrapPassword, + IN UINTN BootstrapPasswordSize + ) +{ + EFI_STATUS Status; + BOOTSTRAP_CREDENTIALS_VARIABLE *CredentialVariable; + VOID *Data; + UINTN DataSize; + + if ((BootstrapUsername =3D=3D NULL) || (BootstrapPassword =3D=3D NULL)) = { + return EFI_INVALID_PARAMETER; + } + + if ((BootstrapUsernameSize !=3D USERNAME_MAX_SIZE) || (BootstrapPassword= Size !=3D PASSWORD_MAX_SIZE)) { + return EFI_INVALID_PARAMETER; + } + + DataSize =3D 0; + Status =3D GetVariable2 ( + CREDENTIAL_VARIABLE_NAME, + &gEfiRedfishVariableGuid, + (VOID *)&Data, + &DataSize + ); + if (EFI_ERROR (Status)) { + return EFI_NOT_FOUND; + } + + if (DataSize !=3D sizeof (BOOTSTRAP_CREDENTIALS_VARIABLE)) { + DEBUG ((DEBUG_ERROR, "%a: data corruption. returned size: %d !=3D stru= cture size: %d\n", __FUNCTION__, DataSize, sizeof (BOOTSTRAP_CREDENTIALS_VA= RIABLE))); Igor: Since we get here when Status is success, then "Data" buffer will be = allocated in that case. Should we free that buffer before return? + return EFI_NOT_FOUND; + } + + CredentialVariable =3D (BOOTSTRAP_CREDENTIALS_VARIABLE *)Data; + + AsciiStrCpyS (BootstrapUsername, USERNAME_MAX_SIZE, CredentialVariable->= Username); + AsciiStrCpyS (BootstrapPassword, PASSWORD_MAX_SIZE, CredentialVariable->= Password); + + ZeroMem (CredentialVariable->Username, USERNAME_MAX_SIZE); + ZeroMem (CredentialVariable->Password, PASSWORD_MAX_SIZE); + + FreePool (Data); + + DEBUG ((DEBUG_INFO, "%a: get bootstrap credential from variable\n", __FU= NCTION__)); + + return EFI_SUCCESS; +} + +/** + Function to save temporary user credentials into boot time variable. Whe= n DeleteVariable is True, + this function delete boot time variable. + + @param[in] BootstrapUsername A pointer to a Ascii encoded string f= or the credential username. + @param[in] BootstrapPassword A pointer to a Ascii encoded string f= or the credential password. + @param[in] DeleteVariable True to remove boot time variable. Fa= lse otherwise. + + @retval EFI_SUCCESS Credentials were successfully saved. + @retval EFI_INVALID_PARAMETER BootstrapUsername or BootstrapPasswo= rd is NULL + @retval Others Error occurs +**/ +EFI_STATUS +SetBootstrapAccountCredentialsToVariable ( + IN CHAR8 *BootstrapUsername, OPTIONAL + IN CHAR8 *BootstrapPassword, OPTIONAL + IN BOOLEAN DeleteVariable + ) +{ + EFI_STATUS Status; + BOOTSTRAP_CREDENTIALS_VARIABLE CredentialVariable; + VOID *Data; + + if (!DeleteVariable && ((BootstrapUsername =3D=3D NULL) || (BootstrapUse= rname[0] =3D=3D '\0'))) { + return EFI_INVALID_PARAMETER; + } + + if (!DeleteVariable && ((BootstrapPassword =3D=3D NULL) || (BootstrapPas= sword[0] =3D=3D '\0'))) { + return EFI_INVALID_PARAMETER; + } + + // + // Delete variable + // + Status =3D GetVariable2 ( + CREDENTIAL_VARIABLE_NAME, + &gEfiRedfishVariableGuid, + (VOID *)&Data, + NULL + ); + if (!EFI_ERROR (Status)) { + FreePool (Data); + gRT->SetVariable ( + CREDENTIAL_VARIABLE_NAME, + &gEfiRedfishVariableGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, + NULL + ); + } + + // + // This is request to delete credentials. We are done. + // + if (DeleteVariable) { + return EFI_SUCCESS; + } + + ZeroMem (CredentialVariable.Username, USERNAME_MAX_SIZE); + ZeroMem (CredentialVariable.Password, PASSWORD_MAX_SIZE); + + AsciiStrCpyS (CredentialVariable.Username, USERNAME_MAX_SIZE, BootstrapU= sername); + AsciiStrCpyS (CredentialVariable.Password, PASSWORD_MAX_SIZE, BootstrapP= assword); + + Status =3D gRT->SetVariable ( + CREDENTIAL_VARIABLE_NAME, + &gEfiRedfishVariableGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof (BOOTSTRAP_CREDENTIALS_VARIABLE), + (VOID *)&CredentialVariable + ); + + ZeroMem (CredentialVariable.Username, USERNAME_MAX_SIZE); + ZeroMem (CredentialVariable.Password, PASSWORD_MAX_SIZE); + + return Status; +} + +/** + Retrieve platform's Redfish authentication information. + + This functions returns the Redfish authentication method together with t= he user Id and + password. + - For AuthMethodNone, the UserId and Password could be used for HTTP hea= der authentication + as defined by RFC7235. + - For AuthMethodRedfishSession, the UserId and Password could be used fo= r Redfish + session login as defined by Redfish API specification (DSP0266). + + Callers are responsible for and freeing the returned string storage. + + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PRO= TOCOL instance. + @param[out] AuthMethod Type of Redfish authentication method. + @param[out] UserId The pointer to store the returned UserI= d string. + @param[out] Password The pointer to store the returned Passw= ord string. + + @retval EFI_SUCCESS Get the authentication information succ= essfully. + @retval EFI_ACCESS_DENIED SecureBoot is disabled after EndOfDxe. + @retval EFI_INVALID_PARAMETER This or AuthMethod or UserId or Passwor= d is NULL. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources. + @retval EFI_UNSUPPORTED Unsupported authentication method is fo= und. + +**/ +EFI_STATUS +EFIAPI +LibCredentialGetAuthInfo ( + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, + OUT EDKII_REDFISH_AUTH_METHOD *AuthMethod, + OUT CHAR8 **UserId, + OUT CHAR8 **Password + ) +{ + EFI_STATUS Status; + BOOLEAN DisableCredentialService; + + if ((AuthMethod =3D=3D NULL) || (UserId =3D=3D NULL) || (Password =3D=3D= NULL)) { + return EFI_INVALID_PARAMETER; + } + + *UserId =3D NULL; + *Password =3D NULL; + DisableCredentialService =3D PcdGetBool (PcdRedfishDisableBootstrapCrede= ntialService); + + if (mRedfishServiceStopped) { + DEBUG ((DEBUG_ERROR, "%a: credential service is stopped due to securit= y reason\n", __FUNCTION__)); + return EFI_ACCESS_DENIED; + } + + *AuthMethod =3D AuthMethodHttpBasic; + + *UserId =3D AllocateZeroPool (sizeof (CHAR8) * USERNAME_MAX_SIZE); + if (*UserId =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + *Password =3D AllocateZeroPool (sizeof (CHAR8) * PASSWORD_MAX_SIZE); + if (*Password =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Get bootstrap credential from variable first + // + Status =3D GetBootstrapAccountCredentialsFromVariable (*UserId, USERNAME= _MAX_SIZE, *Password, PASSWORD_MAX_SIZE); + if (!EFI_ERROR (Status)) { + return EFI_SUCCESS; + } + + // + // Make a IPMI query + // + Status =3D GetBootstrapAccountCredentials (DisableCredentialService, *Us= erId, USERNAME_MAX_SIZE, *Password, PASSWORD_MAX_SIZE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: fail to get bootstrap credential: %r\n", __F= UNCTION__, Status)); + return Status; + } + + if (DisableCredentialService) { + DEBUG ((DEBUG_INFO, "%a: credential bootstrapping control disabled\n",= __FUNCTION__)); + } + + Status =3D SetBootstrapAccountCredentialsToVariable (*UserId, *Password,= FALSE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: fail to cache bootstrap credential: %r\n", _= _FUNCTION__, Status)); + } + + return EFI_SUCCESS; +} -- 2.40.0.windows.1 -The information contained in this message may be confidential and propriet= ary to American Megatrends (AMI). This communication is intended to be read= only by the individual or entity to whom it is addressed or by their desig= nee. If the reader of this message is not the intended recipient, you are o= n notice that any distribution of this message, in any form, is strictly pr= ohibited. Please promptly notify the sender by reply e-mail or by telephone= at 770-246-8600, and then delete or destroy all copies of the transmission= .