From: "Nickle Wang"
To: "devel@edk2.groups.io", "igork@ami.com", "abner.chang@amd.com"
CC: Nick Ramirez
Subject: Re: [edk2-devel] [PATCH] RedfishPkg/RedfishPlatformCredentialLib: IPMI implementation
Date: Thu, 27 Oct 2022 13:25:47 +0000
References: <20221020025434.29969-1-nicklew@nvidia.com>
Hi Igor,

Thank you for your help to review my changes.

> And it will be blocked by our IPMI call.

I see your point. So, BIOS should never be the one to shut down the credential service, because BIOS always gets executed prior to the OS, right?

> Should it be configured with some PCD? Maybe user may select in Setup what method should be used? Or it could be build time configuration?

I made the assumptions below while I implemented the library. I admit this is not always true.

No Auth: I think this is a rare case for a Redfish service, which gives anonymous privilege to change BIOS settings.

Basic Auth: this is the authentication method which uses username and password to build a base64 encoded string.

Session Auth: I assume that the client must have a session token first and then use this authentication method. Can we use username and password to generate a session token on our own? If my memory serves me correctly, the client has to do a login with username and password first, and then the client can receive a session token from the server.

If we really would like to know what authentication method the Redfish service uses, we can issue an HTTP query to "/redfish/v1/Systems" with "No Auth". Then we can know what authentication method is required by reading the "WWW-Authenticate" field in the returned HTTP header.

Thanks,
Nickle
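The probe Nickle proposes above, reading the WWW-Authenticate challenge from an unauthenticated request, as an added C example; this is not code from the patch, from RedfishPkg, or from any participant. ProbeAuthMethod, ParseStatusCode, the PROBE_AUTH_* enum and the three sample responses are this example's own constructs; it only classifies a response that has already been received and sends nothing. It handles the two things a naive substring search gets wrong: header names and scheme tokens are case-insensitive, and a quoted realm may itself contain commas or the word "Basic".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Example-only classification; the real library returns EDKII_REDFISH_AUTH_METHOD. */
typedef enum {
  PROBE_AUTH_NONE,    /* unauthenticated request succeeded (2xx) */
  PROBE_AUTH_BASIC,   /* 401 carrying a WWW-Authenticate: Basic challenge */
  PROBE_AUTH_UNKNOWN  /* 401 without a Basic challenge, or another status */
} PROBE_AUTH_METHOD;

/* Case-insensitive "does s[0..n) start with prefix" (RFC 7235 tokens). */
static int PrefixIgnoreCase(const char *s, size_t n, const char *prefix) {
  size_t plen = strlen(prefix);
  if (n < plen) return 0;
  for (size_t i = 0; i < plen; i++) {
    if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i])) return 0;
  }
  return 1;
}

/* Returns the 3-digit status code from the status line, or -1 if malformed. */
int ParseStatusCode(const char *response) {
  if (strncmp(response, "HTTP/", 5) != 0) return -1;
  const char *sp = strchr(response, ' ');
  if (sp == NULL) return -1;
  int code = 0;
  for (int i = 1; i <= 3; i++) {
    if (!isdigit((unsigned char)sp[i])) return -1;
    code = code * 10 + (sp[i] - '0');
  }
  return code;
}

/* Scans one WWW-Authenticate value for a "Basic" scheme token. Challenges are
 * comma separated; quoted strings are skipped so a realm such as "Basic,x"
 * cannot be mistaken for a scheme, and only tokens in scheme position (start
 * of the value or right after a separating comma) are considered. */
static int ValueOffersBasic(const char *v, size_t n) {
  int in_quotes = 0, at_token_start = 1;
  for (size_t i = 0; i < n; i++) {
    char c = v[i];
    if (in_quotes) {
      if (c == '\\' && i + 1 < n) i++;       /* skip the escaped character */
      else if (c == '"') in_quotes = 0;
      continue;
    }
    if (c == '"') { in_quotes = 1; continue; }
    if (c == ',') { at_token_start = 1; continue; }
    if (isspace((unsigned char)c)) continue;
    if (at_token_start) {
      /* PrefixIgnoreCase guarantees i + 5 <= n before v[i + 5] is read. */
      if (PrefixIgnoreCase(v + i, n - i, "Basic") &&
          (i + 5 == n || isspace((unsigned char)v[i + 5]) || v[i + 5] == ',')) return 1;
      at_token_start = 0;
    }
  }
  return 0;
}

/* Classifies a raw HTTP response (status line + CRLF-separated headers). */
PROBE_AUTH_METHOD ProbeAuthMethod(const char *response) {
  int code = ParseStatusCode(response);
  if (code >= 200 && code < 300) return PROBE_AUTH_NONE;
  if (code != 401) return PROBE_AUTH_UNKNOWN;

  static const char kName[] = "WWW-Authenticate:";
  const size_t kNameLen = sizeof(kName) - 1;
  const char *line = strstr(response, "\r\n");
  while (line != NULL) {
    line += 2;                                                   /* next header */
    if (*line == '\0' || strncmp(line, "\r\n", 2) == 0) break;   /* end of headers */
    const char *eol = strstr(line, "\r\n");
    size_t len = eol != NULL ? (size_t)(eol - line) : strlen(line);
    if (PrefixIgnoreCase(line, len, kName) &&
        ValueOffersBasic(line + kNameLen, len - kNameLen)) return PROBE_AUTH_BASIC;
    line = eol;
  }
  return PROBE_AUTH_UNKNOWN;
}

/* Constructed sample responses (not captured from any real BMC). */
const char kResponseBasic[] =
  "HTTP/1.1 401 Unauthorized\r\n"
  "Server: example-bmc\r\n"
  "WWW-Authenticate: Basic realm=\"Redfish\"\r\n"
  "Content-Length: 0\r\n\r\n";
const char kResponseOpen[] =
  "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}";
const char kResponseBearerOnly[] =
  "HTTP/1.1 401 Unauthorized\r\n"
  "www-authenticate: Bearer realm=\"Basic,trap\"\r\n\r\n";

int main(void) {
  static const char *kNames[] = { "None", "Basic", "Unknown" };
  printf("%s\n", kNames[ProbeAuthMethod(kResponseBasic)]);       /* Basic */
  printf("%s\n", kNames[ProbeAuthMethod(kResponseOpen)]);        /* None */
  printf("%s\n", kNames[ProbeAuthMethod(kResponseBearerOnly)]);  /* Unknown */
  return 0;
}
```

A 2xx answer to the unauthenticated request is the "No Auth" case; a 401 that advertises only a non-Basic scheme is reported as unknown rather than silently mapped to Basic, so the caller can fall back to a configured method instead of sending bootstrap credentials in a form the service did not ask for.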
-----Original Message-----
From: devel@edk2.groups.io On Behalf Of Igor Kulchytskyy via groups.io
Sent: Wednesday, October 26, 2022 11:26 PM
To: Nickle Wang; devel@edk2.groups.io; abner.chang@amd.com
Cc: Nick Ramirez
Subject: Re: [edk2-devel] [PATCH] RedfishPkg/RedfishPlatformCredentialLib: IPMI implementation

Hi Nickle,

I would like to discuss the DisableBootstrapControl flag and how it is used in our implementation.
According to the Redfish HI specification we can use this flag to disable credential bootstrapping control.
It can be disabled permanently or till the next reboot of the host or service. That depends on the EnableAfterReset setting on the BMC side:

    CredentialBootstrapping (v1.3+) { object
        The credential bootstrapping settings for this interface.
        EnableAfterReset (v1.3+)   Boolean   read-write (null)   An indication of whether credential bootstrapping is enabled after a reset for this interface.
        Enabled (v1.3+)            Boolean   read-write (null)   An indication of whether credential bootstrapping is enabled for this interface.
        RoleId (v1.3+)             string    read-write          The role used for the bootstrap account created for this interface.
    }

So, if EnableAfterReset is set to false, that means the BMC will respond with a 0x80 error and will not return any credentials after reboot. And BIOS to BMC communication will fail.

Another concern with disabling credential bootstrapping control is that we do it on the Exit Boot event before passing control to the OS.
But the OS may also need to communicate with the BMC through the Redfish Host Interface to post some information. And it will be blocked by our IPMI call.
We create that SMBIOS Type 42 table with Redfish Host Interface settings which can be used by the OS to communicate with the BMC. But without the credentials it will not be possible.
Another question is the AuthMethod parameter you initialize in this library:

    *AuthMethod = AuthMethodHttpBasic;

According to the Redfish HI specification 3 methods may be used: No Auth, Basic Auth and Session Auth.
Basic Auth and Session Auth methods require the credentials to be used by BIOS. And both of them should be supported by the BMC.
And your high level function RedfishCreateLibredfishService also supports creation of a Basic or Session Auth service.
I'm not sure why a low level library which is created to get credentials from the BMC should decide what authentication method should be used?
Should it be configured with some PCD? Maybe user may select in Setup what method should be used? Or it could be build time configuration?

Thank you,
Igor

-----Original Message-----
From: Nickle Wang
Sent: Tuesday, October 25, 2022 4:24 AM
To: devel@edk2.groups.io; abner.chang@amd.com
Cc: Nick Ramirez; Igor Kulchytskyy
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] RedfishPkg/RedfishPlatformCredentialLib: IPMI implementation

Thanks for your review comments, Abner! I will update a new version of the patch later. The CI build error will be handled together.

> please add Igor as reviewer too

Sure!

> + *UserId = AllocateZeroPool (sizeof (CHAR8) * USERNAME_MAX_SIZE); if
> [Chang, Abner]
> Allocation memory with the size (USERNAME_MAX_LENGTH + 1) for both BootUsername and BootstrapPassword? Because the maximum number of characters defined in the spec is USERNAME_MAX_LENGTH for the user/password.

Yes, the additional one byte is for the NULL terminator. USERNAME_MAX_LENGTH is defined as 16 and follows the host interface specification.

Regards,
Nickle
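The BIOS, BMC and OS sequence Igor describes above (fetch during DXE, disable at ExitBootServices, the OS refused with 0x80, and the next boot governed by EnableAfterReset), as an added C example that is not code from the patch or from the edk2 project. The constant names are taken from the patch; FAKE_BMC, FakeBmcHandle, FakeBmcReset and the two sample credential strings are constructed stand-ins for the BMC, and treating any Disable Bootstrap Control byte other than 0xA5 as a disable request is an assumption drawn from the patch's ENABLE/DISABLE names, not from the schema text quoted in the mail. The host-side function also carries the response-size check and the 16+1 NUL termination that Abner and Nickle discuss.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the patch; "anything but 0xA5 disables" is this example's assumption. */
#define REDFISH_IPMI_GROUP_EXTENSION                         0x52
#define REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE             0xA5
#define REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE            0x00
#define REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED 0x80
#define IPMI_COMP_CODE_NORMAL                                0x00
#define USERNAME_MAX_LENGTH 16
#define PASSWORD_MAX_LENGTH 16

#pragma pack(push, 1)
typedef struct { uint8_t GroupExtensionId; uint8_t DisableBootstrapControl; } BOOTSTRAP_REQUEST;
typedef struct {
  uint8_t CompletionCode;
  uint8_t GroupExtensionId;
  char    Username[USERNAME_MAX_LENGTH];   /* fixed width, not NUL-terminated on the wire */
  char    Password[PASSWORD_MAX_LENGTH];
} BOOTSTRAP_RESPONSE;
#pragma pack(pop)

/* Constructed BMC stand-in holding the CredentialBootstrapping state Igor quotes. */
typedef struct { int Enabled; int EnableAfterReset; } FAKE_BMC;

/* Answers NetFn 2Ch / Cmd 02h; returns the number of response bytes produced. */
static size_t FakeBmcHandle(FAKE_BMC *bmc, const BOOTSTRAP_REQUEST *req, BOOTSTRAP_RESPONSE *rsp) {
  memset(rsp, 0, sizeof *rsp);
  rsp->GroupExtensionId = REDFISH_IPMI_GROUP_EXTENSION;
  if (req->GroupExtensionId != REDFISH_IPMI_GROUP_EXTENSION) {
    rsp->CompletionCode = 0xCC;              /* invalid data field in request */
    return 2;
  }
  if (!bmc->Enabled) {                       /* already disabled: 0x80 and no credential bytes */
    rsp->CompletionCode = REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED;
    return 2;
  }
  rsp->CompletionCode = IPMI_COMP_CODE_NORMAL;
  memcpy(rsp->Username, "bootstrapuser123", USERNAME_MAX_LENGTH);  /* constructed sample */
  memcpy(rsp->Password, "S3cr3t-Passw0rd!", PASSWORD_MAX_LENGTH);  /* constructed sample */
  if (req->DisableBootstrapControl != REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE) bmc->Enabled = 0;
  return sizeof *rsp;
}

/* A reset re-enables bootstrapping only when EnableAfterReset is true. */
static void FakeBmcReset(FAKE_BMC *bmc) { bmc->Enabled = bmc->EnableAfterReset; }

typedef enum { CRED_OK, CRED_ACCESS_DENIED, CRED_PROTOCOL_ERROR, CRED_DEVICE_ERROR } CRED_STATUS;

/* Host side: validate the reply before trusting any byte of it, then copy the
 * 16-byte fields into 17-byte NUL-terminated buffers. user/pass may be NULL
 * when the call is only meant to disable bootstrapping. */
CRED_STATUS GetBootstrapCredentials(FAKE_BMC *bmc, int disable, char *user, char *pass) {
  BOOTSTRAP_REQUEST  req = { REDFISH_IPMI_GROUP_EXTENSION,
                             disable ? REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE
                                     : REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE };
  BOOTSTRAP_RESPONSE rsp;
  CRED_STATUS        st;

  memset(&rsp, 0, sizeof rsp);               /* never read stale stack bytes */
  size_t n = FakeBmcHandle(bmc, &req, &rsp);
  if (n < 1) {
    st = CRED_DEVICE_ERROR;
  } else if (rsp.CompletionCode == REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED) {
    st = CRED_ACCESS_DENIED;
  } else if (rsp.CompletionCode != IPMI_COMP_CODE_NORMAL) {
    st = CRED_PROTOCOL_ERROR;
  } else if (n != sizeof rsp || rsp.GroupExtensionId != REDFISH_IPMI_GROUP_EXTENSION) {
    st = CRED_DEVICE_ERROR;                  /* short or foreign reply: copy nothing */
  } else {
    st = CRED_OK;
    if (user) { memcpy(user, rsp.Username, USERNAME_MAX_LENGTH); user[USERNAME_MAX_LENGTH] = '\0'; }
    if (pass) { memcpy(pass, rsp.Password, PASSWORD_MAX_LENGTH); pass[PASSWORD_MAX_LENGTH] = '\0'; }
  }
  /* Scrub the stack copy; production code needs a zeroing call the compiler
   * cannot elide (explicit_bzero, SecureZeroMemory, or edk2's ZeroMem). */
  memset(&rsp, 0, sizeof rsp);
  return st;
}

/* Replays the thread's scenario and returns either the OS-side status or the
 * status of the next BIOS boot after a platform reset. */
static CRED_STATUS Replay(int enable_after_reset, int want_next_boot) {
  FAKE_BMC bmc = { 1, enable_after_reset };
  char user[USERNAME_MAX_LENGTH + 1], pass[PASSWORD_MAX_LENGTH + 1];
  GetBootstrapCredentials(&bmc, 0, user, pass);                    /* BIOS during DXE */
  GetBootstrapCredentials(&bmc, 1, NULL, NULL);                    /* LibStopRedfishService */
  CRED_STATUS os = GetBootstrapCredentials(&bmc, 0, user, pass);   /* OS via host interface */
  FakeBmcReset(&bmc);
  CRED_STATUS next = GetBootstrapCredentials(&bmc, 0, user, pass); /* next BIOS boot */
  return want_next_boot ? next : os;
}
CRED_STATUS OsStatusAfterBiosDisabled(int enable_after_reset) { return Replay(enable_after_reset, 0); }
CRED_STATUS BiosStatusOnNextBoot(int enable_after_reset)     { return Replay(enable_after_reset, 1); }

/* 1 if a normal fetch yields the 16-char constructed sample, NUL-terminated. */
int FetchedCredentialsMatchSample(void) {
  FAKE_BMC bmc = { 1, 1 };
  char user[USERNAME_MAX_LENGTH + 1], pass[PASSWORD_MAX_LENGTH + 1];
  if (GetBootstrapCredentials(&bmc, 0, user, pass) != CRED_OK) return 0;
  return strcmp(user, "bootstrapuser123") == 0 && strlen(pass) == PASSWORD_MAX_LENGTH;
}

int main(void) {
  printf("EnableAfterReset=true : OS=%d next boot=%d\n", OsStatusAfterBiosDisabled(1), BiosStatusOnNextBoot(1));
  printf("EnableAfterReset=false: OS=%d next boot=%d\n", OsStatusAfterBiosDisabled(0), BiosStatusOnNextBoot(0));
  return 0;
}
```

With EnableAfterReset true the OS is refused (1, CRED_ACCESS_DENIED) but the next boot recovers (0, CRED_OK); with it false the refusal persists across the reset, which is the failure Igor warns about. The host-side check order matters: the 0x80 completion code is recognised from a two-byte reply before the size check runs, so a legitimately short "disabled" response is reported as access denied rather than as a malformed reply.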
-----Original Message-----
From: devel@edk2.groups.io On Behalf Of Chang, Abner via groups.io
Sent: Saturday, October 22, 2022 3:01 PM
To: Nickle Wang; devel@edk2.groups.io
Cc: Nick Ramirez; Igor Kulchytskyy
Subject: Re: [edk2-devel] [PATCH] RedfishPkg/RedfishPlatformCredentialLib: IPMI implementation

Hi Nickle, please add Igor as reviewer too. My comments are below,

> -----Original Message-----
> From: Nickle Wang
> Sent: Thursday, October 20, 2022 10:55 AM
> To: devel@edk2.groups.io
> Cc: Chang, Abner; Nick Ramirez
> Subject: [PATCH] RedfishPkg/RedfishPlatformCredentialLib: IPMI implementation
>
> This library follows Redfish Host Interface specification and use IPMI
> command to get bootstrap account credential(NetFn 2Ch, Command 02h) from BMC.
> RedfishHostInterfaceDxe will use this credential for the following
> communication between BIOS and BMC.
>
> Cc: Abner Chang
> Cc: Nick Ramirez
> Signed-off-by: Nickle Wang
> ---
>  .../RedfishPlatformCredentialLib.c   | 273 ++++++++++++++++++
>  .../RedfishPlatformCredentialLib.h   |  75 +++++
>  .../RedfishPlatformCredentialLib.inf |  37 +++
[Chang, Abner]
Could we name this library RedfishPlatformCredentialIpmi so the naming style is consistent with RedfishPlatformCredentialNull?
>  3 files changed, 385 insertions(+)
>  create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c
>  create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.h
>  create mode 100644 RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.inf
> > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.c > b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.c > new file mode 100644 > index 0000000000..23a15ab1fa > --- /dev/null > +++ b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformC > +++ re > +++ dentialLib.c 
> @@ -0,0 +1,273 @@ > +/** @file > +* > +* Copyright (c) 2022 NVIDIA CORPORATION & AFFILIATES. All rights reserv= ed. > +* > +* SPDX-License-Identifier: BSD-2-Clause-Patent [Chang, Abner] We can have "@par Revision Reference:" in the file header to point out the= spec. https://nam12.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.dmt= f.org%2Fsites%2Fdefault%2Ffiles%2Fstandards%2Fdocuments%2FDSP0270_1.3.0.pdf= &data=3D05%7C01%7Cigork%40ami.com%7Cebc4dc0526a34fad9c1108dab662388d%7C= 27e97857e15f486cb58e86c2b3040f93%7C1%7C1%7C638022830242966537%7CUnknown%7CT= WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%= 3D%7C3000%7C%7C%7C&sdata=3DywFQL6E7TjNtBuos89mYh4TtlUCa4QWd3uEByRsRU8c%= 3D&reserved=3D0 > +* > +**/ > + > +#include "RedfishPlatformCredentialLib.h" > + > +// > +// Global flag of controlling credential service // BOOLEAN=20 > +mRedfishServiceStopped =3D FALSE; > + > +/** > + Notify the Redfish service provide to stop provide configuration=20 > +service to this > platform. > + > + This function should be called when the platfrom is about to leave=20 > + the safe > environment. > + It will notify the Redfish service provider to abort all logined=20 > + session, and prohibit further login with original auth info. > + GetAuthInfo() will return EFI_UNSUPPORTED once this function is return= ed. > + > + @param[in] This Pointer to > EDKII_REDFISH_CREDENTIAL_PROTOCOL instance. > + @param[in] ServiceStopType Reason of stopping Redfish service. > + > + @retval EFI_SUCCESS Service has been stoped successfully. > + @retval EFI_INVALID_PARAMETER This is NULL. > + @retval Others Some error happened. 
> + > +**/ > +EFI_STATUS > +EFIAPI > +LibStopRedfishService ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, > + IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType > + ) > +{ > + EFI_STATUS Status; > + > + if ((ServiceStopType <=3D ServiceStopTypeNone) || (ServiceStopType >= =3D > ServiceStopTypeMax)) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // Raise flag first > + // > + mRedfishServiceStopped =3D TRUE; > + > + // > + // Notify BMC to disable credential bootstrapping support. > + // > + Status =3D GetBootstrapAccountCredentials (TRUE, NULL, NULL); if=20 > + (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to disable bootstrap credential: > + %r\n", > __FUNCTION__, Status)); > + return Status; > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + Notification of Exit Boot Service. > + > + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. > +**/ > +VOID > +EFIAPI > +LibCredentialExitBootServicesNotify ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This > + ) > +{ > + // > + // Stop the credential support when system is about to enter OS. > + // > + LibStopRedfishService (This, ServiceStopTypeExitBootService); } > + > +/** > + Notification of End of DXe. > + > + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. > +**/ > +VOID > +EFIAPI > +LibCredentialEndOfDxeNotify ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This > + ) > +{ > + // > + // Do nothing now. > + // We can stop credential support when system reach end-of-dxe for=20 > +security > reason. > + // > +} > + > +/** > + Function to retrieve temporary use credentials for the UEFI redfish=20 > +client [Chang, Abner] We miss the functionality to disable bootstrap credential service in the fu= nction description. 
> + > + @param[in] DisableBootstrapControl > + TRUE - Tell the BMC to disable the= bootstrap credential > + service to ensure no one el= se gains credentials > + FALSE Allow the bootstrap=20 > + credential service to continue @param[out] BootstrapUsername > + A pointer to a UTF-8 encoded=20 > + string for the credential > username > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @param[out] BootstrapPassword > + A pointer to a UTF-8 encoded=20 > + string for the credential > password > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @retval EFI_SUCCESS Credentials were successfully fetc= hed and > returned > + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL when DisableBootstrapControl > + is set to FALSE > + @retval EFI_DEVICE_ERROR An IPMI failure occurred [Chang, Abner] The return status should also include the status of disabling bootstrap cre= dential. > +**/ > +EFI_STATUS > +GetBootstrapAccountCredentials ( > + IN BOOLEAN DisableBootstrapControl, > + IN OUT CHAR8 *BootstrapUsername, OPTIONAL > + IN OUT CHAR8 *BootstrapPassword OPTIONAL > + ) > +{ > + EFI_STATUS Status; > + IPMI_BOOTSTRAP_CREDENTIALS_COMMAND_DATA CommandData; > + IPMI_BOOTSTRAP_CREDENTIALS_RESULT_RESPONSE ResponseData; > + UINT32 ResponseSize; > + > + if (!PcdGetBool (PcdIpmiFeatureEnable)) { > + DEBUG ((DEBUG_ERROR, "%a: IPMI is not enabled! 
Unable to fetch=20 > + Redfish > credentials\n", __FUNCTION__)); > + return EFI_UNSUPPORTED; > + } > + > + // > + // NULL buffer check > + // > + if (!DisableBootstrapControl && ((BootstrapUsername =3D=3D NULL) || > (BootstrapPassword =3D=3D NULL))) { > + return EFI_INVALID_PARAMETER; > + } > + > + DEBUG ((DEBUG_VERBOSE, "%a: Disable bootstrap control: 0x%x\n",=20 > + __FUNCTION__, DisableBootstrapControl)); > + > + // > + // IPMI callout to NetFn 2C, command 02 > + // Request data: > + // Byte 1: REDFISH_IPMI_GROUP_EXTENSION > + // Byte 2: DisableBootstrapControl > + // > + CommandData.GroupExtensionId =3D REDFISH_IPMI_GROUP_EXTENSION; > + CommandData.DisableBootstrapControl =3D (DisableBootstrapControl ? > + REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE : > + REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE); > + > + ResponseSize =3D sizeof (ResponseData); > + > + // > + // Response data: > + // Byte 1 : Completion code > + // Byte 2 : REDFISH_IPMI_GROUP_EXTENSION > + // Byte 3-18 : Username > + // Byte 19-34: Password > + // > + Status =3D IpmiSubmitCommand ( > + IPMI_NETFN_GROUP_EXT, > + REDFISH_IPMI_GET_BOOTSTRAP_CREDENTIALS_CMD, > + (UINT8 *)&CommandData, > + sizeof (CommandData), > + (UINT8 *)&ResponseData, > + &ResponseSize > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: IPMI transaction failure. Returning\n", > __FUNCTION__)); > + ASSERT_EFI_ERROR (Status); > + return Status; > + } else { > + if (ResponseData.CompletionCode !=3D IPMI_COMP_CODE_NORMAL) { > + if (ResponseData.CompletionCode =3D=3D > REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED) { > + DEBUG ((DEBUG_ERROR, "%a: bootstrap credential support was > disabled\n", __FUNCTION__)); > + return EFI_ACCESS_DENIED; > + } > + > + DEBUG ((DEBUG_ERROR, "%a: Completion code =3D 0x%x. 
Returning\n", > __FUNCTION__, ResponseData.CompletionCode)); > + return EFI_PROTOCOL_ERROR; > + } else if (ResponseData.GroupExtensionId !=3D > REDFISH_IPMI_GROUP_EXTENSION) { > + DEBUG ((DEBUG_ERROR, "%a: Group Extension Response =3D 0x%x. > Returning\n", __FUNCTION__, ResponseData.GroupExtensionId)); > + return EFI_DEVICE_ERROR; > + } else { > + if (BootstrapUsername !=3D NULL) { > + CopyMem (BootstrapUsername, ResponseData.Username, > USERNAME_MAX_LENGTH); > + // > + // Manually append null-terminator in case 16 characters=20 > + username > returned. > + // > + BootstrapUsername[USERNAME_MAX_LENGTH] =3D '\0'; > + } > + > + if (BootstrapPassword !=3D NULL) { > + CopyMem (BootstrapPassword, ResponseData.Password, > PASSWORD_MAX_LENGTH); > + // > + // Manually append null-terminator in case 16 characters=20 > + password > returned. > + // > + BootstrapPassword[PASSWORD_MAX_LENGTH] =3D '\0'; > + } > + } > + } > + > + return Status; > +} > + > +/** > + Retrieve platform's Redfish authentication information. > + > + This functions returns the Redfish authentication method together=20 > + with the user Id and password. > + - For AuthMethodNone, the UserId and Password could be used for=20 > + HTTP > header authentication > + as defined by RFC7235. > + - For AuthMethodRedfishSession, the UserId and Password could be=20 > + used for > Redfish > + session login as defined by Redfish API specification (DSP0266). > + > + Callers are responsible for and freeing the returned string storage. > + > + @param[in] This Pointer to > EDKII_REDFISH_CREDENTIAL_PROTOCOL instance. > + @param[out] AuthMethod Type of Redfish authentication method= . > + @param[out] UserId The pointer to store the returned Use= rId string. > + @param[out] Password The pointer to store the returned Pas= sword > string. > + > + @retval EFI_SUCCESS Get the authentication information su= ccessfully. > + @retval EFI_ACCESS_DENIED SecureBoot is disabled after EndOfDxe= . 
> + @retval EFI_INVALID_PARAMETER This or AuthMethod or UserId or > Password is NULL. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources= . > + @retval EFI_UNSUPPORTED Unsupported authentication method is > found. > + > +**/ > +EFI_STATUS > +EFIAPI > +LibCredentialGetAuthInfo ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, > + OUT EDKII_REDFISH_AUTH_METHOD *AuthMethod, > + OUT CHAR8 **UserId, > + OUT CHAR8 **Password > + ) > +{ > + EFI_STATUS Status; > + > + if ((AuthMethod =3D=3D NULL) || (UserId =3D=3D NULL) || (Password =3D= =3D NULL)) { > + return EFI_INVALID_PARAMETER; > + } > + > + *UserId =3D NULL; > + *Password =3D NULL; > + > + if (mRedfishServiceStopped) { > + DEBUG ((DEBUG_ERROR, "%a: credential service is stopped due to=20 > + security > reason\n", __FUNCTION__)); > + return EFI_ACCESS_DENIED; > + } > + > + *AuthMethod =3D AuthMethodHttpBasic; > + > + *UserId =3D AllocateZeroPool (sizeof (CHAR8) * USERNAME_MAX_SIZE); if [Chang, Abner] Allocation memory with the size (USERNAME_MAX_LENGTH + 1) for both BootUse= rname and BootstrapPassword? Because the maximum number of characters def= ined in the spec is USERNAME_MAX_LENGTH for the user/password. > + (*UserId =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + *Password =3D AllocateZeroPool (sizeof (CHAR8) * PASSWORD_MAX_SIZE);= =20 > + if (*Password =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + Status =3D GetBootstrapAccountCredentials (FALSE, *UserId,=20 > + *Password); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to get bootstrap credential: > + %r\n", > __FUNCTION__, Status)); > + return Status; > + } > + > + return EFI_SUCCESS; > +} > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.h > b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.h > new file mode 100644 > index 0000000000..5b448e01be > --- /dev/null 
> +++ b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformC > +++ re > +++ dentialLib.h 
> @@ -0,0 +1,75 @@ > +/** @file > +* > +* Copyright (c) 2022 NVIDIA CORPORATION & AFFILIATES. All rights reserv= ed. > +* > +* SPDX-License-Identifier: BSD-2-Clause-Patent > +* > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include #include=20 > + > + > +#define REDFISH_IPMI_GROUP_EXTENSION 0x52 > +#define REDFISH_IPMI_GET_BOOTSTRAP_CREDENTIALS_CMD 0x02 > +#define REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE 0xA5 > +#define REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE 0x00 > +#define REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED > 0x80 > + > +// > +// Per Redfish Host Interface Specification 1.3, The maximum lenght=20 > +of // username and password is 16 characters long. > +// > +#define USERNAME_MAX_LENGTH 16 > +#define PASSWORD_MAX_LENGTH 16 > +#define USERNAME_MAX_SIZE (USERNAME_MAX_LENGTH + 1) // NULL > terminator > +#define PASSWORD_MAX_SIZE (PASSWORD_MAX_LENGTH + 1) // NULL > terminator > + > +#pragma pack(1) > +/// > +/// The definition of IPMI command to get bootstrap account=20 > +credentials /// typedef struct { > + UINT8 GroupExtensionId; > + UINT8 DisableBootstrapControl; > +} IPMI_BOOTSTRAP_CREDENTIALS_COMMAND_DATA; > + > +/// > +/// The response data of getting bootstrap credential /// typedef=20 > +struct { > + UINT8 CompletionCode; > + UINT8 GroupExtensionId; > + CHAR8 Username[USERNAME_MAX_LENGTH]; > + CHAR8 Password[PASSWORD_MAX_LENGTH]; > +} IPMI_BOOTSTRAP_CREDENTIALS_RESULT_RESPONSE; > + > +#pragma pack() > + > +/** > + Function to retrieve temporary use credentials for the UEFI redfish=20 > +client [Chang, Abner] We miss the functionality to disable bootstrap credential service in the fu= nction description. 
> + > + @param[in] DisableBootstrapControl > + TRUE - Tell the BMC to disable the= bootstrap credential > + service to ensure no one el= se gains credentials > + FALSE Allow the bootstrap=20 > + credential service to continue @param[out] BootstrapUsername > + A pointer to a UTF-8 encoded=20 > + string for the credential username > + > + @param[out] BootstrapPassword > + A pointer to a UTF-8 encoded=20 > + string for the credential password > + > + @retval EFI_SUCCESS Credentials were successfully fetc= hed and > returned [Chang, Abner] Or the bootstrap credential service is disabled successfully, right? > + @retval EFI_DEVICE_ERROR An IPMI failure occurred > +**/ > +EFI_STATUS > +GetBootstrapAccountCredentials ( > + IN BOOLEAN DisableBootstrapControl, > + IN OUT CHAR8 *BootstrapUsername, > + IN OUT CHAR8 *BootstrapPassword > + ); > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.inf > b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCrede > ntialLi > b.inf > new file mode 100644 > index 0000000000..a990d28363 > --- /dev/null > +++ b/RedfishPkg/Library/RedfishPlatformCredentialLib/RedfishPlatformC > +++ re > +++ dentialLib.inf 
> @@ -0,0 +1,37 @@ > +## @file > +# > +# Copyright (c) 2022 NVIDIA CORPORATION & AFFILIATES. All rights reserve= d. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION =3D 0x0001000b > + BASE_NAME =3D RedfishPlatformCredentialLib > + FILE_GUID =3D 9C45D622-4C66-417F-814C-F76246D9723= 3 > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D RedfishPlatformCredentialLib > + > +[Sources] > + RedfishPlatformCredentialLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + RedfishPkg/RedfishPkg.dec > + IpmiFeaturePkg/IpmiFeaturePkg.dec [Chang, Abner] Could you please add a comment to the reference of IpmiFeaturePkg? We have= to give customers a notice that the dependence of "edk2-platforms/Features= /Intel/OutOfBandManagement/". They have to add the path to PACKAGES_PATH. Y= ou also have to skip this dependence in the RedfishPkg.yaml to avoid the CI= error. Another thing is I propose to move out IpmiFeaturePkg from edk2-platforms/F= eatures/Intel/OutOfBandManagement to edk2-platforms/Features/ManageabilityP= kg that also provides the implementation of PLDM/MCTP/IPMI/KCS. I had an = initial talk with IpmiFeaturePkg owner and get the positive response on thi= s proposal. I will kick off the discussion on the dev mailing list. That is= to say this module may need a little bit change later, however that is goo= d to me having this implementation now. Thanks Abner > + > +[LibraryClasses] > + UefiLib > + DebugLib > + IpmiBaseLib > + MemoryAllocationLib > + BaseMemoryLib > + > +[Pcd] > + gIpmiFeaturePkgTokenSpaceGuid.PcdIpmiFeatureEnable > + > +[Depex] > + TRUE > -- > 2.17.1
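Review bot: In GetBootstrapAccountCredentials (the RedfishPlatformCredentialLib.c hunk), ResponseSize is set to sizeof (ResponseData) before IpmiSubmitCommand but is never examined afterwards, and ResponseData is an uninitialized stack variable, so a short or truncated reply from the BMC leaves Username/Password holding stale stack bytes that the two CopyMem calls then hand to the caller as credentials; suggest `ZeroMem (&ResponseData, sizeof (ResponseData));` before the call and, on the normal-completion path, `if (ResponseSize != sizeof (ResponseData)) { return EFI_DEVICE_ERROR; }` before copying, plus a ZeroMem of ResponseData after the copy so the bootstrap password does not stay on the stack. The `ASSERT_EFI_ERROR (Status)` on an IPMI transport failure also looks wrong for a runtime condition such as an absent or unresponsive BMC, since it halts DEBUG builds. In LibCredentialGetAuthInfo, the error returns after `*UserId = AllocateZeroPool (...)` leak: when the Password allocation or GetBootstrapAccountCredentials fails, the function returns an error while *UserId (and *Password) still point at pool buffers the caller has no reason to free; free them and reset both out-pointers to NULL on those paths. The @retval list for the same function also omits EFI_UNSUPPORTED, EFI_ACCESS_DENIED and EFI_PROTOCOL_ERROR, which the code does return.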
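Review bot: The GetBootstrapAccountCredentials prototype in the RedfishPlatformCredentialLib.h hunk does not match the definition in the .c hunk: the definition marks BootstrapUsername and BootstrapPassword as OPTIONAL and its comment states they may be NULL when DisableBootstrapControl is TRUE, while the header declares them without OPTIONAL and its comment drops that sentence. Keep the two in sync, and since the function only writes to these buffers, `OUT` rather than `IN OUT` describes them accurately. The header also has no include guard (`#ifndef REDFISH_PLATFORM_CREDENTIAL_LIB_H_` / `#define` / `#endif`), and the comment above USERNAME_MAX_LENGTH misspells "length" as "lenght".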
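Review bot: [LibraryClasses] in the RedfishPlatformCredentialLib.inf hunk lists UefiLib, DebugLib, IpmiBaseLib, MemoryAllocationLib and BaseMemoryLib but not PcdLib, although the .c hunk calls `PcdGetBool (PcdIpmiFeatureEnable)`; declare PcdLib explicitly rather than relying on another library class pulling it in. A `[Depex]` section with `TRUE` is also unusual in a library INF, since the consuming driver's depex governs dispatch; consider dropping it unless it is intentional.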