From: "Nickle Wang"
To: "Chang, Abner", "devel@edk2.groups.io"
CC: Igor Kulchytskyy, Nick Ramirez
Subject: Re: [PATCH] RedfishPkg/RedfishPlatformCredentialIpmiLib: IPMI implementation
Date: Thu, 9 Mar 2023 05:48:38 +0000
References: <20230308072048.354-1-nicklew@nvidia.com>

Hi Abner,

Thanks for your review.

>> + //
>> + // Get bootstrap credential from variable first // Status =3D=20
>> + GetBootstrapAccountCredentialsFromVariable (*UserId, *Password); if=20
>> + (!EFI_ERROR (Status)) {
>> + return EFI_SUCCESS;
>> + }
> I think the process should keep going if the error status is EFI_NOT_FOUND? Besides this, all others look fine to me.

This function returns EFI_SUCCESS when we can get credentials from variable. If it failed (including EFI_NOT_FOUND), the process will move forward and get credentials via IPMI command.

> BTW, how about the conclusions we had in the previous discussion? Which is to probe "/redfish/v1/Systems" to get the supported authentication method? Is this idea valid?

This must be done in RedfishCredentialDxe driver. I will create a separate patch to address this comment.

Regards,
Nickle

-----Original Message-----
From: Chang, Abner
Sent: Thursday, March 9, 2023 1:23 PM
To: Nickle Wang; devel@edk2.groups.io
Cc: Igor Kulchytskyy; Nick Ramirez
Subject: RE: [PATCH] RedfishPkg/RedfishPlatformCredentialIpmiLib: IPMI implementation

Hi Nickle,

My comments are below,

> -----Original Message-----
> From: Nickle Wang > Sent: Wednesday, March 8, 2023 3:21 PM > To: devel@edk2.groups.io > Cc: Chang, Abner ; Igor Kulchytskyy=20 > ; Nick Ramirez > Subject: [PATCH] RedfishPkg/RedfishPlatformCredentialIpmiLib: IPMI=20 > implementation > > Caution: This message originated from an External Source. Use proper=20 > caution when opening attachments, clicking links, or responding. > > > This library follows Redfish Host Interface specification and use IPMI=20 > command to get bootstrap account credential(NetFn 2Ch, Command 02h)=20 > from BMC. RedfishHostInterfaceDxe will use this credential for the=20 > following communication between BIOS and BMC. > > Signed-off-by: Nickle Wang > Cc: Abner Chang > Cc: Igor Kulchytskyy > Cc: Nick Ramirez > --- > .../RedfishPlatformCredentialIpmiLib.c | 443 ++++++++++++++++++ > .../RedfishPlatformCredentialIpmiLib.h | 86 ++++ > .../RedfishPlatformCredentialIpmiLib.inf | 42 ++ > RedfishPkg/RedfishPkg.dec | 7 + > RedfishPkg/RedfishPkg.dsc | 2 + > 5 files changed, 580 insertions(+) > create mode 100644 > RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCreden > ti > alIpmiLib.c > create mode 100644 > RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCreden > ti > alIpmiLib.h > create mode 100644 > RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCreden > ti > alIpmiLib.inf > > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.c > b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.c > new file mode 100644 > index 0000000000..2706b8508b > --- /dev/null > +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatform > +++ Cr > +++ edentialIpmiLib.c 
> @@ -0,0 +1,443 @@ > +/** @file > + Implementation of getting bootstrap credential via IPMI. > + > + Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All rights > reserved. > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > + @par Specification Reference: > + - Redfish Host Interface Specification > + > +(https://nam11.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fww > +w.dmtf.org%2Fsites%2Fdefault%2Ffiles%2Fstandards%2Fdocuments%2FDSP027 > +0&data=3D05%7C01%7Cnicklew%40nvidia.com%7C623e0d3c9ed04505bb0e08db205e5 > +bc6%7C43083d15727340c1b7db39efd9ccc17a%7C0%7C0%7C638139361867841554%7 > +CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik > +1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3DSHkhXpaxboVMDDWipEgzgNg5TN > +54lzWAs8Xn%2F8T1cNk%3D&reserved=3D0 > _1 > +.3.0.pdf) > +**/ > + > +#include "RedfishPlatformCredentialIpmiLib.h" > + > +// > +// Global flag of controlling credential service // BOOLEAN=20 > +mRedfishServiceStopped =3D FALSE; > + > +/** > + Notify the Redfish service provide to stop provide configuration=20 > +service to > this platform. > + > + This function should be called when the platform is about to leave=20 > + the safe > environment. > + It will notify the Redfish service provider to abort all login=20 > + session, and prohibit further login with original auth info. > + GetAuthInfo() will return EFI_UNSUPPORTED once this function is > returned. > + > + @param[in] This Pointer to > EDKII_REDFISH_CREDENTIAL_PROTOCOL instance. > + @param[in] ServiceStopType Reason of stopping Redfish service. > + > + @retval EFI_SUCCESS Service has been stoped successfully. > + @retval EFI_INVALID_PARAMETER This is NULL. > + @retval Others Some error happened. 
> + > +**/ > +EFI_STATUS > +EFIAPI > +LibStopRedfishService ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, > + IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType > + ) > +{ > + EFI_STATUS Status; > + > + if ((ServiceStopType <=3D ServiceStopTypeNone) || (ServiceStopType >= =3D > ServiceStopTypeMax)) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // Only stop credential service after leaving BIOS // if=20 > + (ServiceStopType !=3D ServiceStopTypeExitBootService) { > + return EFI_UNSUPPORTED; > + } > + > + // > + // Raise flag first > + // > + mRedfishServiceStopped =3D TRUE; > + > + // > + // Notify BMC to disable credential bootstrapping support. > + // > + if (PcdGetBool (PcdRedfishDisableBootstrapCredentialService)) { > + Status =3D GetBootstrapAccountCredentials (TRUE, NULL, NULL); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to disable bootstrap credential:=20 > + %r\n", > __FUNCTION__, Status)); > + return Status; > + } > + } > + > + // > + // Delete cached variable > + // > + Status =3D SetBootstrapAccountCredentialsToVariable (NULL, NULL,=20 > + TRUE); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to remove bootstrap credential: > + %r\n", __FUNCTION__, Status)); } > + > + DEBUG ((DEBUG_INFO, "%a: bootstrap credential service stopped\n",=20 > + __FUNCTION__)); > + > + return EFI_SUCCESS; > +} > + > +/** > + Notification of Exit Boot Service. > + > + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. > +**/ > +VOID > +EFIAPI > +LibCredentialExitBootServicesNotify ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This > + ) > +{ > + // > + // Stop the credential support when system is about to enter OS. > + // > + LibStopRedfishService (This, ServiceStopTypeExitBootService); } > + > +/** > + Notification of End of DXe. > + > + @param[in] This Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL. 
> +**/ > +VOID > +EFIAPI > +LibCredentialEndOfDxeNotify ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This > + ) > +{ > + // > + // Do nothing now. > + // We can stop credential support when system reach end-of-dxe for > security reason. > + // > +} > + > +/** > + Function to retrieve temporary user credentials for the UEFI=20 > +redfish client. This function can > + also disable bootstrap credential service in BMC. > + > + @param[in] DisableBootstrapControl > + TRUE - Tell the BMC to disable the= bootstrap credential > + service to ensure no one el= se gains credentials > + FALSE Allow the bootstrap=20 > + credential service to continue @param[in,out] BootstrapUsername > + A pointer to a Ascii encoded=20 > + string for the credential > username > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @param[in,out] BootstrapPassword > + A pointer to a Ascii encoded=20 > + string for the credential > password > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @retval EFI_SUCCESS Credentials were successfully fetc= hed and > returned. When DisableBootstrapControl > + is set to TRUE, the bootstrap=20 > + credential service is > disabled successfully. 
> + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL when DisableBootstrapControl > + is set to FALSE > + @retval EFI_DEVICE_ERROR An IPMI failure occurred > +**/ > +EFI_STATUS > +GetBootstrapAccountCredentials ( > + IN BOOLEAN DisableBootstrapControl, > + IN OUT CHAR8 *BootstrapUsername, OPTIONAL > + IN OUT CHAR8 *BootstrapPassword OPTIONAL > + ) > +{ > + EFI_STATUS Status; > + IPMI_BOOTSTRAP_CREDENTIALS_COMMAND_DATA CommandData; > + IPMI_BOOTSTRAP_CREDENTIALS_RESULT_RESPONSE ResponseData; > + UINT32 ResponseSize; > + > + // > + // NULL buffer check > + // > + if (!DisableBootstrapControl && ((BootstrapUsername =3D=3D NULL) || > (BootstrapPassword =3D=3D NULL))) { > + return EFI_INVALID_PARAMETER; > + } > + > + DEBUG ((DEBUG_VERBOSE, "%a: Disable bootstrap control: 0x%x\n",=20 > + __FUNCTION__, DisableBootstrapControl)); > + > + // > + // IPMI callout to NetFn 2C, command 02 > + // Request data: > + // Byte 1: REDFISH_IPMI_GROUP_EXTENSION > + // Byte 2: DisableBootstrapControl > + // > + CommandData.GroupExtensionId =3D > REDFISH_IPMI_GROUP_EXTENSION; > + CommandData.DisableBootstrapControl =3D (DisableBootstrapControl ? > + REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_DISABLE : > + REDFISH_IPMI_BOOTSTRAP_CREDENTIAL_ENABLE); > + > + ResponseSize =3D sizeof (ResponseData); > + > + // > + // Response data: > + // Byte 1 : Completion code > + // Byte 2 : REDFISH_IPMI_GROUP_EXTENSION > + // Byte 3-18 : Username > + // Byte 19-34: Password > + // > + Status =3D IpmiSubmitCommand ( > + IPMI_NETFN_GROUP_EXT, > + REDFISH_IPMI_GET_BOOTSTRAP_CREDENTIALS_CMD, > + (UINT8 *)&CommandData, > + sizeof (CommandData), > + (UINT8 *)&ResponseData, > + &ResponseSize > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: IPMI transaction failure. 
Returning\n", > __FUNCTION__)); > + return Status; > + } else { > + if (ResponseData.CompletionCode !=3D IPMI_COMP_CODE_NORMAL) { > + if (ResponseData.CompletionCode =3D=3D > REDFISH_IPMI_COMP_CODE_BOOTSTRAP_CREDENTIAL_DISABLED) { > + DEBUG ((DEBUG_ERROR, "%a: bootstrap credential support was > disabled\n", __FUNCTION__)); > + return EFI_ACCESS_DENIED; > + } > + > + DEBUG ((DEBUG_ERROR, "%a: Completion code =3D 0x%x. Returning\n", > __FUNCTION__, ResponseData.CompletionCode)); > + return EFI_PROTOCOL_ERROR; > + } else if (ResponseData.GroupExtensionId !=3D > REDFISH_IPMI_GROUP_EXTENSION) { > + DEBUG ((DEBUG_ERROR, "%a: Group Extension Response =3D 0x%x. > Returning\n", __FUNCTION__, ResponseData.GroupExtensionId)); > + return EFI_DEVICE_ERROR; > + } else { > + if (BootstrapUsername !=3D NULL) { > + CopyMem (BootstrapUsername, ResponseData.Username, > USERNAME_MAX_LENGTH); > + // > + // Manually append null-terminator in case 16 characters=20 > + username > returned. > + // > + BootstrapUsername[USERNAME_MAX_LENGTH] =3D '\0'; > + } > + > + if (BootstrapPassword !=3D NULL) { > + CopyMem (BootstrapPassword, ResponseData.Password, > PASSWORD_MAX_LENGTH); > + // > + // Manually append null-terminator in case 16 characters=20 > + password > returned. > + // > + BootstrapPassword[PASSWORD_MAX_LENGTH] =3D '\0'; > + } > + } > + } > + > + DEBUG ((DEBUG_INFO, "%a: get bootstrap credential via IPMI: %r\n",=20 > + __FUNCTION__, Status)); > + > + return Status; > +} > + > +/** > + Function to retrieve temporary user credentials from cached boot=20 > +time > variable. 
> + > + @param[in,out] BootstrapUsername A pointer to a Ascii encoded strin= g > for the credential username > + @param[in,out] BootstrapPassword A pointer to a Ascii encoded strin= g > for the credential password > + > + @retval EFI_SUCCESS Credentials were successfully fetc= hed and > returned > + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL > + @retval EFI_NOT_FOUND No variable found for account and > credentials > +**/ > +EFI_STATUS > +GetBootstrapAccountCredentialsFromVariable ( > + IN OUT CHAR8 *BootstrapUsername, > + IN OUT CHAR8 *BootstrapPassword > + ) > +{ > + EFI_STATUS Status; > + BOOTSTRAP_CREDENTIALS_VARIABLE *CredentialVariable; > + VOID *Data; > + UINTN DataSize; > + > + if ((BootstrapUsername =3D=3D NULL) || (BootstrapPassword =3D=3D NULL)= ) { > + return EFI_INVALID_PARAMETER; > + } > + > + DataSize =3D 0; > + Status =3D GetVariable2 ( > + CREDENTIAL_VARIABLE_NAME, > + &gEfiRedfishVariableGuid, > + (VOID *)&Data, > + &DataSize > + ); > + if (EFI_ERROR (Status)) { > + return EFI_NOT_FOUND; > + } > + > + if (DataSize !=3D sizeof (BOOTSTRAP_CREDENTIALS_VARIABLE)) { > + DEBUG ((DEBUG_ERROR, "%a: data corruption. returned size: %d !=3D > structure size: %d\n", __FUNCTION__, DataSize, sizeof=20 > (BOOTSTRAP_CREDENTIALS_VARIABLE))); > + return EFI_NOT_FOUND; > + } > + > + CredentialVariable =3D (BOOTSTRAP_CREDENTIALS_VARIABLE *)Data; > + > + AsciiStrCpyS (BootstrapUsername, USERNAME_MAX_SIZE, > + CredentialVariable->Username); AsciiStrCpyS (BootstrapPassword, > + PASSWORD_MAX_SIZE, CredentialVariable->Password); > + > + ZeroMem (CredentialVariable->Username, USERNAME_MAX_SIZE); > ZeroMem > + (CredentialVariable->Password, PASSWORD_MAX_SIZE); > + > + FreePool (Data); > + > + DEBUG ((DEBUG_INFO, "%a: get bootstrap credential from variable\n",=20 > + __FUNCTION__)); > + > + return EFI_SUCCESS; > +} > + > +/** > + Function to save temporary user credentials into boot time variable. 
> +When DeleteVariable is True, > + this function delete boot time variable. > + > + @param[in] BootstrapUsername A pointer to a Ascii encoded string= for > the credential username. > + @param[in] BootstrapPassword A pointer to a Ascii encoded string= for > the credential password. > + @param[in] DeleteVariable True to remove boot time variable. = False > otherwise. > + > + @retval EFI_SUCCESS Credentials were successfully save= d. > + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL > + @retval Others Error occurs > +**/ > +EFI_STATUS > +SetBootstrapAccountCredentialsToVariable ( > + IN CHAR8 *BootstrapUsername, OPTIONAL > + IN CHAR8 *BootstrapPassword, OPTIONAL > + IN BOOLEAN DeleteVariable > + ) > +{ > + EFI_STATUS Status; > + BOOTSTRAP_CREDENTIALS_VARIABLE CredentialVariable; > + VOID *Data; > + > + if (!DeleteVariable && ((BootstrapUsername =3D=3D NULL) || > (BootstrapUsername[0] =3D=3D '\0'))) { > + return EFI_INVALID_PARAMETER; > + } > + > + if (!DeleteVariable && ((BootstrapPassword =3D=3D NULL) || > (BootstrapPassword[0] =3D=3D '\0'))) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // Delete variable > + // > + if (DeleteVariable) { > + Status =3D GetVariable2 ( > + CREDENTIAL_VARIABLE_NAME, > + &gEfiRedfishVariableGuid, > + (VOID *)&Data, > + NULL > + ); > + if (!EFI_ERROR (Status)) { > + FreePool (Data); > + gRT->SetVariable (CREDENTIAL_VARIABLE_NAME, > &gEfiRedfishVariableGuid, EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL); > + } > + > + return EFI_SUCCESS; > + } > + > + ZeroMem (CredentialVariable.Username, USERNAME_MAX_SIZE); > ZeroMem > + (CredentialVariable.Password, PASSWORD_MAX_SIZE); > + > + AsciiStrCpyS (CredentialVariable.Username, USERNAME_MAX_SIZE,=20 > + BootstrapUsername); AsciiStrCpyS (CredentialVariable.Password,=20 > + PASSWORD_MAX_SIZE, BootstrapPassword); > + > + // > + // Check if variable exists already. If yes, remove it first. 
> + // > + Status =3D GetVariable2 ( > + CREDENTIAL_VARIABLE_NAME, > + &gEfiRedfishVariableGuid, > + (VOID *)&Data, > + NULL > + ); > + if (!EFI_ERROR (Status)) { > + FreePool (Data); > + gRT->SetVariable (CREDENTIAL_VARIABLE_NAME,=20 > + &gEfiRedfishVariableGuid, EFI_VARIABLE_BOOTSERVICE_ACCESS, 0, NULL);=20 > + } > + > + Status =3D gRT->SetVariable (CREDENTIAL_VARIABLE_NAME,=20 > + &gEfiRedfishVariableGuid, EFI_VARIABLE_BOOTSERVICE_ACCESS, sizeof=20 > + (BOOTSTRAP_CREDENTIALS_VARIABLE), (VOID *)&CredentialVariable); > + > + ZeroMem (CredentialVariable.Username, USERNAME_MAX_SIZE); > ZeroMem > + (CredentialVariable.Password, PASSWORD_MAX_SIZE); > + > + return Status; > +} > + > +/** > + Retrieve platform's Redfish authentication information. > + > + This functions returns the Redfish authentication method together=20 > + with the user Id and password. > + - For AuthMethodNone, the UserId and Password could be used for=20 > + HTTP > header authentication > + as defined by RFC7235. > + - For AuthMethodRedfishSession, the UserId and Password could be=20 > + used > for Redfish > + session login as defined by Redfish API specification (DSP0266). > + > + Callers are responsible for and freeing the returned string storage. > + > + @param[in] This Pointer to > EDKII_REDFISH_CREDENTIAL_PROTOCOL instance. > + @param[out] AuthMethod Type of Redfish authentication method= . > + @param[out] UserId The pointer to store the returned Use= rId > string. > + @param[out] Password The pointer to store the returned Pas= sword > string. > + > + @retval EFI_SUCCESS Get the authentication information > successfully. > + @retval EFI_ACCESS_DENIED SecureBoot is disabled after EndOfDxe= . > + @retval EFI_INVALID_PARAMETER This or AuthMethod or UserId or > Password is NULL. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory > resources. > + @retval EFI_UNSUPPORTED Unsupported authentication method is > found. 
> + > +**/ > +EFI_STATUS > +EFIAPI > +LibCredentialGetAuthInfo ( > + IN EDKII_REDFISH_CREDENTIAL_PROTOCOL *This, > + OUT EDKII_REDFISH_AUTH_METHOD *AuthMethod, > + OUT CHAR8 **UserId, > + OUT CHAR8 **Password > + ) > +{ > + EFI_STATUS Status; > + > + if ((AuthMethod =3D=3D NULL) || (UserId =3D=3D NULL) || (Password =3D= =3D NULL)) { > + return EFI_INVALID_PARAMETER; > + } > + > + *UserId =3D NULL; > + *Password =3D NULL; > + > + if (mRedfishServiceStopped) { > + DEBUG ((DEBUG_ERROR, "%a: credential service is stopped due to > security reason\n", __FUNCTION__)); > + return EFI_ACCESS_DENIED; > + } > + > + *AuthMethod =3D AuthMethodHttpBasic; > + > + *UserId =3D AllocateZeroPool (sizeof (CHAR8) * USERNAME_MAX_SIZE); =20 > + if (*UserId =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + *Password =3D AllocateZeroPool (sizeof (CHAR8) * PASSWORD_MAX_SIZE);=20 > + if (*Password =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + // > + // Get bootstrap credential from variable first // Status =3D=20 > + GetBootstrapAccountCredentialsFromVariable (*UserId, *Password); if=20 > + (!EFI_ERROR (Status)) { > + return EFI_SUCCESS; > + } I think the process should keep going if the error status is EFI_NOT_FOUND?= Besides this, all others look fine to me. BTW, how about the conclusions we had in the previous discussion? Which is = to probe "/redfish/v1/Systems" to get the supported authentication method?= Is this idea is valid? 
Thanks Abner > + > + // > + // Make a IPMI query > + // > + Status =3D GetBootstrapAccountCredentials (FALSE, *UserId,=20 > + *Password); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to get bootstrap credential:=20 > + %r\n", > __FUNCTION__, Status)); > + return Status; > + } > + > + Status =3D SetBootstrapAccountCredentialsToVariable (*UserId,=20 > + *Password, FALSE); if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: fail to cache bootstrap credential: > + %r\n", __FUNCTION__, Status)); } > + > + return EFI_SUCCESS; > +} > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.h > b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.h > new file mode 100644 > index 0000000000..5325767eab > --- /dev/null > +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatform > +++ Cr > +++ edentialIpmiLib.h 
> @@ -0,0 +1,86 @@ > +/** @file > + Header file for RedfishPlatformCredentialIpmiLib. > + > + Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All rights > reserved. > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef REDFISH_PLATFORM_CREDENTIAL_IPMI_LIB_H_ > +#define REDFISH_PLATFORM_CREDENTIAL_IPMI_LIB_H_ > + > +#include > +#include > +#include > + > +#include > + > +#include > +#include > +#include > +#include > +#include #include=20 > + #include =20 > +#include > + > +#define CREDENTIAL_VARIABLE_NAME L"Partstooblaitnederc" > + > +/// > +/// The bootstrap credential keeping in UEFI variable /// typedef=20 > +struct { > + CHAR8 Username[USERNAME_MAX_SIZE]; > + CHAR8 Password[PASSWORD_MAX_SIZE]; > +} BOOTSTRAP_CREDENTIALS_VARIABLE; > + > +/** > + Function to retrieve temporary user credentials for the UEFI=20 > +redfish client. This function can > + also disable bootstrap credential service in BMC. > + > + @param[in] DisableBootstrapControl > + TRUE - Tell the BMC to disable the= bootstrap credential > + service to ensure no one el= se gains credentials > + FALSE Allow the bootstrap=20 > + credential service to continue @param[out] BootstrapUsername > + A pointer to a Ascii encoded=20 > + string for the credential > username > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @param[out] BootstrapPassword > + A pointer to a Ascii encoded=20 > + string for the credential > password > + When DisableBootstrapControl is=20 > + TRUE, this pointer can be NULL > + > + @retval EFI_SUCCESS Credentials were successfully fetc= hed and > returned. When DisableBootstrapControl > + is set to TRUE, the bootstrap=20 > + credential service is > disabled successfully. 
> + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL when DisableBootstrapControl > + is set to FALSE > + @retval EFI_DEVICE_ERROR An IPMI failure occurred > +**/ > +EFI_STATUS > +GetBootstrapAccountCredentials ( > + IN BOOLEAN DisableBootstrapControl, > + IN OUT CHAR8 *BootstrapUsername, > + IN OUT CHAR8 *BootstrapPassword > + ); > + > +/** > + Function to save temporary user credentials into boot time variable. > +When DeleteVariable is True, > + this function delete boot time variable. > + > + @param[in] BootstrapUsername A pointer to a Ascii encoded string= for > the credential username. > + @param[in] BootstrapPassword A pointer to a Ascii encoded string= for > the credential password. > + @param[in] DeleteVariable True to remove boot time variable. = False > otherwise. > + > + @retval EFI_SUCCESS Credentials were successfully save= d. > + @retval EFI_INVALID_PARAMETER BootstrapUsername or > BootstrapPassword is NULL > + @retval Others Error occurs > +**/ > +EFI_STATUS > +SetBootstrapAccountCredentialsToVariable ( > + IN CHAR8 *BootstrapUsername, OPTIONAL > + IN CHAR8 *BootstrapPassword, OPTIONAL > + IN BOOLEAN DeleteVariable > + ); > + > +#endif > diff --git > a/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.inf > b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCred > e > ntialIpmiLib.inf > new file mode 100644 > index 0000000000..694e401ad9 > --- /dev/null > +++ b/RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatform > +++ Cr > +++ edentialIpmiLib.inf 
> @@ -0,0 +1,42 @@ > +## @file > +# INF file for RedfishPlatformCredentialIpmiLib. > +# > +# Copyright (c) 2022-2023 NVIDIA CORPORATION & AFFILIATES. All=20 > +rights > reserved. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION =3D 0x0001000b > + BASE_NAME =3D RedfishPlatformCredentialIpmiLib > + FILE_GUID =3D 9C45D622-4C66-417F-814C-F76246D9723= 3 > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D RedfishPlatformCredentialIpmiLib > + > +[Sources] > + RedfishPlatformCredentialIpmiLib.c > + RedfishPlatformCredentialIpmiLib.h > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + RedfishPkg/RedfishPkg.dec > + > +[LibraryClasses] > + UefiLib > + DebugLib > + IpmiBaseLib > + MemoryAllocationLib > + BaseMemoryLib > + UefiRuntimeServicesTableLib > + > +[Pcd] > + > +gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDisableBootstrapCredentialServ > +i > c > +e > + > +[Guids] > + gEfiRedfishVariableGuid > + > +[Depex] > + TRUE > diff --git a/RedfishPkg/RedfishPkg.dec b/RedfishPkg/RedfishPkg.dec=20 > index 53e52c2b00..86102b8ffd 100644 > --- a/RedfishPkg/RedfishPkg.dec > +++ b/RedfishPkg/RedfishPkg.dec > @@ -81,6 +81,9 @@ > [Guids] > gEfiRedfishPkgTokenSpaceGuid =3D { 0x4fdbccb7, 0xe829, 0x4b4c, { = 0x88, > 0x87, 0xb2, 0x3f, 0xd7, 0x25, 0x4b, 0x85 }} > > + # Redfish variable guid > + gEfiRedfishVariableGuid =3D { 0x85ef8dd3, 0xe606, 0x4b89, { = 0x8b, 0xbd, > 0x93, 0xbf, 0x5c, 0xbe, 0x1c, 0x18 } } > + > [PcdsFixedAtBuild, PcdsPatchableInModule] > # > # This PCD is the UEFI device path which is used as the Redfish=20 > host interface. 
> @@ -113,3 +116,7 @@ > # Default is set to not add. > # > > gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExAddingExpect|FALSE|BOO > LEAN|0x00001004 > + # > + # This PCD indicates that if BMC bootstrap credential service will=20 > + be > disabled by BIOS or not. > + # > + > + > gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDisableBootstrapCredentialServi > + ce|FALSE|BOOLEAN|0x00001005 > diff --git a/RedfishPkg/RedfishPkg.dsc b/RedfishPkg/RedfishPkg.dsc=20 > index cf25b63cc2..f2ca212bea 100644 > --- a/RedfishPkg/RedfishPkg.dsc > +++ b/RedfishPkg/RedfishPkg.dsc > @@ -3,6 +3,7 @@ > # > # Copyright (c) 2019 - 2021, Intel Corporation. All rights=20 > reserved.
# (C) Copyright 2021 Hewlett-Packard Enterprise Developmen= t LP. > +# Copyright (c) 2023, NVIDIA CORPORATION & AFFILIATES. All rights > reserved. > # > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > @@ -52,6 +53,7 @@ > [Components] > > RedfishPkg/Library/PlatformHostInterfaceLibNull/PlatformHostInterfaceL > ibN > ull.inf > =20 > RedfishPkg/Library/PlatformCredentialLibNull/PlatformCredentialLibNull > .inf > + > + > RedfishPkg/Library/RedfishPlatformCredentialIpmi/RedfishPlatformCreden > + tialIpmiLib.inf Please also add this library to RedfishLibs.dsc.inc. The one in the [Compon= ent] section should be kept as well so the CI can build it even no module u= ses it, if my understanding of having library in [Component] section is cor= rect. Those *.inc under RedfishPkg should be relocated to under \Include later so= the platform can pull it in to the platform dsc. RedfishPkg.dsc is used to build the individual package. > > RedfishPkg/Library/RedfishContentCodingLibNull/RedfishContentCodingLib > Null.inf > RedfishPkg/Library/DxeRestExLib/DxeRestExLib.inf > RedfishPkg/Library/BaseUcs2Utf8Lib/BaseUcs2Utf8Lib.inf > -- > 2.39.2.windows.1
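Review bot: in LibStopRedfishService (RedfishPlatformCredentialIpmiLib.c hunk), the early `return Status;` after a failed `GetBootstrapAccountCredentials (TRUE, NULL, NULL)` skips the `SetBootstrapAccountCredentialsToVariable (NULL, NULL, TRUE)` call that follows it, so an IPMI error at ExitBootServices leaves the cached plaintext credential in the boot-service variable; delete the variable before (or regardless of) the IPMI disable request and only then report the IPMI failure. Smaller points in the same hunk: GetBootstrapAccountCredentials sets `ResponseSize = sizeof (ResponseData)` but never checks the size IpmiSubmitCommand hands back, so a short BMC reply copies uninitialized stack bytes into Username/Password and they should be rejected unless ResponseSize matches; the `DataSize != sizeof (BOOTSTRAP_CREDENTIALS_VARIABLE)` branch in GetBootstrapAccountCredentialsFromVariable returns without `FreePool (Data)`; and LibCredentialGetAuthInfo returns EFI_OUT_OF_RESOURCES and the IPMI-failure Status without freeing the *UserId/*Password pools it has just allocated, even though the comment says callers only free storage on success.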
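Review bot: the prototype of GetBootstrapAccountCredentials in the RedfishPlatformCredentialIpmiLib.h hunk does not match the definition in the .c file: the .c declares `IN OUT CHAR8 *BootstrapUsername, OPTIONAL` and `IN OUT CHAR8 *BootstrapPassword OPTIONAL`, while the header drops both OPTIONAL markers and documents the parameters as @param[out] instead of @param[in,out]. Because the .c writes `BootstrapUsername[USERNAME_MAX_LENGTH] = '\0'` and `BootstrapPassword[PASSWORD_MAX_LENGTH] = '\0'`, the header comment should also state that callers must supply buffers of at least USERNAME_MAX_SIZE and PASSWORD_MAX_SIZE bytes.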
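Review bot: the [LibraryClasses] section of the RedfishPlatformCredentialIpmiLib.inf hunk omits BaseLib and PcdLib even though the .c calls AsciiStrCpyS and PcdGetBool; list them explicitly instead of relying on transitive linkage through the other library classes.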
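Review bot: the comment on PcdRedfishDisableBootstrapCredentialService in the second RedfishPkg.dec hunk ("indicates that if BMC bootstrap credential service will be disabled by BIOS or not") should describe the behaviour the .c implements, e.g. "TRUE: BIOS asks the BMC to disable the bootstrap credential service at ExitBootServices; FALSE: the service stays enabled". With the FALSE default the BMC keeps serving bootstrap credentials after the OS is running, so the security-relevant choice is left to platforms that know to override it; documenting that trade-off next to the default would help integrators.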