* [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure
@ 2025-08-22 15:25 Mark Pearson
2025-08-22 15:25 ` [PATCH v2 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter Mark Pearson
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Mark Pearson @ 2025-08-22 15:25 UTC (permalink / raw)
To: mpearson-lenovo
Cc: ilpo.jarvinen, hansg, kean0048, platform-driver-x86, linux-kernel
Add a certificate GUID structure to make it easier to add different
options for other platforms that need different GUIDs.
Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
drivers/platform/x86/lenovo/think-lmi.c | 41 ++++++++++++++++++++-----
1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index 0992b41b6221..88bae5b33c57 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
#define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
#define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
+struct tlmi_cert_guids {
+ char *thumbprint;
+ char *set_bios_setting;
+ char *save_bios_setting;
+ char *cert_to_password;
+ char *clear_bios_cert;
+ char *update_bios_cert;
+ char *set_bios_cert;
+};
+
+static struct tlmi_cert_guids thinkpad_cert_guid = {
+ LENOVO_CERT_THUMBPRINT_GUID,
+ LENOVO_SET_BIOS_SETTING_CERT_GUID,
+ LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+ LENOVO_CERT_TO_PASSWORD_GUID,
+ LENOVO_CLEAR_BIOS_CERT_GUID,
+ LENOVO_UPDATE_BIOS_CERT_GUID,
+ LENOVO_SET_BIOS_CERT_GUID
+};
+
+static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
+
static const struct tlmi_err_codes tlmi_errs[] = {
{"Success", 0},
{"Not Supported", -EOPNOTSUPP},
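Review bot: the members of struct tlmi_cert_guids are declared as plain char *, and both thinkpad_cert_guid and the cert_guid pointer are writable, although the table is only filled from the LENOVO_*_GUID macros. Suggest const char * members, a static const struct tlmi_cert_guids thinkpad_cert_guid and a pointer-to-const cert_guid, so the table that selects which firmware method gets called cannot be modified at run time. The positional initializer also depends on the member order never changing; designated initializers (.thumbprint = LENOVO_CERT_THUMBPRINT_GUID, and so on) with a trailing comma after the last entry remove that coupling.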
@@ -668,7 +690,10 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
const union acpi_object *obj;
acpi_status status;
- status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
+ if (!cert_guid->thumbprint)
+ return -EOPNOTSUPP;
+
+ status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
if (ACPI_FAILURE(status)) {
kfree(output.pointer);
return -EIO;
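Review bot: the NULL test added in cert_thumbprint() is the only guard on a cert_guid member; every other call site in this patch hands cert_guid->... straight to tlmi_simple_call() or assigns it to guid. With thinkpad_cert_guid as the only table defined here, thumbprint is never NULL, so the check is dead code in this patch and the changelog does not mention it. Move it to the patch that introduces a table with a NULL thumbprint, and add a comment on the struct stating which members are allowed to be NULL so later platform tables do not leave an unchecked member empty.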
@@ -751,7 +776,7 @@ static ssize_t cert_to_password_store(struct kobject *kobj,
kfree_sensitive(passwd);
return -ENOMEM;
}
- ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
+ ret = tlmi_simple_call(cert_guid->cert_to_password, auth_str);
kfree(auth_str);
kfree_sensitive(passwd);
@@ -797,7 +822,7 @@ static ssize_t certificate_store(struct kobject *kobj,
if (!auth_str)
return -ENOMEM;
- ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
+ ret = tlmi_simple_call(cert_guid->clear_bios_cert, auth_str);
kfree(auth_str);
return ret ?: count;
@@ -834,7 +859,7 @@ static ssize_t certificate_store(struct kobject *kobj,
kfree(new_cert);
return -EACCES;
}
- guid = LENOVO_UPDATE_BIOS_CERT_GUID;
+ guid = cert_guid->update_bios_cert;
/* Format: 'Certificate,Signature' */
auth_str = cert_command(setting, new_cert, signature);
} else {
@@ -845,7 +870,7 @@ static ssize_t certificate_store(struct kobject *kobj,
kfree(new_cert);
return -EACCES;
}
- guid = LENOVO_SET_BIOS_CERT_GUID;
+ guid = cert_guid->set_bios_cert;
/* Format: 'Certificate, password' */
auth_str = cert_command(setting, new_cert, setting->password);
}
@@ -1071,13 +1096,13 @@ static ssize_t current_value_store(struct kobject *kobj,
goto out;
}
- ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
+ ret = tlmi_simple_call(cert_guid->set_bios_setting, set_str);
if (ret)
goto out;
if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
tlmi_priv.save_required = true;
else
- ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+ ret = tlmi_simple_call(cert_guid->save_bios_setting,
tlmi_priv.pwd_admin->save_signature);
} else if (tlmi_priv.opcode_support) {
/*
@@ -1282,7 +1307,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *
ret = -EINVAL;
goto out;
}
- ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+ ret = tlmi_simple_call(cert_guid->save_bios_setting,
tlmi_priv.pwd_admin->save_signature);
if (ret)
goto out;
--
2.43.0
* [PATCH v2 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter
2025-08-22 15:25 [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Mark Pearson
@ 2025-08-22 15:25 ` Mark Pearson
2025-08-22 15:25 ` [PATCH v2 3/3] platform/x86: think-lmi: Add extra TC BIOS error messages Mark Pearson
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Mark Pearson @ 2025-08-22 15:25 UTC (permalink / raw)
To: mpearson-lenovo
Cc: ilpo.jarvinen, hansg, kean0048, platform-driver-x86, linux-kernel
ThinkCenter platforms use a different set of GUIDs along with some
differences in implementation details for their support of
certificate based authentication.
Update the think-lmi driver to work correctly on these platforms.
Tested on M75q Gen 5.
Signed-off-by: Kean Ren <kean0048@gmail.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
drivers/platform/x86/lenovo/think-lmi.c | 51 ++++++++++++++++++++++---
drivers/platform/x86/lenovo/think-lmi.h | 1 +
2 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index 88bae5b33c57..f7843f3a3325 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -119,6 +119,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* You must reboot the computer before the changes will take effect.
*/
#define LENOVO_SET_BIOS_CERT_GUID "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
+#define LENOVO_TC_SET_BIOS_CERT_GUID "955aaf7d-8bc4-4f04-90aa-97469512f167"
/*
* Name: UpdateBiosCert
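Review bot: LENOVO_TC_SET_BIOS_CERT_GUID is written in lower-case hex while LENOVO_SET_BIOS_CERT_GUID directly above it is upper-case, and the same holds for the other LENOVO_TC_* defines in this patch. Use one case throughout the file so that searching for a GUID is reliable, and extend the preceding comment block to say that the TC define is the ThinkCenter GUID for the same method, since the comment currently describes only one of the two.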
@@ -128,6 +129,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* You must reboot the computer before the changes will take effect.
*/
#define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
+#define LENOVO_TC_UPDATE_BIOS_CERT_GUID "5f5bbbb2-c72f-4fb8-8129-228eef4fdbed"
/*
* Name: ClearBiosCert
@@ -137,6 +139,8 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* You must reboot the computer before the changes will take effect.
*/
#define LENOVO_CLEAR_BIOS_CERT_GUID "B2BC39A7-78DD-4D71-B059-A510DEC44890"
+#define LENOVO_TC_CLEAR_BIOS_CERT_GUID "97849cb6-cb44-42d1-a750-26a596a9eec4"
+
/*
* Name: CertToPassword
* Description: Switch from certificate to password authentication.
@@ -145,6 +149,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* You must reboot the computer before the changes will take effect.
*/
#define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
+#define LENOVO_TC_CERT_TO_PASSWORD_GUID "ef65480d-38c9-420d-b700-ab3d6c8ebaca"
/*
* Name: SetBiosSettingCert
@@ -153,6 +158,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* Format: "Item,Value,Signature"
*/
#define LENOVO_SET_BIOS_SETTING_CERT_GUID "34A008CC-D205-4B62-9E67-31DFA8B90003"
+#define LENOVO_TC_SET_BIOS_SETTING_CERT_GUID "19ecba3b-b318-4192-a89b-43d94bc60cea"
/*
* Name: SaveBiosSettingCert
@@ -161,6 +167,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
* Format: "Signature"
*/
#define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
+#define LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID "0afaf46f-7cca-450a-b455-a826a0bf1af5"
/*
* Name: CertThumbprint
@@ -197,6 +204,16 @@ static struct tlmi_cert_guids thinkpad_cert_guid = {
LENOVO_SET_BIOS_CERT_GUID
};
+static struct tlmi_cert_guids thinkcenter_cert_guid = {
+ NULL,
+ LENOVO_TC_SET_BIOS_SETTING_CERT_GUID,
+ LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID,
+ LENOVO_TC_CERT_TO_PASSWORD_GUID,
+ LENOVO_TC_CLEAR_BIOS_CERT_GUID,
+ LENOVO_TC_UPDATE_BIOS_CERT_GUID,
+ LENOVO_TC_SET_BIOS_CERT_GUID
+};
+
static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
static const struct tlmi_err_codes tlmi_errs[] = {
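Review bot: the leading NULL in thinkcenter_cert_guid means "no thumbprint method" only because thumbprint happens to be the first member of struct tlmi_cert_guids; inserting or reordering a member would silently move every GUID onto a different WMI method. Use designated initializers and either omit .thumbprint or set it to NULL explicitly with a short comment that ThinkCenter has no thumbprint GUID, and add the trailing comma after LENOVO_TC_SET_BIOS_CERT_GUID.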
@@ -871,8 +888,16 @@ static ssize_t certificate_store(struct kobject *kobj,
return -EACCES;
}
guid = cert_guid->set_bios_cert;
- /* Format: 'Certificate, password' */
- auth_str = cert_command(setting, new_cert, setting->password);
+ if (tlmi_priv.thinkcenter_mode) {
+ /* Format: 'Certificate, password, encoding, kbdlang' */
+ auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s", new_cert,
+ setting->password,
+ encoding_options[setting->encoding],
+ setting->kbdlang);
+ } else {
+ /* Format: 'Certificate, password' */
+ auth_str = cert_command(setting, new_cert, setting->password);
+ }
}
kfree(new_cert);
if (!auth_str)
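Review bot: the thinkcenter_mode branch formats setting->password into auth_str with kasprintf(), so the buffer holds the password in clear text; whichever path releases auth_str after this point should use kfree_sensitive() rather than kfree(). The comment gives the format as 'Certificate, password, encoding, kbdlang' with spaces, while the format string is "%s,%s,%s,%s" without them; make the comment match what is actually sent to firmware. It would also help to say why this branch open-codes the string instead of going through cert_command() as the else branch does.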
@@ -1608,6 +1633,16 @@ static int tlmi_analyze(struct wmi_device *wdev)
wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
tlmi_priv.certificate_support = true;
+ /* ThinkCenter uses different GUIDs for certificate support */
+ if (wmi_has_guid(LENOVO_TC_SET_BIOS_CERT_GUID) &&
+ wmi_has_guid(LENOVO_TC_SET_BIOS_SETTING_CERT_GUID) &&
+ wmi_has_guid(LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID)) {
+ tlmi_priv.certificate_support = true;
+ tlmi_priv.thinkcenter_mode = true;
+ cert_guid = &thinkcenter_cert_guid;
+ pr_info("ThinkCenter modified support being used\n");
+ }
+
/*
* Try to find the number of valid settings of this machine
* and use it to create sysfs attributes.
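Review bot: the ThinkCenter detection tests three GUIDs (LENOVO_TC_SET_BIOS_CERT_GUID, LENOVO_TC_SET_BIOS_SETTING_CERT_GUID, LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID) and then switches cert_guid to a table that also carries the cert-to-password, clear and update GUIDs, none of which is checked with wmi_has_guid(). Either test those here as well or state in the comment that firmware always exposes them together. The block runs after the existing certificate_support check and replaces cert_guid unconditionally, so a note on the intended precedence if both GUID sets were present would be useful, and the pr_info() text could say that ThinkCenter certificate GUIDs were detected rather than "modified support".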
@@ -1753,10 +1788,14 @@ static int tlmi_analyze(struct wmi_device *wdev)
}
if (tlmi_priv.certificate_support) {
- tlmi_priv.pwd_admin->cert_installed =
- tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
- tlmi_priv.pwd_system->cert_installed =
- tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
+ if (tlmi_priv.thinkcenter_mode) {
+ tlmi_priv.pwd_admin->cert_installed = tlmi_priv.pwdcfg.core.password_mode;
+ } else {
+ tlmi_priv.pwd_admin->cert_installed =
+ tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
+ tlmi_priv.pwd_system->cert_installed =
+ tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
+ }
}
return 0;
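Review bot: in the thinkcenter_mode branch, pwd_admin->cert_installed takes the raw value of pwdcfg.core.password_mode with no mask or comparison, whereas the else branch tests explicit bits of password_state (TLMI_CERT_SVC, TLMI_CERT_SMC). Compare against the specific password_mode value that means a certificate is installed, or add a comment stating that any non-zero mode does, so a password-only mode cannot be reported as certificate authentication. pwd_system->cert_installed is not assigned in this branch; say whether that is intentional.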
diff --git a/drivers/platform/x86/lenovo/think-lmi.h b/drivers/platform/x86/lenovo/think-lmi.h
index 9b014644d316..c805ee312539 100644
--- a/drivers/platform/x86/lenovo/think-lmi.h
+++ b/drivers/platform/x86/lenovo/think-lmi.h
@@ -109,6 +109,7 @@ struct think_lmi {
enum save_mode save_mode;
bool save_required;
bool reboot_required;
+ bool thinkcenter_mode;
struct tlmi_attr_setting *setting[TLMI_SETTINGS_COUNT];
struct device *class_dev;
--
2.43.0
* [PATCH v2 3/3] platform/x86: think-lmi: Add extra TC BIOS error messages
2025-08-22 15:25 [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Mark Pearson
2025-08-22 15:25 ` [PATCH v2 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter Mark Pearson
@ 2025-08-22 15:25 ` Mark Pearson
2025-08-22 15:41 ` [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Ilpo Järvinen
2025-08-25 13:36 ` Markus Elfring
3 siblings, 0 replies; 7+ messages in thread
From: Mark Pearson @ 2025-08-22 15:25 UTC (permalink / raw)
To: mpearson-lenovo
Cc: ilpo.jarvinen, hansg, kean0048, platform-driver-x86, linux-kernel
Add extra error messages that are used by ThinkCenter platforms.
Signed-off-by: Kean Ren <kean0048@gmail.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
drivers/platform/x86/lenovo/think-lmi.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index f7843f3a3325..7c20d522e243 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -218,10 +218,21 @@ static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
static const struct tlmi_err_codes tlmi_errs[] = {
{"Success", 0},
+ {"Set Certificate operation was successful.", 0},
{"Not Supported", -EOPNOTSUPP},
{"Invalid Parameter", -EINVAL},
{"Access Denied", -EACCES},
{"System Busy", -EBUSY},
+ {"Set Certificate operation failed with status:Invalid Parameter.", -EINVAL},
+ {"Set Certificate operation failed with status:Invalid certificate type.", -EINVAL},
+ {"Set Certificate operation failed with status:Invalid password format.", -EINVAL},
+ {"Set Certificate operation failed with status:Password retry count exceeded.", -EACCES},
+ {"Set Certificate operation failed with status:Password Invalid.", -EACCES},
+ {"Set Certificate operation failed with status:Operation aborted.", -EBUSY},
+ {"Set Certificate operation failed with status:No free slots to write.", -ENOSPC},
+ {"Set Certificate operation failed with status:Certificate not found.", -EEXIST},
+ {"Set Certificate operation failed with status:Internal error.", -EFAULT},
+ {"Set Certificate operation failed with status:Certificate too large.", -EFBIG},
};
static const char * const encoding_options[] = {
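Review bot: "Certificate not found." is mapped to -EEXIST, which reports that an object already exists; -ENOENT matches the message. "Internal error." mapped to -EFAULT (bad address) would read more naturally as -EIO. The new entries also match complete firmware sentences, including the missing space after "status:", so any change in BIOS wording stops matching; a short comment that these strings are copied verbatim from ThinkCenter firmware would explain why they must not be tidied up.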
--
2.43.0
* Re: [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure
2025-08-22 15:25 [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Mark Pearson
2025-08-22 15:25 ` [PATCH v2 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter Mark Pearson
2025-08-22 15:25 ` [PATCH v2 3/3] platform/x86: think-lmi: Add extra TC BIOS error messages Mark Pearson
@ 2025-08-22 15:41 ` Ilpo Järvinen
2025-08-22 16:15 ` Mark Pearson
2025-08-25 13:36 ` Markus Elfring
3 siblings, 1 reply; 7+ messages in thread
From: Ilpo Järvinen @ 2025-08-22 15:41 UTC (permalink / raw)
To: Mark Pearson; +Cc: hansg, kean0048, platform-driver-x86, LKML
On Fri, 22 Aug 2025, Mark Pearson wrote:
> Add a certificate GUID structure to make it easier to add different
> options for other platforms that need different GUIDs.
>
> Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
> ---
> drivers/platform/x86/lenovo/think-lmi.c | 41 ++++++++++++++++++++-----
> 1 file changed, 33 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
> index 0992b41b6221..88bae5b33c57 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.c
> +++ b/drivers/platform/x86/lenovo/think-lmi.c
> @@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
> #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
> #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
>
> +struct tlmi_cert_guids {
> + char *thumbprint;
> + char *set_bios_setting;
> + char *save_bios_setting;
> + char *cert_to_password;
> + char *clear_bios_cert;
> + char *update_bios_cert;
> + char *set_bios_cert;
> +};
> +
> +static struct tlmi_cert_guids thinkpad_cert_guid = {
> + LENOVO_CERT_THUMBPRINT_GUID,
Don't use the anonymous initialization but name the members for better
readability.
> + LENOVO_SET_BIOS_SETTING_CERT_GUID,
> + LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + LENOVO_CERT_TO_PASSWORD_GUID,
> + LENOVO_CLEAR_BIOS_CERT_GUID,
> + LENOVO_UPDATE_BIOS_CERT_GUID,
> + LENOVO_SET_BIOS_CERT_GUID
Always remember to add comma to any non-terminator entry.
...And thanks for reworking these, they look so simple now to review. :-)
> +};
> +
> +static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
> +
> static const struct tlmi_err_codes tlmi_errs[] = {
> {"Success", 0},
> {"Not Supported", -EOPNOTSUPP},
> @@ -668,7 +690,10 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
> const union acpi_object *obj;
> acpi_status status;
>
> - status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
> + if (!cert_guid->thumbprint)
> + return -EOPNOTSUPP;
Either mention this in the changelog or move it into the next patch
that is the one needing the check. The latter of those seems more logical
as this is the only GUID you're NULL checking.
--
i.
> +
> + status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
> if (ACPI_FAILURE(status)) {
> kfree(output.pointer);
> return -EIO;
> @@ -751,7 +776,7 @@ static ssize_t cert_to_password_store(struct kobject *kobj,
> kfree_sensitive(passwd);
> return -ENOMEM;
> }
> - ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
> + ret = tlmi_simple_call(cert_guid->cert_to_password, auth_str);
> kfree(auth_str);
> kfree_sensitive(passwd);
>
> @@ -797,7 +822,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> if (!auth_str)
> return -ENOMEM;
>
> - ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
> + ret = tlmi_simple_call(cert_guid->clear_bios_cert, auth_str);
> kfree(auth_str);
>
> return ret ?: count;
> @@ -834,7 +859,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> kfree(new_cert);
> return -EACCES;
> }
> - guid = LENOVO_UPDATE_BIOS_CERT_GUID;
> + guid = cert_guid->update_bios_cert;
> /* Format: 'Certificate,Signature' */
> auth_str = cert_command(setting, new_cert, signature);
> } else {
> @@ -845,7 +870,7 @@ static ssize_t certificate_store(struct kobject *kobj,
> kfree(new_cert);
> return -EACCES;
> }
> - guid = LENOVO_SET_BIOS_CERT_GUID;
> + guid = cert_guid->set_bios_cert;
> /* Format: 'Certificate, password' */
> auth_str = cert_command(setting, new_cert, setting->password);
> }
> @@ -1071,13 +1096,13 @@ static ssize_t current_value_store(struct kobject *kobj,
> goto out;
> }
>
> - ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
> + ret = tlmi_simple_call(cert_guid->set_bios_setting, set_str);
> if (ret)
> goto out;
> if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
> tlmi_priv.save_required = true;
> else
> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + ret = tlmi_simple_call(cert_guid->save_bios_setting,
> tlmi_priv.pwd_admin->save_signature);
> } else if (tlmi_priv.opcode_support) {
> /*
> @@ -1282,7 +1307,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *
> ret = -EINVAL;
> goto out;
> }
> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> + ret = tlmi_simple_call(cert_guid->save_bios_setting,
> tlmi_priv.pwd_admin->save_signature);
> if (ret)
> goto out;
>
* Re: [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure
2025-08-22 15:41 ` [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Ilpo Järvinen
@ 2025-08-22 16:15 ` Mark Pearson
0 siblings, 0 replies; 7+ messages in thread
From: Mark Pearson @ 2025-08-22 16:15 UTC (permalink / raw)
To: Ilpo Järvinen
Cc: Hans de Goede, RenHai, platform-driver-x86@vger.kernel.org, LKML
Thanks Ilpo,
On Fri, Aug 22, 2025, at 11:41 AM, Ilpo Järvinen wrote:
> On Fri, 22 Aug 2025, Mark Pearson wrote:
>
>> Add a certificate GUID structure to make it easier to add different
>> options for other platforms that need different GUIDs.
>>
>> Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
>> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
>> ---
>> drivers/platform/x86/lenovo/think-lmi.c | 41 ++++++++++++++++++++-----
>> 1 file changed, 33 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
>> index 0992b41b6221..88bae5b33c57 100644
>> --- a/drivers/platform/x86/lenovo/think-lmi.c
>> +++ b/drivers/platform/x86/lenovo/think-lmi.c
>> @@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>> #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
>> #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
>>
>> +struct tlmi_cert_guids {
>> + char *thumbprint;
>> + char *set_bios_setting;
>> + char *save_bios_setting;
>> + char *cert_to_password;
>> + char *clear_bios_cert;
>> + char *update_bios_cert;
>> + char *set_bios_cert;
>> +};
>> +
>> +static struct tlmi_cert_guids thinkpad_cert_guid = {
>> + LENOVO_CERT_THUMBPRINT_GUID,
>
> Don't use the anonymous initialization but name the members for better
> readability.
>
Sure - I will fix that
>> + LENOVO_SET_BIOS_SETTING_CERT_GUID,
>> + LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
>> + LENOVO_CERT_TO_PASSWORD_GUID,
>> + LENOVO_CLEAR_BIOS_CERT_GUID,
>> + LENOVO_UPDATE_BIOS_CERT_GUID,
>> + LENOVO_SET_BIOS_CERT_GUID
>
> Always remember to add comma to any non-terminator entry.
>
Yep - will do. Interesting that the checkpatch --strict didn't catch that one.
> ...And thanks for reworking these, they look so simple now to review. :-)
>
It was a good suggestion :)
>> +};
>> +
>> +static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
>> +
>> static const struct tlmi_err_codes tlmi_errs[] = {
>> {"Success", 0},
>> {"Not Supported", -EOPNOTSUPP},
>> @@ -668,7 +690,10 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
>> const union acpi_object *obj;
>> acpi_status status;
>>
>> - status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
>> + if (!cert_guid->thumbprint)
>> + return -EOPNOTSUPP;
>
> Either mention this in the changelog or move it into the next patch
> that is the one needing the check. The latter of those seems more logical
> as this is the only GUID you're NULL checking.
>
I did debate whether it was patch 1 or 2.
I think you're right...I'll move it to patch 2
> --
> i.
>
>> +
>> + status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
>> if (ACPI_FAILURE(status)) {
>> kfree(output.pointer);
>> return -EIO;
>> @@ -751,7 +776,7 @@ static ssize_t cert_to_password_store(struct kobject *kobj,
>> kfree_sensitive(passwd);
>> return -ENOMEM;
>> }
>> - ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
>> + ret = tlmi_simple_call(cert_guid->cert_to_password, auth_str);
>> kfree(auth_str);
>> kfree_sensitive(passwd);
>>
>> @@ -797,7 +822,7 @@ static ssize_t certificate_store(struct kobject *kobj,
>> if (!auth_str)
>> return -ENOMEM;
>>
>> - ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
>> + ret = tlmi_simple_call(cert_guid->clear_bios_cert, auth_str);
>> kfree(auth_str);
>>
>> return ret ?: count;
>> @@ -834,7 +859,7 @@ static ssize_t certificate_store(struct kobject *kobj,
>> kfree(new_cert);
>> return -EACCES;
>> }
>> - guid = LENOVO_UPDATE_BIOS_CERT_GUID;
>> + guid = cert_guid->update_bios_cert;
>> /* Format: 'Certificate,Signature' */
>> auth_str = cert_command(setting, new_cert, signature);
>> } else {
>> @@ -845,7 +870,7 @@ static ssize_t certificate_store(struct kobject *kobj,
>> kfree(new_cert);
>> return -EACCES;
>> }
>> - guid = LENOVO_SET_BIOS_CERT_GUID;
>> + guid = cert_guid->set_bios_cert;
>> /* Format: 'Certificate, password' */
>> auth_str = cert_command(setting, new_cert, setting->password);
>> }
>> @@ -1071,13 +1096,13 @@ static ssize_t current_value_store(struct kobject *kobj,
>> goto out;
>> }
>>
>> - ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
>> + ret = tlmi_simple_call(cert_guid->set_bios_setting, set_str);
>> if (ret)
>> goto out;
>> if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
>> tlmi_priv.save_required = true;
>> else
>> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
>> + ret = tlmi_simple_call(cert_guid->save_bios_setting,
>> tlmi_priv.pwd_admin->save_signature);
>> } else if (tlmi_priv.opcode_support) {
>> /*
>> @@ -1282,7 +1307,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *
>> ret = -EINVAL;
>> goto out;
>> }
>> - ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
>> + ret = tlmi_simple_call(cert_guid->save_bios_setting,
>> tlmi_priv.pwd_admin->save_signature);
>> if (ret)
>> goto out;
>>
* Re: [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure
2025-08-22 15:25 [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Mark Pearson
` (2 preceding siblings ...)
2025-08-22 15:41 ` [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure Ilpo Järvinen
@ 2025-08-25 13:36 ` Markus Elfring
2025-08-25 16:01 ` Mark Pearson
3 siblings, 1 reply; 7+ messages in thread
From: Markus Elfring @ 2025-08-25 13:36 UTC (permalink / raw)
To: Mark Pearson, platform-driver-x86
Cc: LKML, Hans de Goede, Ilpo Järvinen, Kean Ren
> Add a certificate GUID structure to make it easier to add different
> options for other platforms that need different GUIDs.
Would a cover letter become helpful for such a patch series?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.17-rc3#n310
Regards,
Markus
* Re: [PATCH v2 1/3] platform/x86: think-lmi: Add certificate GUID structure
2025-08-25 13:36 ` Markus Elfring
@ 2025-08-25 16:01 ` Mark Pearson
0 siblings, 0 replies; 7+ messages in thread
From: Mark Pearson @ 2025-08-25 16:01 UTC (permalink / raw)
To: Markus Elfring, platform-driver-x86@vger.kernel.org
Cc: LKML, Hans de Goede, Ilpo Järvinen, RenHai
Hi Markus
On Mon, Aug 25, 2025, at 9:36 AM, Markus Elfring wrote:
>> Add a certificate GUID structure to make it easier to add different
>> options for other platforms that need different GUIDs.
>
> Would a cover letter become helpful for such a patch series?
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.17-rc3#n310
>
Yep - I'll add that (good timing - I was just about to push v3)
Thanks for the review
Mark