[PATCH v3 0/3] platform/x86: think-lmi: ThinkCenter certificate

[PATCH v3 0/3] platform/x86: think-lmi: ThinkCenter certificate

[Mark Pearson]

Patch series to implement certificate based authentication on
ThinkCenter platforms

Patch 1 introduce a certificate GUID structure to make it easier to
support different GUIDs for certificate authentication
Patch 2 implements the changes needed to support ThinkCenter platforms
Patch3 adds some extra error message handling as used on ThinkCenter
platforms.

Tested on M75q Gen 5

Mark Pearson (3):
  platform/x86: think-lmi: Add certificate GUID structure
  platform/x86: think-lmi: Certificate support for ThinkCenter
  platform/x86: think-lmi: Add extra TC BIOS error messages

 drivers/platform/x86/lenovo/think-lmi.c | 103 ++++++++++++++++++++----
 drivers/platform/x86/lenovo/think-lmi.h |   1 +
 2 files changed, 90 insertions(+), 14 deletions(-)

-- 
2.43.0

[PATCH v3 1/3] platform/x86: think-lmi: Add certificate GUID structure

[Mark Pearson]

Add a certificate GUID structure to make it easier to add different
options for other platforms that need different GUIDs.

Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
Changes in v2:
 - split patch up into series
Changes in v3:
 - add field details to thinkpad_cert_guid declare.
 - add missing comma
 - Move null thumbprint GUID check to later in series

 drivers/platform/x86/lenovo/think-lmi.c | 38 +++++++++++++++++++------
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index 0992b41b6221..a22d25f6d3c6 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
 #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
 #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
 
+struct tlmi_cert_guids {
+	char *thumbprint;
+	char *set_bios_setting;
+	char *save_bios_setting;
+	char *cert_to_password;
+	char *clear_bios_cert;
+	char *update_bios_cert;
+	char *set_bios_cert;
+};
+
+static struct tlmi_cert_guids thinkpad_cert_guid = {
+	.thumbprint = LENOVO_CERT_THUMBPRINT_GUID,
+	.set_bios_setting = LENOVO_SET_BIOS_SETTING_CERT_GUID,
+	.save_bios_setting = LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+	.cert_to_password = LENOVO_CERT_TO_PASSWORD_GUID,
+	.clear_bios_cert = LENOVO_CLEAR_BIOS_CERT_GUID,
+	.update_bios_cert = LENOVO_UPDATE_BIOS_CERT_GUID,
+	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
+};
+
+static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
+
 static const struct tlmi_err_codes tlmi_errs[] = {
 	{"Success", 0},
 	{"Not Supported", -EOPNOTSUPP},
@@ -668,7 +690,7 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
 	const union acpi_object *obj;
 	acpi_status status;
 
-	status = wmi_evaluate_method(LENOVO_CERT_THUMBPRINT_GUID, 0, 0, &input, &output);
+	status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
 	if (ACPI_FAILURE(status)) {
 		kfree(output.pointer);
 		return -EIO;
@@ -751,7 +773,7 @@ static ssize_t cert_to_password_store(struct kobject *kobj,
 		kfree_sensitive(passwd);
 		return -ENOMEM;
 	}
-	ret = tlmi_simple_call(LENOVO_CERT_TO_PASSWORD_GUID, auth_str);
+	ret = tlmi_simple_call(cert_guid->cert_to_password, auth_str);
 	kfree(auth_str);
 	kfree_sensitive(passwd);
 
@@ -797,7 +819,7 @@ static ssize_t certificate_store(struct kobject *kobj,
 		if (!auth_str)
 			return -ENOMEM;
 
-		ret = tlmi_simple_call(LENOVO_CLEAR_BIOS_CERT_GUID, auth_str);
+		ret = tlmi_simple_call(cert_guid->clear_bios_cert, auth_str);
 		kfree(auth_str);
 
 		return ret ?: count;
@@ -834,7 +856,7 @@ static ssize_t certificate_store(struct kobject *kobj,
 			kfree(new_cert);
 			return -EACCES;
 		}
-		guid = LENOVO_UPDATE_BIOS_CERT_GUID;
+		guid = cert_guid->update_bios_cert;
 		/* Format: 'Certificate,Signature' */
 		auth_str = cert_command(setting, new_cert, signature);
 	} else {
@@ -845,7 +867,7 @@ static ssize_t certificate_store(struct kobject *kobj,
 			kfree(new_cert);
 			return -EACCES;
 		}
-		guid = LENOVO_SET_BIOS_CERT_GUID;
+		guid = cert_guid->set_bios_cert;
 		/* Format: 'Certificate, password' */
 		auth_str = cert_command(setting, new_cert, setting->password);
 	}
@@ -1071,13 +1093,13 @@ static ssize_t current_value_store(struct kobject *kobj,
 			goto out;
 		}
 
-		ret = tlmi_simple_call(LENOVO_SET_BIOS_SETTING_CERT_GUID, set_str);
+		ret = tlmi_simple_call(cert_guid->set_bios_setting, set_str);
 		if (ret)
 			goto out;
 		if (tlmi_priv.save_mode == TLMI_SAVE_BULK)
 			tlmi_priv.save_required = true;
 		else
-			ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+			ret = tlmi_simple_call(cert_guid->save_bios_setting,
 					       tlmi_priv.pwd_admin->save_signature);
 	} else if (tlmi_priv.opcode_support) {
 		/*
@@ -1282,7 +1304,7 @@ static ssize_t save_settings_store(struct kobject *kobj, struct kobj_attribute *
 				ret = -EINVAL;
 				goto out;
 			}
-			ret = tlmi_simple_call(LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
+			ret = tlmi_simple_call(cert_guid->save_bios_setting,
 					       tlmi_priv.pwd_admin->save_signature);
 			if (ret)
 				goto out;
-- 
2.43.0

[PATCH v3 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter

[Mark Pearson]

ThinkCenter platforms use a different set of GUIDs along with some
differences in implementation details for their support of
certificate based authentication.

Update the think-lmi driver to work correctly on these platforms.

Tested on M75q Gen 5.

Signed-off-by: Kean Ren <kean0048@gmail.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
Changes in v2:
 - split patch up into series
Changes in v3:
 - Move check for no thumbprint GUID to this patch
 - Add structure fields and missing comma

 drivers/platform/x86/lenovo/think-lmi.c | 54 ++++++++++++++++++++++---
 drivers/platform/x86/lenovo/think-lmi.h |  1 +
 2 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index a22d25f6d3c6..3a1cec4625e5 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -119,6 +119,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * You must reboot the computer before the changes will take effect.
  */
 #define LENOVO_SET_BIOS_CERT_GUID    "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
+#define LENOVO_TC_SET_BIOS_CERT_GUID "955aaf7d-8bc4-4f04-90aa-97469512f167"
 
 /*
  * Name: UpdateBiosCert
@@ -128,6 +129,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * You must reboot the computer before the changes will take effect.
  */
 #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
+#define LENOVO_TC_UPDATE_BIOS_CERT_GUID "5f5bbbb2-c72f-4fb8-8129-228eef4fdbed"
 
 /*
  * Name: ClearBiosCert
@@ -137,6 +139,8 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * You must reboot the computer before the changes will take effect.
  */
 #define LENOVO_CLEAR_BIOS_CERT_GUID  "B2BC39A7-78DD-4D71-B059-A510DEC44890"
+#define LENOVO_TC_CLEAR_BIOS_CERT_GUID  "97849cb6-cb44-42d1-a750-26a596a9eec4"
+
 /*
  * Name: CertToPassword
  * Description: Switch from certificate to password authentication.
@@ -145,6 +149,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * You must reboot the computer before the changes will take effect.
  */
 #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
+#define LENOVO_TC_CERT_TO_PASSWORD_GUID "ef65480d-38c9-420d-b700-ab3d6c8ebaca"
 
 /*
  * Name: SetBiosSettingCert
@@ -153,6 +158,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * Format: "Item,Value,Signature"
  */
 #define LENOVO_SET_BIOS_SETTING_CERT_GUID  "34A008CC-D205-4B62-9E67-31DFA8B90003"
+#define LENOVO_TC_SET_BIOS_SETTING_CERT_GUID  "19ecba3b-b318-4192-a89b-43d94bc60cea"
 
 /*
  * Name: SaveBiosSettingCert
@@ -161,6 +167,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
  * Format: "Signature"
  */
 #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
+#define LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID "0afaf46f-7cca-450a-b455-a826a0bf1af5"
 
 /*
  * Name: CertThumbprint
@@ -197,6 +204,16 @@ static struct tlmi_cert_guids thinkpad_cert_guid = {
 	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
 };
 
+static struct tlmi_cert_guids thinkcenter_cert_guid = {
+	.thumbprint = NULL,
+	.set_bios_setting = LENOVO_TC_SET_BIOS_SETTING_CERT_GUID,
+	.save_bios_setting = LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID,
+	.cert_to_password = LENOVO_TC_CERT_TO_PASSWORD_GUID,
+	.clear_bios_cert = LENOVO_TC_CLEAR_BIOS_CERT_GUID,
+	.update_bios_cert = LENOVO_TC_UPDATE_BIOS_CERT_GUID,
+	.set_bios_cert = LENOVO_TC_SET_BIOS_CERT_GUID,
+};
+
 static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
 
 static const struct tlmi_err_codes tlmi_errs[] = {
@@ -690,6 +707,9 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
 	const union acpi_object *obj;
 	acpi_status status;
 
+	if (!cert_guid->thumbprint)
+		return -EOPNOTSUPP;
+
 	status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
 	if (ACPI_FAILURE(status)) {
 		kfree(output.pointer);
@@ -868,8 +888,16 @@ static ssize_t certificate_store(struct kobject *kobj,
 			return -EACCES;
 		}
 		guid = cert_guid->set_bios_cert;
-		/* Format: 'Certificate, password' */
-		auth_str = cert_command(setting, new_cert, setting->password);
+		if (tlmi_priv.thinkcenter_mode) {
+			/* Format: 'Certificate, password, encoding, kbdlang' */
+			auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s", new_cert,
+					     setting->password,
+					     encoding_options[setting->encoding],
+					     setting->kbdlang);
+		} else {
+			/* Format: 'Certificate, password' */
+			auth_str = cert_command(setting, new_cert, setting->password);
+		}
 	}
 	kfree(new_cert);
 	if (!auth_str)
@@ -1605,6 +1633,16 @@ static int tlmi_analyze(struct wmi_device *wdev)
 		wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
 		tlmi_priv.certificate_support = true;
 
+	/* ThinkCenter uses different GUIDs for certificate support */
+	if (wmi_has_guid(LENOVO_TC_SET_BIOS_CERT_GUID) &&
+	    wmi_has_guid(LENOVO_TC_SET_BIOS_SETTING_CERT_GUID) &&
+	    wmi_has_guid(LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID)) {
+		tlmi_priv.certificate_support = true;
+		tlmi_priv.thinkcenter_mode = true;
+		cert_guid = &thinkcenter_cert_guid;
+		pr_info("ThinkCenter modified support being used\n");
+	}
+
 	/*
 	 * Try to find the number of valid settings of this machine
 	 * and use it to create sysfs attributes.
@@ -1750,10 +1788,14 @@ static int tlmi_analyze(struct wmi_device *wdev)
 	}
 
 	if (tlmi_priv.certificate_support) {
-		tlmi_priv.pwd_admin->cert_installed =
-			tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
-		tlmi_priv.pwd_system->cert_installed =
-			tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
+		if (tlmi_priv.thinkcenter_mode) {
+			tlmi_priv.pwd_admin->cert_installed = tlmi_priv.pwdcfg.core.password_mode;
+		} else {
+			tlmi_priv.pwd_admin->cert_installed =
+				tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
+			tlmi_priv.pwd_system->cert_installed =
+				tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
+		}
 	}
 	return 0;
 
diff --git a/drivers/platform/x86/lenovo/think-lmi.h b/drivers/platform/x86/lenovo/think-lmi.h
index 9b014644d316..c805ee312539 100644
--- a/drivers/platform/x86/lenovo/think-lmi.h
+++ b/drivers/platform/x86/lenovo/think-lmi.h
@@ -109,6 +109,7 @@ struct think_lmi {
 	enum save_mode save_mode;
 	bool save_required;
 	bool reboot_required;
+	bool thinkcenter_mode;
 
 	struct tlmi_attr_setting *setting[TLMI_SETTINGS_COUNT];
 	struct device *class_dev;
-- 
2.43.0

[PATCH v3 3/3] platform/x86: think-lmi: Add extra TC BIOS error messages

[Mark Pearson]

Add extra error messages that are used by ThinkCenter platforms.

Signed-off-by: Kean Ren <kean0048@gmail.com>
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
---
Changes in v2:
 - split patch up into series
Changes in v3:
 - No changes

 drivers/platform/x86/lenovo/think-lmi.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
index 3a1cec4625e5..006ec0446c4e 100644
--- a/drivers/platform/x86/lenovo/think-lmi.c
+++ b/drivers/platform/x86/lenovo/think-lmi.c
@@ -218,10 +218,21 @@ static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
 
 static const struct tlmi_err_codes tlmi_errs[] = {
 	{"Success", 0},
+	{"Set Certificate operation was successful.", 0},
 	{"Not Supported", -EOPNOTSUPP},
 	{"Invalid Parameter", -EINVAL},
 	{"Access Denied", -EACCES},
 	{"System Busy", -EBUSY},
+	{"Set Certificate operation failed with status:Invalid Parameter.", -EINVAL},
+	{"Set Certificate operation failed with status:Invalid certificate type.", -EINVAL},
+	{"Set Certificate operation failed with status:Invalid password format.", -EINVAL},
+	{"Set Certificate operation failed with status:Password retry count exceeded.", -EACCES},
+	{"Set Certificate operation failed with status:Password Invalid.", -EACCES},
+	{"Set Certificate operation failed with status:Operation aborted.", -EBUSY},
+	{"Set Certificate operation failed with status:No free slots to write.", -ENOSPC},
+	{"Set Certificate operation failed with status:Certificate not found.", -EEXIST},
+	{"Set Certificate operation failed with status:Internal error.", -EFAULT},
+	{"Set Certificate operation failed with status:Certificate too large.", -EFBIG},
 };
 
 static const char * const encoding_options[] = {
-- 
2.43.0

Re: [PATCH v3 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter

[Ilpo Järvinen]

On Mon, 25 Aug 2025, Mark Pearson wrote:

> ThinkCenter platforms use a different set of GUIDs along with some
> differences in implementation details for their support of
> certificate based authentication.
> 
> Update the think-lmi driver to work correctly on these platforms.
> 
> Tested on M75q Gen 5.
> 
> Signed-off-by: Kean Ren <kean0048@gmail.com>
> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
> ---
> Changes in v2:
>  - split patch up into series
> Changes in v3:
>  - Move check for no thumbprint GUID to this patch
>  - Add structure fields and missing comma
> 
>  drivers/platform/x86/lenovo/think-lmi.c | 54 ++++++++++++++++++++++---
>  drivers/platform/x86/lenovo/think-lmi.h |  1 +
>  2 files changed, 49 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
> index a22d25f6d3c6..3a1cec4625e5 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.c
> +++ b/drivers/platform/x86/lenovo/think-lmi.c
> @@ -119,6 +119,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * You must reboot the computer before the changes will take effect.
>   */
>  #define LENOVO_SET_BIOS_CERT_GUID    "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
> +#define LENOVO_TC_SET_BIOS_CERT_GUID "955aaf7d-8bc4-4f04-90aa-97469512f167"
>  
>  /*
>   * Name: UpdateBiosCert
> @@ -128,6 +129,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * You must reboot the computer before the changes will take effect.
>   */
>  #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
> +#define LENOVO_TC_UPDATE_BIOS_CERT_GUID "5f5bbbb2-c72f-4fb8-8129-228eef4fdbed"
>  
>  /*
>   * Name: ClearBiosCert
> @@ -137,6 +139,8 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * You must reboot the computer before the changes will take effect.
>   */
>  #define LENOVO_CLEAR_BIOS_CERT_GUID  "B2BC39A7-78DD-4D71-B059-A510DEC44890"
> +#define LENOVO_TC_CLEAR_BIOS_CERT_GUID  "97849cb6-cb44-42d1-a750-26a596a9eec4"
> +
>  /*
>   * Name: CertToPassword
>   * Description: Switch from certificate to password authentication.
> @@ -145,6 +149,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * You must reboot the computer before the changes will take effect.
>   */
>  #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
> +#define LENOVO_TC_CERT_TO_PASSWORD_GUID "ef65480d-38c9-420d-b700-ab3d6c8ebaca"
>  
>  /*
>   * Name: SetBiosSettingCert
> @@ -153,6 +158,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * Format: "Item,Value,Signature"
>   */
>  #define LENOVO_SET_BIOS_SETTING_CERT_GUID  "34A008CC-D205-4B62-9E67-31DFA8B90003"
> +#define LENOVO_TC_SET_BIOS_SETTING_CERT_GUID  "19ecba3b-b318-4192-a89b-43d94bc60cea"
>  
>  /*
>   * Name: SaveBiosSettingCert
> @@ -161,6 +167,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>   * Format: "Signature"
>   */
>  #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
> +#define LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID "0afaf46f-7cca-450a-b455-a826a0bf1af5"
>  
>  /*
>   * Name: CertThumbprint
> @@ -197,6 +204,16 @@ static struct tlmi_cert_guids thinkpad_cert_guid = {
>  	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
>  };
>  
> +static struct tlmi_cert_guids thinkcenter_cert_guid = {
> +	.thumbprint = NULL,
> +	.set_bios_setting = LENOVO_TC_SET_BIOS_SETTING_CERT_GUID,
> +	.save_bios_setting = LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID,
> +	.cert_to_password = LENOVO_TC_CERT_TO_PASSWORD_GUID,
> +	.clear_bios_cert = LENOVO_TC_CLEAR_BIOS_CERT_GUID,
> +	.update_bios_cert = LENOVO_TC_UPDATE_BIOS_CERT_GUID,
> +	.set_bios_cert = LENOVO_TC_SET_BIOS_CERT_GUID,
> +};
> +
>  static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
>  
>  static const struct tlmi_err_codes tlmi_errs[] = {
> @@ -690,6 +707,9 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
>  	const union acpi_object *obj;
>  	acpi_status status;
>  
> +	if (!cert_guid->thumbprint)
> +		return -EOPNOTSUPP;
> +
>  	status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
>  	if (ACPI_FAILURE(status)) {
>  		kfree(output.pointer);
> @@ -868,8 +888,16 @@ static ssize_t certificate_store(struct kobject *kobj,
>  			return -EACCES;
>  		}
>  		guid = cert_guid->set_bios_cert;
> -		/* Format: 'Certificate, password' */
> -		auth_str = cert_command(setting, new_cert, setting->password);
> +		if (tlmi_priv.thinkcenter_mode) {
> +			/* Format: 'Certificate, password, encoding, kbdlang' */
> +			auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s", new_cert,
> +					     setting->password,
> +					     encoding_options[setting->encoding],
> +					     setting->kbdlang);
> +		} else {
> +			/* Format: 'Certificate, password' */
> +			auth_str = cert_command(setting, new_cert, setting->password);
> +		}
>  	}
>  	kfree(new_cert);
>  	if (!auth_str)
> @@ -1605,6 +1633,16 @@ static int tlmi_analyze(struct wmi_device *wdev)
>  		wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
>  		tlmi_priv.certificate_support = true;
>  
> +	/* ThinkCenter uses different GUIDs for certificate support */
> +	if (wmi_has_guid(LENOVO_TC_SET_BIOS_CERT_GUID) &&
> +	    wmi_has_guid(LENOVO_TC_SET_BIOS_SETTING_CERT_GUID) &&
> +	    wmi_has_guid(LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID)) {
> +		tlmi_priv.certificate_support = true;
> +		tlmi_priv.thinkcenter_mode = true;
> +		cert_guid = &thinkcenter_cert_guid;

Now that this code is more readable :-), I started to wonder why this 
pointer wasn't placed into tlmi_priv?

--
 i.

> +		pr_info("ThinkCenter modified support being used\n");
> +	}
> +
>  	/*
>  	 * Try to find the number of valid settings of this machine
>  	 * and use it to create sysfs attributes.
> @@ -1750,10 +1788,14 @@ static int tlmi_analyze(struct wmi_device *wdev)
>  	}
>  
>  	if (tlmi_priv.certificate_support) {
> -		tlmi_priv.pwd_admin->cert_installed =
> -			tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
> -		tlmi_priv.pwd_system->cert_installed =
> -			tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
> +		if (tlmi_priv.thinkcenter_mode) {
> +			tlmi_priv.pwd_admin->cert_installed = tlmi_priv.pwdcfg.core.password_mode;
> +		} else {
> +			tlmi_priv.pwd_admin->cert_installed =
> +				tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SVC;
> +			tlmi_priv.pwd_system->cert_installed =
> +				tlmi_priv.pwdcfg.core.password_state & TLMI_CERT_SMC;
> +		}
>  	}
>  	return 0;
>  
> diff --git a/drivers/platform/x86/lenovo/think-lmi.h b/drivers/platform/x86/lenovo/think-lmi.h
> index 9b014644d316..c805ee312539 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.h
> +++ b/drivers/platform/x86/lenovo/think-lmi.h
> @@ -109,6 +109,7 @@ struct think_lmi {
>  	enum save_mode save_mode;
>  	bool save_required;
>  	bool reboot_required;
> +	bool thinkcenter_mode;
>  
>  	struct tlmi_attr_setting *setting[TLMI_SETTINGS_COUNT];
>  	struct device *class_dev;
> 

Re: [PATCH v3 1/3] platform/x86: think-lmi: Add certificate GUID structure

[Ilpo Järvinen]

[-- Attachment #1: Type: text/plain, Size: 2062 bytes --]

On Mon, 25 Aug 2025, Mark Pearson wrote:

> Add a certificate GUID structure to make it easier to add different
> options for other platforms that need different GUIDs.
> 
> Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
> ---
> Changes in v2:
>  - split patch up into series
> Changes in v3:
>  - add field details to thinkpad_cert_guid declare.
>  - add missing comma
>  - Move null thumbprint GUID check to later in series
> 
>  drivers/platform/x86/lenovo/think-lmi.c | 38 +++++++++++++++++++------
>  1 file changed, 30 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
> index 0992b41b6221..a22d25f6d3c6 100644
> --- a/drivers/platform/x86/lenovo/think-lmi.c
> +++ b/drivers/platform/x86/lenovo/think-lmi.c
> @@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>  #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
>  #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
>  
> +struct tlmi_cert_guids {
> +	char *thumbprint;
> +	char *set_bios_setting;
> +	char *save_bios_setting;
> +	char *cert_to_password;
> +	char *clear_bios_cert;
> +	char *update_bios_cert;
> +	char *set_bios_cert;

const char

> +};
> +
> +static struct tlmi_cert_guids thinkpad_cert_guid = {

These are not supposed to be altered, right? If so, this should be const 
then.

> +	.thumbprint = LENOVO_CERT_THUMBPRINT_GUID,
> +	.set_bios_setting = LENOVO_SET_BIOS_SETTING_CERT_GUID,
> +	.save_bios_setting = LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
> +	.cert_to_password = LENOVO_CERT_TO_PASSWORD_GUID,
> +	.clear_bios_cert = LENOVO_CLEAR_BIOS_CERT_GUID,
> +	.update_bios_cert = LENOVO_UPDATE_BIOS_CERT_GUID,
> +	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
> +};
> +
> +static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;

const here as well. Please also note my comment on placement of this in 
patch 2.

-- 
 i.

Re: [PATCH v3 2/3] platform/x86: think-lmi: Certificate support for ThinkCenter

[Mark Pearson]

Hi Ilpo,

On Thu, Aug 28, 2025, at 6:46 AM, Ilpo Järvinen wrote:
> On Mon, 25 Aug 2025, Mark Pearson wrote:
>
>> ThinkCenter platforms use a different set of GUIDs along with some
>> differences in implementation details for their support of
>> certificate based authentication.
>> 
>> Update the think-lmi driver to work correctly on these platforms.
>> 
>> Tested on M75q Gen 5.
>> 
>> Signed-off-by: Kean Ren <kean0048@gmail.com>
>> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
>> ---
>> Changes in v2:
>>  - split patch up into series
>> Changes in v3:
>>  - Move check for no thumbprint GUID to this patch
>>  - Add structure fields and missing comma
>> 
>>  drivers/platform/x86/lenovo/think-lmi.c | 54 ++++++++++++++++++++++---
>>  drivers/platform/x86/lenovo/think-lmi.h |  1 +
>>  2 files changed, 49 insertions(+), 6 deletions(-)
>> 
>> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
>> index a22d25f6d3c6..3a1cec4625e5 100644
>> --- a/drivers/platform/x86/lenovo/think-lmi.c
>> +++ b/drivers/platform/x86/lenovo/think-lmi.c
>> @@ -119,6 +119,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_SET_BIOS_CERT_GUID    "26861C9F-47E9-44C4-BD8B-DFE7FA2610FE"
>> +#define LENOVO_TC_SET_BIOS_CERT_GUID "955aaf7d-8bc4-4f04-90aa-97469512f167"
>>  
>>  /*
>>   * Name: UpdateBiosCert
>> @@ -128,6 +129,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_UPDATE_BIOS_CERT_GUID "9AA3180A-9750-41F7-B9F7-D5D3B1BAC3CE"
>> +#define LENOVO_TC_UPDATE_BIOS_CERT_GUID "5f5bbbb2-c72f-4fb8-8129-228eef4fdbed"
>>  
>>  /*
>>   * Name: ClearBiosCert
>> @@ -137,6 +139,8 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_CLEAR_BIOS_CERT_GUID  "B2BC39A7-78DD-4D71-B059-A510DEC44890"
>> +#define LENOVO_TC_CLEAR_BIOS_CERT_GUID  "97849cb6-cb44-42d1-a750-26a596a9eec4"
>> +
>>  /*
>>   * Name: CertToPassword
>>   * Description: Switch from certificate to password authentication.
>> @@ -145,6 +149,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * You must reboot the computer before the changes will take effect.
>>   */
>>  #define LENOVO_CERT_TO_PASSWORD_GUID "0DE8590D-5510-4044-9621-77C227F5A70D"
>> +#define LENOVO_TC_CERT_TO_PASSWORD_GUID "ef65480d-38c9-420d-b700-ab3d6c8ebaca"
>>  
>>  /*
>>   * Name: SetBiosSettingCert
>> @@ -153,6 +158,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * Format: "Item,Value,Signature"
>>   */
>>  #define LENOVO_SET_BIOS_SETTING_CERT_GUID  "34A008CC-D205-4B62-9E67-31DFA8B90003"
>> +#define LENOVO_TC_SET_BIOS_SETTING_CERT_GUID  "19ecba3b-b318-4192-a89b-43d94bc60cea"
>>  
>>  /*
>>   * Name: SaveBiosSettingCert
>> @@ -161,6 +167,7 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>   * Format: "Signature"
>>   */
>>  #define LENOVO_SAVE_BIOS_SETTING_CERT_GUID "C050FB9D-DF5F-4606-B066-9EFC401B2551"
>> +#define LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID "0afaf46f-7cca-450a-b455-a826a0bf1af5"
>>  
>>  /*
>>   * Name: CertThumbprint
>> @@ -197,6 +204,16 @@ static struct tlmi_cert_guids thinkpad_cert_guid = {
>>  	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
>>  };
>>  
>> +static struct tlmi_cert_guids thinkcenter_cert_guid = {
>> +	.thumbprint = NULL,
>> +	.set_bios_setting = LENOVO_TC_SET_BIOS_SETTING_CERT_GUID,
>> +	.save_bios_setting = LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID,
>> +	.cert_to_password = LENOVO_TC_CERT_TO_PASSWORD_GUID,
>> +	.clear_bios_cert = LENOVO_TC_CLEAR_BIOS_CERT_GUID,
>> +	.update_bios_cert = LENOVO_TC_UPDATE_BIOS_CERT_GUID,
>> +	.set_bios_cert = LENOVO_TC_SET_BIOS_CERT_GUID,
>> +};
>> +
>>  static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
>>  
>>  static const struct tlmi_err_codes tlmi_errs[] = {
>> @@ -690,6 +707,9 @@ static ssize_t cert_thumbprint(char *buf, const char *arg, int count)
>>  	const union acpi_object *obj;
>>  	acpi_status status;
>>  
>> +	if (!cert_guid->thumbprint)
>> +		return -EOPNOTSUPP;
>> +
>>  	status = wmi_evaluate_method(cert_guid->thumbprint, 0, 0, &input, &output);
>>  	if (ACPI_FAILURE(status)) {
>>  		kfree(output.pointer);
>> @@ -868,8 +888,16 @@ static ssize_t certificate_store(struct kobject *kobj,
>>  			return -EACCES;
>>  		}
>>  		guid = cert_guid->set_bios_cert;
>> -		/* Format: 'Certificate, password' */
>> -		auth_str = cert_command(setting, new_cert, setting->password);
>> +		if (tlmi_priv.thinkcenter_mode) {
>> +			/* Format: 'Certificate, password, encoding, kbdlang' */
>> +			auth_str = kasprintf(GFP_KERNEL, "%s,%s,%s,%s", new_cert,
>> +					     setting->password,
>> +					     encoding_options[setting->encoding],
>> +					     setting->kbdlang);
>> +		} else {
>> +			/* Format: 'Certificate, password' */
>> +			auth_str = cert_command(setting, new_cert, setting->password);
>> +		}
>>  	}
>>  	kfree(new_cert);
>>  	if (!auth_str)
>> @@ -1605,6 +1633,16 @@ static int tlmi_analyze(struct wmi_device *wdev)
>>  		wmi_has_guid(LENOVO_SAVE_BIOS_SETTING_CERT_GUID))
>>  		tlmi_priv.certificate_support = true;
>>  
>> +	/* ThinkCenter uses different GUIDs for certificate support */
>> +	if (wmi_has_guid(LENOVO_TC_SET_BIOS_CERT_GUID) &&
>> +	    wmi_has_guid(LENOVO_TC_SET_BIOS_SETTING_CERT_GUID) &&
>> +	    wmi_has_guid(LENOVO_TC_SAVE_BIOS_SETTING_CERT_GUID)) {
>> +		tlmi_priv.certificate_support = true;
>> +		tlmi_priv.thinkcenter_mode = true;
>> +		cert_guid = &thinkcenter_cert_guid;
>
> Now that this code is more readable :-), I started to wonder why this 
> pointer wasn't placed into tlmi_priv?
>
I never thought of it. It would be a better place for it.
Will add in v4.

Mark

Re: [PATCH v3 1/3] platform/x86: think-lmi: Add certificate GUID structure

[Mark Pearson]

On Thu, Aug 28, 2025, at 6:50 AM, Ilpo Järvinen wrote:
> On Mon, 25 Aug 2025, Mark Pearson wrote:
>
>> Add a certificate GUID structure to make it easier to add different
>> options for other platforms that need different GUIDs.
>> 
>> Suggested-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
>> Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
>> ---
>> Changes in v2:
>>  - split patch up into series
>> Changes in v3:
>>  - add field details to thinkpad_cert_guid declare.
>>  - add missing comma
>>  - Move null thumbprint GUID check to later in series
>> 
>>  drivers/platform/x86/lenovo/think-lmi.c | 38 +++++++++++++++++++------
>>  1 file changed, 30 insertions(+), 8 deletions(-)
>> 
>> diff --git a/drivers/platform/x86/lenovo/think-lmi.c b/drivers/platform/x86/lenovo/think-lmi.c
>> index 0992b41b6221..a22d25f6d3c6 100644
>> --- a/drivers/platform/x86/lenovo/think-lmi.c
>> +++ b/drivers/platform/x86/lenovo/think-lmi.c
>> @@ -177,6 +177,28 @@ MODULE_PARM_DESC(debug_support, "Enable debug command support");
>>  #define TLMI_CERT_SVC BIT(7) /* Admin Certificate Based */
>>  #define TLMI_CERT_SMC BIT(8) /* System Certificate Based */
>>  
>> +struct tlmi_cert_guids {
>> +	char *thumbprint;
>> +	char *set_bios_setting;
>> +	char *save_bios_setting;
>> +	char *cert_to_password;
>> +	char *clear_bios_cert;
>> +	char *update_bios_cert;
>> +	char *set_bios_cert;
>
> const char
>
yep.

>> +};
>> +
>> +static struct tlmi_cert_guids thinkpad_cert_guid = {
>
> These are not supposed to be altered, right? If so, this should be const 
> then.
>
Weird...I could have sworn I made it a const. I'll fix

>> +	.thumbprint = LENOVO_CERT_THUMBPRINT_GUID,
>> +	.set_bios_setting = LENOVO_SET_BIOS_SETTING_CERT_GUID,
>> +	.save_bios_setting = LENOVO_SAVE_BIOS_SETTING_CERT_GUID,
>> +	.cert_to_password = LENOVO_CERT_TO_PASSWORD_GUID,
>> +	.clear_bios_cert = LENOVO_CLEAR_BIOS_CERT_GUID,
>> +	.update_bios_cert = LENOVO_UPDATE_BIOS_CERT_GUID,
>> +	.set_bios_cert = LENOVO_SET_BIOS_CERT_GUID,
>> +};
>> +
>> +static struct tlmi_cert_guids *cert_guid = &thinkpad_cert_guid;
>
> const here as well. Please also note my comment on placement of this in 
> patch 2.

Ack.

Thanks for the review
Mark