JadePkg: Add RedfishPlatformCredentialLib library instance

Platform specific implementation of acquiring credential to access to Redfish service. This was cloned from EmulatorPkg with modifications to retrieve Redfish bootstrap account through IPMI. Signed-off-by: Vu Nguyen <Vu@amperecomputing.com>
AmpereComputing · Jun 30, 2021 · ba7bfd9 · ba7bfd9
1 parent f758c09
commit ba7bfd9
Show file tree

Hide file tree

Showing 4 changed files with 374 additions and 0 deletions.
diff --git a/Platform/Ampere/JadePkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c b/Platform/Ampere/JadePkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.c
@@ -0,0 +1,281 @@
+/** @file
+  RedfishPlatformCredentialLib instance
+
+  (C) Copyright 2020 Hewlett Packard Enterprise Development LP<BR>
+  Copyright (c) 2021, Ampere Computing LLC. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+#include <IndustryStandard/IpmiNetFnGroupExtension.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/IpmiLib.h>
+#include <Library/IpmiCommandLibExt.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiLib.h>
+
+#include <Protocol/EdkIIRedfishCredential.h>
+
+#include <Guid/GlobalVariable.h>
+#include <Guid/ImageAuthentication.h>
+
+BOOLEAN mSecureBootDisabled = FALSE;
+BOOLEAN mStopRedfishService = FALSE;
+
+EFI_STATUS
+EFIAPI
+LibStopRedfishService (
+  IN EDKII_REDFISH_CREDENTIAL_PROTOCOL          *This,
+  IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType
+);
+
+/**
+  Return the credential for accessing to Redfish service.
+
+  @param[out]  AuthMethod     The authentication method.
+  @param[out]  UserId         User ID.
+  @param[out]  Password       USer password.
+
+  @retval EFI_SUCCESS              Get the authentication information successfully.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources.
+
+**/
+EFI_STATUS
+GetRedfishCredential (
+  OUT EDKII_REDFISH_AUTH_METHOD *AuthMethod,
+  OUT CHAR8                     **UserId,
+  OUT CHAR8                     **Password
+  )
+{
+  EFI_STATUS                                      Status;
+  IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS_REQUEST  GetAccountRequest;
+  IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS_RESPONSE GetAccountResponse;
+  UINT32                                          DataSize;
+  UINTN                                           UserIdSize;
+  UINTN                                           PasswordSize;
+
+  //
+  // AuthMethod set to HTTP Basic authentication.
+  //
+  *AuthMethod = AuthMethodHttpBasic;
+
+  //
+  // User ID and Password.
+  //
+  GetAccountRequest.GroupExtensionId = IPMI_GET_ACCOUNT_DEFAULT_GROUP;
+  GetAccountRequest.DisableCredentialControl = IPMI_GET_ACCOUNT_KEEP_BOOTSTRAP_ENABLE;
+  DataSize = sizeof (GetAccountResponse);
+  Status = IpmiSubmitCommand (
+             IPMI_NETFN_GROUP_EXT,
+             IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS,
+             (VOID *)&GetAccountRequest,
+             sizeof (GetAccountRequest),
+             (VOID *)&GetAccountResponse,
+             &DataSize
+             );
+
+  if (!EFI_ERROR (Status)
+      && GetAccountResponse.CompletionCode == IPMI_COMP_CODE_NORMAL
+      && GetAccountResponse.GroupExtensionId == IPMI_GET_ACCOUNT_DEFAULT_GROUP)
+  {
+    *UserId = AllocateZeroPool (IPMI_BOOTSTRAP_MAX_STRING_SIZE + 1); // Plus one more space for NULL terminator
+    if (*UserId == NULL) {
+      return EFI_OUT_OF_RESOURCES;
+    }
+    CopyMem (*UserId, (VOID *)GetAccountResponse.UserName, IPMI_BOOTSTRAP_MAX_STRING_SIZE);
+
+    *Password = AllocateZeroPool (IPMI_BOOTSTRAP_MAX_STRING_SIZE + 1); // Plus one more space for NULL terminator
+    if (*Password == NULL) {
+      FreePool (*UserId);
+      return EFI_OUT_OF_RESOURCES;
+    }
+    CopyMem (*Password, (VOID *)GetAccountResponse.Password, IPMI_BOOTSTRAP_MAX_STRING_SIZE);
+  } else {
+    UserIdSize   = AsciiStrSize ((CHAR8 *)PcdGetPtr (PcdRedfishServiceUserId));
+    PasswordSize = AsciiStrSize ((CHAR8 *)PcdGetPtr (PcdRedfishServicePassword));
+
+    if (UserIdSize == 0 || PasswordSize == 0) {
+      DEBUG ((DEBUG_ERROR, "Incorrect string of UserID or Password for Redfish service.\n"));
+      return EFI_INVALID_PARAMETER;
+    }
+    *UserId = AllocateZeroPool (UserIdSize);
+    if (*UserId == NULL) {
+      return EFI_OUT_OF_RESOURCES;
+    }
+    CopyMem (*UserId, (CHAR8 *)PcdGetPtr (PcdRedfishServiceUserId), UserIdSize);
+
+    *Password = AllocateZeroPool (PasswordSize);
+    if (*Password == NULL) {
+      FreePool (*UserId);
+      return EFI_OUT_OF_RESOURCES;
+    }
+
+    CopyMem (*Password, (CHAR8 *)PcdGetPtr (PcdRedfishServicePassword), PasswordSize);
+  }
+  return EFI_SUCCESS;
+}
+
+/**
+  Retrieve platform's Redfish authentication information.
+
+  This functions returns the Redfish authentication method together with the user Id and
+  password.
+  - For AuthMethodNone, the UserId and Password could be used for HTTP header authentication
+    as defined by RFC7235.
+  - For AuthMethodRedfishSession, the UserId and Password could be used for Redfish
+    session login as defined by  Redfish API specification (DSP0266).
+
+  Callers are responsible for and freeing the returned string storage.
+
+  @param[in]   This                Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL instance.
+  @param[out]  AuthMethod          Type of Redfish authentication method.
+  @param[out]  UserId              The pointer to store the returned UserId string.
+  @param[out]  Password            The pointer to store the returned Password string.
+
+  @retval EFI_SUCCESS              Get the authentication information successfully.
+  @retval EFI_ACCESS_DENIED        SecureBoot is disabled after EndOfDxe.
+  @retval EFI_INVALID_PARAMETER    This or AuthMethod or UserId or Password is NULL.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources.
+  @retval EFI_UNSUPPORTED          Unsupported authentication method is found.
+
+**/
+EFI_STATUS
+EFIAPI
+LibCredentialGetAuthInfo (
+  IN  EDKII_REDFISH_CREDENTIAL_PROTOCOL  *This,
+  OUT EDKII_REDFISH_AUTH_METHOD          *AuthMethod,
+  OUT CHAR8                              **UserId,
+  OUT CHAR8                              **Password
+  )
+{
+  EFI_STATUS                   Status;
+
+  if (This == NULL
+      || AuthMethod == NULL
+      || UserId == NULL
+      || Password == NULL)
+  {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (mStopRedfishService) {
+    return EFI_ACCESS_DENIED;
+  }
+
+  if (mSecureBootDisabled) {
+    Status = LibStopRedfishService (This, ServiceStopTypeSecureBootDisabled);
+    if (EFI_ERROR (Status) && Status != EFI_UNSUPPORTED) {
+      DEBUG ((DEBUG_ERROR, "SecureBoot has been disabled, but failed to stop RedfishService - %r\n", Status));
+      return Status;
+    }
+  }
+
+  Status = GetRedfishCredential (
+             AuthMethod,
+             UserId,
+             Password
+             );
+
+  return Status;
+}
+
+/**
+  Notify the Redfish service to stop provide configuration service to this platform.
+
+  This function should be called when the platfrom is about to leave the safe environment.
+  It will notify the Redfish service provider to abort all logged in session, and prohibit
+  further login with original auth info. GetAuthInfo() will return EFI_UNSUPPORTED once this
+  function is returned.
+
+  @param[in]   This                Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL instance.
+  @param[in]   ServiceStopType     Reason of stopping Redfish service.
+
+  @retval EFI_SUCCESS              Service has been stoped successfully.
+  @retval EFI_INVALID_PARAMETER    This is NULL or given the wrong ServiceStopType.
+  @retval EFI_UNSUPPORTED          Not support to stop Redfish service.
+  @retval Others                   Some error happened.
+
+**/
+EFI_STATUS
+EFIAPI
+LibStopRedfishService (
+  IN EDKII_REDFISH_CREDENTIAL_PROTOCOL          *This,
+  IN EDKII_REDFISH_CREDENTIAL_STOP_SERVICE_TYPE ServiceStopType
+  )
+{
+  if (ServiceStopType >= ServiceStopTypeMax) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (ServiceStopType == ServiceStopTypeSecureBootDisabled) {
+    //
+    // Check platform PCD to determine the action for stopping
+    // Redfish service due to secure boot is disabled.
+    //
+    if (!PcdGetBool (PcdRedfishServiceStopIfSecureBootDisabled)) {
+      return EFI_UNSUPPORTED;
+    } else {
+      mStopRedfishService = TRUE;
+      DEBUG ((DEBUG_INFO, "EFI Redfish service is stopped due to SecureBoot is disabled!!\n"));
+    }
+  } else if (ServiceStopType == ServiceStopTypeExitBootService) {
+    //
+    // Check platform PCD to determine the action for stopping
+    // Redfish service due to exit boot service.
+    //
+    if (PcdGetBool (PcdRedfishServiceStopIfExitbootService)) {
+      return EFI_UNSUPPORTED;
+    } else {
+      mStopRedfishService = TRUE;
+      DEBUG ((DEBUG_INFO, "EFI Redfish service is stopped due to Exit Boot Service!!\n"));
+    }
+  } else {
+    mStopRedfishService = TRUE;
+    DEBUG ((DEBUG_INFO, "EFI Redfish service is stopped without Redfish service stop type!!\n"));
+  }
+  return EFI_SUCCESS;
+}
+
+/**
+  Notification of Exit Boot Service.
+
+  @param[in]  This    Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL.
+**/
+VOID
+EFIAPI
+LibCredentialExitBootServicesNotify (
+  IN  EDKII_REDFISH_CREDENTIAL_PROTOCOL  *This
+  )
+{
+  LibStopRedfishService (This, ServiceStopTypeExitBootService);
+}
+
+/**
+  Notification of End of DXE.
+
+  @param[in]  This    Pointer to EDKII_REDFISH_CREDENTIAL_PROTOCOL.
+**/
+VOID
+EFIAPI
+LibCredentialEndOfDxeNotify (
+  IN  EDKII_REDFISH_CREDENTIAL_PROTOCOL  *This
+  )
+{
+  EFI_STATUS  Status;
+  UINT8       *SecureBootVar;
+
+  //
+  // Check Secure Boot status and lock Redfish service if Secure Boot is disabled.
+  //
+  Status = GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBootVar, NULL);
+  if (EFI_ERROR (Status) || (*SecureBootVar != SECURE_BOOT_MODE_ENABLE)) {
+    //
+    // Secure Boot is disabled
+    //
+    mSecureBootDisabled = TRUE;
+    LibStopRedfishService (This, ServiceStopTypeSecureBootDisabled);
+  }
+}
diff --git a/...form/Ampere/JadePkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.inf b/...form/Ampere/JadePkg/Library/RedfishPlatformCredentialLib/RedfishPlatformCredentialLib.inf
@@ -0,0 +1,47 @@
+## @file
+#
+#  (C) Copyright 2020 Hewlett Packard Enterprise Development LP<BR>
+#  Copyright (c) 2021, Ampere Computing LLC. All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x0001001B
+  BASE_NAME                      = RedfishPlatformCredentialLib
+  FILE_GUID                      = 6C9D3E8D-9999-47D9-98A4-267EAAF67034
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = RedfishPlatformCredentialLib
+
+[Sources]
+  RedfishPlatformCredentialLib.c
+
+[Packages]
+  EmulatorPkg/EmulatorPkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  MdePkg/MdePkg.dec
+  RedfishPkg/RedfishPkg.dec
+  Silicon/Ampere/AmpereSiliconPkg/AmpereSiliconPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  IpmiCommandLibExt
+  IpmiLib
+  PcdLib
+  UefiBootServicesTableLib
+  UefiLib
+
+[Pcd]
+  gAmpereTokenSpaceGuid.PcdRedfishServiceStopIfSecureBootDisabled ## CONSUMES
+  gAmpereTokenSpaceGuid.PcdRedfishServiceStopIfExitbootService    ## CONSUMES
+  gAmpereTokenSpaceGuid.PcdRedfishServiceUserId                   ## CONSUMES
+  gAmpereTokenSpaceGuid.PcdRedfishServicePassword                 ## CONSUMES
+
+[Guids]
+  gEfiGlobalVariableGuid
+
+[Depex]
+  gEfiVariableArchProtocolGuid
diff --git a/Silicon/Ampere/AmpereSiliconPkg/AmpereSiliconPkg.dec b/Silicon/Ampere/AmpereSiliconPkg/AmpereSiliconPkg.dec
@@ -109,6 +109,19 @@
   # Pcie HotPlug reset map
   gAmpereTokenSpaceGuid.gPcieHotPlugGpioResetMap|0x0|UINT8|0xB000000A
 
+  ## Platform level Redfish Service control PCD
+  # These PCDs are used to stop the Redfish sevice when secure boot is disabled
+  # or exit boot service.
+  gAmpereTokenSpaceGuid.PcdRedfishServiceStopIfSecureBootDisabled|TRUE|BOOLEAN|0xB0000010
+  gAmpereTokenSpaceGuid.PcdRedfishServiceStopIfExitbootService|TRUE|BOOLEAN|0xB0000011
+  ##
+  # edk2 Redfish implementation on Emulator package is designed to access
+  # to Redfish simulator.
+  # https://github.com/DMTF/Redfish-Profile-Simulator
+  # The user ID and password are fixed as below.
+  gAmpereTokenSpaceGuid.PcdRedfishServiceUserId|"root"|VOID*|0xB0000012
+  gAmpereTokenSpaceGuid.PcdRedfishServicePassword|"0penBmc"|VOID*|0xB0000013
+
 [PcdsDynamic, PcdsDynamicEx]
   # FRU Chassis Information
   gAmpereTokenSpaceGuid.PcdFruChassisPartNumber|"To be filled by O.E.M.                             "|VOID*|0xB0000021

diff --git a/Silicon/Ampere/AmpereSiliconPkg/Include/Library/IpmiCommandLibExt.h b/Silicon/Ampere/AmpereSiliconPkg/Include/Library/IpmiCommandLibExt.h
@@ -152,5 +152,38 @@ IpmiGetBootFlags (
   OUT IPMI_BOOT_FLAGS_INFO *BootFlags
   );
 
+//
+//  Definitions for Get Bootstrap Account Credentials.
+//  Follow Section 9. Credential bootstrapping via IPMI commands
+//         of Redfish Host Interface Specification v1.3.0
+//
+#define IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS 0x02
+#define IPMI_GET_ACCOUNT_DEFAULT_GROUP         0x52
+#define IPMI_GET_ACCOUNT_KEEP_BOOTSTRAP_ENABLE 0xA5
+#define IPMI_BOOTSTRAP_MAX_STRING_SIZE         16
+
+//
+//  Constants and Structure definitions for "Get Bootstrap Account Credentials" command to follow here
+//
+typedef struct {
+  UINT8  GroupExtensionId;
+  UINT8  DisableCredentialControl;
+} IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS_REQUEST;
+
+typedef struct {
+  UINT8  CompletionCode;
+  UINT8  GroupExtensionId;
+
+  //
+  // The UserName as a UTF-8 string
+  //
+  CHAR8  UserName[IPMI_BOOTSTRAP_MAX_STRING_SIZE];
+
+  //
+  // The Password as a UTF-8 string
+  //
+  CHAR8  Password[IPMI_BOOTSTRAP_MAX_STRING_SIZE];
+} IPMI_GET_BOOTSTRAP_ACCOUNT_CREDENTIALS_RESPONSE;
+
 #pragma pack()
 #endif /* IPMI_COMMAND_LIB_EXT_ */