Age | Commit message | Author | Files | Lines |
|
Configure special user with null password when entering manufacturing
mode and special user password is in disabled state.
Note: This feature is under VALIDATION_UNSECURE flag, and hence
will be available for reference only image.
Tested:
1. Built the image without debug-tweaks and flashed the same
2. Confirmed that root user is not enabled during regular boot
3. Pressed power button for 15 seconds during AC Cycle, and
entered manufacturing mode
4. Able to login to root user with no password and
updated the password to new one, due to enforcement
5. Verified upon rebooting, the newly configured password can be
used to login to the serial console.
6. Entered Manufacturing mode again, to make sure root user
password is not set to null again as it is already configured.
Change-Id: I6aab8713a7c4d7d75b63b1b58ee063b09d9db990
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Configure special user with default password 0penBmc1, when
the root user is not set with any password, and mark the
password as expired, so that it will be forced to update on
first login. This method can be used when Host interface is
not available and we still need to enable root user.
Note: This feature is under VALIDATION_UNSECURE flag, and hence
will be available for reference only image.
Tested:
1. Built the image without debug-tweaks and flashed the same
2. Confirmed that root user is not enabled during regular boot
3. Pressed power button for 15 seconds during AC Cycle, and
entered manufacturing mode
4. Able to login to root user with password "0penBmc1" and
updated the password to the new one, due to force password update
5. Verified upon rebooting, the newly configured password can be
used to login to the serial console
Change-Id: I53e68ebbe24110a116816a29fe1bf5b3142b8bc2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Ignore timer handler, when we are in validation unsecure
mode, and reside in validation unsecure mode itself.
i.e. Validation unsecure must be persistent and must not be
reset based on a timer, which will get activated when we
execute manufacturing command.
Tested:
1. Verified the Get Security mode command, ipmitool raw 0x30 0xB3
and saw no changes in validation unsecure mode after mfg command
execution, and after 15 minutes timeout.
Change-Id: Ifb338e13bf3f0a923bc488284cced8448043a2e5
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Updated special-mode-mgr service to expose the property as
per the D-Bus interface SpecialMode in the community
Tested:
1. Verified that manufacturing mode entered as per 15 second power
button press during AC cycle
2. Verified that expired based on timeout or restriction mode property
change
3. Verified validation unsecure features works as expected
Change-Id: I87b67424f657a1a19545b4dc18a80a2fddf8ee44
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Support added for validation unsecure mode under compile flag
which will be enabled only with debug-tweaks. Default is disabled.
Tested:
Along with intel-ipmi-oem changes for set security mode command
1. Verified that system goes to validation unsecure mode
as per the Set Security Mode command.
2. Able to execute all the manufacturing mode command in this state
3. Mode preserved during reboot and not in reset to defaults
Change-Id: Ice33d2c02ac8c0c0276ba16651f8acbd3d5b8cd4
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Support added to log events for mfg mode, which can
be viewed using Redfish event log entries.
This will indicate, whenever manufacturing mode
is entered or exited.
Tested:
Tested the same with up-stream message entry review
https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/25687/
1. Redfish validator - passed for this new addition
2. Log will be as below (for both tampering and normalized)
{
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/317",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:05:17+00:00",
  "EntryType": "Event",
  "Id": "317",
  "Message": "Entered Manufacturing Mode",
  "MessageArgs": [],
  "MessageId": "OpenBMC.0.1.ManufacturingModeEntered",
  "Name": "System Event Log Entry",
  "Severity": "Critical"
},
{
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/899",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:14:59+00:00",
  "EntryType": "Event",
  "Id": "899",
  "Message": "Exited Manufacturing Mode",
  "MessageArgs": [],
  "MessageId": "OpenBMC.0.1.ManufacturingModeExited",
  "Name": "System Event Log Entry",
  "Severity": "OK"
}
Change-Id: I417e5bd2e179592e1be0083eeb8759e348554bff
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
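Added example (not part of the commit above or of the special-mode-mgr code): a monitoring-side check that pairs the ManufacturingModeEntered / ManufacturingModeExited entries shown in that commit into windows and flags ones with no logged exit or lasting longer than the 15-minute timeout mentioned elsewhere in this log. The sample entries are constructed, trimmed to three fields; the function name, finding labels and the unrelated MessageId are assumptions.

```python
from datetime import datetime, timedelta

ENTERED = "OpenBMC.0.1.ManufacturingModeEntered"
EXITED = "OpenBMC.0.1.ManufacturingModeExited"
TIMEOUT = timedelta(minutes=15)  # manufacturing-mode timeout quoted in this log

# Constructed sample entries modelled on the Redfish LogEntry objects above.
SAMPLE = [
    {"Id": "317", "Created": "1970-01-01T00:05:17+00:00", "MessageId": ENTERED},
    {"Id": "899", "Created": "1970-01-01T00:14:59+00:00", "MessageId": EXITED},
    {"Id": "950", "Created": "1970-01-01T01:00:00+00:00", "MessageId": ENTERED},
    # Placeholder for any unrelated event; this MessageId is made up.
    {"Id": "951", "Created": "1970-01-01T01:00:05+00:00", "MessageId": "Example.0.1.Unrelated"},
    {"Id": "990", "Created": "1970-01-01T01:40:00+00:00", "MessageId": EXITED},
    {"Id": "1200", "Created": "1970-01-01T03:00:00+00:00", "MessageId": ENTERED},
]


def _window(start_id, end_id, seconds, finding):
    return {"start": start_id, "end": end_id, "seconds": seconds, "finding": finding}


def mfg_windows(entries):
    """Pair Entered/Exited events in time order and attach a finding to each."""
    def created(e):
        return datetime.fromisoformat(e["Created"])

    windows, open_entry = [], None
    for e in sorted(entries, key=created):
        if e["MessageId"] == ENTERED:
            if open_entry is not None:  # re-entered with no exit in between
                windows.append(_window(open_entry["Id"], None, None, "no-exit-logged"))
            open_entry = e
        elif e["MessageId"] == EXITED:
            if open_entry is None:  # exit whose entry is missing from the log
                windows.append(_window(None, e["Id"], None, "exit-without-entry"))
                continue
            dur = created(e) - created(open_entry)
            # Longer than the timeout means the timer was extended mid-window.
            finding = "extended-past-timeout" if dur > TIMEOUT else "ok"
            windows.append(_window(open_entry["Id"], e["Id"], int(dur.total_seconds()), finding))
            open_entry = None
    if open_entry is not None:  # log ends while the mode is still active
        windows.append(_window(open_entry["Id"], None, None, "no-exit-logged"))
    return windows


if __name__ == "__main__":
    for w in mfg_windows(SAMPLE):
        print(w)
```
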
|
Special mode mgr was using lowerCamelCase for its path
which is not used as per our standard, hence converted
the same with '_' usage. special_mode is the new suffixed
path now.
Tested:
1. Verified by executing manufacturing mode command
by entering to manufacturing mode.
Change-Id: I837296b20f93ee76440bf31d29d0391557cf956f
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
As per the manufacturing EAS document 0.7, updated timeout
for manufacturing mode from 12 hours to 15 minutes. Added
support for ResetTimer method, which will be used by all
manufacturing commands to extend the timer for next 15 minutes.
Tested:
1. Entered manufacturing mode, and verified that mode
expires after 15 minutes of power on
2. Entered manufacturing mode, executed ResetTimer()
method and verified timer got expired and BMC was in
manufacturing mode itself.
Change-Id: Ieb785b4a59d914548909d422415584ccd94c6ccc
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Update special mode manager daemon to rely on InterfacesAdded
signal too from RestrictionMode daemon, instead of using
mapper-wait alone. In this way, the value will always be updated
correctly, and can get rid of mapper-wait.
Tested:
1. Verified that special mode mgr is started as expected
2. Verified special mode mgr, reflect manufacturing mode as
expected when pressed power button for 8 seconds, during AC cycle
3. Verified special mode mgr value gets expired when provisioning
mode is updated to any value other than provisioning.
Change-Id: I1ae8a1f0a274019970986c6321c2807b9a08d545
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
special mode mgr should rollback the state once RestrictionMode
property is updated to value other than provisioning.
Tested:
Verified setting the restriction mode property to a value
other than provisioning.
Special mode value is set to manufacturing expired.
Change-Id: I32f810196e25fe2e3955eb16939caa2fb8611f86
Signed-off-by: Ayushi Smriti <smriti.ayushi@intel.com>
|
|
1. AC failure bit is read from command line parameter, and hence
the old code which reads it from PFail property is not
applicable anymore and removed.
2. Enabled special mode manager service.
Tested:
1. Made sure after boot special-mode-mgr service is working
fine without crashing
2. Able to reflect the special-mode-mgr mode properties
as expected
Change-Id: I0a369bf4db63fa3cb22650a457f5dc6bd4300823
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Instead of reading PFail as a DBus property, this change gets the
AC boot status directly from the resetreason parameter on the
command line.
Change-Id: I1f8225c334e0c48c4b4feb1116f8fecd0fb3e49d
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
|
|
Updated the typo in service name of special mode manager.
Tested:
1. Verified that it loads with proper service name without
typo.
Change-Id: If8eb03ffd66a505389834a0f773b52bfd73956c2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Due to recent changes in Power related properties, PFail
property has been removed, which was causing special
mode mgr to crash. Disable the service till the review
to fix the PFail is merged.
Tested:
Verified that special-mode-mgr service is not started
Change-Id: I9c9744ad37aec6eb83cacfab335b0e772e6d4143
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
|
Power control no longer has these interfaces.
Tested: No longer waits
Change-Id: I314a6011a528b411a1032c8385b15228f3402666
Signed-off-by: James Feist <james.feist@linux.intel.com>
|
|
Daemon to detect and expose the manufacturing mode is
implemented. Applications like IPMI will use this to
determine, whether manufacturing commands can be executed or
not.
Tested:
Note: As this daemon can't be used by user, tested it using busctl
1. Verified that busctl introspect exposes the SpecialMode
property correctly based on 1. u-boot power button press during
AC cycle, 2. Provisioning mode 3. PFail 4. uptime < 12hours
2. Verified timeout happens and updates the specialMode
property value to 0.
Change-Id: I61cd824202ca7996d0993d8c9fa1d66812c6a5ef
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|