User Guide for Lenovo models including: ThinkLMI BIOS Setup using Linux WMI

Sugumaran Lacshiminarayanan

15 Jan. 2023 — The purpose of this guide is to explain how to modify BIOS settings and boot order using Linux Management Instrumentation (LMI) through the Lenovo user ...

ThinkLMI - Lenovo BIOS Setup using Linux WMI Deployment Guide
First Edition (January 2023)
© Copyright Lenovo
LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925

Table of Contents
Preface
Overview
  Using ThinkLMI
  Key Benefits
  Supported computers
Typical Usage
  Listing Available BIOS Settings
  Changing BIOS settings
  Changing the Boot Order
  Password Authentication
  Changing an existing BIOS password
Limitations and Notes
Trademarks

Preface
The purpose of this guide is to explain how to modify BIOS settings and the boot order using Linux Management Instrumentation (LMI) through the Lenovo user space interface (ThinkLMI). This guide is intended for skilled IT administrators who are familiar with configuring BIOS settings on computers in their organizations.

If you have suggestions, comments, or questions, please talk to us on our forum! A team of deployment engineers (including the author of this document) is standing by, ready to help with any deployment challenges you are facing: https://forums.lenovo.com/t5/Enterprise-Client-Management/bd-p/sa01_eg

Overview
IT administrators are always looking for easier ways to manage client computer BIOS settings, which include passwords, hardware settings, and the boot order. The Lenovo BIOS LMI interface provides a simplified way to change these settings. Lenovo has developed a BIOS interface that can be manipulated through Linux WMI. The Lenovo BIOS management interface ThinkLMI enables IT administrators to make queries on current BIOS settings, change single settings, change supervisor password and modify the boot order either at client computers or remotely.
Using ThinkLMI
ThinkLMI provides a powerful set of functions, such as query-based information retrieval and event notification, which enables users to manage computers. The Lenovo ThinkLMI interface extends the capabilities of Linux WMI to allow management of BIOS settings. The following illustration shows how ThinkLMI can be used to access Lenovo BIOS Settings.

[Figure: a user command from the CLI or a script reaches the ThinkLMI sysfs interface and the ThinkLMI kernel module in the operating system, which access the Lenovo BIOS interface in the BIOS/hardware layer.]

Key Benefits
The Lenovo BIOS Linux WMI interface provides the following benefits:
· Flexible BIOS configuration, including the ability to change a single BIOS setting or all BIOS settings
· BIOS password management, including updating supervisor passwords and power-on passwords

Supported computers

BIOS setup through ThinkLMI is supported on all Lenovo Linux certified platforms from 2020 onwards. Whilst we expect it to work on older platforms it is unsupported there.
Typical Usage
Using ThinkLMI, the BIOS settings can be configured in the following ways:
· List BIOS settings
· Change BIOS settings
· Change the boot order (sometimes referred to as the startup sequence)
· Change BIOS passwords (supervisor password and power-on password)

Listing Available BIOS Settings

For a list of all available BIOS settings that can be changed through Linux WMI on a specific computer, use the following command.

ls /sys/class/firmware-attributes/thinklmi/attributes

The above command retrieves all the settings available from the BIOS. Part of the output from ThinkPad Z16 Gen 1 is shown below:

ls /sys/class/firmware-attributes/thinklmi/attributes

AbsolutePersistenceModuleActivation
AlarmDate
AlarmDayofWeek
AlarmTime
Allow3rdPartyUEFICA
AlwaysOnUSB
AmdVt
BIOSPasswordAtBootDeviceList
BIOSPasswordAtReboot
...
DataExecutionPrevention
DeviceGuard
EnhancedWindowsBiometricSecurity
ePrivacyLock
FingerprintPasswordAuthentication
FingerprintPreDesktopAuthentication
FingerprintReaderAccess
FingerprintSecurityMode
FnCtrlKeySwap

Sample terminal output

Changing BIOS settings
To change a BIOS setting, use the following command:

echo [value] > /sys/class/firmware-attributes/thinklmi/attributes/[BIOS Setting]/current_value

For example, to change the current value for WakeOnLANDock:

echo Enable > /sys/class/firmware-attributes/thinklmi/attributes/WakeOnLANDock/current_value

Sample terminal input

Note: BIOS settings and values are case sensitive. To find the permitted [value] for a [BIOS Setting], use the following command:

cat /sys/class/firmware-attributes/thinklmi/attributes/[BIOS Setting]/possible_values

For example, to find the possible values of the WakeOnLANDock setting:

cat /sys/class/firmware-attributes/thinklmi/attributes/WakeOnLANDock/possible_values
Disable,Enable

Sample terminal output
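
Because setting names and values are case sensitive, a deployment script can check the requested value against possible_values before it writes current_value. The following is an added example, not part of the Lenovo guide; set_bios_attr and TLMI_ROOT are hypothetical names, and TLMI_ROOT exists only so the function can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example, not Lenovo code. TLMI_ROOT is a hypothetical override used to
# point the function at a constructed test tree; the default is the sysfs path
# from this guide. Writing to the real path requires root.
TLMI_ROOT="${TLMI_ROOT:-/sys/class/firmware-attributes/thinklmi}"

# set_bios_attr NAME VALUE
# Return codes: 0 written (or already set), 2 unknown setting,
#               3 value not listed in possible_values, 4 write rejected.
set_bios_attr() {
    name=$1
    value=$2
    # A setting name is a single path component; refuse anything else.
    case $name in ''|.*|*/*) return 2 ;; esac
    dir="$TLMI_ROOT/attributes/$name"
    [ -f "$dir/current_value" ] || return 2

    # A value may not be empty or contain a list delimiter.
    case $value in ''|*,*|*\;*) return 3 ;; esac
    # Settings without a readable possible_values file are refused.
    allowed=$(cat "$dir/possible_values" 2>/dev/null) || return 3
    # The guide shows a comma-separated list ("Disable,Enable"); ';' is also
    # accepted here, as an assumption about what other kernels may print.
    allowed=$(printf '%s' "$allowed" | tr ';' ',')
    case ",$allowed," in
        *",$value,"*) ;;          # exact, case-sensitive match
        *) return 3 ;;
    esac

    # Skip the firmware write when the setting already has this value.
    [ "$(cat "$dir/current_value")" = "$value" ] && return 0
    printf '%s\n' "$value" > "$dir/current_value" || return 4
}
```

A call such as set_bios_attr WakeOnLANDock enable returns 3 without writing anything, because only Disable and Enable are listed.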

Changing the Boot Order
To change the boot order, use the following steps:

1. Determine the current setting for "BootOrder" by using the following command.

cat /sys/class/firmware-attributes/thinklmi/attributes/BootOrder/current_value

2. Set a new boot order by using the following command.

echo [Boot Order String] > /sys/class/firmware-attributes/thinklmi/attributes/BootOrder/current_value

Specify a new boot order by listing the boot devices in order, separated by colons. Devices that are not specified are excluded from the boot order. In the following example, the CD drive 0 is the first boot device and hard disk drive 0 is the second startup device:

echo ATAPICD0:HDD0 > /sys/class/firmware-attributes/thinklmi/attributes/BootOrder/current_value

Sample terminal output
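
Because devices left out of the string are dropped from the boot order, a script that only wants to move one device to the front should rebuild the full list from the current value. The following is an added example, not part of the Lenovo guide; promote_boot_device and TLMI_ROOT are hypothetical names, and it assumes current_value reads back in the same colon-separated form that is written.

```shell
#!/bin/sh
# Added example, not Lenovo code. TLMI_ROOT is a hypothetical override used to
# point the function at a constructed test tree; the default is the sysfs path
# from this guide.
TLMI_ROOT="${TLMI_ROOT:-/sys/class/firmware-attributes/thinklmi}"

# promote_boot_device DEVICE
# Moves DEVICE to the front of the boot order and keeps every other device in
# its existing relative position, so nothing is silently excluded.
# Return codes: 0 ok, 1 cannot read or write BootOrder,
#               2 DEVICE is not in the current boot order.
promote_boot_device() {
    dev=$1
    # A device name is one list element: not empty, no colon.
    case $dev in ''|*:*) return 2 ;; esac
    f="$TLMI_ROOT/attributes/BootOrder/current_value"
    current=$(cat "$f" 2>/dev/null) || return 1

    # Exact element match, so "HDD" does not match "HDD0".
    case ":$current:" in
        *":$dev:"*) ;;
        *) return 2 ;;
    esac

    # Remaining devices, original order preserved.
    rest=$(printf '%s\n' "$current" | tr ':' '\n' \
           | grep -Fxv -e "$dev" | paste -s -d: -)
    new="$dev${rest:+:$rest}"

    # Nothing to write if the device is already first.
    [ "$new" = "$current" ] && return 0
    printf '%s\n' "$new" > "$f" || return 1
}
```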

Password Authentication
If a Supervisor password has been set, authentication needs to be performed before a BIOS setting can be changed. The following commands perform password authentication.

echo [Password String] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/current_password
echo [Encoding] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/encoding
echo [Keyboard Language] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/kbdlang

Reference the table below for details on each parameter.

| Parameter | Description | Possible selections |
|---|---|---|
| Password String | Current password string | "abc" - raw ascii character; "1e302e" - scancode |
| Encoding | Password string encoding | ascii; scancode |
| Keyboard Language | Keyboard languages | "us" - English US, English UK, Chinese-Traditional, Danish, Dutch, French-Canadian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Spanish-European, Spanish-Latin American, Swiss, Turkish; "fr" - French-European, Belgian; "gr" - German, Czech, Slovak, Slovenian |

If the supervisor password is set as hello, with ascii encoding and the keyboard type is US, the commands below perform the authentication. Once authenticated, it remains valid until the next restart. The default value for Encoding is ascii and for Keyboard Language is US. Set these only if they differ from the default.

echo hello > /sys/class/firmware-attributes/thinklmi/authentication/Admin/current_password
echo ascii > /sys/class/firmware-attributes/thinklmi/authentication/Admin/encoding
echo us > /sys/class/firmware-attributes/thinklmi/authentication/Admin/kbdlang

Sample terminal output

For the [Password Type] values, refer to the table in the next section.
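
Typing the echo command with a literal password leaves the password in the shell history, and putting it in a script leaves it in the script text. The following added example (not part of the Lenovo guide) reads the password from standard input instead and writes it to current_password; tlmi_authenticate and TLMI_ROOT are hypothetical names, and the accepted password types are the ones listed in this guide.

```shell
#!/bin/sh
# Added example, not Lenovo code. TLMI_ROOT is a hypothetical override used to
# point the function at a constructed test tree; the default is the sysfs path
# from this guide.
TLMI_ROOT="${TLMI_ROOT:-/sys/class/firmware-attributes/thinklmi}"

# tlmi_authenticate [PASSWORD_TYPE]     (default: Admin)
# Reads one line from stdin, prompting with terminal echo off when stdin is a
# terminal, and writes it to current_password. The password is never typed on
# a command line and never stored in the script.
# Return codes: 0 ok, 2 unknown password type, 3 empty password, 4 write failed.
tlmi_authenticate() {
    ptype=${1:-Admin}
    case $ptype in
        Admin|Power-on|HDD|NVMe|System) ;;   # types listed in this guide
        *) return 2 ;;
    esac
    auth="$TLMI_ROOT/authentication/$ptype"
    [ -d "$auth" ] || return 2

    pw=
    if [ -t 0 ]; then
        printf '%s password: ' "$ptype" >&2
        stty -echo
        IFS= read -r pw || :
        stty echo
        printf '\n' >&2
    else
        # Non-interactive use: password arrives on a pipe or redirected file.
        IFS= read -r pw || :
    fi
    [ -n "$pw" ] || return 3

    rc=0
    # printf is a shell builtin, so the password is not passed as an argument
    # to a separate process.
    printf '%s\n' "$pw" > "$auth/current_password" || rc=4
    unset pw
    return "$rc"
}
```

The encoding and kbdlang files are left at their defaults (ascii, US) here, as the guide recommends when they do not differ.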


Changing an existing BIOS password
To update a password, use the following commands:

echo [Password String] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/current_password
echo [Encoding] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/encoding
echo [Keyboard Language] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/kbdlang
echo [New Password String] > /sys/class/firmware-attributes/thinklmi/authentication/[Password Type]/new_password

Reference the table below for details on each parameter.

| Parameter | Description | Possible selections |
|---|---|---|
| Password | Current password string | "abc" - raw ascii character; "1e302e" - scancode |
| New Password | New password string | "abc" - raw ascii character; "1e302e" - scancode |
| Password type | Password type string | "Admin": Supervisor password; "Power-on": Power-on password; "HDD": Hard Disk Password (*1); "NVMe": NVM password (*1); "System": System Password (*1) |
| Encoding | Password encoding | "ascii"; "scancode" |
| language | Keyboard languages | "us" - English US, English UK, Chinese-Traditional, Danish, Dutch, French-Canadian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Spanish-European, Spanish-Latin American, Swiss, Turkish; "fr" - French-European, Belgian; "gr" - German, Czech, Slovak, Slovenian |

If the supervisor password is set as "hello", the new password is "hello123", the password type is supervisor (i.e. "Admin"), with ascii encoding and the keyboard type is US, the commands below will change the supervisor password. Once authenticated, it remains valid until the next restart.

echo hello > /sys/class/firmware-attributes/thinklmi/authentication/Admin/current_password
echo ascii > /sys/class/firmware-attributes/thinklmi/authentication/Admin/encoding
echo us > /sys/class/firmware-attributes/thinklmi/authentication/Admin/kbdlang
echo hello123 > /sys/class/firmware-attributes/thinklmi/authentication/Admin/new_password

Sample terminal output

Limitations and Notes
1. A password cannot be set using this method when one does not already exist. Passwords can only be updated or cleared.
2. User/Master hard disk password (HDD) type is supported only on ThinkPad Laptops.
3. BIOS settings cannot be changed at the same boot as power-on passwords (POP) and hard disk passwords (HDP). If you want to change BIOS settings, POP and HDP, you must reboot the system after changing each one of them.
4. To remove the power-on password when a supervisor password is set, it must be done in three steps:
   a. Change the supervisor password. If you don't want to change it, specify the same password for both the current and the new parameters, but you must do this step.
   b. Change the power-on password by specifying the current password and a NULL string as the new password.
   c. Reboot the system (do not reboot between steps a and b).
5. Some security-related settings cannot be disabled by ThinkLMI. For example, the following BIOS settings cannot be changed from Enable to Disable:
   a. SecureBoot
   b. SecureRollbackPrevention
   c. PhysicalPresenceForTpmClear
   d. PhysicalPresenceForTpmProvision
6. It is not possible to change the Security Chip Selection (e.g. Discrete TPM or Intel PTT).
7. Note for Discrete TPM: the following values are supported for SecurityChip:
   a. Active
   b. Inactive
   c. Disable
8. Note for Intel PTT: the following values are supported for SecurityChip:
   a. Enable
   b. Disable


Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Lenovo
The Lenovo logo
ThinkPad
Other company, product, or service names may be trademarks or service marks of others.