Skip to main content

syslock command

Use this command to display and configure system lockdown settings.

Syntax:
syslock [-options]
Table 1. syslock options
OptionDescriptionValues
-enEnable or disable system configuration lock function.
Note
Enable with -e option can promote the current inventory as trusted snapshot.
enabled, disabled
-eEnable system configuration lock settings with or without enforcing current inventory into trusted snapshot.
Note
A default value will be set if there is not a -e option.
enabled, disabled
-l [x]List inventory of specific snapshot at index x.The index number xis specified as an integer in the command option.
-mTake manual snapshot. 
-dDescription for manual snapshot.String of up to 32 characters.
-cList inventory difference from trusted snapshot. 
-poSet lockdown policy.
Note
The action will prevent server booting if System Guard is in noncompliant status.
none, osboot, pperm
-cpuSet cpu lockdown.on, off
-dimmSet dimm lockdown.on, off
-pciSet pci lockdown.on, off
-driveSet drive lockdown.on, off
-riserSet riser lockdown.on, off
-bpSet backplane lockdown.on, off
To show current status and snapshot list (trusted and history)
system> syslock
Current status: disabled
Policy: none
cpu: off
dXCC: off
pci: off
drive: off
riser: off
bp: off

No snapshot.

System changes have been detected!
Index In Use Date Description
----- -------- ------------------- ----------------
1 Yes 28/01/2022 15:32:59 Enforced by XCCroot.
2 No 28/01/2022 15:28:16 Boot by BMC.

system> syslock
Current status: disabled
Policy: none
cpu: off
dXCC: off
pci: off
drive: off
riser: off
bp: off

To list inventory of specific snapshot
system> syslock -l 1
Location Component ID Description
--------- -------------- ----------------
To enable/disable function.(enable with passphrase, and/or promote current inventory as trusted snapshot):
system> syslock -en enabled
ok
system> syslock -en disabled
ok
system> syslock -en disabled -p Passw0rd12 -e disabled
ok
To take manual snapshot:
system> syslock -m -d xyz
ok
To list inventory difference from trusted snapshot
System>syslock -c
system configuration changes have been detected:

Difference Location ID Description
-------------- ---------- --------------- ----------------------------------------------------------------
New device Drive 13 S0K2QRYC Drive 13, IBM-ESXS, 300GB 10K 6Gbps SAS 2.5"

To set lockdown policy:
system> syslock -po none/pperm/osboot

To set lockdown components:
system>syslock -cpu <on | off>
system>syslock -dXCC <on | off>
system>syslock -pci <on | off>
system>syslock -drive <on | off>
system>syslock -tpm <on | off>
system>syslock -riser <on | off>
system>syslock -bp <on | off>
system>syslock -board <on | off>
system>syslock -psu <on | off>
system>syslock -fan <on | off>
system>syslock -xccfw <on | off>
system>syslock -uefifw <on | off>