// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
/* Copyright 2020 IBM Corp. */
#include <opal.h>
#include <device.h>
#include "edk2-compat-process.h"
#include "edk2-compat-reset.h"
#include "../secvar.h"
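/*
 * Reset the keystore held in @bank: each of the EDK2-style secure
 * variables (PK, KEK, db, dbx, TS) and the hardware key hash variable
 * (HWKH) that exists in @bank is passed to update_variable_in_bank()
 * with an empty (NULL, 0) value. Variables that are not present in
 * @bank are skipped.
 *
 * The reset stops at the first failing update, so on error the bank may
 * be left partially reset; the caller decides how to recover.
 *
 * @bank: the variable bank to reset
 * Returns 0 on success, otherwise the first non-zero value returned by
 * update_variable_in_bank().
 */
int reset_keystore(struct list_head *bank)
{
	/*
	 * Variables are processed in this order. The key lengths include the
	 * terminating NUL, matching every other find_secvar() call in this
	 * file ("PK" -> 3, "HWKH" -> 5, ...).
	 */
	static const struct {
		const char *name;
		size_t len;
	} reset_vars[] = {
		{ "PK",   sizeof("PK") },
		{ "KEK",  sizeof("KEK") },
		{ "db",   sizeof("db") },
		{ "dbx",  sizeof("dbx") },
		{ "TS",   sizeof("TS") },
		{ "HWKH", sizeof("HWKH") },
	};
	size_t i;

	for (i = 0; i < sizeof(reset_vars) / sizeof(reset_vars[0]); i++) {
		struct secvar *var;
		int rc;

		var = find_secvar(reset_vars[i].name, reset_vars[i].len, bank);
		if (!var)
			continue;

		rc = update_variable_in_bank(var, NULL, 0, bank);
		if (rc)
			return rc;
	}

	return 0;
}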
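/*
 * Append a protected HWKH variable to @bank holding the hardware key hash
 * published by the "ibm,secureboot" device-tree node.
 *
 * The size of the stored copy is taken from the separate
 * "hw-key-hash-size" property; it is not cross-checked here against the
 * actual length of the "hw-key-hash" property.
 *
 * @bank: bank the new variable is appended to
 * Returns OPAL_SUCCESS when the variable was added, OPAL_PERMISSION when
 * the node carries no "hw-key-hash" property, OPAL_NO_MEM when the
 * variable could not be allocated. When the "ibm,secureboot" node is
 * absent the function returns 0 as before (the original wrote this as
 * `return false`, which is the same value as OPAL_SUCCESS), so callers
 * cannot tell "nothing to add" from "added"; verify_hw_key_hash() will
 * fail in that case because no HWKH variable exists.
 */
int add_hw_key_hash(struct list_head *bank)
{
	struct dt_node *secureboot;
	const char *hw_key_hash;
	uint32_t hw_key_hash_size;
	struct secvar *var;

	secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
	if (!secureboot)
		return OPAL_SUCCESS; /* was `return false`: identical value */

	/*
	 * NOTE(review): what dt_prop_get_u32() does when "hw-key-hash-size"
	 * is missing is not visible here — confirm it cannot return garbage.
	 */
	hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");

	hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
	if (!hw_key_hash)
		return OPAL_PERMISSION;

	/* Key length 5 = "HWKH" plus NUL, as the find_secvar() lookups use */
	var = new_secvar("HWKH", 5, hw_key_hash, hw_key_hash_size,
			 SECVAR_FLAG_PROTECTED);
	if (!var)
		return OPAL_NO_MEM; /* previously dereferenced a NULL result */

	list_add_tail(bank, &var->link);

	return OPAL_SUCCESS;
}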
/*
 * Remove the HWKH variable from @bank, if one is present, and release it.
 *
 * @bank: bank to remove the hardware key hash variable from
 * Returns OPAL_SUCCESS in every case, including when @bank holds no HWKH
 * variable.
 */
int delete_hw_key_hash(struct list_head *bank)
{
	struct secvar *hwkh = find_secvar("HWKH", 5, bank);

	/* Nothing stored: treated as already deleted, not as an error */
	if (hwkh == NULL)
		return OPAL_SUCCESS;

	/* Unlink before freeing so the bank never points at released memory */
	list_del(&hwkh->link);
	dealloc_secvar(hwkh);

	return OPAL_SUCCESS;
}
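/*
 * Check that the HWKH variable held in the protected variable_bank matches
 * the hardware key hash published by the "ibm,secureboot" device-tree
 * node.
 *
 * Returns OPAL_SUCCESS on match, OPAL_INTERNAL_ERROR when the device-tree
 * node or its "hw-key-hash" property is missing, OPAL_PERMISSION when the
 * stored variable is missing, has a different length, or differs in
 * content.
 */
int verify_hw_key_hash(void)
{
	struct dt_node *secureboot;
	const char *hw_key_hash;
	uint32_t hw_key_hash_size;
	struct secvar *var;

	secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
	if (!secureboot)
		return OPAL_INTERNAL_ERROR;

	hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
	if (!hw_key_hash)
		return OPAL_INTERNAL_ERROR;

	/* Same property add_hw_key_hash() uses to size the stored copy */
	hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");

	/* This value is from the protected storage */
	var = find_secvar("HWKH", 5, &variable_bank);
	if (!var)
		return OPAL_PERMISSION;

	/*
	 * Require equal lengths before comparing. A memcmp() bounded only by
	 * var->data_size would accept a stored value that is a prefix of the
	 * real hash, and would read past the device-tree property whenever
	 * the stored value is longer than it.
	 */
	if (var->data_size != hw_key_hash_size)
		return OPAL_PERMISSION;

	if (memcmp(hw_key_hash, var->data, hw_key_hash_size) != 0)
		return OPAL_PERMISSION;

	return OPAL_SUCCESS;
}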