/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "efivars-fundamental.h"

/* Human-readable name for each SecureBootMode value, indexed by the enum value itself.
 * Slots without an explicit initializer (if any) are implicitly NULL. */
static const sd_char * const table[_SECURE_BOOT_MAX] = {
        [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
        [SECURE_BOOT_DISABLED]    = STR_C("disabled"),
        [SECURE_BOOT_UNKNOWN]     = STR_C("unknown"),
        [SECURE_BOOT_AUDIT]       = STR_C("audit"),
        [SECURE_BOOT_DEPLOYED]    = STR_C("deployed"),
        [SECURE_BOOT_SETUP]       = STR_C("setup"),
        [SECURE_BOOT_USER]        = STR_C("user"),
};

/* Map a SecureBootMode to its name from the table above.
 *
 * Returns NULL when m lies outside [0, _SECURE_BOOT_MAX), so callers must be prepared for NULL
 * before printing or comparing the result. */
const sd_char *secure_boot_mode_to_string(SecureBootMode m) {
        if (m < 0 || m >= _SECURE_BOOT_MAX)
                return NULL;

        return table[m];
}

/* Translate four boolean flags into a single SecureBootMode.
 *
 * The flags presumably mirror the UEFI SecureBoot, AuditMode, DeployedMode and SetupMode
 * variables; confirm against the callers.
 *
 *   secure deployed audit setup   result
 *     1       1       0     0     SECURE_BOOT_DEPLOYED
 *     1       0       0     0     SECURE_BOOT_USER
 *     0       0       1     1     SECURE_BOOT_AUDIT
 *     0       0       0     1     SECURE_BOOT_SETUP
 *     0       0       0     0     SECURE_BOOT_DISABLED
 *     anything else               SECURE_BOOT_UNKNOWN
 *
 * SECURE_BOOT_DEPLOYED and SECURE_BOOT_USER are the only results produced while secure is true.
 * SECURE_BOOT_UNKNOWN covers every inconsistent flag combination; code making a policy decision
 * should treat it like the non-enforcing modes rather than assume secure boot is active. */
SecureBootMode decode_secure_boot_mode(bool secure, bool audit, bool deployed, bool setup) {
        /* See figure 32-4 Secure Boot Modes from UEFI Specification 2.9 */

        if (secure) {
                /* While secure boot is on, neither audit nor setup may be set. */
                if (audit || setup)
                        return SECURE_BOOT_UNKNOWN;

                return deployed ? SECURE_BOOT_DEPLOYED : SECURE_BOOT_USER;
        }

        /* From here on secure boot is off, and deployed mode is not valid without it. */
        if (deployed)
                return SECURE_BOOT_UNKNOWN;

        if (setup)
                return audit ? SECURE_BOOT_AUDIT : SECURE_BOOT_SETUP;

        /* Audit without setup is not a known state. Well, this should not happen. */
        if (audit)
                return SECURE_BOOT_UNKNOWN;

        /* Some firmware allows disabling secure boot while not being in
         * setup mode unless the PK is cleared. */
        return SECURE_BOOT_DISABLED;
}