Diffstat (limited to 'roms/skiboot/libstb/secvar/backend/edk2-compat-reset.c')
-rw-r--r--roms/skiboot/libstb/secvar/backend/edk2-compat-reset.c116
1 files changed, 116 insertions, 0 deletions
diff --git a/roms/skiboot/libstb/secvar/backend/edk2-compat-reset.c b/roms/skiboot/libstb/secvar/backend/edk2-compat-reset.c
new file mode 100644
index 000000000..305ea08c2
--- /dev/null
+++ b/roms/skiboot/libstb/secvar/backend/edk2-compat-reset.c
@@ -0,0 +1,116 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+/* Copyright 2020 IBM Corp. */
+#include <opal.h>
+#include <device.h>
+#include "edk2-compat-process.h"
+#include "edk2-compat-reset.h"
+#include "../secvar.h"
+
+int reset_keystore(struct list_head *bank)
+{
+ struct secvar *var;
+ int rc = 0;
+
+ var = find_secvar("PK", 3, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+ if (rc)
+ return rc;
+
+ var = find_secvar("KEK", 4, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+ if (rc)
+ return rc;
+
+ var = find_secvar("db", 3, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+ if (rc)
+ return rc;
+
+ var = find_secvar("dbx", 4, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+ if (rc)
+ return rc;
+
+ var = find_secvar("TS", 3, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+ if (rc)
+ return rc;
+
+ var = find_secvar("HWKH", 5, bank);
+ if (var)
+ rc = update_variable_in_bank(var, NULL, 0, bank);
+
+ return rc;
+}
+
+
+int add_hw_key_hash(struct list_head *bank)
+{
+ struct secvar *var;
+ uint32_t hw_key_hash_size;
+ const char *hw_key_hash;
+ struct dt_node *secureboot;
+
+ secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
+ if (!secureboot)
+ return false;
+
+ hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");
+
+ hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
+
+ if (!hw_key_hash)
+ return OPAL_PERMISSION;
+
+ var = new_secvar("HWKH", 5, hw_key_hash,
+ hw_key_hash_size, SECVAR_FLAG_PROTECTED);
+ list_add_tail(bank, &var->link);
+
+ return OPAL_SUCCESS;
+}
+
+int delete_hw_key_hash(struct list_head *bank)
+{
+ struct secvar *var;
+
+ var = find_secvar("HWKH", 5, bank);
+ if (!var)
+ return OPAL_SUCCESS;
+
+ list_del(&var->link);
+ dealloc_secvar(var);
+
+ return OPAL_SUCCESS;
+}
+
+int verify_hw_key_hash(void)
+{
+ const char *hw_key_hash;
+ struct dt_node *secureboot;
+ struct secvar *var;
+
+ secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
+ if (!secureboot)
+ return OPAL_INTERNAL_ERROR;
+
+ hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
+
+ if (!hw_key_hash)
+ return OPAL_INTERNAL_ERROR;
+
+ /* This value is from the protected storage */
+ var = find_secvar("HWKH", 5, &variable_bank);
+ if (!var)
+ return OPAL_PERMISSION;
+
+ if (memcmp(hw_key_hash, var->data, var->data_size) != 0)
+ return OPAL_PERMISSION;
+
+ return OPAL_SUCCESS;
+}
+
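Review bot: In add_hw_key_hash the missing-node path returns `false`, which is 0 and therefore indistinguishable from the OPAL_SUCCESS returned at the end of the function, so a caller that checks the return code will treat a platform with no "ibm,secureboot" node as a successful add; verify_hw_key_hash in the same file returns OPAL_INTERNAL_ERROR for that case, and the line should be `return OPAL_INTERNAL_ERROR;` (or whichever OPAL code the caller expects) for consistency. In verify_hw_key_hash the memcmp on the last hunk lines is bounded only by `var->data_size` and never compares it to the device-tree "hw-key-hash-size", so a stored HWKH shorter than the device-tree hash would pass on a prefix match and a longer one would read past the property; read the size with `hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");` and guard with `if (var->data_size != hw_key_hash_size || memcmp(hw_key_hash, var->data, var->data_size) != 0)`. Also in add_hw_key_hash, `var` is dereferenced via `&var->link` without checking the `new_secvar` result; if new_secvar can return NULL on allocation failure (not visible here), that is a NULL dereference and should be `if (!var) return OPAL_NO_MEM;` or similar before list_add_tail.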