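// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
/* Copyright 2020 IBM Corp. */

/*
 * NOTE(review): the two angle-bracket system headers were dropped when this
 * page was extracted; <opal.h> (OPAL_* return codes) and <string.h> (memcmp)
 * are assumed here -- confirm against the upstream file.
 */
#include <opal.h>
#include <string.h>
#include "edk2-compat-process.h"
#include "edk2-compat-reset.h"
#include "../secvar.h"

/*
 * Variables cleared by reset_keystore(), in the order they were cleared
 * before this table existed.  name_len is the name length including the
 * terminating NUL, which is how the rest of this file calls find_secvar()
 * ("PK" -> 3, "HWKH" -> 5, ...).
 */
static const struct {
	const char *name;
	size_t name_len;
} reset_vars[] = {
	{ "PK",   sizeof("PK")   },
	{ "KEK",  sizeof("KEK")  },
	{ "db",   sizeof("db")   },
	{ "dbx",  sizeof("dbx")  },
	{ "TS",   sizeof("TS")   },
	{ "HWKH", sizeof("HWKH") },
};

/*
 * reset_keystore - empty every EDK2-compat variable present in @bank.
 *
 * Each variable that exists is updated to zero-length data via
 * update_variable_in_bank(); variables that are absent are skipped.
 * Stops at the first failing update.
 *
 * Returns 0 on success, otherwise the error returned by
 * update_variable_in_bank().
 */
int reset_keystore(struct list_head *bank)
{
	int rc = 0;
	size_t i;

	for (i = 0; i < sizeof(reset_vars) / sizeof(reset_vars[0]) && rc == 0; i++) {
		struct secvar *var;

		var = find_secvar(reset_vars[i].name, reset_vars[i].name_len, bank);
		if (var)
			rc = update_variable_in_bank(var, NULL, 0, bank);
	}

	return rc;
}

/*
 * add_hw_key_hash - append the platform hardware key hash to @bank as the
 * protected "HWKH" variable.
 *
 * The hash and its size are read from the "ibm,secureboot" device-tree
 * node ("hw-key-hash" / "hw-key-hash-size").  The caller is expected to
 * have removed any existing HWKH first (see delete_hw_key_hash()).
 *
 * Returns OPAL_SUCCESS on success, OPAL_INTERNAL_ERROR if the device-tree
 * node is missing, OPAL_PERMISSION if the hash property is missing and
 * OPAL_NO_MEM if the variable could not be allocated.
 */
int add_hw_key_hash(struct list_head *bank)
{
	struct secvar *var;
	uint32_t hw_key_hash_size;
	const char *hw_key_hash;
	struct dt_node *secureboot;

	secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
	/*
	 * Previously `return false`, which is 0 == OPAL_SUCCESS: a missing
	 * node silently reported that HWKH had been added.  Report the
	 * failure the same way verify_hw_key_hash() does.
	 */
	if (!secureboot)
		return OPAL_INTERNAL_ERROR;

	/* assumes hw-key-hash-size matches the length of hw-key-hash -- TODO confirm */
	hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");
	hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
	if (!hw_key_hash)
		return OPAL_PERMISSION;

	var = new_secvar("HWKH", 5, hw_key_hash, hw_key_hash_size,
			 SECVAR_FLAG_PROTECTED);
	/* Do not take &var->link from a NULL allocation result. */
	if (!var)
		return OPAL_NO_MEM;

	list_add_tail(bank, &var->link);

	return OPAL_SUCCESS;
}

/*
 * delete_hw_key_hash - remove and free the "HWKH" variable from @bank.
 *
 * Returns OPAL_SUCCESS whether or not the variable was present.
 */
int delete_hw_key_hash(struct list_head *bank)
{
	struct secvar *var;

	var = find_secvar("HWKH", 5, bank);
	if (!var)
		return OPAL_SUCCESS;

	list_del(&var->link);
	dealloc_secvar(var);

	return OPAL_SUCCESS;
}

/*
 * verify_hw_key_hash - check that the "HWKH" variable held in the protected
 * variable_bank still matches the hardware key hash published in the
 * "ibm,secureboot" device-tree node.
 *
 * Both the size and the contents must match; a differing size is treated
 * as a mismatch rather than compared as a prefix.
 *
 * Returns OPAL_SUCCESS on a match, OPAL_INTERNAL_ERROR if the device-tree
 * node or hash property is missing, and OPAL_PERMISSION if the variable is
 * missing or does not match.
 */
int verify_hw_key_hash(void)
{
	const char *hw_key_hash;
	uint32_t hw_key_hash_size;
	struct dt_node *secureboot;
	struct secvar *var;

	secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
	if (!secureboot)
		return OPAL_INTERNAL_ERROR;

	/* assumes hw-key-hash-size matches the length of hw-key-hash -- TODO confirm */
	hw_key_hash_size = dt_prop_get_u32(secureboot, "hw-key-hash-size");
	hw_key_hash = dt_prop_get(secureboot, "hw-key-hash");
	if (!hw_key_hash)
		return OPAL_INTERNAL_ERROR;

	/* This value is from the protected storage */
	var = find_secvar("HWKH", 5, &variable_bank);
	if (!var)
		return OPAL_PERMISSION;

	/*
	 * Compare sizes before contents.  The previous code compared
	 * var->data_size bytes, so a stored HWKH shorter than the real
	 * hash (including an empty one, for which memcmp() of 0 bytes
	 * returns 0) would have verified, and a longer one would have read
	 * past the end of the device-tree property.
	 */
	if (hw_key_hash_size == 0 || var->data_size != hw_key_hash_size)
		return OPAL_PERMISSION;

	if (memcmp(hw_key_hash, var->data, hw_key_hash_size) != 0)
		return OPAL_PERMISSION;

	return OPAL_SUCCESS;
}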