/* Copyright 2016 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

#include "2sysincludes.h"
#include "2hmac.h"
#include "2sha.h"
#include "bdb_api.h"
#include "bdb_struct.h"
#include "bdb.h"
#include "nvm.h"
#include "secrets.h"

static int nvmrw_validate(const void *buf, uint32_t size)
{
	const struct nvmrw *nvm = buf;

	if (nvm->struct_magic != NVM_RW_MAGIC)
		return BDB_ERROR_NVM_RW_MAGIC;

	if (nvm->struct_major_version != NVM_HEADER_VERSION_MAJOR)
		return BDB_ERROR_NVM_STRUCT_VERSION;

	if (size < nvm->struct_size)
		return BDB_ERROR_NVM_STRUCT_SIZE;

	/*
	 * We allow any sizes between min and max so that we can handle minor
	 * version mismatches. Reader can be older than data or the other way
	 * around. FW in slot B can upgrade NVM-RW but fails to qualify as a
	 * stable boot path. Then, FW in slot A is invoked which is older than
	 * the NVM-RW written by FW in slot B.
	 */
	if (nvm->struct_size < NVM_RW_MIN_STRUCT_SIZE ||
			NVM_RW_MAX_STRUCT_SIZE < nvm->struct_size)
		return BDB_ERROR_NVM_STRUCT_SIZE;

	return BDB_SUCCESS;
}

static int nvmrw_verify(const struct bdb_secrets *secrets,
			const struct nvmrw *nvm, uint32_t size)
{
	uint8_t mac[NVM_HMAC_SIZE];
	int rv;

	if (!secrets || !nvm)
		return BDB_ERROR_NVM_INVALID_PARAMETER;

	rv = nvmrw_validate(nvm, size);
	if (rv)
		return rv;

	/* Compute and verify HMAC */
	if (hmac(VB2_HASH_SHA256, secrets->nvm_rw, BDB_SECRET_SIZE,
		 nvm, nvm->struct_size - sizeof(mac), mac, sizeof(mac)))
		return BDB_ERROR_NVM_RW_HMAC;
	/* TODO: Use safe_memcmp */
	if (memcmp(mac, nvm->hmac, sizeof(mac)))
		return BDB_ERROR_NVM_RW_INVALID_HMAC;

	return BDB_SUCCESS;
}

int nvmrw_write(struct vba_context *ctx, enum nvm_type type)
{
	struct nvmrw *nvm = &ctx->nvmrw;
	int retry = NVM_MAX_WRITE_RETRY;
	int rv;

	if (!ctx)
		return BDB_ERROR_NVM_INVALID_PARAMETER;

	if (!ctx->secrets)
		return BDB_ERROR_NVM_INVALID_SECRET;

	rv = nvmrw_validate(nvm, sizeof(*nvm));
	if (rv)
		return rv;

	/* Update HMAC */
	hmac(VB2_HASH_SHA256, ctx->secrets->nvm_rw, BDB_SECRET_SIZE,
	     nvm, nvm->struct_size - sizeof(nvm->hmac),
	     nvm->hmac, sizeof(nvm->hmac));

	while (retry--) {
		uint8_t buf[sizeof(struct nvmrw)];
		if (vbe_write_nvm(type, nvm, nvm->struct_size))
			continue;
		if (vbe_read_nvm(type, buf, sizeof(buf)))
			continue;
		if (memcmp(buf, nvm, sizeof(buf)))
			continue;
		/* Write success */
		return BDB_SUCCESS;
	}

	/* NVM seems corrupted. Go to chip recovery mode */
	return BDB_ERROR_NVM_WRITE;
}

static int read_verify_nvmrw(enum nvm_type type,
			     const struct bdb_secrets *secrets,
			     uint8_t *buf, uint32_t buf_size)
{
	struct nvmrw *nvm = (struct nvmrw *)buf;
	int rv;

	/* Read minimum amount */
	if (vbe_read_nvm(type, buf, NVM_MIN_STRUCT_SIZE))
		return BDB_ERROR_NVM_VBE_READ;

	/* Validate the content */
	rv = nvmrw_validate(buf, buf_size);
	if (rv)
		return rv;

	/* Read full body */
	if (vbe_read_nvm(type, buf, nvm->struct_size))
		return BDB_ERROR_NVM_VBE_READ;

	/* Verify the content */
	rv = nvmrw_verify(secrets, nvm, sizeof(*nvm));
		return rv;

	return BDB_SUCCESS;
}

int nvmrw_read(struct vba_context *ctx)
{
	uint8_t buf1[NVM_RW_MAX_STRUCT_SIZE];
	uint8_t buf2[NVM_RW_MAX_STRUCT_SIZE];
	struct nvmrw *nvm1 = (struct nvmrw *)buf1;
	struct nvmrw *nvm2 = (struct nvmrw *)buf2;
	int rv1, rv2;

	/* Read and verify the 1st copy */
	rv1 = read_verify_nvmrw(NVM_TYPE_RW_PRIMARY, ctx->secrets,
				buf1, sizeof(buf1));

	/* Read and verify the 2nd copy */
	rv2 = read_verify_nvmrw(NVM_TYPE_RW_SECONDARY, ctx->secrets,
				buf2, sizeof(buf2));

	if (rv1 == BDB_SUCCESS && rv2 == BDB_SUCCESS) {
		/* Sync primary and secondary based on update_count. */
		if (nvm1->update_count > nvm2->update_count)
			rv2 = !BDB_SUCCESS;
		else if (nvm1->update_count < nvm2->update_count)
			rv1 = !BDB_SUCCESS;
	} else if (rv1 != BDB_SUCCESS && rv2 != BDB_SUCCESS){
		/* Abort. Neither was successful. */
		return rv1;
	}

	if (rv1 == BDB_SUCCESS)
		/* both copies are good. use primary copy */
		memcpy(&ctx->nvmrw, buf1, sizeof(ctx->nvmrw));
	else
		/* primary is bad but secondary is good. */
		memcpy(&ctx->nvmrw, buf2, sizeof(ctx->nvmrw));

	if (ctx->nvmrw.struct_minor_version != NVM_HEADER_VERSION_MINOR) {
		/*
		 * Upgrade or downgrade is required. So, we need to write both.
		 * When upgrading, this is the place where new fields should be
		 * initialized. We don't increment update_count.
		 */
		ctx->nvmrw.struct_minor_version = NVM_HEADER_VERSION_MINOR;
		ctx->nvmrw.struct_size = sizeof(ctx->nvmrw);
		/* We don't worry about calculating hmac twice because
		 * this is a corner case. */
		rv1 = nvmrw_write(ctx, NVM_TYPE_RW_PRIMARY);
		rv2 = nvmrw_write(ctx, NVM_TYPE_RW_SECONDARY);
	} else if (rv1 != BDB_SUCCESS) {
		/* primary copy is bad. sync it with secondary copy */
		rv1 = nvmrw_write(ctx, NVM_TYPE_RW_PRIMARY);
	} else if (rv2 != BDB_SUCCESS){
		/* secondary copy is bad. sync it with primary copy */
		rv2 = nvmrw_write(ctx, NVM_TYPE_RW_SECONDARY);
	} else {
		/* Both copies are good and versions are same as the reader.
		 * Skip writing. This should be the common case. */
	}

	if (rv1 || rv2)
		return rv1 ? rv1 : rv2;

	return BDB_SUCCESS;
}

static int nvmrw_init(struct vba_context *ctx)
{
	if (nvmrw_read(ctx))
		return BDB_ERROR_NVM_INIT;

	return BDB_SUCCESS;
}

int vba_update_kernel_version(struct vba_context *ctx,
			      uint32_t kernel_data_key_version,
			      uint32_t kernel_version)
{
	struct nvmrw *nvm = &ctx->nvmrw;

	if (nvmrw_verify(ctx->secrets, nvm, sizeof(*nvm))) {
		if (nvmrw_init(ctx))
			return BDB_ERROR_NVM_INIT;
	}

	if (nvm->min_kernel_data_key_version < kernel_data_key_version ||
			nvm->min_kernel_version < kernel_version) {
		int rv1, rv2;

		/* Roll forward versions */
		nvm->min_kernel_data_key_version = kernel_data_key_version;
		nvm->min_kernel_version = kernel_version;

		/* Increment update counter */
		nvm->update_count++;

		/* Update both copies */
		rv1 = nvmrw_write(ctx, NVM_TYPE_RW_PRIMARY);
		rv2 = nvmrw_write(ctx, NVM_TYPE_RW_SECONDARY);
		if (rv1 || rv2)
			return BDB_ERROR_RECOVERY_REQUEST;
	}

	return BDB_SUCCESS;
}

int vba_update_buc(struct vba_context *ctx, uint8_t *new_buc)
{
	struct nvmrw *nvm = &ctx->nvmrw;
	uint8_t buc[BUC_ENC_DIGEST_SIZE];
	int rv1, rv2;

	if (nvmrw_verify(ctx->secrets, nvm, sizeof(*nvm))) {
		if (nvmrw_init(ctx))
			return BDB_ERROR_NVM_INIT;
	}

	/* Encrypt new BUC
	 * Note that we do not need to decide whether we should use hardware
	 * crypto or not because this is supposed to be running in RW code. */
	if (vbe_aes256_encrypt(new_buc, BUC_ENC_DIGEST_SIZE,
			       ctx->secrets->buc, buc))
		return BDB_ERROR_ENCRYPT_BUC;

	/* Return if new BUC is same as current one. */
	if (!memcmp(buc, nvm->buc_enc_digest, sizeof(buc)))
		return BDB_SUCCESS;

	memcpy(nvm->buc_enc_digest, buc, sizeof(buc));

	/* Increment update counter */
	nvm->update_count++;

	/* Write new BUC */
	rv1 = nvmrw_write(ctx, NVM_TYPE_RW_PRIMARY);
	rv2 = nvmrw_write(ctx, NVM_TYPE_RW_SECONDARY);
	if (rv1 || rv2)
		return BDB_ERROR_WRITE_BUC;

	return BDB_SUCCESS;
}

int nvmrw_get(struct vba_context *ctx, enum nvmrw_var var, uint32_t *val)
{
	struct nvmrw *nvm = &ctx->nvmrw;

	/* No init or verify so that this can be called from futility.
	 * Callers are responsible for init and verify. */

	switch (var) {
	case NVMRW_VAR_UPDATE_COUNT:
		*val = nvm->update_count;
		break;
	case NVMRW_VAR_MIN_KERNEL_DATA_KEY_VERSION:
		*val = nvm->min_kernel_data_key_version;
		break;
	case NVMRW_VAR_MIN_KERNEL_VERSION:
		*val = nvm->min_kernel_version;
		break;
	case NVMRW_VAR_BUC_TYPE:
		*val = nvm->buc_type;
		break;
	case NVMRW_VAR_FLAG_BUC_PRESENT:
		*val = nvm->flags & NVM_RW_FLAG_BUC_PRESENT;
		break;
	case NVMRW_VAR_FLAG_DFM_DISABLE:
		*val = nvm->flags & NVM_RW_FLAG_DFM_DISABLE;
		break;
	case NVMRW_VAR_FLAG_DOSM:
		*val = nvm->flags & NVM_RW_FLAG_DOSM;
		break;
	default:
		return BDB_ERROR_NVM_INVALID_PARAMETER;
	}

	return BDB_SUCCESS;
}

#define MAX_8BIT_UINT ((((uint64_t)1) << 8) - 1)

int nvmrw_set(struct vba_context *ctx, enum nvmrw_var var, uint32_t val)
{
	struct nvmrw *nvm = &ctx->nvmrw;

	/* No init or verify so that this can be called from futility.
	 * Callers are responsible for init and verify. */

	switch (var) {
	case NVMRW_VAR_UPDATE_COUNT:
		nvm->update_count = val;
		break;
	case NVMRW_VAR_MIN_KERNEL_DATA_KEY_VERSION:
		nvm->min_kernel_data_key_version = val;
		break;
	case NVMRW_VAR_MIN_KERNEL_VERSION:
		nvm->min_kernel_version = val;
		break;
	case NVMRW_VAR_BUC_TYPE:
		if (val > MAX_8BIT_UINT)
			return BDB_ERROR_NVM_INVALID_PARAMETER;
		nvm->buc_type = val;
		break;
	case NVMRW_VAR_FLAG_BUC_PRESENT:
		nvm->flags &= ~NVM_RW_FLAG_BUC_PRESENT;
		nvm->flags |= val ? NVM_RW_FLAG_BUC_PRESENT : 0;
		break;
	case NVMRW_VAR_FLAG_DFM_DISABLE:
		nvm->flags &= ~NVM_RW_FLAG_DFM_DISABLE;
		nvm->flags |= val ? NVM_RW_FLAG_DFM_DISABLE : 0;
		break;
	case NVMRW_VAR_FLAG_DOSM:
		nvm->flags &= ~NVM_RW_FLAG_DOSM;
		nvm->flags |= val ? NVM_RW_FLAG_DOSM : 0;
		break;
	default:
		return BDB_ERROR_NVM_INVALID_PARAMETER;
	}

	return BDB_SUCCESS;
}