// SPDX-License-Identifier: GPL-2.0-or-later

#define TST_NO_DEFAULT_MAIN

#define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"

#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>

#include "tst_test.h"
#include "tst_safe_macros.h"
#include "tst_safe_stdio.h"
#include "tst_lockdown.h"
#include "tst_private.h"

#define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

int tst_secureboot_enabled(void)
{
	int fd;
	char data[5];

	if (access(EFIVAR_SECUREBOOT, F_OK)) {
		tst_res(TINFO, "Efivar FS not available");
		return -1;
	}

	fd = open(EFIVAR_SECUREBOOT, O_RDONLY);

	if (fd == -1) {
		tst_res(TINFO | TERRNO,
			"Cannot open SecureBoot Efivar sysfile");
		return -1;
	} else if (fd < 0) {
		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
		return -1;
	}

	SAFE_READ(1, fd, data, 5);
	SAFE_CLOSE(fd);
	tst_res(TINFO, "SecureBoot: %s", data[4] ? "on" : "off");
	return data[4];
}

int tst_lockdown_enabled(void)
{
	char line[BUFSIZ];
	FILE *file;

	if (access(PATH_LOCKDOWN, F_OK) != 0) {
		char flag;

		flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");

		/* SecureBoot enabled could mean integrity lockdown */
		if (flag == 'y' && tst_secureboot_enabled() > 0)
			return 1;

		tst_res(TINFO, "Unable to determine system lockdown state");
		return 0;
	}

	file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
	if (!fgets(line, sizeof(line), file))
		tst_brk(TBROK | TERRNO, "fgets %s", PATH_LOCKDOWN);
	SAFE_FCLOSE(file);

	return (strstr(line, "[none]") == NULL);
}