1/*
2 * Copyright (c) 2022 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23#include <libkern/libkern.h>
24#include <sys/sysctl.h>
25#include <sys/lockdown_mode.h>
26#include <IOKit/IOPlatformExpert.h>
27#include <IOKit/IOKitKeysPrivate.h>
28
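/*
 * NVRAM variable that persists the Lockdown Mode setting.
 * The pointer itself is const as well, so the key cannot be redirected to a
 * different variable name at runtime.
 */
static const char * const kLockdownModeNVRAMVariableKey = kIOKitSystemGUID ":ldm";

#pragma mark Initialization

/*
 * Mutex guarding lockdown_mode_init_done. It is also the interlock for the
 * msleep()/wakeup() pair used by get_lockdown_mode_state() and
 * lockdown_mode_init().
 */
static LCK_GRP_DECLARE(lockdown_mode_init_lck_grp, "lockdown_mode_init_lock");
static LCK_MTX_DECLARE(lockdown_mode_init_mtx, &lockdown_mode_init_lck_grp);

/* Set to 1 by lockdown_mode_init() once its NVRAM read attempt has finished. */
static int lockdown_mode_init_done = 0;

/*
 * Cached Lockdown Mode state: non-zero is reported as "on", 0 as "off".
 * It starts at 0, so any reader that does not wait for initialization sees
 * "off" until lockdown_mode_init() has run.
 */
int lockdown_mode_state = 0;

SYSCTL_DECL(_security_mac);
/*
 * Read-only (CTLFLAG_RD) export of the cached state. The sysctl is bound to
 * the variable directly and therefore does not wait for initialization the
 * way get_lockdown_mode_state() does.
 */
SYSCTL_INT(_security_mac, OID_AUTO, lockdown_mode_state, CTLFLAG_RD | CTLFLAG_LOCKED, &lockdown_mode_state, 0, "Lockdown Mode state");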
42
/*
 * Load the persisted Lockdown Mode flag from NVRAM into lockdown_mode_state,
 * then mark initialization complete and wake any thread sleeping in
 * get_lockdown_mode_state().
 *
 * A failed NVRAM read is only logged; initialization still completes. In that
 * case lockdown_mode_state is whatever it held before the call (initially 0,
 * i.e. "off"), so a read failure leaves the feature reported as disabled.
 * NOTE(review): confirm that the read routine leaves the value untouched on
 * failure.
 */
__startup_func
void
lockdown_mode_init(void)
{
	boolean_t nvram_read_ok = PEReadNVRAMBooleanProperty(kLockdownModeNVRAMVariableKey, &lockdown_mode_state);

	if (!nvram_read_ok) {
		printf("lockdown_mode: error getting state from nvram\n");
	}

	const char *state_label = lockdown_mode_state ? "on" : "off";
	printf("lockdown_mode: lockdown mode in nvram is %s\n", state_label);

	/*
	 * Set the flag and issue the wakeup while holding the mutex, so a waiter
	 * that checked the flag under the same mutex cannot miss the wakeup.
	 */
	lck_mtx_lock(&lockdown_mode_init_mtx);
	lockdown_mode_init_done = 1;
	wakeup(&lockdown_mode_init_done);
	lck_mtx_unlock(&lockdown_mode_init_mtx);
}
57
58#if defined (__i386__) || defined (__x86_64__)
/*
 * Declared here rather than taken from a header. The caller below treats a
 * false return as failure.
 */
extern boolean_t IOServiceWaitForMatchingResource(const char *property, uint64_t timeout);

/*
 * Body of the x86 initialization thread: wait (timeout UINT64_MAX) for the
 * "IONVRAM" resource, then run lockdown_mode_init(). Failing to obtain the
 * NVRAM service is fatal, so the system panics instead of continuing with an
 * unknown Lockdown Mode state.
 */
__startup_func
static void
lockdown_mode_init_async_thread(void)
{
	boolean_t nvram_available = IOServiceWaitForMatchingResource("IONVRAM", UINT64_MAX);

	if (nvram_available) {
		lockdown_mode_init();
		return;
	}

	panic("lockdown_mode: error acquiring nvram service");
}
70
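/*
 * x86 startup hook: run Lockdown Mode initialization on its own kernel thread,
 * because that path has to wait for the NVRAM service before it can read the
 * persisted state.
 *
 * A failure to start the thread is now logged. Previously it was ignored,
 * which left lockdown_mode_init() unrun with no trace of why.
 */
__startup_func
static void
lockdown_mode_init_async(void)
{
	thread_t thread;
	/*
	 * NOTE(review): the cast passes a function declared with no parameters as
	 * a thread_continue_t; confirm the signature mismatch is intentional.
	 */
	kern_return_t ret = kernel_thread_start((thread_continue_t)lockdown_mode_init_async_thread, 0, &thread);

	if (ret != KERN_SUCCESS) {
		/*
		 * Without this thread lockdown_mode_init_done is never set, so every
		 * caller of get_lockdown_mode_state() would sleep indefinitely.
		 */
		printf("lockdown_mode: error starting init thread: %d\n", ret);
		return;
	}

	/* The thread handle is not needed afterwards; release it. */
	thread_deallocate(thread);
}
STARTUP(EARLY_BOOT, STARTUP_RANK_LAST, lockdown_mode_init_async);
#else
/* On other architectures the state is read directly from the startup hook. */
STARTUP(EARLY_BOOT, STARTUP_RANK_LAST, lockdown_mode_init);
#endif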
85
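/*
 * Return the cached Lockdown Mode state, blocking until lockdown_mode_init()
 * has finished.
 *
 * The wait re-checks lockdown_mode_init_done in a loop. With a single `if`,
 * any return from msleep() that happened before initialization had completed
 * would let the caller read the initial value 0 ("off"), under-reporting a
 * security setting.
 *
 * @return non-zero when Lockdown Mode is on, 0 when it is off.
 */
int
get_lockdown_mode_state(void)
{
	lck_mtx_lock(&lockdown_mode_init_mtx);
	while (!lockdown_mode_init_done) {
		/* msleep() drops the mutex while asleep and holds it again on return. */
		msleep(&lockdown_mode_init_done, &lockdown_mode_init_mtx, 0, "get_lockdown_mode_state", NULL);
	}
	lck_mtx_unlock(&lockdown_mode_init_mtx);

	return lockdown_mode_state;
}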
98
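/*
 * Turn Lockdown Mode on: update the cached state, then persist it to NVRAM.
 *
 * The cached state is set first, so the running system reports "on" even if
 * the NVRAM write fails. A failed write is logged because the setting would
 * then not be persisted, and the function has no way to report it to the
 * caller.
 *
 * The write to lockdown_mode_state is made without lockdown_mode_init_mtx.
 * NOTE(review): confirm callers cannot run before lockdown_mode_init() has
 * completed, otherwise the NVRAM read there could overwrite this value.
 */
void
enable_lockdown_mode(void)
{
	lockdown_mode_state = 1;
	if (!PEWriteNVRAMBooleanProperty(kLockdownModeNVRAMVariableKey, TRUE)) {
		printf("lockdown_mode: error writing state to nvram\n");
	}
}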
105
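/*
 * Turn Lockdown Mode off: clear the cached state, then remove the NVRAM
 * variable that persists it.
 *
 * A failed removal is logged because the cached state (off) and the persisted
 * state would then disagree, and the function has no way to report it to the
 * caller.
 *
 * The write to lockdown_mode_state is made without lockdown_mode_init_mtx.
 * NOTE(review): confirm callers cannot run before lockdown_mode_init() has
 * completed.
 */
void
disable_lockdown_mode(void)
{
	lockdown_mode_state = 0;
	if (!PERemoveNVRAMProperty(kLockdownModeNVRAMVariableKey)) {
		printf("lockdown_mode: error removing state from nvram\n");
	}
}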
112