1 /*
2 * Copyright (c) 2022 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23 #include <libkern/libkern.h>
24 #include <sys/sysctl.h>
25 #include <sys/lockdown_mode.h>
26 #include <IOKit/IOPlatformExpert.h>
27 #include <IOKit/IOKitKeysPrivate.h>
28
/*
 * Name of the NVRAM variable that persists the Lockdown Mode setting across
 * reboots: the IOKit system-GUID namespace followed by the ":ldm" suffix.
 * Presence/value of this variable is what lockdown_mode_init() reads at boot.
 */
static const char * kLockdownModeNVRAMVariableKey = kIOKitSystemGUID ":ldm";
30
31 #pragma mark Initialization
32
/* Mutex protecting lockdown_mode_init_done; also serialises the wakeup/msleep handshake on it. */
static LCK_GRP_DECLARE(lockdown_mode_init_lck_grp, "lockdown_mode_init_lock");
static LCK_MTX_DECLARE(lockdown_mode_init_mtx, &lockdown_mode_init_lck_grp);

/*
 * Set to 1 by lockdown_mode_init() once the persisted state has been loaded.
 * Its address doubles as the wait channel that get_lockdown_mode_state()
 * sleeps on until initialization is complete.
 */
static int lockdown_mode_init_done = 0;

/*
 * In-memory Lockdown Mode state: non-zero = on, 0 = off. Initialised from
 * NVRAM at boot; before that (and if the NVRAM read fails) it holds the
 * static default 0, i.e. "off".
 */
int lockdown_mode_state = 0;

/* Read-only sysctl security.mac.lockdown_mode_state exposing the in-memory state to user space. */
SYSCTL_DECL(_security_mac);
SYSCTL_INT(_security_mac, OID_AUTO, lockdown_mode_state, CTLFLAG_RD | CTLFLAG_LOCKED, &lockdown_mode_state, 0, "Lockdown Mode state");
42
/*
 * Load the persisted Lockdown Mode setting from NVRAM into
 * lockdown_mode_state, then publish that initialization is complete so
 * that callers blocked in get_lockdown_mode_state() can proceed.
 *
 * A failed NVRAM read is only logged; lockdown_mode_state is left with
 * whatever it held before (its static initializer is 0, "off"). Whether
 * PEReadNVRAMBooleanProperty modifies the out-parameter on failure is not
 * visible here — TODO confirm, since the failure path effectively means
 * "Lockdown Mode off".
 */
__startup_func
void
lockdown_mode_init(void)
{
	boolean_t read_ok = PEReadNVRAMBooleanProperty(kLockdownModeNVRAMVariableKey, &lockdown_mode_state);
	if (!read_ok) {
		printf("lockdown_mode: error getting state from nvram\n");
	}

	const char *state_str = "off";
	if (lockdown_mode_state) {
		state_str = "on";
	}
	printf("lockdown_mode: lockdown mode in nvram is %s\n", state_str);

	/* Flip the init flag under the mutex and wake every sleeper on its address. */
	lck_mtx_lock(&lockdown_mode_init_mtx);
	lockdown_mode_init_done = 1;
	wakeup(&lockdown_mode_init_done);
	lck_mtx_unlock(&lockdown_mode_init_mtx);
}
57
58 #if defined (__i386__) || defined (__x86_64__)
/*
 * IOKit routine declared locally rather than via a header; the async init
 * thread below uses it to wait for the "IONVRAM" resource and treats its
 * return value as a boolean success flag.
 */
extern boolean_t IOServiceWaitForMatchingResource( const char * property, uint64_t timeout );
60
/*
 * Body of the Intel-only init thread: block until the NVRAM service has
 * appeared, then run the regular lockdown_mode_init().
 *
 * Not finding the NVRAM service is treated as fatal (panic) rather than
 * falling back to "off": without it the persisted setting cannot be read.
 */
__startup_func
static void
lockdown_mode_init_async_thread(void)
{
	boolean_t nvram_ready = IOServiceWaitForMatchingResource("IONVRAM", UINT64_MAX);
	if (nvram_ready == FALSE) {
		panic("lockdown_mode: error acquiring nvram service");
	}

	lockdown_mode_init();
}
70
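/*
 * Start lockdown_mode_init() on its own kernel thread (Intel only; see the
 * STARTUP registration below) so that EARLY_BOOT does not block waiting for
 * the NVRAM service.
 *
 * Failure to create the thread is fatal. Previously the error was ignored,
 * but then nothing would ever set lockdown_mode_init_done and every later
 * caller of get_lockdown_mode_state() would sleep forever in msleep(). This
 * matches the panic in lockdown_mode_init_async_thread() when the NVRAM
 * service cannot be found.
 */
__startup_func
static void
lockdown_mode_init_async(void)
{
	thread_t thread;
	kern_return_t ret = kernel_thread_start((thread_continue_t)lockdown_mode_init_async_thread, 0, &thread);
	if (ret != KERN_SUCCESS) {
		panic("lockdown_mode: error starting init thread (%d)", ret);
	}
	/* The thread runs independently; drop the reference kernel_thread_start returned. */
	thread_deallocate(thread);
}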
/* Intel: defer initialization to a thread that first waits for the IONVRAM service (see lockdown_mode_init_async_thread). */
STARTUP(EARLY_BOOT, STARTUP_RANK_LAST, lockdown_mode_init_async);
82 #else
/* Other architectures: read the persisted state directly at EARLY_BOOT. */
STARTUP(EARLY_BOOT, STARTUP_RANK_LAST, lockdown_mode_init);
84 #endif
85
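/*
 * Return the current Lockdown Mode state (non-zero = on, 0 = off).
 *
 * Blocks until lockdown_mode_init() has loaded the state from NVRAM, so that
 * early callers see the persisted value rather than the pre-init default.
 * The wait re-checks lockdown_mode_init_done in a loop (rather than a single
 * `if`) so that a wakeup on the channel that does not coincide with the flag
 * being set cannot let a caller through with the state still uninitialized.
 * lockdown_mode_state itself is read after the mutex is dropped; its write
 * in lockdown_mode_init() precedes the flag update under the same mutex.
 *
 * On visionOS this accessor is not a pure read: every call forces Lockdown
 * Mode off, which also removes the NVRAM variable (see disable_lockdown_mode).
 */
int
get_lockdown_mode_state(void)
{
	lck_mtx_lock(&lockdown_mode_init_mtx);
	while (!lockdown_mode_init_done) {
		msleep(&lockdown_mode_init_done, &lockdown_mode_init_mtx, 0, "get_lockdown_mode_state", NULL);
	}
	lck_mtx_unlock(&lockdown_mode_init_mtx);

#if XNU_TARGET_OS_XR
	printf("lockdown_mode: disabling lockdown mode on visionOS\n");
	disable_lockdown_mode();
#endif

	return lockdown_mode_state;
}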
102
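/*
 * Turn Lockdown Mode on: update the in-memory state first, then persist it
 * to NVRAM so it survives reboot. The in-memory flip happens before the
 * write so the running system honours the setting even if persistence
 * fails. A failed NVRAM write is now logged — mirroring the read-side check
 * in lockdown_mode_init() — because in that case the live and persisted
 * states diverge and the next boot would presumably come up with Lockdown
 * Mode off.
 */
void
enable_lockdown_mode(void)
{
	lockdown_mode_state = 1;
	if (!PEWriteNVRAMBooleanProperty(kLockdownModeNVRAMVariableKey, TRUE)) {
		printf("lockdown_mode: error writing state to nvram\n");
	}
}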
109
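/*
 * Turn Lockdown Mode off: clear the in-memory state, then remove the NVRAM
 * variable so the setting does not reappear on the next boot ("off" is
 * represented by the variable being absent, matching the default in
 * lockdown_mode_init()). A failed removal is logged — mirroring the
 * read-side check in lockdown_mode_init() — since the persisted state would
 * then still say "on" while the live state says "off".
 */
void
disable_lockdown_mode(void)
{
	lockdown_mode_state = 0;
	if (!PERemoveNVRAMProperty(kLockdownModeNVRAMVariableKey)) {
		printf("lockdown_mode: error removing state from nvram\n");
	}
}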
116