1 /*
2 * Copyright (c) 2021-2022 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <libkern/libkern.h>
30
// Store signature; v3_store_header.name must equal this (see valid_store_header()).
#define VARIABLE_STORE_SIGNATURE 'NVV3'

// Variable Store Version; v3_store_header.version must equal this.
#define VARIABLE_STORE_VERSION 0x1

// v3_var_header.startId marker of a live record; anything else fails valid_variable_header().
#define VARIABLE_DATA 0x55AA
#define INVALIDATED_VARIABLE_DATA 0x0000

// Variable State flags (v3_var_header.state).
// reloadInternal() retires a duplicate by AND-ing its state with VAR_DELETED and
// VAR_IN_DELETED_TRANSITION (0xFD & 0xFE == 0xFC), i.e. state changes only ever clear bits.
#define VAR_IN_DELETED_TRANSITION 0xFE // Variable is in obsolete transition
#define VAR_DELETED 0xFD // Variable is obsolete
#define VAR_INACTIVE 0xFB // Variable is inactive due to failing CRC
#define VAR_ADDED 0x7F // Variable has been completely added; the only state that is loaded or matched

// In-memory pending action for an nvram_v3_var_entry (new_state), applied on the next sync.
// No changes needed on save
#define VAR_NEW_STATE_NONE 0x01
// Remove existing entry on save
#define VAR_NEW_STATE_REMOVE 0x02
// Add new value on save, mark previous as inactive
#define VAR_NEW_STATE_APPEND 0x03
51
52 #pragma pack(1)
// On-flash store header at offset 0 of a bank (packed, no padding).
// Only name/version/size/generation/system_size/common_size are consumed by the
// code in this file; state, flags and reserved1 are carried but not interpreted here.
struct v3_store_header {
	uint32_t name;        // must be VARIABLE_STORE_SIGNATURE
	uint32_t size;        // total image size; unserializeImage() requires it to equal the buffer length
	uint32_t generation;  // copied into _generation
	uint8_t state;
	uint8_t flags;
	uint8_t version;      // must be VARIABLE_STORE_VERSION
	uint8_t reserved1;
	uint32_t system_size; // size of the system region (0 == no system region)
	uint32_t common_size; // size of the common region, counted INCLUDING this header (unserializeImage() subtracts it)
};
64
// On-flash variable record (packed). A record is this header immediately followed by
// nameSize bytes of name and dataSize bytes of data (name_data_buf).
// Records are untrusted input when read back from the controller: every size field
// must be bounds-checked with valid_variable_header() before it is used.
struct v3_var_header {
	uint16_t startId;   // VARIABLE_DATA for a record that may be parsed
	uint8_t state;      // VAR_ADDED / VAR_DELETED / VAR_IN_DELETED_TRANSITION / VAR_INACTIVE
	uint8_t reserved;
	uint32_t attributes;
	uint32_t nameSize;  // bytes of name, including the terminating NUL as written by setVariableInternal()
	uint32_t dataSize;  // bytes of data following the name
	uuid_t guid;        // variable namespace (e.g. gAppleSystemVariableGuid selects the system region)
	uint32_t crc;       // crc32(0, data, dataSize) — integrity only, not authentication: anyone who can
	                    // write the image can recompute it
	uint8_t name_data_buf[]; // name bytes, then data bytes
};
76 #pragma pack()
77
// In-memory bookkeeping for one variable, stored as an OSData in _varEntries.
// The allocation is nvram_v3_var_container_size() bytes: this struct plus the
// name and data that trail `header` (header.name_data_buf).
struct nvram_v3_var_entry {
	uint8_t new_state;      // VAR_NEW_STATE_* action to apply on the next sync
	size_t existing_offset; // absolute offset of the live copy in the controller image; 0 == not present
	struct v3_var_header header;
};
83
static size_t
nvram_v3_var_container_size(const struct v3_var_header *header)
{
	// Bytes needed for an in-memory nvram_v3_var_entry holding this variable:
	// the bookkeeping struct (which embeds the header) plus the trailing name and data.
	// nameSize/dataSize are uint32_t, so the sum is formed in size_t and cannot wrap
	// on a 64-bit build; callers must still have bounds-checked the header with
	// valid_variable_header() before trusting these sizes.
	const size_t payload = (size_t)header->nameSize + (size_t)header->dataSize;
	return sizeof(struct nvram_v3_var_entry) + payload;
}
89
static size_t
variable_length(const struct v3_var_header *header)
{
	// On-flash length of a record: fixed header followed by name and data.
	// Formed in size_t from two uint32_t fields, so it cannot wrap on 64-bit;
	// whether it fits in the containing buffer is valid_variable_header()'s job.
	const size_t payload = (size_t)header->nameSize + (size_t)header->dataSize;
	return sizeof(struct v3_var_header) + payload;
}
95
static bool
valid_store_header(const struct v3_store_header *header)
{
	// Signature and version only. This dereferences the header unconditionally, so the
	// caller must already know sizeof(struct v3_store_header) bytes are readable
	// (isValidImage() checks the length before calling).
	if (header->name != VARIABLE_STORE_SIGNATURE) {
		return false;
	}
	return header->version == VARIABLE_STORE_VERSION;
}
101
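static bool
valid_variable_header(const struct v3_var_header *header, size_t buf_len)
{
	// Structural checks on a record at the start of a buf_len-byte span:
	//  - more than the fixed header is readable,
	//  - the start marker is present,
	//  - the whole record (header + name + data) fits inside the span, so the sizes
	//    read from the record cannot drive a read past the buffer.
	if (buf_len <= sizeof(struct v3_var_header)) {
		return false;
	}
	if (header->startId != VARIABLE_DATA) {
		return false;
	}
	if (variable_length(header) > buf_len) {
		return false;
	}
	// Callers treat the name as a C string (strlen() in findExistingEntry(), %s in
	// debug output, keyWithGuidAndCString()), and setVariableInternal() always stores
	// it with its terminating NUL inside nameSize. Require the same of records read
	// back from the store: a crafted record with no terminator would otherwise let
	// those reads run past the variable (and past the bank).
	if ((header->nameSize == 0) || (header->name_data_buf[header->nameSize - 1] != 0)) {
		return false;
	}
	// Deliberately not checked here: state, attributes and the CRC (crc32 over the
	// data bytes only; unserializeVariables() verifies it for VAR_ADDED records).
	return true;
}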
109
static uint32_t
find_active_var_in_image(const struct v3_var_header *var, const uint8_t *image, uint32_t offset, uint32_t len)
{
	// Walk the record chain in `image` starting at absolute offset `offset` and return
	// the ABSOLUTE offset of the first record that is VAR_ADDED and has the same GUID and
	// name (same nameSize, byte-equal) as `var`. Returns 0 when no such record is found or
	// when the chain is broken by a record that fails valid_variable_header(); 0 is never a
	// legitimate record offset because the store header occupies it.
	// `var` is the trusted in-memory copy; `image` is the untrusted controller read-back,
	// which is why every candidate is validated against the remaining length first.
	for (;;) {
		if (!(offset + sizeof(struct v3_var_header) < len)) {
			return 0;
		}

		const struct v3_var_header *candidate = (const struct v3_var_header *)(image + offset);
		if (!valid_variable_header(candidate, len - offset)) {
			return 0;
		}

		const bool matches = (candidate->state == VAR_ADDED) &&
		    (uuid_compare(var->guid, candidate->guid) == 0) &&
		    (var->nameSize == candidate->nameSize) &&
		    (memcmp(var->name_data_buf, candidate->name_data_buf, var->nameSize) == 0);
		if (matches) {
			return offset;
		}

		// Record validated to fit in the buffer, so this cannot step past `len`.
		offset += variable_length(candidate);
	}
}
136
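static IOReturn
find_current_offset_in_image(const uint8_t *image, uint32_t len, uint32_t *newOffset)
{
	uint32_t offset = 0;
	uint32_t inner_offset = 0;

	// Locate the first free byte of a bank image, i.e. where the next record would be
	// appended: skip the store header, walk every well-formed record regardless of its
	// state, then require the remainder of the bank to be erased (0xFF).
	// Returns kIOReturnInvalid (and leaves *newOffset untouched) if non-erased bytes are
	// found after an erased run.

	// Phase 1: skip the store header if present. Check the length before
	// valid_store_header() dereferences it, so a short buffer is never read past.
	if ((len >= sizeof(struct v3_store_header)) &&
	    valid_store_header((const struct v3_store_header *)(image + offset))) {
		DEBUG_INFO("valid store header @ %#x\n", offset);
		offset += sizeof(struct v3_store_header);
	}

	// Phase 2: follow the record chain. valid_variable_header() bounds each record to
	// the remaining bytes, so the advance cannot overrun `len`.
	while (offset < len) {
		const struct v3_var_header *store_var = (const struct v3_var_header *)(image + offset);
		uuid_string_t uuidString;

		if (valid_variable_header(store_var, len - offset)) {
			uuid_unparse(store_var->guid, uuidString);
			// The %s relies on the name being NUL-terminated within the record.
			DEBUG_INFO("Valid var @ %#08x, state=%#02x, length=%#08zx, %s:%s\n", offset, store_var->state,
			    variable_length(store_var), uuidString, store_var->name_data_buf);
			offset += variable_length(store_var);
		} else {
			break;
		}
	}

	// Phase 3: bytes that are not 0xFF before the first erased byte are stepped over;
	// once an erased (0xFF) run starts it must extend to the end of the bank, otherwise
	// the image has stray data where free space was expected and we refuse to append.
	while (offset < len) {
		if (image[offset] == 0xFF) {
			DEBUG_INFO("scanning for clear memory @ %#x\n", offset);

			inner_offset = offset;

			while ((inner_offset < len) && (image[inner_offset] == 0xFF)) {
				inner_offset++;
			}

			if (inner_offset == len) {
				DEBUG_INFO("found start of clear mem @ %#x\n", offset);
				break;
			} else {
				DEBUG_ERROR("ERROR!!!!! found non-clear byte @ %#x\n", offset);
				return kIOReturnInvalid;
			}
		}
		offset++;
	}

	// Either the start of the trailing erased run, or len if the bank is full.
	*newOffset = offset;

	return kIOReturnSuccess;
}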
187
// Format handler for the 'NVV3' NVRAM store layout.
// Holds an in-memory model of the variable store (_varEntries / _varDict) plus the
// region sizes and usage counters used to enforce space limits, and reconciles that
// model with what is actually on the controller (reloadInternal()).
// _bankSize and _currentBank are used below but declared in IODTNVRAMFormatHandler
// (not visible in this file).
class IONVRAMV3Handler : public IODTNVRAMFormatHandler, IOTypedOperatorsMixin<IONVRAMV3Handler>
{
private:
	IONVRAMController *_nvramController; // backing controller (select/read/write)
	IODTNVRAM *_provider;                // owner; _provider->_diags is used for variable logging

	bool _newData;   // set when the in-memory model has changes to sync
	bool _resetData; // set by unserializeVariables() when a duplicate record is found in the image
	bool _reload;    // raised by reload(); presumably consumed by sync() — not visible in this chunk

	bool _rawController; // from the "nvram-raw" property of /chosen

	uint32_t _generation; // store header generation

	uint8_t *_nvramImage; // private copy of the image given to unserializeImage(), _bankSize bytes

	OSSharedPtr<OSDictionary> _varDict; // canonical key (GUID:name) -> value object

	uint32_t _commonSize; // common region size, excluding the store header
	uint32_t _systemSize; // system region size; 0 == no system region

	uint32_t _commonUsed; // bytes of live records accounted to the common region
	uint32_t _systemUsed; // bytes of live records accounted to the system region

	uint32_t _currentOffset; // first free byte in the bank (where the next record is appended)

	OSSharedPtr<OSArray> _varEntries; // OSData elements, each an nvram_v3_var_entry plus its name/data

	// _variableLock guards _varDict/_varEntries and the usage counters: taken for
	// write in flush(), asserted exclusive in setVariableInternal()/setEntryForRemove().
	IORWLock *_variableLock;
	// _controllerLock is asserted held around controller access in reloadInternal().
	IOLock *_controllerLock;

	IOReturn unserializeImage(const uint8_t *image, IOByteCount length);
	IOReturn reclaim(void);
	uint32_t findCurrentBank(void);
	size_t getAppendSize(void);

	static bool convertObjectToProp(uint8_t *buffer, uint32_t *length, const char *propSymbol, OSObject *propObject);
	static bool convertPropToObject(const uint8_t *propName, uint32_t propNameLength, const uint8_t *propData, uint32_t propDataLength,
	    OSSharedPtr<const OSSymbol>& propSymbol, OSSharedPtr<OSObject>& propObject);

	IOReturn reloadInternal(void);
	IOReturn setVariableInternal(const uuid_t varGuid, const char *variableName, OSObject *object);

	void setEntryForRemove(struct nvram_v3_var_entry *v3Entry, bool system);
	void findExistingEntry(const uuid_t varGuid, const char *varName, struct nvram_v3_var_entry **existing, unsigned int *existingIndex);
	IOReturn syncRaw(void);
	IOReturn syncBlock(void);
	IOReturn handleEphDM(void);

public:
	virtual
	~IONVRAMV3Handler() APPLE_KEXT_OVERRIDE;
	IONVRAMV3Handler();
	// True if `image` starts with a store header of the expected signature/version.
	static bool isValidImage(const uint8_t *image, IOByteCount length);
	// Factory; returns nullptr on failure (lock allocation, properties, length mismatch).
	static IONVRAMV3Handler *init(IODTNVRAM *provider, const uint8_t *image, IOByteCount length);

	virtual bool getNVRAMProperties(void) APPLE_KEXT_OVERRIDE;
	virtual IOReturn unserializeVariables(void) APPLE_KEXT_OVERRIDE;
	virtual IOReturn setVariable(const uuid_t varGuid, const char *variableName, OSObject *object) APPLE_KEXT_OVERRIDE;
	virtual bool setController(IONVRAMController *controller) APPLE_KEXT_OVERRIDE;
	virtual IOReturn sync(void) APPLE_KEXT_OVERRIDE;
	virtual IOReturn flush(const uuid_t guid, IONVRAMOperation op) APPLE_KEXT_OVERRIDE;
	virtual void reload(void) APPLE_KEXT_OVERRIDE;
	virtual uint32_t getGeneration(void) const APPLE_KEXT_OVERRIDE;
	virtual uint32_t getVersion(void) const APPLE_KEXT_OVERRIDE;
	virtual uint32_t getSystemUsed(void) const APPLE_KEXT_OVERRIDE;
	virtual uint32_t getCommonUsed(void) const APPLE_KEXT_OVERRIDE;
	virtual bool getSystemPartitionActive(void) const APPLE_KEXT_OVERRIDE;
	virtual IOReturn getVarDict(OSSharedPtr<OSDictionary> &varDictCopy) APPLE_KEXT_OVERRIDE;
};
258
// NOTE(review): intentionally empty, but init() allocates _variableLock and
// _controllerLock and unserializeImage() allocates _nvramImage; none of them is
// released here. That only matters if a handler is ever destroyed — init()'s
// failure path does `delete handler` after allocating the locks, so at least that
// path leaks them.
IONVRAMV3Handler::~IONVRAMV3Handler()
{
}
262
// No member initializers: every field is left as the allocator provided it.
// The code relies on pointer members (e.g. _nvramImage, _varEntries) starting out
// null — presumably the IOTypedOperatorsMixin allocator zero-fills, but that is
// not visible here; confirm before trusting the `if (_nvramImage)` style checks.
IONVRAMV3Handler::IONVRAMV3Handler()
{
}
266
267 bool
isValidImage(const uint8_t * image,IOByteCount length)268 IONVRAMV3Handler::isValidImage(const uint8_t *image, IOByteCount length)
269 {
270 const struct v3_store_header *header = (const struct v3_store_header *)image;
271
272 if ((header == nullptr) || (length < sizeof(*header))) {
273 return false;
274 }
275
276 return valid_store_header(header);
277 }
278
279 IONVRAMV3Handler*
init(IODTNVRAM * provider,const uint8_t * image,IOByteCount length)280 IONVRAMV3Handler::init(IODTNVRAM *provider, const uint8_t *image, IOByteCount length)
281 {
282 OSSharedPtr<IORegistryEntry> entry;
283 OSSharedPtr<OSObject> prop;
284 bool propertiesOk;
285
286 IONVRAMV3Handler *handler = new IONVRAMV3Handler();
287
288 handler->_provider = provider;
289
290 handler->_variableLock = IORWLockAlloc();
291 require(handler->_variableLock != nullptr, exit);
292
293 handler->_controllerLock = IOLockAlloc();
294 require(handler->_controllerLock != nullptr, exit);
295
296 propertiesOk = handler->getNVRAMProperties();
297 require_action(propertiesOk, exit, DEBUG_ERROR("Unable to get NVRAM properties\n"));
298
299 require_action(length == handler->_bankSize, exit, DEBUG_ERROR("length %#llx != _bankSize %#x\n", length, handler->_bankSize));
300
301 if ((image != nullptr) && (length != 0)) {
302 if (handler->unserializeImage(image, length) != kIOReturnSuccess) {
303 DEBUG_ERROR("Unable to unserialize image, len=%#x\n", (unsigned int)length);
304 }
305 }
306
307 return handler;
308
309 exit:
310 delete handler;
311
312 return nullptr;
313 }
314
315 bool
getNVRAMProperties()316 IONVRAMV3Handler::getNVRAMProperties()
317 {
318 bool ok = false;
319 const char *rawControllerKey = "nvram-raw";
320 OSSharedPtr<IORegistryEntry> entry;
321 OSSharedPtr<OSObject> prop;
322 OSData * data;
323
324 require_action(IODTNVRAMFormatHandler::getNVRAMProperties(), exit, DEBUG_ERROR("parent getNVRAMProperties failed\n"));
325
326 entry = IORegistryEntry::fromPath("/chosen", gIODTPlane);
327 require_action(entry, exit, DEBUG_ERROR("Unable to find chosen node\n"));
328
329 prop = entry->copyProperty(rawControllerKey);
330 require_action(prop != nullptr, exit, DEBUG_ERROR("No %s entry\n", rawControllerKey));
331
332 data = OSDynamicCast(OSData, prop.get());
333 require(data != nullptr, exit);
334
335 _rawController = *((uint32_t*)data->getBytesNoCopy());
336 DEBUG_INFO("_rawController = %d\n", _rawController);
337
338 ok = true;
339
340 exit:
341 return ok;
342 }
343
344 IOReturn
flush(const uuid_t guid,IONVRAMOperation op)345 IONVRAMV3Handler::flush(const uuid_t guid, IONVRAMOperation op)
346 {
347 IOReturn ret = kIOReturnSuccess;
348 bool flushSystem;
349 bool flushCommon;
350
351 flushSystem = getSystemPartitionActive() && (uuid_compare(guid, gAppleSystemVariableGuid) == 0);
352 flushCommon = uuid_compare(guid, gAppleNVRAMGuid) == 0;
353
354 DEBUG_INFO("flushSystem=%d, flushCommon=%d\n", flushSystem, flushCommon);
355
356 NVRAMWRITELOCK(_variableLock);
357 if (flushSystem || flushCommon) {
358 const OSSymbol *canonicalKey;
359 OSSharedPtr<OSDictionary> dictCopy;
360 OSSharedPtr<OSCollectionIterator> iter;
361 uuid_string_t uuidString;
362
363 dictCopy = OSDictionary::withDictionary(_varDict.get());
364 iter = OSCollectionIterator::withCollection(dictCopy.get());
365 require_action(dictCopy && iter, exit, ret = kIOReturnNoMemory);
366
367 while ((canonicalKey = OSDynamicCast(OSSymbol, iter->getNextObject()))) {
368 const char *varName;
369 uuid_t varGuid;
370 bool clear;
371
372 parseVariableName(canonicalKey->getCStringNoCopy(), &varGuid, &varName);
373
374 uuid_unparse(varGuid, uuidString);
375
376 clear = ((flushSystem && (uuid_compare(varGuid, gAppleSystemVariableGuid) == 0)) ||
377 (flushCommon && (uuid_compare(varGuid, gAppleSystemVariableGuid) != 0))) &&
378 verifyPermission(op, varGuid, varName, getSystemPartitionActive());
379
380 if (clear) {
381 DEBUG_INFO("Clearing entry for %s:%s\n", uuidString, varName);
382 setVariableInternal(varGuid, varName, nullptr);
383 } else {
384 DEBUG_INFO("Keeping entry for %s:%s\n", uuidString, varName);
385 }
386 }
387
388 _newData = true;
389 }
390
391 DEBUG_INFO("_commonUsed %#x, _systemUsed %#x\n", _commonUsed, _systemUsed);
392
393 exit:
394 NVRAMRWUNLOCK(_variableLock);
395 return ret;
396 }
397
398 IOReturn
reloadInternal(void)399 IONVRAMV3Handler::reloadInternal(void)
400 {
401 IOReturn ret;
402 uint32_t controllerBank;
403 uint8_t *controllerImage;
404 struct nvram_v3_var_entry *v3Entry;
405 const struct v3_store_header *storeHeader;
406 const struct v3_var_header *storeVar;
407 OSData *entryContainer;
408
409 NVRAMLOCKASSERTHELD(_controllerLock);
410
411 controllerBank = findCurrentBank();
412
413 if (_currentBank != controllerBank) {
414 DEBUG_ERROR("_currentBank %#x != controllerBank %#x\n", _currentBank, controllerBank);
415 }
416
417 _currentBank = controllerBank;
418
419 controllerImage = (uint8_t *)IOMallocData(_bankSize);
420
421 _nvramController->select(_currentBank);
422 _nvramController->read(0, controllerImage, _bankSize);
423
424 require_action(isValidImage(controllerImage, _bankSize), exit,
425 (ret = kIOReturnInvalid, DEBUG_ERROR("Invalid image at bank %d\n", _currentBank)));
426
427 DEBUG_INFO("valid image found\n");
428
429 storeHeader = (const struct v3_store_header *)controllerImage;
430
431 _generation = storeHeader->generation;
432
433 // We must sync any existing variables offset on the controller image with our internal representation
434 // If we find an existing entry and the data is still the same we record the existing offset and mark it
435 // as VAR_NEW_STATE_NONE meaning no action needed
436 // Otherwise if the data is different or it is not found on the controller image we mark it as VAR_NEW_STATE_APPEND
437 // which will have us invalidate the existing entry if there is one and append it on the next save
438 NVRAMREADLOCK(_variableLock);
439 for (unsigned int i = 0; i < _varEntries->getCount(); i++) {
440 uint32_t offset = sizeof(struct v3_store_header);
441 uint32_t latestOffset;
442 uint32_t prevOffset = 0;
443
444 entryContainer = (OSDynamicCast(OSData, _varEntries->getObject(i)));
445 v3Entry = (struct nvram_v3_var_entry *)entryContainer->getBytesNoCopy();
446
447 DEBUG_INFO("Looking for %s\n", v3Entry->header.name_data_buf);
448 while ((latestOffset = find_active_var_in_image(&v3Entry->header, controllerImage, offset, _bankSize))) {
449 DEBUG_INFO("Found offset for %s @ %#08x\n", v3Entry->header.name_data_buf, latestOffset);
450 if (prevOffset) {
451 DEBUG_INFO("Marking prev offset for %s at %#08x invalid\n", v3Entry->header.name_data_buf, offset);
452 // Invalidate any previous duplicate entries in the store
453 struct v3_var_header *prevVarHeader = (struct v3_var_header *)(controllerImage + prevOffset);
454 uint8_t state = prevVarHeader->state & VAR_DELETED & VAR_IN_DELETED_TRANSITION;
455
456 ret = _nvramController->write(prevOffset + offsetof(struct v3_var_header, state), &state, sizeof(state));
457 require_noerr_action(ret, unlock, DEBUG_ERROR("existing state w fail, ret=%#x\n", ret));
458 }
459
460 prevOffset = latestOffset;
461 offset += latestOffset;
462 }
463
464 v3Entry->existing_offset = latestOffset ? latestOffset : prevOffset;
465 DEBUG_INFO("Existing offset for %s at %#08zx\n", v3Entry->header.name_data_buf, v3Entry->existing_offset);
466
467 if (v3Entry->existing_offset == 0) {
468 DEBUG_ERROR("%s is not in the NOR image\n", v3Entry->header.name_data_buf);
469 if (v3Entry->new_state != VAR_NEW_STATE_REMOVE) {
470 DEBUG_INFO("%s marked for append\n", v3Entry->header.name_data_buf);
471 // Doesn't exist in the store, just append it on next sync
472 v3Entry->new_state = VAR_NEW_STATE_APPEND;
473 }
474 } else {
475 DEBUG_INFO("Found offset for %s @ %#zx\n", v3Entry->header.name_data_buf, v3Entry->existing_offset);
476 storeVar = (const struct v3_var_header *)&controllerImage[v3Entry->existing_offset];
477
478 if (v3Entry->new_state != VAR_NEW_STATE_REMOVE) {
479 // Verify that the existing data matches the store data
480 if ((variable_length(&v3Entry->header) == variable_length(storeVar)) &&
481 (memcmp(v3Entry->header.name_data_buf, storeVar->name_data_buf, storeVar->nameSize + storeVar->dataSize) == 0)) {
482 DEBUG_INFO("Store var data for %s matches, marking new state none\n", v3Entry->header.name_data_buf);
483 v3Entry->new_state = VAR_NEW_STATE_NONE;
484 } else {
485 DEBUG_INFO("Store var data for %s differs, marking new state append\n", v3Entry->header.name_data_buf);
486 v3Entry->new_state = VAR_NEW_STATE_APPEND;
487 }
488 } else {
489 // Store has entry but it has been removed from our collection, keep it marked for delete but with updated
490 // existing_offset for coherence
491 DEBUG_INFO("Removing entry at %#08zx with next sync\n", v3Entry->existing_offset);
492 }
493 }
494 }
495 ret = find_current_offset_in_image(controllerImage, _bankSize, &_currentOffset);
496 require_noerr_action(ret, unlock, DEBUG_ERROR("Unidentified bytes in image\n"));
497 DEBUG_INFO("New _currentOffset=%#x\n", _currentOffset);
498
499 unlock:
500 NVRAMRWUNLOCK(_variableLock);
501 exit:
502 IOFreeData(controllerImage, _bankSize);
503 return ret;
504 }
505
506 void
reload(void)507 IONVRAMV3Handler::reload(void)
508 {
509 _reload = true;
510
511 DEBUG_INFO("reload marked\n");
512 }
513
514 void
setEntryForRemove(struct nvram_v3_var_entry * v3Entry,bool system)515 IONVRAMV3Handler::setEntryForRemove(struct nvram_v3_var_entry *v3Entry, bool system)
516 {
517 OSSharedPtr<const OSSymbol> canonicalKey;
518 const char *variableName;
519 uint32_t variableSize;
520
521 // Anyone calling setEntryForRemove should've already held the lock for write.
522 NVRAMRWLOCKASSERTEXCLUSIVE(_variableLock);
523
524 require_action(v3Entry != nullptr, exit, DEBUG_INFO("remove with no entry\n"));
525
526 variableName = (const char *)v3Entry->header.name_data_buf;
527 variableSize = (uint32_t)variable_length(&v3Entry->header);
528 canonicalKey = keyWithGuidAndCString(v3Entry->header.guid, variableName);
529
530 if (v3Entry->new_state == VAR_NEW_STATE_REMOVE) {
531 DEBUG_INFO("entry %s already marked for remove\n", variableName);
532 } else {
533 DEBUG_INFO("marking entry %s for remove\n", variableName);
534
535 v3Entry->new_state = VAR_NEW_STATE_REMOVE;
536
537 _varDict->removeObject(canonicalKey.get());
538
539 if (system) {
540 if (_systemUsed < variableSize) {
541 panic("Invalid _systemUsed size\n");
542 }
543 _systemUsed -= variableSize;
544 } else {
545 if (_commonUsed < variableSize) {
546 panic("Invalid _commonUsed size\n");
547 }
548 _commonUsed -= variableSize;
549 }
550
551 if (_provider->_diags) {
552 _provider->_diags->logVariable(getPartitionTypeForGUID(v3Entry->header.guid),
553 kIONVRAMOperationDelete,
554 variableName,
555 nullptr);
556 }
557 }
558
559 exit:
560 return;
561 }
562
563 void
findExistingEntry(const uuid_t varGuid,const char * varName,struct nvram_v3_var_entry ** existing,unsigned int * existingIndex)564 IONVRAMV3Handler::findExistingEntry(const uuid_t varGuid, const char *varName, struct nvram_v3_var_entry **existing, unsigned int *existingIndex)
565 {
566 struct nvram_v3_var_entry *v3Entry = nullptr;
567 OSData *entryContainer = nullptr;
568 unsigned int index = 0;
569 uint32_t nameLen = (uint32_t)strlen(varName) + 1;
570
571 for (index = 0; index < _varEntries->getCount(); index++) {
572 entryContainer = (OSDynamicCast(OSData, _varEntries->getObject(index)));
573 v3Entry = (struct nvram_v3_var_entry *)entryContainer->getBytesNoCopy();
574
575 if ((v3Entry->header.nameSize == nameLen) &&
576 (memcmp(v3Entry->header.name_data_buf, varName, nameLen) == 0)) {
577 if (varGuid) {
578 if (uuid_compare(varGuid, v3Entry->header.guid) == 0) {
579 uuid_string_t uuidString;
580 uuid_unparse(varGuid, uuidString);
581 DEBUG_INFO("found existing entry for %s:%s, e_off=%#lx, len=%#lx, new_state=%#x\n", uuidString, varName,
582 v3Entry->existing_offset, variable_length(&v3Entry->header), v3Entry->new_state);
583 break;
584 }
585 } else {
586 DEBUG_INFO("found existing entry for %s, e_off=%#lx, len=%#lx\n", varName, v3Entry->existing_offset, variable_length(&v3Entry->header));
587 break;
588 }
589 }
590
591 v3Entry = nullptr;
592 }
593
594 if (v3Entry != nullptr) {
595 if (existing) {
596 *existing = v3Entry;
597 }
598
599 if (existingIndex) {
600 *existingIndex = index;
601 }
602 }
603 }
604
605 IOReturn
unserializeImage(const uint8_t * image,IOByteCount length)606 IONVRAMV3Handler::unserializeImage(const uint8_t *image, IOByteCount length)
607 {
608 IOReturn ret = kIOReturnInvalid;
609 const struct v3_store_header *storeHeader;
610
611 require(isValidImage(image, length), exit);
612
613 storeHeader = (const struct v3_store_header *)image;
614 require_action(storeHeader->size == (uint32_t)length, exit,
615 DEBUG_ERROR("Image size %#x != header size %#x\n", (unsigned int)length, storeHeader->size));
616
617 _generation = storeHeader->generation;
618 _systemSize = storeHeader->system_size;
619 _commonSize = storeHeader->common_size - sizeof(struct v3_store_header);
620
621 _systemUsed = 0;
622 _commonUsed = 0;
623
624 if (_nvramImage) {
625 IOFreeData(_nvramImage, _bankSize);
626 }
627
628 _varEntries.reset();
629 _varEntries = OSArray::withCapacity(40);
630
631 _nvramImage = IONewData(uint8_t, length);
632 _bankSize = (uint32_t)length;
633 bcopy(image, _nvramImage, _bankSize);
634
635 ret = kIOReturnSuccess;
636
637 exit:
638 return ret;
639 }
640
// One entry of the ephemeral-data-mode allowlist: a variable name in the
// gAppleNVRAMGuid namespace whose value is preserved across the common-region wipe.
// `value` is filled by handleEphDM() before the wipe and written back afterwards.
typedef struct {
	const char *name;
	OSSharedPtr<OSObject> value;
} ephDMAllowListEntry;
645
// Variables that survive the ephemeral-data-mode wipe of the common region.
// This is a security-relevant policy list: anything named here persists across
// boots on an ephemeral-data-mode device. Static storage means the stashed `value`
// references are retained after handleEphDM() writes them back (it does not clear
// them), so they live until the next run.
static
ephDMAllowListEntry ephDMEntries[] = {
	// Mobile Obliteration clears the following variables after it runs
	{ .name = "oblit-begins" },
	{ .name = "orig-oblit" },
	{ .name = "oblit-failure" },
	{ .name = "oblit-inprogress" },
	{ .name = "obliteration" },
	// darwin-init is used for configuring internal builds
	// NOTE(review): it is preserved on every build that reaches this list, not only
	// internal ones — confirm that is intended.
	{ .name = "darwin-init" }
};
657
658 IOReturn
handleEphDM(void)659 IONVRAMV3Handler::handleEphDM(void)
660 {
661 OSSharedPtr<IORegistryEntry> entry;
662 OSData* data;
663 OSSharedPtr<OSObject> prop;
664 uint32_t ephDM = 0;
665 IOReturn ret = kIOReturnSuccess;
666 OSSharedPtr<const OSSymbol> canonicalKey;
667 uint32_t skip = 0;
668
669 // For ephemeral data mode, NVRAM needs to be cleared on every boot
670 // For system region supported targets, iBoot clears the system region
671 // For other targets, iBoot clears all the persistent variables
672 // So xnu only needs to clear the common region
673 entry = IORegistryEntry::fromPath("/product", gIODTPlane);
674 if (entry) {
675 prop = entry->copyProperty("ephemeral-data-mode");
676 if (prop) {
677 data = OSDynamicCast(OSData, prop.get());
678 if (data) {
679 ephDM = *((uint32_t *)data->getBytesNoCopy());
680 }
681 }
682 }
683
684 require_action(ephDM != 0, exit, DEBUG_ALWAYS("ephemeral-data-mode not supported\n"));
685 require_action(_systemSize != 0, exit, DEBUG_ALWAYS("No system region, no need to clear\n"));
686
687 if (PE_parse_boot_argn("epdm-skip-nvram", &skip, sizeof(skip))) {
688 require_action(!(gInternalBuild && (skip == 1)), exit, DEBUG_ALWAYS("Internal build + epdm-skip-nvram set to true, skip nvram clearing\n"));
689 }
690
691 // Go through the allowlist and stash the values
692 for (uint32_t entry = 0; entry < ARRAY_SIZE(ephDMEntries); entry++) {
693 canonicalKey = keyWithGuidAndCString(gAppleNVRAMGuid, ephDMEntries[entry].name);
694 ephDMEntries[entry].value.reset(OSDynamicCast(OSData, _varDict->getObject(canonicalKey.get())), OSRetain);
695 }
696
697 DEBUG_ALWAYS("Obliterating common region\n");
698 ret = flush(gAppleNVRAMGuid, kIONVRAMOperationObliterate);
699 require_noerr_action(ret, exit, DEBUG_ERROR("Flushing common region failed, ret=%#08x\n", ret));
700
701 // Now write the allowlist variables back
702 for (uint32_t entry = 0; entry < ARRAY_SIZE(ephDMEntries); entry++) {
703 if (ephDMEntries[entry].value.get() == nullptr) {
704 continue;
705 }
706 ret = setVariableInternal(gAppleNVRAMGuid, ephDMEntries[entry].name, ephDMEntries[entry].value.get());
707 require_noerr_action(ret, exit, DEBUG_ERROR("Setting allowlist variable %s failed, ret=%#08x\n", ephDMEntries[entry].name, ret));
708 }
709
710 exit:
711 return ret;
712 }
713
// Builds the in-memory variable model from _nvramImage: walks the record chain after
// the store header, loads every VAR_ADDED record whose data CRC verifies into
// _varEntries and _varDict, accounts its bytes to the system or common usage counter,
// records the first free offset in _currentOffset, then runs the ephemeral-data-mode
// handling and publishes the usage numbers to diagnostics.
// Called with no locks held (handleEphDM() -> flush() takes _variableLock itself).
// The image is treated as untrusted: each record is bounds-checked with
// valid_variable_header() before any of its size fields are used.
IOReturn
IONVRAMV3Handler::unserializeVariables(void)
{
	IOReturn ret = kIOReturnSuccess;
	OSSharedPtr<const OSSymbol> propSymbol;
	OSSharedPtr<OSObject> propObject;
	OSSharedPtr<OSData> entryContainer;
	struct nvram_v3_var_entry *v3Entry;
	const struct v3_var_header *header;
	size_t offset = sizeof(struct v3_store_header);
	uint32_t crc;
	unsigned int i;
	bool system;
	uuid_string_t uuidString;
	size_t existingSize;

	// NOTE(review): _varDict is only created when a region exists, but the loop below
	// stores into it unconditionally for any record it accepts.
	if (_systemSize || _commonSize) {
		_varDict = OSDictionary::withCapacity(1);
	}

	while ((offset + sizeof(struct v3_var_header)) < _bankSize) {
		struct nvram_v3_var_entry *existingEntry = nullptr;
		unsigned int existingIndex = 0;

		header = (const struct v3_var_header *)(_nvramImage + offset);

		// A header-sized span consisting only of 0x00/0xFF bytes is taken as the end of
		// the variable list (erased flash, or an invalidated marker).
		for (i = 0; i < sizeof(struct v3_var_header); i++) {
			if ((_nvramImage[offset + i] != 0) && (_nvramImage[offset + i] != 0xFF)) {
				break;
			}
		}

		if (i == sizeof(struct v3_var_header)) {
			DEBUG_INFO("No more variables after offset %#lx\n", offset);
			break;
		}

		// Malformed header: step forward one header size and try to resynchronise
		// rather than trusting its length fields.
		if (!valid_variable_header(header, _bankSize - offset)) {
			DEBUG_ERROR("invalid header @ %#lx\n", offset);
			offset += sizeof(struct v3_var_header);
			continue;
		}

		uuid_unparse(header->guid, uuidString);
		// %s relies on the name being NUL-terminated within nameSize (as setVariableInternal()
		// writes it); the same assumption is made wherever name_data_buf is used as a C string below.
		DEBUG_INFO("Valid var @ %#08zx, state=%#02x, length=%#08zx, %s:%s\n", offset, header->state,
		    variable_length(header), uuidString, header->name_data_buf);

		// Only fully-added records are loaded; deleted/transitioning/inactive ones are
		// skipped but still stepped over (their bytes are not counted as used here).
		if (header->state != VAR_ADDED) {
			goto skip;
		}

		// The CRC covers the data bytes only (not name, GUID, attributes or state) and is an
		// integrity check against corruption, not authentication: a writer who can modify
		// the image can recompute it.
		crc = crc32(0, header->name_data_buf + header->nameSize, header->dataSize);

		if (crc != header->crc) {
			DEBUG_ERROR("invalid crc @ %#lx, calculated=%#x, read=%#x\n", offset, crc, header->crc);
			goto skip;
		}

		// NOTE(review): the allocation result is not null-checked before the memcpy.
		v3Entry = (struct nvram_v3_var_entry *)IOMallocZeroData(nvram_v3_var_container_size(header));
		__nochk_memcpy(&v3Entry->header, _nvramImage + offset, variable_length(header));

		// It is assumed that the initial image being unserialized here is going to be the proxy data from EDT and not the image
		// read from the controller, which for various reasons due to the setting of states and saves from iBoot, can be
		// different. We will have an initial existing_offset of 0 and once the controller is set we will read
		// out the image there and update the existing offset with what is present on the NOR image
		v3Entry->existing_offset = 0;
		v3Entry->new_state = VAR_NEW_STATE_NONE;

		// safe guard for any strange duplicate entries in the store
		findExistingEntry(v3Entry->header.guid, (const char *)v3Entry->header.name_data_buf, &existingEntry, &existingIndex);

		if (existingEntry != nullptr) {
			// Later record wins: replace the earlier entry in place and flag the store
			// for a reset once the controller is available.
			existingSize = variable_length(&existingEntry->header);

			entryContainer = OSData::withBytes(v3Entry, (uint32_t)nvram_v3_var_container_size(header));
			_varEntries->replaceObject(existingIndex, entryContainer.get());

			DEBUG_INFO("Found existing for %s, resetting when controller available\n", v3Entry->header.name_data_buf);
			_resetData = true;
		} else {
			entryContainer = OSData::withBytes(v3Entry, (uint32_t)nvram_v3_var_container_size(header));
			_varEntries->setObject(entryContainer.get());
			existingSize = 0;
		}

		// Usage accounting: the replaced duplicate's bytes are given back before the new
		// record's bytes are charged to the region chosen by the GUID.
		system = (_systemSize != 0) && (uuid_compare(v3Entry->header.guid, gAppleSystemVariableGuid) == 0);
		if (system) {
			_systemUsed = _systemUsed + (uint32_t)variable_length(header) - (uint32_t)existingSize;
		} else {
			_commonUsed = _commonUsed + (uint32_t)variable_length(header) - (uint32_t)existingSize;
		}

		// The entry stays in _varEntries (and stays accounted) even if it cannot be
		// converted to an object for _varDict.
		if (convertPropToObject(v3Entry->header.name_data_buf, v3Entry->header.nameSize,
		    v3Entry->header.name_data_buf + v3Entry->header.nameSize, v3Entry->header.dataSize,
		    propSymbol, propObject)) {
			OSSharedPtr<const OSSymbol> canonicalKey = keyWithGuidAndCString(v3Entry->header.guid, (const char *)v3Entry->header.name_data_buf);

			DEBUG_INFO("adding %s, dataLength=%u, system=%d\n",
			    canonicalKey->getCStringNoCopy(), v3Entry->header.dataSize, system);

			_varDict->setObject(canonicalKey.get(), propObject.get());

			if (_provider->_diags) {
				_provider->_diags->logVariable(getPartitionTypeForGUID(v3Entry->header.guid),
				    kIONVRAMOperationInit, propSymbol.get()->getCStringNoCopy(),
				    (void *)(uintptr_t)(header->name_data_buf + header->nameSize));
			}
		}
		// OSData::withBytes() copied the entry, so the scratch allocation is released here.
		IOFreeData(v3Entry, nvram_v3_var_container_size(header));
skip:
		offset += variable_length(header);
	}

	// First byte after the last record walked; where the next append goes.
	_currentOffset = (uint32_t)offset;

	DEBUG_ALWAYS("_commonSize %#x, _systemSize %#x, _currentOffset %#x\n", _commonSize, _systemSize, _currentOffset);

	// NOTE(review): a failure in the ephemeral-data-mode handling (e.g. the allowlist
	// write-back returning kIOReturnNoSpace) panics the kernel at boot.
	ret = handleEphDM();
	verify_noerr_action(ret, panic("handleEphDM failed with ret=%08x", ret));

	DEBUG_INFO("_commonUsed %#x, _systemUsed %#x\n", _commonUsed, _systemUsed);

	_newData = true;

	if (_provider->_diags) {
		OSSharedPtr<OSNumber> val = OSNumber::withNumber(getSystemUsed(), 32);
		_provider->_diags->setProperty(kNVRAMSystemUsedKey, val.get());
		DEBUG_INFO("%s=%u\n", kNVRAMSystemUsedKey, getSystemUsed());

		val = OSNumber::withNumber(getCommonUsed(), 32);
		_provider->_diags->setProperty(kNVRAMCommonUsedKey, val.get());
		DEBUG_INFO("%s=%u\n", kNVRAMCommonUsedKey, getCommonUsed());
	}

	return ret;
}
850
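// Stores (object != nullptr) or removes (object == nullptr) one variable in the
// in-memory entry list and dictionary. Space accounting against the system or
// common region happens here; nothing is written to the controller until sync().
//
// varGuid       - region/namespace GUID; equal to gAppleSystemVariableGuid selects
//                 the system region, anything else the common region.
// variableName  - NUL-terminated variable name.
// object        - new value, or nullptr to remove the variable.
//
// Returns kIOReturnSuccess, kIOReturnNoSpace when the target region would
// overflow, or kIOReturnNoMemory when an allocation fails.
// Caller must hold _variableLock for write.
IOReturn
IONVRAMV3Handler::setVariableInternal(const uuid_t varGuid, const char *variableName, OSObject *object)
{
	struct nvram_v3_var_entry *v3Entry = nullptr;
	struct nvram_v3_var_entry *newV3Entry = nullptr;
	OSSharedPtr<OSData> newContainer;
	OSSharedPtr<const OSSymbol> canonicalKey;
	bool unset = (object == nullptr);
	bool system = false;
	IOReturn ret = kIOReturnSuccess;
	size_t entryNameLen = strlen(variableName) + 1;
	unsigned int existingEntryIndex = 0;
	uint32_t dataSize = 0;
	size_t existingVariableSize = 0;
	size_t newVariableSize = 0;
	size_t newEntrySize = 0;
	uuid_string_t uuidString;

	// Anyone calling setVariableInternal should've already held the lock for write.
	NVRAMRWLOCKASSERTEXCLUSIVE(_variableLock);

	system = (uuid_compare(varGuid, gAppleSystemVariableGuid) == 0);
	canonicalKey = keyWithGuidAndCString(varGuid, variableName);

	uuid_unparse(varGuid, uuidString);
	DEBUG_INFO("setting %s:%s, system=%d, current var count=%u\n", uuidString, variableName, system, _varEntries->getCount());

	// existingEntryIndex is only meaningful when v3Entry comes back non-null.
	findExistingEntry(varGuid, variableName, &v3Entry, &existingEntryIndex);

	if (unset == true) {
		setEntryForRemove(v3Entry, system);
	} else {
		if ((v3Entry != nullptr) && (v3Entry->new_state != VAR_NEW_STATE_REMOVE)) {
			// Sizing was subtracted in setEntryForRemove
			existingVariableSize = variable_length(&v3Entry->header);
		}

		// Sizing pass: a null buffer only reports the encoded data length.
		convertObjectToProp(nullptr, &dataSize, variableName, object);

		newVariableSize = sizeof(struct v3_var_header) + entryNameLen + dataSize;
		newEntrySize = sizeof(struct nvram_v3_var_entry) + entryNameLen + dataSize;

		// Replacing an entry frees its old size, so account for the delta.
		if (system) {
			if (_systemUsed - existingVariableSize + newVariableSize > _systemSize) {
				DEBUG_ERROR("system region full\n");
				ret = kIOReturnNoSpace;
				goto exit;
			}
		} else if (_commonUsed - existingVariableSize + newVariableSize > _commonSize) {
			DEBUG_ERROR("common region full\n");
			ret = kIOReturnNoSpace;
			goto exit;
		}

		DEBUG_INFO("creating new entry for %s, existingVariableSize=%#zx, newVariableSize=%#zx\n", variableName, existingVariableSize, newVariableSize);
		newV3Entry = (struct nvram_v3_var_entry *)IOMallocZeroData(newEntrySize);
		// An allocation failure previously fell through into the memcpy below.
		require_action(newV3Entry != nullptr, exit, ret = kIOReturnNoMemory);

		// Layout of name_data_buf: NUL-terminated name, immediately followed by the data.
		memcpy(newV3Entry->header.name_data_buf, variableName, entryNameLen);
		convertObjectToProp(newV3Entry->header.name_data_buf + entryNameLen, &dataSize, variableName, object);

		newV3Entry->header.startId = VARIABLE_DATA;
		newV3Entry->header.nameSize = (uint32_t)entryNameLen;
		newV3Entry->header.dataSize = dataSize;
		// CRC covers only the data bytes, not the name.
		newV3Entry->header.crc = crc32(0, newV3Entry->header.name_data_buf + entryNameLen, dataSize);
		memcpy(newV3Entry->header.guid, varGuid, sizeof(gAppleNVRAMGuid));
		newV3Entry->new_state = VAR_NEW_STATE_APPEND;

		if (v3Entry) {
			// Carry over where the previous copy lives so sync can invalidate it.
			newV3Entry->existing_offset = v3Entry->existing_offset;
			newV3Entry->header.state = v3Entry->header.state;
			newV3Entry->header.attributes = v3Entry->header.attributes;
		}

		newContainer = OSData::withBytes(newV3Entry, (uint32_t)newEntrySize);
		// Without this check a null container would silently be dropped by the
		// array while the dictionary below was still updated.
		require_action(newContainer != nullptr, exit, ret = kIOReturnNoMemory);

		if (v3Entry) {
			_varEntries->replaceObject(existingEntryIndex, newContainer.get());
		} else {
			_varEntries->setObject(newContainer.get());
		}

		if (system) {
			_systemUsed = _systemUsed + (uint32_t)newVariableSize - (uint32_t)existingVariableSize;
		} else {
			_commonUsed = _commonUsed + (uint32_t)newVariableSize - (uint32_t)existingVariableSize;
		}

		_varDict->setObject(canonicalKey.get(), object);

		if (_provider->_diags) {
			_provider->_diags->logVariable(getPartitionTypeForGUID(varGuid),
			    kIONVRAMOperationWrite, variableName,
			    (void *)(uintptr_t)dataSize);
		}
	}

exit:
	// The scratch entry is always released here, on success and on every error path.
	if (newV3Entry != nullptr) {
		IOFreeData(newV3Entry, newEntrySize);
	}

	// Set on every path, including failures, exactly as before.
	_newData = true;

	if (_provider->_diags) {
		OSSharedPtr<OSNumber> val = OSNumber::withNumber(getSystemUsed(), 32);
		_provider->_diags->setProperty(kNVRAMSystemUsedKey, val.get());

		val = OSNumber::withNumber(getCommonUsed(), 32);
		_provider->_diags->setProperty(kNVRAMCommonUsedKey, val.get());
	}

	DEBUG_INFO("_commonUsed %#x, _systemUsed %#x\n", _commonUsed, _systemUsed);

	return ret;
}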
962
// Public entry point for storing or removing a variable. Maps the caller's GUID
// onto the region the variable actually lives in, then delegates to
// setVariableInternal under the write lock.
//
// varGuid      - GUID supplied by the caller.
// variableName - NUL-terminated variable name; the reserved name "reclaim-int"
//                triggers a bank reclaim instead of a store.
// object       - new value, or nullptr to remove.
//
// Returns the result of reclaim() or setVariableInternal().
IOReturn
IONVRAMV3Handler::setVariable(const uuid_t varGuid, const char *variableName, OSObject *object)
{
	uuid_t destGuid;
	IOReturn ret = kIOReturnError;

	if (strcmp(variableName, "reclaim-int") == 0) {
		NVRAMLOCK(_controllerLock);
		ret = reclaim();
		NVRAMUNLOCK(_controllerLock);
		return ret;
	}

	const bool systemRegionActive = getSystemPartitionActive();
	// Either an explicit system GUID or a name on the system allow list is
	// forced into the system namespace.
	const bool wantsSystem = (uuid_compare(varGuid, gAppleSystemVariableGuid) == 0) || variableInAllowList(variableName);

	if (!wantsSystem) {
		uuid_copy(destGuid, varGuid);
	} else if (systemRegionActive) {
		uuid_copy(destGuid, gAppleSystemVariableGuid);
	} else {
		// No system region: system variables are stored under the common GUID.
		uuid_copy(destGuid, gAppleNVRAMGuid);
	}

	NVRAMWRITELOCK(_variableLock);
	ret = setVariableInternal(destGuid, variableName, object);
	NVRAMRWUNLOCK(_variableLock);

	return ret;
}
999
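// Scans every bank and picks the one with a valid store header and the highest
// generation counter. On equal generations the later bank wins. Returns bank 0
// when no bank holds a valid header.
//
// Caller must hold _controllerLock.
uint32_t
IONVRAMV3Handler::findCurrentBank(void)
{
	struct v3_store_header storeHeader = {};
	uint32_t maxGen = 0;
	uint32_t currentBank = 0;
	IOReturn ret;

	NVRAMLOCKASSERTHELD(_controllerLock);

	for (unsigned int i = 0; i < _bankCount; i++) {
		ret = _nvramController->select(i);
		if (ret != kIOReturnSuccess) {
			DEBUG_ERROR("select of bank %#x failed, ret=%#x\n", i, ret);
			continue;
		}

		// Clear before each read so a failed read cannot leave the previous
		// bank's header (or uninitialized stack bytes) to be validated as this bank.
		memset(&storeHeader, 0, sizeof(storeHeader));
		ret = _nvramController->read(0, (uint8_t *)&storeHeader, sizeof(storeHeader));
		if (ret != kIOReturnSuccess) {
			DEBUG_ERROR("read of bank %#x header failed, ret=%#x\n", i, ret);
			continue;
		}

		if (valid_store_header(&storeHeader) && (storeHeader.generation >= maxGen)) {
			currentBank = i;
			maxGen = storeHeader.generation;
		}
	}

	DEBUG_ALWAYS("currentBank=%#x, gen=%#x\n", currentBank, maxGen);

	return currentBank;
}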
1023
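// Attaches the NVRAM controller and brings the store into a usable state: a
// pending reset forces a reclaim, otherwise the store is reloaded and a reclaim
// is attempted only if the reload fails.
//
// controller - controller to use; ignored if one is already attached.
//
// Returns true on success. Returns true without touching the store when
// _bankSize is still 0 (size information not available yet).
bool
IONVRAMV3Handler::setController(IONVRAMController *controller)
{
	IOReturn ret = kIOReturnSuccess;

	NVRAMLOCK(_controllerLock);

	// First controller wins; a later call does not replace it.
	if (_nvramController == nullptr) {
		_nvramController = controller;
	}

	// Guard the dereference below: a null controller used to crash here.
	require_action(_nvramController != nullptr, exit, ret = kIOReturnBadArgument);

	DEBUG_INFO("Controller name: %s\n", _nvramController->getName());

	require(_bankSize != 0, exit);

	if (_resetData) {
		_resetData = false;
		DEBUG_ERROR("_resetData set, issuing reclaim recovery\n");
		goto reclaim;
	}

	if (reloadInternal() == kIOReturnSuccess) {
		goto exit;
	}

reclaim:
	ret = reclaim();
	require_noerr_action(ret, exit, DEBUG_ERROR("Reclaim recovery failed, invalid controller state!!! ret=%#x\n", ret));
exit:
	NVRAMUNLOCK(_controllerLock);
	return ret == kIOReturnSuccess;
}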
1056
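// Rebuilds the store into the next bank: every live entry (NONE or APPEND) is
// re-laid out contiguously after a store header carrying a bumped generation,
// entries marked REMOVE are dropped, and the result is written in one go.
//
// Returns kIOReturnSuccess, kIOReturnNoMemory, kIOReturnNoSpace when the live
// entries do not fit in one bank, or the controller write error.
// Caller must hold _controllerLock. Takes _variableLock for read.
//
// Note: the target bank is erased and _currentBank advanced before the entries
// are processed, so a failure after that point leaves the store in a state the
// caller has to treat as needing recovery.
IOReturn
IONVRAMV3Handler::reclaim(void)
{
	IOReturn ret;
	struct v3_store_header newStoreHeader;
	struct v3_var_header *varHeader;
	struct nvram_v3_var_entry *varEntry;
	OSData *entryContainer;
	size_t new_bank_offset = sizeof(struct v3_store_header);
	uint32_t next_bank = (_currentBank + 1) % _bankCount;
	uint8_t *bankData;
	OSSharedPtr<OSArray> remainingEntries;

	DEBUG_INFO("called\n");
	NVRAMLOCKASSERTHELD(_controllerLock);

	// Only the first new_bank_offset bytes are ever written, so the buffer
	// does not need to be zeroed.
	bankData = (uint8_t *)IOMallocData(_bankSize);
	require_action(bankData != nullptr, exit, ret = kIOReturnNoMemory);

	ret = _nvramController->select(next_bank);
	verify_noerr_action(ret, DEBUG_INFO("select of bank %#08x failed\n", next_bank));

	ret = _nvramController->eraseBank();
	verify_noerr_action(ret, DEBUG_INFO("eraseBank failed, ret=%#08x\n", ret));

	_currentBank = next_bank;

	NVRAMREADLOCK(_variableLock);

	remainingEntries = OSArray::withCapacity(_varEntries->getCapacity());
	require_action(remainingEntries != nullptr, unlock, ret = kIOReturnNoMemory);

	for (unsigned int i = 0; i < _varEntries->getCount(); i++) {
		entryContainer = OSDynamicCast(OSData, _varEntries->getObject(i));
		varEntry = (struct nvram_v3_var_entry *)entryContainer->getBytesNoCopy();
		varHeader = &varEntry->header;

		DEBUG_INFO("entry %u %s, new_state=%#x, e_offset=%#lx, state=%#x\n",
		    i, varEntry->header.name_data_buf, varEntry->new_state, varEntry->existing_offset, varHeader->state);

		if ((varEntry->new_state == VAR_NEW_STATE_NONE) ||
		    (varEntry->new_state == VAR_NEW_STATE_APPEND)) {
			size_t varSize = variable_length(varHeader);

			// Never let the rebuilt image outgrow the bank buffer.
			if (new_bank_offset + varSize > _bankSize) {
				DEBUG_ERROR("entry %u does not fit in bank, offset=%#zx size=%#zx\n", i, new_bank_offset, varSize);
				ret = kIOReturnNoSpace;
				goto unlock;
			}

			varHeader->state = VAR_ADDED;

			memcpy(bankData + new_bank_offset, (uint8_t *)varHeader, varSize);

			// The entry now lives at new_bank_offset in the new bank.
			varEntry->new_state = VAR_NEW_STATE_NONE;
			varEntry->existing_offset = new_bank_offset;
			new_bank_offset += varSize;

			remainingEntries->setObject(entryContainer);
		} else {
			// entryContainer not added to remainingEntries, entry dropped
		}
	}

	// Reuse the existing store header, only the generation changes.
	memcpy(&newStoreHeader, _nvramImage, sizeof(newStoreHeader));

	_generation += 1;

	newStoreHeader.generation = _generation;

	memcpy(bankData, (uint8_t *)&newStoreHeader, sizeof(newStoreHeader));

	ret = _nvramController->write(0, bankData, new_bank_offset);
	require_noerr_action(ret, unlock, DEBUG_ERROR("reclaim bank write failed, ret=%08x\n", ret));

	_currentOffset = (uint32_t)new_bank_offset;

	DEBUG_INFO("Reclaim complete, _currentBank=%u _generation=%u, _currentOffset=%#x\n", _currentBank, _generation, _currentOffset);

	_newData = false;
	_varEntries.reset(remainingEntries.get(), OSRetain);

unlock:
	NVRAMRWUNLOCK(_variableLock);
exit:
	IOFreeData(bankData, _bankSize);

	return ret;
}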
1137
// Sums the on-store length of every entry that still has to be appended
// (new_state == VAR_NEW_STATE_APPEND). Used by syncRaw to decide whether the
// pending writes fit in the current bank.
//
// Caller must hold _variableLock.
size_t
IONVRAMV3Handler::getAppendSize(void)
{
	size_t appendSize = 0;

	NVRAMRWLOCKASSERTHELD(_variableLock);

	for (unsigned int idx = 0; idx < _varEntries->getCount(); idx++) {
		OSData *container = OSDynamicCast(OSData, _varEntries->getObject(idx));
		struct nvram_v3_var_entry *entry = (struct nvram_v3_var_entry *)container->getBytesNoCopy();

		if (entry->new_state != VAR_NEW_STATE_APPEND) {
			continue;
		}

		appendSize += variable_length(&entry->header);
	}

	return appendSize;
}
1160
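// Sync path for raw (byte-addressable) controllers. When the pending entries
// fit after _currentOffset, they are appended in one write and the superseded
// or removed copies are invalidated in place by clearing state bits; otherwise
// the whole store is rebuilt via reclaim().
//
// Returns kIOReturnSuccess (also when there is nothing to do),
// kIOReturnNoMemory, a controller write error, or the result of reclaim().
// Caller must hold _controllerLock. Takes _variableLock for read.
IOReturn
IONVRAMV3Handler::syncRaw(void)
{
	IOReturn ret = kIOReturnSuccess;
	struct nvram_v3_var_entry *varEntry;
	struct v3_var_header *varHeader;
	OSData *entryContainer;
	OSSharedPtr<OSArray> remainingEntries;
	uint8_t *appendBuffer = nullptr;
	size_t appendBufferOffset = 0;
	size_t *invalidateOffsets = nullptr;
	size_t invalidateOffsetsCount = 0;
	size_t invalidateOffsetIndex = 0;

	require_action(_nvramController != nullptr, exit, DEBUG_INFO("No _nvramController\n"));
	require_action(_newData == true, exit, DEBUG_INFO("No _newData to sync\n"));
	require_action(_bankSize != 0, exit, DEBUG_INFO("No nvram size info\n"));

	NVRAMREADLOCK(_variableLock);
	DEBUG_INFO("_varEntries->getCount()=%#x\n", _varEntries->getCount());

	if (getAppendSize() + _currentOffset < _bankSize) {
		// No reclaim, build append and invalidate list
		remainingEntries = OSArray::withCapacity(_varEntries->getCapacity());
		require_action(remainingEntries != nullptr, unlock, ret = kIOReturnNoMemory);

		// Bounded by the size check above: appendBufferOffset stays below _bankSize.
		appendBuffer = (uint8_t *)IOMallocData(_bankSize);
		require_action(appendBuffer, unlock, ret = kIOReturnNoMemory);

		// One slot per entry is the upper bound on offsets to invalidate. Skip
		// the allocation when there are no entries so an empty store is not
		// reported as an out-of-memory condition.
		invalidateOffsetsCount = _varEntries->getCount();
		if (invalidateOffsetsCount > 0) {
			invalidateOffsets = (size_t *)IOMallocData(invalidateOffsetsCount * sizeof(size_t));
			require_action(invalidateOffsets, unlock, ret = kIOReturnNoMemory);
		}

		for (unsigned int i = 0; i < _varEntries->getCount(); i++) {
			entryContainer = OSDynamicCast(OSData, _varEntries->getObject(i));
			varEntry = (struct nvram_v3_var_entry *)entryContainer->getBytesNoCopy();
			varHeader = &varEntry->header;

			DEBUG_INFO("entry %s, new_state=%#02x state=%#02x, existing_offset=%#zx\n",
			    varEntry->header.name_data_buf, varEntry->new_state, varEntry->header.state, varEntry->existing_offset);

			if (varEntry->new_state == VAR_NEW_STATE_APPEND) {
				size_t varSize = variable_length(varHeader);
				size_t prevOffset = varEntry->existing_offset;

				varHeader->state = VAR_ADDED;
				varEntry->existing_offset = _currentOffset + appendBufferOffset;
				varEntry->new_state = VAR_NEW_STATE_NONE;

				DEBUG_INFO("Appending %s in append buffer offset %#zx, actual offset %#zx, prevOffset %#zx, varsize=%#zx\n",
				    varEntry->header.name_data_buf, appendBufferOffset, varEntry->existing_offset, prevOffset, varSize);

				// Write to append buffer
				memcpy(appendBuffer + appendBufferOffset, (uint8_t *)varHeader, varSize);
				appendBufferOffset += varSize;

				// A previous copy of this variable lives in the bank at prevOffset;
				// queue it for invalidation. existing_offset is a bank offset, not
				// a pointer, and must never be dereferenced here (the former
				// invalidatedSize accumulator cast it to a header pointer and was
				// never read).
				if (prevOffset) {
					invalidateOffsets[invalidateOffsetIndex++] = prevOffset;
				}

				remainingEntries->setObject(entryContainer);
			} else if (varEntry->new_state == VAR_NEW_STATE_REMOVE) {
				if (varEntry->existing_offset) {
					DEBUG_INFO("marking entry at offset %#lx deleted\n", varEntry->existing_offset);

					invalidateOffsets[invalidateOffsetIndex++] = varEntry->existing_offset;
				} else {
					DEBUG_INFO("No existing_offset , removing\n");
				}

				// not re-added to remainingEntries
			} else {
				DEBUG_INFO("skipping\n");
				remainingEntries->setObject(entryContainer);
			}
		}

		if (appendBufferOffset > 0) {
			// Write appendBuffer
			DEBUG_INFO("Appending append buffer size=%#zx at offset=%#x\n", appendBufferOffset, _currentOffset);
			ret = _nvramController->write(_currentOffset, appendBuffer, appendBufferOffset);
			require_noerr_action(ret, unlock, DEBUG_ERROR("could not re-append, ret=%#x\n", ret));

			_currentOffset += appendBufferOffset;
		} else {
			DEBUG_INFO("No entries to append\n");
		}

		if (invalidateOffsetIndex > 0) {
			// Invalidate Entries
			for (unsigned int i = 0; i < invalidateOffsetIndex; i++) {
				// Clearing these bits marks the on-store copy obsolete without
				// rewriting the rest of the entry.
				uint8_t state = VAR_ADDED & VAR_DELETED & VAR_IN_DELETED_TRANSITION;

				ret = _nvramController->write(invalidateOffsets[i] + offsetof(struct v3_var_header, state), &state, sizeof(state));
				require_noerr_action(ret, unlock, DEBUG_ERROR("unable to invalidate at offset %#zx, ret=%#x\n", invalidateOffsets[i], ret));
				DEBUG_INFO("Invalidated entry at offset=%#zx\n", invalidateOffsets[i]);
			}
		} else {
			DEBUG_INFO("No entries to invalidate\n");
		}

		_newData = false;
		_varEntries.reset(remainingEntries.get(), OSRetain);
unlock:
		NVRAMRWUNLOCK(_variableLock);
	} else {
		// Will need to reclaim, rebuild store and write everything at once
		NVRAMRWUNLOCK(_variableLock);
		ret = reclaim();
	}

exit:
	IOFreeData(appendBuffer, _bankSize);
	IOFreeData(invalidateOffsets, invalidateOffsetsCount * sizeof(size_t));

	return ret;
}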
1280
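// Sync path for block controllers: the whole store is rebuilt into the next
// bank (header with bumped generation, then every non-removed entry) and the
// complete bank image is written and synced.
//
// Returns kIOReturnSuccess (also when there is nothing to do),
// kIOReturnNoMemory, kIOReturnNoSpace when the entries do not fit in one
// bank, or the controller write error. As before, a failed bank write is
// only logged and the in-memory state is still committed; ret carries the
// error back to sync().
// Caller must hold _controllerLock. Takes _variableLock for read.
IOReturn
IONVRAMV3Handler::syncBlock(void)
{
	IOReturn ret = kIOReturnSuccess;
	struct v3_store_header newStoreHeader;
	struct v3_var_header *varHeader;
	struct nvram_v3_var_entry *varEntry;
	OSData *entryContainer;
	size_t new_bank_offset = sizeof(struct v3_store_header);
	uint8_t *block = nullptr;
	OSSharedPtr<OSArray> remainingEntries;
	uint32_t next_bank = (_currentBank + 1) % _bankCount;

	DEBUG_INFO("called\n");

	require_action(_nvramController != nullptr, exit, DEBUG_INFO("No _nvramController\n"));
	require_action(_newData == true, exit, DEBUG_INFO("No _newData to sync\n"));
	require_action(_bankSize != 0, exit, DEBUG_INFO("No nvram size info\n"));

	// The full _bankSize buffer is written to the controller below, so it must
	// be zero-filled: the bytes after the last entry must not carry whatever
	// heap contents the allocation happened to reuse.
	block = (uint8_t *)IOMallocZeroData(_bankSize);
	require_action(block != nullptr, exit, ret = kIOReturnNoMemory);

	NVRAMREADLOCK(_variableLock);
	remainingEntries = OSArray::withCapacity(_varEntries->getCapacity());
	require_action(remainingEntries != nullptr, unlock, ret = kIOReturnNoMemory);

	ret = _nvramController->select(next_bank);
	verify_noerr_action(ret, DEBUG_INFO("select of bank %#x failed\n", next_bank));

	ret = _nvramController->eraseBank();
	verify_noerr_action(ret, DEBUG_INFO("eraseBank failed, ret=%#08x\n", ret));

	_currentBank = next_bank;

	// Reuse the existing store header, only the generation changes.
	memcpy(&newStoreHeader, _nvramImage, sizeof(newStoreHeader));

	_generation += 1;

	newStoreHeader.generation = _generation;

	memcpy(block, (uint8_t *)&newStoreHeader, sizeof(newStoreHeader));

	for (unsigned int i = 0; i < _varEntries->getCount(); i++) {
		entryContainer = OSDynamicCast(OSData, _varEntries->getObject(i));
		varEntry = (struct nvram_v3_var_entry *)entryContainer->getBytesNoCopy();
		varHeader = &varEntry->header;

		DEBUG_INFO("entry %u %s, new_state=%#x, e_offset=%#lx, state=%#x\n",
		    i, varEntry->header.name_data_buf, varEntry->new_state, varEntry->existing_offset, varHeader->state);

		if (varEntry->new_state != VAR_NEW_STATE_REMOVE) {
			size_t varSize = variable_length(varHeader);

			// Never write past the end of the bank buffer.
			if (new_bank_offset + varSize > _bankSize) {
				DEBUG_ERROR("entry %u does not fit in bank, offset=%#zx size=%#zx\n", i, new_bank_offset, varSize);
				ret = kIOReturnNoSpace;
				goto unlock;
			}

			varHeader->state = VAR_ADDED;

			memcpy(block + new_bank_offset, (uint8_t *)varHeader, varSize);

			varEntry->existing_offset = new_bank_offset;
			new_bank_offset += varSize;
			varEntry->new_state = VAR_NEW_STATE_NONE;

			remainingEntries->setObject(entryContainer);
		} else {
			DEBUG_INFO("Dropping %s\n", varEntry->header.name_data_buf);
		}
	}

	ret = _nvramController->write(0, block, _bankSize);
	verify_noerr_action(ret, DEBUG_ERROR("w fail, ret=%#x\n", ret));

	_nvramController->sync();

	_varEntries.reset(remainingEntries.get(), OSRetain);
	_newData = false;

	DEBUG_INFO("Save complete, _generation=%u\n", _generation);

unlock:
	NVRAMRWUNLOCK(_variableLock);
exit:
	if (block != nullptr) {
		IOFreeData(block, _bankSize);
	}
	return ret;
}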
1361
// Flushes pending in-memory changes to the controller. A pending reload is
// serviced first (falling back to reclaim if it fails); raw controllers then
// go through syncRaw with reclaim as the recovery step, block controllers
// through syncBlock.
//
// Returns the result of the last step that ran.
IOReturn
IONVRAMV3Handler::sync(void)
{
	IOReturn ret = kIOReturnSuccess;

	NVRAMLOCK(_controllerLock);

	if (_reload) {
		ret = reloadInternal();
		if (ret != kIOReturnSuccess) {
			DEBUG_ERROR("Reload failed, ret=%#x, reclaiming\n", ret);
			ret = reclaim();
			require_noerr_action(ret, exit, DEBUG_ERROR("Reclaim recovery failed, ret=%#x\n", ret));
		}
		_reload = false;
	}

	ret = _rawController ? syncRaw() : syncBlock();

	// Only the raw path has a recovery step; a failed block sync is reported as-is.
	if (_rawController && (ret != kIOReturnSuccess)) {
		ret = reclaim();
		require_noerr_action(ret, exit, DEBUG_ERROR("Reclaim recovery failed, ret=%#x\n", ret));
	}

exit:
	NVRAMUNLOCK(_controllerLock);
	return ret;
}
1394
// Returns the generation counter of the store header currently in use; it is
// bumped every time a bank is rebuilt.
uint32_t
IONVRAMV3Handler::getGeneration(void) const
{
	return this->_generation;
}
1400
// Returns the store format version this handler implements (always V3).
uint32_t
IONVRAMV3Handler::getVersion(void) const
{
	const uint32_t version = kNVRAMVersion3;
	return version;
}
1406
// Returns the number of bytes currently accounted to the system region.
uint32_t
IONVRAMV3Handler::getSystemUsed(void) const
{
	return this->_systemUsed;
}
1412
// Returns the number of bytes currently accounted to the common region.
uint32_t
IONVRAMV3Handler::getCommonUsed(void) const
{
	return this->_commonUsed;
}
1418
// A system region exists exactly when it was given a non-zero size.
bool
IONVRAMV3Handler::getSystemPartitionActive(void) const
{
	return this->_systemSize ? true : false;
}
1424
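// Copies `size` bytes of `src` into `buffer` when a buffer was supplied and it
// is large enough. A null buffer means the caller only wants the size and
// always succeeds.
static bool
copy_prop_bytes(uint8_t *buffer, const uint32_t *length, const void *src, uint32_t size)
{
	if (buffer == nullptr) {
		return true;
	}
	if (*length < size) {
		return false;
	}
	memcpy(buffer, src, size);
	return true;
}

// Serializes an OSObject into the byte form stored for a variable of
// propName's type: booleans as "true"/"false", numbers as decimal below 1000,
// "-1" for 0xFFFFFFFF and "%#x" otherwise, strings and data as raw bytes (no
// terminator).
//
// buffer     - destination, or nullptr to only compute the size.
// length     - in: capacity of buffer (ignored when buffer is null);
//              out: encoded size, left untouched on failure.
// propName   - variable name, used to look up the variable type.
// propObject - value to encode; must match the expected type.
//
// Returns true when the object matched the type and produced at least one
// byte (and fit in buffer when one was given); false otherwise.
bool
IONVRAMV3Handler::convertObjectToProp(uint8_t *buffer, uint32_t *length,
    const char *propName, OSObject *propObject)
{
	uint32_t offset;
	IONVRAMVariableType propType;
	OSBoolean *tmpBoolean = nullptr;
	OSNumber *tmpNumber = nullptr;
	OSString *tmpString = nullptr;
	OSData *tmpData = nullptr;

	propType = getVariableType(propName);

	// Get the size of the data.
	offset = 0;
	switch (propType) {
	case kOFVariableTypeBoolean:
		tmpBoolean = OSDynamicCast(OSBoolean, propObject);
		if (tmpBoolean != nullptr) {
			const char *bool_buf = tmpBoolean->getValue() ? "true" : "false";

			offset = (uint32_t)strlen(bool_buf);
			if (!copy_prop_bytes(buffer, length, bool_buf, offset)) {
				return false;
			}
		}
		break;

	case kOFVariableTypeNumber:
		tmpNumber = OSDynamicCast(OSNumber, propObject);
		if (tmpNumber != nullptr) {
			// Largest form is "0xffffffff" (10 chars) plus terminator.
			char num_buf[12];
			int written;
			uint32_t tmpValue = tmpNumber->unsigned32BitValue();
			if (tmpValue == 0xFFFFFFFF) {
				written = snprintf(num_buf, sizeof(num_buf), "-1");
			} else if (tmpValue < 1000) {
				// %u: the argument is unsigned (the former %d mismatched the type).
				written = snprintf(num_buf, sizeof(num_buf), "%u", tmpValue);
			} else {
				written = snprintf(num_buf, sizeof(num_buf), "%#x", tmpValue);
			}

			offset = (uint32_t)written;
			if (!copy_prop_bytes(buffer, length, num_buf, offset)) {
				return false;
			}
		}
		break;

	case kOFVariableTypeString:
		tmpString = OSDynamicCast(OSString, propObject);
		if (tmpString != nullptr) {
			offset = tmpString->getLength();
			if (!copy_prop_bytes(buffer, length, tmpString->getCStringNoCopy(), offset)) {
				return false;
			}
		}
		break;

	case kOFVariableTypeData:
		tmpData = OSDynamicCast(OSData, propObject);
		if (tmpData != nullptr) {
			offset = tmpData->getLength();
			if (!copy_prop_bytes(buffer, length, tmpData->getBytesNoCopy(), offset)) {
				return false;
			}
		}
		break;

	default:
		return false;
	}

	*length = offset;

	// A type mismatch or an empty value both report 0 bytes and fail.
	return offset != 0;
}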
1526
1527
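// Builds the OSObject for a variable read out of the store. The object type is
// chosen from the variable name: "true"/"false" become the OSBoolean
// constants, numbers are parsed with base auto-detection (so "-1" round-trips
// to 0xFFFFFFFF as a 32-bit OSNumber), strings become OSString, everything
// else OSData.
//
// propName       - variable name bytes; assumed NUL-terminated, propNameLength
//                  is not consulted (unchanged from the original behaviour).
// propNameLength - length of propName.
// propData       - variable data; a length-delimited slice, not necessarily
//                  NUL-terminated.
// propDataLength - length of propData.
// propSymbol     - out: symbol for the name, set only on success.
// propObject     - out: decoded value, set only on success.
//
// Returns true when both outputs were produced.
bool
IONVRAMV3Handler::convertPropToObject(const uint8_t *propName, uint32_t propNameLength,
    const uint8_t *propData, uint32_t propDataLength,
    OSSharedPtr<const OSSymbol>& propSymbol,
    OSSharedPtr<OSObject>& propObject)
{
	OSSharedPtr<const OSSymbol> tmpSymbol;
	OSSharedPtr<OSNumber> tmpNumber;
	OSSharedPtr<OSString> tmpString;
	OSSharedPtr<OSObject> tmpObject = nullptr;
	const size_t trueLen = sizeof("true") - 1;
	const size_t falseLen = sizeof("false") - 1;

	tmpSymbol = OSSymbol::withCString((const char *)propName);

	if (tmpSymbol == nullptr) {
		return false;
	}

	switch (getVariableType(tmpSymbol.get())) {
	case kOFVariableTypeBoolean:
		// strncmp bounded by propDataLength accepts any prefix of the literal
		// ("tr", "fals"); require the slice to be at least the literal's length.
		if ((propDataLength >= trueLen) && !strncmp("true", (const char *)propData, propDataLength)) {
			tmpObject.reset(kOSBooleanTrue, OSRetain);
		} else if ((propDataLength >= falseLen) && !strncmp("false", (const char *)propData, propDataLength)) {
			tmpObject.reset(kOSBooleanFalse, OSRetain);
		}
		break;

	case kOFVariableTypeNumber: {
		// Parse from a bounded, NUL-terminated copy so strtol cannot read past
		// the end of the slice. 31 characters is far more than any 32-bit value
		// needs in any base.
		char numBuf[32];
		size_t copyLen = (propDataLength < sizeof(numBuf) - 1) ? propDataLength : sizeof(numBuf) - 1;

		memcpy(numBuf, propData, copyLen);
		numBuf[copyLen] = '\0';

		tmpNumber = OSNumber::withNumber(strtol(numBuf, nullptr, 0), 32);
		if (tmpNumber != nullptr) {
			tmpObject = tmpNumber;
		}
		break;
	}

	case kOFVariableTypeString:
		tmpString = OSString::withCString((const char *)propData, propDataLength);
		if (tmpString != nullptr) {
			tmpObject = tmpString;
		}
		break;

	case kOFVariableTypeData:
		tmpObject = OSData::withBytes(propData, propDataLength);
		break;

	default:
		break;
	}

	if (tmpObject == nullptr) {
		tmpSymbol.reset();
		return false;
	}

	propSymbol = tmpSymbol;
	propObject = tmpObject;

	return true;
}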
1586
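// Hands the caller a shallow copy of the variable dictionary (the copy retains
// the same value objects) taken under the read lock.
//
// varDictCopy - out: the copy; only assigned when _varDict exists.
//
// Returns kIOReturnSuccess when a copy was produced, otherwise
// kIOReturnNotFound (no dictionary, or the copy could not be allocated).
IOReturn
IONVRAMV3Handler::getVarDict(OSSharedPtr<OSDictionary> &varDictCopy)
{
	IOReturn ret = kIOReturnNotFound;

	NVRAMREADLOCK(_variableLock);
	if (_varDict) {
		varDictCopy = OSDictionary::withDictionary(_varDict.get());
		// A non-null copy is the success condition; the extra throw-away
		// OSDictionary::withCapacity() allocation that used to gate this was
		// never used.
		if (varDictCopy) {
			ret = kIOReturnSuccess;
		}
	}
	NVRAMRWUNLOCK(_variableLock);

	return ret;
}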
1605