From 68f9a87de04beda3f052bd53e6bacba8da15656b Mon Sep 17 00:00:00 2001
From: Kris Adler <adler.kristopher@gmail.com>
Date: Tue, 22 Aug 2023 11:21:10 -0500
Subject: [PATCH] Add commands for controlling the Makers Authority

---
 Common/DtaDev.h             |  9 ++++++
 Common/DtaDevEnterprise.cpp | 54 +++++++++++++++++++++++++++++++++
 Common/DtaDevEnterprise.h   | 13 ++++++--
 Common/DtaDevGeneric.cpp    |  2 ++
 Common/DtaDevGeneric.h      |  8 +++++
 Common/DtaDevOpal.cpp       | 59 +++++++++++++++++++++++++++++++++++++
 Common/DtaDevOpal.h         | 26 ++++++++++------
 Common/DtaLexicon.h         | 17 ++++++++---
 Common/DtaOptions.cpp       |  9 ++++++
 Common/DtaOptions.h         |  3 ++
 Common/sedutil.cpp          | 20 ++++++++++---
 11 files changed, 201 insertions(+), 19 deletions(-)

diff --git a/Common/DtaDev.h b/Common/DtaDev.h
index 8c9b55e..217e6e7 100644
--- a/Common/DtaDev.h
+++ b/Common/DtaDev.h
@@ -303,6 +303,15 @@ class DtaDev {
 	 * @param Admin1Password Password of the LockingSP authority
 	 */
     virtual uint8_t addUserToLockingACEs(const char *userid, char* Admin1Password) = 0;
+	/** Enable or disable the Admin SP Makers Authority
+	 * @param sidPassword The SID password
+	 * @param enable Whether to enable (true) or disable (false) the Makers Authority
+	 */
+	virtual uint8_t enableDisableMakersAuthority(char * sidPassword, uint8_t enable) = 0;
+	
+	/** Print the status of the Admin SP Makers Authority */
+	virtual uint8_t printMakersAuthorityStatus() = 0;
+	
 	bool no_hash_passwords; /** disables hashing of passwords */
 	bool hex_passwords; /** converts passwords from hex before using them */
 	sedutiloutput output_format; /** standard, readable, JSON */
diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp
index 48ff63d..8d8c9af 100644
--- a/Common/DtaDevEnterprise.cpp
+++ b/Common/DtaDevEnterprise.cpp
@@ -1695,6 +1695,60 @@ uint8_t DtaDevEnterprise::addUserToLockingACEs(const char *userid, char * Admin1
 	LOG(D1) << "Exiting DtaDevEnterprise::addUserLockingACEs";
 	return 0;
 }
+uint8_t DtaDevEnterprise::enableDisableMakersAuthority(char * password, uint8_t enable)
+{
+	LOG(D1) << "Entering DtaDevEnterprise::enableDisableMakersAuthority()";
+	uint8_t lastRC;
+	session = new DtaSession(this);
+	if (NULL == session) {
+		LOG(E) << "Unable to create session object ";
+		return DTAERROR_OBJECT_CREATE_FAILED;
+	}
+	if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID, password, OPAL_UID::OPAL_SID_UID)) != 0) {
+		LOG(E) << "Unable to start AdminSP SID session " << dev;
+		delete session;
+		return lastRC;
+	}
+	vector<uint8_t> table;
+	set8(table, OPALUID[OPAL_UID::OPAL_MAKERS_UID]);
+	if ((lastRC = setTable(table, "Enabled", enable ? OPAL_TRUE : OPAL_FALSE)) != 0) {
+		LOG(E) << "Unable to " << (enable ? "enable" : "disable") << " the Makers Authority";
+		delete session;
+		return lastRC;
+	}
+	LOG(I) << "Makers Authority " << (enable ? "enabled" : "disabled");
+	delete session;
+	LOG(D1) << "Exiting DtaDevEnterprise::enableDisableMakersAuthority()";
+	return 0;
+}
+
+uint8_t DtaDevEnterprise::printMakersAuthorityStatus()
+{
+	LOG(D1) << "Entering DtaDevEnterprise::printMakersAuthorityStatus()";
+	uint8_t lastRC;
+	session = new DtaSession(this);
+	if (NULL == session) {
+		LOG(E) << "Unable to create session object ";
+		return DTAERROR_OBJECT_CREATE_FAILED;
+	}
+	if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID)) != 0) {
+		LOG(E) << "Unable to start Unauthenticated session " << dev;
+		delete session;
+		return lastRC;
+	}
+	vector<uint8_t> table;
+	set8(table, OPALUID[OPAL_UID::OPAL_MAKERS_UID]);
+	if ((lastRC = getTable(table, "Enabled", "Enabled")) != 0) {
+		LOG(E) << "Unable to get Makers Authority table";
+		delete session;
+		return lastRC;
+	}
+	cout << "Makers Authority status:" << endl;
+	cout << "  " << "Enabled: " << (response.getUint8(5) ? "Y" : "N") << endl;
+	delete session;
+	LOG(D1) << "Exiting DtaDevEnterprise::printMakersAuthorityStatus()";
+	return 0;
+}
 #ifdef _MSC_VER
 #pragma warning(pop)
 #endif
diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h
index bf1edbf..1e17ccf 100644
--- a/Common/DtaDevEnterprise.h
+++ b/Common/DtaDevEnterprise.h
@@ -213,8 +213,17 @@ class DtaDevEnterprise : public DtaDevOS {
 	 * @param userid The user to add to Locking ACEs
 	 * @param Admin1Password Password of the LockingSP authority
 	 */
-    uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password);
-
+        uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password);
+        
+        /** Enable or disable the Admin SP Makers Authority
+        * @param sidPassword The SID password
+        * @param enable Whether to enable (true) or disable (false) the Makers Authority
+        */
+        uint8_t enableDisableMakersAuthority(char * password, uint8_t enable);
+        
+        /** Print the status of the Admin SP Makers Authority */
+        uint8_t printMakersAuthorityStatus();
+        
 protected:
 	uint8_t getDefaultPassword();
 private:
diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp
index 5af97a1..4f128a0 100644
--- a/Common/DtaDevGeneric.cpp
+++ b/Common/DtaDevGeneric.cpp
@@ -94,6 +94,8 @@ uint8NOCODE(takeOwnership, char * newpassword, bool securemode)
 uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword,
 	uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
 uint8NOCODE(addUserToLockingACEs, const char* userid, char * Admin1Password)
+uint8NOCODE(enableDisableMakersAuthority, char * password, uint8_t enable)
+uint8NOCODE(printMakersAuthorityStatus)
 uint16_t DtaDevGeneric::comID()
 {
 	LOG(E) << "Generic Device class does not support function " << "comID" << std::endl; 
diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h
index 15c96c5..457defe 100644
--- a/Common/DtaDevGeneric.h
+++ b/Common/DtaDevGeneric.h
@@ -234,4 +234,12 @@ class DtaDevGeneric : public DtaDevOS {
 	 * @param Admin1Password Password of the LockingSP authority
 	 */
 	 uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password);
+	 /** Enable or disable the Admin SP Makers Authority
+	 * @param sidPassword The SID password
+	 * @param enable Whether to enable (true) or disable (false) the Makers Authority
+	 */
+	 uint8_t enableDisableMakersAuthority(char * password, uint8_t enable);
+	 
+	 /** Print the status of the Admin SP Makers Authority */
+	 uint8_t printMakersAuthorityStatus();
 };
diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp
index 2e9624c..c877057 100644
--- a/Common/DtaDevOpal.cpp
+++ b/Common/DtaDevOpal.cpp
@@ -2098,6 +2098,65 @@ uint8_t DtaDevOpal::getAuthoritiesFromACE(OPAL_UID ace_uid,
     }
     return lastRC;
 }
+uint8_t DtaDevOpal::enableDisableMakersAuthority(char * password, uint8_t enable)
+{
+	LOG(D1) << "Entering DtaDevOpal::enableDisableMakersAuthority()";
+	uint8_t lastRC;
+	session = new DtaSession(this);
+	if (NULL == session) {
+		LOG(E) << "Unable to create session object ";
+		return DTAERROR_OBJECT_CREATE_FAILED;
+	}
+	if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID, password, OPAL_UID::OPAL_SID_UID)) != 0) {
+		LOG(E) << "Unable to start AdminSP SID session " << dev;
+		delete session;
+		return lastRC;
+	}
+	vector<uint8_t> table;
+	table.push_back(OPAL_SHORT_ATOM::BYTESTRING8);
+	for (int i = 0; i < 8; i++) {
+		table.push_back(OPALUID[OPAL_UID::OPAL_MAKERS_UID][i]);
+	}
+	if ((lastRC = setTable(table, AUTHORITY_ENABLED, enable ? OPAL_TRUE : OPAL_FALSE)) != 0) {
+		LOG(E) << "Unable to " << (enable ? "enable" : "disable") << " the Makers Authority";
+		delete session;
+		return lastRC;
+	}
+	LOG(I) << "Makers Authority " << (enable ? "enabled" : "disabled");
+	delete session;
+	LOG(D1) << "Exiting DtaDevOpal::enableDisableMakersAuthority()";
+	return 0;
+}
+uint8_t DtaDevOpal::printMakersAuthorityStatus()
+{
+	LOG(D1) << "Entering DtaDevOpal::printMakersAuthorityStatus()";
+	uint8_t lastRC;
+	session = new DtaSession(this);
+	if (NULL == session) {
+		LOG(E) << "Unable to create session object ";
+		return DTAERROR_OBJECT_CREATE_FAILED;
+	}
+	if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID)) != 0) {
+		LOG(E) << "Unable to start Unauthenticated session " << dev;
+		delete session;
+		return lastRC;
+	}
+	vector<uint8_t> table;
+	table. push_back(OPAL_SHORT_ATOM::BYTESTRING8);
+	for (int i = 0; i < 8; i++) {
+		table.push_back(OPALUID[OPAL_UID::OPAL_MAKERS_UID][i]);
+	}
+	if ((lastRC = getTable(table, AUTHORITY_ENABLED, AUTHORITY_ENABLED)) != 0) {
+		LOG(E) << "Unable to get Makers Authority table";
+		delete session;
+		return lastRC;
+	}
+	cout << "Makers Authority status:" << endl;
+	cout << "  " << "Enabled: " << (response.getUint8(4) ? "Y" : "N") << endl;
+	delete session;
+	LOG(D1) << "Exiting DtaDevOpal::printMakersAuthorityStatus()";
+	return 0;
+}
 #ifdef __linux__
 uint8_t DtaDevOpal::askNewPassword(std::shared_ptr<SecureString> &password, bool confirm) {
     uint8_t lastRC = OPALSTATUSCODE::SUCCESS;
diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h
index 434be75..3bd83d7 100644
--- a/Common/DtaDevOpal.h
+++ b/Common/DtaDevOpal.h
@@ -268,13 +268,22 @@ class DtaDevOpal : public DtaDevOS {
 	uint8_t rawCmd(char *sp, char * auth, char *pass,
 		char *invoker, char *method, char *plist);
 
-    /** Add the authority to Locking (Rd/RW) and MBRControl DoneToDOR ACEs
-      * This function gets authorities already in ACEs.
-      * Only the OR boolean_ACE are handled in boolean expressions.
-      * @param Admin1Password Password of the LockingSP authority
-      * @param userid The authority to add to Locking ACEs
-      */
-    uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password);
+        /** Add the authority to Locking (Rd/RW) and MBRControl DoneToDOR ACEs
+        * This function gets authorities already in ACEs.
+        * Only the OR boolean_ACE are handled in boolean expressions.
+        * @param Admin1Password Password of the LockingSP authority
+        * @param userid The authority to add to Locking ACEs
+        */
+        uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password);
+        
+        /** Enable or disable the Admin SP Makers Authority
+        * @param sidPassword The SID password
+        * @param enable Whether to enable (true) or disable (false) the Makers Authority
+        */
+        uint8_t enableDisableMakersAuthority(char * password, uint8_t enable);
+        
+        /** Print the status of the Admin SP Makers Authority */
+        uint8_t printMakersAuthorityStatus();
 protected:
         /** Primitive to handle the setting of a value in the locking sp.
          * @param table_uid UID of the table 
@@ -316,8 +325,7 @@ class DtaDevOpal : public DtaDevOS {
       * @param ace_uid The ACE to read
       * @param authorities_uid Vector containing authorities uids
       */
-    uint8_t getAuthoritiesFromACE(OPAL_UID ace_uid, std::vector<std::vector<uint8_t>>& authorities_uid);
-
+    uint8_t getAuthoritiesFromACE(OPAL_UID ace_uid, std::vector<std::vector<uint8_t>>& authorities_uid);    
     /** Ask the user to input a new password. 
       * This function fails if the first password and it's confirmation differs 
       * @param password The new password entered by the user
diff --git a/Common/DtaLexicon.h b/Common/DtaLexicon.h
index bf40664..aa1d4d0 100644
--- a/Common/DtaLexicon.h
+++ b/Common/DtaLexicon.h
@@ -35,9 +35,10 @@ static const uint8_t OPALUID[][8]{
 	{ 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, 0x01 }, /**< Administrative SP */
 	{ 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, 0x02 }, /**< Locking SP */
 	{ 0x00, 0x00, 0x02, 0x05, 0x00, 0x01, 0x00, 0x01 }, /**< ENTERPRISE Locking SP  */
-	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01 }, /**<anybody */
-	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06 }, /**< SID */
+	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01 }, /**< ANYBODY */
 	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02 }, /**< ADMINS */
+	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x03 }, /**< MAKERS */
+	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06 }, /**< SID */
 	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0x01 }, /**< ADMIN1 */
 	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x03, 0x00, 0x01 }, /**< USER1 */
 	{ 0x00, 0x00, 0x00, 0x09, 0x00, 0x03, 0x00, 0x02 }, /**< USER2 */
@@ -76,8 +77,9 @@ typedef enum _OPAL_UID {
     OPAL_LOCKINGSP_UID,
 	ENTERPRISE_LOCKINGSP_UID,
     OPAL_ANYBODY_UID,
-    OPAL_SID_UID,
     OPAL_ADMINS_UID,
+    OPAL_MAKERS_UID,
+    OPAL_SID_UID,
     OPAL_ADMIN1_UID,
     OPAL_USER1_UID,
     OPAL_USER2_UID,
@@ -163,8 +165,15 @@ typedef enum _OPAL_TOKEN {
 	STARTCOLUMN = 0x03,
 	ENDCOLUMN = 0x04,
 	VALUES = 0x01,
-	// authority table
+	// C_PIN table
 	PIN = 0x03,
+	// authority table
+	AUTHORITY_UID = 0x00,
+	AUTHORITY_NAME = 0x01,
+	AUTHORITY_COMMON_NAME = 0x02,
+	AUTHORITY_IS_CLASS = 0x03,
+	AUTHORITY_CLASS = 0x04,
+	AUTHORITY_ENABLED = 0x05,
 	// locking tokens
 	RANGESTART = 0x03,
 	RANGELENGTH = 0x04,
diff --git a/Common/DtaOptions.cpp b/Common/DtaOptions.cpp
index 54d619c..7578a31 100644
--- a/Common/DtaOptions.cpp
+++ b/Common/DtaOptions.cpp
@@ -104,6 +104,12 @@ void usage()
     printf("                                grant UserX permission to lock/unlock device\n");
     printf("--enableUser <userid> <Admin1password> <device> \n");
     printf("                                grant UserX permission to lock/unlock device\n");
+    printf("--disableMakersAuthority <SIDpassword> <device> \n");
+    printf("                                revoke the device manufacturer's admin powers\n" );
+    printf("--enableMakersAuthority <SIDpassword> <device> \n");
+    printf("                                grant the device manufacturer admin powers\n");
+    printf("--printMakersAuthorityStatus <device> \n");
+    printf("                                print the Makers Authority status\n");
     printf("--printPasswordHash <password> <device>\n");
     printf("                                print the hash of the password \n");
     printf("                                as computed by sedutil. Hex-ecoded.\n");
@@ -582,6 +588,9 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
 			OPTION_IS(password)
 			OPTION_IS(device)
 		END_OPTION
+		BEGIN_OPTION(disableMakersAuthority, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION
+		BEGIN_OPTION(enableMakersAuthority, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION
+		BEGIN_OPTION(printMakersAuthorityStatus, 1, 1) OPTION_IS(device) END_OPTION
 		else {
       LOG(E) << "Invalid command line argument " << argv[i];
 			return DTAERROR_INVALID_COMMAND;
diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h
index 9eec24a..2f29c35 100644
--- a/Common/DtaOptions.h
+++ b/Common/DtaOptions.h
@@ -102,6 +102,9 @@ typedef enum _sedutiloption {
     prepareForS3Sleep,
 	rawCmd,
     addUserToLockingACEs,
+	disableMakersAuthority,
+	enableMakersAuthority,
+	printMakersAuthorityStatus,
 } sedutiloption;
 
 /** verify the number of arguments passed */
diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp
index f2c6770..33efa23 100644
--- a/Common/sedutil.cpp
+++ b/Common/sedutil.cpp
@@ -284,9 +284,21 @@ int main(int argc, char * argv[])
         LOG(D) << "Performing addUserToLockingACEs";
         return d->addUserToLockingACEs(argv[opts.userid], GET_PASSWORD());
 		break;
-    default:
-        LOG(E) << "Unable to determine what you want to do ";
-        usage();
-    }
+	case sedutiloption::disableMakersAuthority:
+		LOG(D) << "Disabling the Makers authority";
+		return d->enableDisableMakersAuthority(argv[opts.password], 0);
+		break;
+	case sedutiloption::enableMakersAuthority:
+		LOG(D) << "Enabling the Makers authority";
+		return d->enableDisableMakersAuthority(argv[opts.password], 1);
+		break;
+	case sedutiloption::printMakersAuthorityStatus:
+		LOG(D) << "Printing the Makers authority status";
+		return d->printMakersAuthorityStatus();
+		break;
+	default:
+		LOG(E) << "Unable to determine what you want to do ";
+		usage();
+  }
 	return DTAERROR_INVALID_COMMAND;
 }