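#! /usr/bin/python3
########################################################################
# Copyright (c) 2022 VMware, Inc. All rights reserved
# VMware Confidential
########################################################################
"""Apply a https://uefi.org/revocationlistfile DBX revocation list file to
the host via ESXi's VSI API.

The update file is an EFI_VARIABLE_AUTHENTICATION_2 payload.  The PKCS#7
signature it carries is verified by the platform firmware when the variable
is written, not by this script; the script only checks that the file is
plausibly such a payload, so that a truncated or wrong file fails with a
clear message instead of an opaque variable-write error.
"""

import argparse
import struct
import sys

from uefi import uefivar

description = \
    '''Apply an update to this host's UEFI Secure Boot forbidden signature
database (dbx). This program does not check whether the update has already
been applied, but reapplying a previously applied update should have no
effect.'''

# EFI_VARIABLE_AUTHENTICATION_2 = EFI_TIME (16 bytes) followed by a
# WIN_CERTIFICATE_UEFI_GUID: dwLength (4), wRevision (2),
# wCertificateType (2), CertType GUID (16), then the PKCS#7 CertData.
_AUTH2_HEADER = struct.Struct('<16sIHH16s')
# Size of the EFI_TIME that precedes the WIN_CERTIFICATE; dwLength counts
# everything after it.
_EFI_TIME_SIZE = 16
# WIN_CERT_TYPE_EFI_GUID: the certificate type used by time-based
# authenticated variable writes.
_WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def makeParser():
    """Construct the command-line argument parser.

    Returns:
        argparse.ArgumentParser accepting one optional positional
        ``filename`` (the DBXUpdate.bin to apply).
    """
    parser = argparse.ArgumentParser(description=description)
    parser.add_argument('filename', type=str, nargs='?', help=
                        '''a DBXUpdate.bin file, downloadable from
https://uefi.org/revocationlistfile''')
    return parser


def checkUpdatePayload(data):
    """Sanity-check that *data* looks like a dbx authenticated-variable payload.

    Only the fixed header is inspected; the PKCS#7 signature inside the
    payload is verified by the firmware, not here.

    Args:
        data: raw bytes of the update file.

    Raises:
        ValueError: if the file is too short to hold an
            EFI_VARIABLE_AUTHENTICATION_2 header, its certificate type is
            not WIN_CERT_TYPE_EFI_GUID, or its declared certificate length
            exceeds the data actually present (truncated download).
    """
    if len(data) < _AUTH2_HEADER.size:
        raise ValueError('update file is too short (%d bytes) to be an '
                         'EFI_VARIABLE_AUTHENTICATION_2 payload' % len(data))
    _timestamp, certLength, _revision, certType, _certTypeGuid = \
        _AUTH2_HEADER.unpack_from(data)
    if certType != _WIN_CERT_TYPE_EFI_GUID:
        raise ValueError('update file certificate type 0x%04x is not '
                         'WIN_CERT_TYPE_EFI_GUID (0x%04x); not a time-based '
                         'authenticated variable update'
                         % (certType, _WIN_CERT_TYPE_EFI_GUID))
    # dwLength covers the whole WIN_CERTIFICATE_UEFI_GUID (everything after
    # the EFI_TIME), so it can never exceed what the file actually holds.
    available = len(data) - _EFI_TIME_SIZE
    if certLength > available:
        raise ValueError('update file is truncated: header declares %d bytes '
                         'of certificate data but only %d are present'
                         % (certLength, available))


def applyUpdate(filename):
    """Apply the dbx update contained in *filename*.

    The file contents are prefixed with the variable attributes and written
    to the dbx variable with APPEND_WRITE, so existing dbx entries are kept.

    Args:
        filename: path to a DBXUpdate.bin file.

    Raises:
        OSError: if the file cannot be read.
        ValueError: if the file does not look like a dbx update
            (see checkUpdatePayload).
    """
    varname = 'dbx-' + uefivar.EfiImageSecurityDatabaseGUID
    # Attributes for a time-based authenticated append to dbx: the file
    # carries an EFI_VARIABLE_AUTHENTICATION_2 header, and APPEND_WRITE adds
    # the new revocations rather than replacing the current list.
    attr = struct.pack('I',
                       uefivar.EfiVariableNonVolatile |
                       uefivar.EfiVariableBootserviceAccess |
                       uefivar.EfiVariableRuntimeAccess |
                       uefivar.EfiVariableTimeBasedAuthenticatedWriteAccess |
                       uefivar.EfiVariableAppendWrite)
    with open(filename, 'rb') as f:
        payload = f.read()
    # Fail early on an empty, truncated or unrelated file; the signature
    # itself is checked by the firmware during the write.
    checkUpdatePayload(payload)
    uefivar.set(varname, attr + payload)
    print('dbx update applied')


def main(argv):
    """Entry point: parse *argv* (program name first) and apply the update.

    Exits with status 2 (after printing the usage) when no filename is
    given, and with status 1 when the file cannot be read or does not look
    like a dbx update.
    """
    parser = makeParser()
    args = parser.parse_args(argv[1:])
    if args.filename is None:
        parser.print_help()
        sys.exit(2)
    try:
        applyUpdate(args.filename)
    except (OSError, ValueError) as e:
        print('error: %s' % e, file=sys.stderr)
        sys.exit(1)


if __name__ == '__main__':
    main(sys.argv)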