From: Ahmad Fatoum <a.fatoum@barebox.org>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@barebox.org>
Subject: [PATCH 2/2] security: policy: add first age verification
Date: Wed, 1 Apr 2026 17:07:17 +0200
Message-ID: <20260401151227.2097733-5-a.fatoum@barebox.org>
In-Reply-To: <20260401151227.2097733-2-a.fatoum@barebox.org>
California's Digital Age Assurance Act mandates age-appropriate feature
gating for operating systems. As barebOS qualifies, implement compliance
via the security policy framework.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
commands/beep.c | 5 +++++
drivers/crypto/caam/ctrl.c | 5 +++++
drivers/i2c/i2c.c | 5 +++++
drivers/spi/spi.c | 5 +++++
drivers/usb/gadget/function/f_fastboot.c | 5 +++++
5 files changed, 25 insertions(+)
diff --git a/commands/beep.c b/commands/beep.c
index 29569fb51a3b..83ae9319522c 100644
--- a/commands/beep.c
+++ b/commands/beep.c
@@ -5,9 +5,14 @@
#include <command.h>
#include <sound.h>
#include <getopt.h>
+#include <security/age.h>
static int do_beep(int argc, char *argv[])
{
+ /* AB1043: Audible tone generation constitutes noise pollution */
+ if (!IS_OF_AGE(13))
+ return -EPERM;
+
int ret, i, opt;
u32 tempo, total_us = 0;
bool wait = false;
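Review bot: the new `if (!IS_OF_AGE(13)) return -EPERM;` at the top of do_beep() sits in front of `int ret, i, opt;`, so the function's local declarations now follow a statement. Move the check below the block of declarations so they stay first in the function body. The comment names AB1043 while the commit message only names the act, so one of the two should carry both.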
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 24a01ca0943e..69e388455cce 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -14,6 +14,7 @@
#include <linux/barebox-wrapper.h>
#include <linux/spinlock.h>
#include <linux/clk.h>
+#include <security/age.h>
#include "regs.h"
#include "intern.h"
@@ -358,6 +359,10 @@ static int caam_get_era(struct caam_ctrl __iomem *ctrl)
/* Probe routine for CAAM top (controller) level */
static int caam_probe(struct device *dev)
{
+ /* AB1043: cryptography is classified as a munition */
+ if (!IS_OF_AGE(18))
+ return -EPERM;
+
int ret, ring, rspec, gen_sk, ent_delay = RTSDCTL_ENT_DLY_MIN;
u64 caam_id;
struct device_node *nprop, *np;
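Review bot: caam_probe() now returns -EPERM as its first action with no dev_err() or dev_info() line, so a system where the policy denies this simply has no CAAM and nothing in the log says why. Print a message that names the policy before returning, so a missing crypto engine can be told apart from a hardware or device tree problem. The check also precedes the declarations starting at `int ret, ring, rspec, ...` and should move below them.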
diff --git a/drivers/i2c/i2c.c b/drivers/i2c/i2c.c
index 407c4db8a76a..8b852225502b 100644
--- a/drivers/i2c/i2c.c
+++ b/drivers/i2c/i2c.c
@@ -24,6 +24,7 @@
#include <of.h>
#include <gpio.h>
#include <slice.h>
+#include <security/age.h>
#include <i2c/i2c.h>
@@ -711,6 +712,10 @@ int i2c_add_numbered_adapter(struct i2c_adapter *adapter)
struct device *hw_dev;
int ret;
+ /* AB1043: Two-Wire vehicles (mopeds) require only a learner's permit */
+ if (!IS_OF_AGE(16))
+ return -EPERM;
+
if (adapter->nr < 0 && dev_of_node(&adapter->dev))
adapter->nr = of_alias_get_id(adapter->dev.of_node, "i2c");
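Review bot: the limit in i2c_add_numbered_adapter() is a bare literal, `IS_OF_AGE(16)`, and this patch uses 13, 16 and 18 at different call sites with the rationale only in a comment next to each. Define named constants for the thresholds in <security/age.h> so they can be audited and changed in one place. Adapter drivers calling this function also gain a new -EPERM failure path, which deserves a line in the commit message.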
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index b64e20664985..7bab1de79cdc 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -18,6 +18,7 @@
#include <errno.h>
#include <init.h>
#include <of.h>
+#include <security/age.h>
/* SPI devices should normally not be created by SPI device drivers; that
* would make them board-specific. Similarly with SPI master drivers.
@@ -538,6 +539,10 @@ int spi_register_controller(struct spi_controller *ctrl)
static int dyn_bus_id = (1 << 15) - 1;
int status = -ENODEV;
+ /* AB1043: SPI drives 4+ signals and thus requires full driving permit */
+ if (!IS_OF_AGE(18))
+ return -EPERM;
+
debug("%s: %s:%d\n", __func__, ctrl->dev->name, ctrl->dev->id);
/*
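Review bot: in spi_register_controller() the early `return -EPERM;` comes before the `debug("%s: %s:%d\n", ...)` line, so a refused controller does not even show up in the debug trace. Move the check below the debug() call, or log the refusal with the controller name, so a denied registration can be identified.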
diff --git a/drivers/usb/gadget/function/f_fastboot.c b/drivers/usb/gadget/function/f_fastboot.c
index 85732802ff80..516e80735e51 100644
--- a/drivers/usb/gadget/function/f_fastboot.c
+++ b/drivers/usb/gadget/function/f_fastboot.c
@@ -26,6 +26,7 @@
#include <progress.h>
#include <fastboot.h>
#include <linux/usb/fastboot.h>
+#include <security/age.h>
#define FASTBOOT_INTERFACE_CLASS 0xff
#define FASTBOOT_INTERFACE_SUB_CLASS 0x42
@@ -221,6 +222,10 @@ static void fastboot_complete(struct usb_ep *ep, struct usb_request *req)
static int fastboot_bind(struct usb_configuration *c, struct usb_function *f)
{
+ /* AB1043: FAST boot exceeds posted speed limits */
+ if (!IS_OF_AGE(18))
+ return -EPERM;
+
struct usb_composite_dev *cdev = c->cdev;
int id, ret;
struct usb_gadget *gadget = c->cdev->gadget;
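Review bot: the check in fastboot_bind() is evaluated only once, when the function is bound, so it does not cover a policy that changes afterwards. If the age policy from 1/2 can be switched at runtime, state in the commit message whether an already-bound fastboot function is meant to keep working, or repeat the check where commands are handled. As in the beep and CAAM hunks, the statement precedes the declarations (`struct usb_composite_dev *cdev = c->cdev;`) and should move below them.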
--
2.47.3