diff --git a/.gitignore b/.gitignore
index e69de29..8fa6b56 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.tar.*
+clog
+*.rpm
+.build*.log
+mokutil-*/
diff --git a/0001-Avoid-taking-pointer-to-packed-struct.patch b/0001-Avoid-taking-pointer-to-packed-struct.patch
new file mode 100644
index 0000000..67d946e
--- /dev/null
+++ b/0001-Avoid-taking-pointer-to-packed-struct.patch
@@ -0,0 +1,117 @@
+From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
+From: Harry Youd
+Date: Wed, 31 Jul 2019 19:44:53 +0100
+Subject: [PATCH] Avoid taking pointer to packed struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
+---
+ src/mokutil.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e2d567d..8892613 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+ return NULL;
+ }
+
+- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
+- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
++ efi_guid_t sigtype = CertList->SignatureType;
++
++ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
++ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
+ dbsize -= CertList->SignatureListSize;
+ CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
+ CertList->SignatureListSize);
+ continue;
+ }
+
+- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
+- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
++ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
++ (CertList->SignatureSize != signature_size (&sigtype))) {
+ dbsize -= CertList->SignatureListSize;
+ CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
+ CertList->SignatureListSize);
+@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+ }
+
+ list[count].header = CertList;
+- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
+ /* X509 certificate */
+ list[count].mok_size = CertList->SignatureSize -
+ sizeof(efi_guid_t);
+@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
+
+ for (unsigned int i = 0; i < mok_num; i++) {
+ printf ("[key %d]\n", i+1);
+- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
+ print_x509 ((char *)list[i].mok, list[i].mok_size);
+ } else {
+- print_hash_array (&list[i].header->SignatureType,
++ print_hash_array (&sigtype,
+ list[i].mok, list[i].mok_size);
+ }
+ if (i < mok_num - 1)
+@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ remain = total;
+ for (unsigned int i = 0; i < mok_num; i++) {
+ remain -= list[i].header->SignatureListSize;
+- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, type) != 0)
+ continue;
+
+ sig_list_size = list[i].header->SignatureListSize;
+@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
+ }
+
+ for (unsigned int i = 0; i < node_num; i++) {
+- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
++ efi_guid_t sigtype = list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, type) != 0)
+ continue;
+
+ if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
+@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
+ goto error;
+ /* Check if there is a signature list with the same type */
+ for (unsigned int i = 0; i < mok_num; i++) {
+- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
+- &hash_type) == 0) {
++ efi_guid_t sigtype = mok_list[i].header->SignatureType;
++ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
+ merge_ind = i;
+ list_size -= sizeof(EFI_SIGNATURE_LIST);
+ break;
+@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
+ for (unsigned i = 0; i < mok_num; i++) {
+ off_t offset = 0;
+ ssize_t write_size;
++ efi_guid_t sigtype = list[i].header->SignatureType;
+
+- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
++ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
+ continue;
+
+ /* Dump X509 certificate to files */
+--
+2.21.0
+
diff --git a/0002-Fix-a-integer-comparison-sign-issue.patch b/0002-Fix-a-integer-comparison-sign-issue.patch
new file mode 100644
index 0000000..591a8d2
--- /dev/null
+++ b/0002-Fix-a-integer-comparison-sign-issue.patch
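Review bot: The X.509 branch of build_mok_list in the `@@ -312` hunk still computes `list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t)` with no visible check that SignatureSize is at least sizeof(efi_guid_t); the `signature_size (&sigtype)` comparison in the first hunk is only applied to non-X.509 lists, so a MokList entry claiming a smaller SignatureSize would wrap mok_size, unless such a guard sits in the lines elided between the two hunks. If it does not, a guard before the assignment in the same skip-and-continue style the loop already uses for rejected lists would close it: `if (CertList->SignatureSize < sizeof(efi_guid_t)) { /* malformed entry */ ... continue; }`. The local copy into `sigtype` is itself a sound answer to -Waddress-of-packed-member, since efi_guid_cmp only reads through the pointer and a by-value copy of a packed member is emitted as a safe byte copy. build_mok_list begins and ends outside these hunks, so the remaining bounds handling could not be checked here.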
@@ -0,0 +1,33 @@
+From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 25 Jul 2018 10:27:34 -0400
+Subject: [PATCH] Fix a integer comparison sign issue.
+
+I introduced this, and it's stupid:
+
+mokutil.c: In function 'generate_pw_hash':
+mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
+ if (salt_size > settings_len - (next - settings)) {
+ ^
+
+Signed-off-by: Peter Jones
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d03127abf54..068df0d109c 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
+ char *password = NULL;
+ char *crypt_string;
+ const char *prefix;
+- int settings_len = sizeof (settings) - 2;
++ unsigned int settings_len = sizeof (settings) - 2;
+ unsigned int pw_len, salt_size;
+
+ if (input_pw) {
+--
+2.23.0
+
diff --git a/mokutil.spec b/mokutil.spec
new file mode 100644
index 0000000..79e716e
--- /dev/null
+++ b/mokutil.spec
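Review bot: Changing `settings_len` to `unsigned int` silences the warning but changes the arithmetic of the comparison quoted in the commit message, `salt_size > settings_len - (next - settings)`: the compiler reported the right-hand side as `int`, so once `settings_len` is unsigned the subtraction is done in unsigned arithmetic and a `next - settings` that is negative or larger than `settings_len` wraps to a huge value, making the bound check pass instead of fail. Whether `next` can actually reach that state depends on code in generate_pw_hash outside this hunk, but the check is there precisely to guard the salt copy, so it should not be weakened by a type tweak. A form that keeps the warning away and is safe on both the 32-bit and 64-bit targets the spec builds for is `if ((next - settings) < 0 || (size_t)(next - settings) > settings_len || salt_size > settings_len - (size_t)(next - settings))` with `settings_len` declared `size_t`. generate_pw_hash starts before the hunk and continues after it.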
@@ -0,0 +1,119 @@
+Name: mokutil
+Version: 0.4.0
+Release: 2%{?dist}
+Epoch: 2
+Summary: Tool to manage UEFI Secure Boot MoK Keys
+License: GPLv3+
+URL: https://github.com/lcp/mokutil
+ExclusiveArch: %{ix86} x86_64 aarch64
+BuildRequires: gcc
+BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
+BuildRequires: efivar-devel >= 31-1
+Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
+Conflicts: shim < 0.8-1%{?dist}
+Obsoletes: mokutil < 0.2.0
+
+Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
+Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
+
+%description
+mokutil provides a tool to manage keys for Secure Boot through the MoK
+("Machine's Own Keys") mechanism.
+
+%prep
+%setup -q -n %{name}-%{version}
+git init
+git config user.email "%{name}-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} - 2:0.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jun 11 2020 Javier Martinez Canillas - 0.4.0-1
+- Update to 0.4.0 release
+
+* Wed Jan 29 2020 Fedora Release Engineering - 2:0.3.0-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 12 2019 Peter Jones - 0.3.0-14
+- Pull one more upstream patch to keep this in sync with the f31 build.
+
+* Thu Oct 24 2019 Leigh Scott - 1:0.3.0-14
+- Apply upstream commits to fix FTBFS
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1:0.3.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:0.3.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser - 1:0.3.0-11
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1:0.3.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1:0.3.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Jan 20 2018 Björn Esser - 1:0.3.0-8
+- Rebuilt for switch to libxcrypt
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:0.3.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:0.3.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 08 2017 Peter Jones - 0.3.0-5
+- Rebuild for efivar-31-1.fc26
+ Related: rhbz#1468841
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:0.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Aug 17 2016 Peter Jones - 0.3.0-3
+- Rebuild for newer efivar again.
+
+* Wed Aug 10 2016 Peter Jones - 0.3.0-2
+- Update for newer efivar.
+
+* Tue Jun 14 2016 Peter Jones - 0.3.0-1
+- Update to 0.3.0 release.
+ Resolves: rhbz#1334628
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:0.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:0.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas - 1:0.2.0-2
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Mon Oct 06 2014 Peter Jones - 0.2.0-1
+- First independent package.
diff --git a/sources b/sources
new file mode 100644
index 0000000..3262c0a
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (0.4.0.tar.gz) = 1caa4242fda51f73b5e1a97ad38d9235cee5e5dad72e3e40c9e44a20c76cd5397e299693733e4d52e3b05b0272a30732d8c3ea86403739cbc6545de16c1a2dd0
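Review bot: `Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz` points at an on-demand GitHub archive that carries no upstream signature, so the only integrity anchor for this build is the SHA512 recorded in `sources` for the copy held in the lookaside; that is acceptable, but it means a re-fetched archive that GitHub regenerates differently will fail `%prep` rather than be silently accepted, and there is no `%{gpgverify}` step to add because upstream does not appear to publish a detached signature for this release. The tag-only URL also yields a file named just `0.4.0.tar.gz`, which is what `sources` lists; the conventional form `Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz` fetches identical content under an unambiguous filename and would make the `sources` entry self-describing. The spec text between `git am %{patches}` and the first changelog entry is missing from this page, so `%build`, `%install` and `%files` could not be reviewed here.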