import mokutil-0.4.0-8.el9_0.1

CentOS Sources 2022-06-16 09:18:56 -04:00 committed by Stepan Oksanichenko
parent a614a6fd41
commit 31942e0e52
10 changed files with 246 additions and 79 deletions


@ -1,4 +1,4 @@
From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH] Avoid taking pointer to packed struct
@ -112,6 +112,3 @@ index e2d567d..8892613 100644
continue;
/* Dump X509 certificate to files */
--
2.21.0


@ -1,4 +1,4 @@
From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 25 Jul 2018 10:27:34 -0400
Subject: [PATCH] Fix a integer comparison sign issue.
@ -16,10 +16,10 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d03127abf54..068df0d109c 100644
index 8892613..b66c1b8 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw)
char *password = NULL;
char *crypt_string;
const char *prefix;
@ -28,6 +28,3 @@ index d03127abf54..068df0d109c 100644
unsigned int pw_len, salt_size;
if (input_pw) {
--
2.23.0


@ -1,4 +1,4 @@
From 698994102afcbbe16e65930a09e0df5248c4d200 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 17 Mar 2021 14:38:57 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
@ -16,32 +16,12 @@ previous processing.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
man/mokutil.1 | 5 +++++
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
man/mokutil.1 | 5 +++++
2 files changed, 38 insertions(+)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b433da..446298763ad 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--sbat]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8b5a7..0c25ae5033d 100644
index b66c1b8..0c25ae5 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,7 @@
@ -119,6 +99,23 @@ index b66c1b8b5a7..0c25ae5033d 100644
default:
print_help ();
break;
--
2.29.2
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..4462987 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--sbat]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP


@ -1,4 +1,4 @@
From 256639accc910e60496fffef96128dc1afd0fa3a Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Mar 2021 14:49:21 +0100
Subject: [PATCH] mokutil: add mok-variables parsing support
@ -10,11 +10,11 @@ variables.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 175 +++++++++++++++++++++++++++++++++++++++++++-------
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0c25ae5033d..252dc7a327f 100644
index 0c25ae5..252dc7a 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -251,6 +251,63 @@ signature_size (const efi_guid_t *hash_type)
@ -112,14 +112,11 @@ index 0c25ae5033d..252dc7a327f 100644
- fprintf (stderr, "Failed to read %s: %m\n", var_name);
- return -1;
- }
+ ret = efi_get_variable (guid, varname, &data, &data_sz,
+ &attributes);
+ if (ret < 0)
+ return 0;
- ret = list_keys (data, data_size);
- free (data);
+
+ ret = list_keys (data, data_sz);
+ free(data);
+ /*
@ -131,8 +128,11 @@ index 0c25ae5033d..252dc7a327f 100644
+ return 0;
+ if (ret > 0)
+ return ret;
+ }
}
- ret = list_keys (data, data_size);
- free (data);
-
- return ret;
+ return 0;
}
@ -236,6 +236,3 @@ index 0c25ae5033d..252dc7a327f 100644
static int
is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
--
2.29.2


@ -1,4 +1,4 @@
From b7a6c0a7ee8e66c5daa377d2e6f59461ed34f3bf Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 25 May 2021 12:46:03 +0200
Subject: [PATCH] mokutil: remove "--simple-hash"
@ -9,11 +9,11 @@ Remove the code to reduce the code size.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 87 +++++----------------------------------------------
src/mokutil.c | 87 +++++------------------------------------------------------
1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 252dc7a327f..563e585979b 100644
index 252dc7a..563e585 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,7 +76,6 @@
@ -255,6 +255,3 @@ index 252dc7a327f..563e585979b 100644
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
break;
case TEST_KEY | MOKX:
--
2.31.1


@ -1,7 +1,7 @@
From d944337820debcaa5e275ec6a3523702ee2d9dd7 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 14:48:08 +0800
Subject: [PATCH 2/2] man: remove "--simple-hash"
Subject: [PATCH] man: remove "--simple-hash"
Remove "--simple-hash" from the man page.
@ -11,7 +11,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 446298763ad..1f82ff1abed 100644
index 4462987..1f82ff1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
@ -76,6 +76,3 @@ index 446298763ad..1f82ff1abed 100644
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP
--
2.31.1


@ -1,4 +1,4 @@
From f552d2bb570568673d293fcb2263a2ee8c3333de Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 25 May 2021 15:22:29 +0200
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
@ -22,7 +22,7 @@ Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 563e585979b..3fdc791af7f 100644
index 563e585..3fdc791 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
@ -44,8 +44,11 @@ index 563e585979b..3fdc791af7f 100644
fprintf (stderr, "Invalid X509 certificate\n");
- return -1;
+ goto cleanup_bio;
+ }
+
}
- SHA1_Init (&ctx);
- SHA1_Update (&ctx, cert, cert_size);
- SHA1_Final (fingerprint, &ctx);
+ md = EVP_get_digestbyname ("SHA1");
+ if(md == NULL) {
+ fprintf (stderr, "Failed to get SHA1 digest\n");
@ -56,11 +59,8 @@ index 563e585979b..3fdc791af7f 100644
+ if (ctx == NULL) {
+ fprintf (stderr, "Failed to create digest context\n");
+ goto cleanup_bio;
}
- SHA1_Init (&ctx);
- SHA1_Update (&ctx, cert, cert_size);
- SHA1_Final (fingerprint, &ctx);
+ }
+
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
+ fprintf (stderr, "Failed to initialize digest context\n");
+ goto cleanup_ctx;
@ -93,6 +93,3 @@ index 563e585979b..3fdc791af7f 100644
BIO_free (cert_bio);
return 0;
--
2.31.1


@ -0,0 +1,181 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Thu, 21 Apr 2022 17:28:07 -0700
Subject: [PATCH] SBAT revocation update support
Control how shim will apply SBAT revocations:
mokutil --set-sbat-policy latest
applies the latest SBAT revocations
(default behavior)
mokutil --set-sbat-policy previous
applies previous SBAT revocations to
allow falling back to an older release
In both of the above cases shim will only apply SBAT revocations that
are newer than the ones currently installed.
mokutil --set-sbat-policy delete
resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
(cherry picked from commit 68f122d79677cf4a8298cf60ab7dc8a7bf43091c)
[rharwood: renumbering, new options not present, renamed var]
---
src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
man/mokutil.1 | 14 ++++++++++++--
2 files changed, 55 insertions(+), 6 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3fdc791..ac158b3 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,7 @@
#define VERBOSITY (1 << 23)
#define TIMEOUT (1 << 24)
#define LIST_SBAT (1 << 25)
+#define SET_SBAT (1 << 27)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -169,12 +170,13 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
++ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2261,6 +2263,26 @@ list_db (DBName db_name)
return -1;
}
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("SbatPolicy");
+ }
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -2275,6 +2297,7 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t sbat_policy = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2311,11 +2334,12 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
- {"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2376,6 +2400,20 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2400,8 +2438,6 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
- } else if (strcmp (option, "sbat") == 0) {
- command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
@@ -2658,6 +2694,9 @@ main (int argc, char *argv[])
case LIST_SBAT:
ret = print_var_content ("SBAT", efi_guid_shim);
break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 1f82ff1..48fbe25 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -71,7 +71,9 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
-\fBmokutil\fR [--sbat]
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.br
.SH DESCRIPTION
@@ -168,6 +170,14 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
-\fB--sbat\fR
+\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP
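Review bot: The `} else if (strcmp (option, "sbat") == 0) {` branch added in main's option parsing cannot be reached, because the same hunk removes `{"sbat", no_argument, 0, 0 },` from long_options and getopt_long only returns names present in that table (assuming `option` is taken from `long_options[option_index].name`, which is set outside the hunk). Either drop the branch or keep `{"sbat", no_argument, 0, 0 },` in the table if `--sbat` is meant to remain a compatibility alias for the renamed `--list-sbat-revocations`. In manage_sbat the `return test_and_delete_var ("SbatPolicy");` path is likewise unreachable from this parser, since every accepted argument sets sbat_policy to 1, 2 or 3 and anything else sets HELP; a comment such as `/* "delete" is written as policy 3; shim clears it on next boot */` would make that intent explicit. The man page text states that the default is to apply the previous revocations while the commit description says latest is the default, so one of the two should be corrected. main's body starts and ends outside the hunk.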

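--- a/SOURCES/mokutil.patches
+++ b/SOURCES/mokutil.patches
@@ -0,0 +1,8 @@
+Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
+Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
+Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
+Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch
+Patch0005: 0005-mokutil-remove-simple-hash.patch
+Patch0006: 0006-man-remove-simple-hash.patch
+Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
+Patch0008: 0008-SBAT-revocation-update-support.patch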


@ -1,6 +1,6 @@
Name: mokutil
Version: 0.4.0
Release: 8%{?dist}
Release: 8%{?dist}.1
Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
@ -11,16 +11,11 @@ BuildRequires: gcc
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
BuildRequires: efivar-devel >= 31-1
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Source1: mokutil.patches
Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil < 0.2.0
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch
Patch0005: 0005-mokutil-remove-simple-hash.patch
Patch0006: 0006-man-remove-simple-hash.patch
Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
%include %{SOURCE1}
%description
mokutil provides a tool to manage keys for Secure Boot through the MoK
@ -55,6 +50,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Wed Jun 01 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-8.el9_0.1
- Support sbat revocation and setting policy
- Related: CVE-2022-28737
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688