rpms
/
mokutil
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import mokutil-0.6.0-4.el9

This commit is contained in:
CentOS Sources 2023-03-28 09:36:22 +00:00 committed by Stepan Oksanichenko
parent 6bffadf5c2
commit 7263a6e217
17 changed files with 196 additions and 1194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/0.4.0.tar.gz
SOURCES/mokutil-0.6.0.tar.gz

2
.mokutil.metadata
View File

@ -1 +1 @@
42d6c1551535386cba63265a6ed7172d11c88b97 SOURCES/0.4.0.tar.gz
b38fa41703cae749d8f642d3218cdff5d5d9a8ec SOURCES/mokutil-0.6.0.tar.gz

114
SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch
View File

@ -1,114 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH] Avoid taking pointer to packed struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:
error: taking address of packed member of struct <anonymous> may result in an unaligned pointer value [-Werror=address-of-packed-member]
---
src/mokutil.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e2d567d..8892613 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
+ efi_guid_t sigtype = CertList->SignatureType;
+
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
continue;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (CertList->SignatureSize != signature_size (&sigtype))) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
list[count].header = CertList;
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
/* X509 certificate */
list[count].mok_size = CertList->SignatureSize -
sizeof(efi_guid_t);
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
for (unsigned int i = 0; i < mok_num; i++) {
printf ("[key %d]\n", i+1);
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
print_x509 ((char *)list[i].mok, list[i].mok_size);
} else {
- print_hash_array (&list[i].header->SignatureType,
+ print_hash_array (&sigtype,
list[i].mok, list[i].mok_size);
}
if (i < mok_num - 1)
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
remain = total;
for (unsigned int i = 0; i < mok_num; i++) {
remain -= list[i].header->SignatureListSize;
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
sig_list_size = list[i].header->SignatureListSize;
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
}
for (unsigned int i = 0; i < node_num; i++) {
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
/* Check if there is a signature list with the same type */
for (unsigned int i = 0; i < mok_num; i++) {
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
- &hash_type) == 0) {
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
merge_ind = i;
list_size -= sizeof(EFI_SIGNATURE_LIST);
break;
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
for (unsigned i = 0; i < mok_num; i++) {
off_t offset = 0;
ssize_t write_size;
+ efi_guid_t sigtype = list[i].header->SignatureType;
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
continue;
/* Dump X509 certificate to files */

31
SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch Normal file
View File

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 17 May 2022 11:23:28 -0400
Subject: [PATCH] Show usage instead of aborting on bad flags
Aborting here just confuses users and is sufficiently unexpected to
cause the filing of bugs.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 82694cb1ce3b29c3705c25ae4cea3d07fe57b558)
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5d725c9..e8228af 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
goto out;
case 'h':
case '?':
+ default:
command |= HELP;
break;
- default:
- abort ();
}
}

30
SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch
View File

@ -1,30 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 25 Jul 2018 10:27:34 -0400
Subject: [PATCH] Fix a integer comparison sign issue.
I introduced this, and it's stupid:
mokutil.c: In function 'generate_pw_hash':
mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
if (salt_size > settings_len - (next - settings)) {
^
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 8892613..b66c1b8 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw)
char *password = NULL;
char *crypt_string;
const char *prefix;
- int settings_len = sizeof (settings) - 2;
+ unsigned int settings_len = sizeof (settings) - 2;
unsigned int pw_len, salt_size;
if (input_pw) {

26
SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong2@huawei.com>
Date: Mon, 30 May 2022 17:54:47 +0800
Subject: [PATCH] mokutil bugfix: del unused opt "-s"
The -s option can cause unexcepted result.
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08)
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e8228af..6982ade 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
};
int option_index = 0;
- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
+ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
long_options, &option_index);
if (c == -1)

28
SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch Normal file
View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 12:56:31 -0400
Subject: [PATCH] Fix leak of list in delete_data_from_req_var()
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248)
---
src/util.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util.c b/src/util.c
index 621869f..6cd0302 100644
--- a/src/util.c
+++ b/src/util.c
@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
}
/* the key or hash is not in this list */
- if (start == NULL)
- return 0;
+ if (start == NULL) {
+ ret = 0;
+ goto done;
+ }
/* all keys are removed */
if (total == 0) {

257
SOURCES/0003-mokutil-remove-simple-hash.patch
View File

@ -1,257 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 25 May 2021 12:46:03 +0200
Subject: [PATCH] mokutil: remove "--simple-hash"
The simple-hash password format is used by the very early MokManager and
not the default format anymore after we changed to password-crypt.
Remove the code to reduce the code size.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 87 +++++------------------------------------------------------
1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8..e811266 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,7 +76,6 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define SIMPLE_HASH (1 << 17)
#define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19)
#define MOKX (1 << 20)
@@ -94,8 +93,6 @@ typedef unsigned long efi_status_t;
typedef uint8_t efi_bool_t;
typedef wchar_t efi_char16_t; /* UNICODE character */
-static int use_simple_hash;
-
typedef enum {
DELETE_MOK = 0,
ENROLL_MOK,
@@ -180,7 +177,6 @@ print_help ()
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
printf (" --root-pw\t\t\t\tUse the root password\n");
- printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
}
@@ -736,32 +732,6 @@ error:
return ret;
}
-static int
-generate_auth (void *new_list, int list_len, char *password,
- unsigned int pw_len, uint8_t *auth)
-{
- efi_char16_t efichar_pass[PASSWORD_MAX+1];
- unsigned long efichar_len;
- SHA256_CTX ctx;
-
- if (!password || !auth)
- return -1;
-
- efichar_len = efichar_from_char (efichar_pass, password,
- pw_len * sizeof(efi_char16_t));
-
- SHA256_Init (&ctx);
-
- if (new_list)
- SHA256_Update (&ctx, new_list, list_len);
-
- SHA256_Update (&ctx, efichar_pass, efichar_len);
-
- SHA256_Final (auth, &ctx);
-
- return 0;
-}
-
static void
generate_salt (char salt[], unsigned int salt_size)
{
@@ -901,7 +871,6 @@ update_request (void *new_list, int list_len, MokRequest req,
size_t data_size;
const char *req_name, *auth_name;
pw_crypt_t pw_crypt;
- uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
unsigned int pw_len;
int auth_ret;
@@ -950,12 +919,7 @@ update_request (void *new_list, int list_len, MokRequest req,
goto error;
}
- if (!use_simple_hash) {
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (new_list, list_len, password,
- pw_len, auth);
- }
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
@@ -991,13 +955,8 @@ update_request (void *new_list, int list_len, MokRequest req,
}
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
attributes, S_IRUSR | S_IWUSR) < 0) {
@@ -1750,26 +1709,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
goto error;
}
- if (!use_simple_hash) {
- pw_crypt.method = DEFAULT_CRYPT_METHOD;
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (NULL, 0, password, pw_len,
- auth);
- }
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
}
}
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)auth;
+ data_size = SHA256_DIGEST_LENGTH;
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
@@ -2147,8 +2096,6 @@ main (int argc, char *argv[])
DBName db_name = MOK_LIST_RT;
int ret = -1;
- use_simple_hash = 0;
-
if (!efi_variables_supported ()) {
fprintf (stderr, "EFI variables are not supported on this system\n");
exit (1);
@@ -2175,7 +2122,6 @@ main (int argc, char *argv[])
{"hash-file", required_argument, 0, 'f'},
{"generate-hash", optional_argument, 0, 'g'},
{"root-pw", no_argument, 0, 'P'},
- {"simple-hash", no_argument, 0, 's'},
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
{"mok", no_argument, 0, 'm'},
@@ -2374,10 +2320,6 @@ main (int argc, char *argv[])
case 'x':
command |= EXPORT;
break;
- case 's':
- command |= SIMPLE_HASH;
- use_simple_hash = 1;
- break;
case 'm':
db_name = MOK_LIST_RT;
break;
@@ -2398,9 +2340,6 @@ main (int argc, char *argv[])
}
}
- if (use_root_pw == 1 && use_simple_hash == 1)
- use_simple_hash = 0;
-
if (hash_file && use_root_pw)
command |= HELP;
@@ -2436,22 +2375,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokDel", efi_guid_shim);
break;
case IMPORT:
- case IMPORT | SIMPLE_HASH:
ret = issue_mok_request (files, total, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE:
- case DELETE | SIMPLE_HASH:
ret = issue_mok_request (files, total, DELETE_MOK,
hash_file, use_root_pw);
break;
case IMPORT_HASH:
- case IMPORT_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE_HASH:
- case DELETE_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, DELETE_MOK,
hash_file, use_root_pw);
break;
@@ -2466,11 +2401,9 @@ main (int argc, char *argv[])
ret = export_db_keys (db_name);
break;
case PASSWORD:
- case PASSWORD | SIMPLE_HASH:
ret = set_password (hash_file, use_root_pw, 0);
break;
case CLEAR_PASSWORD:
- case CLEAR_PASSWORD | SIMPLE_HASH:
ret = set_password (NULL, 0, 1);
break;
case DISABLE_VALIDATION:
@@ -2486,7 +2419,6 @@ main (int argc, char *argv[])
ret = test_key (ENROLL_MOK, key_file);
break;
case RESET:
- case RESET | SIMPLE_HASH:
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
break;
case GENERATE_PW_HASH:
@@ -2505,22 +2437,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokXDel", efi_guid_shim);
break;
case IMPORT | MOKX:
- case IMPORT | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE | MOKX:
- case DELETE | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
case IMPORT_HASH | MOKX:
- case IMPORT_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE_HASH | MOKX:
- case DELETE_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
@@ -2531,7 +2459,6 @@ main (int argc, char *argv[])
ret = revoke_request (DELETE_BLACKLIST);
break;
case RESET | MOKX:
- case RESET | SIMPLE_HASH | MOKX:
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
break;
case TEST_KEY | MOKX:

70
SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch Normal file
View File

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 2 Jun 2022 13:00:22 -0400
Subject: [PATCH] Fix leak of fd in mok_get_variable()
On success, it was never closed. Refactor the code to use a single
egress path so its closure is clear.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a)
---
src/util.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/util.c b/src/util.c
index 6cd0302..f7fc033 100644
--- a/src/util.c
+++ b/src/util.c
@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
return fd;
rc = fstat(fd, &sb);
- if (rc < 0) {
-err_close:
- close(fd);
- return rc;
- }
+ if (rc < 0)
+ goto done;
if (sb.st_size == 0) {
errno = ENOENT;
rc = -1;
- goto err_close;
+ goto done;
}
bufsz = sb.st_size;
buf = calloc(1, bufsz);
- if (!buf)
- goto err_close;
+ if (!buf) {
+ rc = -1;
+ goto done;
+ }
while (pos < bufsz) {
ssz = read(fd, &buf[pos], bufsz - pos);
@@ -82,15 +81,18 @@ err_close:
errno == EINTR)
continue;
free(buf);
- goto err_close;
+ rc = -1;
+ goto done;
}
pos += ssz;
}
*datap = buf;
*data_sizep = pos;
-
- return 0;
+ rc = 0;
+done:
+ close(fd);
+ return rc;
}
MokListNode*

78
SOURCES/0004-man-remove-simple-hash.patch
View File

@ -1,78 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 14:48:08 +0800
Subject: [PATCH] man: remove "--simple-hash"
Remove "--simple-hash" from the man page.
Signed-off-by: Gary Lin <glin@suse.com>
---
man/mokutil.1 | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..7cee5da 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx |- X])
+ [--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
([--mokx | -X])
@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--clear-password | -c]
- ([--simple-hash | -s])
.br
\fBmokutil\fR [--disable-validation]
.br
@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mok | -X])
+ [--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
@@ -136,11 +134,6 @@ Use the password hash from a specific file
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
-\fB-s, --simple-hash\fR
-Use the old SHA256 password hash method to hash the password
-.br
-Note: --root-pw invalidates --simple-hash
-.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP

38
SOURCES/0005-mokutil-adjust-the-command-bits.patch
View File

@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 16:10:50 +0800
Subject: [PATCH] mokutil: adjust the command bits
Adjust the bits after removing SIMPLE_HASH.
Signed-off-by: Gary Lin <glin@suse.com>
(cherry picked from commit 25191c38156b90004b783d0265d967dbe8e76a38)
---
src/mokutil.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e811266..a9d97f4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,13 +76,13 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define IGNORE_DB (1 << 18)
-#define USE_DB (1 << 19)
-#define MOKX (1 << 20)
-#define IMPORT_HASH (1 << 21)
-#define DELETE_HASH (1 << 22)
-#define VERBOSITY (1 << 23)
-#define TIMEOUT (1 << 24)
+#define IGNORE_DB (1 << 17)
+#define USE_DB (1 << 18)
+#define MOKX (1 << 19)
+#define IMPORT_HASH (1 << 20)
+#define DELETE_HASH (1 << 21)
+#define VERBOSITY (1 << 22)
+#define TIMEOUT (1 << 23)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX

121
SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
View File

@ -1,121 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 17 Mar 2021 14:38:57 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
This variable contains the descriptive form of all the components used by
the operating systems that ship signed shim binaries. Along with a minimum
generation number for each component. More information in can be found in
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
https://github.com/rhboot/shim/blob/main/SBAT.md
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
encoded strings, the data could just be printed without the need to do any
previous processing.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
man/mokutil.1 | 5 +++++
2 files changed, 38 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a9d97f4..dba77c9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@
#define DELETE_HASH (1 << 21)
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
+#define LIST_SBAT (1 << 24)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -173,6 +174,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1557,6 +1559,31 @@ error:
return ret;
}
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
static int
revoke_request (MokRequest req)
{
@@ -2133,6 +2160,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2217,6 +2245,8 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
@@ -2470,6 +2500,9 @@ main (int argc, char *argv[])
case TIMEOUT:
ret = set_timeout (timeout);
break;
+ case LIST_SBAT:
+ ret = print_var_content ("SBAT", efi_guid_shim);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 7cee5da..1f82ff1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--sbat]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP

238
SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch
View File

@ -1,238 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 17 Mar 2021 14:49:21 +0100
Subject: [PATCH] mokutil: add mok-variables parsing support
his patch adds support for getting mok variables from
/sys/firmware/efi/mok-variables/$NAME , if they are present, as well as
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
variables.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index dba77c9..9153b10 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -247,6 +247,63 @@ signature_size (const efi_guid_t *hash_type)
return 0;
}
+static int
+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+{
+ char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name";
+ size_t filename_sz = sizeof(filename);
+ int fd, rc;
+ struct stat sb = { 0, };
+ uint8_t *buf;
+ size_t bufsz, pos = 0;
+ ssize_t ssz;
+
+ *datap = 0;
+ *data_sizep = 0;
+
+ snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name);
+
+ fd = open(filename, O_RDONLY);
+ if (fd < 0)
+ return fd;
+
+ rc = fstat(fd, &sb);
+ if (rc < 0) {
+err_close:
+ close(fd);
+ return rc;
+ }
+
+ if (sb.st_size == 0) {
+ errno = ENOENT;
+ rc = -1;
+ goto err_close;
+ }
+
+ bufsz = sb.st_size;
+ buf = calloc(1, bufsz);
+ if (!buf)
+ goto err_close;
+
+ while (pos < bufsz) {
+ ssz = read(fd, &buf[pos], bufsz - pos);
+ if (ssz < 0) {
+ if (errno == EAGAIN ||
+ errno == EWOULDBLOCK ||
+ errno == EINTR)
+ continue;
+ free(buf);
+ goto err_close;
+ }
+
+ pos += ssz;
+ }
+ *datap = buf;
+ *data_sizep = pos;
+
+ return 0;
+}
+
static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{
@@ -618,25 +675,44 @@ static int
list_keys_in_var (const char *var_name, const efi_guid_t guid)
{
uint8_t *data = NULL;
- size_t data_size;
+ char varname[] = "implausibly-long-mok-variable-name";
+ size_t data_sz, i, varname_sz = sizeof(varname);
uint32_t attributes;
int ret;
- ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
- if (ret < 0) {
- if (errno == ENOENT) {
- printf ("%s is empty\n", var_name);
- return 0;
+ ret = mok_get_variable(var_name, &data, &data_sz);
+ if (ret >= 0) {
+ ret = list_keys (data, data_sz);
+ free(data);
+ return ret;
+ }
+
+ for (i = 0; i < SIZE_MAX; i++) {
+ if (i == 0) {
+ snprintf(varname, varname_sz, "%s", var_name);
+ } else {
+ snprintf(varname, varname_sz, "%s%zu", var_name, i);
}
- fprintf (stderr, "Failed to read %s: %m\n", var_name);
- return -1;
+ ret = efi_get_variable (guid, varname, &data, &data_sz,
+ &attributes);
+ if (ret < 0)
+ return 0;
+
+ ret = list_keys (data, data_sz);
+ free(data);
+ /*
+ * If ret is < 0, the next one will error as well.
+ * If ret is 0, we need to test the next variable.
+ * If it's 1, that's a real answer.
+ */
+ if (ret < 0)
+ return 0;
+ if (ret > 0)
+ return ret;
}
- ret = list_keys (data, data_size);
- free (data);
-
- return ret;
+ return 0;
}
static int
@@ -998,22 +1074,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
- const efi_guid_t *vendor, const char *db_name)
+is_one_duplicate (const efi_guid_t *type,
+ const void *data, const uint32_t data_size,
+ uint8_t *var_data, size_t var_data_size)
{
- uint8_t *var_data;
- size_t var_data_size;
- uint32_t attributes;
uint32_t node_num;
MokListNode *list;
int ret = 0;
- if (!data || data_size == 0 || !db_name)
- return 0;
-
- ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size,
- &attributes);
- if (ret < 0)
+ if (!data || data_size == 0)
return 0;
list = build_mok_list (var_data, var_data_size, &node_num);
@@ -1046,11 +1115,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
done:
if (list)
free (list);
- free (var_data);
return ret;
}
+static int
+is_duplicate (const efi_guid_t *type,
+ const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
+{
+ uint32_t attributes;
+ char varname[] = "implausibly-long-mok-variable-name";
+ size_t varname_sz = sizeof(varname);
+ int ret = 0;
+ size_t i;
+
+ if (!strncmp(db_name, "Mok", 3)) {
+ uint8_t *var_data = NULL;
+ size_t var_data_size = 0;
+ ret = mok_get_variable(db_name, &var_data, &var_data_size);
+ if (ret >= 0) {
+ ret = is_one_duplicate(type, data, data_size,
+ var_data, var_data_size);
+ if (ret >= 0) {
+ free (var_data);
+ return ret;
+ }
+ var_data = NULL;
+ var_data_size = 0;
+ }
+ }
+
+ for (i = 0; i < SIZE_MAX; i++) {
+ uint8_t *var_data = NULL;
+ size_t var_data_size = 0;
+ if (i == 0) {
+ snprintf(varname, varname_sz, "%s", db_name);
+ } else {
+ snprintf(varname, varname_sz, "%s%zu", db_name, i);
+ }
+
+ ret = efi_get_variable (*vendor, varname,
+ &var_data, &var_data_size,
+ &attributes);
+ if (ret < 0)
+ return 0;
+
+ ret = is_one_duplicate(type, data, data_size,
+ var_data, var_data_size);
+ free (var_data);
+ /*
+ * If ret is < 0, the next one will error as well.
+ * If ret is 0, we need to test the next variable.
+ * If it's 1, that's a real answer.
+ */
+ if (ret < 0)
+ return 0;
+ if (ret > 0)
+ return ret;
+ }
+
+ return 0;
+}
+
static int
is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)

95
SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
View File

@ -1,95 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 25 May 2021 15:22:29 +0200
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
deprecated SHA1_*()
The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads
to compile errors when building with -Werror=deprecated-declarations, i.e:
mokutil.c: In function 'print_x509':
mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
424 | SHA1_Init (&ctx);
| ^~~~~~~~~
...
instead, the EVP_Digest*() functions could be used. Port to them and avoid
these build failures with the latest OpenSSL 3.0 version.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9153b10..0fd2dc3 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
{
X509 *X509cert;
BIO *cert_bio;
- SHA_CTX ctx;
- uint8_t fingerprint[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *ctx;
+ const EVP_MD *md;
+ unsigned int md_len;
+ unsigned char fingerprint[EVP_MAX_MD_SIZE];
cert_bio = BIO_new (BIO_s_mem ());
BIO_write (cert_bio, cert, cert_size);
@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size)
X509cert = d2i_X509_bio (cert_bio, NULL);
if (X509cert == NULL) {
fprintf (stderr, "Invalid X509 certificate\n");
- return -1;
+ goto cleanup_bio;
}
- SHA1_Init (&ctx);
- SHA1_Update (&ctx, cert, cert_size);
- SHA1_Final (fingerprint, &ctx);
+ md = EVP_get_digestbyname ("SHA1");
+ if(md == NULL) {
+ fprintf (stderr, "Failed to get SHA1 digest\n");
+ goto cleanup_bio;
+ }
+
+ ctx = EVP_MD_CTX_create ();
+ if (ctx == NULL) {
+ fprintf (stderr, "Failed to create digest context\n");
+ goto cleanup_bio;
+ }
+
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
+ fprintf (stderr, "Failed to initialize digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) {
+ fprintf (stderr, "Failed to hash into the digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
+ fprintf (stderr, "Failed to get digest value\n");
+ goto cleanup_ctx;
+ }
printf ("SHA1 Fingerprint: ");
- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) {
+ for (unsigned int i = 0; i < md_len; i++) {
printf ("%02x", fingerprint[i]);
- if (i < SHA_DIGEST_LENGTH - 1)
+ if (i < md_len - 1)
printf (":");
}
printf ("\n");
X509_print_fp (stdout, X509cert);
+cleanup_ctx:
+ EVP_MD_CTX_destroy (ctx);
+cleanup_bio:
BIO_free (cert_bio);
return 0;

191
SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
View File

@ -1,191 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Fri, 3 Dec 2021 14:18:31 +0100
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
fallback debugging.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
[rharwood: no sb_check, no util renaming]
---
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
data/mokutil | 8 +++++++
man/mokutil.1 | 10 +++++++++
3 files changed, 88 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0fd2dc3..f9641a1 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,8 @@
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
#define LIST_SBAT (1 << 24)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -169,6 +171,8 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
@@ -2240,6 +2244,46 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2275,6 +2319,8 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2311,6 +2357,8 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
@@ -2376,6 +2424,22 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2652,6 +2716,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
case TIMEOUT:
ret = set_timeout (timeout);
break;
diff --git a/data/mokutil b/data/mokutil
index 800b039..af6b6ff 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -24,6 +24,14 @@ _mokutil()
COMPREPLY=( $( compgen -W "true false") )
return 0
;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
--generate-hash|-g)
COMPREPLY=( $( compgen -o nospace -P= -W "") )
return 0
diff --git a/man/mokutil.1 b/man/mokutil.1
index 1f82ff1..a3a73e1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
@@ -156,6 +160,12 @@ this is not the password hash.
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP

13
SOURCES/mokutil.patches
View File

@ -1,9 +1,4 @@
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-mokutil-remove-simple-hash.patch
Patch0004: 0004-man-remove-simple-hash.patch
Patch0005: 0005-mokutil-adjust-the-command-bits.patch
Patch0006: 0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
Patch0007: 0007-mokutil-add-mok-variables-parsing-support.patch
Patch0008: 0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
Patch0009: 0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch
Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch

56
SPECS/mokutil.spec
View File

@ -1,17 +1,24 @@
Name: mokutil
Version: 0.4.0
Release: 9%{?dist}
Version: 0.6.0
Release: 4%{?dist}
Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
URL: https://github.com/lcp/mokutil
ExclusiveArch: %{ix86} x86_64 aarch64
BuildRequires: make
BuildRequires: gcc
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
BuildRequires: efivar-devel >= 31-1
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: mokutil.patches
ExclusiveArch: %{ix86} x86_64 aarch64 %{arm}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: efivar-devel >= 31-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: gnu-efi
BuildRequires: keyutils-libs-devel
BuildRequires: make
BuildRequires: openssl
BuildRequires: openssl-devel
Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil < 0.2.0
@ -22,27 +29,17 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
("Machine's Own Keys") mechanism.
%prep
%setup -q -n %{name}-%{version}
git init
git config user.email "%{name}-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%autosetup -S git_am -b 0 -T
%build
./autogen.sh
%configure
make %{?_smp_mflags}
%{make_build}
%install
rm -rf %{buildroot}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{make_install}
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README
%{_bindir}/mokutil
@ -50,6 +47,23 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Thu Oct 27 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.6.0-4
- Sync with Fedora at same NVR
- Resolves: #2084621
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 2:0.5.0-3
- Add support for "mokutil --list-sbat-revocations" and
"mokutil --set-sbat-policy"
Related: CVE-2022-28737
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-2
- Add git to buildrequires
- Resolves: #2081474
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-1
- New upstream version (0.5.0)
- Resolves: #2081474
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
- Add ability to change fallback verbose mode
- Resolves: #2069296