From 7263a6e21704788eafef973dd70dc28599b77c62 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 09:36:22 +0000 Subject: [PATCH] import mokutil-0.6.0-4.el9 --- .gitignore | 2 +- .mokutil.metadata | 2 +- ...void-taking-pointer-to-packed-struct.patch | 114 -------- ...age-instead-of-aborting-on-bad-flags.patch | 31 +++ ...-Fix-a-integer-comparison-sign-issue.patch | 30 -- ...0002-mokutil-bugfix-del-unused-opt-s.patch | 26 ++ ...-of-list-in-delete_data_from_req_var.patch | 28 ++ SOURCES/0003-mokutil-remove-simple-hash.patch | 257 ------------------ ...4-Fix-leak-of-fd-in-mok_get_variable.patch | 70 +++++ SOURCES/0004-man-remove-simple-hash.patch | 78 ------ ...0005-mokutil-adjust-the-command-bits.patch | 38 --- ...on-to-print-the-UEFI-SBAT-variable-c.patch | 121 --------- ...il-add-mok-variables-parsing-support.patch | 238 ---------------- ...Digest-functions-instead-of-the-depr.patch | 95 ------- ...etting-fallback-verbosity-and-norebo.patch | 191 ------------- SOURCES/mokutil.patches | 13 +- SPECS/mokutil.spec | 56 ++-- 17 files changed, 196 insertions(+), 1194 deletions(-) delete mode 100644 SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch create mode 100644 SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch delete mode 100644 SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch create mode 100644 SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch create mode 100644 SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch delete mode 100644 SOURCES/0003-mokutil-remove-simple-hash.patch create mode 100644 SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch delete mode 100644 SOURCES/0004-man-remove-simple-hash.patch delete mode 100644 SOURCES/0005-mokutil-adjust-the-command-bits.patch delete mode 100644 SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch delete mode 100644 SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch delete mode 100644 SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch delete mode 100644 SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch diff --git a/.gitignore b/.gitignore index af35945..ca43e0b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/0.4.0.tar.gz +SOURCES/mokutil-0.6.0.tar.gz diff --git a/.mokutil.metadata b/.mokutil.metadata index 032d179..ab6e9e9 100644 --- a/.mokutil.metadata +++ b/.mokutil.metadata @@ -1 +1 @@ -42d6c1551535386cba63265a6ed7172d11c88b97 SOURCES/0.4.0.tar.gz +b38fa41703cae749d8f642d3218cdff5d5d9a8ec SOURCES/mokutil-0.6.0.tar.gz diff --git a/SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch b/SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch deleted file mode 100644 index f0268ce..0000000 --- a/SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Harry Youd -Date: Wed, 31 Jul 2019 19:44:53 +0100 -Subject: [PATCH] Avoid taking pointer to packed struct -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: -error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] ---- - src/mokutil.c | 38 ++++++++++++++++++++++---------------- - 1 file changed, 22 insertions(+), 16 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index e2d567d..8892613 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) - return NULL; - } - -- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) { -+ efi_guid_t sigtype = CertList->SignatureType; -+ -+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + - CertList->SignatureListSize); - continue; - } - -- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && -- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) { -+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && -+ (CertList->SignatureSize != signature_size (&sigtype))) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + - CertList->SignatureListSize); -@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) - } - - list[count].header = CertList; -- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) { -+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { - /* X509 certificate */ - list[count].mok_size = CertList->SignatureSize - - sizeof(efi_guid_t); -@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size) - - for (unsigned int i = 0; i < mok_num; i++) { - printf ("[key %d]\n", i+1); -- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) { -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { - print_x509 ((char *)list[i].mok, list[i].mok_size); - } else { -- print_hash_array (&list[i].header->SignatureType, -+ print_hash_array (&sigtype, - list[i].mok, list[i].mok_size); - } - if (i < mok_num - 1) -@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, - remain = total; - for (unsigned int i = 0; i < mok_num; i++) { - remain -= list[i].header->SignatureListSize; -- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, type) != 0) - continue; - - sig_list_size = list[i].header->SignatureListSize; -@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size - } - - for (unsigned int i = 0; i < node_num; i++) { -- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, type) != 0) - continue; - - if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { -@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req, - goto error; - /* Check if there is a signature list with the same type */ - for (unsigned int i = 0; i < mok_num; i++) { -- if (efi_guid_cmp (&mok_list[i].header->SignatureType, -- &hash_type) == 0) { -+ efi_guid_t sigtype = mok_list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) { - merge_ind = i; - list_size -= sizeof(EFI_SIGNATURE_LIST); - break; -@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name) - for (unsigned i = 0; i < mok_num; i++) { - off_t offset = 0; - ssize_t write_size; -+ efi_guid_t sigtype = list[i].header->SignatureType; - -- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0) -+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) - continue; - - /* Dump X509 certificate to files */ diff --git a/SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch b/SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch new file mode 100644 index 0000000..0f7fda1 --- /dev/null +++ b/SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 17 May 2022 11:23:28 -0400 +Subject: [PATCH] Show usage instead of aborting on bad flags + +Aborting here just confuses users and is sufficiently unexpected to +cause the filing of bugs. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066 +Signed-off-by: Robbie Harwood +(cherry picked from commit 82694cb1ce3b29c3705c25ae4cea3d07fe57b558) +--- + src/mokutil.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 5d725c9..e8228af 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2087,10 +2087,9 @@ main (int argc, char *argv[]) + goto out; + case 'h': + case '?': ++ default: + command |= HELP; + break; +- default: +- abort (); + } + } + diff --git a/SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch b/SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch deleted file mode 100644 index 33662ef..0000000 --- a/SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 25 Jul 2018 10:27:34 -0400 -Subject: [PATCH] Fix a integer comparison sign issue. - -I introduced this, and it's stupid: - -mokutil.c: In function 'generate_pw_hash': -mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare] - if (salt_size > settings_len - (next - settings)) { - ^ - -Signed-off-by: Peter Jones ---- - src/mokutil.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index 8892613..b66c1b8 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw) - char *password = NULL; - char *crypt_string; - const char *prefix; -- int settings_len = sizeof (settings) - 2; -+ unsigned int settings_len = sizeof (settings) - 2; - unsigned int pw_len, salt_size; - - if (input_pw) { diff --git a/SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch b/SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch new file mode 100644 index 0000000..a5ad40b --- /dev/null +++ b/SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch @@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: gaoyusong +Date: Mon, 30 May 2022 17:54:47 +0800 +Subject: [PATCH] mokutil bugfix: del unused opt "-s" + +The -s option can cause unexcepted result. + +Signed-off-by: gaoyusong +(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08) +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index e8228af..6982ade 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1851,7 +1851,7 @@ main (int argc, char *argv[]) + }; + + int option_index = 0; +- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv", ++ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv", + long_options, &option_index); + + if (c == -1) diff --git a/SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch b/SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch new file mode 100644 index 0000000..23633a8 --- /dev/null +++ b/SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch @@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 2 Jun 2022 12:56:31 -0400 +Subject: [PATCH] Fix leak of list in delete_data_from_req_var() + +Signed-off-by: Robbie Harwood +(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248) +--- + src/util.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/util.c b/src/util.c +index 621869f..6cd0302 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type, + } + + /* the key or hash is not in this list */ +- if (start == NULL) +- return 0; ++ if (start == NULL) { ++ ret = 0; ++ goto done; ++ } + + /* all keys are removed */ + if (total == 0) { diff --git a/SOURCES/0003-mokutil-remove-simple-hash.patch b/SOURCES/0003-mokutil-remove-simple-hash.patch deleted file mode 100644 index 2c8e537..0000000 --- a/SOURCES/0003-mokutil-remove-simple-hash.patch +++ /dev/null @@ -1,257 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 25 May 2021 12:46:03 +0200 -Subject: [PATCH] mokutil: remove "--simple-hash" - -The simple-hash password format is used by the very early MokManager and -not the default format anymore after we changed to password-crypt. -Remove the code to reduce the code size. - -Signed-off-by: Gary Lin ---- - src/mokutil.c | 87 +++++------------------------------------------------------ - 1 file changed, 7 insertions(+), 80 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index b66c1b8..e811266 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -76,7 +76,6 @@ - #define TEST_KEY (1 << 14) - #define RESET (1 << 15) - #define GENERATE_PW_HASH (1 << 16) --#define SIMPLE_HASH (1 << 17) - #define IGNORE_DB (1 << 18) - #define USE_DB (1 << 19) - #define MOKX (1 << 20) -@@ -94,8 +93,6 @@ typedef unsigned long efi_status_t; - typedef uint8_t efi_bool_t; - typedef wchar_t efi_char16_t; /* UNICODE character */ - --static int use_simple_hash; -- - typedef enum { - DELETE_MOK = 0, - ENROLL_MOK, -@@ -180,7 +177,6 @@ print_help () - printf ("Supplimentary Options:\n"); - printf (" --hash-file \t\tUse the specific password hash\n"); - printf (" --root-pw\t\t\t\tUse the root password\n"); -- printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); - printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); - } - -@@ -736,32 +732,6 @@ error: - return ret; - } - --static int --generate_auth (void *new_list, int list_len, char *password, -- unsigned int pw_len, uint8_t *auth) --{ -- efi_char16_t efichar_pass[PASSWORD_MAX+1]; -- unsigned long efichar_len; -- SHA256_CTX ctx; -- -- if (!password || !auth) -- return -1; -- -- efichar_len = efichar_from_char (efichar_pass, password, -- pw_len * sizeof(efi_char16_t)); -- -- SHA256_Init (&ctx); -- -- if (new_list) -- SHA256_Update (&ctx, new_list, list_len); -- -- SHA256_Update (&ctx, efichar_pass, efichar_len); -- -- SHA256_Final (auth, &ctx); -- -- return 0; --} -- - static void - generate_salt (char salt[], unsigned int salt_size) - { -@@ -901,7 +871,6 @@ update_request (void *new_list, int list_len, MokRequest req, - size_t data_size; - const char *req_name, *auth_name; - pw_crypt_t pw_crypt; -- uint8_t auth[SHA256_DIGEST_LENGTH]; - char *password = NULL; - unsigned int pw_len; - int auth_ret; -@@ -950,12 +919,7 @@ update_request (void *new_list, int list_len, MokRequest req, - goto error; - } - -- if (!use_simple_hash) { -- auth_ret = generate_hash (&pw_crypt, password, pw_len); -- } else { -- auth_ret = generate_auth (new_list, list_len, password, -- pw_len, auth); -- } -+ auth_ret = generate_hash (&pw_crypt, password, pw_len); - if (auth_ret < 0) { - fprintf (stderr, "Couldn't generate hash\n"); - goto error; -@@ -991,13 +955,8 @@ update_request (void *new_list, int list_len, MokRequest req, - } - - /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ -- if (!use_simple_hash) { -- data = (void *)&pw_crypt; -- data_size = PASSWORD_CRYPT_SIZE; -- } else { -- data = (void *)auth; -- data_size = SHA256_DIGEST_LENGTH; -- } -+ data = (void *)&pw_crypt; -+ data_size = PASSWORD_CRYPT_SIZE; - - if (efi_set_variable (efi_guid_shim, auth_name, data, data_size, - attributes, S_IRUSR | S_IWUSR) < 0) { -@@ -1750,26 +1709,16 @@ set_password (const char *hash_file, const int root_pw, const int clear) - goto error; - } - -- if (!use_simple_hash) { -- pw_crypt.method = DEFAULT_CRYPT_METHOD; -- auth_ret = generate_hash (&pw_crypt, password, pw_len); -- } else { -- auth_ret = generate_auth (NULL, 0, password, pw_len, -- auth); -- } -+ pw_crypt.method = DEFAULT_CRYPT_METHOD; -+ auth_ret = generate_hash (&pw_crypt, password, pw_len); - if (auth_ret < 0) { - fprintf (stderr, "Couldn't generate hash\n"); - goto error; - } - } - -- if (!use_simple_hash) { -- data = (void *)&pw_crypt; -- data_size = PASSWORD_CRYPT_SIZE; -- } else { -- data = (void *)auth; -- data_size = SHA256_DIGEST_LENGTH; -- } -+ data = (void *)auth; -+ data_size = SHA256_DIGEST_LENGTH; - uint32_t attributes = EFI_VARIABLE_NON_VOLATILE - | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS; -@@ -2147,8 +2096,6 @@ main (int argc, char *argv[]) - DBName db_name = MOK_LIST_RT; - int ret = -1; - -- use_simple_hash = 0; -- - if (!efi_variables_supported ()) { - fprintf (stderr, "EFI variables are not supported on this system\n"); - exit (1); -@@ -2175,7 +2122,6 @@ main (int argc, char *argv[]) - {"hash-file", required_argument, 0, 'f'}, - {"generate-hash", optional_argument, 0, 'g'}, - {"root-pw", no_argument, 0, 'P'}, -- {"simple-hash", no_argument, 0, 's'}, - {"ignore-db", no_argument, 0, 0 }, - {"use-db", no_argument, 0, 0 }, - {"mok", no_argument, 0, 'm'}, -@@ -2374,10 +2320,6 @@ main (int argc, char *argv[]) - case 'x': - command |= EXPORT; - break; -- case 's': -- command |= SIMPLE_HASH; -- use_simple_hash = 1; -- break; - case 'm': - db_name = MOK_LIST_RT; - break; -@@ -2398,9 +2340,6 @@ main (int argc, char *argv[]) - } - } - -- if (use_root_pw == 1 && use_simple_hash == 1) -- use_simple_hash = 0; -- - if (hash_file && use_root_pw) - command |= HELP; - -@@ -2436,22 +2375,18 @@ main (int argc, char *argv[]) - ret = list_keys_in_var ("MokDel", efi_guid_shim); - break; - case IMPORT: -- case IMPORT | SIMPLE_HASH: - ret = issue_mok_request (files, total, ENROLL_MOK, - hash_file, use_root_pw); - break; - case DELETE: -- case DELETE | SIMPLE_HASH: - ret = issue_mok_request (files, total, DELETE_MOK, - hash_file, use_root_pw); - break; - case IMPORT_HASH: -- case IMPORT_HASH | SIMPLE_HASH: - ret = issue_hash_request (hash_str, ENROLL_MOK, - hash_file, use_root_pw); - break; - case DELETE_HASH: -- case DELETE_HASH | SIMPLE_HASH: - ret = issue_hash_request (hash_str, DELETE_MOK, - hash_file, use_root_pw); - break; -@@ -2466,11 +2401,9 @@ main (int argc, char *argv[]) - ret = export_db_keys (db_name); - break; - case PASSWORD: -- case PASSWORD | SIMPLE_HASH: - ret = set_password (hash_file, use_root_pw, 0); - break; - case CLEAR_PASSWORD: -- case CLEAR_PASSWORD | SIMPLE_HASH: - ret = set_password (NULL, 0, 1); - break; - case DISABLE_VALIDATION: -@@ -2486,7 +2419,6 @@ main (int argc, char *argv[]) - ret = test_key (ENROLL_MOK, key_file); - break; - case RESET: -- case RESET | SIMPLE_HASH: - ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw); - break; - case GENERATE_PW_HASH: -@@ -2505,22 +2437,18 @@ main (int argc, char *argv[]) - ret = list_keys_in_var ("MokXDel", efi_guid_shim); - break; - case IMPORT | MOKX: -- case IMPORT | SIMPLE_HASH | MOKX: - ret = issue_mok_request (files, total, ENROLL_BLACKLIST, - hash_file, use_root_pw); - break; - case DELETE | MOKX: -- case DELETE | SIMPLE_HASH | MOKX: - ret = issue_mok_request (files, total, DELETE_BLACKLIST, - hash_file, use_root_pw); - break; - case IMPORT_HASH | MOKX: -- case IMPORT_HASH | SIMPLE_HASH | MOKX: - ret = issue_hash_request (hash_str, ENROLL_BLACKLIST, - hash_file, use_root_pw); - break; - case DELETE_HASH | MOKX: -- case DELETE_HASH | SIMPLE_HASH | MOKX: - ret = issue_hash_request (hash_str, DELETE_BLACKLIST, - hash_file, use_root_pw); - break; -@@ -2531,7 +2459,6 @@ main (int argc, char *argv[]) - ret = revoke_request (DELETE_BLACKLIST); - break; - case RESET | MOKX: -- case RESET | SIMPLE_HASH | MOKX: - ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw); - break; - case TEST_KEY | MOKX: diff --git a/SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch b/SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch new file mode 100644 index 0000000..f1a48f6 --- /dev/null +++ b/SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch @@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 2 Jun 2022 13:00:22 -0400 +Subject: [PATCH] Fix leak of fd in mok_get_variable() + +On success, it was never closed. Refactor the code to use a single +egress path so its closure is clear. + +Signed-off-by: Robbie Harwood +(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a) +--- + src/util.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/src/util.c b/src/util.c +index 6cd0302..f7fc033 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep) + return fd; + + rc = fstat(fd, &sb); +- if (rc < 0) { +-err_close: +- close(fd); +- return rc; +- } ++ if (rc < 0) ++ goto done; + + if (sb.st_size == 0) { + errno = ENOENT; + rc = -1; +- goto err_close; ++ goto done; + } + + bufsz = sb.st_size; + buf = calloc(1, bufsz); +- if (!buf) +- goto err_close; ++ if (!buf) { ++ rc = -1; ++ goto done; ++ } + + while (pos < bufsz) { + ssz = read(fd, &buf[pos], bufsz - pos); +@@ -82,15 +81,18 @@ err_close: + errno == EINTR) + continue; + free(buf); +- goto err_close; ++ rc = -1; ++ goto done; + } + + pos += ssz; + } + *datap = buf; + *data_sizep = pos; +- +- return 0; ++ rc = 0; ++done: ++ close(fd); ++ return rc; + } + + MokListNode* diff --git a/SOURCES/0004-man-remove-simple-hash.patch b/SOURCES/0004-man-remove-simple-hash.patch deleted file mode 100644 index 056ce58..0000000 --- a/SOURCES/0004-man-remove-simple-hash.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Thu, 27 Aug 2020 14:48:08 +0800 -Subject: [PATCH] man: remove "--simple-hash" - -Remove "--simple-hash" from the man page. - -Signed-off-by: Gary Lin ---- - man/mokutil.1 | 19 ++++++------------- - 1 file changed, 6 insertions(+), 13 deletions(-) - -diff --git a/man/mokutil.1 b/man/mokutil.1 -index 25fe8b4..7cee5da 100644 ---- a/man/mokutil.1 -+++ b/man/mokutil.1 -@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] - ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s] | [--mokx | -X]) -+ [--mokx | -X]) - .br - \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] - ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s] | [--mokx |- X]) -+ [--mokx |- X]) - .br - \fBmokutil\fR [--revoke-import] - ([--mokx | -X]) -@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys - \fBmokutil\fR [--export | -x] - .br - \fBmokutil\fR [--password | -p] -- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s]) -+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P]) - .br - \fBmokutil\fR [--clear-password | -c] -- ([--simple-hash | -s]) - .br - \fBmokutil\fR [--disable-validation] - .br -@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--reset] - ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s] | [--mok | -X]) -+ [--mok | -X]) - .br - \fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR] - .br -@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--import-hash \fIhash\fR] - ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s] | [--mokx | -X]) -+ [--mokx | -X]) - .br - \fBmokutil\fR [--delete-hash \fIhash\fR] - ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | -- [--simple-hash | -s] | [--mokx | -X]) -+ [--mokx | -X]) - .br - \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] - .br -@@ -136,11 +134,6 @@ Use the password hash from a specific file - \fB-P, --root-pw\fR - Use the root password hash from /etc/shadow - .TP --\fB-s, --simple-hash\fR --Use the old SHA256 password hash method to hash the password --.br --Note: --root-pw invalidates --simple-hash --.TP - \fB--ignore-db\fR - Tell shim to not use the keys in db to verify EFI images - .TP diff --git a/SOURCES/0005-mokutil-adjust-the-command-bits.patch b/SOURCES/0005-mokutil-adjust-the-command-bits.patch deleted file mode 100644 index 8b7c106..0000000 --- a/SOURCES/0005-mokutil-adjust-the-command-bits.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Thu, 27 Aug 2020 16:10:50 +0800 -Subject: [PATCH] mokutil: adjust the command bits - -Adjust the bits after removing SIMPLE_HASH. - -Signed-off-by: Gary Lin -(cherry picked from commit 25191c38156b90004b783d0265d967dbe8e76a38) ---- - src/mokutil.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index e811266..a9d97f4 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -76,13 +76,13 @@ - #define TEST_KEY (1 << 14) - #define RESET (1 << 15) - #define GENERATE_PW_HASH (1 << 16) --#define IGNORE_DB (1 << 18) --#define USE_DB (1 << 19) --#define MOKX (1 << 20) --#define IMPORT_HASH (1 << 21) --#define DELETE_HASH (1 << 22) --#define VERBOSITY (1 << 23) --#define TIMEOUT (1 << 24) -+#define IGNORE_DB (1 << 17) -+#define USE_DB (1 << 18) -+#define MOKX (1 << 19) -+#define IMPORT_HASH (1 << 20) -+#define DELETE_HASH (1 << 21) -+#define VERBOSITY (1 << 22) -+#define TIMEOUT (1 << 23) - - #define DEFAULT_CRYPT_METHOD SHA512_BASED - #define DEFAULT_SALT_SIZE SHA512_SALT_MAX diff --git a/SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch b/SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch deleted file mode 100644 index e8b0786..0000000 --- a/SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Wed, 17 Mar 2021 14:38:57 +0100 -Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content - -This variable contains the descriptive form of all the components used by -the operating systems that ship signed shim binaries. Along with a minimum -generation number for each component. More information in can be found in -the UEFI Secure Boot Advanced Targeting (SBAT) specification: - - https://github.com/rhboot/shim/blob/main/SBAT.md - -Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8 -encoded strings, the data could just be printed without the need to do any -previous processing. - -Signed-off-by: Javier Martinez Canillas ---- - src/mokutil.c | 33 +++++++++++++++++++++++++++++++++ - man/mokutil.1 | 5 +++++ - 2 files changed, 38 insertions(+) - -diff --git a/src/mokutil.c b/src/mokutil.c -index a9d97f4..dba77c9 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -83,6 +83,7 @@ - #define DELETE_HASH (1 << 21) - #define VERBOSITY (1 << 22) - #define TIMEOUT (1 << 23) -+#define LIST_SBAT (1 << 24) - - #define DEFAULT_CRYPT_METHOD SHA512_BASED - #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -173,6 +174,7 @@ print_help () - printf (" --db\t\t\t\t\tList the keys in db\n"); - printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); - printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); -+ printf (" --sbat\t\t\t\tList the entries in SBAT\n"); - printf ("\n"); - printf ("Supplimentary Options:\n"); - printf (" --hash-file \t\tUse the specific password hash\n"); -@@ -1557,6 +1559,31 @@ error: - return ret; - } - -+static int -+print_var_content (const char *var_name, const efi_guid_t guid) -+{ -+ uint8_t *data = NULL; -+ size_t data_size; -+ uint32_t attributes; -+ int ret; -+ -+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); -+ if (ret < 0) { -+ if (errno == ENOENT) { -+ printf ("%s is empty\n", var_name); -+ return 0; -+ } -+ -+ fprintf (stderr, "Failed to read %s: %m\n", var_name); -+ return -1; -+ } -+ -+ printf ("%s", data); -+ free (data); -+ -+ return ret; -+} -+ - static int - revoke_request (MokRequest req) - { -@@ -2133,6 +2160,7 @@ main (int argc, char *argv[]) - {"kek", no_argument, 0, 0 }, - {"db", no_argument, 0, 0 }, - {"dbx", no_argument, 0, 0 }, -+ {"sbat", no_argument, 0, 0 }, - {"timeout", required_argument, 0, 0 }, - {0, 0, 0, 0} - }; -@@ -2217,6 +2245,8 @@ main (int argc, char *argv[]) - } else { - db_name = DBX; - } -+ } else if (strcmp (option, "sbat") == 0) { -+ command |= LIST_SBAT; - } else if (strcmp (option, "timeout") == 0) { - command |= TIMEOUT; - timeout = strdup (optarg); -@@ -2470,6 +2500,9 @@ main (int argc, char *argv[]) - case TIMEOUT: - ret = set_timeout (timeout); - break; -+ case LIST_SBAT: -+ ret = print_var_content ("SBAT", efi_guid_shim); -+ break; - default: - print_help (); - break; -diff --git a/man/mokutil.1 b/man/mokutil.1 -index 7cee5da..1f82ff1 100644 ---- a/man/mokutil.1 -+++ b/man/mokutil.1 -@@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--dbx] - .br -+\fBmokutil\fR [--sbat] -+.br - - .SH DESCRIPTION - \fBmokutil\fR is a tool to import or delete the machines owner keys -@@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db) - \fB--dbx\fR - List the keys in the secure boot blacklist signature store (dbx) - .TP -+\fB--sbat\fR -+List the entries in the Secure Boot Advanced Targeting store (SBAT) -+.TP diff --git a/SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch b/SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch deleted file mode 100644 index d60453d..0000000 --- a/SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch +++ /dev/null @@ -1,238 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 17 Mar 2021 14:49:21 +0100 -Subject: [PATCH] mokutil: add mok-variables parsing support - -his patch adds support for getting mok variables from -/sys/firmware/efi/mok-variables/$NAME , if they are present, as well as -for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok -variables. - -Signed-off-by: Peter Jones ---- - src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 151 insertions(+), 24 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index dba77c9..9153b10 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -247,6 +247,63 @@ signature_size (const efi_guid_t *hash_type) - return 0; - } - -+static int -+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep) -+{ -+ char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name"; -+ size_t filename_sz = sizeof(filename); -+ int fd, rc; -+ struct stat sb = { 0, }; -+ uint8_t *buf; -+ size_t bufsz, pos = 0; -+ ssize_t ssz; -+ -+ *datap = 0; -+ *data_sizep = 0; -+ -+ snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name); -+ -+ fd = open(filename, O_RDONLY); -+ if (fd < 0) -+ return fd; -+ -+ rc = fstat(fd, &sb); -+ if (rc < 0) { -+err_close: -+ close(fd); -+ return rc; -+ } -+ -+ if (sb.st_size == 0) { -+ errno = ENOENT; -+ rc = -1; -+ goto err_close; -+ } -+ -+ bufsz = sb.st_size; -+ buf = calloc(1, bufsz); -+ if (!buf) -+ goto err_close; -+ -+ while (pos < bufsz) { -+ ssz = read(fd, &buf[pos], bufsz - pos); -+ if (ssz < 0) { -+ if (errno == EAGAIN || -+ errno == EWOULDBLOCK || -+ errno == EINTR) -+ continue; -+ free(buf); -+ goto err_close; -+ } -+ -+ pos += ssz; -+ } -+ *datap = buf; -+ *data_sizep = pos; -+ -+ return 0; -+} -+ - static MokListNode* - build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) - { -@@ -618,25 +675,44 @@ static int - list_keys_in_var (const char *var_name, const efi_guid_t guid) - { - uint8_t *data = NULL; -- size_t data_size; -+ char varname[] = "implausibly-long-mok-variable-name"; -+ size_t data_sz, i, varname_sz = sizeof(varname); - uint32_t attributes; - int ret; - -- ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); -- if (ret < 0) { -- if (errno == ENOENT) { -- printf ("%s is empty\n", var_name); -- return 0; -+ ret = mok_get_variable(var_name, &data, &data_sz); -+ if (ret >= 0) { -+ ret = list_keys (data, data_sz); -+ free(data); -+ return ret; -+ } -+ -+ for (i = 0; i < SIZE_MAX; i++) { -+ if (i == 0) { -+ snprintf(varname, varname_sz, "%s", var_name); -+ } else { -+ snprintf(varname, varname_sz, "%s%zu", var_name, i); - } - -- fprintf (stderr, "Failed to read %s: %m\n", var_name); -- return -1; -+ ret = efi_get_variable (guid, varname, &data, &data_sz, -+ &attributes); -+ if (ret < 0) -+ return 0; -+ -+ ret = list_keys (data, data_sz); -+ free(data); -+ /* -+ * If ret is < 0, the next one will error as well. -+ * If ret is 0, we need to test the next variable. -+ * If it's 1, that's a real answer. -+ */ -+ if (ret < 0) -+ return 0; -+ if (ret > 0) -+ return ret; - } - -- ret = list_keys (data, data_size); -- free (data); -- -- return ret; -+ return 0; - } - - static int -@@ -998,22 +1074,15 @@ is_valid_cert (void *cert, uint32_t cert_size) - } - - static int --is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, -- const efi_guid_t *vendor, const char *db_name) -+is_one_duplicate (const efi_guid_t *type, -+ const void *data, const uint32_t data_size, -+ uint8_t *var_data, size_t var_data_size) - { -- uint8_t *var_data; -- size_t var_data_size; -- uint32_t attributes; - uint32_t node_num; - MokListNode *list; - int ret = 0; - -- if (!data || data_size == 0 || !db_name) -- return 0; -- -- ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, -- &attributes); -- if (ret < 0) -+ if (!data || data_size == 0) - return 0; - - list = build_mok_list (var_data, var_data_size, &node_num); -@@ -1046,11 +1115,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size - done: - if (list) - free (list); -- free (var_data); - - return ret; - } - -+static int -+is_duplicate (const efi_guid_t *type, -+ const void *data, const uint32_t data_size, -+ const efi_guid_t *vendor, const char *db_name) -+{ -+ uint32_t attributes; -+ char varname[] = "implausibly-long-mok-variable-name"; -+ size_t varname_sz = sizeof(varname); -+ int ret = 0; -+ size_t i; -+ -+ if (!strncmp(db_name, "Mok", 3)) { -+ uint8_t *var_data = NULL; -+ size_t var_data_size = 0; -+ ret = mok_get_variable(db_name, &var_data, &var_data_size); -+ if (ret >= 0) { -+ ret = is_one_duplicate(type, data, data_size, -+ var_data, var_data_size); -+ if (ret >= 0) { -+ free (var_data); -+ return ret; -+ } -+ var_data = NULL; -+ var_data_size = 0; -+ } -+ } -+ -+ for (i = 0; i < SIZE_MAX; i++) { -+ uint8_t *var_data = NULL; -+ size_t var_data_size = 0; -+ if (i == 0) { -+ snprintf(varname, varname_sz, "%s", db_name); -+ } else { -+ snprintf(varname, varname_sz, "%s%zu", db_name, i); -+ } -+ -+ ret = efi_get_variable (*vendor, varname, -+ &var_data, &var_data_size, -+ &attributes); -+ if (ret < 0) -+ return 0; -+ -+ ret = is_one_duplicate(type, data, data_size, -+ var_data, var_data_size); -+ free (var_data); -+ /* -+ * If ret is < 0, the next one will error as well. -+ * If ret is 0, we need to test the next variable. -+ * If it's 1, that's a real answer. -+ */ -+ if (ret < 0) -+ return 0; -+ if (ret > 0) -+ return ret; -+ } -+ -+ return 0; -+} -+ - static int - is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, - MokRequest req) diff --git a/SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch b/SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch deleted file mode 100644 index 48b7bcf..0000000 --- a/SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Tue, 25 May 2021 15:22:29 +0200 -Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the - deprecated SHA1_*() - -The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads -to compile errors when building with -Werror=deprecated-declarations, i.e: - -mokutil.c: In function 'print_x509': -mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] - 424 | SHA1_Init (&ctx); - | ^~~~~~~~~ -... - -instead, the EVP_Digest*() functions could be used. Port to them and avoid -these build failures with the latest OpenSSL 3.0 version. - -Signed-off-by: Javier Martinez Canillas ---- - src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 36 insertions(+), 8 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index 9153b10..0fd2dc3 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size) - { - X509 *X509cert; - BIO *cert_bio; -- SHA_CTX ctx; -- uint8_t fingerprint[SHA_DIGEST_LENGTH]; -+ EVP_MD_CTX *ctx; -+ const EVP_MD *md; -+ unsigned int md_len; -+ unsigned char fingerprint[EVP_MAX_MD_SIZE]; - - cert_bio = BIO_new (BIO_s_mem ()); - BIO_write (cert_bio, cert, cert_size); -@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size) - X509cert = d2i_X509_bio (cert_bio, NULL); - if (X509cert == NULL) { - fprintf (stderr, "Invalid X509 certificate\n"); -- return -1; -+ goto cleanup_bio; - } - -- SHA1_Init (&ctx); -- SHA1_Update (&ctx, cert, cert_size); -- SHA1_Final (fingerprint, &ctx); -+ md = EVP_get_digestbyname ("SHA1"); -+ if(md == NULL) { -+ fprintf (stderr, "Failed to get SHA1 digest\n"); -+ goto cleanup_bio; -+ } -+ -+ ctx = EVP_MD_CTX_create (); -+ if (ctx == NULL) { -+ fprintf (stderr, "Failed to create digest context\n"); -+ goto cleanup_bio; -+ } -+ -+ if (!EVP_DigestInit_ex (ctx, md, NULL)) { -+ fprintf (stderr, "Failed to initialize digest context\n"); -+ goto cleanup_ctx; -+ } -+ -+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) { -+ fprintf (stderr, "Failed to hash into the digest context\n"); -+ goto cleanup_ctx; -+ } -+ -+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) { -+ fprintf (stderr, "Failed to get digest value\n"); -+ goto cleanup_ctx; -+ } - - printf ("SHA1 Fingerprint: "); -- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) { -+ for (unsigned int i = 0; i < md_len; i++) { - printf ("%02x", fingerprint[i]); -- if (i < SHA_DIGEST_LENGTH - 1) -+ if (i < md_len - 1) - printf (":"); - } - printf ("\n"); - X509_print_fp (stdout, X509cert); - -+cleanup_ctx: -+ EVP_MD_CTX_destroy (ctx); -+cleanup_bio: - BIO_free (cert_bio); - - return 0; diff --git a/SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch b/SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch deleted file mode 100644 index 1b23819..0000000 --- a/SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch +++ /dev/null @@ -1,191 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Renaud=20M=C3=A9trich?= -Date: Fri, 3 Dec 2021 14:18:31 +0100 -Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases -fallback debugging. - -Signed-off-by: Renaud Métrich -(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e) -(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224) -[rharwood: no sb_check, no util renaming] ---- - src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - data/mokutil | 8 +++++++ - man/mokutil.1 | 10 +++++++++ - 3 files changed, 88 insertions(+) - -diff --git a/src/mokutil.c b/src/mokutil.c -index 0fd2dc3..f9641a1 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -84,6 +84,8 @@ - #define VERBOSITY (1 << 22) - #define TIMEOUT (1 << 23) - #define LIST_SBAT (1 << 24) -+#define FB_VERBOSITY (1 << 25) -+#define FB_NOREBOOT (1 << 26) - - #define DEFAULT_CRYPT_METHOD SHA512_BASED - #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -169,6 +171,8 @@ print_help () - printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); - printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); - printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); -+ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); -+ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); - printf (" --pk\t\t\t\t\tList the keys in PK\n"); - printf (" --kek\t\t\t\t\tList the keys in KEK\n"); - printf (" --db\t\t\t\t\tList the keys in db\n"); -@@ -2240,6 +2244,46 @@ set_verbosity (uint8_t verbosity) - return 0; - } - -+static int -+set_fallback_verbosity (const uint8_t verbosity) -+{ -+ if (verbosity) { -+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE -+ | EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS; -+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", -+ (uint8_t *)&verbosity, sizeof (verbosity), -+ attributes, S_IRUSR | S_IWUSR) < 0) { -+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); -+ return -1; -+ } -+ } else { -+ return test_and_delete_var ("FALLBACK_VERBOSE"); -+ } -+ -+ return 0; -+} -+ -+static int -+set_fallback_noreboot (const uint8_t noreboot) -+{ -+ if (noreboot) { -+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE -+ | EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS; -+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", -+ (uint8_t *)&noreboot, sizeof (noreboot), -+ attributes, S_IRUSR | S_IWUSR) < 0) { -+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); -+ return -1; -+ } -+ } else { -+ return test_and_delete_var ("FB_NO_REBOOT"); -+ } -+ -+ return 0; -+} -+ - static inline int - list_db (DBName db_name) - { -@@ -2275,6 +2319,8 @@ main (int argc, char *argv[]) - unsigned int command = 0; - int use_root_pw = 0; - uint8_t verbosity = 0; -+ uint8_t fb_verbosity = 0; -+ uint8_t fb_noreboot = 0; - DBName db_name = MOK_LIST_RT; - int ret = -1; - -@@ -2311,6 +2357,8 @@ main (int argc, char *argv[]) - {"import-hash", required_argument, 0, 0 }, - {"delete-hash", required_argument, 0, 0 }, - {"set-verbosity", required_argument, 0, 0 }, -+ {"set-fallback-verbosity", required_argument, 0, 0 }, -+ {"set-fallback-noreboot", required_argument, 0, 0 }, - {"pk", no_argument, 0, 0 }, - {"kek", no_argument, 0, 0 }, - {"db", no_argument, 0, 0 }, -@@ -2376,6 +2424,22 @@ main (int argc, char *argv[]) - verbosity = 0; - else - command |= HELP; -+ } else if (strcmp (option, "set-fallback-verbosity") == 0) { -+ command |= FB_VERBOSITY; -+ if (strcmp (optarg, "true") == 0) -+ fb_verbosity = 1; -+ else if (strcmp (optarg, "false") == 0) -+ fb_verbosity = 0; -+ else -+ command |= HELP; -+ } else if (strcmp (option, "set-fallback-noreboot") == 0) { -+ command |= FB_NOREBOOT; -+ if (strcmp (optarg, "true") == 0) -+ fb_noreboot = 1; -+ else if (strcmp (optarg, "false") == 0) -+ fb_noreboot = 0; -+ else -+ command |= HELP; - } else if (strcmp (option, "pk") == 0) { - if (db_name != MOK_LIST_RT) { - command |= HELP; -@@ -2652,6 +2716,12 @@ main (int argc, char *argv[]) - case VERBOSITY: - ret = set_verbosity (verbosity); - break; -+ case FB_VERBOSITY: -+ ret = set_fallback_verbosity (fb_verbosity); -+ break; -+ case FB_NOREBOOT: -+ ret = set_fallback_noreboot (fb_noreboot); -+ break; - case TIMEOUT: - ret = set_timeout (timeout); - break; -diff --git a/data/mokutil b/data/mokutil -index 800b039..af6b6ff 100755 ---- a/data/mokutil -+++ b/data/mokutil -@@ -24,6 +24,14 @@ _mokutil() - COMPREPLY=( $( compgen -W "true false") ) - return 0 - ;; -+ --set-fallback-verbosity) -+ COMPREPLY=( $( compgen -W "true false") ) -+ return 0 -+ ;; -+ --set-fallback-noreboot) -+ COMPREPLY=( $( compgen -W "true false") ) -+ return 0 -+ ;; - --generate-hash|-g) - COMPREPLY=( $( compgen -o nospace -P= -W "") ) - return 0 -diff --git a/man/mokutil.1 b/man/mokutil.1 -index 1f82ff1..a3a73e1 100644 ---- a/man/mokutil.1 -+++ b/man/mokutil.1 -@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] - .br -+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] -+.br -+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] -+.br - \fBmokutil\fR [--pk] - .br - \fBmokutil\fR [--kek] -@@ -156,6 +160,12 @@ this is not the password hash. - \fB--set-verbosity\fR - Set the SHIM_VERBOSE to make shim more or less verbose - .TP -+\fB--set-fallback-verbosity\fR -+Set the FALLBACK_VERBOSE to make fallback more or less verbose -+.TP -+\fB--set-fallback-noreboot\fR -+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system -+.TP - \fB--pk\fR - List the keys in the public Platform Key (PK) - .TP diff --git a/SOURCES/mokutil.patches b/SOURCES/mokutil.patches index 83bc421..c450456 100644 --- a/SOURCES/mokutil.patches +++ b/SOURCES/mokutil.patches @@ -1,9 +1,4 @@ -Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch -Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch -Patch0003: 0003-mokutil-remove-simple-hash.patch -Patch0004: 0004-man-remove-simple-hash.patch -Patch0005: 0005-mokutil-adjust-the-command-bits.patch -Patch0006: 0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch -Patch0007: 0007-mokutil-add-mok-variables-parsing-support.patch -Patch0008: 0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch -Patch0009: 0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch +Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch +Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch +Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch +Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch diff --git a/SPECS/mokutil.spec b/SPECS/mokutil.spec index 1005d19..b61e783 100644 --- a/SPECS/mokutil.spec +++ b/SPECS/mokutil.spec @@ -1,17 +1,24 @@ Name: mokutil -Version: 0.4.0 -Release: 9%{?dist} +Version: 0.6.0 +Release: 4%{?dist} Epoch: 2 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ URL: https://github.com/lcp/mokutil -ExclusiveArch: %{ix86} x86_64 aarch64 -BuildRequires: make -BuildRequires: gcc -BuildRequires: autoconf automake gnu-efi git openssl-devel openssl -BuildRequires: efivar-devel >= 31-1 -Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz +Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: mokutil.patches +ExclusiveArch: %{ix86} x86_64 aarch64 %{arm} + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: efivar-devel >= 31-1 +BuildRequires: gcc +BuildRequires: git +BuildRequires: gnu-efi +BuildRequires: keyutils-libs-devel +BuildRequires: make +BuildRequires: openssl +BuildRequires: openssl-devel Conflicts: shim < 0.8-1%{?dist} Obsoletes: mokutil < 0.2.0 @@ -22,27 +29,17 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK ("Machine's Own Keys") mechanism. %prep -%setup -q -n %{name}-%{version} -git init -git config user.email "%{name}-owner@fedoraproject.org" -git config user.name "Fedora Ninjas" -git add . -git commit -a -q -m "%{version} baseline." -git am %{patches} - 2:0.6.0-4 +- Sync with Fedora at same NVR +- Resolves: #2084621 + +* Wed Jun 01 2022 Peter Jones - 2:0.5.0-3 +- Add support for "mokutil --list-sbat-revocations" and + "mokutil --set-sbat-policy" + Related: CVE-2022-28737 + +* Thu May 05 2022 Robbie Harwood - 2:0.5.0-2 +- Add git to buildrequires +- Resolves: #2081474 + +* Thu May 05 2022 Robbie Harwood - 2:0.5.0-1 +- New upstream version (0.5.0) +- Resolves: #2081474 + * Mon Mar 28 2022 Robbie Harwood - 2:0.4.0-9 - Add ability to change fallback verbose mode - Resolves: #2069296