import CS mokutil-0.7.2-4.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 10:46:03 -04:00
parent d4682a7acd
commit 7613325ed1
8 changed files with 355 additions and 1 deletions

View File

@ -0,0 +1,45 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leonardo Sandoval <lsandova@redhat.com>
Date: Fri, 25 Oct 2024 13:53:05 -0600
Subject: [PATCH] mokutil.c: show help if no args or --help even on unsupported
system
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
src/mokutil.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index cb06be2..2da211d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2156,14 +2156,25 @@ main (int argc, char *argv[])
if (pw_hash_file && use_root_pw)
command |= HELP;
- if (!(command & HELP) && !efi_variables_supported ()) {
- fprintf (stderr, "EFI variables are not supported on this system\n");
- exit (1);
- }
if (db_name != MOK_LIST_RT && !(command & ~MOKX))
command |= LIST_ENROLLED;
+ /* no matter if mokutil is supported (EFI) or not (BIOS) in the system, print
+ the help menu if no command line arguments provided or explicit help
+ requested */
+ if (!command || (command & HELP)) {
+ print_help ();
+ ret = 0;
+ goto out;
+ }
+
+ /* check if mock is supported on the system */
+ if (!efi_variables_supported ()) {
+ fprintf (stderr, "EFI variables are not supported on this system\n");
+ exit (1);
+ }
+
sb_check = !(command & HELP || command & TEST_KEY ||
command & VERBOSITY || command & TIMEOUT ||
command & FB_VERBOSITY || command & FB_NOREBOOT);

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 28 Apr 2025 18:18:00 +0800
Subject: [PATCH] mokutil: fix a typo 'mock'
'mock' is the typo of 'MOK'. Since efi_variables_supported() checks the
EFI variable support of the system, correct the comment to match the
code.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 2da211d..988b060 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2169,7 +2169,7 @@ main (int argc, char *argv[])
goto out;
}
- /* check if mock is supported on the system */
+ /* check if EFI variable is supported on the system */
if (!efi_variables_supported ()) {
fprintf (stderr, "EFI variables are not supported on this system\n");
exit (1);

View File

@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Wed, 29 Jan 2025 17:37:36 +0100
Subject: [PATCH] mokutil: remove unused int_to_b64()
static const char b64t[64] triggers compiler warning
which in turn makes the build fail with
-Werror=unterminated-string-initialization, so removing
this string with the the unused int_to_b64() function
which is the only function using this array.
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
src/password-crypt.c | 9 ---------
src/password-crypt.h | 1 -
2 files changed, 10 deletions(-)
diff --git a/src/password-crypt.c b/src/password-crypt.c
index db69b88..bdbf784 100644
--- a/src/password-crypt.c
+++ b/src/password-crypt.c
@@ -46,9 +46,6 @@
#define SHA256_DEFAULT_ROUNDS 5000
#define SHA512_DEFAULT_ROUNDS 5000
-static const char b64t[64] =
-"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
static const char md5_prefix[] = "$1$";
static const char sha256_prefix[] = "$5$";
@@ -357,12 +354,6 @@ decode_pass (const char *crypt_pass, pw_crypt_t *pw_crypt)
return -1;
}
-char
-int_to_b64 (const int i)
-{
- return b64t[i & 0x3f];
-}
-
int
b64_to_int (const char c)
{
diff --git a/src/password-crypt.h b/src/password-crypt.h
index 214a65b..999e036 100644
--- a/src/password-crypt.h
+++ b/src/password-crypt.h
@@ -68,7 +68,6 @@ uint16_t get_pw_salt_size (const HashMethod method);
int get_pw_hash_size (const HashMethod method);
const char *get_crypt_prefix (const HashMethod method);
int decode_pass (const char *crypt_pass, pw_crypt_t *pw_crypt);
-char int_to_b64 (const int i);
int b64_to_int (const char c);
#endif /* __PASSWORD_CRYPT_H__ */

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Thu, 24 Apr 2025 12:49:29 -0600
Subject: [PATCH] mokutil.c: on --test-key, return non-zero if test key is not
enrolled
Aligns with the same behaviour as other common UNIX tools,
e.g. 'command -v program' returns 0 if program exists, non-zero if not
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 988b060..e40579b 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1567,7 +1567,7 @@ test_key (const MokRequest req, const char *key_file)
if (is_valid_request (&efi_guid_x509_cert, key, read_size, req)) {
printf ("%s is not enrolled\n", key_file);
- ret = 0;
+ ret = 1;
} else {
print_skip_message (key_file, key, read_size, req);
ret = 1;

View File

@ -0,0 +1,138 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Fri, 25 Apr 2025 13:07:10 -0600
Subject: [PATCH] mokutil: introduce --is-sb-enabled parameter
The result would be 0 if SB is enable, 1 otherwise (or -1 in case of
error). This is a different outcome when using --sb-state, where it
returns 0 no matter the SB status (or -1 in case of error).
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
man/mokutil.1 | 5 +++++
src/mokutil.c | 30 ++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index ccb285c..6b30610 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -40,6 +40,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--sb-state]
.br
+\fBmokutil\fR [--is-sb-enabled]
+.br
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
.br
@@ -133,6 +135,9 @@ Enable the validation process in shim
\fB--sb-state\fR
Show SecureBoot State
.TP
+\fB--is-sb-enabled\fR
+Indicates if SecureBoot is enabled
+.TP
\fB-t, --test-key\fR
Test if the key is enrolled or not
.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index e40579b..918ca06 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -89,6 +89,7 @@
#define UNTRUST_MOK (1 << 28)
#define SET_SBAT (1 << 29)
#define SET_SSP (1 << 30)
+#define IS_SB_ENABLED (1 << 31)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -129,6 +130,7 @@ print_help ()
printf (" --disable-validation\t\t\tDisable signature validation\n");
printf (" --enable-validation\t\t\tEnable signature validation\n");
printf (" --sb-state\t\t\t\tShow SecureBoot State\n");
+ printf (" --is-sb-enabled\t\t\tIndicates if SecureBoot is enabled or not\n");
printf (" --test-key, -t <der file>\t\tTest if the key is enrolled or not\n");
printf (" --reset\t\t\t\tReset MOK list\n");
printf (" --generate-hash[=password], -g\tGenerate the password hash\n");
@@ -1400,7 +1402,7 @@ enable_validation(void)
}
static int
-sb_state ()
+sb_state_internal ()
{
uint8_t *data = NULL;
size_t data_size;
@@ -1408,6 +1410,7 @@ sb_state ()
int32_t secureboot = -1;
int32_t setupmode = -1;
int32_t moksbstate = -1;
+ int ret = 0;
if (efi_get_variable (efi_guid_global, "SecureBoot", &data, &data_size,
&attributes) < 0) {
@@ -1453,17 +1456,34 @@ sb_state ()
if (secureboot == 1 && setupmode == 0) {
printf ("SecureBoot enabled\n");
+ ret = 0;
if (moksbstate == 1)
printf ("SecureBoot validation is disabled in shim\n");
} else if (secureboot == 0 || setupmode == 1) {
printf ("SecureBoot disabled\n");
+ ret = 1;
if (setupmode == 1)
printf ("Platform is in Setup Mode\n");
} else {
printf ("Cannot determine secure boot state.\n");
}
- return 0;
+ return ret;
+}
+
+static int
+sb_state ()
+{
+ int ret = sb_state_internal ();
+
+ /* in this case, ignore the ret value except on failure */
+ return (ret < 0)? ret: 0;
+}
+
+static int
+is_sb_enabled ()
+{
+ return sb_state_internal ();
}
static inline int
@@ -1855,6 +1875,7 @@ main (int argc, char *argv[])
{"disable-validation", no_argument, 0, 0 },
{"enable-validation", no_argument, 0, 0 },
{"sb-state", no_argument, 0, 0 },
+ {"is-sb-enabled", no_argument, 0, 0 },
{"test-key", required_argument, 0, 't'},
{"reset", no_argument, 0, 0 },
{"hash-file", required_argument, 0, 'f'},
@@ -1908,6 +1929,8 @@ main (int argc, char *argv[])
command |= ENABLE_VALIDATION;
} else if (strcmp (option, "sb-state") == 0) {
command |= SB_STATE;
+ } else if (strcmp (option, "is-sb-enabled") == 0) {
+ command |= IS_SB_ENABLED;
} else if (strcmp (option, "reset") == 0) {
command |= RESET;
} else if (strcmp (option, "ignore-db") == 0) {
@@ -2258,6 +2281,9 @@ main (int argc, char *argv[])
case SB_STATE:
ret = sb_state ();
break;
+ case IS_SB_ENABLED:
+ ret = is_sb_enabled ();
+ break;
case TEST_KEY:
ret = test_key (ENROLL_MOK, key_file);
break;

View File

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Fri, 27 Jun 2025 17:28:58 -0600
Subject: [PATCH] return zero in case --test-key is enrolled
Otherwise it returns non-zero even if key is enrolled, indicating a
negative result.
With this change, the --test-key return code would be following
[root@localhost ~]# mokutil --test-key sb_cert.cer
sb_cert.cer is already enrolled
[root@localhost ~]# echo $?
0
instead of
[root@localhost ~]# mokutil --test-key sb_cert.cer
sb_cert.cer is already enrolled
[root@localhost ~]# echo $?
1
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 918ca06..368524b 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1590,7 +1590,7 @@ test_key (const MokRequest req, const char *key_file)
ret = 1;
} else {
print_skip_message (key_file, key, read_size, req);
- ret = 1;
+ ret = 0;
}
error:

View File

@ -0,0 +1,6 @@
Patch0001: 0001-mokutil.c-show-help-if-no-args-or-help-even-on-unsup.patch
Patch0002: 0002-mokutil-fix-a-typo-mock.patch
Patch0003: 0003-mokutil-remove-unused-int_to_b64.patch
Patch0004: 0004-mokutil.c-on-test-key-return-non-zero-if-test-key-is.patch
Patch0005: 0005-mokutil-introduce-is-sb-enabled-parameter.patch
Patch0006: 0006-return-zero-in-case-test-key-is-enrolled.patch

View File

@ -1,6 +1,6 @@
Name: mokutil
Version: 0.7.2
Release: 1%{?dist}
Release: 4%{?dist}
Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
@ -47,6 +47,21 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Tue Dec 09 2025 Leo Sandoval <lsandova@redhat.com> - 0.7.2-4
- Bump release
- Resolves: #RHEL-90837
* Fri Jun 27 2025 Leo Sandoval <lsandova@redhat.com> - 0.7.2-3
- Return zero in case --test-key is enrolled
- Resolves: #RHEL-90837
* Mon May 12 2025 Leo Sandoval <lsandova@redhat.com> - 0.7.2-2
- Rebase several patches from upstream which:
- Introduce --is-sb-enabled parameter and better return codes
- Remove unused int_to_b64()
- Show help on unsupported systems
- Resolves: #RHEL-90837
* Mon Apr 28 2025 Leo Sandoval <lsandova@redhat.com> - 0.7.2-1
- Bump version to 0.7.2 upstream tag
- Resolves: #RHEL-88741