From 9bafe1e2e1220c685fed1d173d5ed5f1f251e086 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 8 Nov 2022 02:01:28 -0500 Subject: [PATCH] import mokutil-0.3.0-12.el8 --- .../0013-SBAT-revocation-update-support.patch | 211 ------------------ ...etting-fallback-verbosity-and-norebo.patch | 193 ++++++++++++++++ SOURCES/mokutil.patches | 2 +- SPECS/mokutil.spec | 8 +- 4 files changed, 198 insertions(+), 216 deletions(-) delete mode 100644 SOURCES/0013-SBAT-revocation-update-support.patch create mode 100644 SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch diff --git a/SOURCES/0013-SBAT-revocation-update-support.patch b/SOURCES/0013-SBAT-revocation-update-support.patch deleted file mode 100644 index 91636f3..0000000 --- a/SOURCES/0013-SBAT-revocation-update-support.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jan Setje-Eilers -Date: Thu, 21 Apr 2022 17:28:07 -0700 -Subject: [PATCH] SBAT revocation update support - -Control how shim will apply SBAT revocations: - - mokutil --set-sbat-policy latest - - applies the latest SBAT revocations - (default behavior) - - mokutil --set-sbat-policy previous - - applies previous SBAT revocations to - allow falling back to an older release - - In both of the above cases shim will only apply SBAT revocations that -are newer than the ones currently installed. - - mokutil --set-sbat-policy delete - - resets SBAT revocations only if Secure - Boot is disabled. This setting does not - persist. - -Signed-off-by: Jan Setje-Eilers -(cherry picked from commit 2122b5e4323137509bc38615e269cc352c971815) -[rharwood: renumber, options not added yet] -Signed-off-by: Robbie Harwood ---- - src/mokutil.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - man/mokutil.1 | 14 ++++++++++++ - 2 files changed, 86 insertions(+) - -diff --git a/src/mokutil.c b/src/mokutil.c -index 838599c..0327275 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -83,6 +83,8 @@ - #define IMPORT_HASH (1 << 21) - #define DELETE_HASH (1 << 22) - #define VERBOSITY (1 << 23) -+#define LIST_SBAT (1 << 27) -+#define SET_SBAT (1 << 28) - - #define DEFAULT_CRYPT_METHOD SHA512_BASED - #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -152,10 +154,12 @@ print_help () - printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); - printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); - printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); -+ printf (" --set-sbat-policy \t\tApply Latest, Previous, or Blank SBAT revocations\n"); - printf (" --pk\t\t\t\t\tList the keys in PK\n"); - printf (" --kek\t\t\t\t\tList the keys in KEK\n"); - printf (" --db\t\t\t\t\tList the keys in db\n"); - printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); -+ printf (" 
--list-sbat-revocations\t\t\t\tList the entries in SBAT\n"); - printf ("\n"); - printf ("Supplimentary Options:\n"); - printf (" --hash-file \t\tUse the specific password hash\n"); -@@ -2115,6 +2119,31 @@ generate_pw_hash (const char *input_pw) - return 0; - } - -+static int -+print_var_content (const char *var_name, const efi_guid_t guid) -+{ -+ uint8_t *data = NULL; -+ size_t data_size; -+ uint32_t attributes; -+ int ret; -+ -+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); -+ if (ret < 0) { -+ if (errno == ENOENT) { -+ printf ("%s is empty\n", var_name); -+ return 0; -+ } -+ -+ fprintf (stderr, "Failed to read %s: %m\n", var_name); -+ return -1; -+ } -+ -+ printf ("%s", data); -+ free (data); -+ -+ return ret; -+} -+ - static int - set_verbosity (uint8_t verbosity) - { -@@ -2156,6 +2185,26 @@ list_db (DBName db_name) - return -1; - } - -+static int -+manage_sbat (const uint8_t sbat_policy) -+{ -+ if (sbat_policy) { -+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE -+ | EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS; -+ if (efi_set_variable (efi_guid_shim, "SbatPolicy", -+ (uint8_t *)&sbat_policy, -+ sizeof (sbat_policy), -+ attributes, S_IRUSR | S_IWUSR) < 0) { -+ fprintf (stderr, "Failed to set SbatPolicy\n"); -+ return -1; -+ } -+ } else { -+ return test_and_delete_var ("SbatPolicy"); -+ } -+ return 0; -+} -+ - int - main (int argc, char *argv[]) - { -@@ -2169,6 +2218,7 @@ main (int argc, char *argv[]) - unsigned int command = 0; - int use_root_pw = 0; - uint8_t verbosity = 0; -+ uint8_t sbat_policy = 0; - DBName db_name = MOK_LIST_RT; - int ret = -1; - -@@ -2207,10 +2257,12 @@ main (int argc, char *argv[]) - {"import-hash", required_argument, 0, 0 }, - {"delete-hash", required_argument, 0, 0 }, - {"set-verbosity", required_argument, 0, 0 }, -+ {"set-sbat-policy", required_argument, 0, 0 }, - {"pk", no_argument, 0, 0 }, - {"kek", no_argument, 0, 0 }, - {"db", no_argument, 0, 0 }, - {"dbx", no_argument, 0, 0 }, -+ 
{"list-sbat-revocations", no_argument, 0, 0 }, - {0, 0, 0, 0} - }; - -@@ -2270,6 +2322,16 @@ main (int argc, char *argv[]) - verbosity = 0; - else - command |= HELP; -+ } else if (strcmp (option, "set-sbat-policy") == 0) { -+ command |= SET_SBAT; -+ if (strcmp (optarg, "latest") == 0) -+ sbat_policy = 1; -+ else if (strcmp (optarg, "previous") == 0) -+ sbat_policy = 2; -+ else if (strcmp (optarg, "delete") == 0) -+ sbat_policy = 3; -+ else -+ command |= HELP; - } else if (strcmp (option, "pk") == 0) { - if (db_name != MOK_LIST_RT) { - command |= HELP; -@@ -2298,6 +2360,10 @@ main (int argc, char *argv[]) - command |= LIST_ENROLLED; - db_name = DBX; - } -+ } else if (strcmp (option, "list-sbat-revocations") == 0) { -+ command |= LIST_SBAT; -+ } else if (strcmp (option, "sbat") == 0) { -+ command |= LIST_SBAT; - } - - break; -@@ -2557,6 +2623,12 @@ main (int argc, char *argv[]) - case VERBOSITY: - ret = set_verbosity (verbosity); - break; -+ case LIST_SBAT: -+ ret = print_var_content ("SbatLevelRT", efi_guid_shim); -+ break; -+ case SET_SBAT: -+ ret = manage_sbat(sbat_policy); -+ break; - default: - print_help (); - break; -diff --git a/man/mokutil.1 b/man/mokutil.1 -index 25fe8b4..f5a0ea3 100644 ---- a/man/mokutil.1 -+++ b/man/mokutil.1 -@@ -73,6 +73,9 @@ mokutil \- utility to manipulate machine owner keys - .br - \fBmokutil\fR [--dbx] - .br -+\fBmokutil\fR [--list-sbat-revocations] -+.br -+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)] - - .SH DESCRIPTION - \fBmokutil\fR is a tool to import or delete the machines owner keys -@@ -173,3 +176,14 @@ List the keys in the secure boot signature store (db) - \fB--dbx\fR - List the keys in the secure boot blacklist signature store (dbx) - .TP -+\fB--list-sbat-revocations\fR -+List the entries in the Secure Boot Advanced Targeting store (SBAT) -+.TP -+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR -+Set the SbatPolicy UEFI Variable to have shim apply either the latest 
-+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then -+delete will reset the SBAT revocations to an empty revocation list. -+While latest and previous are persistent configuration, delete will be -+cleared by shim on the next boot whether or not it succeeds. The default -+behavior is for shim to apply the previous revocations. -+.TP diff --git a/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch b/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch new file mode 100644 index 0000000..3d94670 --- /dev/null +++ b/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch 
@@ -0,0 +1,193 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Fri, 3 Dec 2021 14:18:31 +0100 +Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases +fallback debugging. + +Signed-off-by: Renaud Métrich +(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e) +(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224) +[rharwood: no sb_check, no util renaming] +(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f) +[rharwood: flags are sparse now] +--- + src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + data/mokutil | 8 +++++++ + man/mokutil.1 | 10 +++++++++ + 3 files changed, 88 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 838599c..1cec4e9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -83,6 +83,8 @@ + #define IMPORT_HASH (1 << 21) + #define DELETE_HASH (1 << 22) + #define VERBOSITY (1 << 23) ++#define FB_VERBOSITY (1 << 25) ++#define FB_NOREBOOT (1 << 26) + + #define DEFAULT_CRYPT_METHOD SHA512_BASED + #define DEFAULT_SALT_SIZE SHA512_SALT_MAX +@@ -152,6 +154,8 @@ print_help () + printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); + printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); + printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); ++ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); ++ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); + printf (" --pk\t\t\t\t\tList the keys in PK\n"); + printf (" --kek\t\t\t\t\tList the keys in KEK\n"); + printf (" --db\t\t\t\t\tList the keys in db\n"); +@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity) + return 0; + } + ++static int 
++set_fallback_verbosity (const uint8_t verbosity) ++{ ++ if (verbosity) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", ++ (uint8_t *)&verbosity, sizeof (verbosity), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_var ("FALLBACK_VERBOSE"); ++ } ++ ++ return 0; ++} ++ ++static int ++set_fallback_noreboot (const uint8_t noreboot) ++{ ++ if (noreboot) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", ++ (uint8_t *)&noreboot, sizeof (noreboot), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_var ("FB_NO_REBOOT"); ++ } ++ ++ return 0; ++} ++ + static inline int + list_db (DBName db_name) + { +@@ -2169,6 +2213,8 @@ main (int argc, char *argv[]) + unsigned int command = 0; + int use_root_pw = 0; + uint8_t verbosity = 0; ++ uint8_t fb_verbosity = 0; ++ uint8_t fb_noreboot = 0; + DBName db_name = MOK_LIST_RT; + int ret = -1; + +@@ -2207,6 +2253,8 @@ main (int argc, char *argv[]) + {"import-hash", required_argument, 0, 0 }, + {"delete-hash", required_argument, 0, 0 }, + {"set-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-noreboot", required_argument, 0, 0 }, + {"pk", no_argument, 0, 0 }, + {"kek", no_argument, 0, 0 }, + {"db", no_argument, 0, 0 }, +@@ -2270,6 +2318,22 @@ main (int argc, char *argv[]) + verbosity = 0; + else + command |= HELP; ++ } else if (strcmp (option, "set-fallback-verbosity") == 0) { ++ command |= FB_VERBOSITY; ++ if (strcmp (optarg, "true") == 0) ++ fb_verbosity = 1; ++ else if (strcmp (optarg, "false") == 0) ++ 
fb_verbosity = 0; ++ else ++ command |= HELP; ++ } else if (strcmp (option, "set-fallback-noreboot") == 0) { ++ command |= FB_NOREBOOT; ++ if (strcmp (optarg, "true") == 0) ++ fb_noreboot = 1; ++ else if (strcmp (optarg, "false") == 0) ++ fb_noreboot = 0; ++ else ++ command |= HELP; + } else if (strcmp (option, "pk") == 0) { + if (db_name != MOK_LIST_RT) { + command |= HELP; +@@ -2557,6 +2621,12 @@ main (int argc, char *argv[]) + case VERBOSITY: + ret = set_verbosity (verbosity); + break; ++ case FB_VERBOSITY: ++ ret = set_fallback_verbosity (fb_verbosity); ++ break; ++ case FB_NOREBOOT: ++ ret = set_fallback_noreboot (fb_noreboot); ++ break; + default: + print_help (); + break; +diff --git a/data/mokutil b/data/mokutil +index 800b039..af6b6ff 100755 +--- a/data/mokutil ++++ b/data/mokutil +@@ -24,6 +24,14 @@ _mokutil() + COMPREPLY=( $( compgen -W "true false") ) + return 0 + ;; ++ --set-fallback-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --set-fallback-noreboot) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; + --generate-hash|-g) + COMPREPLY=( $( compgen -o nospace -P= -W "") ) + return 0 +diff --git a/man/mokutil.1 b/man/mokutil.1 +index 25fe8b4..30dcfb2 100644 +--- a/man/mokutil.1 ++++ b/man/mokutil.1 +@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] + .br ++\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] ++.br ++\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] ++.br + \fBmokutil\fR [--pk] + .br + \fBmokutil\fR [--kek] +@@ -161,6 +165,12 @@ this is not the password hash. 
+ \fB--set-verbosity\fR + Set the SHIM_VERBOSE to make shim more or less verbose + .TP ++\fB--set-fallback-verbosity\fR ++Set the FALLBACK_VERBOSE to make fallback more or less verbose ++.TP ++\fB--set-fallback-noreboot\fR ++Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system ++.TP + \fB--pk\fR + List the keys in the public Platform Key (PK) + .TP diff --git a/SOURCES/mokutil.patches b/SOURCES/mokutil.patches index 4274a69..011b06c 100644 --- a/SOURCES/mokutil.patches +++ b/SOURCES/mokutil.patches @@ -10,4 +10,4 @@ Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch Patch0012: 0012-initial-mok-variables-code.patch -Patch0013: 0013-SBAT-revocation-update-support.patch +Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch diff --git a/SPECS/mokutil.spec b/SPECS/mokutil.spec index cf84baa..a0b87c9 100644 --- a/SPECS/mokutil.spec +++ b/SPECS/mokutil.spec @@ -1,6 +1,6 @@ Name: mokutil Version: 0.3.0 -Release: 11%{?dist}.1 +Release: 12%{?dist} Epoch: 1 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ @@ -48,9 +48,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog -* Wed Jun 01 2022 Robbie Harwood - 0.3.0-11.el8_6.1 -- Support listing sbat revocations and setting sbat policy -- Resolves: CVE-2022-28737 +* Mon Mar 28 2022 Robbie Harwood - 1:0.3.0-12 +- Add ability to set fallback verbose mode +- Resolves: #2030704 * Tue Jan 05 2021 Javier Martinez Canillas - 0.3.0-11 - Bump NVR for brew to build the package
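Review bot: The failure branches in the new `set_fallback_verbosity` and `set_fallback_noreboot` print `Failed to set FALLBACK_VERBOSE` / `Failed to set FB_NO_REBOOT` and discard errno, so a caller running unprivileged, on a read-only efivarfs, or against an immutable variable file gets no reason for the failure; include it, e.g. `fprintf (stderr, "Failed to set FALLBACK_VERBOSE: %m\n");` (glibc `%m`, or `strerror (errno)` if portability matters). The two setters are otherwise line-for-line copies that differ only in the variable name, so the fix is best made once in a shared helper that both wrap, as below. Separately, the backport trailer says upstream's sb_check was dropped; I cannot tell from this patch what that check gated, but if it conditioned the write on Secure Boot state, the man page entries for the two options should say they take effect regardless of it. The `(uint8_t *)&value` cast of a `const` argument is carried over from the original and is only safe if `efi_set_variable` never writes through its data pointer — presumably true for libefivar, worth confirming against the header in use.
```c
/* Set (value != 0) or delete (value == 0) a one-byte flag variable in the
 * shim GUID namespace.  Returns 0 on success, -1 on failure after printing
 * the variable name and the errno reason to stderr. */
static int
set_shim_flag (const char *name, const uint8_t value)
{
	if (!value)
		return test_and_delete_var (name);

	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
			      | EFI_VARIABLE_BOOTSERVICE_ACCESS
			      | EFI_VARIABLE_RUNTIME_ACCESS;
	if (efi_set_variable (efi_guid_shim, name, (uint8_t *)&value,
			      sizeof (value), attributes,
			      S_IRUSR | S_IWUSR) < 0) {
		fprintf (stderr, "Failed to set %s: %m\n", name);
		return -1;
	}
	return 0;
}

static int
set_fallback_verbosity (const uint8_t verbosity)
{
	return set_shim_flag ("FALLBACK_VERBOSE", verbosity);
}

static int
set_fallback_noreboot (const uint8_t noreboot)
{
	return set_shim_flag ("FB_NO_REBOOT", noreboot);
}
/* … unchanged: option table, argument parsing, main() dispatch, completion, man page … */
```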
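Review bot: Replacing `Patch0013: 0013-SBAT-revocation-update-support.patch` with the fallback-verbosity patch, rather than adding the new patch as a further Patch00NN, means this build no longer carries `--set-sbat-policy` and `--list-sbat-revocations`, which the displaced changelog entry for 0.3.0-11.el8_6.1 tied to CVE-2022-28737. The new changelog entry is dated Mar 28 2022, earlier than the Jun 01 2022 entry it removes, so this looks like a -12 branch being imported over a later z-stream fix rather than an intentional drop; worth confirming that the SBAT support is re-applied alongside this patch before the build ships. Whether the shim shipped with this release expects mokutil to manage SbatPolicy is not visible from this page.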