From a8adf035dd4c47f832b0e02a12d1176771d534b3 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Mon, 28 Mar 2022 19:46:40 +0000
Subject: [PATCH] Add ability to change fallback verbose mode
Signed-off-by: Robbie Harwood
---
...etting-fallback-verbosity-and-norebo.patch | 199 ++++++++++++++++++
mokutil.patches | 1 +
mokutil.spec | 8 +-
3 files changed, 207 insertions(+), 1 deletion(-)
create mode 100644 0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
create mode 100644 mokutil.patches
diff --git a/0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch b/0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
new file mode 100644
index 0000000..a43a2c1
--- /dev/null
+++ b/0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
@@ -0,0 +1,199 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Fri, 3 Dec 2021 14:18:31 +0100
+Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
+fallback debugging.
+
+Signed-off-by: Renaud Métrich
+(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
+---
+ src/mokutil.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ data/mokutil | 8 +++++++
+ man/mokutil.1 | 10 ++++++++
+ 3 files changed, 90 insertions(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 787b85e..e1bd0e3 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -83,6 +83,8 @@
+ #define VERBOSITY (1 << 22)
+ #define TIMEOUT (1 << 23)
+ #define LIST_SBAT (1 << 24)
++#define FB_VERBOSITY (1 << 25)
++#define FB_NOREBOOT (1 << 26)
+
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
+@@ -127,6 +129,8 @@ print_help ()
+ printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n");
+ printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n");
+ printf (" --set-verbosity \t\tSet the verbosity bit for shim\n");
++ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n");
++ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n");
+ printf (" --pk\t\t\t\t\tList the keys in PK\n");
+ printf (" --kek\t\t\t\t\tList the keys in KEK\n");
+ printf (" --db\t\t\t\t\tList the keys in db\n");
+@@ -1672,6 +1676,46 @@ set_verbosity (const uint8_t verbosity)
+ return 0;
+ }
+
++static int
++set_fallback_verbosity (const uint8_t verbosity)
++{
++ if (verbosity) {
++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_RUNTIME_ACCESS;
++ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
++ (uint8_t *)&verbosity, sizeof (verbosity),
++ attributes, S_IRUSR | S_IWUSR) < 0) {
++ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
++ return -1;
++ }
++ } else {
++ return test_and_delete_mok_var ("FALLBACK_VERBOSE");
++ }
++
++ return 0;
++}
++
++static int
++set_fallback_noreboot (const uint8_t noreboot)
++{
++ if (noreboot) {
++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_RUNTIME_ACCESS;
++ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
++ (uint8_t *)&noreboot, sizeof (noreboot),
++ attributes, S_IRUSR | S_IWUSR) < 0) {
++ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
++ return -1;
++ }
++ } else {
++ return test_and_delete_mok_var ("FB_NO_REBOOT");
++ }
++
++ return 0;
++}
++
+ static inline int
+ list_db (const DBName db_name)
+ {
+@@ -1707,6 +1751,8 @@ main (int argc, char *argv[])
+ unsigned int command = 0;
+ int use_root_pw = 0;
+ uint8_t verbosity = 0;
++ uint8_t fb_verbosity = 0;
++ uint8_t fb_noreboot = 0;
+ DBName db_name = MOK_LIST_RT;
+ int ret = -1;
+ int sb_check;
+@@ -1747,6 +1793,8 @@ main (int argc, char *argv[])
+ {"import-hash", required_argument, 0, 0 },
+ {"delete-hash", required_argument, 0, 0 },
+ {"set-verbosity", required_argument, 0, 0 },
++ {"set-fallback-verbosity", required_argument, 0, 0 },
++ {"set-fallback-noreboot", required_argument, 0, 0 },
+ {"pk", no_argument, 0, 0 },
+ {"kek", no_argument, 0, 0 },
+ {"db", no_argument, 0, 0 },
+@@ -1815,6 +1863,22 @@ main (int argc, char *argv[])
+ verbosity = 0;
+ else
+ command |= HELP;
++ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
++ command |= FB_VERBOSITY;
++ if (strcmp (optarg, "true") == 0)
++ fb_verbosity = 1;
++ else if (strcmp (optarg, "false") == 0)
++ fb_verbosity = 0;
++ else
++ command |= HELP;
++ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
++ command |= FB_NOREBOOT;
++ if (strcmp (optarg, "true") == 0)
++ fb_noreboot = 1;
++ else if (strcmp (optarg, "false") == 0)
++ fb_noreboot = 0;
++ else
++ command |= HELP;
+ } else if (strcmp (option, "pk") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+@@ -1978,7 +2042,8 @@ main (int argc, char *argv[])
+ command |= LIST_ENROLLED;
+
+ sb_check = !(command & HELP || command & TEST_KEY ||
+- command & VERBOSITY || command & TIMEOUT);
++ command & VERBOSITY || command & TIMEOUT ||
++ command & FB_VERBOSITY || command & FB_NOREBOOT);
+ if (sb_check) {
+ /* Check whether the machine supports Secure Boot or not */
+ int rc;
+@@ -2100,6 +2165,12 @@ main (int argc, char *argv[])
+ case VERBOSITY:
+ ret = set_verbosity (verbosity);
+ break;
++ case FB_VERBOSITY:
++ ret = set_fallback_verbosity (fb_verbosity);
++ break;
++ case FB_NOREBOOT:
++ ret = set_fallback_noreboot (fb_noreboot);
++ break;
+ case TIMEOUT:
+ ret = set_timeout (timeout);
+ break;
+diff --git a/data/mokutil b/data/mokutil
+index cf50606..b6ee859 100755
+--- a/data/mokutil
++++ b/data/mokutil
+@@ -24,6 +24,14 @@ _mokutil()
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
++ --set-fallback-verbosity)
++ COMPREPLY=( $( compgen -W "true false") )
++ return 0
++ ;;
++ --set-fallback-noreboot)
++ COMPREPLY=( $( compgen -W "true false") )
++ return 0
++ ;;
+ --generate-hash|-g)
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ return 0
+diff --git a/man/mokutil.1 b/man/mokutil.1
+index 11804af..2ea081f 100644
+--- a/man/mokutil.1
++++ b/man/mokutil.1
+@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys
+ .br
+ \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
+ .br
++\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
++.br
++\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
++.br
+ \fBmokutil\fR [--pk]
+ .br
+ \fBmokutil\fR [--kek]
+@@ -158,6 +162,12 @@ this is not the password hash.
+ \fB--set-verbosity\fR + Set the SHIM_VERBOSE to make shim more or less verbose + .TP ++\fB--set-fallback-verbosity\fR ++Set the FALLBACK_VERBOSE to make fallback more or less verbose ++.TP ++\fB--set-fallback-noreboot\fR ++Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system ++.TP + \fB--pk\fR + List the keys in the public Platform Key (PK) + .TP diff --git a/mokutil.patches b/mokutil.patches new file mode 100644 index 0000000..042bb98 --- /dev/null +++ b/mokutil.patches @@ -0,0 +1 @@ +Patch0001: 0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch diff --git a/mokutil.spec b/mokutil.spec index a1c31b6..6aca90e 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -1,11 +1,12 @@ Name: mokutil Version: 0.5.0 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ URL: https://github.com/lcp/mokutil Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz +Source1: mokutil.patches ExclusiveArch: %{ix86} x86_64 aarch64 %{arm} BuildRequires: autoconf @@ -20,6 +21,8 @@ BuildRequires: openssl-devel Conflicts: shim < 0.8-1%{?dist} Obsoletes: mokutil < 0.2.0 +%include %{SOURCE1} + %description mokutil provides a tool to manage keys for Secure Boot through the MoK ("Machine's Own Keys") mechanism. @@ -43,6 +46,9 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK %{_datadir}/bash-completion/completions/mokutil %changelog +* Mon Mar 28 2022 Robbie Harwood - 2:0.5.0-3 +- Add ability to change fallback verbose mode + * Thu Jan 20 2022 Fedora Release Engineering - 2:0.5.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
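Review bot: `set_fallback_verbosity` and `set_fallback_noreboot` (the src/mokutil.c hunk at -1672 inside the added patch file) are the same body twice, differing only in the variable name, so the attribute set and the delete-on-false path now have to be kept in sync by hand. One static helper that takes the name would hold that logic once, and it is the natural place for a comment stating that the variable is written non-volatile under the shim GUID and that `false` deletes it rather than storing 0, which the new man page entries do not say. Passing a local copy to `efi_set_variable` also removes the `(uint8_t *)&verbosity` cast that drops `const` from the parameter. The sketch assumes `test_and_delete_mok_var` accepts a `const char *`; `set_verbosity`, which looks like the model for both functions, lies outside the hunk and is left alone.

```c
/* Set (value != 0) or delete (value == 0) a one-byte variable under the
 * shim GUID. The variable is non-volatile: it persists across boots until
 * it is deleted by passing 0. */
static int
set_shim_flag_var (const char *name, const uint8_t value)
{
	uint8_t data = value;
	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
			      | EFI_VARIABLE_BOOTSERVICE_ACCESS
			      | EFI_VARIABLE_RUNTIME_ACCESS;

	if (!value)
		return test_and_delete_mok_var (name);

	if (efi_set_variable (efi_guid_shim, name, &data, sizeof (data),
			      attributes, S_IRUSR | S_IWUSR) < 0) {
		fprintf (stderr, "Failed to set %s\n", name);
		return -1;
	}

	return 0;
}

static int
set_fallback_verbosity (const uint8_t verbosity)
{
	return set_shim_flag_var ("FALLBACK_VERBOSE", verbosity);
}

static int
set_fallback_noreboot (const uint8_t noreboot)
{
	return set_shim_flag_var ("FB_NO_REBOOT", noreboot);
}
```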