diff --git a/0002-SBAT-revocation-update-support.patch b/0002-SBAT-revocation-update-support.patch
new file mode 100644
index 0000000..5dfff8d
--- /dev/null
+++ b/0002-SBAT-revocation-update-support.patch
@@ -0,0 +1,185 @@
+From 405b34cdd4b006f9d6496f201cb058eb8d3ac376 Mon Sep 17 00:00:00 2001
+From: Jan Setje-Eilers
+Date: Thu, 21 Apr 2022 17:28:07 -0700
+Subject: [PATCH] SBAT revocation update support
+
+Control how shim will apply SBAT revocations:
+
+ mokutil --set-sbat-policy latest
+
+ applies the latest SBAT revocations
+ (default behavior)
+
+ mokutil --set-sbat-policy previous
+
+ applies previous SBAT revocations to
+ allow falling back to an older release
+
+ In both of the above cases shim will only apply SBAT revocations that
+are newer than the ones currently installed.
+
+ mokutil --set-sbat-policy delete
+
+ resets SBAT revocations only if Secure
+ Boot is disabled. This setting does not
+ persist.
+
+Signed-off-by: Jan Setje-Eilers
+---
+ src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
+ man/mokutil.1 | 14 ++++++++++++--
+ 2 files changed, 55 insertions(+), 6 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e1bd0e36e8a..4fb75cd9b3d 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -85,6 +85,7 @@
+ #define LIST_SBAT (1 << 24)
+ #define FB_VERBOSITY (1 << 25)
+ #define FB_NOREBOOT (1 << 26)
++#define SET_SBAT (1 << 27)
+
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
+@@ -131,12 +132,13 @@ print_help ()
+ printf (" --set-verbosity \t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n");
+++ printf (" --set-sbat-policy \t\tApply Latest, Previous, or Blank SBAT revocations\n");
+++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
+ printf (" --pk\t\t\t\t\tList the keys in PK\n");
+ printf (" --kek\t\t\t\t\tList the keys in KEK\n");
+ printf (" --db\t\t\t\t\tList the keys in db\n");
+ printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
+ printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
+ printf ("\n");
+ printf ("Supplimentary Options:\n");
+ printf (" --hash-file \t\tUse the specific password hash\n");
+@@ -1737,6 +1739,26 @@ list_db (const DBName db_name)
+ return -1;
+ }
+
++static int
++manage_sbat (const uint8_t sbat_policy)
++{
++ if (sbat_policy) {
++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_RUNTIME_ACCESS;
++ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
++ (uint8_t *)&sbat_policy,
++ sizeof (sbat_policy),
++ attributes, S_IRUSR | S_IWUSR) < 0) {
++ fprintf (stderr, "Failed to set SbatPolicy\n");
++ return -1;
++ }
++ } else {
++ return test_and_delete_var ("SbatPolicy");
++ }
++ return 0;
++}
++
+ int
+ main (int argc, char *argv[])
+ {
+@@ -1753,6 +1775,7 @@ main (int argc, char *argv[])
+ uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
++ uint8_t sbat_policy = 0;
+ DBName db_name = MOK_LIST_RT;
+ int ret = -1;
+ int sb_check;
+@@ -1795,11 +1818,12 @@ main (int argc, char *argv[])
+ {"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
++ {"set-sbat-policy", required_argument, 0, 0 },
++ {"list-sbat-revocations", no_argument, 0, 0 },
+ {"pk", no_argument, 0, 0 },
+ {"kek", no_argument, 0, 0 },
+ {"db", no_argument, 0, 0 },
+ {"dbx", no_argument, 0, 0 },
+- {"sbat", no_argument, 0, 0 },
+ {"timeout", required_argument, 0, 0 },
+ {"ca-check", no_argument, 0, 0 },
+ {"ignore-keyring", no_argument, 0, 0 },
+@@ -1879,6 +1903,20 @@ main (int argc, char *argv[])
+ fb_noreboot = 0;
+ else
+ command |= HELP;
++ } else if (strcmp (option, "set-sbat-policy") == 0) {
++ command |= SET_SBAT;
++ if (strcmp (optarg, "latest") == 0)
++ sbat_policy = 1;
++ else if (strcmp (optarg, "previous") == 0)
++ sbat_policy = 2;
++ else if (strcmp (optarg, "delete") == 0)
++ sbat_policy = 3;
++ else
++ command |= HELP;
++ } else if (strcmp (option, "list-sbat-revocations") == 0) {
++ command |= LIST_SBAT;
++ } else if (strcmp (option, "sbat") == 0) {
++ command |= LIST_SBAT;
+ } else if (strcmp (option, "pk") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+@@ -1903,8 +1941,6 @@ main (int argc, char *argv[])
+ } else {
+ db_name = DBX;
+ }
+- } else if (strcmp (option, "sbat") == 0) {
+- command |= LIST_SBAT;
+ } else if (strcmp (option, "timeout") == 0) {
+ command |= TIMEOUT;
+ timeout = strdup (optarg);
+@@ -2177,6 +2213,9 @@ main (int argc, char *argv[])
+ case LIST_SBAT:
+ ret = print_var_content ("SbatLevelRT", efi_guid_shim);
+ break;
++ case SET_SBAT:
++ ret = manage_sbat(sbat_policy);
++ break;
+ default:
+ print_help ();
+ break;
+diff --git a/man/mokutil.1 b/man/mokutil.1
+index 2ea081fc932..4260a7e8467 100644
+--- a/man/mokutil.1
++++ b/man/mokutil.1
+@@ -75,7 +75,9 @@ mokutil \- utility to manipulate machine owner keys
+ .br
+ \fBmokutil\fR [--dbx]
+ .br
+-\fBmokutil\fR [--sbat]
++\fBmokutil\fR [--list-sbat-revocations]
++.br
++\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
+ .br
+ \fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
+ .br
+@@ -180,9 +182,17 @@ List the keys in the secure boot signature store (db)
+ \fB--dbx\fR
+ List the keys in the secure boot blacklist signature store (dbx)
+ .TP
+-\fB--sbat\fR
++\fB--list-sbat-revocations\fR
+ List the entries in the Secure Boot Advanced Targeting store (SBAT)
+ .TP
++\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
++Set the SbatPolicy UEFI Variable to have shim apply either the latest
++or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
++delete will reset the SBAT revocations to an empty revocation list.
++While latest and previous are persistent configuration, delete will be
++cleared by shim on the next boot whether or not it succeeds. The default
++behavior is for shim to apply the previous revocations.
++.TP + \fB--timeout\fR + Set the timeout for MOK prompt + .TP +-- +2.35.1 + diff --git a/mokutil.patches b/mokutil.patches index 042bb98..ea0ebd6 100644 --- a/mokutil.patches +++ b/mokutil.patches @@ -1 +1,2 @@ Patch0001: 0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch +Patch0002: 0002-SBAT-revocation-update-support.patch diff --git a/mokutil.spec b/mokutil.spec index 617a623..7cefb72 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -1,6 +1,6 @@ Name: mokutil Version: 0.5.0 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 Summary: Tool to manage UEFI Secure Boot MoK Keys License: GPLv3+ @@ -57,6 +57,11 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog +* Wed Jun 01 2022 Peter Jones - 0.4.0-9 +- Add support for "mokutil --list-sbat-revocations" and + "mokutil --set-sbat-policy" + Related: CVE-2022-28737 + * Thu May 05 2022 Robbie Harwood - 2:0.5.0-2 - Add git to buildrequires - Resolves: #2081474
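Review bot: The embedded patch contradicts itself about which policy shim applies when no SbatPolicy variable has been set: the commit message marks `latest` as "(default behavior)" while the new man page text ends "The default behavior is for shim to apply the previous revocations.", and the help string `Apply Latest, Previous, or Blank SBAT revocations` names a "Blank" value the parser does not accept (it takes `latest`, `previous`, `delete`), so one of the two default statements has to go and the help line should list the three accepted words. The new `} else if (strcmp (option, "sbat") == 0) {` branch cannot be reached once `{"sbat", no_argument, 0, 0 },` is dropped from the options table in the same patch (the man page drops `--sbat` too), so either keep the table entry as a documented compatibility alias or drop the branch. In manage_sbat the `else` branch calling `test_and_delete_var ("SbatPolicy")` looks unreachable from the visible parsing, where `sbat_policy` stays 0 only when `HELP` has also been set, and the raw 1/2/3 values written into the variable would be clearer as named constants, e.g. `enum { SBAT_POLICY_LATEST = 1, SBAT_POLICY_PREVIOUS = 2, SBAT_POLICY_DELETE = 3 };`. The two added print_help lines carry a `+++` marker where the surrounding added lines use `++`; if that is not an artefact of how this page was captured, the embedded patch will not apply cleanly. manage_sbat lies entirely within the hunk; the main() hunks show only fragments of a function that starts and ends outside them.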