Add support for "mokutil --list-sbat-revocations" and

"mokutil --set-sbat-policy" Related: CVE-2022-28737 Signed-off-by: Peter Jones <pjones@redhat.com>
2022-06-01 13:06:50 -04:00 · 2022-06-01 13:06:50 -04:00 · b14c869cf8
commit b14c869cf8
parent 1520a5f46a
3 changed files with 192 additions and 1 deletions
--- a/0002-SBAT-revocation-update-support.patch
+++ b/0002-SBAT-revocation-update-support.patch
@ -0,0 +1,185 @@
+From 405b34cdd4b006f9d6496f201cb058eb8d3ac376 Mon Sep 17 00:00:00 2001
+From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Date: Thu, 21 Apr 2022 17:28:07 -0700
+Subject: [PATCH] SBAT revocation update support
+
+Control how shim will apply SBAT revocations:
+
+ mokutil --set-sbat-policy latest
+
+	applies the latest SBAT revocations
+	(default behavior)
+
+ mokutil --set-sbat-policy previous
+
+	applies previous SBAT revocations to
+	allow falling back to an older release
+
+ In both of the above cases shim will only apply SBAT revocations that
+are newer than the ones currently installed.
+
+ mokutil --set-sbat-policy delete
+
+	resets SBAT revocations only if Secure
+	Boot is disabled. This setting does not
+	persist.
+
+Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
+---
+ src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
+ man/mokutil.1 | 14 ++++++++++++--
+ 2 files changed, 55 insertions(+), 6 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e1bd0e36e8a..4fb75cd9b3d 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -85,6 +85,7 @@
+ #define LIST_SBAT          (1 << 24)
+ #define FB_VERBOSITY       (1 << 25)
+ #define FB_NOREBOOT        (1 << 26)
+#define SET_SBAT           (1 << 27)
+ 
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
+@@ -131,12 +132,13 @@ print_help ()
+ 	printf ("  --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ 	printf ("  --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ 	printf ("  --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
++	printf ("  --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
++	printf ("  --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
+ 	printf ("  --pk\t\t\t\t\tList the keys in PK\n");
+ 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
+ 	printf ("  --db\t\t\t\t\tList the keys in db\n");
+ 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
+ 	printf ("  --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+-	printf ("  --sbat\t\t\t\tList the entries in SBAT\n");
+ 	printf ("\n");
+ 	printf ("Supplimentary Options:\n");
+ 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
+@@ -1737,6 +1739,26 @@ list_db (const DBName db_name)
+ 	return -1;
+ }
+ 
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+	if (sbat_policy) {
+		uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+				      | EFI_VARIABLE_BOOTSERVICE_ACCESS
+				      | EFI_VARIABLE_RUNTIME_ACCESS;
+		if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+				      (uint8_t *)&sbat_policy,
+				      sizeof (sbat_policy),
+				      attributes, S_IRUSR | S_IWUSR) < 0) {
+			fprintf (stderr, "Failed to set SbatPolicy\n");
+			return -1;
+		}
+	} else {
+		return test_and_delete_var ("SbatPolicy");
+	}
+	return 0;
+}
+
+ int
+ main (int argc, char *argv[])
+ {
+@@ -1753,6 +1775,7 @@ main (int argc, char *argv[])
+ 	uint8_t verbosity = 0;
+ 	uint8_t fb_verbosity = 0;
+ 	uint8_t fb_noreboot = 0;
+	uint8_t sbat_policy = 0;
+ 	DBName db_name = MOK_LIST_RT;
+ 	int ret = -1;
+ 	int sb_check;
+@@ -1795,11 +1818,12 @@ main (int argc, char *argv[])
+ 			{"set-verbosity",      required_argument, 0, 0  },
+ 			{"set-fallback-verbosity", required_argument, 0, 0  },
+ 			{"set-fallback-noreboot", required_argument, 0, 0  },
+			{"set-sbat-policy",    required_argument, 0, 0  },
+			{"list-sbat-revocations", no_argument,       0, 0  },
+ 			{"pk",                 no_argument,       0, 0  },
+ 			{"kek",                no_argument,       0, 0  },
+ 			{"db",                 no_argument,       0, 0  },
+ 			{"dbx",                no_argument,       0, 0  },
+-			{"sbat",               no_argument,       0, 0  },
+ 			{"timeout",            required_argument, 0, 0  },
+ 			{"ca-check",           no_argument,       0, 0  },
+ 			{"ignore-keyring",     no_argument,       0, 0  },
+@@ -1879,6 +1903,20 @@ main (int argc, char *argv[])
+ 					fb_noreboot = 0;
+ 				else
+ 					command |= HELP;
+			} else if (strcmp (option, "set-sbat-policy") == 0) {
+				command |= SET_SBAT;
+				if (strcmp (optarg, "latest") == 0)
+					sbat_policy = 1;
+				else if (strcmp (optarg, "previous") == 0)
+					sbat_policy = 2;
+				else if (strcmp (optarg, "delete") == 0)
+					sbat_policy = 3;
+				else
+					command |= HELP;
+			}  else if (strcmp (option, "list-sbat-revocations") == 0) {
+				command |= LIST_SBAT;
+			}  else if (strcmp (option, "sbat") == 0) {
+				command |= LIST_SBAT;
+ 			} else if (strcmp (option, "pk") == 0) {
+ 				if (db_name != MOK_LIST_RT) {
+ 					command |= HELP;
+@@ -1903,8 +1941,6 @@ main (int argc, char *argv[])
+ 				} else {
+ 					db_name = DBX;
+ 				}
+-			}  else if (strcmp (option, "sbat") == 0) {
+-				command |= LIST_SBAT;
+ 			} else if (strcmp (option, "timeout") == 0) {
+ 				command |= TIMEOUT;
+ 				timeout = strdup (optarg);
+@@ -2177,6 +2213,9 @@ main (int argc, char *argv[])
+ 		case LIST_SBAT:
+ 			ret = print_var_content ("SbatLevelRT", efi_guid_shim);
+ 			break;
+		case SET_SBAT:
+			ret = manage_sbat(sbat_policy);
+			break;
+ 		default:
+ 			print_help ();
+ 			break;
+diff --git a/man/mokutil.1 b/man/mokutil.1
+index 2ea081fc932..4260a7e8467 100644
+--- a/man/mokutil.1
+++ b/man/mokutil.1
+@@ -75,7 +75,9 @@ mokutil \- utility to manipulate machine owner keys
+ .br
+ \fBmokutil\fR [--dbx]
+ .br
+-\fBmokutil\fR [--sbat]
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
+ .br
+ \fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
+ .br
+@@ -180,9 +182,17 @@ List the keys in the secure boot signature store (db)
+ \fB--dbx\fR
+ List the keys in the secure boot blacklist signature store (dbx)
+ .TP
+-\fB--sbat\fR
+\fB--list-sbat-revocations\fR
+ List the entries in the Secure Boot Advanced Targeting store (SBAT)
+ .TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations.  If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP
+ \fB--timeout\fR
+ Set the timeout for MOK prompt
+ .TP
+-- 
+2.35.1
+
--- a/mokutil.patches
+++ b/mokutil.patches
@ -1 +1,2 @@
 Patch0001: 0001-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
+Patch0002: 0002-SBAT-revocation-update-support.patch
--- a/mokutil.spec
+++ b/mokutil.spec
@ -1,6 +1,6 @@
 Name:           mokutil
 Version:        0.5.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Epoch:          2
 Summary:        Tool to manage UEFI Secure Boot MoK Keys
 License:        GPLv3+
@ -57,6 +57,11 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %{_datadir}/bash-completion/completions/mokutil

 %changelog
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 0.4.0-9
+- Add support for "mokutil --list-sbat-revocations" and
+  "mokutil --set-sbat-policy"
+  Related: CVE-2022-28737
+
 * Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-2
 - Add git to buildrequires
 - Resolves: #2081474