import mokutil-0.6.0-4.el9
This commit is contained in:
parent
ef34049d75
commit
b4e04dbb0d
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/0.4.0.tar.gz
|
||||
SOURCES/mokutil-0.6.0.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
42d6c1551535386cba63265a6ed7172d11c88b97 SOURCES/0.4.0.tar.gz
|
||||
b38fa41703cae749d8f642d3218cdff5d5d9a8ec SOURCES/mokutil-0.6.0.tar.gz
|
||||
|
@ -1,114 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Harry Youd <harry@harryyoud.co.uk>
|
||||
Date: Wed, 31 Jul 2019 19:44:53 +0100
|
||||
Subject: [PATCH] Avoid taking pointer to packed struct
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes:
|
||||
error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
|
||||
---
|
||||
src/mokutil.c | 38 ++++++++++++++++++++++----------------
|
||||
1 file changed, 22 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index e2d567d..8892613 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
|
||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
|
||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
|
||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
|
||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
|
||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
|
||||
+ efi_guid_t sigtype = CertList->SignatureType;
|
||||
+
|
||||
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
|
||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
|
||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
|
||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
|
||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
|
||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
|
||||
dbsize -= CertList->SignatureListSize;
|
||||
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
||||
CertList->SignatureListSize);
|
||||
continue;
|
||||
}
|
||||
|
||||
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
|
||||
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
|
||||
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
|
||||
+ (CertList->SignatureSize != signature_size (&sigtype))) {
|
||||
dbsize -= CertList->SignatureListSize;
|
||||
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
||||
CertList->SignatureListSize);
|
||||
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||
}
|
||||
|
||||
list[count].header = CertList;
|
||||
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
|
||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
|
||||
/* X509 certificate */
|
||||
list[count].mok_size = CertList->SignatureSize -
|
||||
sizeof(efi_guid_t);
|
||||
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
|
||||
|
||||
for (unsigned int i = 0; i < mok_num; i++) {
|
||||
printf ("[key %d]\n", i+1);
|
||||
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
|
||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
|
||||
print_x509 ((char *)list[i].mok, list[i].mok_size);
|
||||
} else {
|
||||
- print_hash_array (&list[i].header->SignatureType,
|
||||
+ print_hash_array (&sigtype,
|
||||
list[i].mok, list[i].mok_size);
|
||||
}
|
||||
if (i < mok_num - 1)
|
||||
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
||||
remain = total;
|
||||
for (unsigned int i = 0; i < mok_num; i++) {
|
||||
remain -= list[i].header->SignatureListSize;
|
||||
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
|
||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
||||
+ if (efi_guid_cmp (&sigtype, type) != 0)
|
||||
continue;
|
||||
|
||||
sig_list_size = list[i].header->SignatureListSize;
|
||||
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
|
||||
}
|
||||
|
||||
for (unsigned int i = 0; i < node_num; i++) {
|
||||
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
|
||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
||||
+ if (efi_guid_cmp (&sigtype, type) != 0)
|
||||
continue;
|
||||
|
||||
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
|
||||
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
||||
goto error;
|
||||
/* Check if there is a signature list with the same type */
|
||||
for (unsigned int i = 0; i < mok_num; i++) {
|
||||
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
|
||||
- &hash_type) == 0) {
|
||||
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
|
||||
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
|
||||
merge_ind = i;
|
||||
list_size -= sizeof(EFI_SIGNATURE_LIST);
|
||||
break;
|
||||
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
|
||||
for (unsigned i = 0; i < mok_num; i++) {
|
||||
off_t offset = 0;
|
||||
ssize_t write_size;
|
||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
||||
|
||||
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
|
||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
|
||||
continue;
|
||||
|
||||
/* Dump X509 certificate to files */
|
@ -0,0 +1,31 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 17 May 2022 11:23:28 -0400
|
||||
Subject: [PATCH] Show usage instead of aborting on bad flags
|
||||
|
||||
Aborting here just confuses users and is sufficiently unexpected to
|
||||
cause the filing of bugs.
|
||||
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit 82694cb1ce3b29c3705c25ae4cea3d07fe57b558)
|
||||
---
|
||||
src/mokutil.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 5d725c9..e8228af 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
|
||||
goto out;
|
||||
case 'h':
|
||||
case '?':
|
||||
+ default:
|
||||
command |= HELP;
|
||||
break;
|
||||
- default:
|
||||
- abort ();
|
||||
}
|
||||
}
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 25 Jul 2018 10:27:34 -0400
|
||||
Subject: [PATCH] Fix a integer comparison sign issue.
|
||||
|
||||
I introduced this, and it's stupid:
|
||||
|
||||
mokutil.c: In function 'generate_pw_hash':
|
||||
mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
|
||||
if (salt_size > settings_len - (next - settings)) {
|
||||
^
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 8892613..b66c1b8 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw)
|
||||
char *password = NULL;
|
||||
char *crypt_string;
|
||||
const char *prefix;
|
||||
- int settings_len = sizeof (settings) - 2;
|
||||
+ unsigned int settings_len = sizeof (settings) - 2;
|
||||
unsigned int pw_len, salt_size;
|
||||
|
||||
if (input_pw) {
|
26
SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch
Normal file
26
SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: gaoyusong <gaoyusong2@huawei.com>
|
||||
Date: Mon, 30 May 2022 17:54:47 +0800
|
||||
Subject: [PATCH] mokutil bugfix: del unused opt "-s"
|
||||
|
||||
The -s option can cause unexcepted result.
|
||||
|
||||
Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
|
||||
(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08)
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index e8228af..6982ade 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
|
||||
};
|
||||
|
||||
int option_index = 0;
|
||||
- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
|
||||
+ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
|
||||
long_options, &option_index);
|
||||
|
||||
if (c == -1)
|
@ -0,0 +1,28 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 Jun 2022 12:56:31 -0400
|
||||
Subject: [PATCH] Fix leak of list in delete_data_from_req_var()
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248)
|
||||
---
|
||||
src/util.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index 621869f..6cd0302 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
|
||||
}
|
||||
|
||||
/* the key or hash is not in this list */
|
||||
- if (start == NULL)
|
||||
- return 0;
|
||||
+ if (start == NULL) {
|
||||
+ ret = 0;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
/* all keys are removed */
|
||||
if (total == 0) {
|
@ -1,257 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 25 May 2021 12:46:03 +0200
|
||||
Subject: [PATCH] mokutil: remove "--simple-hash"
|
||||
|
||||
The simple-hash password format is used by the very early MokManager and
|
||||
not the default format anymore after we changed to password-crypt.
|
||||
Remove the code to reduce the code size.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
src/mokutil.c | 87 +++++------------------------------------------------------
|
||||
1 file changed, 7 insertions(+), 80 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index b66c1b8..e811266 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -76,7 +76,6 @@
|
||||
#define TEST_KEY (1 << 14)
|
||||
#define RESET (1 << 15)
|
||||
#define GENERATE_PW_HASH (1 << 16)
|
||||
-#define SIMPLE_HASH (1 << 17)
|
||||
#define IGNORE_DB (1 << 18)
|
||||
#define USE_DB (1 << 19)
|
||||
#define MOKX (1 << 20)
|
||||
@@ -94,8 +93,6 @@ typedef unsigned long efi_status_t;
|
||||
typedef uint8_t efi_bool_t;
|
||||
typedef wchar_t efi_char16_t; /* UNICODE character */
|
||||
|
||||
-static int use_simple_hash;
|
||||
-
|
||||
typedef enum {
|
||||
DELETE_MOK = 0,
|
||||
ENROLL_MOK,
|
||||
@@ -180,7 +177,6 @@ print_help ()
|
||||
printf ("Supplimentary Options:\n");
|
||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
||||
printf (" --root-pw\t\t\t\tUse the root password\n");
|
||||
- printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
|
||||
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
|
||||
}
|
||||
|
||||
@@ -736,32 +732,6 @@ error:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static int
|
||||
-generate_auth (void *new_list, int list_len, char *password,
|
||||
- unsigned int pw_len, uint8_t *auth)
|
||||
-{
|
||||
- efi_char16_t efichar_pass[PASSWORD_MAX+1];
|
||||
- unsigned long efichar_len;
|
||||
- SHA256_CTX ctx;
|
||||
-
|
||||
- if (!password || !auth)
|
||||
- return -1;
|
||||
-
|
||||
- efichar_len = efichar_from_char (efichar_pass, password,
|
||||
- pw_len * sizeof(efi_char16_t));
|
||||
-
|
||||
- SHA256_Init (&ctx);
|
||||
-
|
||||
- if (new_list)
|
||||
- SHA256_Update (&ctx, new_list, list_len);
|
||||
-
|
||||
- SHA256_Update (&ctx, efichar_pass, efichar_len);
|
||||
-
|
||||
- SHA256_Final (auth, &ctx);
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static void
|
||||
generate_salt (char salt[], unsigned int salt_size)
|
||||
{
|
||||
@@ -901,7 +871,6 @@ update_request (void *new_list, int list_len, MokRequest req,
|
||||
size_t data_size;
|
||||
const char *req_name, *auth_name;
|
||||
pw_crypt_t pw_crypt;
|
||||
- uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
char *password = NULL;
|
||||
unsigned int pw_len;
|
||||
int auth_ret;
|
||||
@@ -950,12 +919,7 @@ update_request (void *new_list, int list_len, MokRequest req,
|
||||
goto error;
|
||||
}
|
||||
|
||||
- if (!use_simple_hash) {
|
||||
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
||||
- } else {
|
||||
- auth_ret = generate_auth (new_list, list_len, password,
|
||||
- pw_len, auth);
|
||||
- }
|
||||
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
||||
if (auth_ret < 0) {
|
||||
fprintf (stderr, "Couldn't generate hash\n");
|
||||
goto error;
|
||||
@@ -991,13 +955,8 @@ update_request (void *new_list, int list_len, MokRequest req,
|
||||
}
|
||||
|
||||
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
|
||||
- if (!use_simple_hash) {
|
||||
- data = (void *)&pw_crypt;
|
||||
- data_size = PASSWORD_CRYPT_SIZE;
|
||||
- } else {
|
||||
- data = (void *)auth;
|
||||
- data_size = SHA256_DIGEST_LENGTH;
|
||||
- }
|
||||
+ data = (void *)&pw_crypt;
|
||||
+ data_size = PASSWORD_CRYPT_SIZE;
|
||||
|
||||
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
|
||||
attributes, S_IRUSR | S_IWUSR) < 0) {
|
||||
@@ -1750,26 +1709,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
|
||||
goto error;
|
||||
}
|
||||
|
||||
- if (!use_simple_hash) {
|
||||
- pw_crypt.method = DEFAULT_CRYPT_METHOD;
|
||||
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
||||
- } else {
|
||||
- auth_ret = generate_auth (NULL, 0, password, pw_len,
|
||||
- auth);
|
||||
- }
|
||||
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
|
||||
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
||||
if (auth_ret < 0) {
|
||||
fprintf (stderr, "Couldn't generate hash\n");
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
|
||||
- if (!use_simple_hash) {
|
||||
- data = (void *)&pw_crypt;
|
||||
- data_size = PASSWORD_CRYPT_SIZE;
|
||||
- } else {
|
||||
- data = (void *)auth;
|
||||
- data_size = SHA256_DIGEST_LENGTH;
|
||||
- }
|
||||
+ data = (void *)auth;
|
||||
+ data_size = SHA256_DIGEST_LENGTH;
|
||||
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
| EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
@@ -2147,8 +2096,6 @@ main (int argc, char *argv[])
|
||||
DBName db_name = MOK_LIST_RT;
|
||||
int ret = -1;
|
||||
|
||||
- use_simple_hash = 0;
|
||||
-
|
||||
if (!efi_variables_supported ()) {
|
||||
fprintf (stderr, "EFI variables are not supported on this system\n");
|
||||
exit (1);
|
||||
@@ -2175,7 +2122,6 @@ main (int argc, char *argv[])
|
||||
{"hash-file", required_argument, 0, 'f'},
|
||||
{"generate-hash", optional_argument, 0, 'g'},
|
||||
{"root-pw", no_argument, 0, 'P'},
|
||||
- {"simple-hash", no_argument, 0, 's'},
|
||||
{"ignore-db", no_argument, 0, 0 },
|
||||
{"use-db", no_argument, 0, 0 },
|
||||
{"mok", no_argument, 0, 'm'},
|
||||
@@ -2374,10 +2320,6 @@ main (int argc, char *argv[])
|
||||
case 'x':
|
||||
command |= EXPORT;
|
||||
break;
|
||||
- case 's':
|
||||
- command |= SIMPLE_HASH;
|
||||
- use_simple_hash = 1;
|
||||
- break;
|
||||
case 'm':
|
||||
db_name = MOK_LIST_RT;
|
||||
break;
|
||||
@@ -2398,9 +2340,6 @@ main (int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- if (use_root_pw == 1 && use_simple_hash == 1)
|
||||
- use_simple_hash = 0;
|
||||
-
|
||||
if (hash_file && use_root_pw)
|
||||
command |= HELP;
|
||||
|
||||
@@ -2436,22 +2375,18 @@ main (int argc, char *argv[])
|
||||
ret = list_keys_in_var ("MokDel", efi_guid_shim);
|
||||
break;
|
||||
case IMPORT:
|
||||
- case IMPORT | SIMPLE_HASH:
|
||||
ret = issue_mok_request (files, total, ENROLL_MOK,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case DELETE:
|
||||
- case DELETE | SIMPLE_HASH:
|
||||
ret = issue_mok_request (files, total, DELETE_MOK,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case IMPORT_HASH:
|
||||
- case IMPORT_HASH | SIMPLE_HASH:
|
||||
ret = issue_hash_request (hash_str, ENROLL_MOK,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case DELETE_HASH:
|
||||
- case DELETE_HASH | SIMPLE_HASH:
|
||||
ret = issue_hash_request (hash_str, DELETE_MOK,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
@@ -2466,11 +2401,9 @@ main (int argc, char *argv[])
|
||||
ret = export_db_keys (db_name);
|
||||
break;
|
||||
case PASSWORD:
|
||||
- case PASSWORD | SIMPLE_HASH:
|
||||
ret = set_password (hash_file, use_root_pw, 0);
|
||||
break;
|
||||
case CLEAR_PASSWORD:
|
||||
- case CLEAR_PASSWORD | SIMPLE_HASH:
|
||||
ret = set_password (NULL, 0, 1);
|
||||
break;
|
||||
case DISABLE_VALIDATION:
|
||||
@@ -2486,7 +2419,6 @@ main (int argc, char *argv[])
|
||||
ret = test_key (ENROLL_MOK, key_file);
|
||||
break;
|
||||
case RESET:
|
||||
- case RESET | SIMPLE_HASH:
|
||||
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
|
||||
break;
|
||||
case GENERATE_PW_HASH:
|
||||
@@ -2505,22 +2437,18 @@ main (int argc, char *argv[])
|
||||
ret = list_keys_in_var ("MokXDel", efi_guid_shim);
|
||||
break;
|
||||
case IMPORT | MOKX:
|
||||
- case IMPORT | SIMPLE_HASH | MOKX:
|
||||
ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case DELETE | MOKX:
|
||||
- case DELETE | SIMPLE_HASH | MOKX:
|
||||
ret = issue_mok_request (files, total, DELETE_BLACKLIST,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case IMPORT_HASH | MOKX:
|
||||
- case IMPORT_HASH | SIMPLE_HASH | MOKX:
|
||||
ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
case DELETE_HASH | MOKX:
|
||||
- case DELETE_HASH | SIMPLE_HASH | MOKX:
|
||||
ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
|
||||
hash_file, use_root_pw);
|
||||
break;
|
||||
@@ -2531,7 +2459,6 @@ main (int argc, char *argv[])
|
||||
ret = revoke_request (DELETE_BLACKLIST);
|
||||
break;
|
||||
case RESET | MOKX:
|
||||
- case RESET | SIMPLE_HASH | MOKX:
|
||||
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
|
||||
break;
|
||||
case TEST_KEY | MOKX:
|
70
SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch
Normal file
70
SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 2 Jun 2022 13:00:22 -0400
|
||||
Subject: [PATCH] Fix leak of fd in mok_get_variable()
|
||||
|
||||
On success, it was never closed. Refactor the code to use a single
|
||||
egress path so its closure is clear.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a)
|
||||
---
|
||||
src/util.c | 24 +++++++++++++-----------
|
||||
1 file changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index 6cd0302..f7fc033 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
|
||||
return fd;
|
||||
|
||||
rc = fstat(fd, &sb);
|
||||
- if (rc < 0) {
|
||||
-err_close:
|
||||
- close(fd);
|
||||
- return rc;
|
||||
- }
|
||||
+ if (rc < 0)
|
||||
+ goto done;
|
||||
|
||||
if (sb.st_size == 0) {
|
||||
errno = ENOENT;
|
||||
rc = -1;
|
||||
- goto err_close;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
bufsz = sb.st_size;
|
||||
buf = calloc(1, bufsz);
|
||||
- if (!buf)
|
||||
- goto err_close;
|
||||
+ if (!buf) {
|
||||
+ rc = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
while (pos < bufsz) {
|
||||
ssz = read(fd, &buf[pos], bufsz - pos);
|
||||
@@ -82,15 +81,18 @@ err_close:
|
||||
errno == EINTR)
|
||||
continue;
|
||||
free(buf);
|
||||
- goto err_close;
|
||||
+ rc = -1;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
pos += ssz;
|
||||
}
|
||||
*datap = buf;
|
||||
*data_sizep = pos;
|
||||
-
|
||||
- return 0;
|
||||
+ rc = 0;
|
||||
+done:
|
||||
+ close(fd);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
MokListNode*
|
@ -1,78 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 27 Aug 2020 14:48:08 +0800
|
||||
Subject: [PATCH] man: remove "--simple-hash"
|
||||
|
||||
Remove "--simple-hash" from the man page.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
man/mokutil.1 | 19 ++++++-------------
|
||||
1 file changed, 6 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
||||
index 25fe8b4..7cee5da 100644
|
||||
--- a/man/mokutil.1
|
||||
+++ b/man/mokutil.1
|
||||
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.br
|
||||
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
|
||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s] | [--mokx | -X])
|
||||
+ [--mokx | -X])
|
||||
.br
|
||||
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
|
||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s] | [--mokx |- X])
|
||||
+ [--mokx |- X])
|
||||
.br
|
||||
\fBmokutil\fR [--revoke-import]
|
||||
([--mokx | -X])
|
||||
@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys
|
||||
\fBmokutil\fR [--export | -x]
|
||||
.br
|
||||
\fBmokutil\fR [--password | -p]
|
||||
- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s])
|
||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
||||
.br
|
||||
\fBmokutil\fR [--clear-password | -c]
|
||||
- ([--simple-hash | -s])
|
||||
.br
|
||||
\fBmokutil\fR [--disable-validation]
|
||||
.br
|
||||
@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.br
|
||||
\fBmokutil\fR [--reset]
|
||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s] | [--mok | -X])
|
||||
+ [--mok | -X])
|
||||
.br
|
||||
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
|
||||
.br
|
||||
@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.br
|
||||
\fBmokutil\fR [--import-hash \fIhash\fR]
|
||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s] | [--mokx | -X])
|
||||
+ [--mokx | -X])
|
||||
.br
|
||||
\fBmokutil\fR [--delete-hash \fIhash\fR]
|
||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
||||
- [--simple-hash | -s] | [--mokx | -X])
|
||||
+ [--mokx | -X])
|
||||
.br
|
||||
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
||||
.br
|
||||
@@ -136,11 +134,6 @@ Use the password hash from a specific file
|
||||
\fB-P, --root-pw\fR
|
||||
Use the root password hash from /etc/shadow
|
||||
.TP
|
||||
-\fB-s, --simple-hash\fR
|
||||
-Use the old SHA256 password hash method to hash the password
|
||||
-.br
|
||||
-Note: --root-pw invalidates --simple-hash
|
||||
-.TP
|
||||
\fB--ignore-db\fR
|
||||
Tell shim to not use the keys in db to verify EFI images
|
||||
.TP
|
@ -1,38 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 27 Aug 2020 16:10:50 +0800
|
||||
Subject: [PATCH] mokutil: adjust the command bits
|
||||
|
||||
Adjust the bits after removing SIMPLE_HASH.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
(cherry picked from commit 25191c38156b90004b783d0265d967dbe8e76a38)
|
||||
---
|
||||
src/mokutil.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index e811266..a9d97f4 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -76,13 +76,13 @@
|
||||
#define TEST_KEY (1 << 14)
|
||||
#define RESET (1 << 15)
|
||||
#define GENERATE_PW_HASH (1 << 16)
|
||||
-#define IGNORE_DB (1 << 18)
|
||||
-#define USE_DB (1 << 19)
|
||||
-#define MOKX (1 << 20)
|
||||
-#define IMPORT_HASH (1 << 21)
|
||||
-#define DELETE_HASH (1 << 22)
|
||||
-#define VERBOSITY (1 << 23)
|
||||
-#define TIMEOUT (1 << 24)
|
||||
+#define IGNORE_DB (1 << 17)
|
||||
+#define USE_DB (1 << 18)
|
||||
+#define MOKX (1 << 19)
|
||||
+#define IMPORT_HASH (1 << 20)
|
||||
+#define DELETE_HASH (1 << 21)
|
||||
+#define VERBOSITY (1 << 22)
|
||||
+#define TIMEOUT (1 << 23)
|
||||
|
||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
@ -1,121 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Wed, 17 Mar 2021 14:38:57 +0100
|
||||
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
|
||||
|
||||
This variable contains the descriptive form of all the components used by
|
||||
the operating systems that ship signed shim binaries. Along with a minimum
|
||||
generation number for each component. More information in can be found in
|
||||
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
|
||||
|
||||
https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||
|
||||
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
|
||||
encoded strings, the data could just be printed without the need to do any
|
||||
previous processing.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
|
||||
man/mokutil.1 | 5 +++++
|
||||
2 files changed, 38 insertions(+)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index a9d97f4..dba77c9 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -83,6 +83,7 @@
|
||||
#define DELETE_HASH (1 << 21)
|
||||
#define VERBOSITY (1 << 22)
|
||||
#define TIMEOUT (1 << 23)
|
||||
+#define LIST_SBAT (1 << 24)
|
||||
|
||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
||||
@@ -173,6 +174,7 @@ print_help ()
|
||||
printf (" --db\t\t\t\t\tList the keys in db\n");
|
||||
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
||||
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
||||
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
|
||||
printf ("\n");
|
||||
printf ("Supplimentary Options:\n");
|
||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
||||
@@ -1557,6 +1559,31 @@ error:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int
|
||||
+print_var_content (const char *var_name, const efi_guid_t guid)
|
||||
+{
|
||||
+ uint8_t *data = NULL;
|
||||
+ size_t data_size;
|
||||
+ uint32_t attributes;
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
||||
+ if (ret < 0) {
|
||||
+ if (errno == ENOENT) {
|
||||
+ printf ("%s is empty\n", var_name);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ printf ("%s", data);
|
||||
+ free (data);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
revoke_request (MokRequest req)
|
||||
{
|
||||
@@ -2133,6 +2160,7 @@ main (int argc, char *argv[])
|
||||
{"kek", no_argument, 0, 0 },
|
||||
{"db", no_argument, 0, 0 },
|
||||
{"dbx", no_argument, 0, 0 },
|
||||
+ {"sbat", no_argument, 0, 0 },
|
||||
{"timeout", required_argument, 0, 0 },
|
||||
{0, 0, 0, 0}
|
||||
};
|
||||
@@ -2217,6 +2245,8 @@ main (int argc, char *argv[])
|
||||
} else {
|
||||
db_name = DBX;
|
||||
}
|
||||
+ } else if (strcmp (option, "sbat") == 0) {
|
||||
+ command |= LIST_SBAT;
|
||||
} else if (strcmp (option, "timeout") == 0) {
|
||||
command |= TIMEOUT;
|
||||
timeout = strdup (optarg);
|
||||
@@ -2470,6 +2500,9 @@ main (int argc, char *argv[])
|
||||
case TIMEOUT:
|
||||
ret = set_timeout (timeout);
|
||||
break;
|
||||
+ case LIST_SBAT:
|
||||
+ ret = print_var_content ("SBAT", efi_guid_shim);
|
||||
+ break;
|
||||
default:
|
||||
print_help ();
|
||||
break;
|
||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
||||
index 7cee5da..1f82ff1 100644
|
||||
--- a/man/mokutil.1
|
||||
+++ b/man/mokutil.1
|
||||
@@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.br
|
||||
\fBmokutil\fR [--dbx]
|
||||
.br
|
||||
+\fBmokutil\fR [--sbat]
|
||||
+.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
||||
@@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db)
|
||||
\fB--dbx\fR
|
||||
List the keys in the secure boot blacklist signature store (dbx)
|
||||
.TP
|
||||
+\fB--sbat\fR
|
||||
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
|
||||
+.TP
|
@ -1,238 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 17 Mar 2021 14:49:21 +0100
|
||||
Subject: [PATCH] mokutil: add mok-variables parsing support
|
||||
|
||||
his patch adds support for getting mok variables from
|
||||
/sys/firmware/efi/mok-variables/$NAME , if they are present, as well as
|
||||
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
|
||||
variables.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 151 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index dba77c9..9153b10 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -247,6 +247,63 @@ signature_size (const efi_guid_t *hash_type)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int
|
||||
+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
|
||||
+{
|
||||
+ char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name";
|
||||
+ size_t filename_sz = sizeof(filename);
|
||||
+ int fd, rc;
|
||||
+ struct stat sb = { 0, };
|
||||
+ uint8_t *buf;
|
||||
+ size_t bufsz, pos = 0;
|
||||
+ ssize_t ssz;
|
||||
+
|
||||
+ *datap = 0;
|
||||
+ *data_sizep = 0;
|
||||
+
|
||||
+ snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name);
|
||||
+
|
||||
+ fd = open(filename, O_RDONLY);
|
||||
+ if (fd < 0)
|
||||
+ return fd;
|
||||
+
|
||||
+ rc = fstat(fd, &sb);
|
||||
+ if (rc < 0) {
|
||||
+err_close:
|
||||
+ close(fd);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ if (sb.st_size == 0) {
|
||||
+ errno = ENOENT;
|
||||
+ rc = -1;
|
||||
+ goto err_close;
|
||||
+ }
|
||||
+
|
||||
+ bufsz = sb.st_size;
|
||||
+ buf = calloc(1, bufsz);
|
||||
+ if (!buf)
|
||||
+ goto err_close;
|
||||
+
|
||||
+ while (pos < bufsz) {
|
||||
+ ssz = read(fd, &buf[pos], bufsz - pos);
|
||||
+ if (ssz < 0) {
|
||||
+ if (errno == EAGAIN ||
|
||||
+ errno == EWOULDBLOCK ||
|
||||
+ errno == EINTR)
|
||||
+ continue;
|
||||
+ free(buf);
|
||||
+ goto err_close;
|
||||
+ }
|
||||
+
|
||||
+ pos += ssz;
|
||||
+ }
|
||||
+ *datap = buf;
|
||||
+ *data_sizep = pos;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static MokListNode*
|
||||
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||
{
|
||||
@@ -618,25 +675,44 @@ static int
|
||||
list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
||||
{
|
||||
uint8_t *data = NULL;
|
||||
- size_t data_size;
|
||||
+ char varname[] = "implausibly-long-mok-variable-name";
|
||||
+ size_t data_sz, i, varname_sz = sizeof(varname);
|
||||
uint32_t attributes;
|
||||
int ret;
|
||||
|
||||
- ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
||||
- if (ret < 0) {
|
||||
- if (errno == ENOENT) {
|
||||
- printf ("%s is empty\n", var_name);
|
||||
- return 0;
|
||||
+ ret = mok_get_variable(var_name, &data, &data_sz);
|
||||
+ if (ret >= 0) {
|
||||
+ ret = list_keys (data, data_sz);
|
||||
+ free(data);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < SIZE_MAX; i++) {
|
||||
+ if (i == 0) {
|
||||
+ snprintf(varname, varname_sz, "%s", var_name);
|
||||
+ } else {
|
||||
+ snprintf(varname, varname_sz, "%s%zu", var_name, i);
|
||||
}
|
||||
|
||||
- fprintf (stderr, "Failed to read %s: %m\n", var_name);
|
||||
- return -1;
|
||||
+ ret = efi_get_variable (guid, varname, &data, &data_sz,
|
||||
+ &attributes);
|
||||
+ if (ret < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ ret = list_keys (data, data_sz);
|
||||
+ free(data);
|
||||
+ /*
|
||||
+ * If ret is < 0, the next one will error as well.
|
||||
+ * If ret is 0, we need to test the next variable.
|
||||
+ * If it's 1, that's a real answer.
|
||||
+ */
|
||||
+ if (ret < 0)
|
||||
+ return 0;
|
||||
+ if (ret > 0)
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
- ret = list_keys (data, data_size);
|
||||
- free (data);
|
||||
-
|
||||
- return ret;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -998,22 +1074,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
||||
}
|
||||
|
||||
static int
|
||||
-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
|
||||
- const efi_guid_t *vendor, const char *db_name)
|
||||
+is_one_duplicate (const efi_guid_t *type,
|
||||
+ const void *data, const uint32_t data_size,
|
||||
+ uint8_t *var_data, size_t var_data_size)
|
||||
{
|
||||
- uint8_t *var_data;
|
||||
- size_t var_data_size;
|
||||
- uint32_t attributes;
|
||||
uint32_t node_num;
|
||||
MokListNode *list;
|
||||
int ret = 0;
|
||||
|
||||
- if (!data || data_size == 0 || !db_name)
|
||||
- return 0;
|
||||
-
|
||||
- ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size,
|
||||
- &attributes);
|
||||
- if (ret < 0)
|
||||
+ if (!data || data_size == 0)
|
||||
return 0;
|
||||
|
||||
list = build_mok_list (var_data, var_data_size, &node_num);
|
||||
@@ -1046,11 +1115,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
|
||||
done:
|
||||
if (list)
|
||||
free (list);
|
||||
- free (var_data);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int
|
||||
+is_duplicate (const efi_guid_t *type,
|
||||
+ const void *data, const uint32_t data_size,
|
||||
+ const efi_guid_t *vendor, const char *db_name)
|
||||
+{
|
||||
+ uint32_t attributes;
|
||||
+ char varname[] = "implausibly-long-mok-variable-name";
|
||||
+ size_t varname_sz = sizeof(varname);
|
||||
+ int ret = 0;
|
||||
+ size_t i;
|
||||
+
|
||||
+ if (!strncmp(db_name, "Mok", 3)) {
|
||||
+ uint8_t *var_data = NULL;
|
||||
+ size_t var_data_size = 0;
|
||||
+ ret = mok_get_variable(db_name, &var_data, &var_data_size);
|
||||
+ if (ret >= 0) {
|
||||
+ ret = is_one_duplicate(type, data, data_size,
|
||||
+ var_data, var_data_size);
|
||||
+ if (ret >= 0) {
|
||||
+ free (var_data);
|
||||
+ return ret;
|
||||
+ }
|
||||
+ var_data = NULL;
|
||||
+ var_data_size = 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < SIZE_MAX; i++) {
|
||||
+ uint8_t *var_data = NULL;
|
||||
+ size_t var_data_size = 0;
|
||||
+ if (i == 0) {
|
||||
+ snprintf(varname, varname_sz, "%s", db_name);
|
||||
+ } else {
|
||||
+ snprintf(varname, varname_sz, "%s%zu", db_name, i);
|
||||
+ }
|
||||
+
|
||||
+ ret = efi_get_variable (*vendor, varname,
|
||||
+ &var_data, &var_data_size,
|
||||
+ &attributes);
|
||||
+ if (ret < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ ret = is_one_duplicate(type, data, data_size,
|
||||
+ var_data, var_data_size);
|
||||
+ free (var_data);
|
||||
+ /*
|
||||
+ * If ret is < 0, the next one will error as well.
|
||||
+ * If ret is 0, we need to test the next variable.
|
||||
+ * If it's 1, that's a real answer.
|
||||
+ */
|
||||
+ if (ret < 0)
|
||||
+ return 0;
|
||||
+ if (ret > 0)
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||
MokRequest req)
|
@ -1,95 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Tue, 25 May 2021 15:22:29 +0200
|
||||
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
|
||||
deprecated SHA1_*()
|
||||
|
||||
The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads
|
||||
to compile errors when building with -Werror=deprecated-declarations, i.e:
|
||||
|
||||
mokutil.c: In function 'print_x509':
|
||||
mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
|
||||
424 | SHA1_Init (&ctx);
|
||||
| ^~~~~~~~~
|
||||
...
|
||||
|
||||
instead, the EVP_Digest*() functions could be used. Port to them and avoid
|
||||
these build failures with the latest OpenSSL 3.0 version.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
---
|
||||
src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 36 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 9153b10..0fd2dc3 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
|
||||
{
|
||||
X509 *X509cert;
|
||||
BIO *cert_bio;
|
||||
- SHA_CTX ctx;
|
||||
- uint8_t fingerprint[SHA_DIGEST_LENGTH];
|
||||
+ EVP_MD_CTX *ctx;
|
||||
+ const EVP_MD *md;
|
||||
+ unsigned int md_len;
|
||||
+ unsigned char fingerprint[EVP_MAX_MD_SIZE];
|
||||
|
||||
cert_bio = BIO_new (BIO_s_mem ());
|
||||
BIO_write (cert_bio, cert, cert_size);
|
||||
@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size)
|
||||
X509cert = d2i_X509_bio (cert_bio, NULL);
|
||||
if (X509cert == NULL) {
|
||||
fprintf (stderr, "Invalid X509 certificate\n");
|
||||
- return -1;
|
||||
+ goto cleanup_bio;
|
||||
}
|
||||
|
||||
- SHA1_Init (&ctx);
|
||||
- SHA1_Update (&ctx, cert, cert_size);
|
||||
- SHA1_Final (fingerprint, &ctx);
|
||||
+ md = EVP_get_digestbyname ("SHA1");
|
||||
+ if(md == NULL) {
|
||||
+ fprintf (stderr, "Failed to get SHA1 digest\n");
|
||||
+ goto cleanup_bio;
|
||||
+ }
|
||||
+
|
||||
+ ctx = EVP_MD_CTX_create ();
|
||||
+ if (ctx == NULL) {
|
||||
+ fprintf (stderr, "Failed to create digest context\n");
|
||||
+ goto cleanup_bio;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
|
||||
+ fprintf (stderr, "Failed to initialize digest context\n");
|
||||
+ goto cleanup_ctx;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) {
|
||||
+ fprintf (stderr, "Failed to hash into the digest context\n");
|
||||
+ goto cleanup_ctx;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
|
||||
+ fprintf (stderr, "Failed to get digest value\n");
|
||||
+ goto cleanup_ctx;
|
||||
+ }
|
||||
|
||||
printf ("SHA1 Fingerprint: ");
|
||||
- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) {
|
||||
+ for (unsigned int i = 0; i < md_len; i++) {
|
||||
printf ("%02x", fingerprint[i]);
|
||||
- if (i < SHA_DIGEST_LENGTH - 1)
|
||||
+ if (i < md_len - 1)
|
||||
printf (":");
|
||||
}
|
||||
printf ("\n");
|
||||
X509_print_fp (stdout, X509cert);
|
||||
|
||||
+cleanup_ctx:
|
||||
+ EVP_MD_CTX_destroy (ctx);
|
||||
+cleanup_bio:
|
||||
BIO_free (cert_bio);
|
||||
|
||||
return 0;
|
@ -1,191 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||
Date: Fri, 3 Dec 2021 14:18:31 +0100
|
||||
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
|
||||
fallback debugging.
|
||||
|
||||
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
|
||||
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
|
||||
[rharwood: no sb_check, no util renaming]
|
||||
---
|
||||
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
data/mokutil | 8 +++++++
|
||||
man/mokutil.1 | 10 +++++++++
|
||||
3 files changed, 88 insertions(+)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 0fd2dc3..f9641a1 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -84,6 +84,8 @@
|
||||
#define VERBOSITY (1 << 22)
|
||||
#define TIMEOUT (1 << 23)
|
||||
#define LIST_SBAT (1 << 24)
|
||||
+#define FB_VERBOSITY (1 << 25)
|
||||
+#define FB_NOREBOOT (1 << 26)
|
||||
|
||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
||||
@@ -169,6 +171,8 @@ print_help ()
|
||||
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
||||
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
||||
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
||||
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
|
||||
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
|
||||
printf (" --pk\t\t\t\t\tList the keys in PK\n");
|
||||
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
||||
printf (" --db\t\t\t\t\tList the keys in db\n");
|
||||
@@ -2240,6 +2244,46 @@ set_verbosity (uint8_t verbosity)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int
|
||||
+set_fallback_verbosity (const uint8_t verbosity)
|
||||
+{
|
||||
+ if (verbosity) {
|
||||
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
|
||||
+ (uint8_t *)&verbosity, sizeof (verbosity),
|
||||
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
||||
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ return test_and_delete_var ("FALLBACK_VERBOSE");
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+set_fallback_noreboot (const uint8_t noreboot)
|
||||
+{
|
||||
+ if (noreboot) {
|
||||
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
|
||||
+ (uint8_t *)&noreboot, sizeof (noreboot),
|
||||
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
||||
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ return test_and_delete_var ("FB_NO_REBOOT");
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static inline int
|
||||
list_db (DBName db_name)
|
||||
{
|
||||
@@ -2275,6 +2319,8 @@ main (int argc, char *argv[])
|
||||
unsigned int command = 0;
|
||||
int use_root_pw = 0;
|
||||
uint8_t verbosity = 0;
|
||||
+ uint8_t fb_verbosity = 0;
|
||||
+ uint8_t fb_noreboot = 0;
|
||||
DBName db_name = MOK_LIST_RT;
|
||||
int ret = -1;
|
||||
|
||||
@@ -2311,6 +2357,8 @@ main (int argc, char *argv[])
|
||||
{"import-hash", required_argument, 0, 0 },
|
||||
{"delete-hash", required_argument, 0, 0 },
|
||||
{"set-verbosity", required_argument, 0, 0 },
|
||||
+ {"set-fallback-verbosity", required_argument, 0, 0 },
|
||||
+ {"set-fallback-noreboot", required_argument, 0, 0 },
|
||||
{"pk", no_argument, 0, 0 },
|
||||
{"kek", no_argument, 0, 0 },
|
||||
{"db", no_argument, 0, 0 },
|
||||
@@ -2376,6 +2424,22 @@ main (int argc, char *argv[])
|
||||
verbosity = 0;
|
||||
else
|
||||
command |= HELP;
|
||||
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
|
||||
+ command |= FB_VERBOSITY;
|
||||
+ if (strcmp (optarg, "true") == 0)
|
||||
+ fb_verbosity = 1;
|
||||
+ else if (strcmp (optarg, "false") == 0)
|
||||
+ fb_verbosity = 0;
|
||||
+ else
|
||||
+ command |= HELP;
|
||||
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
|
||||
+ command |= FB_NOREBOOT;
|
||||
+ if (strcmp (optarg, "true") == 0)
|
||||
+ fb_noreboot = 1;
|
||||
+ else if (strcmp (optarg, "false") == 0)
|
||||
+ fb_noreboot = 0;
|
||||
+ else
|
||||
+ command |= HELP;
|
||||
} else if (strcmp (option, "pk") == 0) {
|
||||
if (db_name != MOK_LIST_RT) {
|
||||
command |= HELP;
|
||||
@@ -2652,6 +2716,12 @@ main (int argc, char *argv[])
|
||||
case VERBOSITY:
|
||||
ret = set_verbosity (verbosity);
|
||||
break;
|
||||
+ case FB_VERBOSITY:
|
||||
+ ret = set_fallback_verbosity (fb_verbosity);
|
||||
+ break;
|
||||
+ case FB_NOREBOOT:
|
||||
+ ret = set_fallback_noreboot (fb_noreboot);
|
||||
+ break;
|
||||
case TIMEOUT:
|
||||
ret = set_timeout (timeout);
|
||||
break;
|
||||
diff --git a/data/mokutil b/data/mokutil
|
||||
index 800b039..af6b6ff 100755
|
||||
--- a/data/mokutil
|
||||
+++ b/data/mokutil
|
||||
@@ -24,6 +24,14 @@ _mokutil()
|
||||
COMPREPLY=( $( compgen -W "true false") )
|
||||
return 0
|
||||
;;
|
||||
+ --set-fallback-verbosity)
|
||||
+ COMPREPLY=( $( compgen -W "true false") )
|
||||
+ return 0
|
||||
+ ;;
|
||||
+ --set-fallback-noreboot)
|
||||
+ COMPREPLY=( $( compgen -W "true false") )
|
||||
+ return 0
|
||||
+ ;;
|
||||
--generate-hash|-g)
|
||||
COMPREPLY=( $( compgen -o nospace -P= -W "") )
|
||||
return 0
|
||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
||||
index 1f82ff1..a3a73e1 100644
|
||||
--- a/man/mokutil.1
|
||||
+++ b/man/mokutil.1
|
||||
@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.br
|
||||
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
||||
.br
|
||||
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
|
||||
+.br
|
||||
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
|
||||
+.br
|
||||
\fBmokutil\fR [--pk]
|
||||
.br
|
||||
\fBmokutil\fR [--kek]
|
||||
@@ -156,6 +160,12 @@ this is not the password hash.
|
||||
\fB--set-verbosity\fR
|
||||
Set the SHIM_VERBOSE to make shim more or less verbose
|
||||
.TP
|
||||
+\fB--set-fallback-verbosity\fR
|
||||
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
|
||||
+.TP
|
||||
+\fB--set-fallback-noreboot\fR
|
||||
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
|
||||
+.TP
|
||||
\fB--pk\fR
|
||||
List the keys in the public Platform Key (PK)
|
||||
.TP
|
@ -1,9 +1,4 @@
|
||||
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
|
||||
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
|
||||
Patch0003: 0003-mokutil-remove-simple-hash.patch
|
||||
Patch0004: 0004-man-remove-simple-hash.patch
|
||||
Patch0005: 0005-mokutil-adjust-the-command-bits.patch
|
||||
Patch0006: 0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
|
||||
Patch0007: 0007-mokutil-add-mok-variables-parsing-support.patch
|
||||
Patch0008: 0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
|
||||
Patch0009: 0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
|
||||
Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
|
||||
Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch
|
||||
Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
|
||||
Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
|
||||
|
@ -1,17 +1,24 @@
|
||||
Name: mokutil
|
||||
Version: 0.4.0
|
||||
Release: 9%{?dist}
|
||||
Version: 0.6.0
|
||||
Release: 4%{?dist}
|
||||
Epoch: 2
|
||||
Summary: Tool to manage UEFI Secure Boot MoK Keys
|
||||
License: GPLv3+
|
||||
URL: https://github.com/lcp/mokutil
|
||||
ExclusiveArch: %{ix86} x86_64 aarch64
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
|
||||
BuildRequires: efivar-devel >= 31-1
|
||||
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
|
||||
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Source1: mokutil.patches
|
||||
ExclusiveArch: %{ix86} x86_64 aarch64 %{arm}
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: efivar-devel >= 31-1
|
||||
BuildRequires: gcc
|
||||
BuildRequires: git
|
||||
BuildRequires: gnu-efi
|
||||
BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssl-devel
|
||||
Conflicts: shim < 0.8-1%{?dist}
|
||||
Obsoletes: mokutil < 0.2.0
|
||||
|
||||
@ -22,27 +29,17 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
|
||||
("Machine's Own Keys") mechanism.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
git init
|
||||
git config user.email "%{name}-owner@fedoraproject.org"
|
||||
git config user.name "Fedora Ninjas"
|
||||
git add .
|
||||
git commit -a -q -m "%{version} baseline."
|
||||
git am %{patches} </dev/null
|
||||
git config --unset user.email
|
||||
git config --unset user.name
|
||||
%autosetup -S git_am -b 0 -T
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
%configure
|
||||
make %{?_smp_mflags}
|
||||
%{make_build}
|
||||
|
||||
%install
|
||||
rm -rf %{buildroot}
|
||||
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||
%{make_install}
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc README
|
||||
%{_bindir}/mokutil
|
||||
@ -50,6 +47,23 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||
%{_datadir}/bash-completion/completions/mokutil
|
||||
|
||||
%changelog
|
||||
* Thu Oct 27 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.6.0-4
|
||||
- Sync with Fedora at same NVR
|
||||
- Resolves: #2084621
|
||||
|
||||
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 2:0.5.0-3
|
||||
- Add support for "mokutil --list-sbat-revocations" and
|
||||
"mokutil --set-sbat-policy"
|
||||
Related: CVE-2022-28737
|
||||
|
||||
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-2
|
||||
- Add git to buildrequires
|
||||
- Resolves: #2081474
|
||||
|
||||
* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-1
|
||||
- New upstream version (0.5.0)
|
||||
- Resolves: #2081474
|
||||
|
||||
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
|
||||
- Add ability to change fallback verbose mode
|
||||
- Resolves: #2069296
|
||||
|
Loading…
Reference in New Issue
Block a user