Auto sync2gitlab import of mokutil-0.3.0-12.el8.src.rpm

2023-01-15 11:11:00 +00:00 · 2023-01-15 11:11:00 +00:00 · df792783cc
commit df792783cc
parent c3e0b2f162
18 changed files with 1074 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+/0.3.0.tar.gz
--- a/0001-Fix-the-potential-buffer-overflow.patch
+++ b/0001-Fix-the-potential-buffer-overflow.patch
@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 4 Nov 2014 15:50:03 +0800
+Subject: [PATCH] Fix the potential buffer overflow
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 5b34f22..93fb6fa 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	MokToggleVar tvar;
+ 	char *password = NULL;
+ 	unsigned int pw_len;
+-	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+	efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
+ 	int ret = -1;
+ 
+ 	printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
+@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	efichar_from_char (efichar_pass, password,
+ 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	memcpy(tvar.password, efichar_pass,
+-	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
+	memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
+ 
+ 	tvar.mok_toggle_state = state;
+ 
--- a/0002-Fix-the-32bit-signedness-comparison.patch
+++ b/0002-Fix-the-32bit-signedness-comparison.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 24 Nov 2014 11:38:54 +0800
+Subject: [PATCH] Fix the 32bit signedness comparison
+
+---
+ src/mokutil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 93fb6fa..a7e83f7 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
+ 
+ 		/* Mok */
+ 		read_size = read (fd, ptr, sizes[i]);
+-		if (read_size < 0 || read_size != sizes[i]) {
+		if (read_size < 0 || read_size != (int64_t)sizes[i]) {
+ 			fprintf (stderr, "Failed to read %s\n", files[i]);
+ 			goto error;
+ 		}
+@@ -1645,7 +1645,7 @@ export_moks ()
+ 			goto error;
+ 		}
+ 
+-		while (offset < list[i].mok_size) {
+		while (offset < (int64_t)list[i].mok_size) {
+ 			write_size = write (fd, list[i].mok + offset,
+ 						list[i].mok_size - offset);
+ 			if (write_size < 0) {
--- a/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+++ b/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 19 Jun 2015 16:53:36 -0400
+Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
+
+This source tree uses:
+
+typedef wchar_t efi_char16_t;
+
+to define UEFI's UCS-2 character type.  On many platforms, wchar_t is
+32-bits by default.  As a result, efichar_from_char winds up writing
+4-byte characters instead of 2-byte characters.  In the case where we
+hash the password in mokutil, this works fine, because the same datatype
+is used, and the values are the same.  But for our feature toggles,
+where we store the raw data and shim is interpretting the character
+array, every other character winds up being L'\0', and verification
+fails.
+
+So always build with -fshort-wchar to ensure we get 2-byte character
+storage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fe28fb9..69d412a 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -37,7 +37,7 @@ else
+ 	default_strict=no
+ fi
+ 
+-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
+ 
+ AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
+ 		enable_strict=$default_strict)
--- a/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+++ b/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 16 Jun 2015 17:06:30 -0400
+Subject: [PATCH] Don't allow sha1 on the mokutil command line.
+
+Related: rhbz#1115843
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index a7e83f7..1fb34f9 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
+ 	}
+ 
+ 	switch (len) {
+#if 0
+ 	case SHA_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha1;
+ 		hash_size = SHA_DIGEST_LENGTH;
+ 		break;
+#endif
+ 	case SHA224_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha224;
+ 		hash_size = SHA224_DIGEST_LENGTH;
--- a/0005-Make-all-efi_guid_t-const.patch
+++ b/0005-Make-all-efi_guid_t-const.patch
@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Jan 2016 16:05:21 +0800
+Subject: [PATCH] Make all efi_guid_t const
+
+All UEFI GUIDs defined in efivar are const. Declare all of them const
+to make gcc happy.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/mokutil.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 1fb34f9..d2c52b4 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
+ }
+ 
+ static uint32_t
+-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
+ {
+ 	if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
+ 		return SHA_DIGEST_LENGTH;
+@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
+ }
+ 
+ static uint32_t
+-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
+ {
+ 	uint32_t hash_size;
+ 
+@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
+ 
+ /* match the hash in the hash array and return the index if matched */
+ static int
+-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
+ 		  const void *hash_array, const uint32_t array_size)
+ {
+ 	uint32_t hash_size, hash_count;
+@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
+ }
+ 
+ static int
+-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
+-		       efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+		       const efi_guid_t *type, void *data, uint32_t data_size)
+ {
+ 	uint8_t *var_data = NULL;
+ 	size_t var_data_size = 0;
+@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+	      const efi_guid_t *vendor, const char *db_name)
+ {
+ 	uint8_t *var_data;
+ 	size_t var_data_size;
+@@ -1059,7 +1059,7 @@ done:
+ }
+ 
+ static int
+-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
+ {
+ 	switch (req) {
+@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+ }
+ 
+ static int
+-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
+ 		    MokRequest req)
+ {
+ 	uint8_t *authvar_data;
--- a/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+++ b/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:19:43 -0400
+Subject: [PATCH] mokutil: be explicit about file modes in all cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d2c52b4..d554f6c 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ 		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ 		     | EFI_VARIABLE_RUNTIME_ACCESS;
+ 	ret = efi_set_variable (*var_guid, var_name,
+-				var_data, total, attributes);
+				var_data, total, attributes,
+				S_IRUSR | S_IWUSR);
+ 	if (ret < 0) {
+ 		fprintf (stderr, "Failed to write variable \"%s\": %m\n",
+ 			 var_name);
+@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
+ 		data_size = list_len;
+ 
+ 		if (efi_set_variable (efi_guid_shim, req_name,
+-				      data, data_size, attributes) < 0) {
+				      data, data_size, attributes,
+				      S_IRUSR | S_IWUSR) < 0) {
+ 			switch (req) {
+ 			case ENROLL_MOK:
+ 				fprintf (stderr, "Failed to enroll new keys\n");
--- a/0007-Add-bash-completion-file.patch
+++ b/0007-Add-bash-completion-file.patch
@ -0,0 +1,95 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:20:14 -0400
+Subject: [PATCH] Add bash completion file.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 17 +++++++++++++++++
+ Makefile.am  |  5 +++++
+ data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 data/mokutil
+
+diff --git a/configure.ac b/configure.ac
+index 69d412a..7b52a06 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
+ PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
+ PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+ 
+AC_ARG_WITH([bash-completion-dir],
+    AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
+        [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
+    [],
+    [with_bash_completion_dir=yes])
+
+if test "x$with_bash_completion_dir" = "xyes"; then
+    PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+        [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
+        [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
+else
+    BASH_COMPLETION_DIR="$with_bash_completion_dir"
+fi
+
+AC_SUBST([BASH_COMPLETION_DIR])
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
+
+ AC_CONFIG_FILES([Makefile
+                  src/Makefile
+ 		 man/Makefile])
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d419..c17cc4a 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
+
+if ENABLE_BASH_COMPLETION
+  bashcompletiondir = $(BASH_COMPLETION_DIR)
+  dist_bashcompletion_DATA = data/mokutil
+endif
+diff --git a/data/mokutil b/data/mokutil
+new file mode 100755
+index 0000000..800b039
+--- /dev/null
+++ b/data/mokutil
+@@ -0,0 +1,37 @@
+#!/bin/bash
+
+_mokutil()
+{
+	local cur=${COMP_WORDS[COMP_CWORD]}
+
+	if [[ "$cur" == -* ]]; then
+		#COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
+		COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
+		[[ $COMPREPLY == *= ]] && compopt -o nospace
+		return 0
+	fi
+
+	case "${COMP_WORDS[COMP_CWORD-1]}" in
+	--import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
+		_filedir
+		return 0
+		;;
+	--import-hash|--delete-hash)
+		COMPREPLY=( $( compgen -W "" ) )
+		return 0
+		;;
+	--set-verbosity)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+	--generate-hash|-g)
+		COMPREPLY=( $( compgen -o nospace -P= -W "") )
+		return 0
+		;;
+	*)
+		return 0
+		;;
+	esac
+}
+
+complete -F _mokutil mokutil
--- a/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+++ b/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 20 Jun 2016 11:18:17 -0500
+Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
+ support
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d554f6c..27f1292 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
+ 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
+ 				       &data, &data_size, &attributes);
+ 		if (rc < 0) {
+-			fprintf(stderr, "This system does't support Secure Boot\n");
+			fprintf(stderr, "This system doesn't support Secure Boot\n");
+ 			ret = -1;
+ 			goto out;
+ 		}
--- a/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+++ b/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 3 Apr 2017 16:33:38 -0400
+Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 27f1292..0be9e84 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ 
+ 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ 	if (ret < 0) {
+-		if (ret == ENOENT) {
+		if (errno == ENOENT) {
+ 			printf ("%s is empty\n", var_name);
+ 			return 0;
+ 		}
--- a/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+++ b/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
+ strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 0be9e84..b508010 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ {
+ 	pw_crypt_t new_crypt;
+ 	char settings[SETTINGS_LEN];
+	char *next;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int hash_len, prefix_len;
+	int hash_len, settings_len = sizeof (settings) - 2;
+ 
+ 	if (!password || !pw_crypt || password[pw_len] != '\0')
+ 		return -1;
+@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ 	prefix = get_crypt_prefix (pw_crypt->method);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+ 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+ 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+ 
+-	strncpy (settings, prefix, prefix_len);
+-	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+-		 pw_crypt->salt_size);
+-	settings[pw_crypt->salt_size + prefix_len] = '\0';
+	memset (settings, 0, sizeof (settings));
+	next = stpncpy (settings, prefix, settings_len);
+	if (pw_crypt->salt_size > settings_len - (next - settings)) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+	next = stpncpy (next, (const char *)pw_crypt->salt,
+			pw_crypt->salt_size);
+	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	if (!crypt_string)
+@@ -1929,10 +1934,11 @@ static int
+ generate_pw_hash (const char *input_pw)
+ {
+ 	char settings[SETTINGS_LEN];
+        char *next;
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int prefix_len;
+	int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
+ 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+-	strncpy (settings, prefix, prefix_len);
+	memset (settings, 0, sizeof (settings));
+	next = stpncpy (settings, prefix, settings_len);
+ 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+-	generate_salt ((settings + prefix_len), salt_size);
+-	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+	if (salt_size > settings_len - (next - settings)) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+	generate_salt (next, salt_size);
+	next += salt_size;
+	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	free (password);
--- a/0011-Fix-a-integer-comparison-sign-issue.patch
+++ b/0011-Fix-a-integer-comparison-sign-issue.patch
@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 25 Jul 2018 10:27:34 -0400
+Subject: [PATCH] Fix a integer comparison sign issue.
+
+I introduced this, and it's stupid:
+
+mokutil.c: In function 'generate_pw_hash':
+mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
+  if (salt_size > settings_len - (next - settings)) {
+                ^
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index b508010..ac15c73 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int settings_len = sizeof (settings) - 2;
+	unsigned int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
--- a/0012-initial-mok-variables-code.patch
+++ b/0012-initial-mok-variables-code.patch
@ -0,0 +1,240 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 17 Aug 2020 14:18:31 -0400
+Subject: [PATCH] initial mok-variables code
+
+This patch adds support for getting mok variables from
+/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as
+for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
+variables.
+
+Resolves: rhbz#1868820
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 151 insertions(+), 24 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index ac15c73..838599c 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
+ 	return 0;
+ }
+ 
+static int
+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+{
+	char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name";
+	size_t filename_sz = sizeof(filename);
+	int fd, rc;
+	struct stat sb = { 0, };
+	uint8_t *buf;
+	size_t bufsz, pos = 0;
+	ssize_t ssz;
+
+	*datap = 0;
+	*data_sizep = 0;
+
+	snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name);
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return fd;
+
+	rc = fstat(fd, &sb);
+	if (rc < 0) {
+err_close:
+		close(fd);
+		return rc;
+	}
+
+	if (sb.st_size == 0) {
+		errno = ENOENT;
+		rc = -1;
+		goto err_close;
+	}
+
+	bufsz = sb.st_size;
+	buf = calloc(1, bufsz);
+	if (!buf)
+		goto err_close;
+
+	while (pos < bufsz) {
+		ssz = read(fd, &buf[pos], bufsz - pos);
+		if (ssz < 0) {
+			if (errno == EAGAIN ||
+			    errno == EWOULDBLOCK ||
+			    errno == EINTR)
+				continue;
+			free(buf);
+			goto err_close;
+		}
+
+		pos += ssz;
+	}
+	*datap = buf;
+	*data_sizep = pos;
+
+	return 0;
+}
+
+ static MokListNode*
+ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+ {
+@@ -596,25 +653,44 @@ static int
+ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ {
+ 	uint8_t *data = NULL;
+-	size_t data_size;
+	char varname[] = "implausibly-long-mok-variable-name";
+	size_t data_sz, i, varname_sz = sizeof(varname);
+ 	uint32_t attributes;
+ 	int ret;
+ 
+-	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+-	if (ret < 0) {
+-		if (errno == ENOENT) {
+-			printf ("%s is empty\n", var_name);
+-			return 0;
+	ret = mok_get_variable(var_name, &data, &data_sz);
+	if (ret >= 0) {
+		ret = list_keys (data, data_sz);
+		free(data);
+		return ret;
+	}
+
+	for (i = 0; i < SIZE_MAX; i++) {
+		if (i == 0) {
+			snprintf(varname, varname_sz, "%s", var_name);
+		} else {
+			snprintf(varname, varname_sz, "%s%zu", var_name, i);
+ 		}
+ 
+-		fprintf (stderr, "Failed to read %s: %m\n", var_name);
+-		return -1;
+		ret = efi_get_variable (guid, varname, &data, &data_sz,
+					&attributes);
+		if (ret < 0)
+			return 0;
+
+		ret = list_keys (data, data_sz);
+		free(data);
+		/*
+		 * If ret is < 0, the next one will error as well.
+		 * If ret is 0, we need to test the next variable.
+		 * If it's 1, that's a real answer.
+		 */
+		if (ret < 0)
+			return 0;
+		if (ret > 0)
+			return ret;
+ 	}
+ 
+-	ret = list_keys (data, data_size);
+-	free (data);
+-
+-	return ret;
+	return 0;
+ }
+ 
+ static int
+@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      const efi_guid_t *vendor, const char *db_name)
+is_one_duplicate (const efi_guid_t *type,
+		  const void *data, const uint32_t data_size,
+		  uint8_t *var_data, size_t var_data_size)
+ {
+-	uint8_t *var_data;
+-	size_t var_data_size;
+-	uint32_t attributes;
+ 	uint32_t node_num;
+ 	MokListNode *list;
+ 	int ret = 0;
+ 
+-	if (!data || data_size == 0 || !db_name)
+-		return 0;
+-
+-	ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size,
+-				&attributes);
+-	if (ret < 0)
+	if (!data || data_size == 0)
+ 		return 0;
+ 
+ 	list = build_mok_list (var_data, var_data_size, &node_num);
+@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
+ done:
+ 	if (list)
+ 		free (list);
+-	free (var_data);
+ 
+ 	return ret;
+ }
+ 
+static int
+is_duplicate (const efi_guid_t *type,
+	      const void *data, const uint32_t data_size,
+	      const efi_guid_t *vendor, const char *db_name)
+{
+	uint32_t attributes;
+	char varname[] = "implausibly-long-mok-variable-name";
+	size_t varname_sz = sizeof(varname);
+	int ret = 0;
+	size_t i;
+
+	if (!strncmp(db_name, "Mok", 3)) {
+		uint8_t *var_data = NULL;
+		size_t var_data_size = 0;
+		ret = mok_get_variable(db_name, &var_data, &var_data_size);
+		if (ret >= 0) {
+			ret = is_one_duplicate(type, data, data_size,
+					       var_data, var_data_size);
+			if (ret >= 0) {
+				free (var_data);
+				return ret;
+			}
+			var_data = NULL;
+			var_data_size = 0;
+		}
+	}
+
+	for (i = 0; i < SIZE_MAX; i++) {
+		uint8_t *var_data = NULL;
+		size_t var_data_size = 0;
+		if (i == 0) {
+			snprintf(varname, varname_sz, "%s", db_name);
+		} else {
+			snprintf(varname, varname_sz, "%s%zu", db_name, i);
+		}
+
+		ret = efi_get_variable (*vendor, varname,
+					&var_data, &var_data_size,
+					&attributes);
+		if (ret < 0)
+			return 0;
+
+		ret = is_one_duplicate(type, data, data_size,
+				       var_data, var_data_size);
+		free (var_data);
+		/*
+		 * If ret is < 0, the next one will error as well.
+		 * If ret is 0, we need to test the next variable.
+		 * If it's 1, that's a real answer.
+		 */
+		if (ret < 0)
+			return 0;
+		if (ret > 0)
+			return ret;
+	}
+
+	return 0;
+}
+
+ static int
+ is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
--- a/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
+++ b/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
@ -0,0 +1,193 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Fri, 3 Dec 2021 14:18:31 +0100
+Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
+fallback debugging.
+
+Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
+(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
+(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
+[rharwood: no sb_check, no util renaming]
+(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f)
+[rharwood: flags are sparse now]
+---
+ src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ data/mokutil  |  8 +++++++
+ man/mokutil.1 | 10 +++++++++
+ 3 files changed, 88 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 838599c..1cec4e9 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -83,6 +83,8 @@
+ #define IMPORT_HASH        (1 << 21)
+ #define DELETE_HASH        (1 << 22)
+ #define VERBOSITY          (1 << 23)
+#define FB_VERBOSITY       (1 << 25)
+#define FB_NOREBOOT        (1 << 26)
+ 
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
+@@ -152,6 +154,8 @@ print_help ()
+ 	printf ("  --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
+ 	printf ("  --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
+ 	printf ("  --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+	printf ("  --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+	printf ("  --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
+ 	printf ("  --pk\t\t\t\t\tList the keys in PK\n");
+ 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
+ 	printf ("  --db\t\t\t\t\tList the keys in db\n");
+@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity)
+ 	return 0;
+ }
+ 
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+	if (verbosity) {
+		uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+				      | EFI_VARIABLE_BOOTSERVICE_ACCESS
+				      | EFI_VARIABLE_RUNTIME_ACCESS;
+		if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+				      (uint8_t *)&verbosity, sizeof (verbosity),
+				      attributes, S_IRUSR | S_IWUSR) < 0) {
+			fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+			return -1;
+		}
+	} else {
+		return test_and_delete_var ("FALLBACK_VERBOSE");
+	}
+
+	return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+	if (noreboot) {
+		uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+				      | EFI_VARIABLE_BOOTSERVICE_ACCESS
+				      | EFI_VARIABLE_RUNTIME_ACCESS;
+		if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+				      (uint8_t *)&noreboot, sizeof (noreboot),
+				      attributes, S_IRUSR | S_IWUSR) < 0) {
+			fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+			return -1;
+		}
+	} else {
+		return test_and_delete_var ("FB_NO_REBOOT");
+	}
+
+	return 0;
+}
+
+ static inline int
+ list_db (DBName db_name)
+ {
+@@ -2169,6 +2213,8 @@ main (int argc, char *argv[])
+ 	unsigned int command = 0;
+ 	int use_root_pw = 0;
+ 	uint8_t verbosity = 0;
+	uint8_t fb_verbosity = 0;
+	uint8_t fb_noreboot = 0;
+ 	DBName db_name = MOK_LIST_RT;
+ 	int ret = -1;
+ 
+@@ -2207,6 +2253,8 @@ main (int argc, char *argv[])
+ 			{"import-hash",        required_argument, 0, 0  },
+ 			{"delete-hash",        required_argument, 0, 0  },
+ 			{"set-verbosity",      required_argument, 0, 0  },
+			{"set-fallback-verbosity", required_argument, 0, 0  },
+			{"set-fallback-noreboot", required_argument, 0, 0  },
+ 			{"pk",                 no_argument,       0, 0  },
+ 			{"kek",                no_argument,       0, 0  },
+ 			{"db",                 no_argument,       0, 0  },
+@@ -2270,6 +2318,22 @@ main (int argc, char *argv[])
+ 					verbosity = 0;
+ 				else
+ 					command |= HELP;
+			} else if (strcmp (option, "set-fallback-verbosity") == 0) {
+				command |= FB_VERBOSITY;
+				if (strcmp (optarg, "true") == 0)
+					fb_verbosity = 1;
+				else if (strcmp (optarg, "false") == 0)
+					fb_verbosity = 0;
+				else
+					command |= HELP;
+			} else if (strcmp (option, "set-fallback-noreboot") == 0) {
+				command |= FB_NOREBOOT;
+				if (strcmp (optarg, "true") == 0)
+					fb_noreboot = 1;
+				else if (strcmp (optarg, "false") == 0)
+					fb_noreboot = 0;
+				else
+					command |= HELP;
+ 			} else if (strcmp (option, "pk") == 0) {
+ 				if (db_name != MOK_LIST_RT) {
+ 					command |= HELP;
+@@ -2557,6 +2621,12 @@ main (int argc, char *argv[])
+ 		case VERBOSITY:
+ 			ret = set_verbosity (verbosity);
+ 			break;
+		case FB_VERBOSITY:
+			ret = set_fallback_verbosity (fb_verbosity);
+			break;
+		case FB_NOREBOOT:
+			ret = set_fallback_noreboot (fb_noreboot);
+			break;
+ 		default:
+ 			print_help ();
+ 			break;
+diff --git a/data/mokutil b/data/mokutil
+index 800b039..af6b6ff 100755
+--- a/data/mokutil
+++ b/data/mokutil
+@@ -24,6 +24,14 @@ _mokutil()
+ 		COMPREPLY=( $( compgen -W "true false") )
+ 		return 0
+ 		;;
+	--set-fallback-verbosity)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+	--set-fallback-noreboot)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+ 	--generate-hash|-g)
+ 		COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ 		return 0
+diff --git a/man/mokutil.1 b/man/mokutil.1
+index 25fe8b4..30dcfb2 100644
+--- a/man/mokutil.1
+++ b/man/mokutil.1
+@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys
+ .br
+ \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
+ .br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
+ \fBmokutil\fR [--pk]
+ .br
+ \fBmokutil\fR [--kek]
+@@ -161,6 +165,12 @@ this is not the password hash.
+ \fB--set-verbosity\fR
+ Set the SHIM_VERBOSE to make shim more or less verbose
+ .TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
+ \fB--pk\fR
+ List the keys in the public Platform Key (PK)
+ .TP
--- a/1
+++ b/1
@ -1 +0,0 @@
- 
--- a/mokutil.patches
+++ b/mokutil.patches
@ -0,0 +1,13 @@
+Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
+Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
+Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+Patch0005: 0005-Make-all-efi_guid_t-const.patch
+Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+Patch0007: 0007-Add-bash-completion-file.patch
+Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
+Patch0012: 0012-initial-mok-variables-code.patch
+Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
--- a/mokutil.spec
+++ b/mokutil.spec
@ -0,0 +1,106 @@
+Name:           mokutil
+Version:        0.3.0
+Release:        12%{?dist}
+Epoch:          1
+Summary:        Tool to manage UEFI Secure Boot MoK Keys
+License:        GPLv3+
+URL:            https://github.com/lcp/mokutil
+ExclusiveArch:  %{ix86} x86_64 aarch64
+BuildRequires:  autoconf automake gnu-efi git openssl-devel openssl
+BuildRequires:  efivar-devel >= 31-1
+Source0:        https://github.com/lcp/mokutil/archive/%{version}.tar.gz
+Source1:        mokutil.patches
+Conflicts:      shim < 0.8-1%{?dist}
+Obsoletes:      mokutil <= 1:0.3.0-1
+
+%include %{SOURCE1}
+
+%description
+mokutil provides a tool to manage keys for Secure Boot through the MoK
+("Machine's Own Keys") mechanism.
+
+%prep
+%setup -q -n %{name}-%{version}
+git init
+git config user.email "%{name}-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+
+%build
+./autogen.sh
+%configure
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README
+%{_bindir}/mokutil
+%{_mandir}/man1/*
+%{_datadir}/bash-completion/completions/mokutil
+
+%changelog
+* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 1:0.3.0-12
+- Add ability to set fallback verbose mode
+- Resolves: #2030704
+
+* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
+- Bump NVR for brew to build the package
+  Related: rhbz##1907418
+
+* Wed Dec 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-10
+- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/
+  as well as attempting to consume numbered mok variables from efivarfs
+  when mok-variables aren't present (pjones)
+  Resolves: rhbz#1907418
+
+* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
+- Minor obsoletes fix
+- Import some fixes from upstream
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
+- Rebuilt for switch to libxcrypt
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.3.0-5
+- Rebuild for efivar-31-1.fc26
+  Related: rhbz#1468841
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.3.0-3
+- Rebuild for newer efivar again.
+
+* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.3.0-2
+- Update for newer efivar.
+
+* Tue Jun 14 2016 Peter Jones <pjones@redhat.com> - 0.3.0-1
+- Update to 0.3.0 release.
+  Resolves: rhbz#1334628
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1:0.2.0-2
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Mon Oct 06 2014 Peter Jones <pjones@redhat.com> - 0.2.0-1
+- First independent package.
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (0.3.0.tar.gz) = abe6f5548e28596af52b629c432aae1606a8377f616fbd500e17cc14ca5e1cd1cfcbcafcf976cd9bf25bb2007a1d188d9905b81afa36b6724c44e90da5a7da85
				`@ -0,0 +1 @@`
				`SHA512 (0.3.0.tar.gz) = abe6f5548e28596af52b629c432aae1606a8377f616fbd500e17cc14ca5e1cd1cfcbcafcf976cd9bf25bb2007a1d188d9905b81afa36b6724c44e90da5a7da85`