Browse Source

import mokutil-0.3.0-11.el8_6.1

c8 imports/c8/mokutil-0.3.0-11.el8_6.1
CentOS Sources 6 months ago
committed by Stepan Oksanichenko
parent
commit
e7268a5eb1
  1. 9
      SOURCES/0001-Fix-the-potential-buffer-overflow.patch
  2. 9
      SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
  3. 10
      SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
  4. 9
      SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
  5. 9
      SOURCES/0005-Make-all-efi_guid_t-const.patch
  6. 9
      SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
  7. 13
      SOURCES/0007-Add-bash-completion-file.patch
  8. 11
      SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
  9. 10
      SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
  10. 11
      SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
  11. 7
      SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
  12. 11
      SOURCES/0012-initial-mok-variables-code.patch
  13. 211
      SOURCES/0013-SBAT-revocation-update-support.patch
  14. 13
      SOURCES/mokutil.patches
  15. 20
      SPECS/mokutil.spec

9
SOURCES/0001-Fix-the-potential-buffer-overflow.patch

@ -1,7 +1,7 @@
From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 15:50:03 +0800
Subject: [PATCH 01/10] Fix the potential buffer overflow
Subject: [PATCH] Fix the potential buffer overflow
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
@ -9,7 +9,7 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22fd98..93fb6fabcab 100644
index 5b34f22..93fb6fa 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
@ -31,6 +31,3 @@ index 5b34f22fd98..93fb6fabcab 100644
tvar.mok_toggle_state = state;
--
2.17.1

9
SOURCES/0002-Fix-the-32bit-signedness-comparison.patch

@ -1,14 +1,14 @@
From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Nov 2014 11:38:54 +0800
Subject: [PATCH 02/10] Fix the 32bit signedness comparison
Subject: [PATCH] Fix the 32bit signedness comparison
---
src/mokutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 93fb6fabcab..a7e83f71f0b 100644
index 93fb6fa..a7e83f7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
@ -29,6 +29,3 @@ index 93fb6fabcab..a7e83f71f0b 100644
write_size = write (fd, list[i].mok + offset,
list[i].mok_size - offset);
if (write_size < 0) {
--
2.17.1

10
SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch

@ -1,8 +1,7 @@
From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Jun 2015 16:53:36 -0400
Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
right.
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
This source tree uses:
@ -26,7 +25,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fe28fb92241..69d412ac633 100644
index fe28fb9..69d412a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ else
@ -38,6 +37,3 @@ index fe28fb92241..69d412ac633 100644
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
enable_strict=$default_strict)
--
2.17.1

9
SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch

@ -1,7 +1,7 @@
From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 16 Jun 2015 17:06:30 -0400
Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
Subject: [PATCH] Don't allow sha1 on the mokutil command line.
Related: rhbz#1115843
@ -11,7 +11,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 2 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a7e83f71f0b..1fb34f9d3aa 100644
index a7e83f7..1fb34f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
@ -27,6 +27,3 @@ index a7e83f71f0b..1fb34f9d3aa 100644
case SHA224_DIGEST_LENGTH*2:
*type = efi_guid_sha224;
hash_size = SHA224_DIGEST_LENGTH;
--
2.17.1

9
SOURCES/0005-Make-all-efi_guid_t-const.patch

@ -1,7 +1,7 @@
From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jan 2016 16:05:21 +0800
Subject: [PATCH 05/10] Make all efi_guid_t const
Subject: [PATCH] Make all efi_guid_t const
All UEFI GUIDs defined in efivar are const. Declare all of them const
to make gcc happy.
@ -12,7 +12,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1fb34f9d3aa..d2c52b4caaf 100644
index 1fb34f9..d2c52b4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
@ -82,6 +82,3 @@ index 1fb34f9d3aa..d2c52b4caaf 100644
MokRequest req)
{
uint8_t *authvar_data;
--
2.17.1

9
SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch

@ -1,7 +1,7 @@
From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:19:43 -0400
Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
@ -9,7 +9,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d2c52b4caaf..d554f6cca21 100644
index d2c52b4..d554f6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
@ -32,6 +32,3 @@ index d2c52b4caaf..d554f6cca21 100644
switch (req) {
case ENROLL_MOK:
fprintf (stderr, "Failed to enroll new keys\n");
--
2.17.1

13
SOURCES/0007-Add-bash-completion-file.patch

@ -1,7 +1,7 @@
From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:20:14 -0400
Subject: [PATCH 07/10] Add bash completion file.
Subject: [PATCH] Add bash completion file.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
@ -12,7 +12,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
create mode 100755 data/mokutil
diff --git a/configure.ac b/configure.ac
index 69d412ac633..7b52a063df0 100644
index 69d412a..7b52a06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
@ -40,7 +40,7 @@ index 69d412ac633..7b52a063df0 100644
src/Makefile
man/Makefile])
diff --git a/Makefile.am b/Makefile.am
index 9f0d4192515..c17cc4a86d8 100644
index 9f0d419..c17cc4a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1 +1,6 @@
@ -52,7 +52,7 @@ index 9f0d4192515..c17cc4a86d8 100644
+endif
diff --git a/data/mokutil b/data/mokutil
new file mode 100755
index 00000000000..800b039e7f4
index 0000000..800b039
--- /dev/null
+++ b/data/mokutil
@@ -0,0 +1,37 @@
@ -93,6 +93,3 @@ index 00000000000..800b039e7f4
+}
+
+complete -F _mokutil mokutil
--
2.17.1

11
SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch

@ -1,8 +1,8 @@
From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Mon, 20 Jun 2016 11:18:17 -0500
Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
Boot support
Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
support
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
@ -10,7 +10,7 @@ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d554f6cca21..27f1292f3a9 100644
index d554f6c..27f1292 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
@ -22,6 +22,3 @@ index d554f6cca21..27f1292f3a9 100644
ret = -1;
goto out;
}
--
2.17.1

10
SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch

@ -1,8 +1,7 @@
From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 3 Apr 2017 16:33:38 -0400
Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
twice.
Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
@ -10,7 +9,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 27f1292f3a9..0be9e8491fd 100644
index 27f1292..0be9e84 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
@ -22,6 +21,3 @@ index 27f1292f3a9..0be9e8491fd 100644
printf ("%s is empty\n", var_name);
return 0;
}
--
2.17.1

11
SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch

@ -1,8 +1,8 @@
From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 15 May 2018 11:20:15 -0400
Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
strlen() for strncpy bounds
Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
New gcc rightly comlplains when we do the following:
@ -21,7 +21,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0be9e8491fd..b5080107600 100644
index 0be9e84..b508010 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
@ -96,6 +96,3 @@ index 0be9e8491fd..b5080107600 100644
crypt_string = crypt (password, settings);
free (password);
--
2.17.1

7
SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch

@ -1,4 +1,4 @@
From 9292352eb29a4fca41909448799efc524ee3c255 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 25 Jul 2018 10:27:34 -0400
Subject: [PATCH] Fix a integer comparison sign issue.
@ -16,7 +16,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d03127abf54..068df0d109c 100644
index b508010..ac15c73 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
@ -28,6 +28,3 @@ index d03127abf54..068df0d109c 100644
unsigned int pw_len, salt_size;
if (input_pw) {
--
2.17.1

11
SOURCES/0012-initial-mok-variables-code.patch

@ -1,4 +1,4 @@
From 678895d781125544df91432861fadcae8d1c7a80 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 17 Aug 2020 14:18:31 -0400
Subject: [PATCH] initial mok-variables code
@ -12,11 +12,11 @@ Resolves: rhbz#1868820
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 177 +++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 153 insertions(+), 24 deletions(-)
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b5080107600..d2fcdc9da0e 100644
index ac15c73..838599c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
@ -238,6 +238,3 @@ index b5080107600..d2fcdc9da0e 100644
static int
is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
--
2.26.2

211
SOURCES/0013-SBAT-revocation-update-support.patch

@ -0,0 +1,211 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Thu, 21 Apr 2022 17:28:07 -0700
Subject: [PATCH] SBAT revocation update support
Control how shim will apply SBAT revocations:
mokutil --set-sbat-policy latest
applies the latest SBAT revocations
(default behavior)
mokutil --set-sbat-policy previous
applies previous SBAT revocations to
allow falling back to an older release
In both of the above cases shim will only apply SBAT revocations that
are newer than the ones currently installed.
mokutil --set-sbat-policy delete
resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
(cherry picked from commit 2122b5e4323137509bc38615e269cc352c971815)
[rharwood: renumber, options not added yet]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/mokutil.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man/mokutil.1 | 14 ++++++++++++
2 files changed, 86 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 838599c..0327275 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,8 @@
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define LIST_SBAT (1 << 27)
+#define SET_SBAT (1 << 28)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -152,10 +154,12 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
+ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2115,6 +2119,31 @@ generate_pw_hash (const char *input_pw)
return 0;
}
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
static int
set_verbosity (uint8_t verbosity)
{
@@ -2156,6 +2185,26 @@ list_db (DBName db_name)
return -1;
}
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("SbatPolicy");
+ }
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -2169,6 +2218,7 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t sbat_policy = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2207,10 +2257,12 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2270,6 +2322,16 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2298,6 +2360,10 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
db_name = DBX;
}
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
}
break;
@@ -2557,6 +2623,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case LIST_SBAT:
+ ret = print_var_content ("SbatLevelRT", efi_guid_shim);
+ break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..f5a0ea3 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,9 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +176,14 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--list-sbat-revocations\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP

13
SOURCES/mokutil.patches

@ -0,0 +1,13 @@
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
Patch0012: 0012-initial-mok-variables-code.patch
Patch0013: 0013-SBAT-revocation-update-support.patch

20
SPECS/mokutil.spec

@ -1,6 +1,6 @@
Name: mokutil
Version: 0.3.0
Release: 11%{?dist}
Release: 11%{?dist}.1
Epoch: 1
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
@ -9,21 +9,11 @@ ExclusiveArch: %{ix86} x86_64 aarch64
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
BuildRequires: efivar-devel >= 31-1
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Source1: mokutil.patches
Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil <= 1:0.3.0-1
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
Patch0012: 0012-initial-mok-variables-code.patch
%include %{SOURCE1}
%description
mokutil provides a tool to manage keys for Secure Boot through the MoK
@ -58,6 +48,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Wed Jun 01 2022 Robbie Harwood <rharwood@redhat.com> - 0.3.0-11.el8_6.1
- Support listing sbat revocations and setting sbat policy
- Resolves: CVE-2022-28737
* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
- Bump NVR for brew to build the package
Related: rhbz##1907418

Loading…
Cancel
Save