import mokutil-0.4.0-9.el9

This commit is contained in:
CentOS Sources 2022-11-15 02:03:53 -05:00 committed by Stepan Oksanichenko
parent 31942e0e52
commit ef34049d75
10 changed files with 280 additions and 231 deletions


@ -13,7 +13,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
1 file changed, 7 insertions(+), 80 deletions(-) 1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index 252dc7a..563e585 100644 index b66c1b8..e811266 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -76,7 +76,6 @@ @@ -76,7 +76,6 @@
@ -24,7 +24,7 @@ index 252dc7a..563e585 100644
#define IGNORE_DB (1 << 18) #define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19) #define USE_DB (1 << 19)
#define MOKX (1 << 20) #define MOKX (1 << 20)
@@ -95,8 +94,6 @@ typedef unsigned long efi_status_t; @@ -94,8 +93,6 @@ typedef unsigned long efi_status_t;
typedef uint8_t efi_bool_t; typedef uint8_t efi_bool_t;
typedef wchar_t efi_char16_t; /* UNICODE character */ typedef wchar_t efi_char16_t; /* UNICODE character */
@ -33,7 +33,7 @@ index 252dc7a..563e585 100644
typedef enum { typedef enum {
DELETE_MOK = 0, DELETE_MOK = 0,
ENROLL_MOK, ENROLL_MOK,
@@ -182,7 +179,6 @@ print_help () @@ -180,7 +177,6 @@ print_help ()
printf ("Supplimentary Options:\n"); printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
printf (" --root-pw\t\t\t\tUse the root password\n"); printf (" --root-pw\t\t\t\tUse the root password\n");
@ -41,7 +41,7 @@ index 252dc7a..563e585 100644
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
} }
@@ -814,32 +810,6 @@ error: @@ -736,32 +732,6 @@ error:
return ret; return ret;
} }
@ -74,7 +74,7 @@ index 252dc7a..563e585 100644
static void static void
generate_salt (char salt[], unsigned int salt_size) generate_salt (char salt[], unsigned int salt_size)
{ {
@@ -979,7 +949,6 @@ update_request (void *new_list, int list_len, MokRequest req, @@ -901,7 +871,6 @@ update_request (void *new_list, int list_len, MokRequest req,
size_t data_size; size_t data_size;
const char *req_name, *auth_name; const char *req_name, *auth_name;
pw_crypt_t pw_crypt; pw_crypt_t pw_crypt;
@ -82,7 +82,7 @@ index 252dc7a..563e585 100644
char *password = NULL; char *password = NULL;
unsigned int pw_len; unsigned int pw_len;
int auth_ret; int auth_ret;
@@ -1028,12 +997,7 @@ update_request (void *new_list, int list_len, MokRequest req, @@ -950,12 +919,7 @@ update_request (void *new_list, int list_len, MokRequest req,
goto error; goto error;
} }
@ -96,7 +96,7 @@ index 252dc7a..563e585 100644
if (auth_ret < 0) { if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n"); fprintf (stderr, "Couldn't generate hash\n");
goto error; goto error;
@@ -1069,13 +1033,8 @@ update_request (void *new_list, int list_len, MokRequest req, @@ -991,13 +955,8 @@ update_request (void *new_list, int list_len, MokRequest req,
} }
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
@ -112,7 +112,7 @@ index 252dc7a..563e585 100644
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size, if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
attributes, S_IRUSR | S_IWUSR) < 0) { attributes, S_IRUSR | S_IWUSR) < 0) {
@@ -1904,26 +1863,16 @@ set_password (const char *hash_file, const int root_pw, const int clear) @@ -1750,26 +1709,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
goto error; goto error;
} }
@ -143,7 +143,7 @@ index 252dc7a..563e585 100644
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS; | EFI_VARIABLE_RUNTIME_ACCESS;
@@ -2301,8 +2250,6 @@ main (int argc, char *argv[]) @@ -2147,8 +2096,6 @@ main (int argc, char *argv[])
DBName db_name = MOK_LIST_RT; DBName db_name = MOK_LIST_RT;
int ret = -1; int ret = -1;
@ -152,7 +152,7 @@ index 252dc7a..563e585 100644
if (!efi_variables_supported ()) { if (!efi_variables_supported ()) {
fprintf (stderr, "EFI variables are not supported on this system\n"); fprintf (stderr, "EFI variables are not supported on this system\n");
exit (1); exit (1);
@@ -2329,7 +2276,6 @@ main (int argc, char *argv[]) @@ -2175,7 +2122,6 @@ main (int argc, char *argv[])
{"hash-file", required_argument, 0, 'f'}, {"hash-file", required_argument, 0, 'f'},
{"generate-hash", optional_argument, 0, 'g'}, {"generate-hash", optional_argument, 0, 'g'},
{"root-pw", no_argument, 0, 'P'}, {"root-pw", no_argument, 0, 'P'},
@ -160,7 +160,7 @@ index 252dc7a..563e585 100644
{"ignore-db", no_argument, 0, 0 }, {"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 }, {"use-db", no_argument, 0, 0 },
{"mok", no_argument, 0, 'm'}, {"mok", no_argument, 0, 'm'},
@@ -2531,10 +2477,6 @@ main (int argc, char *argv[]) @@ -2374,10 +2320,6 @@ main (int argc, char *argv[])
case 'x': case 'x':
command |= EXPORT; command |= EXPORT;
break; break;
@ -171,7 +171,7 @@ index 252dc7a..563e585 100644
case 'm': case 'm':
db_name = MOK_LIST_RT; db_name = MOK_LIST_RT;
break; break;
@@ -2555,9 +2497,6 @@ main (int argc, char *argv[]) @@ -2398,9 +2340,6 @@ main (int argc, char *argv[])
} }
} }
@ -181,7 +181,7 @@ index 252dc7a..563e585 100644
if (hash_file && use_root_pw) if (hash_file && use_root_pw)
command |= HELP; command |= HELP;
@@ -2593,22 +2532,18 @@ main (int argc, char *argv[]) @@ -2436,22 +2375,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokDel", efi_guid_shim); ret = list_keys_in_var ("MokDel", efi_guid_shim);
break; break;
case IMPORT: case IMPORT:
@ -204,7 +204,7 @@ index 252dc7a..563e585 100644
ret = issue_hash_request (hash_str, DELETE_MOK, ret = issue_hash_request (hash_str, DELETE_MOK,
hash_file, use_root_pw); hash_file, use_root_pw);
break; break;
@@ -2623,11 +2558,9 @@ main (int argc, char *argv[]) @@ -2466,11 +2401,9 @@ main (int argc, char *argv[])
ret = export_db_keys (db_name); ret = export_db_keys (db_name);
break; break;
case PASSWORD: case PASSWORD:
@ -216,7 +216,7 @@ index 252dc7a..563e585 100644
ret = set_password (NULL, 0, 1); ret = set_password (NULL, 0, 1);
break; break;
case DISABLE_VALIDATION: case DISABLE_VALIDATION:
@@ -2643,7 +2576,6 @@ main (int argc, char *argv[]) @@ -2486,7 +2419,6 @@ main (int argc, char *argv[])
ret = test_key (ENROLL_MOK, key_file); ret = test_key (ENROLL_MOK, key_file);
break; break;
case RESET: case RESET:
@ -224,7 +224,7 @@ index 252dc7a..563e585 100644
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw); ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
break; break;
case GENERATE_PW_HASH: case GENERATE_PW_HASH:
@@ -2662,22 +2594,18 @@ main (int argc, char *argv[]) @@ -2505,22 +2437,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokXDel", efi_guid_shim); ret = list_keys_in_var ("MokXDel", efi_guid_shim);
break; break;
case IMPORT | MOKX: case IMPORT | MOKX:
@ -247,7 +247,7 @@ index 252dc7a..563e585 100644
ret = issue_hash_request (hash_str, DELETE_BLACKLIST, ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
hash_file, use_root_pw); hash_file, use_root_pw);
break; break;
@@ -2688,7 +2616,6 @@ main (int argc, char *argv[]) @@ -2531,7 +2459,6 @@ main (int argc, char *argv[])
ret = revoke_request (DELETE_BLACKLIST); ret = revoke_request (DELETE_BLACKLIST);
break; break;
case RESET | MOKX: case RESET | MOKX:


@ -11,7 +11,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
1 file changed, 6 insertions(+), 13 deletions(-) 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1 diff --git a/man/mokutil.1 b/man/mokutil.1
index 4462987..1f82ff1 100644 index 25fe8b4..7cee5da 100644
--- a/man/mokutil.1 --- a/man/mokutil.1
+++ b/man/mokutil.1 +++ b/man/mokutil.1
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys @@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
@ -64,7 +64,7 @@ index 4462987..1f82ff1 100644
.br .br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br .br
@@ -138,11 +136,6 @@ Use the password hash from a specific file @@ -136,11 +134,6 @@ Use the password hash from a specific file
\fB-P, --root-pw\fR \fB-P, --root-pw\fR
Use the root password hash from /etc/shadow Use the root password hash from /etc/shadow
.TP .TP


@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 16:10:50 +0800
Subject: [PATCH] mokutil: adjust the command bits
Adjust the bits after removing SIMPLE_HASH.
Signed-off-by: Gary Lin <glin@suse.com>
(cherry picked from commit 25191c38156b90004b783d0265d967dbe8e76a38)
---
src/mokutil.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e811266..a9d97f4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,13 +76,13 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define IGNORE_DB (1 << 18)
-#define USE_DB (1 << 19)
-#define MOKX (1 << 20)
-#define IMPORT_HASH (1 << 21)
-#define DELETE_HASH (1 << 22)
-#define VERBOSITY (1 << 23)
-#define TIMEOUT (1 << 24)
+#define IGNORE_DB (1 << 17)
+#define USE_DB (1 << 18)
+#define MOKX (1 << 19)
+#define IMPORT_HASH (1 << 20)
+#define DELETE_HASH (1 << 21)
+#define VERBOSITY (1 << 22)
+#define TIMEOUT (1 << 23)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX


@ -21,18 +21,18 @@ Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2 files changed, 38 insertions(+) 2 files changed, 38 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8..0c25ae5 100644 index a9d97f4..dba77c9 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -84,6 +84,7 @@ @@ -83,6 +83,7 @@
#define DELETE_HASH (1 << 22) #define DELETE_HASH (1 << 21)
#define VERBOSITY (1 << 23) #define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 24) #define TIMEOUT (1 << 23)
+#define LIST_SBAT (1 << 25) +#define LIST_SBAT (1 << 24)
#define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -176,6 +177,7 @@ print_help () @@ -173,6 +174,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
@ -40,7 +40,7 @@ index b66c1b8..0c25ae5 100644
printf ("\n"); printf ("\n");
printf ("Supplimentary Options:\n"); printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1598,6 +1600,31 @@ error: @@ -1557,6 +1559,31 @@ error:
return ret; return ret;
} }
@ -72,7 +72,7 @@ index b66c1b8..0c25ae5 100644
static int static int
revoke_request (MokRequest req) revoke_request (MokRequest req)
{ {
@@ -2187,6 +2214,7 @@ main (int argc, char *argv[]) @@ -2133,6 +2160,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 }, {"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 }, {"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 },
@ -80,7 +80,7 @@ index b66c1b8..0c25ae5 100644
{"timeout", required_argument, 0, 0 }, {"timeout", required_argument, 0, 0 },
{0, 0, 0, 0} {0, 0, 0, 0}
}; };
@@ -2271,6 +2299,8 @@ main (int argc, char *argv[]) @@ -2217,6 +2245,8 @@ main (int argc, char *argv[])
} else { } else {
db_name = DBX; db_name = DBX;
} }
@ -89,7 +89,7 @@ index b66c1b8..0c25ae5 100644
} else if (strcmp (option, "timeout") == 0) { } else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT; command |= TIMEOUT;
timeout = strdup (optarg); timeout = strdup (optarg);
@@ -2543,6 +2573,9 @@ main (int argc, char *argv[]) @@ -2470,6 +2500,9 @@ main (int argc, char *argv[])
case TIMEOUT: case TIMEOUT:
ret = set_timeout (timeout); ret = set_timeout (timeout);
break; break;
@ -100,10 +100,10 @@ index b66c1b8..0c25ae5 100644
print_help (); print_help ();
break; break;
diff --git a/man/mokutil.1 b/man/mokutil.1 diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..4462987 100644 index 7cee5da..1f82ff1 100644
--- a/man/mokutil.1 --- a/man/mokutil.1
+++ b/man/mokutil.1 +++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys @@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys
.br .br
\fBmokutil\fR [--dbx] \fBmokutil\fR [--dbx]
.br .br
@ -112,7 +112,7 @@ index 25fe8b4..4462987 100644
.SH DESCRIPTION .SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db) @@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR \fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx) List the keys in the secure boot blacklist signature store (dbx)
.TP .TP


@ -14,10 +14,10 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 151 insertions(+), 24 deletions(-) 1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index 0c25ae5..252dc7a 100644 index dba77c9..9153b10 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -251,6 +251,63 @@ signature_size (const efi_guid_t *hash_type) @@ -247,6 +247,63 @@ signature_size (const efi_guid_t *hash_type)
return 0; return 0;
} }
@ -81,7 +81,7 @@ index 0c25ae5..252dc7a 100644
static MokListNode* static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{ {
@@ -622,25 +679,44 @@ static int @@ -618,25 +675,44 @@ static int
list_keys_in_var (const char *var_name, const efi_guid_t guid) list_keys_in_var (const char *var_name, const efi_guid_t guid)
{ {
uint8_t *data = NULL; uint8_t *data = NULL;
@ -138,7 +138,7 @@ index 0c25ae5..252dc7a 100644
} }
static int static int
@@ -1039,22 +1115,15 @@ is_valid_cert (void *cert, uint32_t cert_size) @@ -998,22 +1074,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
} }
static int static int
@ -165,7 +165,7 @@ index 0c25ae5..252dc7a 100644
return 0; return 0;
list = build_mok_list (var_data, var_data_size, &node_num); list = build_mok_list (var_data, var_data_size, &node_num);
@@ -1087,11 +1156,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size @@ -1046,11 +1115,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
done: done:
if (list) if (list)
free (list); free (list);


@ -1,181 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Thu, 21 Apr 2022 17:28:07 -0700
Subject: [PATCH] SBAT revocation update support
Control how shim will apply SBAT revocations:
mokutil --set-sbat-policy latest
applies the latest SBAT revocations
(default behavior)
mokutil --set-sbat-policy previous
applies previous SBAT revocations to
allow falling back to an older release
In both of the above cases shim will only apply SBAT revocations that
are newer than the ones currently installed.
mokutil --set-sbat-policy delete
resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
(cherry picked from commit 68f122d79677cf4a8298cf60ab7dc8a7bf43091c)
[rharwood: renumbering, new options not present, renamed var]
---
src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
man/mokutil.1 | 14 ++++++++++++--
2 files changed, 55 insertions(+), 6 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3fdc791..ac158b3 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,7 @@
#define VERBOSITY (1 << 23)
#define TIMEOUT (1 << 24)
#define LIST_SBAT (1 << 25)
+#define SET_SBAT (1 << 27)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -169,12 +170,13 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
++ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2261,6 +2263,26 @@ list_db (DBName db_name)
return -1;
}
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("SbatPolicy");
+ }
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -2275,6 +2297,7 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t sbat_policy = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2311,11 +2334,12 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
- {"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2376,6 +2400,20 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2400,8 +2438,6 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
- } else if (strcmp (option, "sbat") == 0) {
- command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
@@ -2658,6 +2694,9 @@ main (int argc, char *argv[])
case LIST_SBAT:
ret = print_var_content ("SBAT", efi_guid_shim);
break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 1f82ff1..48fbe25 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -71,7 +71,9 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
-\fBmokutil\fR [--sbat]
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.br
.SH DESCRIPTION
@@ -168,6 +170,14 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
-\fB--sbat\fR
+\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP


@ -22,7 +22,7 @@ Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
1 file changed, 36 insertions(+), 8 deletions(-) 1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index 563e585..3fdc791 100644 index 9153b10..0fd2dc3 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size) @@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)


@ -0,0 +1,191 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Fri, 3 Dec 2021 14:18:31 +0100
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
fallback debugging.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
[rharwood: no sb_check, no util renaming]
---
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
data/mokutil | 8 +++++++
man/mokutil.1 | 10 +++++++++
3 files changed, 88 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0fd2dc3..f9641a1 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,8 @@
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
#define LIST_SBAT (1 << 24)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -169,6 +171,8 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
@@ -2240,6 +2244,46 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2275,6 +2319,8 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2311,6 +2357,8 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
@@ -2376,6 +2424,22 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2652,6 +2716,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
case TIMEOUT:
ret = set_timeout (timeout);
break;
diff --git a/data/mokutil b/data/mokutil
index 800b039..af6b6ff 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -24,6 +24,14 @@ _mokutil()
COMPREPLY=( $( compgen -W "true false") )
return 0
;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
--generate-hash|-g)
COMPREPLY=( $( compgen -o nospace -P= -W "") )
return 0
diff --git a/man/mokutil.1 b/man/mokutil.1
index 1f82ff1..a3a73e1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
@@ -156,6 +160,12 @@ this is not the password hash.
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP


@ -1,8 +1,9 @@
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch Patch0003: 0003-mokutil-remove-simple-hash.patch
Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch Patch0004: 0004-man-remove-simple-hash.patch
Patch0005: 0005-mokutil-remove-simple-hash.patch Patch0005: 0005-mokutil-adjust-the-command-bits.patch
Patch0006: 0006-man-remove-simple-hash.patch Patch0006: 0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch Patch0007: 0007-mokutil-add-mok-variables-parsing-support.patch
Patch0008: 0008-SBAT-revocation-update-support.patch Patch0008: 0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
Patch0009: 0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
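Review bot: The new Patch list drops `0008-SBAT-revocation-update-support.patch`, which the old list applied as Patch0008, and no entry in the new list takes its place; the patch file deleted elsewhere in this commit is the one that added `--set-sbat-policy` and the SbatPolicy variable handling. The changelog entry for 2:0.4.0-9 in this same import mentions only the fallback verbose mode, whereas the 2:0.4.0-8.el9_0.1 entry it replaces listed the SBAT policy support as related to CVE-2022-28737, so a system moving from 8.el9_0.1 to 9 would lose that option unless it is re-added in a later release. The 9 build appears to be based on the March 28 changelog and therefore predates the June z-stream change, which would explain the drop; if that is intended, a changelog line such as `- SBAT policy support from 2:0.4.0-8.el9_0.1 is not yet included` would make the regression visible to anyone reading the spec.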


@ -1,6 +1,6 @@
Name: mokutil Name: mokutil
Version: 0.4.0 Version: 0.4.0
Release: 8%{?dist}.1 Release: 9%{?dist}
Epoch: 2 Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+ License: GPLv3+
@ -50,9 +50,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil %{_datadir}/bash-completion/completions/mokutil
%changelog %changelog
* Wed Jun 01 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-8.el9_0.1 * Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
- Support sbat revocation and setting policy - Add ability to change fallback verbose mode
- Related: CVE-2022-28737 - Resolves: #2069296
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags