Compare commits

...

No commits in common. 'c8' and 'c9-beta' have entirely different histories.
c8 ... c9-beta

  1. 2
      .gitignore
  2. 2
      .mokutil.metadata
  3. 114
      SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch
  4. 33
      SOURCES/0001-Fix-the-potential-buffer-overflow.patch
  5. 4
      SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch
  6. 31
      SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
  7. 39
      SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
  8. 257
      SOURCES/0003-mokutil-remove-simple-hash.patch
  9. 29
      SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
  10. 78
      SOURCES/0004-man-remove-simple-hash.patch
  11. 84
      SOURCES/0005-Make-all-efi_guid_t-const.patch
  12. 38
      SOURCES/0005-mokutil-adjust-the-command-bits.patch
  13. 121
      SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
  14. 34
      SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
  15. 95
      SOURCES/0007-Add-bash-completion-file.patch
  16. 20
      SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch
  17. 24
      SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
  18. 95
      SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
  19. 23
      SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
  20. 191
      SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
  21. 98
      SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
  22. 211
      SOURCES/0013-SBAT-revocation-update-support.patch
  23. 22
      SOURCES/mokutil.patches
  24. 81
      SPECS/mokutil.spec

2
.gitignore

@ -1 +1 @@
SOURCES/0.3.0.tar.gz
SOURCES/0.4.0.tar.gz

2
.mokutil.metadata

@ -1 +1 @@
8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz
42d6c1551535386cba63265a6ed7172d11c88b97 SOURCES/0.4.0.tar.gz

114
SOURCES/0001-Avoid-taking-pointer-to-packed-struct.patch

@ -0,0 +1,114 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Harry Youd <harry@harryyoud.co.uk>
Date: Wed, 31 Jul 2019 19:44:53 +0100
Subject: [PATCH] Avoid taking pointer to packed struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:
error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
---
src/mokutil.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e2d567d..8892613 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
+ efi_guid_t sigtype = CertList->SignatureType;
+
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
continue;
}
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
+ (CertList->SignatureSize != signature_size (&sigtype))) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
list[count].header = CertList;
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
/* X509 certificate */
list[count].mok_size = CertList->SignatureSize -
sizeof(efi_guid_t);
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
for (unsigned int i = 0; i < mok_num; i++) {
printf ("[key %d]\n", i+1);
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
print_x509 ((char *)list[i].mok, list[i].mok_size);
} else {
- print_hash_array (&list[i].header->SignatureType,
+ print_hash_array (&sigtype,
list[i].mok, list[i].mok_size);
}
if (i < mok_num - 1)
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
remain = total;
for (unsigned int i = 0; i < mok_num; i++) {
remain -= list[i].header->SignatureListSize;
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
sig_list_size = list[i].header->SignatureListSize;
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
}
for (unsigned int i = 0; i < node_num; i++) {
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
+ efi_guid_t sigtype = list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, type) != 0)
continue;
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
/* Check if there is a signature list with the same type */
for (unsigned int i = 0; i < mok_num; i++) {
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
- &hash_type) == 0) {
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
merge_ind = i;
list_size -= sizeof(EFI_SIGNATURE_LIST);
break;
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
for (unsigned i = 0; i < mok_num; i++) {
off_t offset = 0;
ssize_t write_size;
+ efi_guid_t sigtype = list[i].header->SignatureType;
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
continue;
/* Dump X509 certificate to files */

33
SOURCES/0001-Fix-the-potential-buffer-overflow.patch

@ -1,33 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 15:50:03 +0800
Subject: [PATCH] Fix the potential buffer overflow
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..93fb6fa 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
MokToggleVar tvar;
char *password = NULL;
unsigned int pw_len;
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
int ret = -1;
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
efichar_from_char (efichar_pass, password,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- memcpy(tvar.password, efichar_pass,
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
tvar.mok_toggle_state = state;

4
SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch → SOURCES/0002-Fix-a-integer-comparison-sign-issue.patch

@ -16,10 +16,10 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b508010..ac15c73 100644
index 8892613..b66c1b8 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw)
char *password = NULL;
char *crypt_string;
const char *prefix;

31
SOURCES/0002-Fix-the-32bit-signedness-comparison.patch

@ -1,31 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Nov 2014 11:38:54 +0800
Subject: [PATCH] Fix the 32bit signedness comparison
---
src/mokutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 93fb6fa..a7e83f7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
/* Mok */
read_size = read (fd, ptr, sizes[i]);
- if (read_size < 0 || read_size != sizes[i]) {
+ if (read_size < 0 || read_size != (int64_t)sizes[i]) {
fprintf (stderr, "Failed to read %s\n", files[i]);
goto error;
}
@@ -1645,7 +1645,7 @@ export_moks ()
goto error;
}
- while (offset < list[i].mok_size) {
+ while (offset < (int64_t)list[i].mok_size) {
write_size = write (fd, list[i].mok + offset,
list[i].mok_size - offset);
if (write_size < 0) {

39
SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch

@ -1,39 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Jun 2015 16:53:36 -0400
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
This source tree uses:
typedef wchar_t efi_char16_t;
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
32-bits by default. As a result, efichar_from_char winds up writing
4-byte characters instead of 2-byte characters. In the case where we
hash the password in mokutil, this works fine, because the same datatype
is used, and the values are the same. But for our feature toggles,
where we store the raw data and shim is interpretting the character
array, every other character winds up being L'\0', and verification
fails.
So always build with -fshort-wchar to ensure we get 2-byte character
storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fe28fb9..69d412a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ else
default_strict=no
fi
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
enable_strict=$default_strict)

257
SOURCES/0003-mokutil-remove-simple-hash.patch

@ -0,0 +1,257 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 25 May 2021 12:46:03 +0200
Subject: [PATCH] mokutil: remove "--simple-hash"
The simple-hash password format is used by the very early MokManager and
not the default format anymore after we changed to password-crypt.
Remove the code to reduce the code size.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 87 +++++------------------------------------------------------
1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8..e811266 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,7 +76,6 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define SIMPLE_HASH (1 << 17)
#define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19)
#define MOKX (1 << 20)
@@ -94,8 +93,6 @@ typedef unsigned long efi_status_t;
typedef uint8_t efi_bool_t;
typedef wchar_t efi_char16_t; /* UNICODE character */
-static int use_simple_hash;
-
typedef enum {
DELETE_MOK = 0,
ENROLL_MOK,
@@ -180,7 +177,6 @@ print_help ()
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
printf (" --root-pw\t\t\t\tUse the root password\n");
- printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
}
@@ -736,32 +732,6 @@ error:
return ret;
}
-static int
-generate_auth (void *new_list, int list_len, char *password,
- unsigned int pw_len, uint8_t *auth)
-{
- efi_char16_t efichar_pass[PASSWORD_MAX+1];
- unsigned long efichar_len;
- SHA256_CTX ctx;
-
- if (!password || !auth)
- return -1;
-
- efichar_len = efichar_from_char (efichar_pass, password,
- pw_len * sizeof(efi_char16_t));
-
- SHA256_Init (&ctx);
-
- if (new_list)
- SHA256_Update (&ctx, new_list, list_len);
-
- SHA256_Update (&ctx, efichar_pass, efichar_len);
-
- SHA256_Final (auth, &ctx);
-
- return 0;
-}
-
static void
generate_salt (char salt[], unsigned int salt_size)
{
@@ -901,7 +871,6 @@ update_request (void *new_list, int list_len, MokRequest req,
size_t data_size;
const char *req_name, *auth_name;
pw_crypt_t pw_crypt;
- uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
unsigned int pw_len;
int auth_ret;
@@ -950,12 +919,7 @@ update_request (void *new_list, int list_len, MokRequest req,
goto error;
}
- if (!use_simple_hash) {
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (new_list, list_len, password,
- pw_len, auth);
- }
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
@@ -991,13 +955,8 @@ update_request (void *new_list, int list_len, MokRequest req,
}
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
attributes, S_IRUSR | S_IWUSR) < 0) {
@@ -1750,26 +1709,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
goto error;
}
- if (!use_simple_hash) {
- pw_crypt.method = DEFAULT_CRYPT_METHOD;
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
- } else {
- auth_ret = generate_auth (NULL, 0, password, pw_len,
- auth);
- }
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
if (auth_ret < 0) {
fprintf (stderr, "Couldn't generate hash\n");
goto error;
}
}
- if (!use_simple_hash) {
- data = (void *)&pw_crypt;
- data_size = PASSWORD_CRYPT_SIZE;
- } else {
- data = (void *)auth;
- data_size = SHA256_DIGEST_LENGTH;
- }
+ data = (void *)auth;
+ data_size = SHA256_DIGEST_LENGTH;
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
@@ -2147,8 +2096,6 @@ main (int argc, char *argv[])
DBName db_name = MOK_LIST_RT;
int ret = -1;
- use_simple_hash = 0;
-
if (!efi_variables_supported ()) {
fprintf (stderr, "EFI variables are not supported on this system\n");
exit (1);
@@ -2175,7 +2122,6 @@ main (int argc, char *argv[])
{"hash-file", required_argument, 0, 'f'},
{"generate-hash", optional_argument, 0, 'g'},
{"root-pw", no_argument, 0, 'P'},
- {"simple-hash", no_argument, 0, 's'},
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
{"mok", no_argument, 0, 'm'},
@@ -2374,10 +2320,6 @@ main (int argc, char *argv[])
case 'x':
command |= EXPORT;
break;
- case 's':
- command |= SIMPLE_HASH;
- use_simple_hash = 1;
- break;
case 'm':
db_name = MOK_LIST_RT;
break;
@@ -2398,9 +2340,6 @@ main (int argc, char *argv[])
}
}
- if (use_root_pw == 1 && use_simple_hash == 1)
- use_simple_hash = 0;
-
if (hash_file && use_root_pw)
command |= HELP;
@@ -2436,22 +2375,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokDel", efi_guid_shim);
break;
case IMPORT:
- case IMPORT | SIMPLE_HASH:
ret = issue_mok_request (files, total, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE:
- case DELETE | SIMPLE_HASH:
ret = issue_mok_request (files, total, DELETE_MOK,
hash_file, use_root_pw);
break;
case IMPORT_HASH:
- case IMPORT_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, ENROLL_MOK,
hash_file, use_root_pw);
break;
case DELETE_HASH:
- case DELETE_HASH | SIMPLE_HASH:
ret = issue_hash_request (hash_str, DELETE_MOK,
hash_file, use_root_pw);
break;
@@ -2466,11 +2401,9 @@ main (int argc, char *argv[])
ret = export_db_keys (db_name);
break;
case PASSWORD:
- case PASSWORD | SIMPLE_HASH:
ret = set_password (hash_file, use_root_pw, 0);
break;
case CLEAR_PASSWORD:
- case CLEAR_PASSWORD | SIMPLE_HASH:
ret = set_password (NULL, 0, 1);
break;
case DISABLE_VALIDATION:
@@ -2486,7 +2419,6 @@ main (int argc, char *argv[])
ret = test_key (ENROLL_MOK, key_file);
break;
case RESET:
- case RESET | SIMPLE_HASH:
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
break;
case GENERATE_PW_HASH:
@@ -2505,22 +2437,18 @@ main (int argc, char *argv[])
ret = list_keys_in_var ("MokXDel", efi_guid_shim);
break;
case IMPORT | MOKX:
- case IMPORT | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE | MOKX:
- case DELETE | SIMPLE_HASH | MOKX:
ret = issue_mok_request (files, total, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
case IMPORT_HASH | MOKX:
- case IMPORT_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
hash_file, use_root_pw);
break;
case DELETE_HASH | MOKX:
- case DELETE_HASH | SIMPLE_HASH | MOKX:
ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
hash_file, use_root_pw);
break;
@@ -2531,7 +2459,6 @@ main (int argc, char *argv[])
ret = revoke_request (DELETE_BLACKLIST);
break;
case RESET | MOKX:
- case RESET | SIMPLE_HASH | MOKX:
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
break;
case TEST_KEY | MOKX:

29
SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch

@ -1,29 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 16 Jun 2015 17:06:30 -0400
Subject: [PATCH] Don't allow sha1 on the mokutil command line.
Related: rhbz#1115843
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a7e83f7..1fb34f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
}
switch (len) {
+#if 0
case SHA_DIGEST_LENGTH*2:
*type = efi_guid_sha1;
hash_size = SHA_DIGEST_LENGTH;
break;
+#endif
case SHA224_DIGEST_LENGTH*2:
*type = efi_guid_sha224;
hash_size = SHA224_DIGEST_LENGTH;

78
SOURCES/0004-man-remove-simple-hash.patch

@ -0,0 +1,78 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 14:48:08 +0800
Subject: [PATCH] man: remove "--simple-hash"
Remove "--simple-hash" from the man page.
Signed-off-by: Gary Lin <glin@suse.com>
---
man/mokutil.1 | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..7cee5da 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx |- X])
+ [--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
([--mokx | -X])
@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--clear-password | -c]
- ([--simple-hash | -s])
.br
\fBmokutil\fR [--disable-validation]
.br
@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mok | -X])
+ [--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--import-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx | -X])
+ [--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
@@ -136,11 +134,6 @@ Use the password hash from a specific file
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
-\fB-s, --simple-hash\fR
-Use the old SHA256 password hash method to hash the password
-.br
-Note: --root-pw invalidates --simple-hash
-.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP

84
SOURCES/0005-Make-all-efi_guid_t-const.patch

@ -1,84 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jan 2016 16:05:21 +0800
Subject: [PATCH] Make all efi_guid_t const
All UEFI GUIDs defined in efivar are const. Declare all of them const
to make gcc happy.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1fb34f9..d2c52b4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
}
static uint32_t
-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
{
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
return SHA_DIGEST_LENGTH;
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
}
static uint32_t
-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
{
uint32_t hash_size;
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
/* match the hash in the hash array and return the index if matched */
static int
-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
const void *hash_array, const uint32_t array_size)
{
uint32_t hash_size, hash_count;
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
}
static int
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
- efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ const efi_guid_t *type, void *data, uint32_t data_size)
{
uint8_t *var_data = NULL;
size_t var_data_size = 0;
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
- efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
{
uint8_t *var_data;
size_t var_data_size;
@@ -1059,7 +1059,7 @@ done:
}
static int
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
{
switch (req) {
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
}
static int
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
MokRequest req)
{
uint8_t *authvar_data;

38
SOURCES/0005-mokutil-adjust-the-command-bits.patch

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 27 Aug 2020 16:10:50 +0800
Subject: [PATCH] mokutil: adjust the command bits
Adjust the bits after removing SIMPLE_HASH.
Signed-off-by: Gary Lin <glin@suse.com>
(cherry picked from commit 25191c38156b90004b783d0265d967dbe8e76a38)
---
src/mokutil.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e811266..a9d97f4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -76,13 +76,13 @@
#define TEST_KEY (1 << 14)
#define RESET (1 << 15)
#define GENERATE_PW_HASH (1 << 16)
-#define IGNORE_DB (1 << 18)
-#define USE_DB (1 << 19)
-#define MOKX (1 << 20)
-#define IMPORT_HASH (1 << 21)
-#define DELETE_HASH (1 << 22)
-#define VERBOSITY (1 << 23)
-#define TIMEOUT (1 << 24)
+#define IGNORE_DB (1 << 17)
+#define USE_DB (1 << 18)
+#define MOKX (1 << 19)
+#define IMPORT_HASH (1 << 20)
+#define DELETE_HASH (1 << 21)
+#define VERBOSITY (1 << 22)
+#define TIMEOUT (1 << 23)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX

121
SOURCES/0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch

@ -0,0 +1,121 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 17 Mar 2021 14:38:57 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
This variable contains the descriptive form of all the components used by
the operating systems that ship signed shim binaries. Along with a minimum
generation number for each component. More information in can be found in
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
https://github.com/rhboot/shim/blob/main/SBAT.md
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
encoded strings, the data could just be printed without the need to do any
previous processing.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
man/mokutil.1 | 5 +++++
2 files changed, 38 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index a9d97f4..dba77c9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@
#define DELETE_HASH (1 << 21)
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
+#define LIST_SBAT (1 << 24)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -173,6 +174,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1557,6 +1559,31 @@ error:
return ret;
}
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
static int
revoke_request (MokRequest req)
{
@@ -2133,6 +2160,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2217,6 +2245,8 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
@@ -2470,6 +2500,9 @@ main (int argc, char *argv[])
case TIMEOUT:
ret = set_timeout (timeout);
break;
+ case LIST_SBAT:
+ ret = print_var_content ("SBAT", efi_guid_shim);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 7cee5da..1f82ff1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--sbat]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP

34
SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch

@ -1,34 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:19:43 -0400
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d2c52b4..d554f6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
ret = efi_set_variable (*var_guid, var_name,
- var_data, total, attributes);
+ var_data, total, attributes,
+ S_IRUSR | S_IWUSR);
if (ret < 0) {
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
var_name);
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
data_size = list_len;
if (efi_set_variable (efi_guid_shim, req_name,
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
switch (req) {
case ENROLL_MOK:
fprintf (stderr, "Failed to enroll new keys\n");

95
SOURCES/0007-Add-bash-completion-file.patch

@ -1,95 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:20:14 -0400
Subject: [PATCH] Add bash completion file.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 17 +++++++++++++++++
Makefile.am | 5 +++++
data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 data/mokutil
diff --git a/configure.ac b/configure.ac
index 69d412a..7b52a06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+AC_ARG_WITH([bash-completion-dir],
+ AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
+ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
+ [],
+ [with_bash_completion_dir=yes])
+
+if test "x$with_bash_completion_dir" = "xyes"; then
+ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
+ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
+else
+ BASH_COMPLETION_DIR="$with_bash_completion_dir"
+fi
+
+AC_SUBST([BASH_COMPLETION_DIR])
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile])
diff --git a/Makefile.am b/Makefile.am
index 9f0d419..c17cc4a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1 +1,6 @@
SUBDIRS = src man
+
+if ENABLE_BASH_COMPLETION
+ bashcompletiondir = $(BASH_COMPLETION_DIR)
+ dist_bashcompletion_DATA = data/mokutil
+endif
diff --git a/data/mokutil b/data/mokutil
new file mode 100755
index 0000000..800b039
--- /dev/null
+++ b/data/mokutil
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+_mokutil()
+{
+ local cur=${COMP_WORDS[COMP_CWORD]}
+
+ if [[ "$cur" == -* ]]; then
+ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
+ return 0
+ fi
+
+ case "${COMP_WORDS[COMP_CWORD-1]}" in
+ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
+ _filedir
+ return 0
+ ;;
+ --import-hash|--delete-hash)
+ COMPREPLY=( $( compgen -W "" ) )
+ return 0
+ ;;
+ --set-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --generate-hash|-g)
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ return 0
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+}
+
+complete -F _mokutil mokutil

20
SOURCES/0012-initial-mok-variables-code.patch → SOURCES/0007-mokutil-add-mok-variables-parsing-support.patch

@ -1,25 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 17 Aug 2020 14:18:31 -0400
Subject: [PATCH] initial mok-variables code
Date: Wed, 17 Mar 2021 14:49:21 +0100
Subject: [PATCH] mokutil: add mok-variables parsing support
This patch adds support for getting mok variables from
/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as
his patch adds support for getting mok variables from
/sys/firmware/efi/mok-variables/$NAME , if they are present, as well as
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
variables.
Resolves: rhbz#1868820
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 151 insertions(+), 24 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index ac15c73..838599c 100644
index dba77c9..9153b10 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
@@ -247,6 +247,63 @@ signature_size (const efi_guid_t *hash_type)
return 0;
}
@ -83,7 +81,7 @@ index ac15c73..838599c 100644
static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{
@@ -596,25 +653,44 @@ static int
@@ -618,25 +675,44 @@ static int
list_keys_in_var (const char *var_name, const efi_guid_t guid)
{
uint8_t *data = NULL;
@ -140,7 +138,7 @@ index ac15c73..838599c 100644
}
static int
@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
@@ -998,22 +1074,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
@ -167,7 +165,7 @@ index ac15c73..838599c 100644
return 0;
list = build_mok_list (var_data, var_data_size, &node_num);
@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
@@ -1046,11 +1115,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
done:
if (list)
free (list);

24
SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch

@ -1,24 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Mon, 20 Jun 2016 11:18:17 -0500
Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
support
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d554f6c..27f1292 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
rc = efi_get_variable (efi_guid_global, "SecureBoot",
&data, &data_size, &attributes);
if (rc < 0) {
- fprintf(stderr, "This system does't support Secure Boot\n");
+ fprintf(stderr, "This system doesn't support Secure Boot\n");
ret = -1;
goto out;
}

95
SOURCES/0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch

@ -0,0 +1,95 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 25 May 2021 15:22:29 +0200
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
deprecated SHA1_*()
The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads
to compile errors when building with -Werror=deprecated-declarations, i.e:
mokutil.c: In function 'print_x509':
mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
424 | SHA1_Init (&ctx);
| ^~~~~~~~~
...
instead, the EVP_Digest*() functions could be used. Port to them and avoid
these build failures with the latest OpenSSL 3.0 version.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9153b10..0fd2dc3 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
{
X509 *X509cert;
BIO *cert_bio;
- SHA_CTX ctx;
- uint8_t fingerprint[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX *ctx;
+ const EVP_MD *md;
+ unsigned int md_len;
+ unsigned char fingerprint[EVP_MAX_MD_SIZE];
cert_bio = BIO_new (BIO_s_mem ());
BIO_write (cert_bio, cert, cert_size);
@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size)
X509cert = d2i_X509_bio (cert_bio, NULL);
if (X509cert == NULL) {
fprintf (stderr, "Invalid X509 certificate\n");
- return -1;
+ goto cleanup_bio;
}
- SHA1_Init (&ctx);
- SHA1_Update (&ctx, cert, cert_size);
- SHA1_Final (fingerprint, &ctx);
+ md = EVP_get_digestbyname ("SHA1");
+ if(md == NULL) {
+ fprintf (stderr, "Failed to get SHA1 digest\n");
+ goto cleanup_bio;
+ }
+
+ ctx = EVP_MD_CTX_create ();
+ if (ctx == NULL) {
+ fprintf (stderr, "Failed to create digest context\n");
+ goto cleanup_bio;
+ }
+
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
+ fprintf (stderr, "Failed to initialize digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) {
+ fprintf (stderr, "Failed to hash into the digest context\n");
+ goto cleanup_ctx;
+ }
+
+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
+ fprintf (stderr, "Failed to get digest value\n");
+ goto cleanup_ctx;
+ }
printf ("SHA1 Fingerprint: ");
- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) {
+ for (unsigned int i = 0; i < md_len; i++) {
printf ("%02x", fingerprint[i]);
- if (i < SHA_DIGEST_LENGTH - 1)
+ if (i < md_len - 1)
printf (":");
}
printf ("\n");
X509_print_fp (stdout, X509cert);
+cleanup_ctx:
+ EVP_MD_CTX_destroy (ctx);
+cleanup_bio:
BIO_free (cert_bio);
return 0;

23
SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch

@ -1,23 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 3 Apr 2017 16:33:38 -0400
Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 27f1292..0be9e84 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
if (ret < 0) {
- if (ret == ENOENT) {
+ if (errno == ENOENT) {
printf ("%s is empty\n", var_name);
return 0;
}

191
SOURCES/0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch

@ -0,0 +1,191 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Fri, 3 Dec 2021 14:18:31 +0100
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
fallback debugging.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
[rharwood: no sb_check, no util renaming]
---
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
data/mokutil | 8 +++++++
man/mokutil.1 | 10 +++++++++
3 files changed, 88 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0fd2dc3..f9641a1 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,8 @@
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
#define LIST_SBAT (1 << 24)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -169,6 +171,8 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
@@ -2240,6 +2244,46 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2275,6 +2319,8 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2311,6 +2357,8 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
@@ -2376,6 +2424,22 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2652,6 +2716,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
case TIMEOUT:
ret = set_timeout (timeout);
break;
diff --git a/data/mokutil b/data/mokutil
index 800b039..af6b6ff 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -24,6 +24,14 @@ _mokutil()
COMPREPLY=( $( compgen -W "true false") )
return 0
;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
--generate-hash|-g)
COMPREPLY=( $( compgen -o nospace -P= -W "") )
return 0
diff --git a/man/mokutil.1 b/man/mokutil.1
index 1f82ff1..a3a73e1 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
@@ -156,6 +160,12 @@ this is not the password hash.
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP

98
SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch

@ -1,98 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 15 May 2018 11:20:15 -0400
Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
New gcc rightly comlplains when we do the following:
strncpy (dest, src, strlen(src));
For two reasons:
a) it doesn't copy the NUL byte
b) it's otherwise the same thing strcpy() would have done
This patch replaces that with stpncpy (just because it's slightly easier
to use) and the real bounds for the destination.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 0be9e84..b508010 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
{
pw_crypt_t new_crypt;
char settings[SETTINGS_LEN];
+ char *next;
char *crypt_string;
const char *prefix;
- int hash_len, prefix_len;
+ int hash_len, settings_len = sizeof (settings) - 2;
if (!password || !pw_crypt || password[pw_len] != '\0')
return -1;
@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
prefix = get_crypt_prefix (pw_crypt->method);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
pw_crypt->salt_size = get_salt_size (pw_crypt->method);
generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
- strncpy (settings, prefix, prefix_len);
- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
- pw_crypt->salt_size);
- settings[pw_crypt->salt_size + prefix_len] = '\0';
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
+ if (pw_crypt->salt_size > settings_len - (next - settings)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+ next = stpncpy (next, (const char *)pw_crypt->salt,
+ pw_crypt->salt_size);
+ *next = '\0';
crypt_string = crypt (password, settings);
if (!crypt_string)
@@ -1929,10 +1934,11 @@ static int
generate_pw_hash (const char *input_pw)
{
char settings[SETTINGS_LEN];
+ char *next;
char *password = NULL;
char *crypt_string;
const char *prefix;
- int prefix_len;
+ int settings_len = sizeof (settings) - 2;
unsigned int pw_len, salt_size;
if (input_pw) {
@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
if (!prefix)
return -1;
- prefix_len = strlen(prefix);
- strncpy (settings, prefix, prefix_len);
+ memset (settings, 0, sizeof (settings));
+ next = stpncpy (settings, prefix, settings_len);
salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
- generate_salt ((settings + prefix_len), salt_size);
- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+ if (salt_size > settings_len - (next - settings)) {
+ errno = EOVERFLOW;
+ return -1;
+ }
+ generate_salt (next, salt_size);
+ next += salt_size;
+ *next = '\0';
crypt_string = crypt (password, settings);
free (password);

211
SOURCES/0013-SBAT-revocation-update-support.patch

@ -1,211 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Thu, 21 Apr 2022 17:28:07 -0700
Subject: [PATCH] SBAT revocation update support
Control how shim will apply SBAT revocations:
mokutil --set-sbat-policy latest
applies the latest SBAT revocations
(default behavior)
mokutil --set-sbat-policy previous
applies previous SBAT revocations to
allow falling back to an older release
In both of the above cases shim will only apply SBAT revocations that
are newer than the ones currently installed.
mokutil --set-sbat-policy delete
resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
(cherry picked from commit 2122b5e4323137509bc38615e269cc352c971815)
[rharwood: renumber, options not added yet]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/mokutil.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
man/mokutil.1 | 14 ++++++++++++
2 files changed, 86 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 838599c..0327275 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,8 @@
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define LIST_SBAT (1 << 27)
+#define SET_SBAT (1 << 28)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -152,10 +154,12 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
+ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2115,6 +2119,31 @@ generate_pw_hash (const char *input_pw)
return 0;
}
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
static int
set_verbosity (uint8_t verbosity)
{
@@ -2156,6 +2185,26 @@ list_db (DBName db_name)
return -1;
}
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("SbatPolicy");
+ }
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -2169,6 +2218,7 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t sbat_policy = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
@@ -2207,10 +2257,12 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2270,6 +2322,16 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -2298,6 +2360,10 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
db_name = DBX;
}
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
}
break;
@@ -2557,6 +2623,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case LIST_SBAT:
+ ret = print_var_content ("SbatLevelRT", efi_guid_shim);
+ break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
default:
print_help ();
break;
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..f5a0ea3 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,9 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +176,14 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--list-sbat-revocations\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP

22
SOURCES/mokutil.patches

@ -1,13 +1,9 @@
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
Patch0012: 0012-initial-mok-variables-code.patch
Patch0013: 0013-SBAT-revocation-update-support.patch
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
Patch0003: 0003-mokutil-remove-simple-hash.patch
Patch0004: 0004-man-remove-simple-hash.patch
Patch0005: 0005-mokutil-adjust-the-command-bits.patch
Patch0006: 0006-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
Patch0007: 0007-mokutil-add-mok-variables-parsing-support.patch
Patch0008: 0008-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
Patch0009: 0009-mokutil-enable-setting-fallback-verbosity-and-norebo.patch

81
SPECS/mokutil.spec

@ -1,17 +1,19 @@
Name: mokutil
Version: 0.3.0
Release: 11%{?dist}.1
Epoch: 1
Version: 0.4.0
Release: 9%{?dist}
Epoch: 2
Summary: Tool to manage UEFI Secure Boot MoK Keys
License: GPLv3+
URL: https://github.com/lcp/mokutil
ExclusiveArch: %{ix86} x86_64 aarch64
BuildRequires: make
BuildRequires: gcc
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
BuildRequires: efivar-devel >= 31-1
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
Source1: mokutil.patches
Conflicts: shim < 0.8-1%{?dist}
Obsoletes: mokutil <= 1:0.3.0-1
Obsoletes: mokutil < 0.2.0
%include %{SOURCE1}
@ -48,23 +50,60 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%{_datadir}/bash-completion/completions/mokutil
%changelog
* Wed Jun 01 2022 Robbie Harwood <rharwood@redhat.com> - 0.3.0-11.el8_6.1
- Support listing sbat revocations and setting sbat policy
- Resolves: CVE-2022-28737
* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
- Bump NVR for brew to build the package
Related: rhbz##1907418
* Wed Dec 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-10
- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/
as well as attempting to consume numbered mok variables from efivarfs
when mok-variables aren't present (pjones)
Resolves: rhbz#1907418
* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
- Minor obsoletes fix
- Import some fixes from upstream
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
- Add ability to change fallback verbose mode
- Resolves: #2069296
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue May 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-6
- Port to OpenSSL 3.0
Resolves: rhbz#1958040
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-4
- Add SBAT and mok-variables support
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-1
- Update to 0.4.0 release
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.3.0-14
- Pull one more upstream patch to keep this in sync with the f31 build.
* Thu Oct 24 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:0.3.0-14
- Apply upstream commits to fix FTBFS
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-11
- Rebuilt for libcrypt.so.2 (#1666033)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
- Rebuilt for switch to libxcrypt

Loading…
Cancel
Save