Compare commits
No commits in common. "imports/c9/mokutil-0.4.0-8.el9_0.1" and "c8" have entirely different histories.
imports/c9
...
c8
|
@ -1 +1 @@
|
||||||
SOURCES/0.4.0.tar.gz
|
SOURCES/0.3.0.tar.gz
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
42d6c1551535386cba63265a6ed7172d11c88b97 SOURCES/0.4.0.tar.gz
|
8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz
|
||||||
|
|
|
@ -1,114 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Harry Youd <harry@harryyoud.co.uk>
|
|
||||||
Date: Wed, 31 Jul 2019 19:44:53 +0100
|
|
||||||
Subject: [PATCH] Avoid taking pointer to packed struct
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes:
|
|
||||||
error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
|
|
||||||
---
|
|
||||||
src/mokutil.c | 38 ++++++++++++++++++++++----------------
|
|
||||||
1 file changed, 22 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index e2d567d..8892613 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
|
|
||||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) &&
|
|
||||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) &&
|
|
||||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) &&
|
|
||||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) &&
|
|
||||||
- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) {
|
|
||||||
+ efi_guid_t sigtype = CertList->SignatureType;
|
|
||||||
+
|
|
||||||
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
|
|
||||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) &&
|
|
||||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) &&
|
|
||||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) &&
|
|
||||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) &&
|
|
||||||
+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) {
|
|
||||||
dbsize -= CertList->SignatureListSize;
|
|
||||||
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
|
||||||
CertList->SignatureListSize);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) &&
|
|
||||||
- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) {
|
|
||||||
+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) &&
|
|
||||||
+ (CertList->SignatureSize != signature_size (&sigtype))) {
|
|
||||||
dbsize -= CertList->SignatureListSize;
|
|
||||||
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
|
||||||
CertList->SignatureListSize);
|
|
||||||
@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
||||||
}
|
|
||||||
|
|
||||||
list[count].header = CertList;
|
|
||||||
- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) {
|
|
||||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
|
|
||||||
/* X509 certificate */
|
|
||||||
list[count].mok_size = CertList->SignatureSize -
|
|
||||||
sizeof(efi_guid_t);
|
|
||||||
@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size)
|
|
||||||
|
|
||||||
for (unsigned int i = 0; i < mok_num; i++) {
|
|
||||||
printf ("[key %d]\n", i+1);
|
|
||||||
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) {
|
|
||||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
|
||||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) {
|
|
||||||
print_x509 ((char *)list[i].mok, list[i].mok_size);
|
|
||||||
} else {
|
|
||||||
- print_hash_array (&list[i].header->SignatureType,
|
|
||||||
+ print_hash_array (&sigtype,
|
|
||||||
list[i].mok, list[i].mok_size);
|
|
||||||
}
|
|
||||||
if (i < mok_num - 1)
|
|
||||||
@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
|
||||||
remain = total;
|
|
||||||
for (unsigned int i = 0; i < mok_num; i++) {
|
|
||||||
remain -= list[i].header->SignatureListSize;
|
|
||||||
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
|
|
||||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
|
||||||
+ if (efi_guid_cmp (&sigtype, type) != 0)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
sig_list_size = list[i].header->SignatureListSize;
|
|
||||||
@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
|
|
||||||
}
|
|
||||||
|
|
||||||
for (unsigned int i = 0; i < node_num; i++) {
|
|
||||||
- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0)
|
|
||||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
|
||||||
+ if (efi_guid_cmp (&sigtype, type) != 0)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) {
|
|
||||||
@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
||||||
goto error;
|
|
||||||
/* Check if there is a signature list with the same type */
|
|
||||||
for (unsigned int i = 0; i < mok_num; i++) {
|
|
||||||
- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
|
|
||||||
- &hash_type) == 0) {
|
|
||||||
+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
|
|
||||||
+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
|
|
||||||
merge_ind = i;
|
|
||||||
list_size -= sizeof(EFI_SIGNATURE_LIST);
|
|
||||||
break;
|
|
||||||
@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
|
|
||||||
for (unsigned i = 0; i < mok_num; i++) {
|
|
||||||
off_t offset = 0;
|
|
||||||
ssize_t write_size;
|
|
||||||
+ efi_guid_t sigtype = list[i].header->SignatureType;
|
|
||||||
|
|
||||||
- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
|
|
||||||
+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
/* Dump X509 certificate to files */
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
Date: Tue, 4 Nov 2014 15:50:03 +0800
|
||||||
|
Subject: [PATCH] Fix the potential buffer overflow
|
||||||
|
|
||||||
|
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 5b34f22..93fb6fa 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
|
||||||
|
MokToggleVar tvar;
|
||||||
|
char *password = NULL;
|
||||||
|
unsigned int pw_len;
|
||||||
|
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
|
||||||
|
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
|
||||||
|
int ret = -1;
|
||||||
|
|
||||||
|
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
|
||||||
|
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
|
||||||
|
efichar_from_char (efichar_pass, password,
|
||||||
|
SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
||||||
|
|
||||||
|
- memcpy(tvar.password, efichar_pass,
|
||||||
|
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
||||||
|
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
|
||||||
|
|
||||||
|
tvar.mok_toggle_state = state;
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
Date: Mon, 24 Nov 2014 11:38:54 +0800
|
||||||
|
Subject: [PATCH] Fix the 32bit signedness comparison
|
||||||
|
|
||||||
|
---
|
||||||
|
src/mokutil.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 93fb6fa..a7e83f7 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
||||||
|
|
||||||
|
/* Mok */
|
||||||
|
read_size = read (fd, ptr, sizes[i]);
|
||||||
|
- if (read_size < 0 || read_size != sizes[i]) {
|
||||||
|
+ if (read_size < 0 || read_size != (int64_t)sizes[i]) {
|
||||||
|
fprintf (stderr, "Failed to read %s\n", files[i]);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
@@ -1645,7 +1645,7 @@ export_moks ()
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
- while (offset < list[i].mok_size) {
|
||||||
|
+ while (offset < (int64_t)list[i].mok_size) {
|
||||||
|
write_size = write (fd, list[i].mok + offset,
|
||||||
|
list[i].mok_size - offset);
|
||||||
|
if (write_size < 0) {
|
|
@ -0,0 +1,39 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Fri, 19 Jun 2015 16:53:36 -0400
|
||||||
|
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
|
||||||
|
|
||||||
|
This source tree uses:
|
||||||
|
|
||||||
|
typedef wchar_t efi_char16_t;
|
||||||
|
|
||||||
|
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
|
||||||
|
32-bits by default. As a result, efichar_from_char winds up writing
|
||||||
|
4-byte characters instead of 2-byte characters. In the case where we
|
||||||
|
hash the password in mokutil, this works fine, because the same datatype
|
||||||
|
is used, and the values are the same. But for our feature toggles,
|
||||||
|
where we store the raw data and shim is interpretting the character
|
||||||
|
array, every other character winds up being L'\0', and verification
|
||||||
|
fails.
|
||||||
|
|
||||||
|
So always build with -fshort-wchar to ensure we get 2-byte character
|
||||||
|
storage.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
configure.ac | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index fe28fb9..69d412a 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -37,7 +37,7 @@ else
|
||||||
|
default_strict=no
|
||||||
|
fi
|
||||||
|
|
||||||
|
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
|
||||||
|
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
|
||||||
|
|
||||||
|
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
|
||||||
|
enable_strict=$default_strict)
|
|
@ -1,121 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
Date: Wed, 17 Mar 2021 14:38:57 +0100
|
|
||||||
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
|
|
||||||
|
|
||||||
This variable contains the descriptive form of all the components used by
|
|
||||||
the operating systems that ship signed shim binaries. Along with a minimum
|
|
||||||
generation number for each component. More information in can be found in
|
|
||||||
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
|
|
||||||
|
|
||||||
https://github.com/rhboot/shim/blob/main/SBAT.md
|
|
||||||
|
|
||||||
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
|
|
||||||
encoded strings, the data could just be printed without the need to do any
|
|
||||||
previous processing.
|
|
||||||
|
|
||||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
|
|
||||||
man/mokutil.1 | 5 +++++
|
|
||||||
2 files changed, 38 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index b66c1b8..0c25ae5 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -84,6 +84,7 @@
|
|
||||||
#define DELETE_HASH (1 << 22)
|
|
||||||
#define VERBOSITY (1 << 23)
|
|
||||||
#define TIMEOUT (1 << 24)
|
|
||||||
+#define LIST_SBAT (1 << 25)
|
|
||||||
|
|
||||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
||||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
||||||
@@ -176,6 +177,7 @@ print_help ()
|
|
||||||
printf (" --db\t\t\t\t\tList the keys in db\n");
|
|
||||||
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
|
||||||
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
|
||||||
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
|
|
||||||
printf ("\n");
|
|
||||||
printf ("Supplimentary Options:\n");
|
|
||||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
||||||
@@ -1598,6 +1600,31 @@ error:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+print_var_content (const char *var_name, const efi_guid_t guid)
|
|
||||||
+{
|
|
||||||
+ uint8_t *data = NULL;
|
|
||||||
+ size_t data_size;
|
|
||||||
+ uint32_t attributes;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ if (errno == ENOENT) {
|
|
||||||
+ printf ("%s is empty\n", var_name);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ printf ("%s", data);
|
|
||||||
+ free (data);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
revoke_request (MokRequest req)
|
|
||||||
{
|
|
||||||
@@ -2187,6 +2214,7 @@ main (int argc, char *argv[])
|
|
||||||
{"kek", no_argument, 0, 0 },
|
|
||||||
{"db", no_argument, 0, 0 },
|
|
||||||
{"dbx", no_argument, 0, 0 },
|
|
||||||
+ {"sbat", no_argument, 0, 0 },
|
|
||||||
{"timeout", required_argument, 0, 0 },
|
|
||||||
{0, 0, 0, 0}
|
|
||||||
};
|
|
||||||
@@ -2271,6 +2299,8 @@ main (int argc, char *argv[])
|
|
||||||
} else {
|
|
||||||
db_name = DBX;
|
|
||||||
}
|
|
||||||
+ } else if (strcmp (option, "sbat") == 0) {
|
|
||||||
+ command |= LIST_SBAT;
|
|
||||||
} else if (strcmp (option, "timeout") == 0) {
|
|
||||||
command |= TIMEOUT;
|
|
||||||
timeout = strdup (optarg);
|
|
||||||
@@ -2543,6 +2573,9 @@ main (int argc, char *argv[])
|
|
||||||
case TIMEOUT:
|
|
||||||
ret = set_timeout (timeout);
|
|
||||||
break;
|
|
||||||
+ case LIST_SBAT:
|
|
||||||
+ ret = print_var_content ("SBAT", efi_guid_shim);
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
print_help ();
|
|
||||||
break;
|
|
||||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
||||||
index 25fe8b4..4462987 100644
|
|
||||||
--- a/man/mokutil.1
|
|
||||||
+++ b/man/mokutil.1
|
|
||||||
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--dbx]
|
|
||||||
.br
|
|
||||||
+\fBmokutil\fR [--sbat]
|
|
||||||
+.br
|
|
||||||
|
|
||||||
.SH DESCRIPTION
|
|
||||||
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
|
||||||
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
|
|
||||||
\fB--dbx\fR
|
|
||||||
List the keys in the secure boot blacklist signature store (dbx)
|
|
||||||
.TP
|
|
||||||
+\fB--sbat\fR
|
|
||||||
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
|
|
||||||
+.TP
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 16 Jun 2015 17:06:30 -0400
|
||||||
|
Subject: [PATCH] Don't allow sha1 on the mokutil command line.
|
||||||
|
|
||||||
|
Related: rhbz#1115843
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index a7e83f7..1fb34f9 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (len) {
|
||||||
|
+#if 0
|
||||||
|
case SHA_DIGEST_LENGTH*2:
|
||||||
|
*type = efi_guid_sha1;
|
||||||
|
hash_size = SHA_DIGEST_LENGTH;
|
||||||
|
break;
|
||||||
|
+#endif
|
||||||
|
case SHA224_DIGEST_LENGTH*2:
|
||||||
|
*type = efi_guid_sha224;
|
||||||
|
hash_size = SHA224_DIGEST_LENGTH;
|
|
@ -0,0 +1,84 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Lin <glin@suse.com>
|
||||||
|
Date: Wed, 13 Jan 2016 16:05:21 +0800
|
||||||
|
Subject: [PATCH] Make all efi_guid_t const
|
||||||
|
|
||||||
|
All UEFI GUIDs defined in efivar are const. Declare all of them const
|
||||||
|
to make gcc happy.
|
||||||
|
|
||||||
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 1fb34f9..d2c52b4 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
|
||||||
|
}
|
||||||
|
|
||||||
|
static uint32_t
|
||||||
|
-efi_hash_size (efi_guid_t *hash_type)
|
||||||
|
+efi_hash_size (const efi_guid_t *hash_type)
|
||||||
|
{
|
||||||
|
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
|
||||||
|
return SHA_DIGEST_LENGTH;
|
||||||
|
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
|
||||||
|
}
|
||||||
|
|
||||||
|
static uint32_t
|
||||||
|
-signature_size (efi_guid_t *hash_type)
|
||||||
|
+signature_size (const efi_guid_t *hash_type)
|
||||||
|
{
|
||||||
|
uint32_t hash_size;
|
||||||
|
|
||||||
|
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
|
||||||
|
|
||||||
|
/* match the hash in the hash array and return the index if matched */
|
||||||
|
static int
|
||||||
|
-match_hash_array (efi_guid_t *hash_type, const void *hash,
|
||||||
|
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
|
||||||
|
const void *hash_array, const uint32_t array_size)
|
||||||
|
{
|
||||||
|
uint32_t hash_size, hash_count;
|
||||||
|
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
|
||||||
|
- efi_guid_t *type, void *data, uint32_t data_size)
|
||||||
|
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
||||||
|
+ const efi_guid_t *type, void *data, uint32_t data_size)
|
||||||
|
{
|
||||||
|
uint8_t *var_data = NULL;
|
||||||
|
size_t var_data_size = 0;
|
||||||
|
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
|
||||||
|
- efi_guid_t *vendor, const char *db_name)
|
||||||
|
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
|
||||||
|
+ const efi_guid_t *vendor, const char *db_name)
|
||||||
|
{
|
||||||
|
uint8_t *var_data;
|
||||||
|
size_t var_data_size;
|
||||||
|
@@ -1059,7 +1059,7 @@ done:
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||||
|
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||||
|
MokRequest req)
|
||||||
|
{
|
||||||
|
switch (req) {
|
||||||
|
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
|
||||||
|
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
|
||||||
|
MokRequest req)
|
||||||
|
{
|
||||||
|
uint8_t *authvar_data;
|
|
@ -1,257 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Lin <glin@suse.com>
|
|
||||||
Date: Tue, 25 May 2021 12:46:03 +0200
|
|
||||||
Subject: [PATCH] mokutil: remove "--simple-hash"
|
|
||||||
|
|
||||||
The simple-hash password format is used by the very early MokManager and
|
|
||||||
not the default format anymore after we changed to password-crypt.
|
|
||||||
Remove the code to reduce the code size.
|
|
||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 87 +++++------------------------------------------------------
|
|
||||||
1 file changed, 7 insertions(+), 80 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index 252dc7a..563e585 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -76,7 +76,6 @@
|
|
||||||
#define TEST_KEY (1 << 14)
|
|
||||||
#define RESET (1 << 15)
|
|
||||||
#define GENERATE_PW_HASH (1 << 16)
|
|
||||||
-#define SIMPLE_HASH (1 << 17)
|
|
||||||
#define IGNORE_DB (1 << 18)
|
|
||||||
#define USE_DB (1 << 19)
|
|
||||||
#define MOKX (1 << 20)
|
|
||||||
@@ -95,8 +94,6 @@ typedef unsigned long efi_status_t;
|
|
||||||
typedef uint8_t efi_bool_t;
|
|
||||||
typedef wchar_t efi_char16_t; /* UNICODE character */
|
|
||||||
|
|
||||||
-static int use_simple_hash;
|
|
||||||
-
|
|
||||||
typedef enum {
|
|
||||||
DELETE_MOK = 0,
|
|
||||||
ENROLL_MOK,
|
|
||||||
@@ -182,7 +179,6 @@ print_help ()
|
|
||||||
printf ("Supplimentary Options:\n");
|
|
||||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
||||||
printf (" --root-pw\t\t\t\tUse the root password\n");
|
|
||||||
- printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
|
|
||||||
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -814,32 +810,6 @@ error:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-generate_auth (void *new_list, int list_len, char *password,
|
|
||||||
- unsigned int pw_len, uint8_t *auth)
|
|
||||||
-{
|
|
||||||
- efi_char16_t efichar_pass[PASSWORD_MAX+1];
|
|
||||||
- unsigned long efichar_len;
|
|
||||||
- SHA256_CTX ctx;
|
|
||||||
-
|
|
||||||
- if (!password || !auth)
|
|
||||||
- return -1;
|
|
||||||
-
|
|
||||||
- efichar_len = efichar_from_char (efichar_pass, password,
|
|
||||||
- pw_len * sizeof(efi_char16_t));
|
|
||||||
-
|
|
||||||
- SHA256_Init (&ctx);
|
|
||||||
-
|
|
||||||
- if (new_list)
|
|
||||||
- SHA256_Update (&ctx, new_list, list_len);
|
|
||||||
-
|
|
||||||
- SHA256_Update (&ctx, efichar_pass, efichar_len);
|
|
||||||
-
|
|
||||||
- SHA256_Final (auth, &ctx);
|
|
||||||
-
|
|
||||||
- return 0;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static void
|
|
||||||
generate_salt (char salt[], unsigned int salt_size)
|
|
||||||
{
|
|
||||||
@@ -979,7 +949,6 @@ update_request (void *new_list, int list_len, MokRequest req,
|
|
||||||
size_t data_size;
|
|
||||||
const char *req_name, *auth_name;
|
|
||||||
pw_crypt_t pw_crypt;
|
|
||||||
- uint8_t auth[SHA256_DIGEST_LENGTH];
|
|
||||||
char *password = NULL;
|
|
||||||
unsigned int pw_len;
|
|
||||||
int auth_ret;
|
|
||||||
@@ -1028,12 +997,7 @@ update_request (void *new_list, int list_len, MokRequest req,
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!use_simple_hash) {
|
|
||||||
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
|
||||||
- } else {
|
|
||||||
- auth_ret = generate_auth (new_list, list_len, password,
|
|
||||||
- pw_len, auth);
|
|
||||||
- }
|
|
||||||
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
|
||||||
if (auth_ret < 0) {
|
|
||||||
fprintf (stderr, "Couldn't generate hash\n");
|
|
||||||
goto error;
|
|
||||||
@@ -1069,13 +1033,8 @@ update_request (void *new_list, int list_len, MokRequest req,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
|
|
||||||
- if (!use_simple_hash) {
|
|
||||||
- data = (void *)&pw_crypt;
|
|
||||||
- data_size = PASSWORD_CRYPT_SIZE;
|
|
||||||
- } else {
|
|
||||||
- data = (void *)auth;
|
|
||||||
- data_size = SHA256_DIGEST_LENGTH;
|
|
||||||
- }
|
|
||||||
+ data = (void *)&pw_crypt;
|
|
||||||
+ data_size = PASSWORD_CRYPT_SIZE;
|
|
||||||
|
|
||||||
if (efi_set_variable (efi_guid_shim, auth_name, data, data_size,
|
|
||||||
attributes, S_IRUSR | S_IWUSR) < 0) {
|
|
||||||
@@ -1904,26 +1863,16 @@ set_password (const char *hash_file, const int root_pw, const int clear)
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!use_simple_hash) {
|
|
||||||
- pw_crypt.method = DEFAULT_CRYPT_METHOD;
|
|
||||||
- auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
|
||||||
- } else {
|
|
||||||
- auth_ret = generate_auth (NULL, 0, password, pw_len,
|
|
||||||
- auth);
|
|
||||||
- }
|
|
||||||
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
|
|
||||||
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
|
|
||||||
if (auth_ret < 0) {
|
|
||||||
fprintf (stderr, "Couldn't generate hash\n");
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!use_simple_hash) {
|
|
||||||
- data = (void *)&pw_crypt;
|
|
||||||
- data_size = PASSWORD_CRYPT_SIZE;
|
|
||||||
- } else {
|
|
||||||
- data = (void *)auth;
|
|
||||||
- data_size = SHA256_DIGEST_LENGTH;
|
|
||||||
- }
|
|
||||||
+ data = (void *)auth;
|
|
||||||
+ data_size = SHA256_DIGEST_LENGTH;
|
|
||||||
uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
|
||||||
| EFI_VARIABLE_BOOTSERVICE_ACCESS
|
|
||||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
|
||||||
@@ -2301,8 +2250,6 @@ main (int argc, char *argv[])
|
|
||||||
DBName db_name = MOK_LIST_RT;
|
|
||||||
int ret = -1;
|
|
||||||
|
|
||||||
- use_simple_hash = 0;
|
|
||||||
-
|
|
||||||
if (!efi_variables_supported ()) {
|
|
||||||
fprintf (stderr, "EFI variables are not supported on this system\n");
|
|
||||||
exit (1);
|
|
||||||
@@ -2329,7 +2276,6 @@ main (int argc, char *argv[])
|
|
||||||
{"hash-file", required_argument, 0, 'f'},
|
|
||||||
{"generate-hash", optional_argument, 0, 'g'},
|
|
||||||
{"root-pw", no_argument, 0, 'P'},
|
|
||||||
- {"simple-hash", no_argument, 0, 's'},
|
|
||||||
{"ignore-db", no_argument, 0, 0 },
|
|
||||||
{"use-db", no_argument, 0, 0 },
|
|
||||||
{"mok", no_argument, 0, 'm'},
|
|
||||||
@@ -2531,10 +2477,6 @@ main (int argc, char *argv[])
|
|
||||||
case 'x':
|
|
||||||
command |= EXPORT;
|
|
||||||
break;
|
|
||||||
- case 's':
|
|
||||||
- command |= SIMPLE_HASH;
|
|
||||||
- use_simple_hash = 1;
|
|
||||||
- break;
|
|
||||||
case 'm':
|
|
||||||
db_name = MOK_LIST_RT;
|
|
||||||
break;
|
|
||||||
@@ -2555,9 +2497,6 @@ main (int argc, char *argv[])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (use_root_pw == 1 && use_simple_hash == 1)
|
|
||||||
- use_simple_hash = 0;
|
|
||||||
-
|
|
||||||
if (hash_file && use_root_pw)
|
|
||||||
command |= HELP;
|
|
||||||
|
|
||||||
@@ -2593,22 +2532,18 @@ main (int argc, char *argv[])
|
|
||||||
ret = list_keys_in_var ("MokDel", efi_guid_shim);
|
|
||||||
break;
|
|
||||||
case IMPORT:
|
|
||||||
- case IMPORT | SIMPLE_HASH:
|
|
||||||
ret = issue_mok_request (files, total, ENROLL_MOK,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case DELETE:
|
|
||||||
- case DELETE | SIMPLE_HASH:
|
|
||||||
ret = issue_mok_request (files, total, DELETE_MOK,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case IMPORT_HASH:
|
|
||||||
- case IMPORT_HASH | SIMPLE_HASH:
|
|
||||||
ret = issue_hash_request (hash_str, ENROLL_MOK,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case DELETE_HASH:
|
|
||||||
- case DELETE_HASH | SIMPLE_HASH:
|
|
||||||
ret = issue_hash_request (hash_str, DELETE_MOK,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
@@ -2623,11 +2558,9 @@ main (int argc, char *argv[])
|
|
||||||
ret = export_db_keys (db_name);
|
|
||||||
break;
|
|
||||||
case PASSWORD:
|
|
||||||
- case PASSWORD | SIMPLE_HASH:
|
|
||||||
ret = set_password (hash_file, use_root_pw, 0);
|
|
||||||
break;
|
|
||||||
case CLEAR_PASSWORD:
|
|
||||||
- case CLEAR_PASSWORD | SIMPLE_HASH:
|
|
||||||
ret = set_password (NULL, 0, 1);
|
|
||||||
break;
|
|
||||||
case DISABLE_VALIDATION:
|
|
||||||
@@ -2643,7 +2576,6 @@ main (int argc, char *argv[])
|
|
||||||
ret = test_key (ENROLL_MOK, key_file);
|
|
||||||
break;
|
|
||||||
case RESET:
|
|
||||||
- case RESET | SIMPLE_HASH:
|
|
||||||
ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case GENERATE_PW_HASH:
|
|
||||||
@@ -2662,22 +2594,18 @@ main (int argc, char *argv[])
|
|
||||||
ret = list_keys_in_var ("MokXDel", efi_guid_shim);
|
|
||||||
break;
|
|
||||||
case IMPORT | MOKX:
|
|
||||||
- case IMPORT | SIMPLE_HASH | MOKX:
|
|
||||||
ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case DELETE | MOKX:
|
|
||||||
- case DELETE | SIMPLE_HASH | MOKX:
|
|
||||||
ret = issue_mok_request (files, total, DELETE_BLACKLIST,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case IMPORT_HASH | MOKX:
|
|
||||||
- case IMPORT_HASH | SIMPLE_HASH | MOKX:
|
|
||||||
ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case DELETE_HASH | MOKX:
|
|
||||||
- case DELETE_HASH | SIMPLE_HASH | MOKX:
|
|
||||||
ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
|
|
||||||
hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
@@ -2688,7 +2616,6 @@ main (int argc, char *argv[])
|
|
||||||
ret = revoke_request (DELETE_BLACKLIST);
|
|
||||||
break;
|
|
||||||
case RESET | MOKX:
|
|
||||||
- case RESET | SIMPLE_HASH | MOKX:
|
|
||||||
ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
|
|
||||||
break;
|
|
||||||
case TEST_KEY | MOKX:
|
|
|
@ -1,78 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Lin <glin@suse.com>
|
|
||||||
Date: Thu, 27 Aug 2020 14:48:08 +0800
|
|
||||||
Subject: [PATCH] man: remove "--simple-hash"
|
|
||||||
|
|
||||||
Remove "--simple-hash" from the man page.
|
|
||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
|
||||||
---
|
|
||||||
man/mokutil.1 | 19 ++++++-------------
|
|
||||||
1 file changed, 6 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
||||||
index 4462987..1f82ff1 100644
|
|
||||||
--- a/man/mokutil.1
|
|
||||||
+++ b/man/mokutil.1
|
|
||||||
@@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
|
|
||||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s] | [--mokx | -X])
|
|
||||||
+ [--mokx | -X])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
|
|
||||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s] | [--mokx |- X])
|
|
||||||
+ [--mokx |- X])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--revoke-import]
|
|
||||||
([--mokx | -X])
|
|
||||||
@@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
\fBmokutil\fR [--export | -x]
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--password | -p]
|
|
||||||
- ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s])
|
|
||||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--clear-password | -c]
|
|
||||||
- ([--simple-hash | -s])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--disable-validation]
|
|
||||||
.br
|
|
||||||
@@ -47,7 +45,7 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--reset]
|
|
||||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s] | [--mok | -X])
|
|
||||||
+ [--mok | -X])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
|
|
||||||
.br
|
|
||||||
@@ -57,11 +55,11 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--import-hash \fIhash\fR]
|
|
||||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s] | [--mokx | -X])
|
|
||||||
+ [--mokx | -X])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--delete-hash \fIhash\fR]
|
|
||||||
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
||||||
- [--simple-hash | -s] | [--mokx | -X])
|
|
||||||
+ [--mokx | -X])
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
|
||||||
.br
|
|
||||||
@@ -138,11 +136,6 @@ Use the password hash from a specific file
|
|
||||||
\fB-P, --root-pw\fR
|
|
||||||
Use the root password hash from /etc/shadow
|
|
||||||
.TP
|
|
||||||
-\fB-s, --simple-hash\fR
|
|
||||||
-Use the old SHA256 password hash method to hash the password
|
|
||||||
-.br
|
|
||||||
-Note: --root-pw invalidates --simple-hash
|
|
||||||
-.TP
|
|
||||||
\fB--ignore-db\fR
|
|
||||||
Tell shim to not use the keys in db to verify EFI images
|
|
||||||
.TP
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 14 Jun 2016 10:19:43 -0400
|
||||||
|
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index d2c52b4..d554f6c 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
||||||
|
| EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||||
|
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||||
|
ret = efi_set_variable (*var_guid, var_name,
|
||||||
|
- var_data, total, attributes);
|
||||||
|
+ var_data, total, attributes,
|
||||||
|
+ S_IRUSR | S_IWUSR);
|
||||||
|
if (ret < 0) {
|
||||||
|
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
|
||||||
|
var_name);
|
||||||
|
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
|
||||||
|
data_size = list_len;
|
||||||
|
|
||||||
|
if (efi_set_variable (efi_guid_shim, req_name,
|
||||||
|
- data, data_size, attributes) < 0) {
|
||||||
|
+ data, data_size, attributes,
|
||||||
|
+ S_IRUSR | S_IWUSR) < 0) {
|
||||||
|
switch (req) {
|
||||||
|
case ENROLL_MOK:
|
||||||
|
fprintf (stderr, "Failed to enroll new keys\n");
|
|
@ -0,0 +1,95 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 14 Jun 2016 10:20:14 -0400
|
||||||
|
Subject: [PATCH] Add bash completion file.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
configure.ac | 17 +++++++++++++++++
|
||||||
|
Makefile.am | 5 +++++
|
||||||
|
data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 59 insertions(+)
|
||||||
|
create mode 100755 data/mokutil
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 69d412a..7b52a06 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
|
||||||
|
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
|
||||||
|
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
|
||||||
|
|
||||||
|
+AC_ARG_WITH([bash-completion-dir],
|
||||||
|
+ AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
|
||||||
|
+ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
|
||||||
|
+ [],
|
||||||
|
+ [with_bash_completion_dir=yes])
|
||||||
|
+
|
||||||
|
+if test "x$with_bash_completion_dir" = "xyes"; then
|
||||||
|
+ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
|
||||||
|
+ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
|
||||||
|
+ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
|
||||||
|
+else
|
||||||
|
+ BASH_COMPLETION_DIR="$with_bash_completion_dir"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+AC_SUBST([BASH_COMPLETION_DIR])
|
||||||
|
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
|
||||||
|
+
|
||||||
|
AC_CONFIG_FILES([Makefile
|
||||||
|
src/Makefile
|
||||||
|
man/Makefile])
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 9f0d419..c17cc4a 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -1 +1,6 @@
|
||||||
|
SUBDIRS = src man
|
||||||
|
+
|
||||||
|
+if ENABLE_BASH_COMPLETION
|
||||||
|
+ bashcompletiondir = $(BASH_COMPLETION_DIR)
|
||||||
|
+ dist_bashcompletion_DATA = data/mokutil
|
||||||
|
+endif
|
||||||
|
diff --git a/data/mokutil b/data/mokutil
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..800b039
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/data/mokutil
|
||||||
|
@@ -0,0 +1,37 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+_mokutil()
|
||||||
|
+{
|
||||||
|
+ local cur=${COMP_WORDS[COMP_CWORD]}
|
||||||
|
+
|
||||||
|
+ if [[ "$cur" == -* ]]; then
|
||||||
|
+ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
|
||||||
|
+ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
|
||||||
|
+ [[ $COMPREPLY == *= ]] && compopt -o nospace
|
||||||
|
+ return 0
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ case "${COMP_WORDS[COMP_CWORD-1]}" in
|
||||||
|
+ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
|
||||||
|
+ _filedir
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ --import-hash|--delete-hash)
|
||||||
|
+ COMPREPLY=( $( compgen -W "" ) )
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ --set-verbosity)
|
||||||
|
+ COMPREPLY=( $( compgen -W "true false") )
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ --generate-hash|-g)
|
||||||
|
+ COMPREPLY=( $( compgen -o nospace -P= -W "") )
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ *)
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ esac
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+complete -F _mokutil mokutil
|
|
@ -1,95 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
Date: Tue, 25 May 2021 15:22:29 +0200
|
|
||||||
Subject: [PATCH] mokutil: use EVP_Digest()* functions instead of the
|
|
||||||
deprecated SHA1_*()
|
|
||||||
|
|
||||||
The SHA1_*() functions have been deprecated since OpenSSL 3.0, this leads
|
|
||||||
to compile errors when building with -Werror=deprecated-declarations, i.e:
|
|
||||||
|
|
||||||
mokutil.c: In function 'print_x509':
|
|
||||||
mokutil.c:424:9: error: 'SHA1_Init' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
|
|
||||||
424 | SHA1_Init (&ctx);
|
|
||||||
| ^~~~~~~~~
|
|
||||||
...
|
|
||||||
|
|
||||||
instead, the EVP_Digest*() functions could be used. Port to them and avoid
|
|
||||||
these build failures with the latest OpenSSL 3.0 version.
|
|
||||||
|
|
||||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 44 ++++++++++++++++++++++++++++++++++++--------
|
|
||||||
1 file changed, 36 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index 563e585..3fdc791 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -405,8 +405,10 @@ print_x509 (char *cert, int cert_size)
|
|
||||||
{
|
|
||||||
X509 *X509cert;
|
|
||||||
BIO *cert_bio;
|
|
||||||
- SHA_CTX ctx;
|
|
||||||
- uint8_t fingerprint[SHA_DIGEST_LENGTH];
|
|
||||||
+ EVP_MD_CTX *ctx;
|
|
||||||
+ const EVP_MD *md;
|
|
||||||
+ unsigned int md_len;
|
|
||||||
+ unsigned char fingerprint[EVP_MAX_MD_SIZE];
|
|
||||||
|
|
||||||
cert_bio = BIO_new (BIO_s_mem ());
|
|
||||||
BIO_write (cert_bio, cert, cert_size);
|
|
||||||
@@ -418,22 +420,48 @@ print_x509 (char *cert, int cert_size)
|
|
||||||
X509cert = d2i_X509_bio (cert_bio, NULL);
|
|
||||||
if (X509cert == NULL) {
|
|
||||||
fprintf (stderr, "Invalid X509 certificate\n");
|
|
||||||
- return -1;
|
|
||||||
+ goto cleanup_bio;
|
|
||||||
}
|
|
||||||
|
|
||||||
- SHA1_Init (&ctx);
|
|
||||||
- SHA1_Update (&ctx, cert, cert_size);
|
|
||||||
- SHA1_Final (fingerprint, &ctx);
|
|
||||||
+ md = EVP_get_digestbyname ("SHA1");
|
|
||||||
+ if(md == NULL) {
|
|
||||||
+ fprintf (stderr, "Failed to get SHA1 digest\n");
|
|
||||||
+ goto cleanup_bio;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx = EVP_MD_CTX_create ();
|
|
||||||
+ if (ctx == NULL) {
|
|
||||||
+ fprintf (stderr, "Failed to create digest context\n");
|
|
||||||
+ goto cleanup_bio;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!EVP_DigestInit_ex (ctx, md, NULL)) {
|
|
||||||
+ fprintf (stderr, "Failed to initialize digest context\n");
|
|
||||||
+ goto cleanup_ctx;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!EVP_DigestUpdate (ctx, cert, cert_size)) {
|
|
||||||
+ fprintf (stderr, "Failed to hash into the digest context\n");
|
|
||||||
+ goto cleanup_ctx;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) {
|
|
||||||
+ fprintf (stderr, "Failed to get digest value\n");
|
|
||||||
+ goto cleanup_ctx;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
printf ("SHA1 Fingerprint: ");
|
|
||||||
- for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) {
|
|
||||||
+ for (unsigned int i = 0; i < md_len; i++) {
|
|
||||||
printf ("%02x", fingerprint[i]);
|
|
||||||
- if (i < SHA_DIGEST_LENGTH - 1)
|
|
||||||
+ if (i < md_len - 1)
|
|
||||||
printf (":");
|
|
||||||
}
|
|
||||||
printf ("\n");
|
|
||||||
X509_print_fp (stdout, X509cert);
|
|
||||||
|
|
||||||
+cleanup_ctx:
|
|
||||||
+ EVP_MD_CTX_destroy (ctx);
|
|
||||||
+cleanup_bio:
|
|
||||||
BIO_free (cert_bio);
|
|
||||||
|
|
||||||
return 0;
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tyler Hicks <tyhicks@canonical.com>
|
||||||
|
Date: Mon, 20 Jun 2016 11:18:17 -0500
|
||||||
|
Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
|
||||||
|
support
|
||||||
|
|
||||||
|
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index d554f6c..27f1292 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
|
||||||
|
rc = efi_get_variable (efi_guid_global, "SecureBoot",
|
||||||
|
&data, &data_size, &attributes);
|
||||||
|
if (rc < 0) {
|
||||||
|
- fprintf(stderr, "This system does't support Secure Boot\n");
|
||||||
|
+ fprintf(stderr, "This system doesn't support Secure Boot\n");
|
||||||
|
ret = -1;
|
||||||
|
goto out;
|
||||||
|
}
|
|
@ -1,181 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
||||||
Date: Thu, 21 Apr 2022 17:28:07 -0700
|
|
||||||
Subject: [PATCH] SBAT revocation update support
|
|
||||||
|
|
||||||
Control how shim will apply SBAT revocations:
|
|
||||||
|
|
||||||
mokutil --set-sbat-policy latest
|
|
||||||
|
|
||||||
applies the latest SBAT revocations
|
|
||||||
(default behavior)
|
|
||||||
|
|
||||||
mokutil --set-sbat-policy previous
|
|
||||||
|
|
||||||
applies previous SBAT revocations to
|
|
||||||
allow falling back to an older release
|
|
||||||
|
|
||||||
In both of the above cases shim will only apply SBAT revocations that
|
|
||||||
are newer than the ones currently installed.
|
|
||||||
|
|
||||||
mokutil --set-sbat-policy delete
|
|
||||||
|
|
||||||
resets SBAT revocations only if Secure
|
|
||||||
Boot is disabled. This setting does not
|
|
||||||
persist.
|
|
||||||
|
|
||||||
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
||||||
(cherry picked from commit 68f122d79677cf4a8298cf60ab7dc8a7bf43091c)
|
|
||||||
[rharwood: renumbering, new options not present, renamed var]
|
|
||||||
---
|
|
||||||
src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
|
|
||||||
man/mokutil.1 | 14 ++++++++++++--
|
|
||||||
2 files changed, 55 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index 3fdc791..ac158b3 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -84,6 +84,7 @@
|
|
||||||
#define VERBOSITY (1 << 23)
|
|
||||||
#define TIMEOUT (1 << 24)
|
|
||||||
#define LIST_SBAT (1 << 25)
|
|
||||||
+#define SET_SBAT (1 << 27)
|
|
||||||
|
|
||||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
||||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
||||||
@@ -169,12 +170,13 @@ print_help ()
|
|
||||||
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
|
||||||
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
|
||||||
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
|
||||||
++ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
|
|
||||||
++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
|
|
||||||
printf (" --pk\t\t\t\t\tList the keys in PK\n");
|
|
||||||
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
|
||||||
printf (" --db\t\t\t\t\tList the keys in db\n");
|
|
||||||
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
|
||||||
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
|
||||||
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
|
|
||||||
printf ("\n");
|
|
||||||
printf ("Supplimentary Options:\n");
|
|
||||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
||||||
@@ -2261,6 +2263,26 @@ list_db (DBName db_name)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+manage_sbat (const uint8_t sbat_policy)
|
|
||||||
+{
|
|
||||||
+ if (sbat_policy) {
|
|
||||||
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
|
||||||
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
|
||||||
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
|
||||||
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
|
|
||||||
+ (uint8_t *)&sbat_policy,
|
|
||||||
+ sizeof (sbat_policy),
|
|
||||||
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
|
||||||
+ fprintf (stderr, "Failed to set SbatPolicy\n");
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ return test_and_delete_var ("SbatPolicy");
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int
|
|
||||||
main (int argc, char *argv[])
|
|
||||||
{
|
|
||||||
@@ -2275,6 +2297,7 @@ main (int argc, char *argv[])
|
|
||||||
unsigned int command = 0;
|
|
||||||
int use_root_pw = 0;
|
|
||||||
uint8_t verbosity = 0;
|
|
||||||
+ uint8_t sbat_policy = 0;
|
|
||||||
DBName db_name = MOK_LIST_RT;
|
|
||||||
int ret = -1;
|
|
||||||
|
|
||||||
@@ -2311,11 +2334,12 @@ main (int argc, char *argv[])
|
|
||||||
{"import-hash", required_argument, 0, 0 },
|
|
||||||
{"delete-hash", required_argument, 0, 0 },
|
|
||||||
{"set-verbosity", required_argument, 0, 0 },
|
|
||||||
+ {"set-sbat-policy", required_argument, 0, 0 },
|
|
||||||
+ {"list-sbat-revocations", no_argument, 0, 0 },
|
|
||||||
{"pk", no_argument, 0, 0 },
|
|
||||||
{"kek", no_argument, 0, 0 },
|
|
||||||
{"db", no_argument, 0, 0 },
|
|
||||||
{"dbx", no_argument, 0, 0 },
|
|
||||||
- {"sbat", no_argument, 0, 0 },
|
|
||||||
{"timeout", required_argument, 0, 0 },
|
|
||||||
{0, 0, 0, 0}
|
|
||||||
};
|
|
||||||
@@ -2376,6 +2400,20 @@ main (int argc, char *argv[])
|
|
||||||
verbosity = 0;
|
|
||||||
else
|
|
||||||
command |= HELP;
|
|
||||||
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
|
|
||||||
+ command |= SET_SBAT;
|
|
||||||
+ if (strcmp (optarg, "latest") == 0)
|
|
||||||
+ sbat_policy = 1;
|
|
||||||
+ else if (strcmp (optarg, "previous") == 0)
|
|
||||||
+ sbat_policy = 2;
|
|
||||||
+ else if (strcmp (optarg, "delete") == 0)
|
|
||||||
+ sbat_policy = 3;
|
|
||||||
+ else
|
|
||||||
+ command |= HELP;
|
|
||||||
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
|
|
||||||
+ command |= LIST_SBAT;
|
|
||||||
+ } else if (strcmp (option, "sbat") == 0) {
|
|
||||||
+ command |= LIST_SBAT;
|
|
||||||
} else if (strcmp (option, "pk") == 0) {
|
|
||||||
if (db_name != MOK_LIST_RT) {
|
|
||||||
command |= HELP;
|
|
||||||
@@ -2400,8 +2438,6 @@ main (int argc, char *argv[])
|
|
||||||
} else {
|
|
||||||
db_name = DBX;
|
|
||||||
}
|
|
||||||
- } else if (strcmp (option, "sbat") == 0) {
|
|
||||||
- command |= LIST_SBAT;
|
|
||||||
} else if (strcmp (option, "timeout") == 0) {
|
|
||||||
command |= TIMEOUT;
|
|
||||||
timeout = strdup (optarg);
|
|
||||||
@@ -2658,6 +2694,9 @@ main (int argc, char *argv[])
|
|
||||||
case LIST_SBAT:
|
|
||||||
ret = print_var_content ("SBAT", efi_guid_shim);
|
|
||||||
break;
|
|
||||||
+ case SET_SBAT:
|
|
||||||
+ ret = manage_sbat(sbat_policy);
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
print_help ();
|
|
||||||
break;
|
|
||||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
||||||
index 1f82ff1..48fbe25 100644
|
|
||||||
--- a/man/mokutil.1
|
|
||||||
+++ b/man/mokutil.1
|
|
||||||
@@ -71,7 +71,9 @@ mokutil \- utility to manipulate machine owner keys
|
|
||||||
.br
|
|
||||||
\fBmokutil\fR [--dbx]
|
|
||||||
.br
|
|
||||||
-\fBmokutil\fR [--sbat]
|
|
||||||
+\fBmokutil\fR [--list-sbat-revocations]
|
|
||||||
+.br
|
|
||||||
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
|
|
||||||
.br
|
|
||||||
|
|
||||||
.SH DESCRIPTION
|
|
||||||
@@ -168,6 +170,14 @@ List the keys in the secure boot signature store (db)
|
|
||||||
\fB--dbx\fR
|
|
||||||
List the keys in the secure boot blacklist signature store (dbx)
|
|
||||||
.TP
|
|
||||||
-\fB--sbat\fR
|
|
||||||
+\fB--list-sbat-revocations\fR
|
|
||||||
List the entries in the Secure Boot Advanced Targeting store (SBAT)
|
|
||||||
.TP
|
|
||||||
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
|
|
||||||
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
|
|
||||||
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
|
|
||||||
+delete will reset the SBAT revocations to an empty revocation list.
|
|
||||||
+While latest and previous are persistent configuration, delete will be
|
|
||||||
+cleared by shim on the next boot whether or not it succeeds. The default
|
|
||||||
+behavior is for shim to apply the previous revocations.
|
|
||||||
+.TP
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 3 Apr 2017 16:33:38 -0400
|
||||||
|
Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 27f1292..0be9e84 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
||||||
|
|
||||||
|
ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
||||||
|
if (ret < 0) {
|
||||||
|
- if (ret == ENOENT) {
|
||||||
|
+ if (errno == ENOENT) {
|
||||||
|
printf ("%s is empty\n", var_name);
|
||||||
|
return 0;
|
||||||
|
}
|
|
@ -0,0 +1,98 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 15 May 2018 11:20:15 -0400
|
||||||
|
Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
|
||||||
|
strncpy bounds
|
||||||
|
|
||||||
|
New gcc rightly comlplains when we do the following:
|
||||||
|
|
||||||
|
strncpy (dest, src, strlen(src));
|
||||||
|
|
||||||
|
For two reasons:
|
||||||
|
a) it doesn't copy the NUL byte
|
||||||
|
b) it's otherwise the same thing strcpy() would have done
|
||||||
|
|
||||||
|
This patch replaces that with stpncpy (just because it's slightly easier
|
||||||
|
to use) and the real bounds for the destination.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/mokutil.c | 33 ++++++++++++++++++++++-----------
|
||||||
|
1 file changed, 22 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 0be9e84..b508010 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
|
||||||
|
{
|
||||||
|
pw_crypt_t new_crypt;
|
||||||
|
char settings[SETTINGS_LEN];
|
||||||
|
+ char *next;
|
||||||
|
char *crypt_string;
|
||||||
|
const char *prefix;
|
||||||
|
- int hash_len, prefix_len;
|
||||||
|
+ int hash_len, settings_len = sizeof (settings) - 2;
|
||||||
|
|
||||||
|
if (!password || !pw_crypt || password[pw_len] != '\0')
|
||||||
|
return -1;
|
||||||
|
@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
|
||||||
|
prefix = get_crypt_prefix (pw_crypt->method);
|
||||||
|
if (!prefix)
|
||||||
|
return -1;
|
||||||
|
- prefix_len = strlen(prefix);
|
||||||
|
|
||||||
|
pw_crypt->salt_size = get_salt_size (pw_crypt->method);
|
||||||
|
generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
|
||||||
|
|
||||||
|
- strncpy (settings, prefix, prefix_len);
|
||||||
|
- strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
|
||||||
|
- pw_crypt->salt_size);
|
||||||
|
- settings[pw_crypt->salt_size + prefix_len] = '\0';
|
||||||
|
+ memset (settings, 0, sizeof (settings));
|
||||||
|
+ next = stpncpy (settings, prefix, settings_len);
|
||||||
|
+ if (pw_crypt->salt_size > settings_len - (next - settings)) {
|
||||||
|
+ errno = EOVERFLOW;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ next = stpncpy (next, (const char *)pw_crypt->salt,
|
||||||
|
+ pw_crypt->salt_size);
|
||||||
|
+ *next = '\0';
|
||||||
|
|
||||||
|
crypt_string = crypt (password, settings);
|
||||||
|
if (!crypt_string)
|
||||||
|
@@ -1929,10 +1934,11 @@ static int
|
||||||
|
generate_pw_hash (const char *input_pw)
|
||||||
|
{
|
||||||
|
char settings[SETTINGS_LEN];
|
||||||
|
+ char *next;
|
||||||
|
char *password = NULL;
|
||||||
|
char *crypt_string;
|
||||||
|
const char *prefix;
|
||||||
|
- int prefix_len;
|
||||||
|
+ int settings_len = sizeof (settings) - 2;
|
||||||
|
unsigned int pw_len, salt_size;
|
||||||
|
|
||||||
|
if (input_pw) {
|
||||||
|
@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
|
||||||
|
prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
|
||||||
|
if (!prefix)
|
||||||
|
return -1;
|
||||||
|
- prefix_len = strlen(prefix);
|
||||||
|
|
||||||
|
- strncpy (settings, prefix, prefix_len);
|
||||||
|
+ memset (settings, 0, sizeof (settings));
|
||||||
|
+ next = stpncpy (settings, prefix, settings_len);
|
||||||
|
salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
|
||||||
|
- generate_salt ((settings + prefix_len), salt_size);
|
||||||
|
- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
|
||||||
|
+ if (salt_size > settings_len - (next - settings)) {
|
||||||
|
+ errno = EOVERFLOW;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ generate_salt (next, salt_size);
|
||||||
|
+ next += salt_size;
|
||||||
|
+ *next = '\0';
|
||||||
|
|
||||||
|
crypt_string = crypt (password, settings);
|
||||||
|
free (password);
|
|
@ -16,10 +16,10 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
index 8892613..b66c1b8 100644
|
index b508010..ac15c73 100644
|
||||||
--- a/src/mokutil.c
|
--- a/src/mokutil.c
|
||||||
+++ b/src/mokutil.c
|
+++ b/src/mokutil.c
|
||||||
@@ -2011,7 +2011,7 @@ generate_pw_hash (const char *input_pw)
|
@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
|
||||||
char *password = NULL;
|
char *password = NULL;
|
||||||
char *crypt_string;
|
char *crypt_string;
|
||||||
const char *prefix;
|
const char *prefix;
|
|
@ -1,23 +1,25 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
From: Peter Jones <pjones@redhat.com>
|
From: Peter Jones <pjones@redhat.com>
|
||||||
Date: Wed, 17 Mar 2021 14:49:21 +0100
|
Date: Mon, 17 Aug 2020 14:18:31 -0400
|
||||||
Subject: [PATCH] mokutil: add mok-variables parsing support
|
Subject: [PATCH] initial mok-variables code
|
||||||
|
|
||||||
his patch adds support for getting mok variables from
|
This patch adds support for getting mok variables from
|
||||||
/sys/firmware/efi/mok-variables/$NAME , if they are present, as well as
|
/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as
|
||||||
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
|
for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
|
||||||
variables.
|
variables.
|
||||||
|
|
||||||
|
Resolves: rhbz#1868820
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
---
|
---
|
||||||
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
||||||
1 file changed, 151 insertions(+), 24 deletions(-)
|
1 file changed, 151 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
index 0c25ae5..252dc7a 100644
|
index ac15c73..838599c 100644
|
||||||
--- a/src/mokutil.c
|
--- a/src/mokutil.c
|
||||||
+++ b/src/mokutil.c
|
+++ b/src/mokutil.c
|
||||||
@@ -251,6 +251,63 @@ signature_size (const efi_guid_t *hash_type)
|
@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -81,7 +83,7 @@ index 0c25ae5..252dc7a 100644
|
||||||
static MokListNode*
|
static MokListNode*
|
||||||
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||||
{
|
{
|
||||||
@@ -622,25 +679,44 @@ static int
|
@@ -596,25 +653,44 @@ static int
|
||||||
list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
||||||
{
|
{
|
||||||
uint8_t *data = NULL;
|
uint8_t *data = NULL;
|
||||||
|
@ -138,7 +140,7 @@ index 0c25ae5..252dc7a 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@@ -1039,22 +1115,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
|
@ -165,7 +167,7 @@ index 0c25ae5..252dc7a 100644
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
list = build_mok_list (var_data, var_data_size, &node_num);
|
list = build_mok_list (var_data, var_data_size, &node_num);
|
||||||
@@ -1087,11 +1156,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
|
@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
|
||||||
done:
|
done:
|
||||||
if (list)
|
if (list)
|
||||||
free (list);
|
free (list);
|
|
@ -0,0 +1,193 @@
|
||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Fri, 3 Dec 2021 14:18:31 +0100
|
||||||
|
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
|
||||||
|
fallback debugging.
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
|
||||||
|
(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
|
||||||
|
[rharwood: no sb_check, no util renaming]
|
||||||
|
(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f)
|
||||||
|
[rharwood: flags are sparse now]
|
||||||
|
---
|
||||||
|
src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
data/mokutil | 8 +++++++
|
||||||
|
man/mokutil.1 | 10 +++++++++
|
||||||
|
3 files changed, 88 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
|
index 838599c..1cec4e9 100644
|
||||||
|
--- a/src/mokutil.c
|
||||||
|
+++ b/src/mokutil.c
|
||||||
|
@@ -83,6 +83,8 @@
|
||||||
|
#define IMPORT_HASH (1 << 21)
|
||||||
|
#define DELETE_HASH (1 << 22)
|
||||||
|
#define VERBOSITY (1 << 23)
|
||||||
|
+#define FB_VERBOSITY (1 << 25)
|
||||||
|
+#define FB_NOREBOOT (1 << 26)
|
||||||
|
|
||||||
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||||
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
||||||
|
@@ -152,6 +154,8 @@ print_help ()
|
||||||
|
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
||||||
|
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
||||||
|
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
||||||
|
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
|
||||||
|
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
|
||||||
|
printf (" --pk\t\t\t\t\tList the keys in PK\n");
|
||||||
|
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
||||||
|
printf (" --db\t\t\t\t\tList the keys in db\n");
|
||||||
|
@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+set_fallback_verbosity (const uint8_t verbosity)
|
||||||
|
+{
|
||||||
|
+ if (verbosity) {
|
||||||
|
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
||||||
|
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||||
|
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
||||||
|
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
|
||||||
|
+ (uint8_t *)&verbosity, sizeof (verbosity),
|
||||||
|
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
||||||
|
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ return test_and_delete_var ("FALLBACK_VERBOSE");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+set_fallback_noreboot (const uint8_t noreboot)
|
||||||
|
+{
|
||||||
|
+ if (noreboot) {
|
||||||
|
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
||||||
|
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||||
|
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
||||||
|
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
|
||||||
|
+ (uint8_t *)&noreboot, sizeof (noreboot),
|
||||||
|
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
||||||
|
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ return test_and_delete_var ("FB_NO_REBOOT");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static inline int
|
||||||
|
list_db (DBName db_name)
|
||||||
|
{
|
||||||
|
@@ -2169,6 +2213,8 @@ main (int argc, char *argv[])
|
||||||
|
unsigned int command = 0;
|
||||||
|
int use_root_pw = 0;
|
||||||
|
uint8_t verbosity = 0;
|
||||||
|
+ uint8_t fb_verbosity = 0;
|
||||||
|
+ uint8_t fb_noreboot = 0;
|
||||||
|
DBName db_name = MOK_LIST_RT;
|
||||||
|
int ret = -1;
|
||||||
|
|
||||||
|
@@ -2207,6 +2253,8 @@ main (int argc, char *argv[])
|
||||||
|
{"import-hash", required_argument, 0, 0 },
|
||||||
|
{"delete-hash", required_argument, 0, 0 },
|
||||||
|
{"set-verbosity", required_argument, 0, 0 },
|
||||||
|
+ {"set-fallback-verbosity", required_argument, 0, 0 },
|
||||||
|
+ {"set-fallback-noreboot", required_argument, 0, 0 },
|
||||||
|
{"pk", no_argument, 0, 0 },
|
||||||
|
{"kek", no_argument, 0, 0 },
|
||||||
|
{"db", no_argument, 0, 0 },
|
||||||
|
@@ -2270,6 +2318,22 @@ main (int argc, char *argv[])
|
||||||
|
verbosity = 0;
|
||||||
|
else
|
||||||
|
command |= HELP;
|
||||||
|
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
|
||||||
|
+ command |= FB_VERBOSITY;
|
||||||
|
+ if (strcmp (optarg, "true") == 0)
|
||||||
|
+ fb_verbosity = 1;
|
||||||
|
+ else if (strcmp (optarg, "false") == 0)
|
||||||
|
+ fb_verbosity = 0;
|
||||||
|
+ else
|
||||||
|
+ command |= HELP;
|
||||||
|
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
|
||||||
|
+ command |= FB_NOREBOOT;
|
||||||
|
+ if (strcmp (optarg, "true") == 0)
|
||||||
|
+ fb_noreboot = 1;
|
||||||
|
+ else if (strcmp (optarg, "false") == 0)
|
||||||
|
+ fb_noreboot = 0;
|
||||||
|
+ else
|
||||||
|
+ command |= HELP;
|
||||||
|
} else if (strcmp (option, "pk") == 0) {
|
||||||
|
if (db_name != MOK_LIST_RT) {
|
||||||
|
command |= HELP;
|
||||||
|
@@ -2557,6 +2621,12 @@ main (int argc, char *argv[])
|
||||||
|
case VERBOSITY:
|
||||||
|
ret = set_verbosity (verbosity);
|
||||||
|
break;
|
||||||
|
+ case FB_VERBOSITY:
|
||||||
|
+ ret = set_fallback_verbosity (fb_verbosity);
|
||||||
|
+ break;
|
||||||
|
+ case FB_NOREBOOT:
|
||||||
|
+ ret = set_fallback_noreboot (fb_noreboot);
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
print_help ();
|
||||||
|
break;
|
||||||
|
diff --git a/data/mokutil b/data/mokutil
|
||||||
|
index 800b039..af6b6ff 100755
|
||||||
|
--- a/data/mokutil
|
||||||
|
+++ b/data/mokutil
|
||||||
|
@@ -24,6 +24,14 @@ _mokutil()
|
||||||
|
COMPREPLY=( $( compgen -W "true false") )
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
+ --set-fallback-verbosity)
|
||||||
|
+ COMPREPLY=( $( compgen -W "true false") )
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
+ --set-fallback-noreboot)
|
||||||
|
+ COMPREPLY=( $( compgen -W "true false") )
|
||||||
|
+ return 0
|
||||||
|
+ ;;
|
||||||
|
--generate-hash|-g)
|
||||||
|
COMPREPLY=( $( compgen -o nospace -P= -W "") )
|
||||||
|
return 0
|
||||||
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
||||||
|
index 25fe8b4..30dcfb2 100644
|
||||||
|
--- a/man/mokutil.1
|
||||||
|
+++ b/man/mokutil.1
|
||||||
|
@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys
|
||||||
|
.br
|
||||||
|
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
||||||
|
.br
|
||||||
|
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
|
||||||
|
+.br
|
||||||
|
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
|
||||||
|
+.br
|
||||||
|
\fBmokutil\fR [--pk]
|
||||||
|
.br
|
||||||
|
\fBmokutil\fR [--kek]
|
||||||
|
@@ -161,6 +165,12 @@ this is not the password hash.
|
||||||
|
\fB--set-verbosity\fR
|
||||||
|
Set the SHIM_VERBOSE to make shim more or less verbose
|
||||||
|
.TP
|
||||||
|
+\fB--set-fallback-verbosity\fR
|
||||||
|
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
|
||||||
|
+.TP
|
||||||
|
+\fB--set-fallback-noreboot\fR
|
||||||
|
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
|
||||||
|
+.TP
|
||||||
|
\fB--pk\fR
|
||||||
|
List the keys in the public Platform Key (PK)
|
||||||
|
.TP
|
|
@ -1,8 +1,13 @@
|
||||||
Patch0001: 0001-Avoid-taking-pointer-to-packed-struct.patch
|
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
|
||||||
Patch0002: 0002-Fix-a-integer-comparison-sign-issue.patch
|
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
|
||||||
Patch0003: 0003-mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch
|
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
|
||||||
Patch0004: 0004-mokutil-add-mok-variables-parsing-support.patch
|
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
|
||||||
Patch0005: 0005-mokutil-remove-simple-hash.patch
|
Patch0005: 0005-Make-all-efi_guid_t-const.patch
|
||||||
Patch0006: 0006-man-remove-simple-hash.patch
|
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
|
||||||
Patch0007: 0007-mokutil-use-EVP_Digest-functions-instead-of-the-depr.patch
|
Patch0007: 0007-Add-bash-completion-file.patch
|
||||||
Patch0008: 0008-SBAT-revocation-update-support.patch
|
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
|
||||||
|
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
|
||||||
|
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
|
||||||
|
Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
|
||||||
|
Patch0012: 0012-initial-mok-variables-code.patch
|
||||||
|
Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
|
||||||
|
|
|
@ -1,19 +1,17 @@
|
||||||
Name: mokutil
|
Name: mokutil
|
||||||
Version: 0.4.0
|
Version: 0.3.0
|
||||||
Release: 8%{?dist}.1
|
Release: 12%{?dist}
|
||||||
Epoch: 2
|
Epoch: 1
|
||||||
Summary: Tool to manage UEFI Secure Boot MoK Keys
|
Summary: Tool to manage UEFI Secure Boot MoK Keys
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: https://github.com/lcp/mokutil
|
URL: https://github.com/lcp/mokutil
|
||||||
ExclusiveArch: %{ix86} x86_64 aarch64
|
ExclusiveArch: %{ix86} x86_64 aarch64
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: gcc
|
|
||||||
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
|
BuildRequires: autoconf automake gnu-efi git openssl-devel openssl
|
||||||
BuildRequires: efivar-devel >= 31-1
|
BuildRequires: efivar-devel >= 31-1
|
||||||
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
|
Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz
|
||||||
Source1: mokutil.patches
|
Source1: mokutil.patches
|
||||||
Conflicts: shim < 0.8-1%{?dist}
|
Conflicts: shim < 0.8-1%{?dist}
|
||||||
Obsoletes: mokutil < 0.2.0
|
Obsoletes: mokutil <= 1:0.3.0-1
|
||||||
|
|
||||||
%include %{SOURCE1}
|
%include %{SOURCE1}
|
||||||
|
|
||||||
|
@ -50,60 +48,23 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||||
%{_datadir}/bash-completion/completions/mokutil
|
%{_datadir}/bash-completion/completions/mokutil
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Jun 01 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-8.el9_0.1
|
* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 1:0.3.0-12
|
||||||
- Support sbat revocation and setting policy
|
- Add ability to set fallback verbose mode
|
||||||
- Related: CVE-2022-28737
|
- Resolves: #2030704
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
|
* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Bump NVR for brew to build the package
|
||||||
Related: rhbz#1991688
|
Related: rhbz##1907418
|
||||||
|
|
||||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-7
|
* Wed Dec 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-10
|
||||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/
|
||||||
Related: rhbz#1971065
|
as well as attempting to consume numbered mok variables from efivarfs
|
||||||
|
when mok-variables aren't present (pjones)
|
||||||
|
Resolves: rhbz#1907418
|
||||||
|
|
||||||
* Tue May 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-6
|
* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
|
||||||
- Port to OpenSSL 3.0
|
- Minor obsoletes fix
|
||||||
Resolves: rhbz#1958040
|
- Import some fixes from upstream
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-5
|
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
|
||||||
|
|
||||||
* Wed Mar 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-4
|
|
||||||
- Add SBAT and mok-variables support
|
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-1
|
|
||||||
- Update to 0.4.0 release
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.3.0-14
|
|
||||||
- Pull one more upstream patch to keep this in sync with the f31 build.
|
|
||||||
|
|
||||||
* Thu Oct 24 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:0.3.0-14
|
|
||||||
- Apply upstream commits to fix FTBFS
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-12
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-11
|
|
||||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-10
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-9
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
|
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
|
||||||
- Rebuilt for switch to libxcrypt
|
- Rebuilt for switch to libxcrypt
|
||||||
|
|
Loading…
Reference in New Issue