From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Renaud=20M=C3=A9trich?= Date: Fri, 3 Dec 2021 14:18:31 +0100 Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases fallback debugging. Signed-off-by: Renaud Métrich (cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e) --- src/mokutil.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- data/mokutil | 8 +++++++ man/mokutil.1 | 10 ++++++++ 3 files changed, 90 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index 787b85e..e1bd0e3 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -83,6 +83,8 @@ #define VERBOSITY (1 << 22) #define TIMEOUT (1 << 23) #define LIST_SBAT (1 << 24) +#define FB_VERBOSITY (1 << 25) +#define FB_NOREBOOT (1 << 26) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX @@ -127,6 +129,8 @@ print_help () printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); + printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); + printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); printf (" --pk\t\t\t\t\tList the keys in PK\n"); printf (" --kek\t\t\t\t\tList the keys in KEK\n"); printf (" --db\t\t\t\t\tList the keys in db\n"); @@ -1672,6 +1676,46 @@ set_verbosity (const uint8_t verbosity) return 0; } +static int +set_fallback_verbosity (const uint8_t verbosity) +{ + if (verbosity) { + uint32_t attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", + (uint8_t *)&verbosity, sizeof (verbosity), + attributes, S_IRUSR | S_IWUSR) < 0) { + fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); + return -1; + } + } else { + return test_and_delete_mok_var ("FALLBACK_VERBOSE"); + } + + return 0; +} + +static int +set_fallback_noreboot (const uint8_t noreboot) +{ + if (noreboot) { + uint32_t attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", + (uint8_t *)&noreboot, sizeof (noreboot), + attributes, S_IRUSR | S_IWUSR) < 0) { + fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); + return -1; + } + } else { + return test_and_delete_mok_var ("FB_NO_REBOOT"); + } + + return 0; +} + static inline int list_db (const DBName db_name) { @@ -1707,6 +1751,8 @@ main (int argc, char *argv[]) unsigned int command = 0; int use_root_pw = 0; uint8_t verbosity = 0; + uint8_t fb_verbosity = 0; + uint8_t fb_noreboot = 0; DBName db_name = MOK_LIST_RT; int ret = -1; int sb_check; @@ -1747,6 +1793,8 @@ main (int argc, char *argv[]) {"import-hash", required_argument, 0, 0 }, {"delete-hash", required_argument, 0, 0 }, {"set-verbosity", required_argument, 0, 0 }, + {"set-fallback-verbosity", required_argument, 0, 0 }, + {"set-fallback-noreboot", required_argument, 0, 0 }, {"pk", no_argument, 0, 0 }, {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, @@ -1815,6 +1863,22 @@ main (int argc, char *argv[]) verbosity = 0; else command |= HELP; + } else if (strcmp (option, "set-fallback-verbosity") == 0) { + command |= FB_VERBOSITY; + if (strcmp (optarg, "true") == 0) + fb_verbosity = 1; + else if (strcmp (optarg, "false") == 0) + fb_verbosity = 0; + else + command |= HELP; + } else if (strcmp (option, "set-fallback-noreboot") == 0) { + command |= FB_NOREBOOT; + if (strcmp (optarg, "true") == 0) + fb_noreboot = 1; + else if (strcmp (optarg, "false") == 0) + fb_noreboot = 0; + else + command |= HELP; } else if (strcmp (option, "pk") == 0) { if (db_name != MOK_LIST_RT) { command |= HELP; @@ -1978,7 +2042,8 @@ main (int argc, char *argv[]) command |= LIST_ENROLLED; sb_check = !(command & HELP || command & TEST_KEY || - command & VERBOSITY || command & TIMEOUT); + command & VERBOSITY || command & TIMEOUT || + command & FB_VERBOSITY || command & FB_NOREBOOT); if (sb_check) { /* Check whether the machine supports Secure Boot or not */ int rc; @@ -2100,6 +2165,12 @@ main (int argc, char *argv[]) case VERBOSITY: ret = set_verbosity (verbosity); break; + case FB_VERBOSITY: + ret = set_fallback_verbosity (fb_verbosity); + break; + case FB_NOREBOOT: + ret = set_fallback_noreboot (fb_noreboot); + break; case TIMEOUT: ret = set_timeout (timeout); break; diff --git a/data/mokutil b/data/mokutil index cf50606..b6ee859 100755 --- a/data/mokutil +++ b/data/mokutil @@ -24,6 +24,14 @@ _mokutil() COMPREPLY=( $( compgen -W "true false") ) return 0 ;; + --set-fallback-verbosity) + COMPREPLY=( $( compgen -W "true false") ) + return 0 + ;; + --set-fallback-noreboot) + COMPREPLY=( $( compgen -W "true false") ) + return 0 + ;; --generate-hash|-g) COMPREPLY=( $( compgen -o nospace -P= -W "") ) return 0 diff --git a/man/mokutil.1 b/man/mokutil.1 index 11804af..2ea081f 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] .br +\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] +.br +\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] +.br \fBmokutil\fR [--pk] .br \fBmokutil\fR [--kek] @@ -158,6 +162,12 @@ this is not the password hash. \fB--set-verbosity\fR Set the SHIM_VERBOSE to make shim more or less verbose .TP +\fB--set-fallback-verbosity\fR +Set the FALLBACK_VERBOSE to make fallback more or less verbose +.TP +\fB--set-fallback-noreboot\fR +Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system +.TP \fB--pk\fR List the keys in the public Platform Key (PK) .TP