From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jan Setje-Eilers Date: Thu, 21 Apr 2022 17:28:07 -0700 Subject: [PATCH] SBAT revocation update support Control how shim will apply SBAT revocations: mokutil --set-sbat-policy latest applies the latest SBAT revocations (default behavior) mokutil --set-sbat-policy previous applies previous SBAT revocations to allow falling back to an older release In both of the above cases shim will only apply SBAT revocations that are newer than the ones currently installed. mokutil --set-sbat-policy delete resets SBAT revocations only if Secure Boot is disabled. This setting does not persist. Signed-off-by: Jan Setje-Eilers (cherry picked from commit 68f122d79677cf4a8298cf60ab7dc8a7bf43091c) [rharwood: renumbering, new options not present, renamed var] --- src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++---- man/mokutil.1 | 14 ++++++++++++-- 2 files changed, 55 insertions(+), 6 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index 3fdc791..ac158b3 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -84,6 +84,7 @@ #define VERBOSITY (1 << 23) #define TIMEOUT (1 << 24) #define LIST_SBAT (1 << 25) +#define SET_SBAT (1 << 27) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX @@ -169,12 +170,13 @@ print_help () printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); ++ printf (" --set-sbat-policy \t\tApply Latest, Previous, or Blank SBAT revocations\n"); ++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n"); printf (" --pk\t\t\t\t\tList the keys in PK\n"); printf (" --kek\t\t\t\t\tList the keys in KEK\n"); printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); - printf (" --sbat\t\t\t\tList the entries in SBAT\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file \t\tUse the specific password hash\n"); @@ -2261,6 +2263,26 @@ list_db (DBName db_name) return -1; } +static int +manage_sbat (const uint8_t sbat_policy) +{ + if (sbat_policy) { + uint32_t attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + if (efi_set_variable (efi_guid_shim, "SbatPolicy", + (uint8_t *)&sbat_policy, + sizeof (sbat_policy), + attributes, S_IRUSR | S_IWUSR) < 0) { + fprintf (stderr, "Failed to set SbatPolicy\n"); + return -1; + } + } else { + return test_and_delete_var ("SbatPolicy"); + } + return 0; +} + int main (int argc, char *argv[]) { @@ -2275,6 +2297,7 @@ main (int argc, char *argv[]) unsigned int command = 0; int use_root_pw = 0; uint8_t verbosity = 0; + uint8_t sbat_policy = 0; DBName db_name = MOK_LIST_RT; int ret = -1; @@ -2311,11 +2334,12 @@ main (int argc, char *argv[]) {"import-hash", required_argument, 0, 0 }, {"delete-hash", required_argument, 0, 0 }, {"set-verbosity", required_argument, 0, 0 }, + {"set-sbat-policy", required_argument, 0, 0 }, + {"list-sbat-revocations", no_argument, 0, 0 }, {"pk", no_argument, 0, 0 }, {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, - {"sbat", no_argument, 0, 0 }, {"timeout", required_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2376,6 +2400,20 @@ main (int argc, char *argv[]) verbosity = 0; else command |= HELP; + } else if (strcmp (option, "set-sbat-policy") == 0) { + command |= SET_SBAT; + if (strcmp (optarg, "latest") == 0) + sbat_policy = 1; + else if (strcmp (optarg, "previous") == 0) + sbat_policy = 2; + else if (strcmp (optarg, "delete") == 0) + sbat_policy = 3; + else + command |= HELP; + } else if (strcmp (option, "list-sbat-revocations") == 0) { + command |= LIST_SBAT; + } else if (strcmp (option, "sbat") == 0) { + command |= LIST_SBAT; } else if (strcmp (option, "pk") == 0) { if (db_name != MOK_LIST_RT) { command |= HELP; @@ -2400,8 +2438,6 @@ main (int argc, char *argv[]) } else { db_name = DBX; } - } else if (strcmp (option, "sbat") == 0) { - command |= LIST_SBAT; } else if (strcmp (option, "timeout") == 0) { command |= TIMEOUT; timeout = strdup (optarg); @@ -2658,6 +2694,9 @@ main (int argc, char *argv[]) case LIST_SBAT: ret = print_var_content ("SBAT", efi_guid_shim); break; + case SET_SBAT: + ret = manage_sbat(sbat_policy); + break; default: print_help (); break; diff --git a/man/mokutil.1 b/man/mokutil.1 index 1f82ff1..48fbe25 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -71,7 +71,9 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--dbx] .br -\fBmokutil\fR [--sbat] +\fBmokutil\fR [--list-sbat-revocations] +.br +\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)] .br .SH DESCRIPTION @@ -168,6 +170,14 @@ List the keys in the secure boot signature store (db) \fB--dbx\fR List the keys in the secure boot blacklist signature store (dbx) .TP -\fB--sbat\fR +\fB--list-sbat-revocations\fR List the entries in the Secure Boot Advanced Targeting store (SBAT) .TP +\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR +Set the SbatPolicy UEFI Variable to have shim apply either the latest +or the previous SBAT revocations. If UEFI Secure Boot is disabled, then +delete will reset the SBAT revocations to an empty revocation list. +While latest and previous are persistent configuration, delete will be +cleared by shim on the next boot whether or not it succeeds. The default +behavior is for shim to apply the previous revocations. +.TP