From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Wed, 17 Mar 2021 14:38:57 +0100 Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content This variable contains the descriptive form of all the components used by the operating systems that ship signed shim binaries. Along with a minimum generation number for each component. More information in can be found in the UEFI Secure Boot Advanced Targeting (SBAT) specification: https://github.com/rhboot/shim/blob/main/SBAT.md Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8 encoded strings, the data could just be printed without the need to do any previous processing. Signed-off-by: Javier Martinez Canillas --- src/mokutil.c | 33 +++++++++++++++++++++++++++++++++ man/mokutil.1 | 5 +++++ 2 files changed, 38 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index a9d97f4..dba77c9 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -83,6 +83,7 @@ #define DELETE_HASH (1 << 21) #define VERBOSITY (1 << 22) #define TIMEOUT (1 << 23) +#define LIST_SBAT (1 << 24) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX @@ -173,6 +174,7 @@ print_help () printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); + printf (" --sbat\t\t\t\tList the entries in SBAT\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file \t\tUse the specific password hash\n"); @@ -1557,6 +1559,31 @@ error: return ret; } +static int +print_var_content (const char *var_name, const efi_guid_t guid) +{ + uint8_t *data = NULL; + size_t data_size; + uint32_t attributes; + int ret; + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { + if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } + + fprintf (stderr, "Failed to read %s: %m\n", var_name); + return -1; + } + + printf ("%s", data); + free (data); + + return ret; +} + static int revoke_request (MokRequest req) { @@ -2133,6 +2160,7 @@ main (int argc, char *argv[]) {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, + {"sbat", no_argument, 0, 0 }, {"timeout", required_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2217,6 +2245,8 @@ main (int argc, char *argv[]) } else { db_name = DBX; } + } else if (strcmp (option, "sbat") == 0) { + command |= LIST_SBAT; } else if (strcmp (option, "timeout") == 0) { command |= TIMEOUT; timeout = strdup (optarg); @@ -2470,6 +2500,9 @@ main (int argc, char *argv[]) case TIMEOUT: ret = set_timeout (timeout); break; + case LIST_SBAT: + ret = print_var_content ("SBAT", efi_guid_shim); + break; default: print_help (); break; diff --git a/man/mokutil.1 b/man/mokutil.1 index 7cee5da..1f82ff1 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -71,6 +71,8 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--dbx] .br +\fBmokutil\fR [--sbat] +.br .SH DESCRIPTION \fBmokutil\fR is a tool to import or delete the machines owner keys @@ -166,3 +168,6 @@ List the keys in the secure boot signature store (db) \fB--dbx\fR List the keys in the secure boot blacklist signature store (dbx) .TP +\fB--sbat\fR +List the entries in the Secure Boot Advanced Targeting store (SBAT) +.TP