From 698994102afcbbe16e65930a09e0df5248c4d200 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas
Date: Wed, 17 Mar 2021 14:38:57 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
This variable contains the descriptive form of all the components used by the operating systems that ship signed shim binaries. Along with a minimum generation number for each component. More information in can be found in the UEFI Secure Boot Advanced Targeting (SBAT) specification: https://github.com/rhboot/shim/blob/main/SBAT.md Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8 encoded strings, the data could just be printed without the need to do any previous processing.
Signed-off-by: Javier Martinez Canillas
---
 man/mokutil.1 | 5 +++++
 src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b433da..446298763ad 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
 .br
 \fBmokutil\fR [--dbx]
 .br
+\fBmokutil\fR [--sbat]
+.br
 .SH DESCRIPTION
 \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
 \fB--dbx\fR
 List the keys in the secure boot blacklist signature store (dbx)
 .TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8b5a7..0c25ae5033d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,7 @@
 #define DELETE_HASH (1 << 22)
 #define VERBOSITY (1 << 23)
 #define TIMEOUT (1 << 24)
+#define LIST_SBAT (1 << 25)
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -176,6 +177,7 @@ print_help ()
 printf (" --db\t\t\t\t\tList the keys in db\n");
 printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
 printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
 printf ("\n");
 printf ("Supplimentary Options:\n");
 printf (" --hash-file \t\tUse the specific password hash\n");
@@ -1598,6 +1600,31 @@ error:
 return ret;
 }
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
 static int
 revoke_request (MokRequest req)
 {
@@ -2187,6 +2214,7 @@ main (int argc, char *argv[])
 {"kek", no_argument, 0, 0 },
 {"db", no_argument, 0, 0 },
 {"dbx", no_argument, 0, 0 },
+ {"sbat", no_argument, 0, 0 },
 {"timeout", required_argument, 0, 0 },
 {0, 0, 0, 0}
 };
@@ -2271,6 +2299,8 @@ main (int argc, char *argv[])
 } else {
 db_name = DBX;
 }
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
 } else if (strcmp (option, "timeout") == 0) {
 command |= TIMEOUT;
 timeout = strdup (optarg);
@@ -2543,6 +2573,9 @@ main (int argc, char *argv[])
 case TIMEOUT:
 ret = set_timeout (timeout);
 break;
+ case LIST_SBAT:
+ ret = print_var_content ("SBAT", efi_guid_shim);
+ break;
 default:
 print_help ();
 break;
-- 
2.29.2
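Review bot: `printf ("%s", data)` in print_var_content treats the variable payload as a NUL-terminated string, but the buffer efi_get_variable hands back is sized by `data_size`, not by a terminator, so the read can run past the allocation when the firmware-provided content lacks a trailing NUL (and `data_size` is otherwise unused in the function). Bounding the output by the returned length, `fwrite (data, 1, data_size, stdout);`, keeps the print inside the buffer and also covers a zero-length variable without a special case. The commit message relies on the SBAT spec saying the content is UTF-8 CSV, but the tool cannot check that before printing, so whatever bytes the variable holds reach the terminal unfiltered; that is presumably acceptable for a diagnostic tool, but worth stating. A comment on the print line naming the assumption would help, e.g. `/* SBAT is CSV UTF-8 per spec; print raw, bounded by data_size */`.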