You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
181 lines
6.1 KiB
181 lines
6.1 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
|
Date: Thu, 21 Apr 2022 17:28:07 -0700
|
|
Subject: [PATCH] SBAT revocation update support
|
|
|
|
Control how shim will apply SBAT revocations:
|
|
|
|
mokutil --set-sbat-policy latest
|
|
|
|
applies the latest SBAT revocations
|
|
(default behavior)
|
|
|
|
mokutil --set-sbat-policy previous
|
|
|
|
applies previous SBAT revocations to
|
|
allow falling back to an older release
|
|
|
|
In both of the above cases shim will only apply SBAT revocations that
|
|
are newer than the ones currently installed.
|
|
|
|
mokutil --set-sbat-policy delete
|
|
|
|
resets SBAT revocations only if Secure
|
|
Boot is disabled. This setting does not
|
|
persist.
|
|
|
|
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
(cherry picked from commit 68f122d79677cf4a8298cf60ab7dc8a7bf43091c)
|
|
[rharwood: renumbering, new options not present, renamed var]
|
|
---
|
|
src/mokutil.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
|
|
man/mokutil.1 | 14 ++++++++++++--
|
|
2 files changed, 55 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 3fdc791..ac158b3 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -84,6 +84,7 @@
|
|
#define VERBOSITY (1 << 23)
|
|
#define TIMEOUT (1 << 24)
|
|
#define LIST_SBAT (1 << 25)
|
|
+#define SET_SBAT (1 << 27)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -169,12 +170,13 @@ print_help ()
|
|
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
|
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
|
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
|
++ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
|
|
++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
|
|
printf (" --pk\t\t\t\t\tList the keys in PK\n");
|
|
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
|
printf (" --db\t\t\t\t\tList the keys in db\n");
|
|
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
|
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
|
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
@@ -2261,6 +2263,26 @@ list_db (DBName db_name)
|
|
return -1;
|
|
}
|
|
|
|
+static int
|
|
+manage_sbat (const uint8_t sbat_policy)
|
|
+{
|
|
+ if (sbat_policy) {
|
|
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
|
|
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
|
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
|
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
|
|
+ (uint8_t *)&sbat_policy,
|
|
+ sizeof (sbat_policy),
|
|
+ attributes, S_IRUSR | S_IWUSR) < 0) {
|
|
+ fprintf (stderr, "Failed to set SbatPolicy\n");
|
|
+ return -1;
|
|
+ }
|
|
+ } else {
|
|
+ return test_and_delete_var ("SbatPolicy");
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
int
|
|
main (int argc, char *argv[])
|
|
{
|
|
@@ -2275,6 +2297,7 @@ main (int argc, char *argv[])
|
|
unsigned int command = 0;
|
|
int use_root_pw = 0;
|
|
uint8_t verbosity = 0;
|
|
+ uint8_t sbat_policy = 0;
|
|
DBName db_name = MOK_LIST_RT;
|
|
int ret = -1;
|
|
|
|
@@ -2311,11 +2334,12 @@ main (int argc, char *argv[])
|
|
{"import-hash", required_argument, 0, 0 },
|
|
{"delete-hash", required_argument, 0, 0 },
|
|
{"set-verbosity", required_argument, 0, 0 },
|
|
+ {"set-sbat-policy", required_argument, 0, 0 },
|
|
+ {"list-sbat-revocations", no_argument, 0, 0 },
|
|
{"pk", no_argument, 0, 0 },
|
|
{"kek", no_argument, 0, 0 },
|
|
{"db", no_argument, 0, 0 },
|
|
{"dbx", no_argument, 0, 0 },
|
|
- {"sbat", no_argument, 0, 0 },
|
|
{"timeout", required_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
@@ -2376,6 +2400,20 @@ main (int argc, char *argv[])
|
|
verbosity = 0;
|
|
else
|
|
command |= HELP;
|
|
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
|
|
+ command |= SET_SBAT;
|
|
+ if (strcmp (optarg, "latest") == 0)
|
|
+ sbat_policy = 1;
|
|
+ else if (strcmp (optarg, "previous") == 0)
|
|
+ sbat_policy = 2;
|
|
+ else if (strcmp (optarg, "delete") == 0)
|
|
+ sbat_policy = 3;
|
|
+ else
|
|
+ command |= HELP;
|
|
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
|
|
+ command |= LIST_SBAT;
|
|
+ } else if (strcmp (option, "sbat") == 0) {
|
|
+ command |= LIST_SBAT;
|
|
} else if (strcmp (option, "pk") == 0) {
|
|
if (db_name != MOK_LIST_RT) {
|
|
command |= HELP;
|
|
@@ -2400,8 +2438,6 @@ main (int argc, char *argv[])
|
|
} else {
|
|
db_name = DBX;
|
|
}
|
|
- } else if (strcmp (option, "sbat") == 0) {
|
|
- command |= LIST_SBAT;
|
|
} else if (strcmp (option, "timeout") == 0) {
|
|
command |= TIMEOUT;
|
|
timeout = strdup (optarg);
|
|
@@ -2658,6 +2694,9 @@ main (int argc, char *argv[])
|
|
case LIST_SBAT:
|
|
ret = print_var_content ("SBAT", efi_guid_shim);
|
|
break;
|
|
+ case SET_SBAT:
|
|
+ ret = manage_sbat(sbat_policy);
|
|
+ break;
|
|
default:
|
|
print_help ();
|
|
break;
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index 1f82ff1..48fbe25 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -71,7 +71,9 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--dbx]
|
|
.br
|
|
-\fBmokutil\fR [--sbat]
|
|
+\fBmokutil\fR [--list-sbat-revocations]
|
|
+.br
|
|
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
|
|
.br
|
|
|
|
.SH DESCRIPTION
|
|
@@ -168,6 +170,14 @@ List the keys in the secure boot signature store (db)
|
|
\fB--dbx\fR
|
|
List the keys in the secure boot blacklist signature store (dbx)
|
|
.TP
|
|
-\fB--sbat\fR
|
|
+\fB--list-sbat-revocations\fR
|
|
List the entries in the Secure Boot Advanced Targeting store (SBAT)
|
|
.TP
|
|
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
|
|
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
|
|
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
|
|
+delete will reset the SBAT revocations to an empty revocation list.
|
|
+While latest and previous are persistent configuration, delete will be
|
|
+cleared by shim on the next boot whether or not it succeeds. The default
|
|
+behavior is for shim to apply the previous revocations.
|
|
+.TP
|
|
|