853ac02b9c
Introduce --is-sb-enabled parameter and better return codes. Also show help on unsupported systems. Resolves: #RHEL-90836 Resolves: #RHEL-90839 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
139 lines
4.2 KiB
Diff
139 lines
4.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Leo Sandoval <lsandova@redhat.com>
|
|
Date: Fri, 25 Apr 2025 13:07:10 -0600
|
|
Subject: [PATCH] mokutil: introduce --is-sb-enabled parameter
|
|
|
|
The result would be 0 if SB is enable, 1 otherwise (or -1 in case of
|
|
error). This is a different outcome when using --sb-state, where it
|
|
returns 0 no matter the SB status (or -1 in case of error).
|
|
|
|
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
|
|
---
|
|
man/mokutil.1 | 5 +++++
|
|
src/mokutil.c | 30 ++++++++++++++++++++++++++++--
|
|
2 files changed, 33 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index ccb285c..6b30610 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -40,6 +40,8 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--sb-state]
|
|
.br
|
|
+\fBmokutil\fR [--is-sb-enabled]
|
|
+.br
|
|
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
|
|
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
|
|
.br
|
|
@@ -133,6 +135,9 @@ Enable the validation process in shim
|
|
\fB--sb-state\fR
|
|
Show SecureBoot State
|
|
.TP
|
|
+\fB--is-sb-enabled\fR
|
|
+Indicates if SecureBoot is enabled
|
|
+.TP
|
|
\fB-t, --test-key\fR
|
|
Test if the key is enrolled or not
|
|
.TP
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index e40579b..918ca06 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -89,6 +89,7 @@
|
|
#define UNTRUST_MOK (1 << 28)
|
|
#define SET_SBAT (1 << 29)
|
|
#define SET_SSP (1 << 30)
|
|
+#define IS_SB_ENABLED (1 << 31)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -129,6 +130,7 @@ print_help ()
|
|
printf (" --disable-validation\t\t\tDisable signature validation\n");
|
|
printf (" --enable-validation\t\t\tEnable signature validation\n");
|
|
printf (" --sb-state\t\t\t\tShow SecureBoot State\n");
|
|
+ printf (" --is-sb-enabled\t\t\tIndicates if SecureBoot is enabled or not\n");
|
|
printf (" --test-key, -t <der file>\t\tTest if the key is enrolled or not\n");
|
|
printf (" --reset\t\t\t\tReset MOK list\n");
|
|
printf (" --generate-hash[=password], -g\tGenerate the password hash\n");
|
|
@@ -1400,7 +1402,7 @@ enable_validation(void)
|
|
}
|
|
|
|
static int
|
|
-sb_state ()
|
|
+sb_state_internal ()
|
|
{
|
|
uint8_t *data = NULL;
|
|
size_t data_size;
|
|
@@ -1408,6 +1410,7 @@ sb_state ()
|
|
int32_t secureboot = -1;
|
|
int32_t setupmode = -1;
|
|
int32_t moksbstate = -1;
|
|
+ int ret = 0;
|
|
|
|
if (efi_get_variable (efi_guid_global, "SecureBoot", &data, &data_size,
|
|
&attributes) < 0) {
|
|
@@ -1453,17 +1456,34 @@ sb_state ()
|
|
|
|
if (secureboot == 1 && setupmode == 0) {
|
|
printf ("SecureBoot enabled\n");
|
|
+ ret = 0;
|
|
if (moksbstate == 1)
|
|
printf ("SecureBoot validation is disabled in shim\n");
|
|
} else if (secureboot == 0 || setupmode == 1) {
|
|
printf ("SecureBoot disabled\n");
|
|
+ ret = 1;
|
|
if (setupmode == 1)
|
|
printf ("Platform is in Setup Mode\n");
|
|
} else {
|
|
printf ("Cannot determine secure boot state.\n");
|
|
}
|
|
|
|
- return 0;
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static int
|
|
+sb_state ()
|
|
+{
|
|
+ int ret = sb_state_internal ();
|
|
+
|
|
+ /* in this case, ignore the ret value except on failure */
|
|
+ return (ret < 0)? ret: 0;
|
|
+}
|
|
+
|
|
+static int
|
|
+is_sb_enabled ()
|
|
+{
|
|
+ return sb_state_internal ();
|
|
}
|
|
|
|
static inline int
|
|
@@ -1855,6 +1875,7 @@ main (int argc, char *argv[])
|
|
{"disable-validation", no_argument, 0, 0 },
|
|
{"enable-validation", no_argument, 0, 0 },
|
|
{"sb-state", no_argument, 0, 0 },
|
|
+ {"is-sb-enabled", no_argument, 0, 0 },
|
|
{"test-key", required_argument, 0, 't'},
|
|
{"reset", no_argument, 0, 0 },
|
|
{"hash-file", required_argument, 0, 'f'},
|
|
@@ -1908,6 +1929,8 @@ main (int argc, char *argv[])
|
|
command |= ENABLE_VALIDATION;
|
|
} else if (strcmp (option, "sb-state") == 0) {
|
|
command |= SB_STATE;
|
|
+ } else if (strcmp (option, "is-sb-enabled") == 0) {
|
|
+ command |= IS_SB_ENABLED;
|
|
} else if (strcmp (option, "reset") == 0) {
|
|
command |= RESET;
|
|
} else if (strcmp (option, "ignore-db") == 0) {
|
|
@@ -2258,6 +2281,9 @@ main (int argc, char *argv[])
|
|
case SB_STATE:
|
|
ret = sb_state ();
|
|
break;
|
|
+ case IS_SB_ENABLED:
|
|
+ ret = is_sb_enabled ();
|
|
+ break;
|
|
case TEST_KEY:
|
|
ret = test_key (ENROLL_MOK, key_file);
|
|
break;
|