Tool to manage UEFI Secure Boot MoK Keys
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

124 lines
3.7 KiB

From 698994102afcbbe16e65930a09e0df5248c4d200 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 17 Mar 2021 14:38:57 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
This variable contains the descriptive form of all the components used by
the operating systems that ship signed shim binaries. Along with a minimum
generation number for each component. More information in can be found in
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
https://github.com/rhboot/shim/blob/main/SBAT.md
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
encoded strings, the data could just be printed without the need to do any
previous processing.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
man/mokutil.1 | 5 +++++
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b433da..446298763ad 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--sbat]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index b66c1b8b5a7..0c25ae5033d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -84,6 +84,7 @@
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
#define TIMEOUT (1 << 24)
+#define LIST_SBAT (1 << 25)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -176,6 +177,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1598,6 +1600,31 @@ error:
return ret;
}
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+ uint8_t *data = NULL;
+ size_t data_size;
+ uint32_t attributes;
+ int ret;
+
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ if (ret < 0) {
+ if (errno == ENOENT) {
+ printf ("%s is empty\n", var_name);
+ return 0;
+ }
+
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
+ return -1;
+ }
+
+ printf ("%s", data);
+ free (data);
+
+ return ret;
+}
+
static int
revoke_request (MokRequest req)
{
@@ -2187,6 +2214,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2271,6 +2299,8 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
+ } else if (strcmp (option, "sbat") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
@@ -2543,6 +2573,9 @@ main (int argc, char *argv[])
case TIMEOUT:
ret = set_timeout (timeout);
break;
+ case LIST_SBAT:
+ ret = print_var_content ("SBAT", efi_guid_shim);
+ break;
default:
print_help ();
break;
--
2.29.2