125 lines
3.7 KiB
Diff
125 lines
3.7 KiB
Diff
From 698994102afcbbe16e65930a09e0df5248c4d200 Mon Sep 17 00:00:00 2001
|
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
Date: Wed, 17 Mar 2021 14:38:57 +0100
|
|
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content
|
|
|
|
This variable contains the descriptive form of all the components used by
|
|
the operating systems that ship signed shim binaries. Along with a minimum
|
|
generation number for each component. More information in can be found in
|
|
the UEFI Secure Boot Advanced Targeting (SBAT) specification:
|
|
|
|
https://github.com/rhboot/shim/blob/main/SBAT.md
|
|
|
|
Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
|
|
encoded strings, the data could just be printed without the need to do any
|
|
previous processing.
|
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
---
|
|
man/mokutil.1 | 5 +++++
|
|
src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
|
|
2 files changed, 38 insertions(+)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index 25fe8b433da..446298763ad 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--dbx]
|
|
.br
|
|
+\fBmokutil\fR [--sbat]
|
|
+.br
|
|
|
|
.SH DESCRIPTION
|
|
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
|
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db)
|
|
\fB--dbx\fR
|
|
List the keys in the secure boot blacklist signature store (dbx)
|
|
.TP
|
|
+\fB--sbat\fR
|
|
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
|
|
+.TP
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index b66c1b8b5a7..0c25ae5033d 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -84,6 +84,7 @@
|
|
#define DELETE_HASH (1 << 22)
|
|
#define VERBOSITY (1 << 23)
|
|
#define TIMEOUT (1 << 24)
|
|
+#define LIST_SBAT (1 << 25)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -176,6 +177,7 @@ print_help ()
|
|
printf (" --db\t\t\t\t\tList the keys in db\n");
|
|
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
|
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
|
+ printf (" --sbat\t\t\t\tList the entries in SBAT\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
@@ -1598,6 +1600,31 @@ error:
|
|
return ret;
|
|
}
|
|
|
|
+static int
|
|
+print_var_content (const char *var_name, const efi_guid_t guid)
|
|
+{
|
|
+ uint8_t *data = NULL;
|
|
+ size_t data_size;
|
|
+ uint32_t attributes;
|
|
+ int ret;
|
|
+
|
|
+ ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
|
|
+ if (ret < 0) {
|
|
+ if (errno == ENOENT) {
|
|
+ printf ("%s is empty\n", var_name);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ fprintf (stderr, "Failed to read %s: %m\n", var_name);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ printf ("%s", data);
|
|
+ free (data);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
static int
|
|
revoke_request (MokRequest req)
|
|
{
|
|
@@ -2187,6 +2214,7 @@ main (int argc, char *argv[])
|
|
{"kek", no_argument, 0, 0 },
|
|
{"db", no_argument, 0, 0 },
|
|
{"dbx", no_argument, 0, 0 },
|
|
+ {"sbat", no_argument, 0, 0 },
|
|
{"timeout", required_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
@@ -2271,6 +2299,8 @@ main (int argc, char *argv[])
|
|
} else {
|
|
db_name = DBX;
|
|
}
|
|
+ } else if (strcmp (option, "sbat") == 0) {
|
|
+ command |= LIST_SBAT;
|
|
} else if (strcmp (option, "timeout") == 0) {
|
|
command |= TIMEOUT;
|
|
timeout = strdup (optarg);
|
|
@@ -2543,6 +2573,9 @@ main (int argc, char *argv[])
|
|
case TIMEOUT:
|
|
ret = set_timeout (timeout);
|
|
break;
|
|
+ case LIST_SBAT:
|
|
+ ret = print_var_content ("SBAT", efi_guid_shim);
|
|
+ break;
|
|
default:
|
|
print_help ();
|
|
break;
|
|
--
|
|
2.29.2
|
|
|