Compare commits
1 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| c87f49f78e |
BIN
0.6.0.tar.gz
LFS
Normal file
BIN
0.6.0.tar.gz
LFS
Normal file
Binary file not shown.
BIN
0.7.2.tar.gz
LFS
BIN
0.7.2.tar.gz
LFS
Binary file not shown.
149
modhash
Normal file
149
modhash
Normal file
@@ -0,0 +1,149 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Calculate the digest of the kernel module
|
||||
# It will strip kernel modules signature before calculation.
|
||||
#
|
||||
# Based on modsign-verify, written by Michal Marek
|
||||
# Authors:
|
||||
# Gary Lin <GLin@suse.com>
|
||||
# Joey Lee <JLee@suse.com>
|
||||
#
|
||||
|
||||
my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use IPC::Open2;
|
||||
use Getopt::Long;
|
||||
use File::Temp qw(tempfile);
|
||||
|
||||
my $verbose = 1;
|
||||
my $dgst = "sha256";
|
||||
GetOptions(
|
||||
"d=s" => \$dgst,
|
||||
"q|quiet" => sub { $verbose-- if $verbose; },
|
||||
"v|verbose" => sub { $verbose++; },
|
||||
"h|help" => sub {
|
||||
print $USAGE;
|
||||
exit(0);
|
||||
}
|
||||
) or die($USAGE);
|
||||
|
||||
sub _verbose {
|
||||
my $level = shift;
|
||||
|
||||
return if $verbose < $level;
|
||||
print STDERR @_;
|
||||
}
|
||||
|
||||
sub info { _verbose(1, @_); }
|
||||
sub verbose { _verbose(2, @_); }
|
||||
sub debug { _verbose(3, @_); }
|
||||
|
||||
if (@ARGV > 1) {
|
||||
print STDERR "Excess arguments\n";
|
||||
die($USAGE);
|
||||
} elsif (@ARGV < 1) {
|
||||
print STDERR "No module supplied\n";
|
||||
die($USAGE);
|
||||
}
|
||||
my $module_name = shift(@ARGV);
|
||||
|
||||
if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and
|
||||
$dgst ne "sha384" and $dgst ne "sha512") {
|
||||
die("unsupported algorithm: $dgst");
|
||||
}
|
||||
|
||||
#
|
||||
# Function to read the contents of a file into a variable.
|
||||
#
|
||||
sub read_file($)
|
||||
{
|
||||
my ($file) = @_;
|
||||
my $contents;
|
||||
my $len;
|
||||
|
||||
open(FD, "<$file") || die $file;
|
||||
binmode FD;
|
||||
my @st = stat(FD);
|
||||
die $file if (!@st);
|
||||
$len = read(FD, $contents, $st[7]) || die $file;
|
||||
close(FD) || die $file;
|
||||
die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
|
||||
if ($len != $st[7]);
|
||||
return $contents;
|
||||
}
|
||||
|
||||
sub openssl_pipe($$) {
|
||||
my ($input, $cmd) = @_;
|
||||
my ($pid, $res);
|
||||
|
||||
$pid = open2(*read_from, *write_to, $cmd) || die $cmd;
|
||||
binmode write_to;
|
||||
if (defined($input) && $input ne "") {
|
||||
print write_to $input || die "$cmd: $!";
|
||||
}
|
||||
close(write_to) || die "$cmd: $!";
|
||||
|
||||
binmode read_from;
|
||||
read(read_from, $res, 4096) || die "$cmd: $!";
|
||||
close(read_from) || die "$cmd: $!";
|
||||
waitpid($pid, 0) || die;
|
||||
die "$cmd died: $?" if ($? >> 8);
|
||||
return $res;
|
||||
}
|
||||
|
||||
my $module = read_file($module_name);
|
||||
my $module_len = length($module);
|
||||
my $magic_number = "~Module signature appended~\n";
|
||||
my $magic_len = length($magic_number);
|
||||
my $info_len = 12;
|
||||
|
||||
if ($module_len < $magic_len) {
|
||||
die "Module size too short\n";
|
||||
}
|
||||
|
||||
sub eat
|
||||
{
|
||||
my $length = shift;
|
||||
if ($module_len < $length) {
|
||||
die "Module size too short\n";
|
||||
}
|
||||
my $res = substr($module, -$length);
|
||||
$module = substr($module, 0, $module_len - $length);
|
||||
$module_len -= $length;
|
||||
return $res;
|
||||
}
|
||||
|
||||
if (substr($module, -$magic_len) eq $magic_number) {
|
||||
$module = substr($module, 0, $module_len - $magic_len);
|
||||
$module_len -= $magic_len;
|
||||
my $info = eat($info_len);
|
||||
my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
|
||||
unpack("CCCCCxxxN", $info);
|
||||
my $signature = eat($sig_len);
|
||||
if ($id_type == 1) {
|
||||
if (unpack("n", $signature) == $sig_len - 2) {
|
||||
verbose ("signed module (X.509)\n");
|
||||
} else {
|
||||
die "Invalid signature format\n";
|
||||
}
|
||||
if ($algo != 1) {
|
||||
die "Unsupported signature algorithm\n";
|
||||
}
|
||||
$signature = substr($signature, 2);
|
||||
my $key_id = eat($key_len);
|
||||
my $name = eat($name_len);
|
||||
} elsif ($id_type == 2) {
|
||||
verbose ("signed module (PKCS#7)\n");
|
||||
}
|
||||
} else {
|
||||
verbose ("unsigned module\n");
|
||||
}
|
||||
|
||||
verbose("Hash algorithm: $dgst\n");
|
||||
|
||||
my $digest = openssl_pipe($module, "openssl dgst -$dgst");
|
||||
$digest =~ s/\(stdin\)= //;
|
||||
|
||||
print "$module_name: $digest"
|
||||
@@ -1,62 +1,3 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Feb 8 21:16:36 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 0.7.2:
|
||||
* mokutil: revert the default listing to the verbose form
|
||||
- update to 0.7.1:
|
||||
* Fix an off-by-one reading passwords from a file.
|
||||
* Short certificate listing by default
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 1 08:23:24 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
|
||||
|
||||
- Update to 0.7.0
|
||||
+ 82694cb Show usage instead of aborting on bad flags
|
||||
+ 04791c2 mokutil bugfix: del unused opt "-s"
|
||||
+ d978c18 Fix leak of list in delete_data_from_req_var()
|
||||
+ e498f64 Fix leak of fd in mok_get_variable()
|
||||
+ 7b6258a Show the key owner GUID
|
||||
+ 51b5e55 Use PKG_PROG_PKG_CONFIG macro from pkg.m4 to detect pkg-config
|
||||
+ 1aefcdb mokutil: handle the parsing error from "mok-variables"
|
||||
+ 71140ef mokutil: Fix memory leak in export_db_keys
|
||||
+ 0011d52 mokutil:check the result of malloc() is necessary
|
||||
+ a0d8702 Fix inconsistency in skip messages
|
||||
+ ae59d89 man: add "--trust-mok" and "--untrust-mok"
|
||||
+ dd55c28 Avoid conflicting efi_char16_t type definitions
|
||||
+ 8b6d116 fix: typo "accesss" -> "access"
|
||||
+ f68a4f4 Do not exit with non zero status for version query
|
||||
+ 5f49730 Check for efi variabales support after processing commands
|
||||
+ 2d6c409 Return 0 after printing help messages
|
||||
+ c64741d Add support for SSPPolicy, depricate --set-sbat-policy delete
|
||||
+ 48e3d2a Fix tab alignment for help (set-fallback-verbosity/set-fallback-noreboot)
|
||||
+ c361087 (HEAD -> master, tag: 0.7.0, origin/ssppolicy-v2-fix, origin/master, origin/HEAD) Rename "previous" revocations to "automatic"
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 23 09:19:54 UTC 2024 - pgajdos@suse.com
|
||||
|
||||
- Use %patch -P N instead of deprecated %patchN.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 19 08:10:49 UTC 2023 - Joey Lee <jlee@suse.com>
|
||||
|
||||
- Sync change log to prepare for sending mokutil 0.6.0 to SLE15-SP6
|
||||
(jsc#PED-6528)
|
||||
- Removed the following backported patches because they are merged
|
||||
to 0.6.0:
|
||||
- mokutil-fix-missing-header.patch
|
||||
b15e7c4d7 util: add the missing stdio.h
|
||||
- mokutil-enable-setting-fallback-verbosity-and-norebo.patch (bsc#1198458)
|
||||
57bc38582 mokutil: enable setting fallback verbosity and noreboot mode
|
||||
- mokutil-SBAT-revocation-update-support.patch (bsc#1198458)
|
||||
6c9890730 SBAT revocation update support
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 18 07:07:08 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Remove modhash (bsc#1214358)
|
||||
+ The modhash script is rarely used and it's impractical to block
|
||||
a kernel module with the hash.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 27 05:00:25 UTC 2022 - Joey Lee <jlee@suse.com>
|
||||
|
||||
@@ -126,7 +67,7 @@ Thu Jul 15 06:39:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
-------------------------------------------------------------------
|
||||
Tue May 4 06:52:03 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- spec file cleanup
|
||||
- spec file cleanup
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package mokutil
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2022 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -17,13 +17,14 @@
|
||||
|
||||
|
||||
Name: mokutil
|
||||
Version: 0.7.2
|
||||
Version: 0.6.0
|
||||
Release: 0
|
||||
Summary: Tools for manipulating machine owner keys
|
||||
License: GPL-3.0-only
|
||||
Group: Productivity/Security
|
||||
URL: https://github.com/lcp/mokutil
|
||||
Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
|
||||
Source1: modhash
|
||||
# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version
|
||||
Patch1: mokutil-remove-libkeyutils-check.patch
|
||||
BuildRequires: autoconf
|
||||
@@ -42,7 +43,7 @@ keys (MOK) stored in the database of shim.
|
||||
%prep
|
||||
%setup -q
|
||||
%if 0%{?suse_version} <= 1500
|
||||
%patch -P 1 -p1
|
||||
%patch1 -p1
|
||||
%endif
|
||||
|
||||
%build
|
||||
@@ -52,10 +53,12 @@ keys (MOK) stored in the database of shim.
|
||||
|
||||
%install
|
||||
%make_install
|
||||
install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%{_bindir}/mokutil
|
||||
%{_bindir}/modhash
|
||||
%{_mandir}/man?/*
|
||||
%dir %{_datadir}/bash-completion/completions/
|
||||
%{_datadir}/bash-completion/completions/mokutil
|
||||
|
||||
Reference in New Issue
Block a user