From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate
This is an openSUSE-only patch.
This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..ab3d04f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define REVOKE_CERT (1 << 24)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -156,6 +157,7 @@ print_help ()
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+revoke_builtin_cert (void)
+{
+ efi_variable_t var;
+ pw_crypt_t pw_crypt;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password = NULL;
+ int pw_len;
+ int auth_ret;
+ int ret = -1;
+
+ /* Check use_openSUSE_cert */
+ memset (&var, 0, sizeof(var));
+ var.VariableName = "use_openSUSE_cert";
+ var.VendorGuid = SHIM_LOCK_GUID;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ if ((uint8_t)*var.Data != 1) {
+ free (var.Data);
+ fprintf (stderr, "The built-in certificate is already revoked.\n");
+ return 0;
+ }
+ free (var.Data);
+
+ memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+ memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+ fprintf (stderr, "Abort\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
+ } else {
+ auth_ret = generate_auth (NULL, 0, password, pw_len,
+ auth);
+ }
+ if (auth_ret < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ var.Data = (void *)&pw_crypt;
+ var.DataSize = PASSWORD_CRYPT_SIZE;
+ } else {
+ var.Data = (void *)auth;
+ var.DataSize = SHA256_DIGEST_LENGTH;
+ }
+ var.VariableName = "ClearVerify";
+
+ var.VendorGuid = SHIM_LOCK_GUID;
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to write ClearVerify\n");
+ goto error;
+ }
+
+ ret = 0;
+error:
+ if (password)
+ free (password);
+
+ return ret;
+}
+
static inline int
list_db (DBName db_name)
{
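Review bot: The cleanup under `error:` frees the cleartext password without wiping it first (`if (password) free (password);`), so the secret stays in freed heap memory after the call; by that point the password has already been consumed by generate_hash/generate_auth, so it should be zeroized before free — use the file's secure-wipe helper if it has one, otherwise a volatile-byte loop or `explicit_bzero (password, pw_len)` where available, because a plain `memset` right before `free` can be optimized away. The `if (password)` guard is also redundant, since `free (NULL)` is a no-op. Separately, `if (read_variable (&var) != EFI_SUCCESS) return 0;` reports success to main() when the gate variable cannot be read at all, so a script cannot distinguish a skipped revocation from a completed one; returning -1 there with a message, and keeping 0 only for the already-revoked case, would make `ret` meaningful to the caller.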
@@ -2070,6 +2145,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2157,6 +2233,8 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
db_name = DBX;
}
+ } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT;
}
break;
@@ -2416,6 +2494,10 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case REVOKE_CERT:
+ case REVOKE_CERT | SIMPLE_HASH:
+ ret = revoke_builtin_cert ();
+ break;
default:
print_help ();
break;
--
2.9.0
From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables
This is an openSUSE-only patch.
Adapt the changes in the mainline.
---
src/mokutil.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index ab3d04f..9dcf4f1 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity)
static int
revoke_builtin_cert (void)
{
- efi_variable_t var;
+ uint32_t attributes;
+ size_t data_size;
+ uint8_t *data;
pw_crypt_t pw_crypt;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len;
+ unsigned int pw_len;
int auth_ret;
int ret = -1;
/* Check use_openSUSE_cert */
- memset (&var, 0, sizeof(var));
- var.VariableName = "use_openSUSE_cert";
- var.VendorGuid = SHIM_LOCK_GUID;
+ if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
+ &data, &data_size, &attributes) < 0) {
+ fprintf (stderr, "Failed to get use_openSUSE_cert\n");
+ return 0;
+ }
- if (read_variable (&var) != EFI_SUCCESS)
+ if (data_size != 1) {
+ free (data);
+ fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
return 0;
+ }
- if ((uint8_t)*var.Data != 1) {
- free (var.Data);
+ if (*data != 1) {
+ free (data);
fprintf (stderr, "The built-in certificate is already revoked.\n");
return 0;
}
- free (var.Data);
+ free (data);
memset (&pw_crypt, 0, sizeof(pw_crypt_t));
memset (auth, 0, SHA256_DIGEST_LENGTH);
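Review bot: Both new early exits in the gate check — `fprintf (stderr, "Failed to get use_openSUSE_cert\n"); return 0;` and the `data_size != 1` branch — print an error yet return 0, so main() treats a failed or malformed read exactly like success; only the "already revoked" exit is genuinely a no-op. Return -1 on those two paths so the process exit status reflects that nothing was written. The `attributes` filled here by efi_get_variable is, as far as can be seen, only reused later as an output value for the ClearVerify write, which is fine but deserves a one-line comment since one variable serves two purposes. The function continues past the end of the hunk.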
@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void)
}
if (!use_simple_hash) {
- var.Data = (void *)&pw_crypt;
- var.DataSize = PASSWORD_CRYPT_SIZE;
+ data = (uint8_t *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
} else {
- var.Data = (void *)auth;
- var.DataSize = SHA256_DIGEST_LENGTH;
+ data = auth;
+ data_size = SHA256_DIGEST_LENGTH;
}
- var.VariableName = "ClearVerify";
-
- var.VendorGuid = SHIM_LOCK_GUID;
- var.Attributes = EFI_VARIABLE_NON_VOLATILE
- | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_RUNTIME_ACCESS;
+ attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
- if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ if (efi_set_variable (efi_guid_shim, "ClearVerify",
+ data, data_size, attributes) < 0) {
fprintf (stderr, "Failed to write ClearVerify\n");
goto error;
}
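Review bot: The efi_set_variable call that writes ClearVerify has no comment saying what the variable carries or who consumes it, and the payload layout differs between the two branches (a `pw_crypt_t` of PASSWORD_CRYPT_SIZE bytes versus a raw SHA256_DIGEST_LENGTH digest). From the series description this is the password hash MokManager checks before offering to revoke the built-in certificate, so a line such as `/* ClearVerify carries the password hash (crypt struct or plain SHA-256) that MokManager verifies before revoking the built-in certificate. */` above the call would record that. `data = (uint8_t *)&pw_crypt; data_size = PASSWORD_CRYPT_SIZE;` relies on PASSWORD_CRYPT_SIZE matching the struct's on-wire size; whether the two are meant to be equal cannot be confirmed from this hunk, and a short comment there would settle it. The function's `error:` cleanup lies outside the hunk.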
--
2.9.0
From 05c64b7b7d44f1c2a106e7273a33f83e57452d92 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24
This is an openSUSE-only patch.
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9dcf4f1..1a8ccc9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2061,7 +2061,8 @@ revoke_builtin_cert (void)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (efi_set_variable (efi_guid_shim, "ClearVerify",
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
fprintf (stderr, "Failed to write ClearVerify\n");
goto error;
}
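Review bot: `S_IRUSR | S_IWUSR` on the new argument line needs `<sys/stat.h>`, and this patch adds no include; if mokutil.c does not already pull that header in (not visible from this hunk), the build breaks on the new line. The mode itself is the right choice: it keeps the variable file efivar creates for ClearVerify, which holds a password hash, readable and writable by the owner only. A short comment above the call, `/* 0600: the variable file holds a password hash */`, would record why the efivar default was not used. The enclosing function starts and ends outside the hunk.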
--
2.9.0