836 lines
21 KiB
Diff
836 lines
21 KiB
Diff
|
From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Thu, 13 Dec 2012 17:09:34 +0800
|
||
|
Subject: [PATCH 1/7] Move fail check to get_password()
|
||
|
|
||
|
---
|
||
|
src/mokutil.c | 83 ++++++++++++++++++++++++++++++++-------------------------
|
||
|
1 file changed, 46 insertions(+), 37 deletions(-)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index aba1cfb..eea2b6c 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -297,39 +297,60 @@ static int
|
||
|
get_password (char **password, int *len, int min, int max)
|
||
|
{
|
||
|
char *password_1, *password_2;
|
||
|
- int len_1, len_2;
|
||
|
+ int len_1, len_2, fail, ret = -1;
|
||
|
size_t n;
|
||
|
|
||
|
password_1 = password_2 = NULL;
|
||
|
|
||
|
- printf ("input password (%d~%d characters): ", min, max);
|
||
|
- len_1 = read_hidden_line (&password_1, &n);
|
||
|
- printf ("\n");
|
||
|
+ fail = 0;
|
||
|
|
||
|
- if (len_1 > max || len_1 < min) {
|
||
|
- free (password_1);
|
||
|
- fprintf (stderr, "password should be %d~%d characters\n",
|
||
|
- min, max);
|
||
|
- return -1;
|
||
|
+ while (fail < 3) {
|
||
|
+ printf ("input password (%d~%d characters): ", min, max);
|
||
|
+ len_1 = read_hidden_line (&password_1, &n);
|
||
|
+ printf ("\n");
|
||
|
+
|
||
|
+ if (len_1 > max || len_1 < min) {
|
||
|
+ fail++;
|
||
|
+ fprintf (stderr, "password should be %d~%d characters\n",
|
||
|
+ min, max);
|
||
|
+ } else {
|
||
|
+ break;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
- printf ("input password again: ");
|
||
|
- len_2 = read_hidden_line (&password_2, &n);
|
||
|
- printf ("\n");
|
||
|
+ if (fail >= 3) {
|
||
|
+ if (password_1)
|
||
|
+ free (password_1);
|
||
|
+ goto error;
|
||
|
+ }
|
||
|
|
||
|
- if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
|
||
|
- free (password_1);
|
||
|
- free (password_2);
|
||
|
- fprintf (stderr, "password doesn't match\n");
|
||
|
- return -1;
|
||
|
+ fail = 0;
|
||
|
+
|
||
|
+ while (fail < 3) {
|
||
|
+ printf ("input password again: ");
|
||
|
+ len_2 = read_hidden_line (&password_2, &n);
|
||
|
+ printf ("\n");
|
||
|
+
|
||
|
+ if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
|
||
|
+ fail++;
|
||
|
+ fprintf (stderr, "password doesn't match\n");
|
||
|
+ } else {
|
||
|
+ break;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
+ if (fail >= 3)
|
||
|
+ goto error;
|
||
|
+
|
||
|
*password = password_1;
|
||
|
*len = len_1;
|
||
|
|
||
|
- free (password_2);
|
||
|
+ ret = 0;
|
||
|
+error:
|
||
|
+ if (password_2)
|
||
|
+ free (password_2);
|
||
|
|
||
|
- return 0;
|
||
|
+ return ret;
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
@@ -364,14 +385,10 @@ update_request (void *new_list, int list_len)
|
||
|
efi_variable_t var;
|
||
|
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||
|
char *password = NULL;
|
||
|
- int pw_len, fail = 0;
|
||
|
+ int pw_len;
|
||
|
int ret = -1;
|
||
|
|
||
|
- while (fail < 3 &&
|
||
|
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||
|
- fail++;
|
||
|
-
|
||
|
- if (fail >= 3) {
|
||
|
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||
|
fprintf (stderr, "Abort\n");
|
||
|
goto error;
|
||
|
}
|
||
|
@@ -745,14 +762,10 @@ set_password ()
|
||
|
efi_variable_t var;
|
||
|
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||
|
char *password = NULL;
|
||
|
- int pw_len, fail = 0;
|
||
|
+ int pw_len;
|
||
|
int ret = -1;
|
||
|
|
||
|
- while (fail < 3 &&
|
||
|
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||
|
- fail++;
|
||
|
-
|
||
|
- if (fail >= 3) {
|
||
|
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||
|
fprintf (stderr, "Abort\n");
|
||
|
goto error;
|
||
|
}
|
||
|
@@ -789,15 +802,11 @@ set_validation (uint32_t state)
|
||
|
efi_variable_t var;
|
||
|
MokSBVar sbvar;
|
||
|
char *password = NULL;
|
||
|
- int pw_len, fail = 0;
|
||
|
+ int pw_len;
|
||
|
efi_char16_t efichar_pass[PASSWORD_MAX];
|
||
|
int ret = -1;
|
||
|
|
||
|
- while (fail < 3 &&
|
||
|
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||
|
- fail++;
|
||
|
-
|
||
|
- if (fail >= 3) {
|
||
|
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||
|
fprintf (stderr, "Abort\n");
|
||
|
goto error;
|
||
|
}
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Mon, 17 Dec 2012 16:22:41 +0800
|
||
|
Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not
|
||
|
|
||
|
---
|
||
|
src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
|
1 file changed, 65 insertions(+)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index eea2b6c..68a25bc 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -41,6 +41,7 @@ enum Command {
|
||
|
COMMAND_DISABLE_VALIDATION,
|
||
|
COMMAND_ENABLE_VALIDATION,
|
||
|
COMMAND_SB_STATE,
|
||
|
+ COMMAND_TEST_KEY,
|
||
|
};
|
||
|
|
||
|
static void
|
||
|
@@ -76,6 +77,9 @@ print_help ()
|
||
|
|
||
|
printf("SecureBoot State:\n");
|
||
|
printf(" mokutil --sb-state\n\n");
|
||
|
+
|
||
|
+ printf("Test if the key is enrolled or not:\n");
|
||
|
+ printf(" mokutil --test-key\n\n");
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
@@ -882,10 +886,57 @@ sb_state ()
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
+static int
|
||
|
+test_key (const char *key_file)
|
||
|
+{
|
||
|
+ struct stat buf;
|
||
|
+ void *key = NULL;
|
||
|
+ ssize_t read_size;
|
||
|
+ int fd, ret = -1;
|
||
|
+
|
||
|
+ if (stat (key_file, &buf) != 0) {
|
||
|
+ fprintf (stderr, "Failed to get file status, %s\n", key_file);
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ key = malloc (buf.st_size);
|
||
|
+
|
||
|
+ fd = open (key_file, O_RDONLY);
|
||
|
+ if (fd < 0) {
|
||
|
+ fprintf (stderr, "Failed to open %s\n", key_file);
|
||
|
+ goto error;
|
||
|
+ }
|
||
|
+
|
||
|
+ read_size = read (fd, key, buf.st_size);
|
||
|
+ if (read_size < 0 || read_size != buf.st_size) {
|
||
|
+ fprintf (stderr, "Failed to read %s\n", key_file);
|
||
|
+ goto error;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
|
||
|
+ !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
|
||
|
+ !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
|
||
|
+ !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
|
||
|
+ !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
|
||
|
+ printf ("%s is not enrolled\n", key_file);
|
||
|
+ ret = 0;
|
||
|
+ } else {
|
||
|
+ printf ("%s is already enrolled\n", key_file);
|
||
|
+ ret = 1;
|
||
|
+ }
|
||
|
+
|
||
|
+error:
|
||
|
+ if (key)
|
||
|
+ free (key);
|
||
|
+
|
||
|
+ return ret;
|
||
|
+}
|
||
|
+
|
||
|
int
|
||
|
main (int argc, char *argv[])
|
||
|
{
|
||
|
char **files = NULL;
|
||
|
+ char *key_file = NULL;
|
||
|
int i, total;
|
||
|
int command;
|
||
|
|
||
|
@@ -962,6 +1013,17 @@ main (int argc, char *argv[])
|
||
|
|
||
|
command = COMMAND_SB_STATE;
|
||
|
|
||
|
+ } else if (strcmp (argv[1], "--test-key") == 0) {
|
||
|
+
|
||
|
+ if (argc < 3) {
|
||
|
+ print_help ();
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ key_file = argv[2];
|
||
|
+
|
||
|
+ command = COMMAND_TEST_KEY;
|
||
|
+
|
||
|
} else {
|
||
|
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
|
||
|
print_help ();
|
||
|
@@ -999,6 +1061,9 @@ main (int argc, char *argv[])
|
||
|
case COMMAND_SB_STATE:
|
||
|
sb_state ();
|
||
|
break;
|
||
|
+ case COMMAND_TEST_KEY:
|
||
|
+ test_key (key_file);
|
||
|
+ break;
|
||
|
default:
|
||
|
fprintf (stderr, "Unknown command\n");
|
||
|
break;
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Mon, 17 Dec 2012 16:33:59 +0800
|
||
|
Subject: [PATCH 3/7] Handle the return values
|
||
|
|
||
|
---
|
||
|
src/mokutil.c | 25 +++++++++++++------------
|
||
|
1 file changed, 13 insertions(+), 12 deletions(-)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index 68a25bc..13ef69d 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -939,6 +939,7 @@ main (int argc, char *argv[])
|
||
|
char *key_file = NULL;
|
||
|
int i, total;
|
||
|
int command;
|
||
|
+ int ret = -1;
|
||
|
|
||
|
if (argc < 2) {
|
||
|
print_help ();
|
||
|
@@ -1032,37 +1033,37 @@ main (int argc, char *argv[])
|
||
|
|
||
|
switch (command) {
|
||
|
case COMMAND_LIST_ENROLLED:
|
||
|
- list_enrolled_keys ();
|
||
|
+ ret = list_enrolled_keys ();
|
||
|
break;
|
||
|
case COMMAND_LIST_NEW:
|
||
|
- list_new_keys ();
|
||
|
+ ret = list_new_keys ();
|
||
|
break;
|
||
|
case COMMAND_IMPORT:
|
||
|
- import_moks (files, total);
|
||
|
+ ret = import_moks (files, total);
|
||
|
break;
|
||
|
case COMMAND_DELETE:
|
||
|
- delete_all ();
|
||
|
+ ret = delete_all ();
|
||
|
break;
|
||
|
case COMMAND_REVOKE:
|
||
|
- revoke_request ();
|
||
|
+ ret = revoke_request ();
|
||
|
break;
|
||
|
case COMMAND_EXPORT:
|
||
|
- export_moks ();
|
||
|
+ ret = export_moks ();
|
||
|
break;
|
||
|
case COMMAND_PASSWORD:
|
||
|
- set_password ();
|
||
|
+ ret = set_password ();
|
||
|
break;
|
||
|
case COMMAND_DISABLE_VALIDATION:
|
||
|
- disable_validation ();
|
||
|
+ ret = disable_validation ();
|
||
|
break;
|
||
|
case COMMAND_ENABLE_VALIDATION:
|
||
|
- enable_validation ();
|
||
|
+ ret = enable_validation ();
|
||
|
break;
|
||
|
case COMMAND_SB_STATE:
|
||
|
- sb_state ();
|
||
|
+ ret = sb_state ();
|
||
|
break;
|
||
|
case COMMAND_TEST_KEY:
|
||
|
- test_key (key_file);
|
||
|
+ ret = test_key (key_file);
|
||
|
break;
|
||
|
default:
|
||
|
fprintf (stderr, "Unknown command\n");
|
||
|
@@ -1072,5 +1073,5 @@ main (int argc, char *argv[])
|
||
|
if (files)
|
||
|
free (files);
|
||
|
|
||
|
- return 0;
|
||
|
+ return ret;
|
||
|
}
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Mon, 24 Dec 2012 16:35:37 +0800
|
||
|
Subject: [PATCH 4/7] Correct the GUID of "db"
|
||
|
|
||
|
---
|
||
|
src/efi.h | 2 ++
|
||
|
src/mokutil.c | 2 +-
|
||
|
2 files changed, 3 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/efi.h b/src/efi.h
|
||
|
index 7185179..d2640b4 100644
|
||
|
--- a/src/efi.h
|
||
|
+++ b/src/efi.h
|
||
|
@@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
|
||
|
EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
|
||
|
#define ESP_UNKNOWN_GUID \
|
||
|
EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
|
||
|
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||
|
+EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
||
|
|
||
|
static inline int
|
||
|
efi_guidcmp(efi_guid_t left, efi_guid_t right)
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index 13ef69d..6af5a9c 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total)
|
||
|
/* whether this key is already enrolled... */
|
||
|
if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
|
||
|
!is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
|
||
|
- !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
|
||
|
+ !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
|
||
|
!is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
|
||
|
!is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
|
||
|
ptr += sizes[i];
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Mon, 24 Dec 2012 18:12:48 +0800
|
||
|
Subject: [PATCH 5/7] Initialize password array
|
||
|
|
||
|
---
|
||
|
src/mokutil.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index 6af5a9c..3d00df0 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||
|
{
|
||
|
efi_variable_t mok_auth;
|
||
|
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||
|
- char *password;
|
||
|
+ char *password = NULL;
|
||
|
int pw_len, fail = 0;
|
||
|
size_t n;
|
||
|
int ret = 0;
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Tue, 25 Dec 2012 15:53:56 +0800
|
||
|
Subject: [PATCH 6/7] Add support for deleting specific keys
|
||
|
|
||
|
---
|
||
|
src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++----------------
|
||
|
1 file changed, 128 insertions(+), 51 deletions(-)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index 3d00df0..e6807da 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -42,6 +42,7 @@ enum Command {
|
||
|
COMMAND_ENABLE_VALIDATION,
|
||
|
COMMAND_SB_STATE,
|
||
|
COMMAND_TEST_KEY,
|
||
|
+ COMMAND_RESET,
|
||
|
};
|
||
|
|
||
|
static void
|
||
|
@@ -57,8 +58,8 @@ print_help ()
|
||
|
printf("Import keys:\n");
|
||
|
printf(" mokutil --import <der file>...\n\n");
|
||
|
|
||
|
- printf("Request to delete all keys\n");
|
||
|
- printf(" mokutil --delete-all\n\n");
|
||
|
+ printf("Request to delete specific keys\n");
|
||
|
+ printf(" mokutil --delete <der file>...\n\n");
|
||
|
|
||
|
printf("Revoke the request:\n");
|
||
|
printf(" mokutil --revoke\n\n");
|
||
|
@@ -80,6 +81,9 @@ print_help ()
|
||
|
|
||
|
printf("Test if the key is enrolled or not:\n");
|
||
|
printf(" mokutil --test-key\n\n");
|
||
|
+
|
||
|
+ printf("Reset MOK list:\n");
|
||
|
+ printf(" mokutil --reset\n\n");
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
@@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password,
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
-update_request (void *new_list, int list_len)
|
||
|
+update_request (void *new_list, int list_len, uint8_t import)
|
||
|
{
|
||
|
efi_variable_t var;
|
||
|
+ const char *req_name, *auth_name;
|
||
|
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||
|
char *password = NULL;
|
||
|
int pw_len;
|
||
|
int ret = -1;
|
||
|
|
||
|
+ if (import) {
|
||
|
+ req_name = "MokNew";
|
||
|
+ auth_name = "MokAuth";
|
||
|
+ } else {
|
||
|
+ req_name = "MokDel";
|
||
|
+ auth_name = "MokDelAuth";
|
||
|
+ }
|
||
|
+
|
||
|
if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||
|
fprintf (stderr, "Abort\n");
|
||
|
goto error;
|
||
|
@@ -403,7 +416,7 @@ update_request (void *new_list, int list_len)
|
||
|
/* Write MokNew*/
|
||
|
var.Data = new_list;
|
||
|
var.DataSize = list_len;
|
||
|
- var.VariableName = "MokNew";
|
||
|
+ var.VariableName = req_name;
|
||
|
|
||
|
var.VendorGuid = SHIM_LOCK_GUID;
|
||
|
var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
||
|
@@ -411,17 +424,18 @@ update_request (void *new_list, int list_len)
|
||
|
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||
|
|
||
|
if (edit_variable (&var) != EFI_SUCCESS) {
|
||
|
- fprintf (stderr, "Failed to enroll new keys\n");
|
||
|
+ fprintf (stderr, "Failed to %s keys\n",
|
||
|
+ import ? "enroll new" : "delete");
|
||
|
goto error;
|
||
|
}
|
||
|
} else {
|
||
|
- test_and_delete_var ("MokNew");
|
||
|
+ test_and_delete_var (req_name);
|
||
|
}
|
||
|
|
||
|
/* Write MokAuth */
|
||
|
var.Data = auth;
|
||
|
var.DataSize = SHA256_DIGEST_LENGTH;
|
||
|
- var.VariableName = "MokAuth";
|
||
|
+ var.VariableName = auth_name;
|
||
|
|
||
|
var.VendorGuid = SHIM_LOCK_GUID;
|
||
|
var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
||
|
@@ -429,8 +443,8 @@ update_request (void *new_list, int list_len)
|
||
|
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||
|
|
||
|
if (edit_variable (&var) != EFI_SUCCESS) {
|
||
|
- fprintf (stderr, "Failed to write MokAuth\n");
|
||
|
- test_and_delete_var ("MokNew");
|
||
|
+ fprintf (stderr, "Failed to write %s\n", auth_name);
|
||
|
+ test_and_delete_var (req_name);
|
||
|
goto error;
|
||
|
}
|
||
|
|
||
|
@@ -505,20 +519,47 @@ done:
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
-verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||
|
+is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
|
||
|
{
|
||
|
- efi_variable_t mok_auth;
|
||
|
+ if (import) {
|
||
|
+ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
|
||
|
+ is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
|
||
|
+ is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
|
||
|
+ is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
||
|
+ is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+ } else {
|
||
|
+ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
||
|
+ is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ return 1;
|
||
|
+}
|
||
|
+
|
||
|
+static int
|
||
|
+verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import)
|
||
|
+{
|
||
|
+ efi_variable_t req_auth;
|
||
|
+ const char *auth_name;
|
||
|
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||
|
char *password = NULL;
|
||
|
int pw_len, fail = 0;
|
||
|
size_t n;
|
||
|
int ret = 0;
|
||
|
|
||
|
- memset (&mok_auth, 0, sizeof(mok_auth));
|
||
|
- mok_auth.VariableName = "MokAuth";
|
||
|
- mok_auth.VendorGuid = SHIM_LOCK_GUID;
|
||
|
- if (read_variable (&mok_auth) != EFI_SUCCESS) {
|
||
|
- fprintf (stderr, "Failed to read MokAuth\n");
|
||
|
+ if (import)
|
||
|
+ auth_name = "MokAuth";
|
||
|
+ else
|
||
|
+ auth_name = "MokDelAuth";
|
||
|
+
|
||
|
+ memset (&req_auth, 0, sizeof(req_auth));
|
||
|
+ req_auth.VariableName = auth_name;
|
||
|
+ req_auth.VendorGuid = SHIM_LOCK_GUID;
|
||
|
+ if (read_variable (&req_auth) != EFI_SUCCESS) {
|
||
|
+ fprintf (stderr, "Failed to read %s\n", auth_name);
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
@@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
- generate_auth (mok_new, mok_new_size, password, pw_len, auth);
|
||
|
- if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
|
||
|
+ generate_auth (old_req, old_req_size, password, pw_len, auth);
|
||
|
+ if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
|
||
|
ret = 1;
|
||
|
break;
|
||
|
}
|
||
|
@@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||
|
fail++;
|
||
|
}
|
||
|
|
||
|
- if (mok_auth.Data)
|
||
|
- free (mok_auth.Data);
|
||
|
+ if (req_auth.Data)
|
||
|
+ free (req_auth.Data);
|
||
|
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
-import_moks (char **files, uint32_t total)
|
||
|
+issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||
|
{
|
||
|
- efi_variable_t mok_new;
|
||
|
+ efi_variable_t old_req;
|
||
|
+ const char *req_name;
|
||
|
void *new_list = NULL;
|
||
|
void *ptr;
|
||
|
struct stat buf;
|
||
|
@@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total)
|
||
|
if (!files)
|
||
|
return -1;
|
||
|
|
||
|
+ if (import)
|
||
|
+ req_name = "MokNew";
|
||
|
+ else
|
||
|
+ req_name = "MokDel";
|
||
|
+
|
||
|
sizes = malloc (total * sizeof(uint32_t));
|
||
|
|
||
|
if (!sizes) {
|
||
|
@@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total)
|
||
|
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
|
||
|
list_size += sizeof(efi_guid_t) * total;
|
||
|
|
||
|
- memset (&mok_new, 0, sizeof(mok_new));
|
||
|
- mok_new.VariableName = "MokNew";
|
||
|
- mok_new.VendorGuid = SHIM_LOCK_GUID;
|
||
|
- if (read_variable (&mok_new) == EFI_SUCCESS)
|
||
|
- list_size += mok_new.DataSize;
|
||
|
+ memset (&old_req, 0, sizeof(old_req));
|
||
|
+ old_req.VariableName = req_name;
|
||
|
+ old_req.VendorGuid = SHIM_LOCK_GUID;
|
||
|
+ if (read_variable (&old_req) == EFI_SUCCESS)
|
||
|
+ list_size += old_req.DataSize;
|
||
|
|
||
|
new_list = malloc (list_size);
|
||
|
if (!new_list) {
|
||
|
- fprintf (stderr, "Failed to allocate space for MokNew\n");
|
||
|
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
|
||
|
goto error;
|
||
|
}
|
||
|
ptr = new_list;
|
||
|
@@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total)
|
||
|
files[i]);
|
||
|
}
|
||
|
|
||
|
- /* whether this key is already enrolled... */
|
||
|
- if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
|
||
|
- !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
|
||
|
- !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
|
||
|
- !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
|
||
|
- !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
|
||
|
+ if (is_valid_request (ptr, sizes[i], import)) {
|
||
|
ptr += sizes[i];
|
||
|
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||
|
} else {
|
||
|
+ printf ("Skip %s\n", files[i]);
|
||
|
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||
|
}
|
||
|
|
||
|
@@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total)
|
||
|
goto error;
|
||
|
}
|
||
|
|
||
|
- /* append the keys in MokNew */
|
||
|
- if (mok_new.Data) {
|
||
|
+ /* append the keys to the previous request */
|
||
|
+ if (old_req.Data) {
|
||
|
/* request the previous password to verify the keys */
|
||
|
- if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
|
||
|
+ if (!verify_old_req (old_req.Data, old_req.DataSize, import)) {
|
||
|
goto error;
|
||
|
}
|
||
|
|
||
|
- memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
|
||
|
- real_size += mok_new.DataSize;
|
||
|
+ memcpy (new_list + real_size, old_req.Data, old_req.DataSize);
|
||
|
+ real_size += old_req.DataSize;
|
||
|
}
|
||
|
|
||
|
- if (update_request (new_list, real_size) < 0) {
|
||
|
+ if (update_request (new_list, real_size, import) < 0) {
|
||
|
goto error;
|
||
|
}
|
||
|
|
||
|
ret = 0;
|
||
|
error:
|
||
|
- if (mok_new.Data)
|
||
|
- free (mok_new.Data);
|
||
|
+ if (old_req.Data)
|
||
|
+ free (old_req.Data);
|
||
|
if (sizes)
|
||
|
free (sizes);
|
||
|
if (new_list)
|
||
|
@@ -682,14 +725,15 @@ error:
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
-delete_all ()
|
||
|
+import_moks (char **files, uint32_t total)
|
||
|
{
|
||
|
- if (update_request (NULL, 0)) {
|
||
|
- fprintf (stderr, "Failed to issue an delete request\n");
|
||
|
- return -1;
|
||
|
- }
|
||
|
+ return issue_mok_request (files, total, 1);
|
||
|
+}
|
||
|
|
||
|
- return 0;
|
||
|
+static int
|
||
|
+delete_moks (char **files, uint32_t total)
|
||
|
+{
|
||
|
+ return issue_mok_request (files, total, 0);
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
@@ -932,6 +976,17 @@ error:
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
+static int
|
||
|
+reset_moks ()
|
||
|
+{
|
||
|
+ if (update_request (NULL, 0, 1)) {
|
||
|
+ fprintf (stderr, "Failed to issue a reset request\n");
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
int
|
||
|
main (int argc, char *argv[])
|
||
|
{
|
||
|
@@ -982,8 +1037,23 @@ main (int argc, char *argv[])
|
||
|
|
||
|
command = COMMAND_IMPORT;
|
||
|
|
||
|
- } else if (strcmp (argv[1], "-D") == 0 ||
|
||
|
- strcmp (argv[1], "--delete-all") == 0) {
|
||
|
+ } else if (strcmp (argv[1], "-d") == 0 ||
|
||
|
+ strcmp (argv[1], "--delete") == 0) {
|
||
|
+
|
||
|
+ if (argc < 3) {
|
||
|
+ print_help ();
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+ total = argc - 2;
|
||
|
+
|
||
|
+ files = malloc (total * sizeof(char *));
|
||
|
+ if (!files) {
|
||
|
+ fprintf (stderr, "Failed to allocate file list\n");
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
+ for (i = 0; i < total; i++)
|
||
|
+ files[i] = argv[i+2];
|
||
|
|
||
|
command = COMMAND_DELETE;
|
||
|
|
||
|
@@ -1025,6 +1095,10 @@ main (int argc, char *argv[])
|
||
|
|
||
|
command = COMMAND_TEST_KEY;
|
||
|
|
||
|
+ } else if (strcmp (argv[1], "--reset") == 0) {
|
||
|
+
|
||
|
+ command = COMMAND_RESET;
|
||
|
+
|
||
|
} else {
|
||
|
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
|
||
|
print_help ();
|
||
|
@@ -1042,7 +1116,7 @@ main (int argc, char *argv[])
|
||
|
ret = import_moks (files, total);
|
||
|
break;
|
||
|
case COMMAND_DELETE:
|
||
|
- ret = delete_all ();
|
||
|
+ ret = delete_moks (files, total);
|
||
|
break;
|
||
|
case COMMAND_REVOKE:
|
||
|
ret = revoke_request ();
|
||
|
@@ -1065,6 +1139,9 @@ main (int argc, char *argv[])
|
||
|
case COMMAND_TEST_KEY:
|
||
|
ret = test_key (key_file);
|
||
|
break;
|
||
|
+ case COMMAND_RESET:
|
||
|
+ ret = reset_moks ();
|
||
|
+ break;
|
||
|
default:
|
||
|
fprintf (stderr, "Unknown command\n");
|
||
|
break;
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
|
||
|
From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||
|
Date: Wed, 2 Jan 2013 17:09:35 +0800
|
||
|
Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash
|
||
|
|
||
|
In issue_mok_request(), old_req.Data must be intialized before
|
||
|
"goto error", or the process would segfault when freeing old_req.Data.
|
||
|
---
|
||
|
src/mokutil.c | 3 ++-
|
||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||
|
index e6807da..a99e355 100644
|
||
|
--- a/src/mokutil.c
|
||
|
+++ b/src/mokutil.c
|
||
|
@@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||
|
|
||
|
sizes = malloc (total * sizeof(uint32_t));
|
||
|
|
||
|
+ memset (&old_req, 0, sizeof(old_req));
|
||
|
+
|
||
|
if (!sizes) {
|
||
|
fprintf (stderr, "Failed to allocate space for sizes\n");
|
||
|
goto error;
|
||
|
@@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||
|
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
|
||
|
list_size += sizeof(efi_guid_t) * total;
|
||
|
|
||
|
- memset (&old_req, 0, sizeof(old_req));
|
||
|
old_req.VariableName = req_name;
|
||
|
old_req.VendorGuid = SHIM_LOCK_GUID;
|
||
|
if (read_variable (&old_req) == EFI_SUCCESS)
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|