mokutil/mokutil-mokx-support.patch

2969 lines
85 KiB
Diff
Raw Normal View History

From 65c8d2eb32beda5e90af891de3e5bda41a8aa6f1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 21 Oct 2013 17:49:33 +0800
Subject: [PATCH 01/20] Update TODO
---
TODO | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/TODO b/TODO
index 373e48d..465835a 100644
--- a/TODO
+++ b/TODO
@@ -1,17 +1,5 @@
-* Validate the DER file [DONE]
* Show the detail of the DER file when enrolling (?)
* Add an option to slience the output (?)
-* Show the current value of MokNew and MokListRT [DONE]
-* Request the user to input a password before enrolling [DONE]
-* Read the list from a volatile RT variable [DONE]
-* Export keys in MokListRT [DONE]
* List hashes in MokListRT
-* Add a new command to probe the state of SecureBoot
- - SecureBoot, EFI_GLOBAL_VARIABLE
-* Do not to enroll duplicate key
- - compare the keys in MokListRT before enrolling the new keys
- - compare the keys in MokNew
- - add a new command to check duplicate
-* Add a new command to append the new key request to the old one
- - use the old password to verify the old request
-* Delete a specific key
+* Support MokX
+* Import hash into MokNew, NokDel, MokXNew
--
1.8.4
From 012d82be0468e876a10691fbabab2ed11b7a4954 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 22 Oct 2013 14:24:13 +0800
Subject: [PATCH 02/20] Show the hashes in the database
---
src/efi.h | 2 +-
src/mokutil.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
src/signature.h | 14 ++++++--
3 files changed, 113 insertions(+), 13 deletions(-)
diff --git a/src/efi.h b/src/efi.h
index a622a2b..33579c5 100644
--- a/src/efi.h
+++ b/src/efi.h
@@ -102,7 +102,7 @@ EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
static inline int
-efi_guidcmp(efi_guid_t left, efi_guid_t right)
+efi_guidcmp(const efi_guid_t left, const efi_guid_t right)
{
return memcmp(&left, &right, sizeof (efi_guid_t));
}
diff --git a/src/mokutil.c b/src/mokutil.c
index e4e247c..62690ef 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -157,14 +157,29 @@ test_and_delete_var (const char *var_name)
return 0;
}
+static uint32_t
+signature_size (efi_guid_t hash_type)
+{
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0)
+ return (SHA_DIGEST_LENGTH + sizeof(efi_guid_t));
+ else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0)
+ return (SHA224_DIGEST_LENGTH + sizeof(efi_guid_t));
+ else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0)
+ return (SHA256_DIGEST_LENGTH + sizeof(efi_guid_t));
+ else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0)
+ return (SHA384_DIGEST_LENGTH + sizeof(efi_guid_t));
+ else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0)
+ return (SHA512_DIGEST_LENGTH + sizeof(efi_guid_t));
+
+ return 0;
+}
+
static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{
MokListNode *list;
EFI_SIGNATURE_LIST *CertList = data;
EFI_SIGNATURE_DATA *Cert;
- efi_guid_t CertType = EfiCertX509Guid;
- efi_guid_t HashType = EfiHashSha256Guid;
unsigned long dbsize = data_size;
unsigned long count = 0;
@@ -176,16 +191,20 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((efi_guidcmp (CertList->SignatureType, CertType) != 0) &&
- (efi_guidcmp (CertList->SignatureType, HashType) != 0)) {
+ if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) &&
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha256Guid) != 0) &&
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha384Guid) != 0) &&
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha512Guid) != 0)) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
continue;
}
- if ((efi_guidcmp (CertList->SignatureType, HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
+ if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
+ (CertList->SignatureSize != signature_size (CertList->SignatureType))) {
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
CertList->SignatureListSize);
@@ -203,8 +222,18 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
}
list[count].header = CertList;
- list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
- list[count].mok = (void *)Cert->SignatureData;
+ if (efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) == 0) {
+ /* X509 certificate */
+ list[count].mok_size = CertList->SignatureSize -
+ sizeof(efi_guid_t);
+ list[count].mok = (void *)Cert->SignatureData;
+ } else {
+ /* hash array */
+ list[count].mok_size = CertList->SignatureListSize -
+ sizeof(EFI_SIGNATURE_LIST) -
+ CertList->SignatureHeaderSize;
+ list[count].mok = (void *)Cert;
+ }
count++;
dbsize -= CertList->SignatureListSize;
@@ -258,6 +287,64 @@ print_x509 (char *cert, int cert_size)
}
static int
+print_hash_array (efi_guid_t hash_type, void *hash_array, uint32_t array_size)
+{
+ uint32_t hash_size, remain;
+ uint32_t sig_size;
+ uint8_t *hash;
+ const char *name;
+ int i;
+
+ if (!hash_array || array_size == 0) {
+ fprintf (stderr, "invalid hash array\n");
+ return -1;
+ }
+
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
+ name = "SHA1";
+ hash_size = SHA_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
+ name = "SHA224";
+ hash_size = SHA224_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
+ name = "SHA256";
+ hash_size = SHA256_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
+ name = "SHA384";
+ hash_size = SHA384_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
+ name = "SHA512";
+ hash_size = SHA512_DIGEST_LENGTH;
+ } else {
+ fprintf (stderr, "unknown hash type\n");
+ return -1;
+ }
+ sig_size = hash_size + sizeof(efi_guid_t);
+
+ printf (" [%s]\n", name);
+
+ remain = array_size;
+ hash = (uint8_t *)hash_array;
+
+ while (remain > 0) {
+ if (remain < sig_size) {
+ fprintf (stderr, "invalid array size\n");
+ return -1;
+ }
+
+ printf (" ");
+ hash += sizeof(efi_guid_t);
+ for (i = 0; i<hash_size; i++)
+ printf ("%02x", *(hash + i));
+ printf ("\n");
+ hash += hash_size;
+ remain -= sig_size;
+ }
+
+ return 0;
+}
+
+static int
list_keys (efi_variable_t *var)
{
uint32_t mok_num;
@@ -271,7 +358,12 @@ list_keys (efi_variable_t *var)
for (i = 0; i < mok_num; i++) {
printf ("[key %d]\n", i+1);
- print_x509 ((char *)list[i].mok, list[i].mok_size);
+ if (efi_guidcmp (list[i].header->SignatureType, EfiCertX509Guid) == 0) {
+ print_x509 ((char *)list[i].mok, list[i].mok_size);
+ } else {
+ print_hash_array (list[i].header->SignatureType,
+ list[i].mok, list[i].mok_size);
+ }
if (i < mok_num - 1)
printf ("\n");
}
diff --git a/src/signature.h b/src/signature.h
index df88e98..02f0211 100644
--- a/src/signature.h
+++ b/src/signature.h
@@ -28,11 +28,17 @@
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
-#define SHA256_DIGEST_SIZE 32
+#ifndef SIGNATURE_H
+#define SIGNATURE_H
-#define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
+#include "efi.h"
+
+#define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
+#define EfiHashSha224Guid EFI_GUID (0xb6e5233, 0xa65c, 0x44c9, 0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd)
#define EfiHashSha256Guid EFI_GUID (0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
-#define EfiCertX509Guid EFI_GUID (0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
+#define EfiHashSha384Guid EFI_GUID (0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1)
+#define EfiHashSha512Guid EFI_GUID (0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a)
+#define EfiCertX509Guid EFI_GUID (0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
typedef struct {
///
@@ -71,3 +77,5 @@ typedef struct {
/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
///
} __attribute__ ((packed)) EFI_SIGNATURE_LIST;
+
+#endif /* SIGNATURE_H */
--
1.8.4
From 77a215f86139b21fd55dca4d032b7269f62b51c1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 22 Oct 2013 14:34:21 +0800
Subject: [PATCH 03/20] Don't allocate the MOK list until there is a node
---
src/mokutil.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 62690ef..ec476dd 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -177,19 +177,12 @@ signature_size (efi_guid_t hash_type)
static MokListNode*
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
{
- MokListNode *list;
+ MokListNode *list = NULL;
EFI_SIGNATURE_LIST *CertList = data;
EFI_SIGNATURE_DATA *Cert;
unsigned long dbsize = data_size;
unsigned long count = 0;
- list = malloc(sizeof(MokListNode));
-
- if (!list) {
- fprintf(stderr, "Unable to allocate MOK list\n");
- return NULL;
- }
-
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
(efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
--
1.8.4
From befae0e92ea24e35208b07786857d195ce8aa086 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 22 Oct 2013 14:40:58 +0800
Subject: [PATCH 04/20] Skip hashes while exporting MokListRT
---
src/mokutil.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index ec476dd..04f7655 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1119,6 +1119,10 @@ export_moks ()
/* mode 644 */
mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
for (i = 0; i < mok_num; i++) {
+ if (efi_guidcmp (list[i].header->SignatureType, EfiCertX509Guid) != 0)
+ continue;
+
+ /* Dump X509 certificate to files */
snprintf (filename, PATH_MAX, "MOK-%04d.der", i+1);
fd = open (filename, O_CREAT | O_WRONLY, mode);
if (fd == -1) {
--
1.8.4
From 9cfc5f93e15e05dabf46a86e4f8e899e32443176 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 22 Oct 2013 16:05:33 +0800
Subject: [PATCH 05/20] Match the hashes in the database
---
src/mokutil.c | 162 +++++++++++++++++++++++++++++++++++++++-------------------
1 file changed, 109 insertions(+), 53 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 04f7655..fa5d668 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -157,19 +157,50 @@ test_and_delete_var (const char *var_name)
return 0;
}
+static const char*
+efi_hash_to_string (efi_guid_t hash_type)
+{
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
+ return "SHA1";
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
+ return "SHA224";
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
+ return "SHA256";
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
+ return "SHA384";
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
+ return "SHA512";
+ }
+
+ return NULL;
+}
+
+static uint32_t
+efi_hash_size (efi_guid_t hash_type)
+{
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
+ return SHA_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
+ return SHA224_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
+ return SHA256_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
+ return SHA384_DIGEST_LENGTH;
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
+ return SHA512_DIGEST_LENGTH;
+ }
+
+ return 0;
+}
+
static uint32_t
signature_size (efi_guid_t hash_type)
{
- if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0)
- return (SHA_DIGEST_LENGTH + sizeof(efi_guid_t));
- else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0)
- return (SHA224_DIGEST_LENGTH + sizeof(efi_guid_t));
- else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0)
- return (SHA256_DIGEST_LENGTH + sizeof(efi_guid_t));
- else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0)
- return (SHA384_DIGEST_LENGTH + sizeof(efi_guid_t));
- else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0)
- return (SHA512_DIGEST_LENGTH + sizeof(efi_guid_t));
+ uint32_t hash_size;
+
+ hash_size = efi_hash_size (hash_type);
+ if (hash_size)
+ return (hash_size + sizeof(efi_guid_t));
return 0;
}
@@ -293,29 +324,16 @@ print_hash_array (efi_guid_t hash_type, void *hash_array, uint32_t array_size)
return -1;
}
- if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
- name = "SHA1";
- hash_size = SHA_DIGEST_LENGTH;
- } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
- name = "SHA224";
- hash_size = SHA224_DIGEST_LENGTH;
- } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
- name = "SHA256";
- hash_size = SHA256_DIGEST_LENGTH;
- } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
- name = "SHA384";
- hash_size = SHA384_DIGEST_LENGTH;
- } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
- name = "SHA512";
- hash_size = SHA512_DIGEST_LENGTH;
- } else {
+ name = efi_hash_to_string (hash_type);
+ hash_size = efi_hash_size (hash_type);
+ sig_size = hash_size + sizeof(efi_guid_t);
+
+ if (!name) {
fprintf (stderr, "unknown hash type\n");
return -1;
}
- sig_size = hash_size + sizeof(efi_guid_t);
printf (" [%s]\n", name);
-
remain = array_size;
hash = (uint8_t *)hash_array;
@@ -829,36 +847,78 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
- efi_guid_t guid)
+match_hash_array (efi_guid_t hash_type, const void *hash,
+ const void *hash_array, const uint32_t array_size)
+{
+ uint32_t hash_size, hash_count;
+ uint32_t sig_size;
+ int i;
+ void *ptr;
+
+ hash_size = efi_hash_size (hash_type);
+ if (!hash_size)
+ return 0;
+
+ sig_size = hash_size + sizeof(efi_guid_t);
+ if ((array_size % sig_size) != 0) {
+ fprintf (stderr, "invalid hash array size\n");
+ return 0;
+ }
+
+ ptr = (void *)hash_array;
+ hash_count = array_size / sig_size;
+ for (i = 0; i < hash_count; i++) {
+ ptr += sizeof(efi_guid_t);
+ if (memcmp (ptr, hash, hash_size) == 0)
+ return 1;
+ ptr += hash_size;
+ }
+
+ return 0;
+}
+
+static int
+is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
+ efi_guid_t vendor, const char *db_name)
{
efi_variable_t var;
- uint32_t mok_num;
+ uint32_t node_num;
MokListNode *list;
int i, ret = 0;
- if (!cert || cert_size == 0 || !db_name)
+ if (!data || data_size == 0 || !db_name)
return 0;
memset (&var, 0, sizeof(var));
var.VariableName = db_name;
- var.VendorGuid = guid;
+ var.VendorGuid = vendor;
if (read_variable (&var) != EFI_SUCCESS)
return 0;
- list = build_mok_list (var.Data, var.DataSize, &mok_num);
+ list = build_mok_list (var.Data, var.DataSize, &node_num);
if (list == NULL) {
goto done;
}
- for (i = 0; i < mok_num; i++) {
- if (list[i].mok_size != cert_size)
+ for (i = 0; i < node_num; i++) {
+ if (efi_guidcmp (list[i].header->SignatureType, type) != 0)
continue;
- if (memcmp (list[i].mok, cert, cert_size) == 0) {
- ret = 1;
- break;
+ if (efi_guidcmp (type, EfiCertX509Guid) == 0) {
+ if (list[i].mok_size != data_size)
+ continue;
+
+ if (memcmp (list[i].mok, data, data_size) == 0) {
+ ret = 1;
+ break;
+ }
+ } else {
+ if (match_hash_array (type, data, list[i].mok,
+ list[i].mok_size)) {
+ ret = 1;
+ break;
+ }
}
}
@@ -870,19 +930,19 @@ done:
}
static int
-is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
+is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
{
if (import) {
- if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
- is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
- is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
- is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
- is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
+ if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "PK") ||
+ is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK") ||
+ is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db") ||
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) {
return 0;
}
} else {
- if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
- is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
+ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) {
return 0;
}
}
@@ -1008,7 +1068,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
files[i]);
}
- if (is_valid_request (ptr, sizes[i], import)) {
+ if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else if (in_pending_request (ptr, sizes[i], import)) {
@@ -1359,11 +1419,7 @@ test_key (const char *key_file)
goto error;
}
- if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
- !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, 1)) {
printf ("%s is not enrolled\n", key_file);
ret = 0;
} else {
--
1.8.4
From 9ec6f6836a386d527cf62d6583c3ea5e394f62a5 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 22 Oct 2013 18:01:11 +0800
Subject: [PATCH 06/20] Support MOK blacklist
---
src/mokutil.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 195 insertions(+), 28 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index fa5d668..f10e6e8 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -79,6 +79,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define SIMPLE_HASH (1 << 17)
#define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19)
+#define MOKX (1 << 20)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -86,6 +87,13 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
static int use_simple_hash;
+typedef enum {
+ DELETE_MOK = 0,
+ ENROLL_MOK,
+ DELETE_BLACKLIST,
+ ENROLL_BLACKLIST
+} MokRequest;
+
typedef struct {
EFI_SIGNATURE_LIST *header;
uint32_t mok_size;
@@ -135,6 +143,10 @@ print_help ()
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
printf (" \t\t\t\t(For --import, --delete, --password,\n");
printf (" \t\t\t\t --clear-password and --reset)\n");
+ printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
+ printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
+ printf (" \t\t\t\t --list-delete, --import, --delete,\n");
+ printf (" \t\t\t\t --revoke-import, and --revoke-delete)\n");
}
static int
@@ -724,7 +736,7 @@ get_password_from_shadow (pw_crypt_t *pw_crypt)
}
static int
-update_request (void *new_list, int list_len, uint8_t import,
+update_request (void *new_list, int list_len, MokRequest req,
const char *hash_file, const int root_pw)
{
efi_variable_t var;
@@ -739,12 +751,25 @@ update_request (void *new_list, int list_len, uint8_t import,
bzero (&pw_crypt, sizeof(pw_crypt_t));
pw_crypt.method = DEFAULT_CRYPT_METHOD;
- if (import) {
+ switch (req) {
+ case ENROLL_MOK:
req_name = "MokNew";
auth_name = "MokAuth";
- } else {
+ break;
+ case DELETE_MOK:
req_name = "MokDel";
auth_name = "MokDelAuth";
+ break;
+ case ENROLL_BLACKLIST:
+ req_name = "MokXNew";
+ auth_name = "MokXAuth";
+ break;
+ case DELETE_BLACKLIST:
+ req_name = "MokXDel";
+ auth_name = "MokXDelAuth";
+ break;
+ default:
+ return -1;
}
if (hash_file) {
@@ -776,7 +801,7 @@ update_request (void *new_list, int list_len, uint8_t import,
}
if (new_list) {
- /* Write MokNew*/
+ /* Write MokNew, MokDel, MokXNew, or MokXDel*/
var.Data = new_list;
var.DataSize = list_len;
var.VariableName = req_name;
@@ -787,15 +812,27 @@ update_request (void *new_list, int list_len, uint8_t import,
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to %s keys\n",
- import ? "enroll new" : "delete");
+ switch (req) {
+ case ENROLL_MOK:
+ fprintf (stderr, "Failed to enroll new keys\n");
+ break;
+ case ENROLL_BLACKLIST:
+ fprintf (stderr, "Failed to enroll blacklist\n");
+ break;
+ case DELETE_MOK:
+ fprintf (stderr, "Failed to delete keys\n");
+ break;
+ case DELETE_BLACKLIST:
+ fprintf (stderr, "Failed to delete blacklist\n");
+ break;
+ }
goto error;
}
} else {
test_and_delete_var (req_name);
}
- /* Write MokAuth or MokDelAuth */
+ /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
if (!use_simple_hash) {
var.Data = (void *)&pw_crypt;
var.DataSize = PASSWORD_CRYPT_SIZE;
@@ -930,9 +967,10 @@ done:
}
static int
-is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
+is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req)
{
- if (import) {
+ switch (req) {
+ case ENROLL_MOK:
if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "PK") ||
is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK") ||
is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db") ||
@@ -940,29 +978,63 @@ is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) {
return 0;
}
- } else {
+ break;
+ case DELETE_MOK:
if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) {
return 0;
}
+ break;
+ case ENROLL_BLACKLIST:
+ if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT") ||
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXNew")) {
+ return 0;
+ }
+ break;
+ case DELETE_BLACKLIST:
+ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT") ||
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXDel")) {
+ return 0;
+ }
+ break;
}
return 1;
}
static int
-in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
+in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
{
efi_variable_t authvar;
- const char *var_name = import ? "MokDel" : "MokNew";
+ const char *var_name;
if (!mok || mok_size == 0)
return 0;
memset (&authvar, 0, sizeof(authvar));
- authvar.VariableName = import ? "MokDelAuth" : "MokAuth";
authvar.VendorGuid = SHIM_LOCK_GUID;
+ switch (req) {
+ case ENROLL_MOK:
+ var_name = "MokDel";
+ authvar.VariableName = "MokDelAuth";
+ break;
+ case DELETE_MOK:
+ var_name = "MokNew";
+ authvar.VariableName = "MokAuth";
+ break;
+ case ENROLL_BLACKLIST:
+ var_name = "MokXDel";
+ authvar.VariableName = "MokXDelAuth";
+ break;
+ case DELETE_BLACKLIST:
+ var_name = "MokXNew";
+ authvar.VariableName = "MokXAuth";
+ break;
+ default:
+ return 0;
+ }
+
if (read_variable (&authvar) != EFI_SUCCESS) {
return 0;
}
@@ -979,7 +1051,7 @@ in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
}
static int
-issue_mok_request (char **files, uint32_t total, uint8_t import,
+issue_mok_request (char **files, uint32_t total, MokRequest req,
const char *hash_file, const int root_pw)
{
efi_variable_t old_req;
@@ -999,7 +1071,22 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
if (!files)
return -1;
- req_name = import ? "MokNew" : "MokDel";
+ switch (req) {
+ case ENROLL_MOK:
+ req_name = "MokNew";
+ break;
+ case DELETE_MOK:
+ req_name = "MokDel";
+ break;
+ case ENROLL_BLACKLIST:
+ req_name = "MokXNew";
+ break;
+ case DELETE_BLACKLIST:
+ req_name = "MokXDel";
+ break;
+ default:
+ return -1;
+ }
sizes = malloc (total * sizeof(uint32_t));
@@ -1068,11 +1155,29 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
files[i]);
}
- if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], import)) {
+ if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
- } else if (in_pending_request (ptr, sizes[i], import)) {
- printf ("Removed %s from %s\n", files[i], import ? "MokDel" : "MokNew");
+ } else if (in_pending_request (ptr, sizes[i], req)) {
+ const char *pending;
+ switch (req) {
+ case ENROLL_MOK:
+ pending = "MokDel";
+ break;
+ case DELETE_MOK:
+ pending = "MokNew";
+ break;
+ case ENROLL_BLACKLIST:
+ pending = "MokXDel";
+ break;
+ case DELETE_BLACKLIST:
+ pending = "MokXNew";
+ break;
+ default:
+ pending = "";
+ break;
+ }
+ printf ("Removed %s from %s\n", files[i], pending);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
@@ -1095,7 +1200,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
real_size += old_req.DataSize;
}
- if (update_request (new_list, real_size, import, hash_file, root_pw) < 0) {
+ if (update_request (new_list, real_size, req, hash_file, root_pw) < 0) {
goto error;
}
@@ -1115,29 +1220,58 @@ static int
import_moks (char **files, uint32_t total, const char *hash_file,
const int root_pw)
{
- return issue_mok_request (files, total, 1, hash_file, root_pw);
+ return issue_mok_request (files, total, ENROLL_MOK, hash_file, root_pw);
}
static int
delete_moks (char **files, uint32_t total, const char *hash_file,
const int root_pw)
{
- return issue_mok_request (files, total, 0, hash_file, root_pw);
+ return issue_mok_request (files, total, DELETE_MOK, hash_file, root_pw);
}
static int
-revoke_request (uint8_t import)
+import_blacklist (char **files, uint32_t total, const char *hash_file,
+ const int root_pw)
{
- if (import == 1) {
+ return issue_mok_request (files, total, ENROLL_BLACKLIST, hash_file, root_pw);
+}
+
+static int
+delete_blacklist (char **files, uint32_t total, const char *hash_file,
+ const int root_pw)
+{
+ return issue_mok_request (files, total, DELETE_BLACKLIST, hash_file, root_pw);
+}
+
+static int
+revoke_request (MokRequest req)
+{
+ switch (req) {
+ case ENROLL_MOK:
if (test_and_delete_var ("MokNew") < 0)
return -1;
if (test_and_delete_var ("MokAuth") < 0)
return -1;
- } else {
+ break;
+ case DELETE_MOK:
if (test_and_delete_var ("MokDel") < 0)
return -1;
if (test_and_delete_var ("MokDelAuth") < 0)
return -1;
+ break;
+ case ENROLL_BLACKLIST:
+ if (test_and_delete_var ("MokXNew") < 0)
+ return -1;
+ if (test_and_delete_var ("MokXAuth") < 0)
+ return -1;
+ break;
+ case DELETE_BLACKLIST:
+ if (test_and_delete_var ("MokXDel") < 0)
+ return -1;
+ if (test_and_delete_var ("MokXDelAuth") < 0)
+ return -1;
+ break;
}
return 0;
@@ -1419,7 +1553,7 @@ test_key (const char *key_file)
goto error;
}
- if (!is_valid_request (EfiCertX509Guid, key, read_size, 1)) {
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, ENROLL_MOK)) {
printf ("%s is not enrolled\n", key_file);
ret = 0;
} else {
@@ -1440,7 +1574,7 @@ error:
static int
reset_moks (const char *hash_file, const int root_pw)
{
- if (update_request (NULL, 0, 1, hash_file, root_pw)) {
+ if (update_request (NULL, 0, ENROLL_MOK, hash_file, root_pw)) {
fprintf (stderr, "Failed to issue a reset request\n");
return -1;
}
@@ -1539,6 +1673,7 @@ main (int argc, char *argv[])
{"simple-hash", no_argument, 0, 's'},
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
+ {"mokx", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -1574,6 +1709,8 @@ main (int argc, char *argv[])
command |= IGNORE_DB;
} else if (strcmp (option, "use-db") == 0) {
command |= USE_DB;
+ } else if (strcmp (option, "mokx") == 0) {
+ command |= MOKX;
}
break;
case 'd':
@@ -1683,10 +1820,10 @@ main (int argc, char *argv[])
ret = delete_moks (files, total, hash_file, 0);
break;
case REVOKE_IMPORT:
- ret = revoke_request (1);
+ ret = revoke_request (ENROLL_MOK);
break;
case REVOKE_DELETE:
- ret = revoke_request (0);
+ ret = revoke_request (DELETE_MOK);
break;
case EXPORT:
ret = export_moks ();
@@ -1730,6 +1867,36 @@ main (int argc, char *argv[])
case USE_DB:
ret = enable_db ();
break;
+ case LIST_ENROLLED | MOKX:
+ ret = list_keys_in_var ("MokListXRT");
+ break;
+ case LIST_NEW | MOKX:
+ ret = list_keys_in_var ("MokXNew");
+ break;
+ case LIST_DELETE | MOKX:
+ ret = list_keys_in_var ("MokXDel");
+ break;
+ case IMPORT | MOKX:
+ case IMPORT | SIMPLE_HASH | MOKX:
+ if (use_root_pw)
+ ret = import_blacklist (files, total, NULL, 1);
+ else
+ ret = import_blacklist (files, total, hash_file, 0);
+ break;
+ case DELETE | MOKX:
+ case DELETE | SIMPLE_HASH | MOKX:
+ if (use_root_pw)
+ ret = delete_blacklist (files, total, NULL, 1);
+ else
+ ret = delete_blacklist (files, total, hash_file, 0);
+ break;
+ case REVOKE_IMPORT | MOKX:
+ ret = revoke_request (ENROLL_BLACKLIST);
+ break;
+ case REVOKE_DELETE | MOKX:
+ ret = revoke_request (DELETE_BLACKLIST);
+ break;
+
default:
print_help ();
break;
--
1.8.4
From 73c2a558b6fa9fb42526d4d2ac5c7db40d402c8f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 23 Oct 2013 10:41:58 +0800
Subject: [PATCH 07/20] Fix the memory leakage
---
src/mokutil.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index f10e6e8..bcc12ca 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1746,10 +1746,18 @@ main (int argc, char *argv[])
break;
case 'f':
+ if (hash_file) {
+ command |= HELP;
+ break;
+ }
hash_file = strdup (optarg);
break;
case 'g':
+ if (input_pw) {
+ command |= HELP;
+ break;
+ }
if (optarg)
input_pw = strdup (optarg);
@@ -1765,6 +1773,10 @@ main (int argc, char *argv[])
use_root_pw = 1;
break;
case 't':
+ if (key_file) {
+ command |= HELP;
+ break;
+ }
key_file = strdup (optarg);
if (key_file == NULL) {
fprintf (stderr, "Could not allocate space: %m\n");
--
1.8.4
From 62162fc5a5c33c987e4b8106a9e98c3abf8288ae Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 23 Oct 2013 17:29:53 +0800
Subject: [PATCH 08/20] Support import and delete a hash
---
src/mokutil.c | 424 ++++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 322 insertions(+), 102 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index bcc12ca..b8edf74 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -80,6 +80,8 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define IGNORE_DB (1 << 18)
#define USE_DB (1 << 19)
#define MOKX (1 << 20)
+#define IMPORT_HASH (1 << 21)
+#define DELETE_HASH (1 << 22)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -132,21 +134,27 @@ print_help ()
printf (" --generate-hash[=password]\t\tGenerate the password hash\n");
printf (" --ignore-db\t\t\t\tIgnore DB for validation\n");
printf (" --use-db\t\t\t\tUse DB for validation\n");
+ printf (" --import-hash <hash>\t\t\tImport a hash\n");
+ printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
printf (" \t\t(For --import, --delete, --password,\n");
- printf (" \t\t and --reset)\n");
+ printf (" \t\t --reset, --import-hash,\n");
+ printf (" \t\t and --delete-hash)\n");
printf (" --root-pw\t\t\t\tUse the root password\n");
printf (" \t\t\t\t(For --import, --delete, --password,\n");
- printf (" \t\t\t\t and --reset)\n");
+ printf (" \t\t\t\t --reset, --import-hash,\n");
+ printf (" \t\t\t\t and --delete-hash)\n");
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
printf (" \t\t\t\t(For --import, --delete, --password,\n");
- printf (" \t\t\t\t --clear-password and --reset)\n");
+ printf (" \t\t\t\t --clear-password, --reset,\n");
+ printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
printf (" \t\t\t\t --list-delete, --import, --delete,\n");
- printf (" \t\t\t\t --revoke-import, and --revoke-delete)\n");
+ printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
+ printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
}
static int
@@ -396,17 +404,50 @@ list_keys (efi_variable_t *var)
return 0;
}
+/* match the hash in the hash array and return the index if matched */
static int
-delete_key_from_list (void *mok, uint32_t mok_size,
- const char *var_name, efi_guid_t guid)
+match_hash_array (efi_guid_t hash_type, const void *hash,
+ const void *hash_array, const uint32_t array_size)
+{
+ uint32_t hash_size, hash_count;
+ uint32_t sig_size;
+ int i;
+ void *ptr;
+
+ hash_size = efi_hash_size (hash_type);
+ if (!hash_size)
+ return -1;
+
+ sig_size = hash_size + sizeof(efi_guid_t);
+ if ((array_size % sig_size) != 0) {
+ fprintf (stderr, "invalid hash array size\n");
+ return -1;
+ }
+
+ ptr = (void *)hash_array;
+ hash_count = array_size / sig_size;
+ for (i = 0; i < hash_count; i++) {
+ ptr += sizeof(efi_guid_t);
+ if (memcmp (ptr, hash, hash_size) == 0)
+ return i;
+ ptr += hash_size;
+ }
+
+ return -1;
+}
+
+static int
+delete_data_from_list (efi_guid_t type, void *data, uint32_t data_size,
+ const char *var_name, efi_guid_t guid)
{
efi_variable_t var;
MokListNode *list;
uint32_t mok_num, total, remain;
- void *ptr, *data = NULL;
+ void *end, *start = NULL;
int i, del_ind, ret = 0;
+ uint32_t sig_list_size, sig_size;
- if (!var_name || !mok || mok_size == 0)
+ if (!var_name || !data || data_size == 0)
return 0;
memset (&var, 0, sizeof(var));
@@ -422,30 +463,56 @@ delete_key_from_list (void *mok, uint32_t mok_size,
if (list == NULL)
goto done;
+ remain = total;
for (i = 0; i < mok_num; i++) {
- if (list[i].mok_size != mok_size)
+ remain -= list[i].header->SignatureListSize;
+ if (efi_guidcmp (list[i].header->SignatureType, type) != 0)
continue;
- if (memcmp (list[i].mok, mok, mok_size) == 0) {
- /* Remove this key */
- del_ind = i;
- data = (void *)list[i].header;
- ptr = data + list[i].header->SignatureListSize;
- total -= list[i].header->SignatureListSize;
+ sig_list_size = list[i].header->SignatureListSize;
+
+ if (efi_guidcmp (type, EfiCertX509Guid) == 0) {
+ if (list[i].mok_size != data_size)
+ continue;
+
+ if (memcmp (list[i].mok, data, data_size) == 0) {
+ /* Remove this key */
+ start = (void *)list[i].header;
+ end = start + sig_list_size;
+ total -= sig_list_size;
+ break;
+ }
+ } else {
+ del_ind = match_hash_array (type, data, list[i].mok,
+ list[i].mok_size);
+ if (del_ind < 0)
+ continue;
+
+ start = (void *)list[i].header;
+ sig_size = signature_size (type);
+ if (sig_list_size == (sizeof(EFI_SIGNATURE_LIST) + sig_size)) {
+ /* Only one hash in the list */
+ end = start + sig_list_size;
+ total -= sig_list_size;
+ } else {
+ /* More than one hash in the list */
+ start += sizeof(EFI_SIGNATURE_LIST) + sig_size * del_ind;
+ end = start + sig_size;
+ total -= sig_size;
+ remain += sig_list_size - sizeof(EFI_SIGNATURE_LIST) -
+ (del_ind + 1) * sig_size;
+ }
break;
}
}
- /* the key is not in this list */
- if (data == NULL)
+ /* the key or hash is not in this list */
+ if (start == NULL)
return 0;
- /* Move the rest of the keys */
- remain = 0;
- for (i = del_ind + 1; i < mok_num; i++)
- remain += list[i].header->SignatureListSize;
+ /* remove the key or hash */
if (remain > 0)
- memmove (data, ptr, remain);
+ memmove (start, end, remain);
var.DataSize = total;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -459,7 +526,8 @@ delete_key_from_list (void *mok, uint32_t mok_size,
ret = 1;
done:
- free (list);
+ if (list)
+ free (list);
free (var.Data);
return ret;
@@ -884,37 +952,6 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-match_hash_array (efi_guid_t hash_type, const void *hash,
- const void *hash_array, const uint32_t array_size)
-{
- uint32_t hash_size, hash_count;
- uint32_t sig_size;
- int i;
- void *ptr;
-
- hash_size = efi_hash_size (hash_type);
- if (!hash_size)
- return 0;
-
- sig_size = hash_size + sizeof(efi_guid_t);
- if ((array_size % sig_size) != 0) {
- fprintf (stderr, "invalid hash array size\n");
- return 0;
- }
-
- ptr = (void *)hash_array;
- hash_count = array_size / sig_size;
- for (i = 0; i < hash_count; i++) {
- ptr += sizeof(efi_guid_t);
- if (memcmp (ptr, hash, hash_size) == 0)
- return 1;
- ptr += hash_size;
- }
-
- return 0;
-}
-
-static int
is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
efi_guid_t vendor, const char *db_name)
{
@@ -952,7 +989,7 @@ is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
}
} else {
if (match_hash_array (type, data, list[i].mok,
- list[i].mok_size)) {
+ list[i].mok_size) >= 0) {
ret = 1;
break;
}
@@ -960,7 +997,8 @@ is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
}
done:
- free (list);
+ if (list)
+ free (list);
free (var.Data);
return ret;
@@ -1003,12 +1041,13 @@ is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req)
}
static int
-in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
+in_pending_request (efi_guid_t type, void *data, uint32_t data_size,
+ MokRequest req)
{
efi_variable_t authvar;
const char *var_name;
- if (!mok || mok_size == 0)
+ if (!data || data_size == 0)
return 0;
memset (&authvar, 0, sizeof(authvar));
@@ -1044,8 +1083,9 @@ in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
if (authvar.DataSize == SHA256_DIGEST_LENGTH)
return 0;
- if (delete_key_from_list (mok, mok_size, var_name, SHIM_LOCK_GUID))
- return 1;
+ if (delete_data_from_list (type, data, data_size, var_name,
+ SHIM_LOCK_GUID))
+ return 1;
return 0;
}
@@ -1158,7 +1198,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
- } else if (in_pending_request (ptr, sizes[i], req)) {
+ } else if (in_pending_request (EfiCertX509Guid, ptr, sizes[i], req)) {
const char *pending;
switch (req) {
case ENROLL_MOK:
@@ -1217,31 +1257,186 @@ error:
}
static int
-import_moks (char **files, uint32_t total, const char *hash_file,
- const int root_pw)
+identify_hash_type (const char *hash_str, efi_guid_t *type)
{
- return issue_mok_request (files, total, ENROLL_MOK, hash_file, root_pw);
-}
+ int len = strlen (hash_str);
+ int hash_size;
+ int i;
-static int
-delete_moks (char **files, uint32_t total, const char *hash_file,
- const int root_pw)
-{
- return issue_mok_request (files, total, DELETE_MOK, hash_file, root_pw);
+ for (i = 0; i < len; i++) {
+ if ((hash_str[i] > '9' || hash_str[i] < '0') &&
+ (hash_str[i] > 'f' || hash_str[i] < 'a') &&
+ (hash_str[i] > 'F' || hash_str[i] < 'A'))
+ return -1;
+ }
+
+ switch (len) {
+ case SHA_DIGEST_LENGTH*2:
+ *type = EfiHashSha1Guid;
+ hash_size = SHA_DIGEST_LENGTH;
+ break;
+ case SHA224_DIGEST_LENGTH*2:
+ *type = EfiHashSha224Guid;
+ hash_size = SHA224_DIGEST_LENGTH;
+ break;
+ case SHA256_DIGEST_LENGTH*2:
+ *type = EfiHashSha256Guid;
+ hash_size = SHA256_DIGEST_LENGTH;
+ break;
+ case SHA384_DIGEST_LENGTH*2:
+ *type = EfiHashSha384Guid;
+ hash_size = SHA384_DIGEST_LENGTH;
+ break;
+ case SHA512_DIGEST_LENGTH*2:
+ *type = EfiHashSha512Guid;
+ hash_size = SHA512_DIGEST_LENGTH;
+ break;
+ default:
+ return -1;
+ }
+
+ return hash_size;
}
static int
-import_blacklist (char **files, uint32_t total, const char *hash_file,
- const int root_pw)
+hex_str_to_binary (const char *hex_str, uint8_t *array, int len)
{
- return issue_mok_request (files, total, ENROLL_BLACKLIST, hash_file, root_pw);
+ char *pos;
+ int i;
+
+ if (!hex_str || !array)
+ return -1;
+
+ pos = (char *)hex_str;
+ for (i = 0; i < len; i++) {
+ sscanf (pos, "%2hhx", &array[i]);
+ pos += 2;
+ }
+
+ return 0;
}
static int
-delete_blacklist (char **files, uint32_t total, const char *hash_file,
- const int root_pw)
+issue_hash_request (const char *hash_str, MokRequest req,
+ const char *hash_file, const int root_pw)
{
- return issue_mok_request (files, total, DELETE_BLACKLIST, hash_file, root_pw);
+ efi_variable_t old_req;
+ const char *req_name;
+ void *new_list = NULL;
+ void *ptr;
+ unsigned long list_size = 0;
+ uint32_t sig_list_size;
+ int ret = -1;
+ EFI_SIGNATURE_LIST *CertList;
+ EFI_SIGNATURE_DATA *CertData;
+ efi_guid_t hash_type;
+ uint8_t db_hash[SHA512_DIGEST_LENGTH];
+ int hash_size;
+ uint8_t valid = 0;
+
+ if (!hash_str)
+ return -1;
+
+ hash_size = identify_hash_type (hash_str, &hash_type);
+ if (hash_size < 0)
+ return -1;
+
+ if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0)
+ return -1;
+
+ switch (req) {
+ case ENROLL_MOK:
+ req_name = "MokNew";
+ break;
+ case DELETE_MOK:
+ req_name = "MokDel";
+ break;
+ case ENROLL_BLACKLIST:
+ req_name = "MokXNew";
+ break;
+ case DELETE_BLACKLIST:
+ req_name = "MokXDel";
+ break;
+ default:
+ return -1;
+ }
+
+ sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
+ list_size += sig_list_size;
+
+ memset (&old_req, 0, sizeof(old_req));
+
+ old_req.VariableName = req_name;
+ old_req.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&old_req) == EFI_SUCCESS)
+ list_size += old_req.DataSize;
+
+ new_list = malloc (list_size);
+ if (!new_list) {
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
+ goto error;
+ }
+ ptr = new_list;
+
+ CertList = ptr;
+ CertList->SignatureType = hash_type;
+ CertList->SignatureListSize = sig_list_size;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
+
+ CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
+ sizeof(EFI_SIGNATURE_LIST));
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ memcpy (CertData->SignatureData, db_hash, hash_size);
+
+ if (is_valid_request (hash_type, db_hash, hash_size, req)) {
+ valid = 1;
+ } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
+ const char *pending;
+ switch (req) {
+ case ENROLL_MOK:
+ pending = "MokDel";
+ break;
+ case DELETE_MOK:
+ pending = "MokNew";
+ break;
+ case ENROLL_BLACKLIST:
+ pending = "MokXDel";
+ break;
+ case DELETE_BLACKLIST:
+ pending = "MokXNew";
+ break;
+ default:
+ pending = "";
+ break;
+ }
+ printf ("Removed hash from %s\n", pending);
+ } else {
+ printf ("Skip hash\n");
+ }
+
+ if (!valid) {
+ ret = 0;
+ goto error;
+ }
+
+ /* append the keys to the previous request */
+ if (old_req.Data) {
+ memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
+ }
+
+ if (update_request (new_list, list_size, req, hash_file, root_pw) < 0) {
+ goto error;
+ }
+
+ ret = 0;
+error:
+ if (old_req.Data)
+ free (old_req.Data);
+ if (new_list)
+ free (new_list);
+
+ return ret;
}
static int
@@ -1641,6 +1836,7 @@ main (int argc, char *argv[])
char *key_file = NULL;
char *hash_file = NULL;
char *input_pw = NULL;
+ char *hash_str = NULL;
const char *option;
int c, i, f_ind, total = 0;
unsigned int command = 0;
@@ -1674,6 +1870,8 @@ main (int argc, char *argv[])
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
{"mokx", no_argument, 0, 0 },
+ {"import-hash", required_argument, 0, 0 },
+ {"delete-hash", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -1711,6 +1909,20 @@ main (int argc, char *argv[])
command |= USE_DB;
} else if (strcmp (option, "mokx") == 0) {
command |= MOKX;
+ } else if (strcmp (option, "import-hash") == 0) {
+ command |= IMPORT_HASH;
+ if (hash_str) {
+ command |= HELP;
+ break;
+ }
+ hash_str = strdup (optarg);
+ } else if (strcmp (option, "delete-hash") == 0) {
+ command |= DELETE_HASH;
+ if (hash_str) {
+ command |= HELP;
+ break;
+ }
+ hash_str = strdup (optarg);
}
break;
case 'd':
@@ -1802,7 +2014,7 @@ main (int argc, char *argv[])
}
if (use_root_pw == 1 && use_simple_hash == 1)
- use_simple_hash = 0;;
+ use_simple_hash = 0;
if (hash_file && use_root_pw)
command |= HELP;
@@ -1819,17 +2031,23 @@ main (int argc, char *argv[])
break;
case IMPORT:
case IMPORT | SIMPLE_HASH:
- if (use_root_pw)
- ret = import_moks (files, total, NULL, 1);
- else
- ret = import_moks (files, total, hash_file, 0);
+ ret = issue_mok_request (files, total, ENROLL_MOK,
+ hash_file, use_root_pw);
break;
case DELETE:
case DELETE | SIMPLE_HASH:
- if (use_root_pw)
- ret = delete_moks (files, total, NULL, 1);
- else
- ret = delete_moks (files, total, hash_file, 0);
+ ret = issue_mok_request (files, total, DELETE_MOK,
+ hash_file, use_root_pw);
+ break;
+ case IMPORT_HASH:
+ case IMPORT_HASH | SIMPLE_HASH:
+ ret = issue_hash_request (hash_str, ENROLL_MOK,
+ hash_file, use_root_pw);
+ break;
+ case DELETE_HASH:
+ case DELETE_HASH | SIMPLE_HASH:
+ ret = issue_hash_request (hash_str, DELETE_MOK,
+ hash_file, use_root_pw);
break;
case REVOKE_IMPORT:
ret = revoke_request (ENROLL_MOK);
@@ -1842,10 +2060,7 @@ main (int argc, char *argv[])
break;
case PASSWORD:
case PASSWORD | SIMPLE_HASH:
- if (use_root_pw)
- ret = set_password (NULL, 1, 0);
- else
- ret = set_password (hash_file, 0, 0);
+ ret = set_password (hash_file, use_root_pw, 0);
break;
case CLEAR_PASSWORD:
case CLEAR_PASSWORD | SIMPLE_HASH:
@@ -1865,10 +2080,7 @@ main (int argc, char *argv[])
break;
case RESET:
case RESET | SIMPLE_HASH:
- if (use_root_pw)
- ret = reset_moks (NULL, 1);
- else
- ret = reset_moks (hash_file, 0);
+ ret = reset_moks (hash_file, use_root_pw);
break;
case GENERATE_PW_HASH:
ret = generate_pw_hash (input_pw);
@@ -1890,17 +2102,23 @@ main (int argc, char *argv[])
break;
case IMPORT | MOKX:
case IMPORT | SIMPLE_HASH | MOKX:
- if (use_root_pw)
- ret = import_blacklist (files, total, NULL, 1);
- else
- ret = import_blacklist (files, total, hash_file, 0);
+ ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
+ hash_file, use_root_pw);
break;
case DELETE | MOKX:
case DELETE | SIMPLE_HASH | MOKX:
- if (use_root_pw)
- ret = delete_blacklist (files, total, NULL, 1);
- else
- ret = delete_blacklist (files, total, hash_file, 0);
+ ret = issue_mok_request (files, total, DELETE_BLACKLIST,
+ hash_file, use_root_pw);
+ break;
+ case IMPORT_HASH | MOKX:
+ case IMPORT_HASH | SIMPLE_HASH | MOKX:
+ ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
+ hash_file, use_root_pw);
+ break;
+ case DELETE_HASH | MOKX:
+ case DELETE_HASH | SIMPLE_HASH | MOKX:
+ ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
+ hash_file, use_root_pw);
break;
case REVOKE_IMPORT | MOKX:
ret = revoke_request (ENROLL_BLACKLIST);
@@ -1908,7 +2126,6 @@ main (int argc, char *argv[])
case REVOKE_DELETE | MOKX:
ret = revoke_request (DELETE_BLACKLIST);
break;
-
default:
print_help ();
break;
@@ -1929,5 +2146,8 @@ main (int argc, char *argv[])
if (input_pw)
free (input_pw);
+ if (hash_str)
+ free (hash_str);
+
return ret;
}
--
1.8.4
From e852519aad00c669716c76db8908b89c6b5583e1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 23 Oct 2013 17:42:05 +0800
Subject: [PATCH 09/20] Reorganize issue_*_request
---
src/mokutil.c | 75 +++++++++++++++++++----------------------------------------
1 file changed, 24 insertions(+), 51 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index b8edf74..862cfbf 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1096,6 +1096,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
{
efi_variable_t old_req;
const char *req_name;
+ const char *reverse_req;
void *new_list = NULL;
void *ptr;
struct stat buf;
@@ -1114,15 +1115,19 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
switch (req) {
case ENROLL_MOK:
req_name = "MokNew";
+ reverse_req = "MokDel";
break;
case DELETE_MOK:
req_name = "MokDel";
+ reverse_req = "MokNew";
break;
case ENROLL_BLACKLIST:
req_name = "MokXNew";
+ reverse_req = "MokXDel";
break;
case DELETE_BLACKLIST:
req_name = "MokXDel";
+ reverse_req = "MokXNew";
break;
default:
return -1;
@@ -1199,26 +1204,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else if (in_pending_request (EfiCertX509Guid, ptr, sizes[i], req)) {
- const char *pending;
- switch (req) {
- case ENROLL_MOK:
- pending = "MokDel";
- break;
- case DELETE_MOK:
- pending = "MokNew";
- break;
- case ENROLL_BLACKLIST:
- pending = "MokXDel";
- break;
- case DELETE_BLACKLIST:
- pending = "MokXNew";
- break;
- default:
- pending = "";
- break;
- }
- printf ("Removed %s from %s\n", files[i], pending);
-
+ printf ("Removed %s from %s\n", files[i], reverse_req);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
printf ("Skip %s\n", files[i]);
@@ -1322,6 +1308,7 @@ issue_hash_request (const char *hash_str, MokRequest req,
{
efi_variable_t old_req;
const char *req_name;
+ const char *reverse_req;
void *new_list = NULL;
void *ptr;
unsigned long list_size = 0;
@@ -1347,20 +1334,37 @@ issue_hash_request (const char *hash_str, MokRequest req,
switch (req) {
case ENROLL_MOK:
req_name = "MokNew";
+ reverse_req = "MokDel";
break;
case DELETE_MOK:
req_name = "MokDel";
+ reverse_req = "MokNew";
break;
case ENROLL_BLACKLIST:
req_name = "MokXNew";
+ reverse_req = "MokXDel";
break;
case DELETE_BLACKLIST:
req_name = "MokXDel";
+ reverse_req = "MokXNew";
break;
default:
return -1;
}
+ if (is_valid_request (hash_type, db_hash, hash_size, req)) {
+ valid = 1;
+ } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
+ printf ("Removed hash from %s\n", reverse_req);
+ } else {
+ printf ("Skip hash\n");
+ }
+
+ if (!valid) {
+ ret = 0;
+ goto error;
+ }
+
sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
list_size += sig_list_size;
@@ -1389,37 +1393,6 @@ issue_hash_request (const char *hash_str, MokRequest req,
CertData->SignatureOwner = SHIM_LOCK_GUID;
memcpy (CertData->SignatureData, db_hash, hash_size);
- if (is_valid_request (hash_type, db_hash, hash_size, req)) {
- valid = 1;
- } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
- const char *pending;
- switch (req) {
- case ENROLL_MOK:
- pending = "MokDel";
- break;
- case DELETE_MOK:
- pending = "MokNew";
- break;
- case ENROLL_BLACKLIST:
- pending = "MokXDel";
- break;
- case DELETE_BLACKLIST:
- pending = "MokXNew";
- break;
- default:
- pending = "";
- break;
- }
- printf ("Removed hash from %s\n", pending);
- } else {
- printf ("Skip hash\n");
- }
-
- if (!valid) {
- ret = 0;
- goto error;
- }
-
/* append the keys to the previous request */
if (old_req.Data) {
memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
--
1.8.4
From 8603b648095d847fbed56b956b0b5aeaa62f091a Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 23 Oct 2013 18:29:09 +0800
Subject: [PATCH 10/20] Merge the hash into an existed signature list
---
src/mokutil.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 70 insertions(+), 17 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 862cfbf..f87ae7a 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1312,14 +1312,17 @@ issue_hash_request (const char *hash_str, MokRequest req,
void *new_list = NULL;
void *ptr;
unsigned long list_size = 0;
- uint32_t sig_list_size;
+ uint32_t sig_size, sig_list_size;
int ret = -1;
EFI_SIGNATURE_LIST *CertList;
EFI_SIGNATURE_DATA *CertData;
efi_guid_t hash_type;
uint8_t db_hash[SHA512_DIGEST_LENGTH];
int hash_size;
+ int merge_ind = -1;
uint8_t valid = 0;
+ MokListNode *mok_list = NULL;
+ uint32_t mok_num;
if (!hash_str)
return -1;
@@ -1365,16 +1368,31 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
}
- sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
- list_size += sig_list_size;
-
memset (&old_req, 0, sizeof(old_req));
old_req.VariableName = req_name;
old_req.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&old_req) == EFI_SUCCESS)
+ if (read_variable (&old_req) == EFI_SUCCESS) {
+ int i;
list_size += old_req.DataSize;
+ mok_list = build_mok_list (old_req.Data, old_req.DataSize,
+ &mok_num);
+ if (mok_list == NULL)
+ goto error;
+
+ /* Check if there is a signature list with the same type */
+ for (i = 0; i < mok_num; i++) {
+ if (efi_guidcmp (mok_list[i].header->SignatureType,
+ hash_type) == 0) {
+ merge_ind = i;
+ break;
+ }
+ }
+ }
+
+ list_size += sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
+
new_list = malloc (list_size);
if (!new_list) {
fprintf (stderr, "Failed to allocate space for %s\n", req_name);
@@ -1382,20 +1400,53 @@ issue_hash_request (const char *hash_str, MokRequest req,
}
ptr = new_list;
- CertList = ptr;
- CertList->SignatureType = hash_type;
- CertList->SignatureListSize = sig_list_size;
- CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
+ if (merge_ind < 0) {
+ /* Create a new signature list for the hash */
+ sig_list_size = sizeof(EFI_SIGNATURE_LIST) +
+ sizeof(efi_guid_t) + hash_size;
+ CertList = ptr;
+ CertList->SignatureType = hash_type;
+ CertList->SignatureListSize = sig_list_size;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
- CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
- sizeof(EFI_SIGNATURE_LIST));
- CertData->SignatureOwner = SHIM_LOCK_GUID;
- memcpy (CertData->SignatureData, db_hash, hash_size);
+ CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
+ sizeof(EFI_SIGNATURE_LIST));
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ memcpy (CertData->SignatureData, db_hash, hash_size);
- /* append the keys to the previous request */
- if (old_req.Data) {
- memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
+ /* prepend the hash to the previous request */
+ ptr += sig_list_size;
+ if (old_req.Data) {
+ memcpy (ptr, old_req.Data, old_req.DataSize);
+ }
+ } else {
+ /* Merge the hash into an existed signature list */
+ int i;
+
+ for (i = 0; i < merge_ind; i++) {
+ sig_list_size = mok_list[i].header->SignatureListSize;
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
+ ptr += sig_list_size;
+ }
+
+ /* Append the hash to the list */
+ i = merge_ind;
+ sig_list_size = mok_list[i].header->SignatureListSize;
+ sig_size = hash_size + sizeof(efi_guid_t);
+ mok_list[i].header->SignatureListSize += sig_size;
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
+ ptr += sig_list_size;
+ memcpy (ptr, (void *)&hash_type, sizeof(efi_guid_t));
+ ptr += sizeof(efi_guid_t);
+ memcpy (ptr, db_hash, hash_size);
+ ptr += hash_size;
+
+ for (i = merge_ind + 1; i < mok_num; i++) {
+ sig_list_size = mok_list[i].header->SignatureListSize;
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
+ ptr += sig_list_size;
+ }
}
if (update_request (new_list, list_size, req, hash_file, root_pw) < 0) {
@@ -1406,6 +1457,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
error:
if (old_req.Data)
free (old_req.Data);
+ if (mok_list)
+ free (mok_list);
if (new_list)
free (new_list);
--
1.8.4
From d933eba21ebad708d85ff23a715a14a7d67f51a9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 24 Oct 2013 17:54:18 +0800
Subject: [PATCH 11/20] Initialize the request variable to avoid the potential
crash
---
src/mokutil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index f87ae7a..880c38f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1334,6 +1334,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0)
return -1;
+ memset (&old_req, 0, sizeof(old_req));
+
switch (req) {
case ENROLL_MOK:
req_name = "MokNew";
@@ -1368,8 +1370,6 @@ issue_hash_request (const char *hash_str, MokRequest req,
goto error;
}
- memset (&old_req, 0, sizeof(old_req));
-
old_req.VariableName = req_name;
old_req.VendorGuid = SHIM_LOCK_GUID;
if (read_variable (&old_req) == EFI_SUCCESS) {
--
1.8.4
From 6c9d5519172ca5f87a08d1a46105c2a68b9f4db7 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 25 Oct 2013 18:29:07 +0800
Subject: [PATCH 12/20] Make test-key and reset support MOK blacklist
---
src/mokutil.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 880c38f..8ff4b41 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -154,7 +154,8 @@ print_help ()
printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
printf (" \t\t\t\t --list-delete, --import, --delete,\n");
printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
- printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
+ printf (" \t\t\t\t --import-hash, --delete-hash,\n");
+ printf (" \t\t\t\t --reset, and --test-key)\n");
}
static int
@@ -1756,7 +1757,7 @@ read_file(int fd, void **bufp, size_t *lenptr) {
}
static int
-test_key (const char *key_file)
+test_key (MokRequest req, const char *key_file)
{
void *key = NULL;
size_t read_size;
@@ -1774,7 +1775,7 @@ test_key (const char *key_file)
goto error;
}
- if (!is_valid_request (EfiCertX509Guid, key, read_size, ENROLL_MOK)) {
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, req)) {
printf ("%s is not enrolled\n", key_file);
ret = 0;
} else {
@@ -1793,9 +1794,9 @@ error:
}
static int
-reset_moks (const char *hash_file, const int root_pw)
+reset_moks (MokRequest req, const char *hash_file, const int root_pw)
{
- if (update_request (NULL, 0, ENROLL_MOK, hash_file, root_pw)) {
+ if (update_request (NULL, 0, req, hash_file, root_pw)) {
fprintf (stderr, "Failed to issue a reset request\n");
return -1;
}
@@ -2102,11 +2103,11 @@ main (int argc, char *argv[])
ret = sb_state ();
break;
case TEST_KEY:
- ret = test_key (key_file);
+ ret = test_key (ENROLL_MOK, key_file);
break;
case RESET:
case RESET | SIMPLE_HASH:
- ret = reset_moks (hash_file, use_root_pw);
+ ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
break;
case GENERATE_PW_HASH:
ret = generate_pw_hash (input_pw);
@@ -2152,6 +2153,13 @@ main (int argc, char *argv[])
case REVOKE_DELETE | MOKX:
ret = revoke_request (DELETE_BLACKLIST);
break;
+ case RESET | MOKX:
+ case RESET | SIMPLE_HASH | MOKX:
+ ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
+ break;
+ case TEST_KEY | MOKX:
+ ret = test_key (ENROLL_BLACKLIST, key_file);
+ break;
default:
print_help ();
break;
--
1.8.4
From 0fdc023cf98addb23ae511b91c963619ec1e8e2d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 30 Oct 2013 10:29:25 +0800
Subject: [PATCH 13/20] Set the verbosity for shim and MokManager
---
src/mokutil.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 8ff4b41..cd3b622 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -82,6 +82,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define MOKX (1 << 20)
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
+#define VERBOSITY (1 << 23)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -136,6 +137,7 @@ print_help ()
printf (" --use-db\t\t\t\tUse DB for validation\n");
printf (" --import-hash <hash>\t\t\tImport a hash\n");
printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
+ printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1856,6 +1858,31 @@ generate_pw_hash (const char *input_pw)
return 0;
}
+static int
+set_verbosity (uint8_t verbosity)
+{
+ efi_variable_t var;
+
+ if (verbosity) {
+ var.VariableName = "SHIM_VERBOSE";
+ var.VendorGuid = SHIM_LOCK_GUID;
+ var.Data = (void *)&verbosity;
+ var.DataSize = sizeof(uint8_t);
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to set SHIM_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_var ("SHIM_VERBOSE");
+ }
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -1868,6 +1895,7 @@ main (int argc, char *argv[])
int c, i, f_ind, total = 0;
unsigned int command = 0;
int use_root_pw = 0;
+ uint8_t verbosity = 0;
int ret = -1;
use_simple_hash = 0;
@@ -1899,6 +1927,7 @@ main (int argc, char *argv[])
{"mokx", no_argument, 0, 0 },
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
+ {"set-verbosity", required_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -1950,6 +1979,14 @@ main (int argc, char *argv[])
break;
}
hash_str = strdup (optarg);
+ } else if (strcmp (option, "set-verbosity") == 0) {
+ command |= VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ verbosity = 0;
+ else
+ command |= HELP;
}
break;
case 'd':
@@ -2160,6 +2197,9 @@ main (int argc, char *argv[])
case TEST_KEY | MOKX:
ret = test_key (ENROLL_BLACKLIST, key_file);
break;
+ case VERBOSITY:
+ ret = set_verbosity (verbosity);
+ break;
default:
print_help ();
break;
--
1.8.4
From 96dfa331c2067c3a44d6086ec86e6abb87f3c30f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 26 Nov 2013 12:36:12 +0800
Subject: [PATCH 14/20] Update the help and manpage
---
man/mokutil.1 | 30 +++++++++++++++++++++++++++---
src/mokutil.c | 4 ++--
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index abfdebb..fa990e5 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -5,22 +5,27 @@ mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
\fBmokutil\fR [--list-enrolled]
+ ([--mokx])
.br
\fBmokutil\fR [--list-new]
+ ([--mokx])
.br
\fBmokutil\fR [--list-delete]
+ ([--mokx])
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ [--simple-hash | -s] | [--mokx])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ [--simple-hash | -s] | [--mokx])
.br
\fBmokutil\fR [--revoke-import]
+ ([--mokx])
.br
\fBmokutil\fR [--revoke-delete]
+ ([--mokx])
.br
\fBmokutil\fR [--export | -x]
.br
@@ -41,10 +46,16 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s])
+ [--simple-hash | -s] | [--mok])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
+\fBmokutil\fR [--ignore-db]
+.br
+\fBmokutil\fR [--use-db]
+.br
+\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -108,3 +119,16 @@ Use the root password hash from /etc/shadow
Use the old SHA256 password hash method to hash the password
.br
Note: --root-pw invalidates --simple-hash
+.TP
+\fB--ignore-db\fR
+Tell shim to not use the keys in db to verify EFI images
+.TP
+\fB--use-db\fR
+Tell shim to use the keys in db to verify EFI images (default)
+.TP
+\fB--mokx\fR
+Manipulate the MOK blacklist (MOKX) instead of the MOK list
+.TP
+\fB--set-verbosity\fR
+Set the SHIM_VERBOSE to make shim more or less verbose
+.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index cd3b622..a1f1213 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -135,8 +135,8 @@ print_help ()
printf (" --generate-hash[=password]\t\tGenerate the password hash\n");
printf (" --ignore-db\t\t\t\tIgnore DB for validation\n");
printf (" --use-db\t\t\t\tUse DB for validation\n");
- printf (" --import-hash <hash>\t\t\tImport a hash\n");
- printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
+ printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
+ printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
--
1.8.4
From e2ea0acb875247d70626545d5f3837f2a422af2f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 26 Nov 2013 12:40:57 +0800
Subject: [PATCH 15/20] Make the help less verbose
It's all in the manpage anyway.
---
src/mokutil.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index a1f1213..628df7d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -141,23 +141,9 @@ print_help ()
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
- printf (" \t\t(For --import, --delete, --password,\n");
- printf (" \t\t --reset, --import-hash,\n");
- printf (" \t\t and --delete-hash)\n");
printf (" --root-pw\t\t\t\tUse the root password\n");
- printf (" \t\t\t\t(For --import, --delete, --password,\n");
- printf (" \t\t\t\t --reset, --import-hash,\n");
- printf (" \t\t\t\t and --delete-hash)\n");
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
- printf (" \t\t\t\t(For --import, --delete, --password,\n");
- printf (" \t\t\t\t --clear-password, --reset,\n");
- printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
- printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
- printf (" \t\t\t\t --list-delete, --import, --delete,\n");
- printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
- printf (" \t\t\t\t --import-hash, --delete-hash,\n");
- printf (" \t\t\t\t --reset, and --test-key)\n");
}
static int
--
1.8.4
From 72dd17981660747bc84b7ce643451110529ece38 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 26 Nov 2013 16:26:16 +0800
Subject: [PATCH 16/20] New options to list the firmware keys
---
man/mokutil.1 | 20 +++++++++++++
src/mokutil.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 102 insertions(+), 11 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index fa990e5..86846b4 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -56,6 +56,14 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--pk]
+.br
+\fBmokutil\fR [--kek]
+.br
+\fBmokutil\fR [--db]
+.br
+\fBmokutil\fR [--dbx]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -132,3 +140,15 @@ Manipulate the MOK blacklist (MOKX) instead of the MOK list
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--pk\fR
+List the keys in the public Platform Key (PK)
+.TP
+\fB--kek\fR
+List the keys in the Key Exchange Key Signature database (KEK)
+.TP
+\fB--db\fR
+List the keys in the secure boot signature store (db)
+.TP
+\fB--dbx\fR
+List the keys in the secure boot blacklist signature store (dbx)
+.TP
diff --git a/src/mokutil.c b/src/mokutil.c
index 628df7d..6f5aec4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -97,6 +97,15 @@ typedef enum {
ENROLL_BLACKLIST
} MokRequest;
+typedef enum {
+ MOK_LIST_RT = 0,
+ MOK_LIST_X_RT,
+ PK,
+ KEK,
+ DB,
+ DBX,
+} DBName;
+
typedef struct {
EFI_SIGNATURE_LIST *header;
uint32_t mok_size;
@@ -138,6 +147,10 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --pk\t\t\t\t\tList the keys in PK\n");
+ printf (" --kek\t\t\t\t\tList the keys in KEK\n");
+ printf (" --db\t\t\t\t\tList the keys in db\n");
+ printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -523,7 +536,7 @@ done:
}
static int
-list_keys_in_var (const char *var_name)
+list_keys_in_var (const char *var_name, const efi_guid_t guid)
{
efi_variable_t var;
efi_status_t status;
@@ -531,7 +544,7 @@ list_keys_in_var (const char *var_name)
memset (&var, 0, sizeof(var));
var.VariableName = var_name;
- var.VendorGuid = SHIM_LOCK_GUID;
+ var.VendorGuid = guid;
status = read_variable (&var);
if (status != EFI_SUCCESS) {
@@ -1869,6 +1882,27 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static inline int
+list_db (DBName db_name)
+{
+ switch (db_name) {
+ case MOK_LIST_RT:
+ return list_keys_in_var ("MokListRT", SHIM_LOCK_GUID);
+ case MOK_LIST_X_RT:
+ return list_keys_in_var ("MokListXRT", SHIM_LOCK_GUID);
+ case PK:
+ return list_keys_in_var ("PK", EFI_GLOBAL_VARIABLE);
+ case KEK:
+ return list_keys_in_var ("KEK", EFI_GLOBAL_VARIABLE);
+ case DB:
+ return list_keys_in_var ("db", EFI_IMAGE_SECURITY_DATABASE_GUID);
+ case DBX:
+ return list_keys_in_var ("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID);
+ }
+
+ return -1;
+}
+
int
main (int argc, char *argv[])
{
@@ -1882,6 +1916,7 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ DBName db_name = MOK_LIST_RT;
int ret = -1;
use_simple_hash = 0;
@@ -1914,6 +1949,10 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"pk", no_argument, 0, 0 },
+ {"kek", no_argument, 0, 0 },
+ {"db", no_argument, 0, 0 },
+ {"dbx", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -1950,7 +1989,12 @@ main (int argc, char *argv[])
} else if (strcmp (option, "use-db") == 0) {
command |= USE_DB;
} else if (strcmp (option, "mokx") == 0) {
- command |= MOKX;
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= MOKX;
+ db_name = MOK_LIST_X_RT;
+ }
} else if (strcmp (option, "import-hash") == 0) {
command |= IMPORT_HASH;
if (hash_str) {
@@ -1973,7 +2017,36 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "pk") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= LIST_ENROLLED;
+ db_name = PK;
+ }
+ } else if (strcmp (option, "kek") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= LIST_ENROLLED;
+ db_name = KEK;
+ }
+ } else if (strcmp (option, "db") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= LIST_ENROLLED;
+ db_name = DB;
+ }
+ } else if (strcmp (option, "dbx") == 0) {
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= LIST_ENROLLED;
+ db_name = DBX;
+ }
}
+
break;
case 'd':
case 'i':
@@ -2071,13 +2144,14 @@ main (int argc, char *argv[])
switch (command) {
case LIST_ENROLLED:
- ret = list_keys_in_var ("MokListRT");
+ case LIST_ENROLLED | MOKX:
+ ret = list_db (db_name);
break;
case LIST_NEW:
- ret = list_keys_in_var ("MokNew");
+ ret = list_keys_in_var ("MokNew", SHIM_LOCK_GUID);
break;
case LIST_DELETE:
- ret = list_keys_in_var ("MokDel");
+ ret = list_keys_in_var ("MokDel", SHIM_LOCK_GUID);
break;
case IMPORT:
case IMPORT | SIMPLE_HASH:
@@ -2141,14 +2215,11 @@ main (int argc, char *argv[])
case USE_DB:
ret = enable_db ();
break;
- case LIST_ENROLLED | MOKX:
- ret = list_keys_in_var ("MokListXRT");
- break;
case LIST_NEW | MOKX:
- ret = list_keys_in_var ("MokXNew");
+ ret = list_keys_in_var ("MokXNew", SHIM_LOCK_GUID);
break;
case LIST_DELETE | MOKX:
- ret = list_keys_in_var ("MokXDel");
+ ret = list_keys_in_var ("MokXDel", SHIM_LOCK_GUID);
break;
case IMPORT | MOKX:
case IMPORT | SIMPLE_HASH | MOKX:
--
1.8.4
From 9820c083e2a9b605a59aae7bdf56992f63abf7b8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 26 Nov 2013 16:49:14 +0800
Subject: [PATCH 17/20] Add more short options
---
man/mokutil.1 | 54 +++++++++++++++++++++++++++++-------------------------
src/mokutil.c | 42 +++++++++++++++++++++++-------------------
2 files changed, 52 insertions(+), 44 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 86846b4..02b346f 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -4,28 +4,28 @@
mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
-\fBmokutil\fR [--list-enrolled]
- ([--mokx])
+\fBmokutil\fR [--list-enrolled | -l]
+ ([--mokx | -X])
.br
-\fBmokutil\fR [--list-new]
- ([--mokx])
+\fBmokutil\fR [--list-new | -N]
+ ([--mokx | -X])
.br
-\fBmokutil\fR [--list-delete]
- ([--mokx])
+\fBmokutil\fR [--list-delete | -D]
+ ([--mokx | -X])
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx])
+ [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mokx])
+ [--simple-hash | -s] | [--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
- ([--mokx])
+ ([--mokx | -X])
.br
\fBmokutil\fR [--revoke-delete]
- ([--mokx])
+ ([--mokx | -X])
.br
\fBmokutil\fR [--export | -x]
.br
@@ -42,11 +42,11 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--sb-state]
.br
-\fBmokutil\fR [--test-key | -t] ...
+\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
- [--simple-hash | -s] | [--mok])
+ [--simple-hash | -s] | [--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
@@ -71,18 +71,22 @@ mokutil \- utility to manipulate machine owner keys
.SH OPTIONS
.TP
-\fB--list-enrolled\fR
+\fB-l, --list-enrolled\fR
List the keys the already stored in the database
.TP
-\fB--list-new\fR
+\fB-N, --list-new\fR
List the keys to be enrolled
.TP
-\fB--list-delete\fR
+\fB-D, --list-delete\fR
List the keys to be deleted
.TP
-\fB--import\fR
-Collect the followed files and form a request to shim. The files must be in DER
-format.
+\fB-i, --import\fR
+Collect the followed files and form a enrolling request to shim. The files must
+be in DER format.
+.TP
+\fB-d, --delete\fR
+Collect the followed files and form a deleting request to shim. The files must be
+in DER format.
.TP
\fB--revoke-import\fR
Revoke the current import request (MokNew)
@@ -90,13 +94,13 @@ Revoke the current import request (MokNew)
\fB--revoke-delete\fR
Revoke the current delete request (MokDel)
.TP
-\fB--export\fR
+\fB-x, --export\fR
Export the keys stored in MokListRT
.TP
-\fB--password\fR
+\fB-p, --password\fR
Setup the password for MokManager (MokPW)
.TP
-\fB--clear-password\fR
+\fB-c, --clear-password\fR
Clear the password for MokManager (MokPW)
.TP
\fB--disable-validation\fR
@@ -108,7 +112,7 @@ Enable the validation process in shim
\fB--sb-state\fR
Show SecureBoot State
.TP
-\fB--test-key\fR
+\fB-t, --test-key\fR
Test if the key is enrolled or not
.TP
\fB--reset\fR
@@ -120,10 +124,10 @@ Generate the password hash
\fB--hash-file\fR
Use the password hash from a specific file
.TP
-\fB--root-pw\fR
+\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
-\fB--simple-hash\fR
+\fB-s, --simple-hash\fR
Use the old SHA256 password hash method to hash the password
.br
Note: --root-pw invalidates --simple-hash
@@ -134,7 +138,7 @@ Tell shim to not use the keys in db to verify EFI images
\fB--use-db\fR
Tell shim to use the keys in db to verify EFI images (default)
.TP
-\fB--mokx\fR
+\fB-X, --mokx\fR
Manipulate the MOK blacklist (MOKX) instead of the MOK list
.TP
\fB--set-verbosity\fR
diff --git a/src/mokutil.c b/src/mokutil.c
index 6f5aec4..6fe8ae2 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1924,9 +1924,9 @@ main (int argc, char *argv[])
while (1) {
static struct option long_options[] = {
{"help", no_argument, 0, 'h'},
- {"list-enrolled", no_argument, 0, 0 },
- {"list-new", no_argument, 0, 0 },
- {"list-delete", no_argument, 0, 0 },
+ {"list-enrolled", no_argument, 0, 'l'},
+ {"list-new", no_argument, 0, 'N'},
+ {"list-delete", no_argument, 0, 'D'},
{"import", required_argument, 0, 'i'},
{"delete", required_argument, 0, 'd'},
{"revoke-import", no_argument, 0, 0 },
@@ -1945,7 +1945,7 @@ main (int argc, char *argv[])
{"simple-hash", no_argument, 0, 's'},
{"ignore-db", no_argument, 0, 0 },
{"use-db", no_argument, 0, 0 },
- {"mokx", no_argument, 0, 0 },
+ {"mokx", no_argument, 0, 'X'},
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
@@ -1957,7 +1957,7 @@ main (int argc, char *argv[])
};
int option_index = 0;
- c = getopt_long (argc, argv, "cd:f:g::hi:pst:xP",
+ c = getopt_long (argc, argv, "cd:f:g::hi:lpst:xDNPX",
long_options, &option_index);
if (c == -1)
@@ -1966,13 +1966,7 @@ main (int argc, char *argv[])
switch (c) {
case 0:
option = long_options[option_index].name;
- if (strcmp (option, "list-enrolled") == 0) {
- command |= LIST_ENROLLED;
- } else if (strcmp (option, "list-new") == 0) {
- command |= LIST_NEW;
- } else if (strcmp (option, "list-delete") == 0) {
- command |= LIST_DELETE;
- } else if (strcmp (option, "revoke-import") == 0) {
+ if (strcmp (option, "revoke-import") == 0) {
command |= REVOKE_IMPORT;
} else if (strcmp (option, "revoke-delete") == 0) {
command |= REVOKE_DELETE;
@@ -1988,13 +1982,6 @@ main (int argc, char *argv[])
command |= IGNORE_DB;
} else if (strcmp (option, "use-db") == 0) {
command |= USE_DB;
- } else if (strcmp (option, "mokx") == 0) {
- if (db_name != MOK_LIST_RT) {
- command |= HELP;
- } else {
- command |= MOKX;
- db_name = MOK_LIST_X_RT;
- }
} else if (strcmp (option, "import-hash") == 0) {
command |= IMPORT_HASH;
if (hash_str) {
@@ -2048,6 +2035,15 @@ main (int argc, char *argv[])
}
break;
+ case 'l':
+ command |= LIST_ENROLLED;
+ break;
+ case 'N':
+ command |= LIST_NEW;
+ break;
+ case 'D':
+ command |= LIST_DELETE;
+ break;
case 'd':
case 'i':
if (c == 'd')
@@ -2127,6 +2123,14 @@ main (int argc, char *argv[])
command |= SIMPLE_HASH;
use_simple_hash = 1;
break;
+ case 'X':
+ if (db_name != MOK_LIST_RT) {
+ command |= HELP;
+ } else {
+ command |= MOKX;
+ db_name = MOK_LIST_X_RT;
+ }
+ break;
case 'h':
case '?':
command |= HELP;
--
1.8.4
From 0ff8112146c355c1bc4eec57cdeb0aed4cc4065c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 26 Nov 2013 18:13:20 +0800
Subject: [PATCH 18/20] Catch the error from strdup()
---
src/mokutil.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6fe8ae2..27b9585 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1989,6 +1989,10 @@ main (int argc, char *argv[])
break;
}
hash_str = strdup (optarg);
+ if (hash_str == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
} else if (strcmp (option, "delete-hash") == 0) {
command |= DELETE_HASH;
if (hash_str) {
@@ -1996,6 +2000,10 @@ main (int argc, char *argv[])
break;
}
hash_str = strdup (optarg);
+ if (hash_str == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
} else if (strcmp (option, "set-verbosity") == 0) {
command |= VERBOSITY;
if (strcmp (optarg, "true") == 0)
@@ -2069,6 +2077,10 @@ main (int argc, char *argv[])
}
files = malloc (total * sizeof (char *));
+ if (files == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
for (i = 0; i < total; i++) {
f_ind = i + optind - 1;
files[i] = malloc (strlen(argv[f_ind]) + 1);
@@ -2082,6 +2094,10 @@ main (int argc, char *argv[])
break;
}
hash_file = strdup (optarg);
+ if (hash_file == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
break;
case 'g':
@@ -2089,8 +2105,13 @@ main (int argc, char *argv[])
command |= HELP;
break;
}
- if (optarg)
+ if (optarg) {
input_pw = strdup (optarg);
+ if (input_pw == NULL) {
+ fprintf (stderr, "Could not allocate space: %m\n");
+ exit(1);
+ }
+ }
command |= GENERATE_PW_HASH;
break;
--
1.8.4
From f77d5e52b0318dbf8f92b2bd89aab0a3d5d77078 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 22 Jan 2014 13:46:24 +0800
Subject: [PATCH 19/20] Fix the test-key request check
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 27b9585..dbec25b 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1776,7 +1776,7 @@ test_key (MokRequest req, const char *key_file)
goto error;
}
- if (!is_valid_request (EfiCertX509Guid, key, read_size, req)) {
+ if (is_valid_request (EfiCertX509Guid, key, read_size, req)) {
printf ("%s is not enrolled\n", key_file);
ret = 0;
} else {
--
1.8.4
From d921883b2f8ce4e9e9304af5d9b44aac1e701e51 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 22 Jan 2014 13:51:36 +0800
Subject: [PATCH 20/20] Update manpage for --test-key
---
man/mokutil.1 | 1 +
1 file changed, 1 insertion(+)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 02b346f..ca9380d 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -43,6 +43,7 @@ mokutil \- utility to manipulate machine owner keys
\fBmokutil\fR [--sb-state]
.br
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
+ ([--mokx | -X])
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
--
1.8.4