pool/mokutil
SHA256
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 835083 from home:gary_lin:branches:Base:System

Browse Source 
add options for CA and kernel keyring checks (bsc#1173115)

OBS-URL: https://build.opensuse.org/request/show/835083
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=45
This commit is contained in:
Gary Ching-Pang Lin 2020-09-17 06:11:04 +00:00 committed by Git OBS Bridge
parent 0e0622e563
commit 016c355cf7
5 changed files with 1251 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1159
mokutil-bsc1173115-add-ca-and-keyring-checks.patch Normal file
View File

File diff suppressed because it is too large Load Diff

46
mokutil-remove-libkeyutils-check.patch Normal file
View File

@ -0,0 +1,46 @@
From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 16 Sep 2020 17:02:56 +0800
Subject: [PATCH] Remove libkeyutils pkgconfig check
keyutils didn't provide pkgconfig in 1.5.*
Signed-off-by: Gary Lin <glin@suse.com>
---
configure.ac | 1 -
src/Makefile.am | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index b0b0376..d74fd21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
-PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])
AC_ARG_WITH([bash-completion-dir],
AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
diff --git a/src/Makefile.am b/src/Makefile.am
index f616b90..664b80a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -2,12 +2,11 @@ bin_PROGRAMS = mokutil
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
$(EFIVAR_CFLAGS) \
- $(LIBKEYUTILS_CFLAGS) \
$(WARNINGFLAGS_C)
mokutil_LDADD = $(OPENSSL_LIBS) \
$(EFIVAR_LIBS) \
- $(LIBKEYUTILS_LIBS) \
+ -lkeyutils \
-lcrypt
mokutil_SOURCES = signature.h \
--
2.28.0

58
mokutil-support-revoke-builtin-cert.patch
View File

@ -1,4 +1,4 @@
From 93ded288224a18f336f9e3654a33a48bcb748b11 Mon Sep 17 00:00:00 2001 From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800 Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/4] Add the option to revoke the built-in certificate Subject: [PATCH 1/4] Add the option to revoke the built-in certificate
@ -13,10 +13,10 @@ revoke the built-in certificate.
1 file changed, 82 insertions(+) 1 file changed, 82 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index e2d567d..1ada2a0 100644 index 02ed21f..d95a2eb 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -84,6 +84,7 @@ @@ -86,6 +86,7 @@
#define DELETE_HASH (1 << 22) #define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23) #define VERBOSITY (1 << 23)
#define TIMEOUT (1 << 24) #define TIMEOUT (1 << 24)
@ -24,7 +24,7 @@ index e2d567d..1ada2a0 100644
#define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -176,6 +177,7 @@ print_help () @@ -180,6 +181,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
@ -32,7 +32,7 @@ index e2d567d..1ada2a0 100644
printf ("\n"); printf ("\n");
printf ("Supplimentary Options:\n"); printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2103,6 +2105,79 @@ set_verbosity (uint8_t verbosity) @@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity)
return 0; return 0;
} }
@ -112,24 +112,24 @@ index e2d567d..1ada2a0 100644
static inline int static inline int
list_db (DBName db_name) list_db (DBName db_name)
{ {
@@ -2182,6 +2257,7 @@ main (int argc, char *argv[]) @@ -2480,6 +2555,7 @@ main (int argc, char *argv[])
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 }, {"timeout", required_argument, 0, 0 },
{"ca-check", no_argument, 0, 0 },
{"ignore-keyring", no_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 }, + {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0} {0, 0, 0, 0}
}; };
@@ -2268,6 +2344,8 @@ main (int argc, char *argv[]) @@ -2570,6 +2646,8 @@ main (int argc, char *argv[])
} else if (strcmp (option, "timeout") == 0) { force_ca_check = 1;
command |= TIMEOUT; } else if (strcmp (option, "ignore-keyring") == 0) {
timeout = strdup (optarg); check_keyring = 0;
+ } else if (strcmp (option, "revoke-cert") == 0) { + } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT; + command |= REVOKE_CERT;
} }
break; break;
@@ -2537,6 +2615,10 @@ main (int argc, char *argv[]) @@ -2839,6 +2917,10 @@ main (int argc, char *argv[])
case TIMEOUT: case TIMEOUT:
ret = set_timeout (timeout); ret = set_timeout (timeout);
break; break;
@ -141,10 +141,10 @@ index e2d567d..1ada2a0 100644
print_help (); print_help ();
break; break;
-- --
2.27.0 2.28.0
From 17f9850edce4dd40f96107c97d3d720406bf9f09 Mon Sep 17 00:00:00 2001 From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800 Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables
@ -157,10 +157,10 @@ Adapt the changes in the mainline.
1 file changed, 25 insertions(+), 20 deletions(-) 1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index 1ada2a0..dcf55dc 100644 index d95a2eb..8be0b77 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -2108,28 +2108,35 @@ set_verbosity (uint8_t verbosity) @@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity)
static int static int
revoke_builtin_cert (void) revoke_builtin_cert (void)
{ {
@ -205,7 +205,7 @@ index 1ada2a0..dcf55dc 100644
memset (&pw_crypt, 0, sizeof(pw_crypt_t)); memset (&pw_crypt, 0, sizeof(pw_crypt_t));
memset (auth, 0, SHA256_DIGEST_LENGTH); memset (auth, 0, SHA256_DIGEST_LENGTH);
@@ -2152,20 +2159,18 @@ revoke_builtin_cert (void) @@ -2446,20 +2453,18 @@ revoke_builtin_cert (void)
} }
if (!use_simple_hash) { if (!use_simple_hash) {
@ -236,10 +236,10 @@ index 1ada2a0..dcf55dc 100644
goto error; goto error;
} }
-- --
2.27.0 2.28.0
From 1ab85ee4d98a5436c4612b8f893c3c73f113a6e0 Mon Sep 17 00:00:00 2001 From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com> From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800 Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24 Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24
@ -250,10 +250,10 @@ This is an openSUSE-only patch.
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c diff --git a/src/mokutil.c b/src/mokutil.c
index dcf55dc..0160c06 100644 index 8be0b77..f27bba0 100644
--- a/src/mokutil.c --- a/src/mokutil.c
+++ b/src/mokutil.c +++ b/src/mokutil.c
@@ -2170,7 +2170,8 @@ revoke_builtin_cert (void) @@ -2464,7 +2464,8 @@ revoke_builtin_cert (void)
| EFI_VARIABLE_RUNTIME_ACCESS; | EFI_VARIABLE_RUNTIME_ACCESS;
if (efi_set_variable (efi_guid_shim, "ClearVerify", if (efi_set_variable (efi_guid_shim, "ClearVerify",
@ -264,10 +264,10 @@ index dcf55dc..0160c06 100644
goto error; goto error;
} }
-- --
2.27.0 2.28.0
From ca9db2e9aa89a945651787b23046a6213af4144d Mon Sep 17 00:00:00 2001 From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com> From: Gary Lin <glin@suse.com>
Date: Fri, 14 Aug 2020 14:57:23 +0800 Date: Fri, 14 Aug 2020 14:57:23 +0800
Subject: [PATCH 4/4] man: add "--revoke-cert" Subject: [PATCH 4/4] man: add "--revoke-cert"
@ -282,7 +282,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
1 file changed, 5 insertions(+) 1 file changed, 5 insertions(+)
diff --git a/man/mokutil.1 b/man/mokutil.1 diff --git a/man/mokutil.1 b/man/mokutil.1
index 25fe8b4..bf27a52 100644 index cbea367..1c18d7a 100644
--- a/man/mokutil.1 --- a/man/mokutil.1
+++ b/man/mokutil.1 +++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys @@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
@ -294,13 +294,13 @@ index 25fe8b4..bf27a52 100644
.SH DESCRIPTION .SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db) @@ -180,3 +182,6 @@ databases.
\fB--dbx\fR \fB--ignore-keyring\fR
List the keys in the secure boot blacklist signature store (dbx) Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
.TP .TP
+\fB--revoke-cert\fR +\fB--revoke-cert\fR
+Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic) +Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic)
+.TP +.TP
-- --
2.27.0 2.28.0

10
mokutil.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add
options for CA and kernel keyring checks (bsc#1173115)
+ Add new BuildRequires: keyutils-devel
+ Add mokutil-remove-libkeyutils-check.patch to disable the
version check of libkeyutils
- Refresh mokutil-support-revoke-builtin-cert.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 14 06:59:46 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> Fri Aug 14 06:59:46 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

7
mokutil.spec
View File

@ -27,10 +27,15 @@ Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
Source1: modhash Source1: modhash
# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch glin@suse.com -- Remove shebang from bash-completion/mokutil # PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch glin@suse.com -- Remove shebang from bash-completion/mokutil
Patch1: mokutil-remove-shebang-from-bash-completion-file.patch Patch1: mokutil-remove-shebang-from-bash-completion-file.patch
# PATCH-FIX-UPSTREAM mokutil-bsc1173115-add-ca-and-keyring-checks.patch bsc#1173115 glin@suse.com -- Add options for CA and kernel keyring checks
Patch2: mokutil-bsc1173115-add-ca-and-keyring-checks.patch
# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version
Patch3: mokutil-remove-libkeyutils-check.patch
Patch100: mokutil-support-revoke-builtin-cert.patch Patch100: mokutil-support-revoke-builtin-cert.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: efivar-devel >= 0.12 BuildRequires: efivar-devel >= 0.12
BuildRequires: keyutils-devel >= 1.5.0
BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: pkg-config BuildRequires: pkg-config
Requires: openssl Requires: openssl
@ -50,6 +55,8 @@ Authors:
%prep %prep
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch100 -p1 %patch100 -p1
%build %build