From 1ac1ba5fd65384a864f84de5a6256678107629f2b35ba42a9713c69289dd1e88 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 24 Mar 2014 09:36:23 +0000 Subject: [PATCH] Accepting request 227281 from home:gary_lin:branches:Base:System - Add mokutil-more-details-for-skipped-keys.patch to show the reason to skip the key - Add mokutil-check-secure-boot-support.patch to check whether the system supports Secure Boot or not OBS-URL: https://build.opensuse.org/request/show/227281 OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=20 --- mokutil-check-secure-boot-support.patch | 49 ++++++ mokutil-more-details-for-skipped-keys.patch | 164 ++++++++++++++++++++ mokutil.changes | 8 + mokutil.spec | 6 + 4 files changed, 227 insertions(+) create mode 100644 mokutil-check-secure-boot-support.patch create mode 100644 mokutil-more-details-for-skipped-keys.patch diff --git a/mokutil-check-secure-boot-support.patch b/mokutil-check-secure-boot-support.patch new file mode 100644 index 0000000..8eb74ee --- /dev/null +++ b/mokutil-check-secure-boot-support.patch 
@@ -0,0 +1,49 @@ +From e8899f1f26a77dfd870388156381489d53e5548c Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Mar 2014 15:20:27 +0800 +Subject: [PATCH] Check whether the system supports Secure Boot or not + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index cd039f0..149df2b 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2211,6 +2211,23 @@ main (int argc, char *argv[]) + if (hash_file && use_root_pw) + command |= HELP; + ++ if (!(command & HELP)) { ++ /* Check whether the machine supports Secure Boot or not */ ++ efi_variable_t var; ++ efi_status_t status; ++ ++ memset (&var, 0, sizeof(var)); ++ var.VariableName = "SecureBoot"; ++ var.VendorGuid = EFI_GLOBAL_VARIABLE; ++ status = read_variable (&var); ++ if (status != EFI_SUCCESS) { ++ fprintf (stderr, "This system doesn't support Secure Boot\n"); ++ ret = -1; ++ goto out; ++ } ++ free (var.Data); ++ } ++ + switch (command) { + case LIST_ENROLLED: + case LIST_ENROLLED | MOKX: +@@ -2331,6 +2348,7 @@ main (int argc, char *argv[]) + break; + } + ++out: + if (files) { + for (i = 0; i < total; i++) + free (files[i]); +-- +1.8.4.5 + diff --git a/mokutil-more-details-for-skipped-keys.patch b/mokutil-more-details-for-skipped-keys.patch new file mode 100644 index 0000000..77f743c --- /dev/null +++ b/mokutil-more-details-for-skipped-keys.patch 
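Review bot: The Secure Boot gate added to main() treats every non-EFI_SUCCESS result of read_variable() as "This system doesn't support Secure Boot", but reading the SecureBoot variable can also fail on firmware that does support it (efivars interface not mounted, insufficient permissions), so the message can misdirect the user. If read_variable() reports a missing variable as EFI_NOT_FOUND (not verifiable from this hunk), keep the current message for that status and emit a distinct one otherwise, e.g. `fprintf (stderr, "Failed to read the SecureBoot variable\n");`, so an unreadable variable is not mistaken for unsupported firmware. A one-line comment such as `/* only the presence of the variable is tested; its value (enabled/disabled) is intentionally not examined */` would also record the intent, since the check passes even when Secure Boot is disabled or the firmware is in setup mode. The enclosing main() begins and ends outside the hunk, including the declaration of `ret` and the cleanup after the new `out:` label.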
@@ -0,0 +1,164 @@ +From 98fe9bfda3bcf6c532d57e07e6ba25c350e7b7a1 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 13 Feb 2014 14:32:18 +0800 +Subject: [PATCH 1/3] Be more verbose while skipping a key + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1c32313..3655b92 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1228,7 +1228,8 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + printf ("Removed %s from %s\n", files[i], reverse_req); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } else { +- printf ("Skip %s\n", files[i]); ++ printf ("%s is already enrolled or in %s request\n", files[i], ++ import?"an enrollment":"a deletion"); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } + +-- +1.8.4.5 + + +From 2e5560600b213e35e59d4a7923c01f8b9c095323 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Mar 2014 14:48:53 +0800 +Subject: [PATCH 2/3] Show more details when skipping a key + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 3655b92..cd039f0 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1111,6 +1111,29 @@ in_pending_request (efi_guid_t type, void *data, uint32_t data_size, + return 0; + } + ++static void ++print_skip_message (const char *filename, void *mok, uint32_t mok_size, ++ uint8_t import) ++{ ++ if (import) { ++ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE)) ++ printf ("SKIP: %s is already in PK\n", filename); ++ else if (is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE)) ++ printf ("SKIP: %s is already in KEK\n", filename); ++ else if (is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID)) ++ printf ("SKIP: %s is already in db\n", filename); ++ else if (is_duplicate (mok, 
mok_size, "MokListRT", SHIM_LOCK_GUID)) ++ printf ("SKIP: %s is already enrolled\n", filename); ++ else if (is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) ++ printf ("SKIP: %s is already in the enrollement request\n", filename); ++ } else { ++ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID)) ++ printf ("SKIP: %s is not in MokList\n", filename); ++ else if (is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) ++ printf ("SKIP: %s is already in the deletion request\n", filename); ++ } ++} ++ + static int + issue_mok_request (char **files, uint32_t total, MokRequest req, + const char *hash_file, const int root_pw) +@@ -1228,8 +1251,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + printf ("Removed %s from %s\n", files[i], reverse_req); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } else { +- printf ("%s is already enrolled or in %s request\n", files[i], +- import?"an enrollment":"a deletion"); ++ print_skip_message (files[i], ptr, sizes[i], import); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } + +-- +1.8.4.5 + + +From 19df75d89e636293c93686e1edd8529f4b68170e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Mar 2014 16:27:06 +0800 +Subject: [PATCH 3/3] Merge MokX for print_skip_message() + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 39 ++++++++++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index cd039f0..492dffc 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1113,24 +1113,41 @@ in_pending_request (efi_guid_t type, void *data, uint32_t data_size, + + static void + print_skip_message (const char *filename, void *mok, uint32_t mok_size, +- uint8_t import) ++ MokRequest req) + { +- if (import) { +- if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE)) ++ efi_guid_t type = EfiCertX509Guid; ++ ++ switch (req) { ++ case ENROLL_MOK: ++ if (is_duplicate (type, mok, 
mok_size, EFI_GLOBAL_VARIABLE, "PK")) + printf ("SKIP: %s is already in PK\n", filename); +- else if (is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE)) ++ else if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK")) + printf ("SKIP: %s is already in KEK\n", filename); +- else if (is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID)) ++ else if (is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db")) + printf ("SKIP: %s is already in db\n", filename); +- else if (is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID)) ++ else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) + printf ("SKIP: %s is already enrolled\n", filename); +- else if (is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) ++ else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) + printf ("SKIP: %s is already in the enrollement request\n", filename); +- } else { +- if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID)) ++ break; ++ case DELETE_MOK: ++ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) + printf ("SKIP: %s is not in MokList\n", filename); +- else if (is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) ++ else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) + printf ("SKIP: %s is already in the deletion request\n", filename); ++ break; ++ case ENROLL_BLACKLIST: ++ if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) ++ printf ("SKIP: %s is already in MokListX\n", filename); ++ else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXNew")) ++ printf ("SKIP: %s is already in the MokX enrollment request\n", filename); ++ break; ++ case DELETE_BLACKLIST: ++ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) ++ printf ("SKIP: %s is not in MokListX\n", filename); ++ else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXDel")) ++ printf ("SKIP: %s is already in the MokX deletion 
request\n", filename); ++ break; + } + } + +@@ -1251,7 +1268,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + printf ("Removed %s from %s\n", files[i], reverse_req); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } else { +- print_skip_message (files[i], ptr, sizes[i], import); ++ print_skip_message (files[i], ptr, sizes[i], req); + ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); + } + +-- +1.8.4.5 + diff --git a/mokutil.changes b/mokutil.changes index cfe742a..60c606b 100644 --- a/mokutil.changes +++ b/mokutil.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com + +- Add mokutil-more-details-for-skipped-keys.patch to show the + reason to skip the key +- Add mokutil-check-secure-boot-support.patch to check whether the + system supports Secure Boot or not + ------------------------------------------------------------------- Fri Feb 21 10:10:15 UTC 2014 - glin@suse.com diff --git a/mokutil.spec b/mokutil.spec index 798d516..f6a41f2 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -32,6 +32,10 @@ Patch2: mokutil-mokx-support.patch Patch3: mokutil-fix-hash-list-size.patch # PATCH-FIX-UPSTREAM mokutil-clean-request.patch glin@suse.com -- Clear the request if all keys are removed Patch4: mokutil-clean-request.patch +# PATCH-FIX-UPSTREAM mokutil-more-details-for-skipped-keys.patch glin@suse.com -- Be more verbose while skipping a key +Patch5: mokutil-more-details-for-skipped-keys.patch +# PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch glin@suse.com -- Check whether the system supports secure boot or not +Patch6: mokutil-check-secure-boot-support.patch # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf 
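Review bot: In the final form of print_skip_message() (PATCH 3/3) a skipped key can produce no output at all: each switch arm prints only when one of its is_duplicate() probes matches and there is no `default:` arm, so a req value outside the four handled ones, or a skip for a reason the probes do not cover, is silent where the replaced one-line printf always said something. Adding `default:` and a trailing `else printf ("SKIP: %s\n", filename);` to each case keeps the output non-empty; which conditions make issue_mok_request() take the skip branch is not visible here, so whether the probes are exhaustive is an inference. The user-visible string `SKIP: %s is already in the enrollement request` misspells "enrollment" and is worth fixing before scripts start matching on it. `type` is fixed to EfiCertX509Guid, so a comment stating that this helper assumes X.509 entries (hash entries would be probed with the wrong type) would help the next maintainer. issue_mok_request() is only partially visible in this hunk.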
@@ -57,6 +61,8 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %patch100 -p1
 
 %build