pool/mokutil
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 184304 from home:gary_lin:branches:Base:System

Browse Source 
- Update to 0.2.0
  + Generate the password hash with crypt() by default instead of
    the original sha256 password hash
  + Add an option to import the root password hash
  + Amend error messages, help, and man page

OBS-URL: https://build.opensuse.org/request/show/184304
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=10
This commit is contained in:
Gary Ching-Pang Lin 2013-07-25 10:27:41 +00:00 committed by Git OBS Bridge
parent bc678d18f9
commit 44db4978c2
14 changed files with 24 additions and 5165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
mokutil-0.1.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:739a241e18cc5b89c46eecc473568fb295952598ff518e7af90f81900afb62d4
size 94722

3
mokutil-0.2.0.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:03cf595bd1b4d4a17dc1814b0529b25505d57429d583e7f9489ef0a2354b320e
size 102028

50
mokutil-allow-password-from-pipe.patch
View File

@ -1,50 +0,0 @@
commit adce7208ddcb65daac83ea3429aa8586d9cc4ea5
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed Jan 2 17:30:07 2013 +0800
Only change terminal settings
tcgetattr() will fail if we send password through a pipeline instead
of a TTY.
diff --git a/src/mokutil.c b/src/mokutil.c
index a99e355..ea8481a 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -278,22 +278,27 @@ read_hidden_line (char **line, size_t *n)
{
struct termios old, new;
int nread;
+ int isTTY = isatty(fileno (stdin));
- /* Turn echoing off and fail if we can't. */
- if (tcgetattr (fileno (stdin), &old) != 0)
- return -1;
+ if (isTTY) {
+ /* Turn echoing off and fail if we can't. */
+ if (tcgetattr (fileno (stdin), &old) != 0)
+ return -1;
- new = old;
- new.c_lflag &= ~ECHO;
+ new = old;
+ new.c_lflag &= ~ECHO;
- if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
- return -1;
+ if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
+ return -1;
+ }
/* Read the password. */
nread = getline (line, n, stdin);
- /* Restore terminal. */
- (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ if (isTTY) {
+ /* Restore terminal. */
+ (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ }
/* Remove the newline */
(*line)[nread-1] = '\0';

105
mokutil-bnc809215-improve-wording.patch
View File

@ -1,105 +0,0 @@
commit 08e7fbbfec644406b5f6f3ce787444bc5e2c4b3d
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri Mar 29 12:12:00 2013 +0800
Make the error message more understandable
diff --git a/src/efilib.c b/src/efilib.c
index cb1aca6..1b72cd9 100644
--- a/src/efilib.c
+++ b/src/efilib.c
@@ -5,6 +5,7 @@
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
+#include <errno.h>
#include "efi.h"
#define SYSFS_DIR_EFI_VARS "/sys/firmware/efi/efivars"
@@ -95,7 +96,9 @@ read_variable (efi_variable_t *var)
snprintf (filename, PATH_MAX-1, "%s/%s", SYSFS_DIR_EFI_VARS, name);
fd = open (filename, O_RDONLY);
if (fd == -1) {
- return EFI_NOT_FOUND;
+ if (errno == ENOENT)
+ return EFI_NOT_FOUND;
+ return EFI_INVALID_PARAMETER;
}
if (fstat (fd, &buf) != 0) {
diff --git a/src/mokutil.c b/src/mokutil.c
index 27ebf09..3f89db2 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -236,14 +236,20 @@ static int
list_enrolled_keys ()
{
efi_variable_t var;
+ efi_status_t status;
int ret;
memset (&var, 0, sizeof(var));
var.VariableName = "MokListRT";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("MokListRT is empty\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokListRT\n");
return -1;
}
@@ -258,14 +264,20 @@ static int
list_new_keys ()
{
efi_variable_t var;
+ efi_status_t status;
int ret;
memset (&var, 0, sizeof(var));
var.VariableName = "MokNew";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("No MOK new key request\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokNew\n");
return -1;
}
@@ -812,6 +824,7 @@ static int
export_moks ()
{
efi_variable_t var;
+ efi_status_t status;
char filename[PATH_MAX];
uint32_t mok_num;
MokListNode *list;
@@ -822,10 +835,15 @@ export_moks ()
memset (&var, 0, sizeof(var));
var.VariableName = "MokListRT";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("MokListRT is empty\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokListRT\n");
return -1;
}

340
mokutil-bnc809703-check-pending-request.patch
View File

@ -1,340 +0,0 @@
From 9a114bb26e81f3b2764d84b8a6f5b9bd2e1528de Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 29 Mar 2013 18:00:55 +0800
Subject: [PATCH 1/3] Delete key from the pending request
---
src/mokutil.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 108 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3f89db2..01a1b79 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -49,8 +49,9 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define SETTINGS_LEN (DEFAULT_SALT_SIZE*2)
typedef struct {
- uint32_t mok_size;
- void *mok;
+ EFI_SIGNATURE_LIST *header;
+ uint32_t mok_size;
+ void *mok;
} MokListNode;
typedef struct {
@@ -154,8 +155,9 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
+ list[count].header = CertList;
list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
- list[count].mok = (void *)Cert->SignatureData;
+ list[count].mok = (void *)Cert->SignatureData;
count++;
dbsize -= CertList->SignatureListSize;
@@ -233,6 +235,74 @@ list_keys (efi_variable_t *var)
}
static int
+delete_key_from_list (void *mok, uint32_t mok_size,
+ const char *var_name, efi_guid_t guid)
+{
+ efi_variable_t var;
+ MokListNode *list;
+ uint32_t mok_num, total, remain;
+ void *ptr, *data = NULL;
+ int i, del_ind, ret = 0;
+
+ if (!var_name || !mok || mok_size == 0)
+ return 0;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = var_name;
+ var.VendorGuid = guid;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ total = var.DataSize;
+
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
+ if (list == NULL)
+ goto done;
+
+ for (i = 0; i < mok_num; i++) {
+ if (list[i].mok_size != mok_size)
+ continue;
+
+ if (memcmp (list[i].mok, mok, mok_size) == 0) {
+ /* Remove this key */
+ del_ind = i;
+ data = (void *)list[i].header;
+ ptr = data + list[i].header->SignatureListSize;
+ total -= list[i].header->SignatureListSize;
+ break;
+ }
+ }
+
+ /* the key is not in this list */
+ if (data == NULL)
+ return 0;
+
+ /* Move the rest of the keys */
+ remain = 0;
+ for (i = del_ind + 1; i < mok_num; i++)
+ remain += list[i].header->SignatureListSize;
+ if (remain > 0)
+ memmove (data, ptr, remain);
+
+ var.DataSize = total;
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to write %s\n", var_name);
+ goto done;
+ }
+
+ ret = 1;
+done:
+ free (var.Data);
+
+ return ret;
+}
+
+static int
list_enrolled_keys ()
{
efi_variable_t var;
@@ -658,6 +728,34 @@ is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
}
static int
+in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
+{
+ efi_variable_t authvar;
+ const char *var_name = import ? "MokDel" : "MokNew";
+
+ if (!mok || mok_size == 0)
+ return 0;
+
+ memset (&authvar, 0, sizeof(authvar));
+ authvar.VariableName = import ? "MokDelAuth" : "MokAuth";
+ authvar.VendorGuid = SHIM_LOCK_GUID;
+
+ if (read_variable (&authvar) != EFI_SUCCESS) {
+ return 0;
+ }
+
+ free (authvar.Data);
+ /* Check if the password hash is in the old format */
+ if (authvar.DataSize == SHA256_DIGEST_LENGTH)
+ return 0;
+
+ if (delete_key_from_list (mok, mok_size, var_name, SHIM_LOCK_GUID))
+ return 1;
+
+ return 0;
+}
+
+static int
issue_mok_request (char **files, uint32_t total, uint8_t import,
const char *hash_file, const int root_pw)
{
@@ -678,10 +776,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
if (!files)
return -1;
- if (import)
- req_name = "MokNew";
- else
- req_name = "MokDel";
+ req_name = import ? "MokNew" : "MokDel";
sizes = malloc (total * sizeof(uint32_t));
@@ -692,6 +787,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
goto error;
}
+ /* get the sizes of the key files */
for (i = 0; i < total; i++) {
if (stat (files[i], &buf) != 0) {
fprintf (stderr, "Failed to get file status, %s\n",
@@ -752,6 +848,10 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
if (is_valid_request (ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ } else if (in_pending_request (ptr, sizes[i], import)) {
+ printf ("Removed %s from %s\n", files[i], import ? "MokDel" : "MokNew");
+
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
printf ("Skip %s\n", files[i]);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
@@ -760,7 +860,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
close (fd);
}
- /* All keys are enrolled, nothing to do here... */
+ /* All keys are in the list, nothing to do here... */
if (real_size == 0) {
ret = 0;
goto error;
--
1.8.1.4
From d00c50c0eb73c27b1c49d8d947b99e24a4da4a66 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 29 Mar 2013 14:21:00 +0800
Subject: [PATCH 2/3] Remove the unnecessary command flags
---
src/mokutil.c | 47 ++++++++++++++++++++++-------------------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 01a1b79..6c3a135 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -40,9 +40,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define SB_STATE 0x800
#define TEST_KEY 0x1000
#define RESET 0x2000
-#define HASH_FILE 0x4000
-#define GENERATE_PW_HASH 0x8000
-#define ROOT_PW 0x10000
+#define GENERATE_PW_HASH 0x4000
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -1247,6 +1245,7 @@ main (int argc, char *argv[])
const char *option;
int c, i, f_ind, total = 0;
unsigned int command = 0;
+ int use_root_pw = 0;
int ret = -1;
while (1) {
@@ -1329,7 +1328,6 @@ main (int argc, char *argv[])
case 'f':
hash_file = strdup (optarg);
- command |= HASH_FILE;
break;
case 'g':
if (optarg)
@@ -1341,7 +1339,7 @@ main (int argc, char *argv[])
command |= PASSWORD;
break;
case 'P':
- command |= ROOT_PW;
+ use_root_pw = 1;
break;
case 't':
key_file = strdup (optarg);
@@ -1360,6 +1358,9 @@ main (int argc, char *argv[])
}
}
+ if (hash_file && use_root_pw)
+ command |= HELP;
+
switch (command) {
case LIST_ENROLLED:
ret = list_enrolled_keys ();
@@ -1368,18 +1369,16 @@ main (int argc, char *argv[])
ret = list_new_keys ();
break;
case IMPORT:
- case IMPORT | HASH_FILE:
- ret = import_moks (files, total, hash_file, 0);
- break;
- case IMPORT | ROOT_PW:
- ret = import_moks (files, total, NULL, 1);
+ if (use_root_pw)
+ ret = import_moks (files, total, NULL, 1);
+ else
+ ret = import_moks (files, total, hash_file, 0);
break;
case DELETE:
- case DELETE | HASH_FILE:
- ret = delete_moks (files, total, hash_file, 0);
- break;
- case DELETE | ROOT_PW:
- ret = delete_moks (files, total, NULL, 1);
+ if (use_root_pw)
+ ret = delete_moks (files, total, NULL, 1);
+ else
+ ret = delete_moks (files, total, hash_file, 0);
break;
case REVOKE_IMPORT:
ret = revoke_request (1);
@@ -1391,11 +1390,10 @@ main (int argc, char *argv[])
ret = export_moks ();
break;
case PASSWORD:
- case PASSWORD | HASH_FILE:
- ret = set_password (hash_file, 0);
- break;
- case PASSWORD | ROOT_PW:
- ret = set_password (NULL, 1);
+ if (use_root_pw)
+ ret = set_password (NULL, 1);
+ else
+ ret = set_password (hash_file, 0);
break;
case DISABLE_VALIDATION:
ret = disable_validation ();
@@ -1410,11 +1408,10 @@ main (int argc, char *argv[])
ret = test_key (key_file);
break;
case RESET:
- case RESET | HASH_FILE:
- ret = reset_moks (hash_file, 0);
- break;
- case RESET | ROOT_PW:
- ret = reset_moks (NULL, 1);
+ if (use_root_pw)
+ ret = reset_moks (NULL, 1);
+ else
+ ret = reset_moks (hash_file, 0);
break;
case GENERATE_PW_HASH:
ret = generate_pw_hash (input_pw);
--
1.8.1.4
From 3c3725784cd31d867443675cb5aa6698b952ac2b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 2 Apr 2013 11:29:01 +0800
Subject: [PATCH 3/3] Show help if there is no key to be imported/deleted
---
src/mokutil.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6c3a135..58566f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1317,6 +1317,11 @@ main (int argc, char *argv[])
total++;
}
+ if (total == 0) {
+ command |= HELP;
+ break;
+ }
+
files = malloc (total * sizeof (char *));
for (i = 0; i < total; i++) {
f_ind = i + optind - 1;
--
1.8.1.4

29
mokutil-lcrypt-ldflag.patch
View File

@ -1,29 +0,0 @@
From aa48dc644fbf775970d01a368c532d0668015f18 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 30 Jan 2013 16:30:23 +0800
Subject: [PATCH] Include lcrypt in LDFLAGS
---
src/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index afe1752..de7ddca 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,10 +1,10 @@
bin_PROGRAMS = mokutil
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
- -lcrypt \
$(WARNINGFLAGS_C)
-mokutil_LDADD = $(OPENSSL_LIBS)
+mokutil_LDADD = $(OPENSSL_LIBS) \
+ -lcrypt
mokutil_SOURCES = efi.h \
efilib.c \
--
1.7.10.4

283
mokutil-no-duplicate-keys-imported.patch
View File

@ -1,283 +0,0 @@
From 0e1ac853fb889b3d8d00e3a4751f388b0b8d8f26 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 5 Dec 2012 11:12:43 +0800
Subject: [PATCH 1/4] Correct MOK size and SignatureSize
The MOK size didn't include the SignatureOwner GUID.
The SignatureData header size was added twice accidentally.
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1c32828..1b8465f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -143,7 +143,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- list[count].mok_size = CertList->SignatureSize;
+ list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
list[count].mok = (void *)Cert->SignatureData;
count++;
@@ -497,8 +497,7 @@ import_moks (char **files, uint32_t total)
CertList->SignatureListSize = sizes[i] +
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = sizes[i] +
- sizeof(EFI_SIGNATURE_DATA) + 16;
+ CertList->SignatureSize = sizes[i] + sizeof(efi_guid_t);
CertData->SignatureOwner = SHIM_LOCK_GUID;
fd = open (files[i], O_RDONLY);
--
1.7.10.4
From 69955da3819da3abaf198e5dae038c44814df5c0 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 5 Dec 2012 11:24:58 +0800
Subject: [PATCH 2/4] Don't import duplicate keys
This commit compares keys in PK, KEK, db, MokListRT, and MokNew
before issuing a new request to avoid enrolling keys twice.
---
src/mokutil.c | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 124 insertions(+), 4 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1b8465f..cf38422 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -333,8 +333,8 @@ get_password (char **password, int *len, int min, int max)
}
static int
-generate_auth (void *new_list, int list_len, char *password, int pw_len,
- uint8_t *auth)
+generate_auth (void *new_list, unsigned long list_len, char *password,
+ int pw_len, uint8_t *auth)
{
efi_char16_t efichar_pass[PASSWORD_MAX+1];
unsigned long efichar_len;
@@ -444,12 +444,97 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
+is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
+ efi_guid_t guid)
+{
+ efi_variable_t var;
+ uint32_t mok_num;
+ MokListNode *list;
+ int i, ret = 0;
+
+ if (!cert || cert_size == 0 || !db_name)
+ return 0;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = db_name;
+ var.VendorGuid = guid;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
+ if (list == NULL) {
+ goto done;
+ }
+
+ for (i = 0; i < mok_num; i++) {
+ if (list[i].mok_size != cert_size)
+ continue;
+
+ if (memcmp (list[i].mok, cert, cert_size) == 0) {
+ ret = 1;
+ break;
+ }
+ }
+
+done:
+ free (var.Data);
+
+ return ret;
+}
+
+static int
+verify_mok_new (void *mok_new, unsigned long mok_new_size)
+{
+ efi_variable_t mok_auth;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password;
+ int pw_len, fail = 0;
+ size_t n;
+ int ret = 0;
+
+ memset (&mok_auth, 0, sizeof(mok_auth));
+ mok_auth.VariableName = "MokAuth";
+ mok_auth.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&mok_auth) == EFI_SUCCESS)
+ return 0;
+
+ while (fail < 3) {
+ printf ("input old password: ");
+ pw_len = read_hidden_line (&password, &n);
+ printf ("\n");
+
+ if (pw_len > PASSWORD_MAX || pw_len < PASSWORD_MIN) {
+ free (password);
+ fprintf (stderr, "invalid password\n");
+ fail++;
+ continue;
+ }
+
+ generate_auth (mok_new, mok_new_size, password, pw_len, auth);
+ if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
+ ret = 1;
+ break;
+ }
+
+ fail++;
+ }
+
+ if (mok_auth.Data)
+ free (mok_auth.Data);
+
+ return ret;
+}
+
+static int
import_moks (char **files, uint32_t total)
{
+ efi_variable_t mok_new;
void *new_list = NULL;
void *ptr;
struct stat buf;
unsigned long list_size = 0;
+ unsigned long real_size = 0;
uint32_t *sizes = NULL;
int fd = -1;
ssize_t read_size;
@@ -481,6 +566,12 @@ import_moks (char **files, uint32_t total)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
+ memset (&mok_new, 0, sizeof(mok_new));
+ mok_new.VariableName = "MokNew";
+ mok_new.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&mok_new) == EFI_SUCCESS)
+ list_size += mok_new.DataSize;
+
new_list = malloc (list_size);
if (!new_list) {
fprintf (stderr, "Failed to allocate space for MokNew\n");
@@ -518,17 +609,46 @@ import_moks (char **files, uint32_t total)
fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n",
files[i]);
}
- ptr += sizes[i];
+
+ /* whether this key is already enrolled... */
+ if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
+ !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
+ ptr += sizes[i];
+ real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ } else {
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ }
close (fd);
}
- if (update_request (new_list, list_size) < 0) {
+ /* All keys are enrolled, nothing to do here... */
+ if (real_size == 0) {
+ ret = 0;
+ goto error;
+ }
+
+ /* append the keys in MokNew */
+ if (mok_new.Data) {
+ /* request the previous password to verify the keys */
+ if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
+ goto error;
+ }
+
+ memcpy (ptr, mok_new.Data, mok_new.DataSize);
+ }
+
+ if (update_request (new_list, real_size) < 0) {
goto error;
}
ret = 0;
error:
+ if (mok_new.Data)
+ free (mok_new.Data);
if (sizes)
free (sizes);
if (new_list)
--
1.7.10.4
From 10046350e223b6912bd9c3a7031f06779cb326bb Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Dec 2012 15:57:50 +0800
Subject: [PATCH 3/4] Check MokAuth correctly
---
src/mokutil.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index cf38422..9d56a90 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -496,8 +496,10 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
memset (&mok_auth, 0, sizeof(mok_auth));
mok_auth.VariableName = "MokAuth";
mok_auth.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_auth) == EFI_SUCCESS)
+ if (read_variable (&mok_auth) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read MokAuth\n");
return 0;
+ }
while (fail < 3) {
printf ("input old password: ");
--
1.7.10.4
From 9674b3249fef0d2ba00364f9f120f1ef17b710fc Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Dec 2012 15:58:30 +0800
Subject: [PATCH 4/4] Really append the old request to the new one...
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9d56a90..aba1cfb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -640,7 +640,8 @@ import_moks (char **files, uint32_t total)
goto error;
}
- memcpy (ptr, mok_new.Data, mok_new.DataSize);
+ memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
+ real_size += mok_new.DataSize;
}
if (update_request (new_list, real_size) < 0) {
--
1.7.10.4

111
mokutil-probe-secure-boot-state.patch
View File

@ -1,111 +0,0 @@
commit b2602eee326c15df8d23baa44f9e9e3e8b6bad93
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon Dec 3 17:45:41 2012 +0800
Probe the state of SecureBoot
diff --git a/src/mokutil.c b/src/mokutil.c
index 3707220..1c32828 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -40,6 +40,7 @@ enum Command {
COMMAND_PASSWORD,
COMMAND_DISABLE_VALIDATION,
COMMAND_ENABLE_VALIDATION,
+ COMMAND_SB_STATE,
};
static void
@@ -48,22 +49,33 @@ print_help ()
printf("Usage:\n");
printf("List the enrolled keys:\n");
printf(" mokutil --list-enrolled\n\n");
+
printf("List the keys to be enrolled:\n");
printf(" mokutil --list-new\n\n");
+
printf("Import keys:\n");
printf(" mokutil --import <der file>...\n\n");
+
printf("Request to delete all keys\n");
printf(" mokutil --delete-all\n\n");
+
printf("Revoke the request:\n");
printf(" mokutil --revoke\n\n");
+
printf("Export enrolled keys to files:\n");
printf(" mokutil --export\n\n");
+
printf("Set MOK password:\n");
printf(" mokutil --password\n\n");
+
printf("Disable signature validation:\n");
printf(" mokutil --disable-validation\n\n");
+
printf("Enable signature validation:\n");
printf(" mokutil --enable-validation\n\n");
+
+ printf("SecureBoot State:\n");
+ printf(" mokutil --sb-state\n\n");
}
static int
@@ -709,7 +721,36 @@ enable_validation()
{
return set_validation(1);
}
-
+
+static int
+sb_state ()
+{
+ efi_variable_t var;
+ char *state;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = "SecureBoot";
+ var.VendorGuid = EFI_GLOBAL_VARIABLE;
+
+ if (read_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read SecureBoot\n");
+ return -1;
+ }
+
+ state = (char *)var.Data;
+ if (*state == 1) {
+ printf ("SecureBoot enabled\n");
+ } else if (*state == 0) {
+ printf ("SecureBoot disabled\n");
+ } else {
+ printf ("SecureBoot unknown");
+ }
+
+ free (var.Data);
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -786,6 +827,10 @@ main (int argc, char *argv[])
command = COMMAND_ENABLE_VALIDATION;
+ } else if (strcmp (argv[1], "--sb-state") == 0) {
+
+ command = COMMAND_SB_STATE;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -820,6 +865,9 @@ main (int argc, char *argv[])
case COMMAND_ENABLE_VALIDATION:
enable_validation ();
break;
+ case COMMAND_SB_STATE:
+ sb_state ();
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;

1911
mokutil-support-crypt-hash-methods.patch
View File

File diff suppressed because it is too large Load Diff

835
mokutil-support-delete-keys.patch
View File

@ -1,835 +0,0 @@
From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Dec 2012 17:09:34 +0800
Subject: [PATCH 1/7] Move fail check to get_password()
---
src/mokutil.c | 83 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 46 insertions(+), 37 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index aba1cfb..eea2b6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -297,39 +297,60 @@ static int
get_password (char **password, int *len, int min, int max)
{
char *password_1, *password_2;
- int len_1, len_2;
+ int len_1, len_2, fail, ret = -1;
size_t n;
password_1 = password_2 = NULL;
- printf ("input password (%d~%d characters): ", min, max);
- len_1 = read_hidden_line (&password_1, &n);
- printf ("\n");
+ fail = 0;
- if (len_1 > max || len_1 < min) {
- free (password_1);
- fprintf (stderr, "password should be %d~%d characters\n",
- min, max);
- return -1;
+ while (fail < 3) {
+ printf ("input password (%d~%d characters): ", min, max);
+ len_1 = read_hidden_line (&password_1, &n);
+ printf ("\n");
+
+ if (len_1 > max || len_1 < min) {
+ fail++;
+ fprintf (stderr, "password should be %d~%d characters\n",
+ min, max);
+ } else {
+ break;
+ }
}
- printf ("input password again: ");
- len_2 = read_hidden_line (&password_2, &n);
- printf ("\n");
+ if (fail >= 3) {
+ if (password_1)
+ free (password_1);
+ goto error;
+ }
- if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
- free (password_1);
- free (password_2);
- fprintf (stderr, "password doesn't match\n");
- return -1;
+ fail = 0;
+
+ while (fail < 3) {
+ printf ("input password again: ");
+ len_2 = read_hidden_line (&password_2, &n);
+ printf ("\n");
+
+ if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
+ fail++;
+ fprintf (stderr, "password doesn't match\n");
+ } else {
+ break;
+ }
}
+ if (fail >= 3)
+ goto error;
+
*password = password_1;
*len = len_1;
- free (password_2);
+ ret = 0;
+error:
+ if (password_2)
+ free (password_2);
- return 0;
+ return ret;
}
static int
@@ -364,14 +385,10 @@ update_request (void *new_list, int list_len)
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -745,14 +762,10 @@ set_password ()
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -789,15 +802,11 @@ set_validation (uint32_t state)
efi_variable_t var;
MokSBVar sbvar;
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
efi_char16_t efichar_pass[PASSWORD_MAX];
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
--
1.7.10.4
From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:22:41 +0800
Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not
---
src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index eea2b6c..68a25bc 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -41,6 +41,7 @@ enum Command {
COMMAND_DISABLE_VALIDATION,
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
+ COMMAND_TEST_KEY,
};
static void
@@ -76,6 +77,9 @@ print_help ()
printf("SecureBoot State:\n");
printf(" mokutil --sb-state\n\n");
+
+ printf("Test if the key is enrolled or not:\n");
+ printf(" mokutil --test-key\n\n");
}
static int
@@ -882,10 +886,57 @@ sb_state ()
return 0;
}
+static int
+test_key (const char *key_file)
+{
+ struct stat buf;
+ void *key = NULL;
+ ssize_t read_size;
+ int fd, ret = -1;
+
+ if (stat (key_file, &buf) != 0) {
+ fprintf (stderr, "Failed to get file status, %s\n", key_file);
+ return -1;
+ }
+
+ key = malloc (buf.st_size);
+
+ fd = open (key_file, O_RDONLY);
+ if (fd < 0) {
+ fprintf (stderr, "Failed to open %s\n", key_file);
+ goto error;
+ }
+
+ read_size = read (fd, key, buf.st_size);
+ if (read_size < 0 || read_size != buf.st_size) {
+ fprintf (stderr, "Failed to read %s\n", key_file);
+ goto error;
+ }
+
+ if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
+ !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
+ printf ("%s is not enrolled\n", key_file);
+ ret = 0;
+ } else {
+ printf ("%s is already enrolled\n", key_file);
+ ret = 1;
+ }
+
+error:
+ if (key)
+ free (key);
+
+ return ret;
+}
+
int
main (int argc, char *argv[])
{
char **files = NULL;
+ char *key_file = NULL;
int i, total;
int command;
@@ -962,6 +1013,17 @@ main (int argc, char *argv[])
command = COMMAND_SB_STATE;
+ } else if (strcmp (argv[1], "--test-key") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+
+ key_file = argv[2];
+
+ command = COMMAND_TEST_KEY;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -999,6 +1061,9 @@ main (int argc, char *argv[])
case COMMAND_SB_STATE:
sb_state ();
break;
+ case COMMAND_TEST_KEY:
+ test_key (key_file);
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:33:59 +0800
Subject: [PATCH 3/7] Handle the return values
---
src/mokutil.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 68a25bc..13ef69d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -939,6 +939,7 @@ main (int argc, char *argv[])
char *key_file = NULL;
int i, total;
int command;
+ int ret = -1;
if (argc < 2) {
print_help ();
@@ -1032,37 +1033,37 @@ main (int argc, char *argv[])
switch (command) {
case COMMAND_LIST_ENROLLED:
- list_enrolled_keys ();
+ ret = list_enrolled_keys ();
break;
case COMMAND_LIST_NEW:
- list_new_keys ();
+ ret = list_new_keys ();
break;
case COMMAND_IMPORT:
- import_moks (files, total);
+ ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- delete_all ();
+ ret = delete_all ();
break;
case COMMAND_REVOKE:
- revoke_request ();
+ ret = revoke_request ();
break;
case COMMAND_EXPORT:
- export_moks ();
+ ret = export_moks ();
break;
case COMMAND_PASSWORD:
- set_password ();
+ ret = set_password ();
break;
case COMMAND_DISABLE_VALIDATION:
- disable_validation ();
+ ret = disable_validation ();
break;
case COMMAND_ENABLE_VALIDATION:
- enable_validation ();
+ ret = enable_validation ();
break;
case COMMAND_SB_STATE:
- sb_state ();
+ ret = sb_state ();
break;
case COMMAND_TEST_KEY:
- test_key (key_file);
+ ret = test_key (key_file);
break;
default:
fprintf (stderr, "Unknown command\n");
@@ -1072,5 +1073,5 @@ main (int argc, char *argv[])
if (files)
free (files);
- return 0;
+ return ret;
}
--
1.7.10.4
From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 16:35:37 +0800
Subject: [PATCH 4/7] Correct the GUID of "db"
---
src/efi.h | 2 ++
src/mokutil.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/efi.h b/src/efi.h
index 7185179..d2640b4 100644
--- a/src/efi.h
+++ b/src/efi.h
@@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
#define ESP_UNKNOWN_GUID \
EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
static inline int
efi_guidcmp(efi_guid_t left, efi_guid_t right)
diff --git a/src/mokutil.c b/src/mokutil.c
index 13ef69d..6af5a9c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total)
/* whether this key is already enrolled... */
if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
!is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
!is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
!is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
ptr += sizes[i];
--
1.7.10.4
From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 18:12:48 +0800
Subject: [PATCH 5/7] Initialize password array
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6af5a9c..3d00df0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
{
efi_variable_t mok_auth;
uint8_t auth[SHA256_DIGEST_LENGTH];
- char *password;
+ char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
--
1.7.10.4
From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 25 Dec 2012 15:53:56 +0800
Subject: [PATCH 6/7] Add support for deleting specific keys
---
src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 128 insertions(+), 51 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3d00df0..e6807da 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -42,6 +42,7 @@ enum Command {
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
COMMAND_TEST_KEY,
+ COMMAND_RESET,
};
static void
@@ -57,8 +58,8 @@ print_help ()
printf("Import keys:\n");
printf(" mokutil --import <der file>...\n\n");
- printf("Request to delete all keys\n");
- printf(" mokutil --delete-all\n\n");
+ printf("Request to delete specific keys\n");
+ printf(" mokutil --delete <der file>...\n\n");
printf("Revoke the request:\n");
printf(" mokutil --revoke\n\n");
@@ -80,6 +81,9 @@ print_help ()
printf("Test if the key is enrolled or not:\n");
printf(" mokutil --test-key\n\n");
+
+ printf("Reset MOK list:\n");
+ printf(" mokutil --reset\n\n");
}
static int
@@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password,
}
static int
-update_request (void *new_list, int list_len)
+update_request (void *new_list, int list_len, uint8_t import)
{
efi_variable_t var;
+ const char *req_name, *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len;
int ret = -1;
+ if (import) {
+ req_name = "MokNew";
+ auth_name = "MokAuth";
+ } else {
+ req_name = "MokDel";
+ auth_name = "MokDelAuth";
+ }
+
if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
@@ -403,7 +416,7 @@ update_request (void *new_list, int list_len)
/* Write MokNew*/
var.Data = new_list;
var.DataSize = list_len;
- var.VariableName = "MokNew";
+ var.VariableName = req_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -411,17 +424,18 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to enroll new keys\n");
+ fprintf (stderr, "Failed to %s keys\n",
+ import ? "enroll new" : "delete");
goto error;
}
} else {
- test_and_delete_var ("MokNew");
+ test_and_delete_var (req_name);
}
/* Write MokAuth */
var.Data = auth;
var.DataSize = SHA256_DIGEST_LENGTH;
- var.VariableName = "MokAuth";
+ var.VariableName = auth_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -429,8 +443,8 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to write MokAuth\n");
- test_and_delete_var ("MokNew");
+ fprintf (stderr, "Failed to write %s\n", auth_name);
+ test_and_delete_var (req_name);
goto error;
}
@@ -505,20 +519,47 @@ done:
}
static int
-verify_mok_new (void *mok_new, unsigned long mok_new_size)
+is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
{
- efi_variable_t mok_auth;
+ if (import) {
+ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
+ is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ } else {
+ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static int
+verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import)
+{
+ efi_variable_t req_auth;
+ const char *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
- memset (&mok_auth, 0, sizeof(mok_auth));
- mok_auth.VariableName = "MokAuth";
- mok_auth.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_auth) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to read MokAuth\n");
+ if (import)
+ auth_name = "MokAuth";
+ else
+ auth_name = "MokDelAuth";
+
+ memset (&req_auth, 0, sizeof(req_auth));
+ req_auth.VariableName = auth_name;
+ req_auth.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&req_auth) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read %s\n", auth_name);
return 0;
}
@@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
continue;
}
- generate_auth (mok_new, mok_new_size, password, pw_len, auth);
- if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
+ generate_auth (old_req, old_req_size, password, pw_len, auth);
+ if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
ret = 1;
break;
}
@@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
fail++;
}
- if (mok_auth.Data)
- free (mok_auth.Data);
+ if (req_auth.Data)
+ free (req_auth.Data);
return ret;
}
static int
-import_moks (char **files, uint32_t total)
+issue_mok_request (char **files, uint32_t total, uint8_t import)
{
- efi_variable_t mok_new;
+ efi_variable_t old_req;
+ const char *req_name;
void *new_list = NULL;
void *ptr;
struct stat buf;
@@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total)
if (!files)
return -1;
+ if (import)
+ req_name = "MokNew";
+ else
+ req_name = "MokDel";
+
sizes = malloc (total * sizeof(uint32_t));
if (!sizes) {
@@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&mok_new, 0, sizeof(mok_new));
- mok_new.VariableName = "MokNew";
- mok_new.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_new) == EFI_SUCCESS)
- list_size += mok_new.DataSize;
+ memset (&old_req, 0, sizeof(old_req));
+ old_req.VariableName = req_name;
+ old_req.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&old_req) == EFI_SUCCESS)
+ list_size += old_req.DataSize;
new_list = malloc (list_size);
if (!new_list) {
- fprintf (stderr, "Failed to allocate space for MokNew\n");
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
goto error;
}
ptr = new_list;
@@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total)
files[i]);
}
- /* whether this key is already enrolled... */
- if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
+ if (is_valid_request (ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
+ printf ("Skip %s\n", files[i]);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
}
@@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total)
goto error;
}
- /* append the keys in MokNew */
- if (mok_new.Data) {
+ /* append the keys to the previous request */
+ if (old_req.Data) {
/* request the previous password to verify the keys */
- if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
+ if (!verify_old_req (old_req.Data, old_req.DataSize, import)) {
goto error;
}
- memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
- real_size += mok_new.DataSize;
+ memcpy (new_list + real_size, old_req.Data, old_req.DataSize);
+ real_size += old_req.DataSize;
}
- if (update_request (new_list, real_size) < 0) {
+ if (update_request (new_list, real_size, import) < 0) {
goto error;
}
ret = 0;
error:
- if (mok_new.Data)
- free (mok_new.Data);
+ if (old_req.Data)
+ free (old_req.Data);
if (sizes)
free (sizes);
if (new_list)
@@ -682,14 +725,15 @@ error:
}
static int
-delete_all ()
+import_moks (char **files, uint32_t total)
{
- if (update_request (NULL, 0)) {
- fprintf (stderr, "Failed to issue an delete request\n");
- return -1;
- }
+ return issue_mok_request (files, total, 1);
+}
- return 0;
+static int
+delete_moks (char **files, uint32_t total)
+{
+ return issue_mok_request (files, total, 0);
}
static int
@@ -932,6 +976,17 @@ error:
return ret;
}
+static int
+reset_moks ()
+{
+ if (update_request (NULL, 0, 1)) {
+ fprintf (stderr, "Failed to issue a reset request\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -982,8 +1037,23 @@ main (int argc, char *argv[])
command = COMMAND_IMPORT;
- } else if (strcmp (argv[1], "-D") == 0 ||
- strcmp (argv[1], "--delete-all") == 0) {
+ } else if (strcmp (argv[1], "-d") == 0 ||
+ strcmp (argv[1], "--delete") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+ total = argc - 2;
+
+ files = malloc (total * sizeof(char *));
+ if (!files) {
+ fprintf (stderr, "Failed to allocate file list\n");
+ return -1;
+ }
+
+ for (i = 0; i < total; i++)
+ files[i] = argv[i+2];
command = COMMAND_DELETE;
@@ -1025,6 +1095,10 @@ main (int argc, char *argv[])
command = COMMAND_TEST_KEY;
+ } else if (strcmp (argv[1], "--reset") == 0) {
+
+ command = COMMAND_RESET;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -1042,7 +1116,7 @@ main (int argc, char *argv[])
ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- ret = delete_all ();
+ ret = delete_moks (files, total);
break;
case COMMAND_REVOKE:
ret = revoke_request ();
@@ -1065,6 +1139,9 @@ main (int argc, char *argv[])
case COMMAND_TEST_KEY:
ret = test_key (key_file);
break;
+ case COMMAND_RESET:
+ ret = reset_moks ();
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 2 Jan 2013 17:09:35 +0800
Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash
In issue_mok_request(), old_req.Data must be intialized before
"goto error", or the process would segfault when freeing old_req.Data.
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e6807da..a99e355 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
sizes = malloc (total * sizeof(uint32_t));
+ memset (&old_req, 0, sizeof(old_req));
+
if (!sizes) {
fprintf (stderr, "Failed to allocate space for sizes\n");
goto error;
@@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&old_req, 0, sizeof(old_req));
old_req.VariableName = req_name;
old_req.VendorGuid = SHIM_LOCK_GUID;
if (read_variable (&old_req) == EFI_SUCCESS)
--
1.7.10.4

1342
mokutil-support-new-pw-hash.patch
View File

File diff suppressed because it is too large Load Diff

124
mokutil-update-man-page.patch
View File

@ -1,124 +0,0 @@
From 53a40965390cfa3b99d636874c6b9d968380f312 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 30 Jan 2013 14:16:16 +0800
Subject: [PATCH] Update man page
---
man/mokutil.1 | 59 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 43 insertions(+), 16 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 7a70d3e..fabd7a9 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -1,27 +1,41 @@
-.TH MOKUTIL 1 "Wed Nov 07 2012"
+.TH MOKUTIL 1 "Wed Jan 30 2013"
.SH NAME
mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
-\fBmokutil\fR [--list-enrolled | -le]
+\fBmokutil\fR [--list-enrolled]
.br
-\fBmokutil\fR [--list-new | -ln]
+\fBmokutil\fR [--list-new]
.br
-\fBmokutil\fR [--import | -i] ...
+\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
-\fBmokutil\fR [--delete-all | -D]
+\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
-\fBmokutil\fR [--revoke | -r]
+\fBmokutil\fR [--revoke-import]
+.br
+\fBmokutil\fR [--revoke-delete]
.br
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--disable-validation]
.br
\fBmokutil\fR [--enable-validation]
.br
+\fBmokutil\fR [--sb-state]
+.br
+\fBmokutil\fR [--test-key | -t] ...
+.br
+\fBmokutil\fR [--reset]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
+.br
+\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -31,36 +45,49 @@ mokutil \- utility to manipulate machine owner keys
.TP
\fB--list-enrolled\fR
List the keys the already stored in the database
-
.TP
\fB--list-new\fR
List the keys to be enrolled
-
.TP
\fB--import\fR
Collect the followed files and form a request to shim. The files must be in DER
format.
-
.TP
\fB--delete-all\fR
Request shim to delete all stored keys
-
.TP
-\fB--revoke\fR
-Revoke the current request
-
+\fB--revoke-import\fR
+Revoke the current import request (MokNew)
+.TP
+\fB--revoke-delete\fR
+Revoke the current delete request (MokDel)
.TP
\fB--export\fR
Export the keys stored in MokListRT
-
.TP
\fB--password\fR
Setup the password for MokManager
-
.TP
\fB--disable-validation\fR
Disable the validation process in shim
-
.TP
\fB--enrolled-validation\fR
Enable the validation process in shim
+.TP
+\fB--sb-state\fR
+Show SecureBoot State
+.TP
+\fB--test-key\fR
+Test if the key is enrolled or not
+.TP
+\fB--reset\fR
+Reset MOK list
+.TP
+\fB--generate-hash\fR
+Generate the password hash
+.TP
+\fB--hash-file\fR
+Use the password hash from a specific file
+.TP
+\fB--root-pw\fR
+Use the root password hash from /etc/shadow
--
1.7.10.4

20
mokutil.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com
- Update to 0.2.0
+ Generate the password hash with crypt() by default instead of
the original sha256 password hash
+ Add an option to import the root password hash
+ Amend error messages, help, and man page
- Drop upstreamed patches
+ mokutil-lcrypt-ldflag.patch
+ mokutil-probe-secure-boot-state.patch
+ mokutil-allow-password-from-pipe.patch
+ mokutil-bnc809703-check-pending-request.patch
+ mokutil-support-delete-keys.patch
+ mokutil-support-crypt-hash-methods.patch
+ mokutil-update-man-page.patch
+ mokutil-bnc809215-improve-wording.patch
+ mokutil-support-new-pw-hash.patch
+ mokutil-no-duplicate-keys-imported.patch
-------------------------------------------------------------------
Tue Apr 2 04:43:59 UTC 2013 - glin@suse.com

33
mokutil.spec
View File

@ -17,33 +17,13 @@
Name: mokutil
Version: 0.1.0
Version: 0.2.0
Release: 0
Summary: Tools for manipulating machine owner keys
License: GPL-3.0
Group: Productivity/Security
Url: https://github.com/lcp/mokutil
Source: %{name}-%{version}.tar.bz2
# PATCH-FIX-UPSTREAM mokutil-probe-secure-boot-state.patch glin@suse.com -- Probe the state of secure boot
Patch1: mokutil-probe-secure-boot-state.patch
# PATCH-FIX-UPSTREAM mokutil-no-duplicate-keys-imported.patch glin@suse.com -- Do not import duplicate keys
Patch2: mokutil-no-duplicate-keys-imported.patch
# PATCH-FIX-UPSTREAM mokutil-accept-password-from-pipe.patch glin@suse.com -- Allow the password to be sent through pipeline
Patch3: mokutil-allow-password-from-pipe.patch
# PATCH-FIX-UPSTREAM mokutil-support-delete-keys.patch glin@suse.com -- Add support for deleting specific keys
Patch4: mokutil-support-delete-keys.patch
# PATCH-FIX-UPSTREAM mokutil-support-new-pw-hash.patch glin@suse.com -- Support the new password hash format
Patch5: mokutil-support-new-pw-hash.patch
# PATCH-FIX-UPSTREAM mokutil-support-crypt-hash-methods.patch glin@suse.com -- Support the hash methods used for /etc/shadow
Patch6: mokutil-support-crypt-hash-methods.patch
# PATCH-FIX-UPSTREAM mokutil-update-man-page.patch glin@suse.com -- Update man page
Patch7: mokutil-update-man-page.patch
# PATCH-FIX-UPSTREAM mokutil-lcrypt-ldflag.patch glin@suse.com -- Add -lcrpyt correctly
Patch8: mokutil-lcrypt-ldflag.patch
# PATCH-FIX-UPSTREAM mokutil-bnc809215-improve-wording.patch bnc#809215 glin@suse.com -- Improve the wording of error messages
Patch9: mokutil-bnc809215-improve-wording.patch
# PATCH-FIX-UPSTREAM mokutil-bnc809703-check-pending-request.patch bnc#809703 glin@suse.com -- Remove the key from the pending requests if necessary
Patch10: mokutil-bnc809703-check-pending-request.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libopenssl-devel >= 0.9.8
@ -63,19 +43,8 @@ Authors:
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build
autoreconf -i -f
%configure
make