Accepting request 184304 from home:gary_lin:branches:Base:System

- Update to 0.2.0
  + Generate the password hash with crypt() by default instead of
    the original sha256 password hash
  + Add an option to import the root password hash
  + Amend error messages, help, and man page

OBS-URL: https://build.opensuse.org/request/show/184304
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=10
This commit is contained in:
Gary Ching-Pang Lin 2013-07-25 10:27:41 +00:00 committed by Git OBS Bridge
parent bc678d18f9
commit 44db4978c2
14 changed files with 24 additions and 5165 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:739a241e18cc5b89c46eecc473568fb295952598ff518e7af90f81900afb62d4
size 94722

3
mokutil-0.2.0.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:03cf595bd1b4d4a17dc1814b0529b25505d57429d583e7f9489ef0a2354b320e
size 102028

View File

@ -1,50 +0,0 @@
commit adce7208ddcb65daac83ea3429aa8586d9cc4ea5
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed Jan 2 17:30:07 2013 +0800
Only change terminal settings
tcgetattr() will fail if we send password through a pipeline instead
of a TTY.
diff --git a/src/mokutil.c b/src/mokutil.c
index a99e355..ea8481a 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -278,22 +278,27 @@ read_hidden_line (char **line, size_t *n)
{
struct termios old, new;
int nread;
+ int isTTY = isatty(fileno (stdin));
- /* Turn echoing off and fail if we can't. */
- if (tcgetattr (fileno (stdin), &old) != 0)
- return -1;
+ if (isTTY) {
+ /* Turn echoing off and fail if we can't. */
+ if (tcgetattr (fileno (stdin), &old) != 0)
+ return -1;
- new = old;
- new.c_lflag &= ~ECHO;
+ new = old;
+ new.c_lflag &= ~ECHO;
- if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
- return -1;
+ if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
+ return -1;
+ }
/* Read the password. */
nread = getline (line, n, stdin);
- /* Restore terminal. */
- (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ if (isTTY) {
+ /* Restore terminal. */
+ (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ }
/* Remove the newline */
(*line)[nread-1] = '\0';

View File

@ -1,105 +0,0 @@
commit 08e7fbbfec644406b5f6f3ce787444bc5e2c4b3d
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri Mar 29 12:12:00 2013 +0800
Make the error message more understandable
diff --git a/src/efilib.c b/src/efilib.c
index cb1aca6..1b72cd9 100644
--- a/src/efilib.c
+++ b/src/efilib.c
@@ -5,6 +5,7 @@
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
+#include <errno.h>
#include "efi.h"
#define SYSFS_DIR_EFI_VARS "/sys/firmware/efi/efivars"
@@ -95,7 +96,9 @@ read_variable (efi_variable_t *var)
snprintf (filename, PATH_MAX-1, "%s/%s", SYSFS_DIR_EFI_VARS, name);
fd = open (filename, O_RDONLY);
if (fd == -1) {
- return EFI_NOT_FOUND;
+ if (errno == ENOENT)
+ return EFI_NOT_FOUND;
+ return EFI_INVALID_PARAMETER;
}
if (fstat (fd, &buf) != 0) {
diff --git a/src/mokutil.c b/src/mokutil.c
index 27ebf09..3f89db2 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -236,14 +236,20 @@ static int
list_enrolled_keys ()
{
efi_variable_t var;
+ efi_status_t status;
int ret;
memset (&var, 0, sizeof(var));
var.VariableName = "MokListRT";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("MokListRT is empty\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokListRT\n");
return -1;
}
@@ -258,14 +264,20 @@ static int
list_new_keys ()
{
efi_variable_t var;
+ efi_status_t status;
int ret;
memset (&var, 0, sizeof(var));
var.VariableName = "MokNew";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("No MOK new key request\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokNew\n");
return -1;
}
@@ -812,6 +824,7 @@ static int
export_moks ()
{
efi_variable_t var;
+ efi_status_t status;
char filename[PATH_MAX];
uint32_t mok_num;
MokListNode *list;
@@ -822,10 +835,15 @@ export_moks ()
memset (&var, 0, sizeof(var));
var.VariableName = "MokListRT";
-
var.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&var) != EFI_SUCCESS) {
+ status = read_variable (&var);
+ if (status != EFI_SUCCESS) {
+ if (status == EFI_NOT_FOUND) {
+ printf ("MokListRT is empty\n");
+ return 0;
+ }
+
fprintf (stderr, "Failed to read MokListRT\n");
return -1;
}

View File

@ -1,340 +0,0 @@
From 9a114bb26e81f3b2764d84b8a6f5b9bd2e1528de Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 29 Mar 2013 18:00:55 +0800
Subject: [PATCH 1/3] Delete key from the pending request
---
src/mokutil.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 108 insertions(+), 8 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3f89db2..01a1b79 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -49,8 +49,9 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define SETTINGS_LEN (DEFAULT_SALT_SIZE*2)
typedef struct {
- uint32_t mok_size;
- void *mok;
+ EFI_SIGNATURE_LIST *header;
+ uint32_t mok_size;
+ void *mok;
} MokListNode;
typedef struct {
@@ -154,8 +155,9 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
+ list[count].header = CertList;
list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
- list[count].mok = (void *)Cert->SignatureData;
+ list[count].mok = (void *)Cert->SignatureData;
count++;
dbsize -= CertList->SignatureListSize;
@@ -233,6 +235,74 @@ list_keys (efi_variable_t *var)
}
static int
+delete_key_from_list (void *mok, uint32_t mok_size,
+ const char *var_name, efi_guid_t guid)
+{
+ efi_variable_t var;
+ MokListNode *list;
+ uint32_t mok_num, total, remain;
+ void *ptr, *data = NULL;
+ int i, del_ind, ret = 0;
+
+ if (!var_name || !mok || mok_size == 0)
+ return 0;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = var_name;
+ var.VendorGuid = guid;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ total = var.DataSize;
+
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
+ if (list == NULL)
+ goto done;
+
+ for (i = 0; i < mok_num; i++) {
+ if (list[i].mok_size != mok_size)
+ continue;
+
+ if (memcmp (list[i].mok, mok, mok_size) == 0) {
+ /* Remove this key */
+ del_ind = i;
+ data = (void *)list[i].header;
+ ptr = data + list[i].header->SignatureListSize;
+ total -= list[i].header->SignatureListSize;
+ break;
+ }
+ }
+
+ /* the key is not in this list */
+ if (data == NULL)
+ return 0;
+
+ /* Move the rest of the keys */
+ remain = 0;
+ for (i = del_ind + 1; i < mok_num; i++)
+ remain += list[i].header->SignatureListSize;
+ if (remain > 0)
+ memmove (data, ptr, remain);
+
+ var.DataSize = total;
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to write %s\n", var_name);
+ goto done;
+ }
+
+ ret = 1;
+done:
+ free (var.Data);
+
+ return ret;
+}
+
+static int
list_enrolled_keys ()
{
efi_variable_t var;
@@ -658,6 +728,34 @@ is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
}
static int
+in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
+{
+ efi_variable_t authvar;
+ const char *var_name = import ? "MokDel" : "MokNew";
+
+ if (!mok || mok_size == 0)
+ return 0;
+
+ memset (&authvar, 0, sizeof(authvar));
+ authvar.VariableName = import ? "MokDelAuth" : "MokAuth";
+ authvar.VendorGuid = SHIM_LOCK_GUID;
+
+ if (read_variable (&authvar) != EFI_SUCCESS) {
+ return 0;
+ }
+
+ free (authvar.Data);
+ /* Check if the password hash is in the old format */
+ if (authvar.DataSize == SHA256_DIGEST_LENGTH)
+ return 0;
+
+ if (delete_key_from_list (mok, mok_size, var_name, SHIM_LOCK_GUID))
+ return 1;
+
+ return 0;
+}
+
+static int
issue_mok_request (char **files, uint32_t total, uint8_t import,
const char *hash_file, const int root_pw)
{
@@ -678,10 +776,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
if (!files)
return -1;
- if (import)
- req_name = "MokNew";
- else
- req_name = "MokDel";
+ req_name = import ? "MokNew" : "MokDel";
sizes = malloc (total * sizeof(uint32_t));
@@ -692,6 +787,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
goto error;
}
+ /* get the sizes of the key files */
for (i = 0; i < total; i++) {
if (stat (files[i], &buf) != 0) {
fprintf (stderr, "Failed to get file status, %s\n",
@@ -752,6 +848,10 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
if (is_valid_request (ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ } else if (in_pending_request (ptr, sizes[i], import)) {
+ printf ("Removed %s from %s\n", files[i], import ? "MokDel" : "MokNew");
+
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
printf ("Skip %s\n", files[i]);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
@@ -760,7 +860,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
close (fd);
}
- /* All keys are enrolled, nothing to do here... */
+ /* All keys are in the list, nothing to do here... */
if (real_size == 0) {
ret = 0;
goto error;
--
1.8.1.4
From d00c50c0eb73c27b1c49d8d947b99e24a4da4a66 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 29 Mar 2013 14:21:00 +0800
Subject: [PATCH 2/3] Remove the unnecessary command flags
---
src/mokutil.c | 47 ++++++++++++++++++++++-------------------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 01a1b79..6c3a135 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -40,9 +40,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define SB_STATE 0x800
#define TEST_KEY 0x1000
#define RESET 0x2000
-#define HASH_FILE 0x4000
-#define GENERATE_PW_HASH 0x8000
-#define ROOT_PW 0x10000
+#define GENERATE_PW_HASH 0x4000
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -1247,6 +1245,7 @@ main (int argc, char *argv[])
const char *option;
int c, i, f_ind, total = 0;
unsigned int command = 0;
+ int use_root_pw = 0;
int ret = -1;
while (1) {
@@ -1329,7 +1328,6 @@ main (int argc, char *argv[])
case 'f':
hash_file = strdup (optarg);
- command |= HASH_FILE;
break;
case 'g':
if (optarg)
@@ -1341,7 +1339,7 @@ main (int argc, char *argv[])
command |= PASSWORD;
break;
case 'P':
- command |= ROOT_PW;
+ use_root_pw = 1;
break;
case 't':
key_file = strdup (optarg);
@@ -1360,6 +1358,9 @@ main (int argc, char *argv[])
}
}
+ if (hash_file && use_root_pw)
+ command |= HELP;
+
switch (command) {
case LIST_ENROLLED:
ret = list_enrolled_keys ();
@@ -1368,18 +1369,16 @@ main (int argc, char *argv[])
ret = list_new_keys ();
break;
case IMPORT:
- case IMPORT | HASH_FILE:
- ret = import_moks (files, total, hash_file, 0);
- break;
- case IMPORT | ROOT_PW:
- ret = import_moks (files, total, NULL, 1);
+ if (use_root_pw)
+ ret = import_moks (files, total, NULL, 1);
+ else
+ ret = import_moks (files, total, hash_file, 0);
break;
case DELETE:
- case DELETE | HASH_FILE:
- ret = delete_moks (files, total, hash_file, 0);
- break;
- case DELETE | ROOT_PW:
- ret = delete_moks (files, total, NULL, 1);
+ if (use_root_pw)
+ ret = delete_moks (files, total, NULL, 1);
+ else
+ ret = delete_moks (files, total, hash_file, 0);
break;
case REVOKE_IMPORT:
ret = revoke_request (1);
@@ -1391,11 +1390,10 @@ main (int argc, char *argv[])
ret = export_moks ();
break;
case PASSWORD:
- case PASSWORD | HASH_FILE:
- ret = set_password (hash_file, 0);
- break;
- case PASSWORD | ROOT_PW:
- ret = set_password (NULL, 1);
+ if (use_root_pw)
+ ret = set_password (NULL, 1);
+ else
+ ret = set_password (hash_file, 0);
break;
case DISABLE_VALIDATION:
ret = disable_validation ();
@@ -1410,11 +1408,10 @@ main (int argc, char *argv[])
ret = test_key (key_file);
break;
case RESET:
- case RESET | HASH_FILE:
- ret = reset_moks (hash_file, 0);
- break;
- case RESET | ROOT_PW:
- ret = reset_moks (NULL, 1);
+ if (use_root_pw)
+ ret = reset_moks (NULL, 1);
+ else
+ ret = reset_moks (hash_file, 0);
break;
case GENERATE_PW_HASH:
ret = generate_pw_hash (input_pw);
--
1.8.1.4
From 3c3725784cd31d867443675cb5aa6698b952ac2b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 2 Apr 2013 11:29:01 +0800
Subject: [PATCH 3/3] Show help if there is no key to be imported/deleted
---
src/mokutil.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6c3a135..58566f9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1317,6 +1317,11 @@ main (int argc, char *argv[])
total++;
}
+ if (total == 0) {
+ command |= HELP;
+ break;
+ }
+
files = malloc (total * sizeof (char *));
for (i = 0; i < total; i++) {
f_ind = i + optind - 1;
--
1.8.1.4

View File

@ -1,29 +0,0 @@
From aa48dc644fbf775970d01a368c532d0668015f18 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 30 Jan 2013 16:30:23 +0800
Subject: [PATCH] Include lcrypt in LDFLAGS
---
src/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index afe1752..de7ddca 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,10 +1,10 @@
bin_PROGRAMS = mokutil
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
- -lcrypt \
$(WARNINGFLAGS_C)
-mokutil_LDADD = $(OPENSSL_LIBS)
+mokutil_LDADD = $(OPENSSL_LIBS) \
+ -lcrypt
mokutil_SOURCES = efi.h \
efilib.c \
--
1.7.10.4

View File

@ -1,283 +0,0 @@
From 0e1ac853fb889b3d8d00e3a4751f388b0b8d8f26 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 5 Dec 2012 11:12:43 +0800
Subject: [PATCH 1/4] Correct MOK size and SignatureSize
The MOK size didn't include the SignatureOwner GUID.
The SignatureData header size was added twice accidentally.
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1c32828..1b8465f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -143,7 +143,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
return NULL;
}
- list[count].mok_size = CertList->SignatureSize;
+ list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
list[count].mok = (void *)Cert->SignatureData;
count++;
@@ -497,8 +497,7 @@ import_moks (char **files, uint32_t total)
CertList->SignatureListSize = sizes[i] +
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = sizes[i] +
- sizeof(EFI_SIGNATURE_DATA) + 16;
+ CertList->SignatureSize = sizes[i] + sizeof(efi_guid_t);
CertData->SignatureOwner = SHIM_LOCK_GUID;
fd = open (files[i], O_RDONLY);
--
1.7.10.4
From 69955da3819da3abaf198e5dae038c44814df5c0 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 5 Dec 2012 11:24:58 +0800
Subject: [PATCH 2/4] Don't import duplicate keys
This commit compares keys in PK, KEK, db, MokListRT, and MokNew
before issuing a new request to avoid enrolling keys twice.
---
src/mokutil.c | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 124 insertions(+), 4 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1b8465f..cf38422 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -333,8 +333,8 @@ get_password (char **password, int *len, int min, int max)
}
static int
-generate_auth (void *new_list, int list_len, char *password, int pw_len,
- uint8_t *auth)
+generate_auth (void *new_list, unsigned long list_len, char *password,
+ int pw_len, uint8_t *auth)
{
efi_char16_t efichar_pass[PASSWORD_MAX+1];
unsigned long efichar_len;
@@ -444,12 +444,97 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
+is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
+ efi_guid_t guid)
+{
+ efi_variable_t var;
+ uint32_t mok_num;
+ MokListNode *list;
+ int i, ret = 0;
+
+ if (!cert || cert_size == 0 || !db_name)
+ return 0;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = db_name;
+ var.VendorGuid = guid;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
+ if (list == NULL) {
+ goto done;
+ }
+
+ for (i = 0; i < mok_num; i++) {
+ if (list[i].mok_size != cert_size)
+ continue;
+
+ if (memcmp (list[i].mok, cert, cert_size) == 0) {
+ ret = 1;
+ break;
+ }
+ }
+
+done:
+ free (var.Data);
+
+ return ret;
+}
+
+static int
+verify_mok_new (void *mok_new, unsigned long mok_new_size)
+{
+ efi_variable_t mok_auth;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password;
+ int pw_len, fail = 0;
+ size_t n;
+ int ret = 0;
+
+ memset (&mok_auth, 0, sizeof(mok_auth));
+ mok_auth.VariableName = "MokAuth";
+ mok_auth.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&mok_auth) == EFI_SUCCESS)
+ return 0;
+
+ while (fail < 3) {
+ printf ("input old password: ");
+ pw_len = read_hidden_line (&password, &n);
+ printf ("\n");
+
+ if (pw_len > PASSWORD_MAX || pw_len < PASSWORD_MIN) {
+ free (password);
+ fprintf (stderr, "invalid password\n");
+ fail++;
+ continue;
+ }
+
+ generate_auth (mok_new, mok_new_size, password, pw_len, auth);
+ if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
+ ret = 1;
+ break;
+ }
+
+ fail++;
+ }
+
+ if (mok_auth.Data)
+ free (mok_auth.Data);
+
+ return ret;
+}
+
+static int
import_moks (char **files, uint32_t total)
{
+ efi_variable_t mok_new;
void *new_list = NULL;
void *ptr;
struct stat buf;
unsigned long list_size = 0;
+ unsigned long real_size = 0;
uint32_t *sizes = NULL;
int fd = -1;
ssize_t read_size;
@@ -481,6 +566,12 @@ import_moks (char **files, uint32_t total)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
+ memset (&mok_new, 0, sizeof(mok_new));
+ mok_new.VariableName = "MokNew";
+ mok_new.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&mok_new) == EFI_SUCCESS)
+ list_size += mok_new.DataSize;
+
new_list = malloc (list_size);
if (!new_list) {
fprintf (stderr, "Failed to allocate space for MokNew\n");
@@ -518,17 +609,46 @@ import_moks (char **files, uint32_t total)
fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n",
files[i]);
}
- ptr += sizes[i];
+
+ /* whether this key is already enrolled... */
+ if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
+ !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
+ ptr += sizes[i];
+ real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ } else {
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
+ }
close (fd);
}
- if (update_request (new_list, list_size) < 0) {
+ /* All keys are enrolled, nothing to do here... */
+ if (real_size == 0) {
+ ret = 0;
+ goto error;
+ }
+
+ /* append the keys in MokNew */
+ if (mok_new.Data) {
+ /* request the previous password to verify the keys */
+ if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
+ goto error;
+ }
+
+ memcpy (ptr, mok_new.Data, mok_new.DataSize);
+ }
+
+ if (update_request (new_list, real_size) < 0) {
goto error;
}
ret = 0;
error:
+ if (mok_new.Data)
+ free (mok_new.Data);
if (sizes)
free (sizes);
if (new_list)
--
1.7.10.4
From 10046350e223b6912bd9c3a7031f06779cb326bb Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Dec 2012 15:57:50 +0800
Subject: [PATCH 3/4] Check MokAuth correctly
---
src/mokutil.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index cf38422..9d56a90 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -496,8 +496,10 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
memset (&mok_auth, 0, sizeof(mok_auth));
mok_auth.VariableName = "MokAuth";
mok_auth.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_auth) == EFI_SUCCESS)
+ if (read_variable (&mok_auth) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read MokAuth\n");
return 0;
+ }
while (fail < 3) {
printf ("input old password: ");
--
1.7.10.4
From 9674b3249fef0d2ba00364f9f120f1ef17b710fc Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Dec 2012 15:58:30 +0800
Subject: [PATCH 4/4] Really append the old request to the new one...
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9d56a90..aba1cfb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -640,7 +640,8 @@ import_moks (char **files, uint32_t total)
goto error;
}
- memcpy (ptr, mok_new.Data, mok_new.DataSize);
+ memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
+ real_size += mok_new.DataSize;
}
if (update_request (new_list, real_size) < 0) {
--
1.7.10.4

View File

@ -1,111 +0,0 @@
commit b2602eee326c15df8d23baa44f9e9e3e8b6bad93
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon Dec 3 17:45:41 2012 +0800
Probe the state of SecureBoot
diff --git a/src/mokutil.c b/src/mokutil.c
index 3707220..1c32828 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -40,6 +40,7 @@ enum Command {
COMMAND_PASSWORD,
COMMAND_DISABLE_VALIDATION,
COMMAND_ENABLE_VALIDATION,
+ COMMAND_SB_STATE,
};
static void
@@ -48,22 +49,33 @@ print_help ()
printf("Usage:\n");
printf("List the enrolled keys:\n");
printf(" mokutil --list-enrolled\n\n");
+
printf("List the keys to be enrolled:\n");
printf(" mokutil --list-new\n\n");
+
printf("Import keys:\n");
printf(" mokutil --import <der file>...\n\n");
+
printf("Request to delete all keys\n");
printf(" mokutil --delete-all\n\n");
+
printf("Revoke the request:\n");
printf(" mokutil --revoke\n\n");
+
printf("Export enrolled keys to files:\n");
printf(" mokutil --export\n\n");
+
printf("Set MOK password:\n");
printf(" mokutil --password\n\n");
+
printf("Disable signature validation:\n");
printf(" mokutil --disable-validation\n\n");
+
printf("Enable signature validation:\n");
printf(" mokutil --enable-validation\n\n");
+
+ printf("SecureBoot State:\n");
+ printf(" mokutil --sb-state\n\n");
}
static int
@@ -709,7 +721,36 @@ enable_validation()
{
return set_validation(1);
}
-
+
+static int
+sb_state ()
+{
+ efi_variable_t var;
+ char *state;
+
+ memset (&var, 0, sizeof(var));
+ var.VariableName = "SecureBoot";
+ var.VendorGuid = EFI_GLOBAL_VARIABLE;
+
+ if (read_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read SecureBoot\n");
+ return -1;
+ }
+
+ state = (char *)var.Data;
+ if (*state == 1) {
+ printf ("SecureBoot enabled\n");
+ } else if (*state == 0) {
+ printf ("SecureBoot disabled\n");
+ } else {
+ printf ("SecureBoot unknown");
+ }
+
+ free (var.Data);
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -786,6 +827,10 @@ main (int argc, char *argv[])
command = COMMAND_ENABLE_VALIDATION;
+ } else if (strcmp (argv[1], "--sb-state") == 0) {
+
+ command = COMMAND_SB_STATE;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -820,6 +865,9 @@ main (int argc, char *argv[])
case COMMAND_ENABLE_VALIDATION:
enable_validation ();
break;
+ case COMMAND_SB_STATE:
+ sb_state ();
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;

File diff suppressed because it is too large Load Diff

View File

@ -1,835 +0,0 @@
From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Dec 2012 17:09:34 +0800
Subject: [PATCH 1/7] Move fail check to get_password()
---
src/mokutil.c | 83 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 46 insertions(+), 37 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index aba1cfb..eea2b6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -297,39 +297,60 @@ static int
get_password (char **password, int *len, int min, int max)
{
char *password_1, *password_2;
- int len_1, len_2;
+ int len_1, len_2, fail, ret = -1;
size_t n;
password_1 = password_2 = NULL;
- printf ("input password (%d~%d characters): ", min, max);
- len_1 = read_hidden_line (&password_1, &n);
- printf ("\n");
+ fail = 0;
- if (len_1 > max || len_1 < min) {
- free (password_1);
- fprintf (stderr, "password should be %d~%d characters\n",
- min, max);
- return -1;
+ while (fail < 3) {
+ printf ("input password (%d~%d characters): ", min, max);
+ len_1 = read_hidden_line (&password_1, &n);
+ printf ("\n");
+
+ if (len_1 > max || len_1 < min) {
+ fail++;
+ fprintf (stderr, "password should be %d~%d characters\n",
+ min, max);
+ } else {
+ break;
+ }
}
- printf ("input password again: ");
- len_2 = read_hidden_line (&password_2, &n);
- printf ("\n");
+ if (fail >= 3) {
+ if (password_1)
+ free (password_1);
+ goto error;
+ }
- if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
- free (password_1);
- free (password_2);
- fprintf (stderr, "password doesn't match\n");
- return -1;
+ fail = 0;
+
+ while (fail < 3) {
+ printf ("input password again: ");
+ len_2 = read_hidden_line (&password_2, &n);
+ printf ("\n");
+
+ if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
+ fail++;
+ fprintf (stderr, "password doesn't match\n");
+ } else {
+ break;
+ }
}
+ if (fail >= 3)
+ goto error;
+
*password = password_1;
*len = len_1;
- free (password_2);
+ ret = 0;
+error:
+ if (password_2)
+ free (password_2);
- return 0;
+ return ret;
}
static int
@@ -364,14 +385,10 @@ update_request (void *new_list, int list_len)
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -745,14 +762,10 @@ set_password ()
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -789,15 +802,11 @@ set_validation (uint32_t state)
efi_variable_t var;
MokSBVar sbvar;
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
efi_char16_t efichar_pass[PASSWORD_MAX];
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
--
1.7.10.4
From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:22:41 +0800
Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not
---
src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index eea2b6c..68a25bc 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -41,6 +41,7 @@ enum Command {
COMMAND_DISABLE_VALIDATION,
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
+ COMMAND_TEST_KEY,
};
static void
@@ -76,6 +77,9 @@ print_help ()
printf("SecureBoot State:\n");
printf(" mokutil --sb-state\n\n");
+
+ printf("Test if the key is enrolled or not:\n");
+ printf(" mokutil --test-key\n\n");
}
static int
@@ -882,10 +886,57 @@ sb_state ()
return 0;
}
+static int
+test_key (const char *key_file)
+{
+ struct stat buf;
+ void *key = NULL;
+ ssize_t read_size;
+ int fd, ret = -1;
+
+ if (stat (key_file, &buf) != 0) {
+ fprintf (stderr, "Failed to get file status, %s\n", key_file);
+ return -1;
+ }
+
+ key = malloc (buf.st_size);
+
+ fd = open (key_file, O_RDONLY);
+ if (fd < 0) {
+ fprintf (stderr, "Failed to open %s\n", key_file);
+ goto error;
+ }
+
+ read_size = read (fd, key, buf.st_size);
+ if (read_size < 0 || read_size != buf.st_size) {
+ fprintf (stderr, "Failed to read %s\n", key_file);
+ goto error;
+ }
+
+ if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
+ !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
+ printf ("%s is not enrolled\n", key_file);
+ ret = 0;
+ } else {
+ printf ("%s is already enrolled\n", key_file);
+ ret = 1;
+ }
+
+error:
+ if (key)
+ free (key);
+
+ return ret;
+}
+
int
main (int argc, char *argv[])
{
char **files = NULL;
+ char *key_file = NULL;
int i, total;
int command;
@@ -962,6 +1013,17 @@ main (int argc, char *argv[])
command = COMMAND_SB_STATE;
+ } else if (strcmp (argv[1], "--test-key") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+
+ key_file = argv[2];
+
+ command = COMMAND_TEST_KEY;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -999,6 +1061,9 @@ main (int argc, char *argv[])
case COMMAND_SB_STATE:
sb_state ();
break;
+ case COMMAND_TEST_KEY:
+ test_key (key_file);
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:33:59 +0800
Subject: [PATCH 3/7] Handle the return values
---
src/mokutil.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 68a25bc..13ef69d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -939,6 +939,7 @@ main (int argc, char *argv[])
char *key_file = NULL;
int i, total;
int command;
+ int ret = -1;
if (argc < 2) {
print_help ();
@@ -1032,37 +1033,37 @@ main (int argc, char *argv[])
switch (command) {
case COMMAND_LIST_ENROLLED:
- list_enrolled_keys ();
+ ret = list_enrolled_keys ();
break;
case COMMAND_LIST_NEW:
- list_new_keys ();
+ ret = list_new_keys ();
break;
case COMMAND_IMPORT:
- import_moks (files, total);
+ ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- delete_all ();
+ ret = delete_all ();
break;
case COMMAND_REVOKE:
- revoke_request ();
+ ret = revoke_request ();
break;
case COMMAND_EXPORT:
- export_moks ();
+ ret = export_moks ();
break;
case COMMAND_PASSWORD:
- set_password ();
+ ret = set_password ();
break;
case COMMAND_DISABLE_VALIDATION:
- disable_validation ();
+ ret = disable_validation ();
break;
case COMMAND_ENABLE_VALIDATION:
- enable_validation ();
+ ret = enable_validation ();
break;
case COMMAND_SB_STATE:
- sb_state ();
+ ret = sb_state ();
break;
case COMMAND_TEST_KEY:
- test_key (key_file);
+ ret = test_key (key_file);
break;
default:
fprintf (stderr, "Unknown command\n");
@@ -1072,5 +1073,5 @@ main (int argc, char *argv[])
if (files)
free (files);
- return 0;
+ return ret;
}
--
1.7.10.4
From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 16:35:37 +0800
Subject: [PATCH 4/7] Correct the GUID of "db"
---
src/efi.h | 2 ++
src/mokutil.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/efi.h b/src/efi.h
index 7185179..d2640b4 100644
--- a/src/efi.h
+++ b/src/efi.h
@@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
#define ESP_UNKNOWN_GUID \
EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
static inline int
efi_guidcmp(efi_guid_t left, efi_guid_t right)
diff --git a/src/mokutil.c b/src/mokutil.c
index 13ef69d..6af5a9c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total)
/* whether this key is already enrolled... */
if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
!is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
!is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
!is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
ptr += sizes[i];
--
1.7.10.4
From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 18:12:48 +0800
Subject: [PATCH 5/7] Initialize password array
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6af5a9c..3d00df0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
{
efi_variable_t mok_auth;
uint8_t auth[SHA256_DIGEST_LENGTH];
- char *password;
+ char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
--
1.7.10.4
From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 25 Dec 2012 15:53:56 +0800
Subject: [PATCH 6/7] Add support for deleting specific keys
---
src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 128 insertions(+), 51 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3d00df0..e6807da 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -42,6 +42,7 @@ enum Command {
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
COMMAND_TEST_KEY,
+ COMMAND_RESET,
};
static void
@@ -57,8 +58,8 @@ print_help ()
printf("Import keys:\n");
printf(" mokutil --import <der file>...\n\n");
- printf("Request to delete all keys\n");
- printf(" mokutil --delete-all\n\n");
+ printf("Request to delete specific keys\n");
+ printf(" mokutil --delete <der file>...\n\n");
printf("Revoke the request:\n");
printf(" mokutil --revoke\n\n");
@@ -80,6 +81,9 @@ print_help ()
printf("Test if the key is enrolled or not:\n");
printf(" mokutil --test-key\n\n");
+
+ printf("Reset MOK list:\n");
+ printf(" mokutil --reset\n\n");
}
static int
@@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password,
}
static int
-update_request (void *new_list, int list_len)
+update_request (void *new_list, int list_len, uint8_t import)
{
efi_variable_t var;
+ const char *req_name, *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len;
int ret = -1;
+ if (import) {
+ req_name = "MokNew";
+ auth_name = "MokAuth";
+ } else {
+ req_name = "MokDel";
+ auth_name = "MokDelAuth";
+ }
+
if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
@@ -403,7 +416,7 @@ update_request (void *new_list, int list_len)
/* Write MokNew*/
var.Data = new_list;
var.DataSize = list_len;
- var.VariableName = "MokNew";
+ var.VariableName = req_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -411,17 +424,18 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to enroll new keys\n");
+ fprintf (stderr, "Failed to %s keys\n",
+ import ? "enroll new" : "delete");
goto error;
}
} else {
- test_and_delete_var ("MokNew");
+ test_and_delete_var (req_name);
}
/* Write MokAuth */
var.Data = auth;
var.DataSize = SHA256_DIGEST_LENGTH;
- var.VariableName = "MokAuth";
+ var.VariableName = auth_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -429,8 +443,8 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to write MokAuth\n");
- test_and_delete_var ("MokNew");
+ fprintf (stderr, "Failed to write %s\n", auth_name);
+ test_and_delete_var (req_name);
goto error;
}
@@ -505,20 +519,47 @@ done:
}
static int
-verify_mok_new (void *mok_new, unsigned long mok_new_size)
+is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
{
- efi_variable_t mok_auth;
+ if (import) {
+ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
+ is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ } else {
+ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static int
+verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import)
+{
+ efi_variable_t req_auth;
+ const char *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
- memset (&mok_auth, 0, sizeof(mok_auth));
- mok_auth.VariableName = "MokAuth";
- mok_auth.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_auth) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to read MokAuth\n");
+ if (import)
+ auth_name = "MokAuth";
+ else
+ auth_name = "MokDelAuth";
+
+ memset (&req_auth, 0, sizeof(req_auth));
+ req_auth.VariableName = auth_name;
+ req_auth.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&req_auth) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read %s\n", auth_name);
return 0;
}
@@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
continue;
}
- generate_auth (mok_new, mok_new_size, password, pw_len, auth);
- if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
+ generate_auth (old_req, old_req_size, password, pw_len, auth);
+ if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
ret = 1;
break;
}
@@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
fail++;
}
- if (mok_auth.Data)
- free (mok_auth.Data);
+ if (req_auth.Data)
+ free (req_auth.Data);
return ret;
}
static int
-import_moks (char **files, uint32_t total)
+issue_mok_request (char **files, uint32_t total, uint8_t import)
{
- efi_variable_t mok_new;
+ efi_variable_t old_req;
+ const char *req_name;
void *new_list = NULL;
void *ptr;
struct stat buf;
@@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total)
if (!files)
return -1;
+ if (import)
+ req_name = "MokNew";
+ else
+ req_name = "MokDel";
+
sizes = malloc (total * sizeof(uint32_t));
if (!sizes) {
@@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&mok_new, 0, sizeof(mok_new));
- mok_new.VariableName = "MokNew";
- mok_new.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_new) == EFI_SUCCESS)
- list_size += mok_new.DataSize;
+ memset (&old_req, 0, sizeof(old_req));
+ old_req.VariableName = req_name;
+ old_req.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&old_req) == EFI_SUCCESS)
+ list_size += old_req.DataSize;
new_list = malloc (list_size);
if (!new_list) {
- fprintf (stderr, "Failed to allocate space for MokNew\n");
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
goto error;
}
ptr = new_list;
@@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total)
files[i]);
}
- /* whether this key is already enrolled... */
- if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
+ if (is_valid_request (ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
+ printf ("Skip %s\n", files[i]);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
}
@@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total)
goto error;
}
- /* append the keys in MokNew */
- if (mok_new.Data) {
+ /* append the keys to the previous request */
+ if (old_req.Data) {
/* request the previous password to verify the keys */
- if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
+ if (!verify_old_req (old_req.Data, old_req.DataSize, import)) {
goto error;
}
- memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
- real_size += mok_new.DataSize;
+ memcpy (new_list + real_size, old_req.Data, old_req.DataSize);
+ real_size += old_req.DataSize;
}
- if (update_request (new_list, real_size) < 0) {
+ if (update_request (new_list, real_size, import) < 0) {
goto error;
}
ret = 0;
error:
- if (mok_new.Data)
- free (mok_new.Data);
+ if (old_req.Data)
+ free (old_req.Data);
if (sizes)
free (sizes);
if (new_list)
@@ -682,14 +725,15 @@ error:
}
static int
-delete_all ()
+import_moks (char **files, uint32_t total)
{
- if (update_request (NULL, 0)) {
- fprintf (stderr, "Failed to issue an delete request\n");
- return -1;
- }
+ return issue_mok_request (files, total, 1);
+}
- return 0;
+static int
+delete_moks (char **files, uint32_t total)
+{
+ return issue_mok_request (files, total, 0);
}
static int
@@ -932,6 +976,17 @@ error:
return ret;
}
+static int
+reset_moks ()
+{
+ if (update_request (NULL, 0, 1)) {
+ fprintf (stderr, "Failed to issue a reset request\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -982,8 +1037,23 @@ main (int argc, char *argv[])
command = COMMAND_IMPORT;
- } else if (strcmp (argv[1], "-D") == 0 ||
- strcmp (argv[1], "--delete-all") == 0) {
+ } else if (strcmp (argv[1], "-d") == 0 ||
+ strcmp (argv[1], "--delete") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+ total = argc - 2;
+
+ files = malloc (total * sizeof(char *));
+ if (!files) {
+ fprintf (stderr, "Failed to allocate file list\n");
+ return -1;
+ }
+
+ for (i = 0; i < total; i++)
+ files[i] = argv[i+2];
command = COMMAND_DELETE;
@@ -1025,6 +1095,10 @@ main (int argc, char *argv[])
command = COMMAND_TEST_KEY;
+ } else if (strcmp (argv[1], "--reset") == 0) {
+
+ command = COMMAND_RESET;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -1042,7 +1116,7 @@ main (int argc, char *argv[])
ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- ret = delete_all ();
+ ret = delete_moks (files, total);
break;
case COMMAND_REVOKE:
ret = revoke_request ();
@@ -1065,6 +1139,9 @@ main (int argc, char *argv[])
case COMMAND_TEST_KEY:
ret = test_key (key_file);
break;
+ case COMMAND_RESET:
+ ret = reset_moks ();
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 2 Jan 2013 17:09:35 +0800
Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash
In issue_mok_request(), old_req.Data must be intialized before
"goto error", or the process would segfault when freeing old_req.Data.
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e6807da..a99e355 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
sizes = malloc (total * sizeof(uint32_t));
+ memset (&old_req, 0, sizeof(old_req));
+
if (!sizes) {
fprintf (stderr, "Failed to allocate space for sizes\n");
goto error;
@@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&old_req, 0, sizeof(old_req));
old_req.VariableName = req_name;
old_req.VendorGuid = SHIM_LOCK_GUID;
if (read_variable (&old_req) == EFI_SUCCESS)
--
1.7.10.4

File diff suppressed because it is too large Load Diff

View File

@ -1,124 +0,0 @@
From 53a40965390cfa3b99d636874c6b9d968380f312 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 30 Jan 2013 14:16:16 +0800
Subject: [PATCH] Update man page
---
man/mokutil.1 | 59 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 43 insertions(+), 16 deletions(-)
diff --git a/man/mokutil.1 b/man/mokutil.1
index 7a70d3e..fabd7a9 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -1,27 +1,41 @@
-.TH MOKUTIL 1 "Wed Nov 07 2012"
+.TH MOKUTIL 1 "Wed Jan 30 2013"
.SH NAME
mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
-\fBmokutil\fR [--list-enrolled | -le]
+\fBmokutil\fR [--list-enrolled]
.br
-\fBmokutil\fR [--list-new | -ln]
+\fBmokutil\fR [--list-new]
.br
-\fBmokutil\fR [--import | -i] ...
+\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
-\fBmokutil\fR [--delete-all | -D]
+\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
-\fBmokutil\fR [--revoke | -r]
+\fBmokutil\fR [--revoke-import]
+.br
+\fBmokutil\fR [--revoke-delete]
.br
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--disable-validation]
.br
\fBmokutil\fR [--enable-validation]
.br
+\fBmokutil\fR [--sb-state]
+.br
+\fBmokutil\fR [--test-key | -t] ...
+.br
+\fBmokutil\fR [--reset]
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
+.br
+\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -31,36 +45,49 @@ mokutil \- utility to manipulate machine owner keys
.TP
\fB--list-enrolled\fR
List the keys the already stored in the database
-
.TP
\fB--list-new\fR
List the keys to be enrolled
-
.TP
\fB--import\fR
Collect the followed files and form a request to shim. The files must be in DER
format.
-
.TP
\fB--delete-all\fR
Request shim to delete all stored keys
-
.TP
-\fB--revoke\fR
-Revoke the current request
-
+\fB--revoke-import\fR
+Revoke the current import request (MokNew)
+.TP
+\fB--revoke-delete\fR
+Revoke the current delete request (MokDel)
.TP
\fB--export\fR
Export the keys stored in MokListRT
-
.TP
\fB--password\fR
Setup the password for MokManager
-
.TP
\fB--disable-validation\fR
Disable the validation process in shim
-
.TP
\fB--enrolled-validation\fR
Enable the validation process in shim
+.TP
+\fB--sb-state\fR
+Show SecureBoot State
+.TP
+\fB--test-key\fR
+Test if the key is enrolled or not
+.TP
+\fB--reset\fR
+Reset MOK list
+.TP
+\fB--generate-hash\fR
+Generate the password hash
+.TP
+\fB--hash-file\fR
+Use the password hash from a specific file
+.TP
+\fB--root-pw\fR
+Use the root password hash from /etc/shadow
--
1.7.10.4

View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com
- Update to 0.2.0
+ Generate the password hash with crypt() by default instead of
the original sha256 password hash
+ Add an option to import the root password hash
+ Amend error messages, help, and man page
- Drop upstreamed patches
+ mokutil-lcrypt-ldflag.patch
+ mokutil-probe-secure-boot-state.patch
+ mokutil-allow-password-from-pipe.patch
+ mokutil-bnc809703-check-pending-request.patch
+ mokutil-support-delete-keys.patch
+ mokutil-support-crypt-hash-methods.patch
+ mokutil-update-man-page.patch
+ mokutil-bnc809215-improve-wording.patch
+ mokutil-support-new-pw-hash.patch
+ mokutil-no-duplicate-keys-imported.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 2 04:43:59 UTC 2013 - glin@suse.com Tue Apr 2 04:43:59 UTC 2013 - glin@suse.com

View File

@ -17,33 +17,13 @@
Name: mokutil Name: mokutil
Version: 0.1.0 Version: 0.2.0
Release: 0 Release: 0
Summary: Tools for manipulating machine owner keys Summary: Tools for manipulating machine owner keys
License: GPL-3.0 License: GPL-3.0
Group: Productivity/Security Group: Productivity/Security
Url: https://github.com/lcp/mokutil Url: https://github.com/lcp/mokutil
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
# PATCH-FIX-UPSTREAM mokutil-probe-secure-boot-state.patch glin@suse.com -- Probe the state of secure boot
Patch1: mokutil-probe-secure-boot-state.patch
# PATCH-FIX-UPSTREAM mokutil-no-duplicate-keys-imported.patch glin@suse.com -- Do not import duplicate keys
Patch2: mokutil-no-duplicate-keys-imported.patch
# PATCH-FIX-UPSTREAM mokutil-accept-password-from-pipe.patch glin@suse.com -- Allow the password to be sent through pipeline
Patch3: mokutil-allow-password-from-pipe.patch
# PATCH-FIX-UPSTREAM mokutil-support-delete-keys.patch glin@suse.com -- Add support for deleting specific keys
Patch4: mokutil-support-delete-keys.patch
# PATCH-FIX-UPSTREAM mokutil-support-new-pw-hash.patch glin@suse.com -- Support the new password hash format
Patch5: mokutil-support-new-pw-hash.patch
# PATCH-FIX-UPSTREAM mokutil-support-crypt-hash-methods.patch glin@suse.com -- Support the hash methods used for /etc/shadow
Patch6: mokutil-support-crypt-hash-methods.patch
# PATCH-FIX-UPSTREAM mokutil-update-man-page.patch glin@suse.com -- Update man page
Patch7: mokutil-update-man-page.patch
# PATCH-FIX-UPSTREAM mokutil-lcrypt-ldflag.patch glin@suse.com -- Add -lcrpyt correctly
Patch8: mokutil-lcrypt-ldflag.patch
# PATCH-FIX-UPSTREAM mokutil-bnc809215-improve-wording.patch bnc#809215 glin@suse.com -- Improve the wording of error messages
Patch9: mokutil-bnc809215-improve-wording.patch
# PATCH-FIX-UPSTREAM mokutil-bnc809703-check-pending-request.patch bnc#809703 glin@suse.com -- Remove the key from the pending requests if necessary
Patch10: mokutil-bnc809703-check-pending-request.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: libopenssl-devel >= 0.9.8
@ -63,19 +43,8 @@ Authors:
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build %build
autoreconf -i -f
%configure %configure
make make