Accepting request 184305 from Base:System
- Update to 0.2.0 + Generate the password hash with crypt() by default instead of the original sha256 password hash + Add an option to import the root password hash + Amend error messages, help, and man page (forwarded request 184304 from gary_lin) OBS-URL: https://build.opensuse.org/request/show/184305 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mokutil?expand=0&rev=6
This commit is contained in:
commit
4befcaf993
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:739a241e18cc5b89c46eecc473568fb295952598ff518e7af90f81900afb62d4
|
||||
size 94722
|
3
mokutil-0.2.0.tar.bz2
Normal file
3
mokutil-0.2.0.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:03cf595bd1b4d4a17dc1814b0529b25505d57429d583e7f9489ef0a2354b320e
|
||||
size 102028
|
@ -1,50 +0,0 @@
|
||||
commit adce7208ddcb65daac83ea3429aa8586d9cc4ea5
|
||||
Author: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed Jan 2 17:30:07 2013 +0800
|
||||
|
||||
Only change terminal settings
|
||||
|
||||
tcgetattr() will fail if we send password through a pipeline instead
|
||||
of a TTY.
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index a99e355..ea8481a 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -278,22 +278,27 @@ read_hidden_line (char **line, size_t *n)
|
||||
{
|
||||
struct termios old, new;
|
||||
int nread;
|
||||
+ int isTTY = isatty(fileno (stdin));
|
||||
|
||||
- /* Turn echoing off and fail if we can't. */
|
||||
- if (tcgetattr (fileno (stdin), &old) != 0)
|
||||
- return -1;
|
||||
+ if (isTTY) {
|
||||
+ /* Turn echoing off and fail if we can't. */
|
||||
+ if (tcgetattr (fileno (stdin), &old) != 0)
|
||||
+ return -1;
|
||||
|
||||
- new = old;
|
||||
- new.c_lflag &= ~ECHO;
|
||||
+ new = old;
|
||||
+ new.c_lflag &= ~ECHO;
|
||||
|
||||
- if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
|
||||
- return -1;
|
||||
+ if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
/* Read the password. */
|
||||
nread = getline (line, n, stdin);
|
||||
|
||||
- /* Restore terminal. */
|
||||
- (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
|
||||
+ if (isTTY) {
|
||||
+ /* Restore terminal. */
|
||||
+ (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
|
||||
+ }
|
||||
|
||||
/* Remove the newline */
|
||||
(*line)[nread-1] = '\0';
|
@ -1,105 +0,0 @@
|
||||
commit 08e7fbbfec644406b5f6f3ce787444bc5e2c4b3d
|
||||
Author: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Fri Mar 29 12:12:00 2013 +0800
|
||||
|
||||
Make the error message more understandable
|
||||
|
||||
diff --git a/src/efilib.c b/src/efilib.c
|
||||
index cb1aca6..1b72cd9 100644
|
||||
--- a/src/efilib.c
|
||||
+++ b/src/efilib.c
|
||||
@@ -5,6 +5,7 @@
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
+#include <errno.h>
|
||||
#include "efi.h"
|
||||
|
||||
#define SYSFS_DIR_EFI_VARS "/sys/firmware/efi/efivars"
|
||||
@@ -95,7 +96,9 @@ read_variable (efi_variable_t *var)
|
||||
snprintf (filename, PATH_MAX-1, "%s/%s", SYSFS_DIR_EFI_VARS, name);
|
||||
fd = open (filename, O_RDONLY);
|
||||
if (fd == -1) {
|
||||
- return EFI_NOT_FOUND;
|
||||
+ if (errno == ENOENT)
|
||||
+ return EFI_NOT_FOUND;
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if (fstat (fd, &buf) != 0) {
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 27ebf09..3f89db2 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -236,14 +236,20 @@ static int
|
||||
list_enrolled_keys ()
|
||||
{
|
||||
efi_variable_t var;
|
||||
+ efi_status_t status;
|
||||
int ret;
|
||||
|
||||
memset (&var, 0, sizeof(var));
|
||||
var.VariableName = "MokListRT";
|
||||
-
|
||||
var.VendorGuid = SHIM_LOCK_GUID;
|
||||
|
||||
- if (read_variable (&var) != EFI_SUCCESS) {
|
||||
+ status = read_variable (&var);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ if (status == EFI_NOT_FOUND) {
|
||||
+ printf ("MokListRT is empty\n");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
fprintf (stderr, "Failed to read MokListRT\n");
|
||||
return -1;
|
||||
}
|
||||
@@ -258,14 +264,20 @@ static int
|
||||
list_new_keys ()
|
||||
{
|
||||
efi_variable_t var;
|
||||
+ efi_status_t status;
|
||||
int ret;
|
||||
|
||||
memset (&var, 0, sizeof(var));
|
||||
var.VariableName = "MokNew";
|
||||
-
|
||||
var.VendorGuid = SHIM_LOCK_GUID;
|
||||
|
||||
- if (read_variable (&var) != EFI_SUCCESS) {
|
||||
+ status = read_variable (&var);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ if (status == EFI_NOT_FOUND) {
|
||||
+ printf ("No MOK new key request\n");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
fprintf (stderr, "Failed to read MokNew\n");
|
||||
return -1;
|
||||
}
|
||||
@@ -812,6 +824,7 @@ static int
|
||||
export_moks ()
|
||||
{
|
||||
efi_variable_t var;
|
||||
+ efi_status_t status;
|
||||
char filename[PATH_MAX];
|
||||
uint32_t mok_num;
|
||||
MokListNode *list;
|
||||
@@ -822,10 +835,15 @@ export_moks ()
|
||||
|
||||
memset (&var, 0, sizeof(var));
|
||||
var.VariableName = "MokListRT";
|
||||
-
|
||||
var.VendorGuid = SHIM_LOCK_GUID;
|
||||
|
||||
- if (read_variable (&var) != EFI_SUCCESS) {
|
||||
+ status = read_variable (&var);
|
||||
+ if (status != EFI_SUCCESS) {
|
||||
+ if (status == EFI_NOT_FOUND) {
|
||||
+ printf ("MokListRT is empty\n");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
fprintf (stderr, "Failed to read MokListRT\n");
|
||||
return -1;
|
||||
}
|
@ -1,340 +0,0 @@
|
||||
From 9a114bb26e81f3b2764d84b8a6f5b9bd2e1528de Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Fri, 29 Mar 2013 18:00:55 +0800
|
||||
Subject: [PATCH 1/3] Delete key from the pending request
|
||||
|
||||
---
|
||||
src/mokutil.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 108 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 3f89db2..01a1b79 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -49,8 +49,9 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
||||
#define SETTINGS_LEN (DEFAULT_SALT_SIZE*2)
|
||||
|
||||
typedef struct {
|
||||
- uint32_t mok_size;
|
||||
- void *mok;
|
||||
+ EFI_SIGNATURE_LIST *header;
|
||||
+ uint32_t mok_size;
|
||||
+ void *mok;
|
||||
} MokListNode;
|
||||
|
||||
typedef struct {
|
||||
@@ -154,8 +155,9 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ list[count].header = CertList;
|
||||
list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
|
||||
- list[count].mok = (void *)Cert->SignatureData;
|
||||
+ list[count].mok = (void *)Cert->SignatureData;
|
||||
|
||||
count++;
|
||||
dbsize -= CertList->SignatureListSize;
|
||||
@@ -233,6 +235,74 @@ list_keys (efi_variable_t *var)
|
||||
}
|
||||
|
||||
static int
|
||||
+delete_key_from_list (void *mok, uint32_t mok_size,
|
||||
+ const char *var_name, efi_guid_t guid)
|
||||
+{
|
||||
+ efi_variable_t var;
|
||||
+ MokListNode *list;
|
||||
+ uint32_t mok_num, total, remain;
|
||||
+ void *ptr, *data = NULL;
|
||||
+ int i, del_ind, ret = 0;
|
||||
+
|
||||
+ if (!var_name || !mok || mok_size == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ memset (&var, 0, sizeof(var));
|
||||
+ var.VariableName = var_name;
|
||||
+ var.VendorGuid = guid;
|
||||
+
|
||||
+ if (read_variable (&var) != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ total = var.DataSize;
|
||||
+
|
||||
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
|
||||
+ if (list == NULL)
|
||||
+ goto done;
|
||||
+
|
||||
+ for (i = 0; i < mok_num; i++) {
|
||||
+ if (list[i].mok_size != mok_size)
|
||||
+ continue;
|
||||
+
|
||||
+ if (memcmp (list[i].mok, mok, mok_size) == 0) {
|
||||
+ /* Remove this key */
|
||||
+ del_ind = i;
|
||||
+ data = (void *)list[i].header;
|
||||
+ ptr = data + list[i].header->SignatureListSize;
|
||||
+ total -= list[i].header->SignatureListSize;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* the key is not in this list */
|
||||
+ if (data == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Move the rest of the keys */
|
||||
+ remain = 0;
|
||||
+ for (i = del_ind + 1; i < mok_num; i++)
|
||||
+ remain += list[i].header->SignatureListSize;
|
||||
+ if (remain > 0)
|
||||
+ memmove (data, ptr, remain);
|
||||
+
|
||||
+ var.DataSize = total;
|
||||
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
+
|
||||
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
|
||||
+ fprintf (stderr, "Failed to write %s\n", var_name);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = 1;
|
||||
+done:
|
||||
+ free (var.Data);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
list_enrolled_keys ()
|
||||
{
|
||||
efi_variable_t var;
|
||||
@@ -658,6 +728,34 @@ is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
|
||||
}
|
||||
|
||||
static int
|
||||
+in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
|
||||
+{
|
||||
+ efi_variable_t authvar;
|
||||
+ const char *var_name = import ? "MokDel" : "MokNew";
|
||||
+
|
||||
+ if (!mok || mok_size == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ memset (&authvar, 0, sizeof(authvar));
|
||||
+ authvar.VariableName = import ? "MokDelAuth" : "MokAuth";
|
||||
+ authvar.VendorGuid = SHIM_LOCK_GUID;
|
||||
+
|
||||
+ if (read_variable (&authvar) != EFI_SUCCESS) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ free (authvar.Data);
|
||||
+ /* Check if the password hash is in the old format */
|
||||
+ if (authvar.DataSize == SHA256_DIGEST_LENGTH)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (delete_key_from_list (mok, mok_size, var_name, SHIM_LOCK_GUID))
|
||||
+ return 1;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
issue_mok_request (char **files, uint32_t total, uint8_t import,
|
||||
const char *hash_file, const int root_pw)
|
||||
{
|
||||
@@ -678,10 +776,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
||||
if (!files)
|
||||
return -1;
|
||||
|
||||
- if (import)
|
||||
- req_name = "MokNew";
|
||||
- else
|
||||
- req_name = "MokDel";
|
||||
+ req_name = import ? "MokNew" : "MokDel";
|
||||
|
||||
sizes = malloc (total * sizeof(uint32_t));
|
||||
|
||||
@@ -692,6 +787,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ /* get the sizes of the key files */
|
||||
for (i = 0; i < total; i++) {
|
||||
if (stat (files[i], &buf) != 0) {
|
||||
fprintf (stderr, "Failed to get file status, %s\n",
|
||||
@@ -752,6 +848,10 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
||||
if (is_valid_request (ptr, sizes[i], import)) {
|
||||
ptr += sizes[i];
|
||||
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
+ } else if (in_pending_request (ptr, sizes[i], import)) {
|
||||
+ printf ("Removed %s from %s\n", files[i], import ? "MokDel" : "MokNew");
|
||||
+
|
||||
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
} else {
|
||||
printf ("Skip %s\n", files[i]);
|
||||
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
@@ -760,7 +860,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
||||
close (fd);
|
||||
}
|
||||
|
||||
- /* All keys are enrolled, nothing to do here... */
|
||||
+ /* All keys are in the list, nothing to do here... */
|
||||
if (real_size == 0) {
|
||||
ret = 0;
|
||||
goto error;
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
||||
From d00c50c0eb73c27b1c49d8d947b99e24a4da4a66 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Fri, 29 Mar 2013 14:21:00 +0800
|
||||
Subject: [PATCH 2/3] Remove the unnecessary command flags
|
||||
|
||||
---
|
||||
src/mokutil.c | 47 ++++++++++++++++++++++-------------------------
|
||||
1 file changed, 22 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 01a1b79..6c3a135 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -40,9 +40,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
||||
#define SB_STATE 0x800
|
||||
#define TEST_KEY 0x1000
|
||||
#define RESET 0x2000
|
||||
-#define HASH_FILE 0x4000
|
||||
-#define GENERATE_PW_HASH 0x8000
|
||||
-#define ROOT_PW 0x10000
|
||||
+#define GENERATE_PW_HASH 0x4000
|
||||
|
||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
||||
@@ -1247,6 +1245,7 @@ main (int argc, char *argv[])
|
||||
const char *option;
|
||||
int c, i, f_ind, total = 0;
|
||||
unsigned int command = 0;
|
||||
+ int use_root_pw = 0;
|
||||
int ret = -1;
|
||||
|
||||
while (1) {
|
||||
@@ -1329,7 +1328,6 @@ main (int argc, char *argv[])
|
||||
case 'f':
|
||||
hash_file = strdup (optarg);
|
||||
|
||||
- command |= HASH_FILE;
|
||||
break;
|
||||
case 'g':
|
||||
if (optarg)
|
||||
@@ -1341,7 +1339,7 @@ main (int argc, char *argv[])
|
||||
command |= PASSWORD;
|
||||
break;
|
||||
case 'P':
|
||||
- command |= ROOT_PW;
|
||||
+ use_root_pw = 1;
|
||||
break;
|
||||
case 't':
|
||||
key_file = strdup (optarg);
|
||||
@@ -1360,6 +1358,9 @@ main (int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
+ if (hash_file && use_root_pw)
|
||||
+ command |= HELP;
|
||||
+
|
||||
switch (command) {
|
||||
case LIST_ENROLLED:
|
||||
ret = list_enrolled_keys ();
|
||||
@@ -1368,18 +1369,16 @@ main (int argc, char *argv[])
|
||||
ret = list_new_keys ();
|
||||
break;
|
||||
case IMPORT:
|
||||
- case IMPORT | HASH_FILE:
|
||||
- ret = import_moks (files, total, hash_file, 0);
|
||||
- break;
|
||||
- case IMPORT | ROOT_PW:
|
||||
- ret = import_moks (files, total, NULL, 1);
|
||||
+ if (use_root_pw)
|
||||
+ ret = import_moks (files, total, NULL, 1);
|
||||
+ else
|
||||
+ ret = import_moks (files, total, hash_file, 0);
|
||||
break;
|
||||
case DELETE:
|
||||
- case DELETE | HASH_FILE:
|
||||
- ret = delete_moks (files, total, hash_file, 0);
|
||||
- break;
|
||||
- case DELETE | ROOT_PW:
|
||||
- ret = delete_moks (files, total, NULL, 1);
|
||||
+ if (use_root_pw)
|
||||
+ ret = delete_moks (files, total, NULL, 1);
|
||||
+ else
|
||||
+ ret = delete_moks (files, total, hash_file, 0);
|
||||
break;
|
||||
case REVOKE_IMPORT:
|
||||
ret = revoke_request (1);
|
||||
@@ -1391,11 +1390,10 @@ main (int argc, char *argv[])
|
||||
ret = export_moks ();
|
||||
break;
|
||||
case PASSWORD:
|
||||
- case PASSWORD | HASH_FILE:
|
||||
- ret = set_password (hash_file, 0);
|
||||
- break;
|
||||
- case PASSWORD | ROOT_PW:
|
||||
- ret = set_password (NULL, 1);
|
||||
+ if (use_root_pw)
|
||||
+ ret = set_password (NULL, 1);
|
||||
+ else
|
||||
+ ret = set_password (hash_file, 0);
|
||||
break;
|
||||
case DISABLE_VALIDATION:
|
||||
ret = disable_validation ();
|
||||
@@ -1410,11 +1408,10 @@ main (int argc, char *argv[])
|
||||
ret = test_key (key_file);
|
||||
break;
|
||||
case RESET:
|
||||
- case RESET | HASH_FILE:
|
||||
- ret = reset_moks (hash_file, 0);
|
||||
- break;
|
||||
- case RESET | ROOT_PW:
|
||||
- ret = reset_moks (NULL, 1);
|
||||
+ if (use_root_pw)
|
||||
+ ret = reset_moks (NULL, 1);
|
||||
+ else
|
||||
+ ret = reset_moks (hash_file, 0);
|
||||
break;
|
||||
case GENERATE_PW_HASH:
|
||||
ret = generate_pw_hash (input_pw);
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
||||
From 3c3725784cd31d867443675cb5aa6698b952ac2b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 2 Apr 2013 11:29:01 +0800
|
||||
Subject: [PATCH 3/3] Show help if there is no key to be imported/deleted
|
||||
|
||||
---
|
||||
src/mokutil.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 6c3a135..58566f9 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -1317,6 +1317,11 @@ main (int argc, char *argv[])
|
||||
total++;
|
||||
}
|
||||
|
||||
+ if (total == 0) {
|
||||
+ command |= HELP;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
files = malloc (total * sizeof (char *));
|
||||
for (i = 0; i < total; i++) {
|
||||
f_ind = i + optind - 1;
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,29 +0,0 @@
|
||||
From aa48dc644fbf775970d01a368c532d0668015f18 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed, 30 Jan 2013 16:30:23 +0800
|
||||
Subject: [PATCH] Include lcrypt in LDFLAGS
|
||||
|
||||
---
|
||||
src/Makefile.am | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index afe1752..de7ddca 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -1,10 +1,10 @@
|
||||
bin_PROGRAMS = mokutil
|
||||
|
||||
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
|
||||
- -lcrypt \
|
||||
$(WARNINGFLAGS_C)
|
||||
|
||||
-mokutil_LDADD = $(OPENSSL_LIBS)
|
||||
+mokutil_LDADD = $(OPENSSL_LIBS) \
|
||||
+ -lcrypt
|
||||
|
||||
mokutil_SOURCES = efi.h \
|
||||
efilib.c \
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,283 +0,0 @@
|
||||
From 0e1ac853fb889b3d8d00e3a4751f388b0b8d8f26 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed, 5 Dec 2012 11:12:43 +0800
|
||||
Subject: [PATCH 1/4] Correct MOK size and SignatureSize
|
||||
|
||||
The MOK size didn't include the SignatureOwner GUID.
|
||||
The SignatureData header size was added twice accidentally.
|
||||
---
|
||||
src/mokutil.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 1c32828..1b8465f 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -143,7 +143,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- list[count].mok_size = CertList->SignatureSize;
|
||||
+ list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
|
||||
list[count].mok = (void *)Cert->SignatureData;
|
||||
|
||||
count++;
|
||||
@@ -497,8 +497,7 @@ import_moks (char **files, uint32_t total)
|
||||
CertList->SignatureListSize = sizes[i] +
|
||||
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
|
||||
CertList->SignatureHeaderSize = 0;
|
||||
- CertList->SignatureSize = sizes[i] +
|
||||
- sizeof(EFI_SIGNATURE_DATA) + 16;
|
||||
+ CertList->SignatureSize = sizes[i] + sizeof(efi_guid_t);
|
||||
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
||||
|
||||
fd = open (files[i], O_RDONLY);
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 69955da3819da3abaf198e5dae038c44814df5c0 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed, 5 Dec 2012 11:24:58 +0800
|
||||
Subject: [PATCH 2/4] Don't import duplicate keys
|
||||
|
||||
This commit compares keys in PK, KEK, db, MokListRT, and MokNew
|
||||
before issuing a new request to avoid enrolling keys twice.
|
||||
---
|
||||
src/mokutil.c | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 124 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 1b8465f..cf38422 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -333,8 +333,8 @@ get_password (char **password, int *len, int min, int max)
|
||||
}
|
||||
|
||||
static int
|
||||
-generate_auth (void *new_list, int list_len, char *password, int pw_len,
|
||||
- uint8_t *auth)
|
||||
+generate_auth (void *new_list, unsigned long list_len, char *password,
|
||||
+ int pw_len, uint8_t *auth)
|
||||
{
|
||||
efi_char16_t efichar_pass[PASSWORD_MAX+1];
|
||||
unsigned long efichar_len;
|
||||
@@ -444,12 +444,97 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
||||
}
|
||||
|
||||
static int
|
||||
+is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
|
||||
+ efi_guid_t guid)
|
||||
+{
|
||||
+ efi_variable_t var;
|
||||
+ uint32_t mok_num;
|
||||
+ MokListNode *list;
|
||||
+ int i, ret = 0;
|
||||
+
|
||||
+ if (!cert || cert_size == 0 || !db_name)
|
||||
+ return 0;
|
||||
+
|
||||
+ memset (&var, 0, sizeof(var));
|
||||
+ var.VariableName = db_name;
|
||||
+ var.VendorGuid = guid;
|
||||
+
|
||||
+ if (read_variable (&var) != EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ list = build_mok_list (var.Data, var.DataSize, &mok_num);
|
||||
+ if (list == NULL) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < mok_num; i++) {
|
||||
+ if (list[i].mok_size != cert_size)
|
||||
+ continue;
|
||||
+
|
||||
+ if (memcmp (list[i].mok, cert, cert_size) == 0) {
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ free (var.Data);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
+{
|
||||
+ efi_variable_t mok_auth;
|
||||
+ uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
+ char *password;
|
||||
+ int pw_len, fail = 0;
|
||||
+ size_t n;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ memset (&mok_auth, 0, sizeof(mok_auth));
|
||||
+ mok_auth.VariableName = "MokAuth";
|
||||
+ mok_auth.VendorGuid = SHIM_LOCK_GUID;
|
||||
+ if (read_variable (&mok_auth) == EFI_SUCCESS)
|
||||
+ return 0;
|
||||
+
|
||||
+ while (fail < 3) {
|
||||
+ printf ("input old password: ");
|
||||
+ pw_len = read_hidden_line (&password, &n);
|
||||
+ printf ("\n");
|
||||
+
|
||||
+ if (pw_len > PASSWORD_MAX || pw_len < PASSWORD_MIN) {
|
||||
+ free (password);
|
||||
+ fprintf (stderr, "invalid password\n");
|
||||
+ fail++;
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ generate_auth (mok_new, mok_new_size, password, pw_len, auth);
|
||||
+ if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ fail++;
|
||||
+ }
|
||||
+
|
||||
+ if (mok_auth.Data)
|
||||
+ free (mok_auth.Data);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
import_moks (char **files, uint32_t total)
|
||||
{
|
||||
+ efi_variable_t mok_new;
|
||||
void *new_list = NULL;
|
||||
void *ptr;
|
||||
struct stat buf;
|
||||
unsigned long list_size = 0;
|
||||
+ unsigned long real_size = 0;
|
||||
uint32_t *sizes = NULL;
|
||||
int fd = -1;
|
||||
ssize_t read_size;
|
||||
@@ -481,6 +566,12 @@ import_moks (char **files, uint32_t total)
|
||||
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
|
||||
list_size += sizeof(efi_guid_t) * total;
|
||||
|
||||
+ memset (&mok_new, 0, sizeof(mok_new));
|
||||
+ mok_new.VariableName = "MokNew";
|
||||
+ mok_new.VendorGuid = SHIM_LOCK_GUID;
|
||||
+ if (read_variable (&mok_new) == EFI_SUCCESS)
|
||||
+ list_size += mok_new.DataSize;
|
||||
+
|
||||
new_list = malloc (list_size);
|
||||
if (!new_list) {
|
||||
fprintf (stderr, "Failed to allocate space for MokNew\n");
|
||||
@@ -518,17 +609,46 @@ import_moks (char **files, uint32_t total)
|
||||
fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n",
|
||||
files[i]);
|
||||
}
|
||||
- ptr += sizes[i];
|
||||
+
|
||||
+ /* whether this key is already enrolled... */
|
||||
+ if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
|
||||
+ !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
|
||||
+ ptr += sizes[i];
|
||||
+ real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
+ } else {
|
||||
+ ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
+ }
|
||||
|
||||
close (fd);
|
||||
}
|
||||
|
||||
- if (update_request (new_list, list_size) < 0) {
|
||||
+ /* All keys are enrolled, nothing to do here... */
|
||||
+ if (real_size == 0) {
|
||||
+ ret = 0;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ /* append the keys in MokNew */
|
||||
+ if (mok_new.Data) {
|
||||
+ /* request the previous password to verify the keys */
|
||||
+ if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ memcpy (ptr, mok_new.Data, mok_new.DataSize);
|
||||
+ }
|
||||
+
|
||||
+ if (update_request (new_list, real_size) < 0) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
error:
|
||||
+ if (mok_new.Data)
|
||||
+ free (mok_new.Data);
|
||||
if (sizes)
|
||||
free (sizes);
|
||||
if (new_list)
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 10046350e223b6912bd9c3a7031f06779cb326bb Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Fri, 7 Dec 2012 15:57:50 +0800
|
||||
Subject: [PATCH 3/4] Check MokAuth correctly
|
||||
|
||||
---
|
||||
src/mokutil.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index cf38422..9d56a90 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -496,8 +496,10 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
memset (&mok_auth, 0, sizeof(mok_auth));
|
||||
mok_auth.VariableName = "MokAuth";
|
||||
mok_auth.VendorGuid = SHIM_LOCK_GUID;
|
||||
- if (read_variable (&mok_auth) == EFI_SUCCESS)
|
||||
+ if (read_variable (&mok_auth) != EFI_SUCCESS) {
|
||||
+ fprintf (stderr, "Failed to read MokAuth\n");
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
while (fail < 3) {
|
||||
printf ("input old password: ");
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 9674b3249fef0d2ba00364f9f120f1ef17b710fc Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Fri, 7 Dec 2012 15:58:30 +0800
|
||||
Subject: [PATCH 4/4] Really append the old request to the new one...
|
||||
|
||||
---
|
||||
src/mokutil.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 9d56a90..aba1cfb 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -640,7 +640,8 @@ import_moks (char **files, uint32_t total)
|
||||
goto error;
|
||||
}
|
||||
|
||||
- memcpy (ptr, mok_new.Data, mok_new.DataSize);
|
||||
+ memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
|
||||
+ real_size += mok_new.DataSize;
|
||||
}
|
||||
|
||||
if (update_request (new_list, real_size) < 0) {
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,111 +0,0 @@
|
||||
commit b2602eee326c15df8d23baa44f9e9e3e8b6bad93
|
||||
Author: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon Dec 3 17:45:41 2012 +0800
|
||||
|
||||
Probe the state of SecureBoot
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 3707220..1c32828 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -40,6 +40,7 @@ enum Command {
|
||||
COMMAND_PASSWORD,
|
||||
COMMAND_DISABLE_VALIDATION,
|
||||
COMMAND_ENABLE_VALIDATION,
|
||||
+ COMMAND_SB_STATE,
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -48,22 +49,33 @@ print_help ()
|
||||
printf("Usage:\n");
|
||||
printf("List the enrolled keys:\n");
|
||||
printf(" mokutil --list-enrolled\n\n");
|
||||
+
|
||||
printf("List the keys to be enrolled:\n");
|
||||
printf(" mokutil --list-new\n\n");
|
||||
+
|
||||
printf("Import keys:\n");
|
||||
printf(" mokutil --import <der file>...\n\n");
|
||||
+
|
||||
printf("Request to delete all keys\n");
|
||||
printf(" mokutil --delete-all\n\n");
|
||||
+
|
||||
printf("Revoke the request:\n");
|
||||
printf(" mokutil --revoke\n\n");
|
||||
+
|
||||
printf("Export enrolled keys to files:\n");
|
||||
printf(" mokutil --export\n\n");
|
||||
+
|
||||
printf("Set MOK password:\n");
|
||||
printf(" mokutil --password\n\n");
|
||||
+
|
||||
printf("Disable signature validation:\n");
|
||||
printf(" mokutil --disable-validation\n\n");
|
||||
+
|
||||
printf("Enable signature validation:\n");
|
||||
printf(" mokutil --enable-validation\n\n");
|
||||
+
|
||||
+ printf("SecureBoot State:\n");
|
||||
+ printf(" mokutil --sb-state\n\n");
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -709,7 +721,36 @@ enable_validation()
|
||||
{
|
||||
return set_validation(1);
|
||||
}
|
||||
-
|
||||
+
|
||||
+static int
|
||||
+sb_state ()
|
||||
+{
|
||||
+ efi_variable_t var;
|
||||
+ char *state;
|
||||
+
|
||||
+ memset (&var, 0, sizeof(var));
|
||||
+ var.VariableName = "SecureBoot";
|
||||
+ var.VendorGuid = EFI_GLOBAL_VARIABLE;
|
||||
+
|
||||
+ if (read_variable (&var) != EFI_SUCCESS) {
|
||||
+ fprintf (stderr, "Failed to read SecureBoot\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ state = (char *)var.Data;
|
||||
+ if (*state == 1) {
|
||||
+ printf ("SecureBoot enabled\n");
|
||||
+ } else if (*state == 0) {
|
||||
+ printf ("SecureBoot disabled\n");
|
||||
+ } else {
|
||||
+ printf ("SecureBoot unknown");
|
||||
+ }
|
||||
+
|
||||
+ free (var.Data);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main (int argc, char *argv[])
|
||||
{
|
||||
@@ -786,6 +827,10 @@ main (int argc, char *argv[])
|
||||
|
||||
command = COMMAND_ENABLE_VALIDATION;
|
||||
|
||||
+ } else if (strcmp (argv[1], "--sb-state") == 0) {
|
||||
+
|
||||
+ command = COMMAND_SB_STATE;
|
||||
+
|
||||
} else {
|
||||
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
|
||||
print_help ();
|
||||
@@ -820,6 +865,9 @@ main (int argc, char *argv[])
|
||||
case COMMAND_ENABLE_VALIDATION:
|
||||
enable_validation ();
|
||||
break;
|
||||
+ case COMMAND_SB_STATE:
|
||||
+ sb_state ();
|
||||
+ break;
|
||||
default:
|
||||
fprintf (stderr, "Unknown command\n");
|
||||
break;
|
File diff suppressed because it is too large
Load Diff
@ -1,835 +0,0 @@
|
||||
From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Thu, 13 Dec 2012 17:09:34 +0800
|
||||
Subject: [PATCH 1/7] Move fail check to get_password()
|
||||
|
||||
---
|
||||
src/mokutil.c | 83 ++++++++++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 46 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index aba1cfb..eea2b6c 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -297,39 +297,60 @@ static int
|
||||
get_password (char **password, int *len, int min, int max)
|
||||
{
|
||||
char *password_1, *password_2;
|
||||
- int len_1, len_2;
|
||||
+ int len_1, len_2, fail, ret = -1;
|
||||
size_t n;
|
||||
|
||||
password_1 = password_2 = NULL;
|
||||
|
||||
- printf ("input password (%d~%d characters): ", min, max);
|
||||
- len_1 = read_hidden_line (&password_1, &n);
|
||||
- printf ("\n");
|
||||
+ fail = 0;
|
||||
|
||||
- if (len_1 > max || len_1 < min) {
|
||||
- free (password_1);
|
||||
- fprintf (stderr, "password should be %d~%d characters\n",
|
||||
- min, max);
|
||||
- return -1;
|
||||
+ while (fail < 3) {
|
||||
+ printf ("input password (%d~%d characters): ", min, max);
|
||||
+ len_1 = read_hidden_line (&password_1, &n);
|
||||
+ printf ("\n");
|
||||
+
|
||||
+ if (len_1 > max || len_1 < min) {
|
||||
+ fail++;
|
||||
+ fprintf (stderr, "password should be %d~%d characters\n",
|
||||
+ min, max);
|
||||
+ } else {
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
- printf ("input password again: ");
|
||||
- len_2 = read_hidden_line (&password_2, &n);
|
||||
- printf ("\n");
|
||||
+ if (fail >= 3) {
|
||||
+ if (password_1)
|
||||
+ free (password_1);
|
||||
+ goto error;
|
||||
+ }
|
||||
|
||||
- if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
|
||||
- free (password_1);
|
||||
- free (password_2);
|
||||
- fprintf (stderr, "password doesn't match\n");
|
||||
- return -1;
|
||||
+ fail = 0;
|
||||
+
|
||||
+ while (fail < 3) {
|
||||
+ printf ("input password again: ");
|
||||
+ len_2 = read_hidden_line (&password_2, &n);
|
||||
+ printf ("\n");
|
||||
+
|
||||
+ if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
|
||||
+ fail++;
|
||||
+ fprintf (stderr, "password doesn't match\n");
|
||||
+ } else {
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ if (fail >= 3)
|
||||
+ goto error;
|
||||
+
|
||||
*password = password_1;
|
||||
*len = len_1;
|
||||
|
||||
- free (password_2);
|
||||
+ ret = 0;
|
||||
+error:
|
||||
+ if (password_2)
|
||||
+ free (password_2);
|
||||
|
||||
- return 0;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -364,14 +385,10 @@ update_request (void *new_list, int list_len)
|
||||
efi_variable_t var;
|
||||
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
char *password = NULL;
|
||||
- int pw_len, fail = 0;
|
||||
+ int pw_len;
|
||||
int ret = -1;
|
||||
|
||||
- while (fail < 3 &&
|
||||
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||||
- fail++;
|
||||
-
|
||||
- if (fail >= 3) {
|
||||
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||||
fprintf (stderr, "Abort\n");
|
||||
goto error;
|
||||
}
|
||||
@@ -745,14 +762,10 @@ set_password ()
|
||||
efi_variable_t var;
|
||||
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
char *password = NULL;
|
||||
- int pw_len, fail = 0;
|
||||
+ int pw_len;
|
||||
int ret = -1;
|
||||
|
||||
- while (fail < 3 &&
|
||||
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||||
- fail++;
|
||||
-
|
||||
- if (fail >= 3) {
|
||||
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||||
fprintf (stderr, "Abort\n");
|
||||
goto error;
|
||||
}
|
||||
@@ -789,15 +802,11 @@ set_validation (uint32_t state)
|
||||
efi_variable_t var;
|
||||
MokSBVar sbvar;
|
||||
char *password = NULL;
|
||||
- int pw_len, fail = 0;
|
||||
+ int pw_len;
|
||||
efi_char16_t efichar_pass[PASSWORD_MAX];
|
||||
int ret = -1;
|
||||
|
||||
- while (fail < 3 &&
|
||||
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
|
||||
- fail++;
|
||||
-
|
||||
- if (fail >= 3) {
|
||||
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||||
fprintf (stderr, "Abort\n");
|
||||
goto error;
|
||||
}
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 17 Dec 2012 16:22:41 +0800
|
||||
Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not
|
||||
|
||||
---
|
||||
src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 65 insertions(+)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index eea2b6c..68a25bc 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -41,6 +41,7 @@ enum Command {
|
||||
COMMAND_DISABLE_VALIDATION,
|
||||
COMMAND_ENABLE_VALIDATION,
|
||||
COMMAND_SB_STATE,
|
||||
+ COMMAND_TEST_KEY,
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -76,6 +77,9 @@ print_help ()
|
||||
|
||||
printf("SecureBoot State:\n");
|
||||
printf(" mokutil --sb-state\n\n");
|
||||
+
|
||||
+ printf("Test if the key is enrolled or not:\n");
|
||||
+ printf(" mokutil --test-key\n\n");
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -882,10 +886,57 @@ sb_state ()
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int
|
||||
+test_key (const char *key_file)
|
||||
+{
|
||||
+ struct stat buf;
|
||||
+ void *key = NULL;
|
||||
+ ssize_t read_size;
|
||||
+ int fd, ret = -1;
|
||||
+
|
||||
+ if (stat (key_file, &buf) != 0) {
|
||||
+ fprintf (stderr, "Failed to get file status, %s\n", key_file);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ key = malloc (buf.st_size);
|
||||
+
|
||||
+ fd = open (key_file, O_RDONLY);
|
||||
+ if (fd < 0) {
|
||||
+ fprintf (stderr, "Failed to open %s\n", key_file);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ read_size = read (fd, key, buf.st_size);
|
||||
+ if (read_size < 0 || read_size != buf.st_size) {
|
||||
+ fprintf (stderr, "Failed to read %s\n", key_file);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
|
||||
+ !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
|
||||
+ printf ("%s is not enrolled\n", key_file);
|
||||
+ ret = 0;
|
||||
+ } else {
|
||||
+ printf ("%s is already enrolled\n", key_file);
|
||||
+ ret = 1;
|
||||
+ }
|
||||
+
|
||||
+error:
|
||||
+ if (key)
|
||||
+ free (key);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main (int argc, char *argv[])
|
||||
{
|
||||
char **files = NULL;
|
||||
+ char *key_file = NULL;
|
||||
int i, total;
|
||||
int command;
|
||||
|
||||
@@ -962,6 +1013,17 @@ main (int argc, char *argv[])
|
||||
|
||||
command = COMMAND_SB_STATE;
|
||||
|
||||
+ } else if (strcmp (argv[1], "--test-key") == 0) {
|
||||
+
|
||||
+ if (argc < 3) {
|
||||
+ print_help ();
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ key_file = argv[2];
|
||||
+
|
||||
+ command = COMMAND_TEST_KEY;
|
||||
+
|
||||
} else {
|
||||
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
|
||||
print_help ();
|
||||
@@ -999,6 +1061,9 @@ main (int argc, char *argv[])
|
||||
case COMMAND_SB_STATE:
|
||||
sb_state ();
|
||||
break;
|
||||
+ case COMMAND_TEST_KEY:
|
||||
+ test_key (key_file);
|
||||
+ break;
|
||||
default:
|
||||
fprintf (stderr, "Unknown command\n");
|
||||
break;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 17 Dec 2012 16:33:59 +0800
|
||||
Subject: [PATCH 3/7] Handle the return values
|
||||
|
||||
---
|
||||
src/mokutil.c | 25 +++++++++++++------------
|
||||
1 file changed, 13 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 68a25bc..13ef69d 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -939,6 +939,7 @@ main (int argc, char *argv[])
|
||||
char *key_file = NULL;
|
||||
int i, total;
|
||||
int command;
|
||||
+ int ret = -1;
|
||||
|
||||
if (argc < 2) {
|
||||
print_help ();
|
||||
@@ -1032,37 +1033,37 @@ main (int argc, char *argv[])
|
||||
|
||||
switch (command) {
|
||||
case COMMAND_LIST_ENROLLED:
|
||||
- list_enrolled_keys ();
|
||||
+ ret = list_enrolled_keys ();
|
||||
break;
|
||||
case COMMAND_LIST_NEW:
|
||||
- list_new_keys ();
|
||||
+ ret = list_new_keys ();
|
||||
break;
|
||||
case COMMAND_IMPORT:
|
||||
- import_moks (files, total);
|
||||
+ ret = import_moks (files, total);
|
||||
break;
|
||||
case COMMAND_DELETE:
|
||||
- delete_all ();
|
||||
+ ret = delete_all ();
|
||||
break;
|
||||
case COMMAND_REVOKE:
|
||||
- revoke_request ();
|
||||
+ ret = revoke_request ();
|
||||
break;
|
||||
case COMMAND_EXPORT:
|
||||
- export_moks ();
|
||||
+ ret = export_moks ();
|
||||
break;
|
||||
case COMMAND_PASSWORD:
|
||||
- set_password ();
|
||||
+ ret = set_password ();
|
||||
break;
|
||||
case COMMAND_DISABLE_VALIDATION:
|
||||
- disable_validation ();
|
||||
+ ret = disable_validation ();
|
||||
break;
|
||||
case COMMAND_ENABLE_VALIDATION:
|
||||
- enable_validation ();
|
||||
+ ret = enable_validation ();
|
||||
break;
|
||||
case COMMAND_SB_STATE:
|
||||
- sb_state ();
|
||||
+ ret = sb_state ();
|
||||
break;
|
||||
case COMMAND_TEST_KEY:
|
||||
- test_key (key_file);
|
||||
+ ret = test_key (key_file);
|
||||
break;
|
||||
default:
|
||||
fprintf (stderr, "Unknown command\n");
|
||||
@@ -1072,5 +1073,5 @@ main (int argc, char *argv[])
|
||||
if (files)
|
||||
free (files);
|
||||
|
||||
- return 0;
|
||||
+ return ret;
|
||||
}
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 24 Dec 2012 16:35:37 +0800
|
||||
Subject: [PATCH 4/7] Correct the GUID of "db"
|
||||
|
||||
---
|
||||
src/efi.h | 2 ++
|
||||
src/mokutil.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/efi.h b/src/efi.h
|
||||
index 7185179..d2640b4 100644
|
||||
--- a/src/efi.h
|
||||
+++ b/src/efi.h
|
||||
@@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
|
||||
EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
|
||||
#define ESP_UNKNOWN_GUID \
|
||||
EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
|
||||
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
+EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
||||
|
||||
static inline int
|
||||
efi_guidcmp(efi_guid_t left, efi_guid_t right)
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 13ef69d..6af5a9c 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total)
|
||||
/* whether this key is already enrolled... */
|
||||
if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
|
||||
!is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
|
||||
- !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
|
||||
+ !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
|
||||
!is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
|
||||
!is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
|
||||
ptr += sizes[i];
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 24 Dec 2012 18:12:48 +0800
|
||||
Subject: [PATCH 5/7] Initialize password array
|
||||
|
||||
---
|
||||
src/mokutil.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 6af5a9c..3d00df0 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
{
|
||||
efi_variable_t mok_auth;
|
||||
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
- char *password;
|
||||
+ char *password = NULL;
|
||||
int pw_len, fail = 0;
|
||||
size_t n;
|
||||
int ret = 0;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 25 Dec 2012 15:53:56 +0800
|
||||
Subject: [PATCH 6/7] Add support for deleting specific keys
|
||||
|
||||
---
|
||||
src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++----------------
|
||||
1 file changed, 128 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index 3d00df0..e6807da 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -42,6 +42,7 @@ enum Command {
|
||||
COMMAND_ENABLE_VALIDATION,
|
||||
COMMAND_SB_STATE,
|
||||
COMMAND_TEST_KEY,
|
||||
+ COMMAND_RESET,
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -57,8 +58,8 @@ print_help ()
|
||||
printf("Import keys:\n");
|
||||
printf(" mokutil --import <der file>...\n\n");
|
||||
|
||||
- printf("Request to delete all keys\n");
|
||||
- printf(" mokutil --delete-all\n\n");
|
||||
+ printf("Request to delete specific keys\n");
|
||||
+ printf(" mokutil --delete <der file>...\n\n");
|
||||
|
||||
printf("Revoke the request:\n");
|
||||
printf(" mokutil --revoke\n\n");
|
||||
@@ -80,6 +81,9 @@ print_help ()
|
||||
|
||||
printf("Test if the key is enrolled or not:\n");
|
||||
printf(" mokutil --test-key\n\n");
|
||||
+
|
||||
+ printf("Reset MOK list:\n");
|
||||
+ printf(" mokutil --reset\n\n");
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password,
|
||||
}
|
||||
|
||||
static int
|
||||
-update_request (void *new_list, int list_len)
|
||||
+update_request (void *new_list, int list_len, uint8_t import)
|
||||
{
|
||||
efi_variable_t var;
|
||||
+ const char *req_name, *auth_name;
|
||||
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
char *password = NULL;
|
||||
int pw_len;
|
||||
int ret = -1;
|
||||
|
||||
+ if (import) {
|
||||
+ req_name = "MokNew";
|
||||
+ auth_name = "MokAuth";
|
||||
+ } else {
|
||||
+ req_name = "MokDel";
|
||||
+ auth_name = "MokDelAuth";
|
||||
+ }
|
||||
+
|
||||
if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
|
||||
fprintf (stderr, "Abort\n");
|
||||
goto error;
|
||||
@@ -403,7 +416,7 @@ update_request (void *new_list, int list_len)
|
||||
/* Write MokNew*/
|
||||
var.Data = new_list;
|
||||
var.DataSize = list_len;
|
||||
- var.VariableName = "MokNew";
|
||||
+ var.VariableName = req_name;
|
||||
|
||||
var.VendorGuid = SHIM_LOCK_GUID;
|
||||
var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
@@ -411,17 +424,18 @@ update_request (void *new_list, int list_len)
|
||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
|
||||
if (edit_variable (&var) != EFI_SUCCESS) {
|
||||
- fprintf (stderr, "Failed to enroll new keys\n");
|
||||
+ fprintf (stderr, "Failed to %s keys\n",
|
||||
+ import ? "enroll new" : "delete");
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
- test_and_delete_var ("MokNew");
|
||||
+ test_and_delete_var (req_name);
|
||||
}
|
||||
|
||||
/* Write MokAuth */
|
||||
var.Data = auth;
|
||||
var.DataSize = SHA256_DIGEST_LENGTH;
|
||||
- var.VariableName = "MokAuth";
|
||||
+ var.VariableName = auth_name;
|
||||
|
||||
var.VendorGuid = SHIM_LOCK_GUID;
|
||||
var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
||||
@@ -429,8 +443,8 @@ update_request (void *new_list, int list_len)
|
||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||
|
||||
if (edit_variable (&var) != EFI_SUCCESS) {
|
||||
- fprintf (stderr, "Failed to write MokAuth\n");
|
||||
- test_and_delete_var ("MokNew");
|
||||
+ fprintf (stderr, "Failed to write %s\n", auth_name);
|
||||
+ test_and_delete_var (req_name);
|
||||
goto error;
|
||||
}
|
||||
|
||||
@@ -505,20 +519,47 @@ done:
|
||||
}
|
||||
|
||||
static int
|
||||
-verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
+is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
|
||||
{
|
||||
- efi_variable_t mok_auth;
|
||||
+ if (import) {
|
||||
+ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
|
||||
+ is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
|
||||
+ is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
|
||||
+ is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
||||
+ is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
||||
+ is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import)
|
||||
+{
|
||||
+ efi_variable_t req_auth;
|
||||
+ const char *auth_name;
|
||||
uint8_t auth[SHA256_DIGEST_LENGTH];
|
||||
char *password = NULL;
|
||||
int pw_len, fail = 0;
|
||||
size_t n;
|
||||
int ret = 0;
|
||||
|
||||
- memset (&mok_auth, 0, sizeof(mok_auth));
|
||||
- mok_auth.VariableName = "MokAuth";
|
||||
- mok_auth.VendorGuid = SHIM_LOCK_GUID;
|
||||
- if (read_variable (&mok_auth) != EFI_SUCCESS) {
|
||||
- fprintf (stderr, "Failed to read MokAuth\n");
|
||||
+ if (import)
|
||||
+ auth_name = "MokAuth";
|
||||
+ else
|
||||
+ auth_name = "MokDelAuth";
|
||||
+
|
||||
+ memset (&req_auth, 0, sizeof(req_auth));
|
||||
+ req_auth.VariableName = auth_name;
|
||||
+ req_auth.VendorGuid = SHIM_LOCK_GUID;
|
||||
+ if (read_variable (&req_auth) != EFI_SUCCESS) {
|
||||
+ fprintf (stderr, "Failed to read %s\n", auth_name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
continue;
|
||||
}
|
||||
|
||||
- generate_auth (mok_new, mok_new_size, password, pw_len, auth);
|
||||
- if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
|
||||
+ generate_auth (old_req, old_req_size, password, pw_len, auth);
|
||||
+ if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
|
||||
ret = 1;
|
||||
break;
|
||||
}
|
||||
@@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
|
||||
fail++;
|
||||
}
|
||||
|
||||
- if (mok_auth.Data)
|
||||
- free (mok_auth.Data);
|
||||
+ if (req_auth.Data)
|
||||
+ free (req_auth.Data);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
-import_moks (char **files, uint32_t total)
|
||||
+issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||||
{
|
||||
- efi_variable_t mok_new;
|
||||
+ efi_variable_t old_req;
|
||||
+ const char *req_name;
|
||||
void *new_list = NULL;
|
||||
void *ptr;
|
||||
struct stat buf;
|
||||
@@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total)
|
||||
if (!files)
|
||||
return -1;
|
||||
|
||||
+ if (import)
|
||||
+ req_name = "MokNew";
|
||||
+ else
|
||||
+ req_name = "MokDel";
|
||||
+
|
||||
sizes = malloc (total * sizeof(uint32_t));
|
||||
|
||||
if (!sizes) {
|
||||
@@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total)
|
||||
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
|
||||
list_size += sizeof(efi_guid_t) * total;
|
||||
|
||||
- memset (&mok_new, 0, sizeof(mok_new));
|
||||
- mok_new.VariableName = "MokNew";
|
||||
- mok_new.VendorGuid = SHIM_LOCK_GUID;
|
||||
- if (read_variable (&mok_new) == EFI_SUCCESS)
|
||||
- list_size += mok_new.DataSize;
|
||||
+ memset (&old_req, 0, sizeof(old_req));
|
||||
+ old_req.VariableName = req_name;
|
||||
+ old_req.VendorGuid = SHIM_LOCK_GUID;
|
||||
+ if (read_variable (&old_req) == EFI_SUCCESS)
|
||||
+ list_size += old_req.DataSize;
|
||||
|
||||
new_list = malloc (list_size);
|
||||
if (!new_list) {
|
||||
- fprintf (stderr, "Failed to allocate space for MokNew\n");
|
||||
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
|
||||
goto error;
|
||||
}
|
||||
ptr = new_list;
|
||||
@@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total)
|
||||
files[i]);
|
||||
}
|
||||
|
||||
- /* whether this key is already enrolled... */
|
||||
- if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
|
||||
- !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
|
||||
- !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
|
||||
- !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
|
||||
- !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
|
||||
+ if (is_valid_request (ptr, sizes[i], import)) {
|
||||
ptr += sizes[i];
|
||||
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
} else {
|
||||
+ printf ("Skip %s\n", files[i]);
|
||||
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
||||
}
|
||||
|
||||
@@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total)
|
||||
goto error;
|
||||
}
|
||||
|
||||
- /* append the keys in MokNew */
|
||||
- if (mok_new.Data) {
|
||||
+ /* append the keys to the previous request */
|
||||
+ if (old_req.Data) {
|
||||
/* request the previous password to verify the keys */
|
||||
- if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
|
||||
+ if (!verify_old_req (old_req.Data, old_req.DataSize, import)) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
- memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
|
||||
- real_size += mok_new.DataSize;
|
||||
+ memcpy (new_list + real_size, old_req.Data, old_req.DataSize);
|
||||
+ real_size += old_req.DataSize;
|
||||
}
|
||||
|
||||
- if (update_request (new_list, real_size) < 0) {
|
||||
+ if (update_request (new_list, real_size, import) < 0) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
error:
|
||||
- if (mok_new.Data)
|
||||
- free (mok_new.Data);
|
||||
+ if (old_req.Data)
|
||||
+ free (old_req.Data);
|
||||
if (sizes)
|
||||
free (sizes);
|
||||
if (new_list)
|
||||
@@ -682,14 +725,15 @@ error:
|
||||
}
|
||||
|
||||
static int
|
||||
-delete_all ()
|
||||
+import_moks (char **files, uint32_t total)
|
||||
{
|
||||
- if (update_request (NULL, 0)) {
|
||||
- fprintf (stderr, "Failed to issue an delete request\n");
|
||||
- return -1;
|
||||
- }
|
||||
+ return issue_mok_request (files, total, 1);
|
||||
+}
|
||||
|
||||
- return 0;
|
||||
+static int
|
||||
+delete_moks (char **files, uint32_t total)
|
||||
+{
|
||||
+ return issue_mok_request (files, total, 0);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -932,6 +976,17 @@ error:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int
|
||||
+reset_moks ()
|
||||
+{
|
||||
+ if (update_request (NULL, 0, 1)) {
|
||||
+ fprintf (stderr, "Failed to issue a reset request\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main (int argc, char *argv[])
|
||||
{
|
||||
@@ -982,8 +1037,23 @@ main (int argc, char *argv[])
|
||||
|
||||
command = COMMAND_IMPORT;
|
||||
|
||||
- } else if (strcmp (argv[1], "-D") == 0 ||
|
||||
- strcmp (argv[1], "--delete-all") == 0) {
|
||||
+ } else if (strcmp (argv[1], "-d") == 0 ||
|
||||
+ strcmp (argv[1], "--delete") == 0) {
|
||||
+
|
||||
+ if (argc < 3) {
|
||||
+ print_help ();
|
||||
+ return -1;
|
||||
+ }
|
||||
+ total = argc - 2;
|
||||
+
|
||||
+ files = malloc (total * sizeof(char *));
|
||||
+ if (!files) {
|
||||
+ fprintf (stderr, "Failed to allocate file list\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < total; i++)
|
||||
+ files[i] = argv[i+2];
|
||||
|
||||
command = COMMAND_DELETE;
|
||||
|
||||
@@ -1025,6 +1095,10 @@ main (int argc, char *argv[])
|
||||
|
||||
command = COMMAND_TEST_KEY;
|
||||
|
||||
+ } else if (strcmp (argv[1], "--reset") == 0) {
|
||||
+
|
||||
+ command = COMMAND_RESET;
|
||||
+
|
||||
} else {
|
||||
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
|
||||
print_help ();
|
||||
@@ -1042,7 +1116,7 @@ main (int argc, char *argv[])
|
||||
ret = import_moks (files, total);
|
||||
break;
|
||||
case COMMAND_DELETE:
|
||||
- ret = delete_all ();
|
||||
+ ret = delete_moks (files, total);
|
||||
break;
|
||||
case COMMAND_REVOKE:
|
||||
ret = revoke_request ();
|
||||
@@ -1065,6 +1139,9 @@ main (int argc, char *argv[])
|
||||
case COMMAND_TEST_KEY:
|
||||
ret = test_key (key_file);
|
||||
break;
|
||||
+ case COMMAND_RESET:
|
||||
+ ret = reset_moks ();
|
||||
+ break;
|
||||
default:
|
||||
fprintf (stderr, "Unknown command\n");
|
||||
break;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed, 2 Jan 2013 17:09:35 +0800
|
||||
Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash
|
||||
|
||||
In issue_mok_request(), old_req.Data must be intialized before
|
||||
"goto error", or the process would segfault when freeing old_req.Data.
|
||||
---
|
||||
src/mokutil.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||
index e6807da..a99e355 100644
|
||||
--- a/src/mokutil.c
|
||||
+++ b/src/mokutil.c
|
||||
@@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||||
|
||||
sizes = malloc (total * sizeof(uint32_t));
|
||||
|
||||
+ memset (&old_req, 0, sizeof(old_req));
|
||||
+
|
||||
if (!sizes) {
|
||||
fprintf (stderr, "Failed to allocate space for sizes\n");
|
||||
goto error;
|
||||
@@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
|
||||
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
|
||||
list_size += sizeof(efi_guid_t) * total;
|
||||
|
||||
- memset (&old_req, 0, sizeof(old_req));
|
||||
old_req.VariableName = req_name;
|
||||
old_req.VendorGuid = SHIM_LOCK_GUID;
|
||||
if (read_variable (&old_req) == EFI_SUCCESS)
|
||||
--
|
||||
1.7.10.4
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,124 +0,0 @@
|
||||
From 53a40965390cfa3b99d636874c6b9d968380f312 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Wed, 30 Jan 2013 14:16:16 +0800
|
||||
Subject: [PATCH] Update man page
|
||||
|
||||
---
|
||||
man/mokutil.1 | 59 +++++++++++++++++++++++++++++++++++++++++----------------
|
||||
1 file changed, 43 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/man/mokutil.1 b/man/mokutil.1
|
||||
index 7a70d3e..fabd7a9 100644
|
||||
--- a/man/mokutil.1
|
||||
+++ b/man/mokutil.1
|
||||
@@ -1,27 +1,41 @@
|
||||
-.TH MOKUTIL 1 "Wed Nov 07 2012"
|
||||
+.TH MOKUTIL 1 "Wed Jan 30 2013"
|
||||
.SH NAME
|
||||
|
||||
mokutil \- utility to manipulate machine owner keys
|
||||
|
||||
.SH SYNOPSIS
|
||||
-\fBmokutil\fR [--list-enrolled | -le]
|
||||
+\fBmokutil\fR [--list-enrolled]
|
||||
.br
|
||||
-\fBmokutil\fR [--list-new | -ln]
|
||||
+\fBmokutil\fR [--list-new]
|
||||
.br
|
||||
-\fBmokutil\fR [--import | -i] ...
|
||||
+\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
|
||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
||||
.br
|
||||
-\fBmokutil\fR [--delete-all | -D]
|
||||
+\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
|
||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
||||
.br
|
||||
-\fBmokutil\fR [--revoke | -r]
|
||||
+\fBmokutil\fR [--revoke-import]
|
||||
+.br
|
||||
+\fBmokutil\fR [--revoke-delete]
|
||||
.br
|
||||
\fBmokutil\fR [--export | -x]
|
||||
.br
|
||||
\fBmokutil\fR [--password | -p]
|
||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
||||
.br
|
||||
\fBmokutil\fR [--disable-validation]
|
||||
.br
|
||||
\fBmokutil\fR [--enable-validation]
|
||||
.br
|
||||
+\fBmokutil\fR [--sb-state]
|
||||
+.br
|
||||
+\fBmokutil\fR [--test-key | -t] ...
|
||||
+.br
|
||||
+\fBmokutil\fR [--reset]
|
||||
+ ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
|
||||
+.br
|
||||
+\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
|
||||
+.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
||||
@@ -31,36 +45,49 @@ mokutil \- utility to manipulate machine owner keys
|
||||
.TP
|
||||
\fB--list-enrolled\fR
|
||||
List the keys the already stored in the database
|
||||
-
|
||||
.TP
|
||||
\fB--list-new\fR
|
||||
List the keys to be enrolled
|
||||
-
|
||||
.TP
|
||||
\fB--import\fR
|
||||
Collect the followed files and form a request to shim. The files must be in DER
|
||||
format.
|
||||
-
|
||||
.TP
|
||||
\fB--delete-all\fR
|
||||
Request shim to delete all stored keys
|
||||
-
|
||||
.TP
|
||||
-\fB--revoke\fR
|
||||
-Revoke the current request
|
||||
-
|
||||
+\fB--revoke-import\fR
|
||||
+Revoke the current import request (MokNew)
|
||||
+.TP
|
||||
+\fB--revoke-delete\fR
|
||||
+Revoke the current delete request (MokDel)
|
||||
.TP
|
||||
\fB--export\fR
|
||||
Export the keys stored in MokListRT
|
||||
-
|
||||
.TP
|
||||
\fB--password\fR
|
||||
Setup the password for MokManager
|
||||
-
|
||||
.TP
|
||||
\fB--disable-validation\fR
|
||||
Disable the validation process in shim
|
||||
-
|
||||
.TP
|
||||
\fB--enrolled-validation\fR
|
||||
Enable the validation process in shim
|
||||
+.TP
|
||||
+\fB--sb-state\fR
|
||||
+Show SecureBoot State
|
||||
+.TP
|
||||
+\fB--test-key\fR
|
||||
+Test if the key is enrolled or not
|
||||
+.TP
|
||||
+\fB--reset\fR
|
||||
+Reset MOK list
|
||||
+.TP
|
||||
+\fB--generate-hash\fR
|
||||
+Generate the password hash
|
||||
+.TP
|
||||
+\fB--hash-file\fR
|
||||
+Use the password hash from a specific file
|
||||
+.TP
|
||||
+\fB--root-pw\fR
|
||||
+Use the root password hash from /etc/shadow
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -1,3 +1,23 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com
|
||||
|
||||
- Update to 0.2.0
|
||||
+ Generate the password hash with crypt() by default instead of
|
||||
the original sha256 password hash
|
||||
+ Add an option to import the root password hash
|
||||
+ Amend error messages, help, and man page
|
||||
- Drop upstreamed patches
|
||||
+ mokutil-lcrypt-ldflag.patch
|
||||
+ mokutil-probe-secure-boot-state.patch
|
||||
+ mokutil-allow-password-from-pipe.patch
|
||||
+ mokutil-bnc809703-check-pending-request.patch
|
||||
+ mokutil-support-delete-keys.patch
|
||||
+ mokutil-support-crypt-hash-methods.patch
|
||||
+ mokutil-update-man-page.patch
|
||||
+ mokutil-bnc809215-improve-wording.patch
|
||||
+ mokutil-support-new-pw-hash.patch
|
||||
+ mokutil-no-duplicate-keys-imported.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 2 04:43:59 UTC 2013 - glin@suse.com
|
||||
|
||||
|
33
mokutil.spec
33
mokutil.spec
@ -17,33 +17,13 @@
|
||||
|
||||
|
||||
Name: mokutil
|
||||
Version: 0.1.0
|
||||
Version: 0.2.0
|
||||
Release: 0
|
||||
Summary: Tools for manipulating machine owner keys
|
||||
License: GPL-3.0
|
||||
Group: Productivity/Security
|
||||
Url: https://github.com/lcp/mokutil
|
||||
Source: %{name}-%{version}.tar.bz2
|
||||
# PATCH-FIX-UPSTREAM mokutil-probe-secure-boot-state.patch glin@suse.com -- Probe the state of secure boot
|
||||
Patch1: mokutil-probe-secure-boot-state.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-no-duplicate-keys-imported.patch glin@suse.com -- Do not import duplicate keys
|
||||
Patch2: mokutil-no-duplicate-keys-imported.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-accept-password-from-pipe.patch glin@suse.com -- Allow the password to be sent through pipeline
|
||||
Patch3: mokutil-allow-password-from-pipe.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-support-delete-keys.patch glin@suse.com -- Add support for deleting specific keys
|
||||
Patch4: mokutil-support-delete-keys.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-support-new-pw-hash.patch glin@suse.com -- Support the new password hash format
|
||||
Patch5: mokutil-support-new-pw-hash.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-support-crypt-hash-methods.patch glin@suse.com -- Support the hash methods used for /etc/shadow
|
||||
Patch6: mokutil-support-crypt-hash-methods.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-update-man-page.patch glin@suse.com -- Update man page
|
||||
Patch7: mokutil-update-man-page.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-lcrypt-ldflag.patch glin@suse.com -- Add -lcrpyt correctly
|
||||
Patch8: mokutil-lcrypt-ldflag.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-bnc809215-improve-wording.patch bnc#809215 glin@suse.com -- Improve the wording of error messages
|
||||
Patch9: mokutil-bnc809215-improve-wording.patch
|
||||
# PATCH-FIX-UPSTREAM mokutil-bnc809703-check-pending-request.patch bnc#809703 glin@suse.com -- Remove the key from the pending requests if necessary
|
||||
Patch10: mokutil-bnc809703-check-pending-request.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libopenssl-devel >= 0.9.8
|
||||
@ -63,19 +43,8 @@ Authors:
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
%build
|
||||
autoreconf -i -f
|
||||
%configure
|
||||
make
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user