Accepting request 707344 from Base:System
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/707344 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mokutil?expand=0&rev=22
This commit is contained in:
commit
63ef0ee4d8
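--- a/0.4.0.tar.gz
+++ b/0.4.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e9c574e4a4fa63b2f23116cdcb389f448a28945548e232076f77947e35b7361
+size 33222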
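--- a/modhash
+++ b/modhash
@@ -0,0 +1,149 @@
+#!/usr/bin/perl
+#
+# Calculate the digest of the kernel module
+# It will strip kernel modules signature before calculation.
+#
+# Based on modsign-verify, written by Michal Marek
+# Authors:
+# Gary Lin <GLin@suse.com>
+# Joey Lee <JLee@suse.com>
+#
+
+my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";
+
+use strict;
+use warnings;
+use IPC::Open2;
+use Getopt::Long;
+use File::Temp qw(tempfile);
+
+my $verbose = 1;
+my $dgst = "sha256";
+GetOptions(
+"d=s" => \$dgst,
+"q|quiet" => sub { $verbose-- if $verbose; },
+"v|verbose" => sub { $verbose++; },
+"h|help" => sub {
+print $USAGE;
+exit(0);
+}
+) or die($USAGE);
+
+sub _verbose {
+my $level = shift;
+
+return if $verbose < $level;
+print STDERR @_;
+}
+
+sub info { _verbose(1, @_); }
+sub verbose { _verbose(2, @_); }
+sub debug { _verbose(3, @_); }
+
+if (@ARGV > 1) {
+print STDERR "Excess arguments\n";
+die($USAGE);
+} elsif (@ARGV < 1) {
+print STDERR "No module supplied\n";
+die($USAGE);
+}
+my $module_name = shift(@ARGV);
+
+if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and
+$dgst ne "sha384" and $dgst ne "sha512") {
+die("unsupported algorithm: $dgst");
+}
+
+#
+# Function to read the contents of a file into a variable.
+#
+sub read_file($)
+{
+my ($file) = @_;
+my $contents;
+my $len;
+
+open(FD, "<$file") || die $file;
+binmode FD;
+my @st = stat(FD);
+die $file if (!@st);
+$len = read(FD, $contents, $st[7]) || die $file;
+close(FD) || die $file;
+die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
+if ($len != $st[7]);
+return $contents;
+}
+
+sub openssl_pipe($$) {
+my ($input, $cmd) = @_;
+my ($pid, $res);
+
+$pid = open2(*read_from, *write_to, $cmd) || die $cmd;
+binmode write_to;
+if (defined($input) && $input ne "") {
+print write_to $input || die "$cmd: $!";
+}
+close(write_to) || die "$cmd: $!";
+
+binmode read_from;
+read(read_from, $res, 4096) || die "$cmd: $!";
+close(read_from) || die "$cmd: $!";
+waitpid($pid, 0) || die;
+die "$cmd died: $?" if ($? >> 8);
+return $res;
+}
+
+my $module = read_file($module_name);
+my $module_len = length($module);
+my $magic_number = "~Module signature appended~\n";
+my $magic_len = length($magic_number);
+my $info_len = 12;
+
+if ($module_len < $magic_len) {
+die "Module size too short\n";
+}
+
+sub eat
+{
+my $length = shift;
+if ($module_len < $length) {
+die "Module size too short\n";
+}
+my $res = substr($module, -$length);
+$module = substr($module, 0, $module_len - $length);
+$module_len -= $length;
+return $res;
+}
+
+if (substr($module, -$magic_len) eq $magic_number) {
+$module = substr($module, 0, $module_len - $magic_len);
+$module_len -= $magic_len;
+my $info = eat($info_len);
+my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
+unpack("CCCCCxxxN", $info);
+my $signature = eat($sig_len);
+if ($id_type == 1) {
+if (unpack("n", $signature) == $sig_len - 2) {
+verbose ("signed module (X.509)\n");
+} else {
+die "Invalid signature format\n";
+}
+if ($algo != 1) {
+die "Unsupported signature algorithm\n";
+}
+$signature = substr($signature, 2);
+my $key_id = eat($key_len);
+my $name = eat($name_len);
+} elsif ($id_type == 2) {
+verbose ("signed module (PKCS#7)\n");
+}
+} else {
+verbose ("unsigned module\n");
+}
+
+verbose("Hash algorithm: $dgst\n");
+
+my $digest = openssl_pipe($module, "openssl dgst -$dgst");
+$digest =~ s/\(stdin\)= //;
+
+print "$module_name: $digest"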
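Review bot: In `openssl_pipe`, `print write_to $input || die "$cmd: $!";` binds `||` to `$input` rather than to the `print`, so a failed write into openssl (for instance EPIPE when the child exits early) is never detected and the script goes on to report whatever partial or empty digest comes back; the intended form is `print write_to $input or die "$cmd: $!";`. The command is handed to `open2` as a single string, which invokes a shell whenever metacharacters are present; the `-d` value is allow-listed earlier so no injection is possible today, but the list form `open2(*read_from, *write_to, 'openssl', 'dgst', "-$dgst")` removes the reliance on that check and costs nothing. In `read_file`, `open(FD, "<$file") || die $file` uses a bareword handle and two-argument open, and the later `read(...) || die $file` dies on a zero-length file because `read` returns 0 there; `open(my $fd, '<', $file) or die "$file: $!"` plus an explicit `defined` check on the read result is the idiom to reach for, and none of the `die $file` messages include `$!` so the user never learns why the open or read failed.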
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:1955888d275ece95ef88919ea6c9ae5153ddff9a64a7aac371d874d626be3bb0
|
|
||||||
size 105228
|
|
@ -1,87 +0,0 @@
|
|||||||
From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Lin <glin@suse.com>
|
|
||||||
Date: Wed, 13 Jan 2016 16:05:21 +0800
|
|
||||||
Subject: [PATCH] Make all efi_guid_t const
|
|
||||||
|
|
||||||
All UEFI GUIDs defined in efivar are const. Declare all of them const
|
|
||||||
to make gcc happy.
|
|
||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 18 +++++++++---------
|
|
||||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index 1fb34f9..d2c52b4 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint32_t
|
|
||||||
-efi_hash_size (efi_guid_t *hash_type)
|
|
||||||
+efi_hash_size (const efi_guid_t *hash_type)
|
|
||||||
{
|
|
||||||
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
|
|
||||||
return SHA_DIGEST_LENGTH;
|
|
||||||
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint32_t
|
|
||||||
-signature_size (efi_guid_t *hash_type)
|
|
||||||
+signature_size (const efi_guid_t *hash_type)
|
|
||||||
{
|
|
||||||
uint32_t hash_size;
|
|
||||||
|
|
||||||
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
|
|
||||||
|
|
||||||
/* match the hash in the hash array and return the index if matched */
|
|
||||||
static int
|
|
||||||
-match_hash_array (efi_guid_t *hash_type, const void *hash,
|
|
||||||
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
|
|
||||||
const void *hash_array, const uint32_t array_size)
|
|
||||||
{
|
|
||||||
uint32_t hash_size, hash_count;
|
|
||||||
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
|
|
||||||
- efi_guid_t *type, void *data, uint32_t data_size)
|
|
||||||
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
|
||||||
+ const efi_guid_t *type, void *data, uint32_t data_size)
|
|
||||||
{
|
|
||||||
uint8_t *var_data = NULL;
|
|
||||||
size_t var_data_size = 0;
|
|
||||||
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
|
|
||||||
- efi_guid_t *vendor, const char *db_name)
|
|
||||||
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
|
|
||||||
+ const efi_guid_t *vendor, const char *db_name)
|
|
||||||
{
|
|
||||||
uint8_t *var_data;
|
|
||||||
size_t var_data_size;
|
|
||||||
@@ -1059,7 +1059,7 @@ done:
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
|
||||||
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
|
|
||||||
MokRequest req)
|
|
||||||
{
|
|
||||||
switch (req) {
|
|
||||||
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
|
|
||||||
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
|
|
||||||
MokRequest req)
|
|
||||||
{
|
|
||||||
uint8_t *authvar_data;
|
|
||||||
--
|
|
||||||
2.9.0
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
||||||
Date: Tue, 4 Nov 2014 15:50:03 +0800
|
|
||||||
Subject: [PATCH] Fix the potential buffer overflow
|
|
||||||
|
|
||||||
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 5 ++---
|
|
||||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index 5b34f22..93fb6fa 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
|
|
||||||
MokToggleVar tvar;
|
|
||||||
char *password = NULL;
|
|
||||||
unsigned int pw_len;
|
|
||||||
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
|
|
||||||
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
|
|
||||||
int ret = -1;
|
|
||||||
|
|
||||||
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
|
|
||||||
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
|
|
||||||
efichar_from_char (efichar_pass, password,
|
|
||||||
SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
|
||||||
|
|
||||||
- memcpy(tvar.password, efichar_pass,
|
|
||||||
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
|
|
||||||
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
|
|
||||||
|
|
||||||
tvar.mok_toggle_state = state;
|
|
||||||
|
|
||||||
--
|
|
||||||
1.8.4.5
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Fri, 19 Jun 2015 16:53:36 -0400
|
|
||||||
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
|
|
||||||
|
|
||||||
This source tree uses:
|
|
||||||
|
|
||||||
typedef wchar_t efi_char16_t;
|
|
||||||
|
|
||||||
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
|
|
||||||
32-bits by default. As a result, efichar_from_char winds up writing
|
|
||||||
4-byte characters instead of 2-byte characters. In the case where we
|
|
||||||
hash the password in mokutil, this works fine, because the same datatype
|
|
||||||
is used, and the values are the same. But for our feature toggles,
|
|
||||||
where we store the raw data and shim is interpretting the character
|
|
||||||
array, every other character winds up being L'\0', and verification
|
|
||||||
fails.
|
|
||||||
|
|
||||||
So always build with -fshort-wchar to ensure we get 2-byte character
|
|
||||||
storage.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
configure.ac | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index fe28fb9..69d412a 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -37,7 +37,7 @@ else
|
|
||||||
default_strict=no
|
|
||||||
fi
|
|
||||||
|
|
||||||
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
|
|
||||||
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
|
|
||||||
|
|
||||||
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
|
|
||||||
enable_strict=$default_strict)
|
|
||||||
--
|
|
||||||
2.1.4
|
|
||||||
|
|
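--- a/mokutil-remove-shebang-from-bash-completion-file.patch
+++ b/mokutil-remove-shebang-from-bash-completion-file.patch
@@ -0,0 +1,23 @@
+From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 28 May 2019 12:33:32 +0800
+Subject: [PATCH] Remove shebang from bash-completion/mokutil
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+data/mokutil | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/mokutil b/data/mokutil
+index 800b039..cf50606 100755
+--- a/data/mokutil
++++ b/data/mokutil
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++# mokutil(1) completion
+
+_mokutil()
+{
+--
+2.21.0
+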
@ -1,37 +0,0 @@
|
|||||||
From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 Jun 2016 10:19:43 -0400
|
|
||||||
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/mokutil.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
||||||
index d2c52b4..d554f6c 100644
|
|
||||||
--- a/src/mokutil.c
|
|
||||||
+++ b/src/mokutil.c
|
|
||||||
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
|
|
||||||
| EFI_VARIABLE_BOOTSERVICE_ACCESS
|
|
||||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
|
||||||
ret = efi_set_variable (*var_guid, var_name,
|
|
||||||
- var_data, total, attributes);
|
|
||||||
+ var_data, total, attributes,
|
|
||||||
+ S_IRUSR | S_IWUSR);
|
|
||||||
if (ret < 0) {
|
|
||||||
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
|
|
||||||
var_name);
|
|
||||||
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
|
|
||||||
data_size = list_len;
|
|
||||||
|
|
||||||
if (efi_set_variable (efi_guid_shim, req_name,
|
|
||||||
- data, data_size, attributes) < 0) {
|
|
||||||
+ data, data_size, attributes,
|
|
||||||
+ S_IRUSR | S_IWUSR) < 0) {
|
|
||||||
switch (req) {
|
|
||||||
case ENROLL_MOK:
|
|
||||||
fprintf (stderr, "Failed to enroll new keys\n");
|
|
||||||
--
|
|
||||||
2.9.0
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001
|
From 93ded288224a18f336f9e3654a33a48bcb748b11 Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
Date: Fri, 21 Feb 2014 17:56:55 +0800
|
Date: Fri, 21 Feb 2014 17:56:55 +0800
|
||||||
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate
|
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate
|
||||||
@ -9,30 +9,30 @@ This commit adds an option to create ClearVerify which contains
|
|||||||
the password hash to notify MokManager to show the option to
|
the password hash to notify MokManager to show the option to
|
||||||
revoke the built-in certificate.
|
revoke the built-in certificate.
|
||||||
---
|
---
|
||||||
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
1 file changed, 82 insertions(+)
|
1 file changed, 82 insertions(+)
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
index 5b34f22..ab3d04f 100644
|
index e2d567d..1ada2a0 100644
|
||||||
--- a/src/mokutil.c
|
--- a/src/mokutil.c
|
||||||
+++ b/src/mokutil.c
|
+++ b/src/mokutil.c
|
||||||
@@ -83,6 +83,7 @@
|
@@ -84,6 +84,7 @@
|
||||||
#define IMPORT_HASH (1 << 21)
|
|
||||||
#define DELETE_HASH (1 << 22)
|
#define DELETE_HASH (1 << 22)
|
||||||
#define VERBOSITY (1 << 23)
|
#define VERBOSITY (1 << 23)
|
||||||
+#define REVOKE_CERT (1 << 24)
|
#define TIMEOUT (1 << 24)
|
||||||
|
+#define REVOKE_CERT (1 << 25)
|
||||||
|
|
||||||
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
||||||
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
||||||
@@ -156,6 +157,7 @@ print_help ()
|
@@ -176,6 +177,7 @@ print_help ()
|
||||||
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
|
||||||
printf (" --db\t\t\t\t\tList the keys in db\n");
|
printf (" --db\t\t\t\t\tList the keys in db\n");
|
||||||
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
||||||
|
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
|
||||||
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
|
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
|
||||||
printf ("\n");
|
printf ("\n");
|
||||||
printf ("Supplimentary Options:\n");
|
printf ("Supplimentary Options:\n");
|
||||||
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
||||||
@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity)
|
@@ -2103,6 +2105,79 @@ set_verbosity (uint8_t verbosity)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -112,26 +112,26 @@ index 5b34f22..ab3d04f 100644
|
|||||||
static inline int
|
static inline int
|
||||||
list_db (DBName db_name)
|
list_db (DBName db_name)
|
||||||
{
|
{
|
||||||
@@ -2070,6 +2145,7 @@ main (int argc, char *argv[])
|
@@ -2182,6 +2257,7 @@ main (int argc, char *argv[])
|
||||||
{"kek", no_argument, 0, 0 },
|
|
||||||
{"db", no_argument, 0, 0 },
|
{"db", no_argument, 0, 0 },
|
||||||
{"dbx", no_argument, 0, 0 },
|
{"dbx", no_argument, 0, 0 },
|
||||||
|
{"timeout", required_argument, 0, 0 },
|
||||||
+ {"revoke-cert", no_argument, 0, 0 },
|
+ {"revoke-cert", no_argument, 0, 0 },
|
||||||
{0, 0, 0, 0}
|
{0, 0, 0, 0}
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -2157,6 +2233,8 @@ main (int argc, char *argv[])
|
@@ -2268,6 +2344,8 @@ main (int argc, char *argv[])
|
||||||
command |= LIST_ENROLLED;
|
} else if (strcmp (option, "timeout") == 0) {
|
||||||
db_name = DBX;
|
command |= TIMEOUT;
|
||||||
}
|
timeout = strdup (optarg);
|
||||||
+ } else if (strcmp (option, "revoke-cert") == 0) {
|
+ } else if (strcmp (option, "revoke-cert") == 0) {
|
||||||
+ command |= REVOKE_CERT;
|
+ command |= REVOKE_CERT;
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
@@ -2416,6 +2494,10 @@ main (int argc, char *argv[])
|
@@ -2537,6 +2615,10 @@ main (int argc, char *argv[])
|
||||||
case VERBOSITY:
|
case TIMEOUT:
|
||||||
ret = set_verbosity (verbosity);
|
ret = set_timeout (timeout);
|
||||||
break;
|
break;
|
||||||
+ case REVOKE_CERT:
|
+ case REVOKE_CERT:
|
||||||
+ case REVOKE_CERT | SIMPLE_HASH:
|
+ case REVOKE_CERT | SIMPLE_HASH:
|
||||||
@ -141,10 +141,10 @@ index 5b34f22..ab3d04f 100644
|
|||||||
print_help ();
|
print_help ();
|
||||||
break;
|
break;
|
||||||
--
|
--
|
||||||
2.9.0
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001
|
From 17f9850edce4dd40f96107c97d3d720406bf9f09 Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
Date: Tue, 4 Nov 2014 14:50:36 +0800
|
Date: Tue, 4 Nov 2014 14:50:36 +0800
|
||||||
Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables
|
Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables
|
||||||
@ -157,10 +157,10 @@ Adapt the changes in the mainline.
|
|||||||
1 file changed, 25 insertions(+), 20 deletions(-)
|
1 file changed, 25 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
index ab3d04f..9dcf4f1 100644
|
index 1ada2a0..dcf55dc 100644
|
||||||
--- a/src/mokutil.c
|
--- a/src/mokutil.c
|
||||||
+++ b/src/mokutil.c
|
+++ b/src/mokutil.c
|
||||||
@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity)
|
@@ -2108,28 +2108,35 @@ set_verbosity (uint8_t verbosity)
|
||||||
static int
|
static int
|
||||||
revoke_builtin_cert (void)
|
revoke_builtin_cert (void)
|
||||||
{
|
{
|
||||||
@ -205,7 +205,7 @@ index ab3d04f..9dcf4f1 100644
|
|||||||
|
|
||||||
memset (&pw_crypt, 0, sizeof(pw_crypt_t));
|
memset (&pw_crypt, 0, sizeof(pw_crypt_t));
|
||||||
memset (auth, 0, SHA256_DIGEST_LENGTH);
|
memset (auth, 0, SHA256_DIGEST_LENGTH);
|
||||||
@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void)
|
@@ -2152,20 +2159,18 @@ revoke_builtin_cert (void)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!use_simple_hash) {
|
if (!use_simple_hash) {
|
||||||
@ -236,10 +236,10 @@ index ab3d04f..9dcf4f1 100644
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.9.0
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
From 05c64b7b7d44f1c2a106e7273a33f83e57452d92 Mon Sep 17 00:00:00 2001
|
From 1ab85ee4d98a5436c4612b8f893c3c73f113a6e0 Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Lin <glin@suse.com>
|
From: Gary Lin <glin@suse.com>
|
||||||
Date: Wed, 13 Jul 2016 14:58:15 +0800
|
Date: Wed, 13 Jul 2016 14:58:15 +0800
|
||||||
Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24
|
Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24
|
||||||
@ -250,10 +250,10 @@ This is an openSUSE-only patch.
|
|||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/src/mokutil.c b/src/mokutil.c
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
||||||
index 9dcf4f1..1a8ccc9 100644
|
index dcf55dc..0160c06 100644
|
||||||
--- a/src/mokutil.c
|
--- a/src/mokutil.c
|
||||||
+++ b/src/mokutil.c
|
+++ b/src/mokutil.c
|
||||||
@@ -2061,7 +2061,8 @@ revoke_builtin_cert (void)
|
@@ -2170,7 +2170,8 @@ revoke_builtin_cert (void)
|
||||||
| EFI_VARIABLE_RUNTIME_ACCESS;
|
| EFI_VARIABLE_RUNTIME_ACCESS;
|
||||||
|
|
||||||
if (efi_set_variable (efi_guid_shim, "ClearVerify",
|
if (efi_set_variable (efi_guid_shim, "ClearVerify",
|
||||||
@ -264,5 +264,5 @@ index 9dcf4f1..1a8ccc9 100644
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.9.0
|
2.21.0
|
||||||
|
|
||||||
|
@ -1,3 +1,45 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update to 0.4.0
|
||||||
|
+ Rename export_moks as export_db_keys
|
||||||
|
+ Add support for exporting other keys
|
||||||
|
+ add new --mok argument
|
||||||
|
+ set list-enrolled command as default for some arguments
|
||||||
|
+ Add more info to --sb-state: show when we're in SetupMode or
|
||||||
|
with shim validation disabled
|
||||||
|
+ Correct help: --set-timeout is really --timeout
|
||||||
|
+ generate_hash() / generate_pw_hash(): don't use strlen() for
|
||||||
|
strncpy bounds
|
||||||
|
+ Add the type casting to silence the warning
|
||||||
|
+ Add a way for mokutil to configure a timeout for MokManager's
|
||||||
|
prompt
|
||||||
|
+ list_keys_in_var(): check errno correctly, not ret twice
|
||||||
|
+ Fix typo in error message when the system lacks Secure Boot
|
||||||
|
support
|
||||||
|
+ Add bash completion file
|
||||||
|
+ mokutil: be explicit about file modes in all cases
|
||||||
|
+ Make all efi_guid_t const
|
||||||
|
+ Don't allow sha1 on the mokutil command line
|
||||||
|
+ Build with -fshort-wchar so toggle passwords work right
|
||||||
|
+ Fix the 32bit signedness comparison
|
||||||
|
+ Fix the potential buffer overflow
|
||||||
|
- Add mokutil-remove-shebang-from-bash-completion-file.patch to
|
||||||
|
remove shebang from bash-completion/mokutil
|
||||||
|
- Drop upstreamed patches
|
||||||
|
+ mokutil-constify-efi-guid.patch
|
||||||
|
+ mokutil-fix-overflow.patch
|
||||||
|
+ mokutil-fshort-wchar.patch
|
||||||
|
+ mokutil-set-efi-variable-file-mode.patch
|
||||||
|
- Refresh mokutil-support-revoke-builtin-cert.patch
|
||||||
|
- Install bash-completion/mokutil
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Add modhash to calculate the hash of kernel module (SLE-5661)
|
||||||
|
+ Also add openssl to Requires since the script needs it
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Nov 23 08:58:24 UTC 2018 - glin@suse.com
|
Fri Nov 23 08:58:24 UTC 2018 - glin@suse.com
|
||||||
|
|
||||||
|
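--- a/mokutil.spec
+++ b/mokutil.spec
@@ -17,29 +17,23 @@
 
 
 Name: mokutil
-Version: 0.3.0
+Version: 0.4.0
 Release: 0
 Summary: Tools for manipulating machine owner keys
 License: GPL-3.0-only
 Group: Productivity/Security
 Url: https://github.com/lcp/mokutil
-Source: %{name}-%{version}.tar.bz2
-# PATCH-FIX-UPSTREAM mokutil-fix-overflow.patch glin@suse.com -- Fix the potential buffer overflow
-Patch1: mokutil-fix-overflow.patch
-# PATCH-FIX-UPSTREAM mokutil-fshort-wchar.patch glin@suse.com -- Add "-fshort-wchar" to make sure the UEFI strings are UCS-2 encoding
-Patch2: mokutil-fshort-wchar.patch
-# PATCH-FIX-UPSTREAM mokutil-set-efi-variable-file-mode.patch glin@suse.com -- Be explicit about file modes in all cases
-Patch3: mokutil-set-efi-variable-file-mode.patch
-# PATCH-FIX-UPSTREAM mokutil-constify-efi-guid.patch glin@suse.com -- Make all efi_guild_t variables const
-Patch4: mokutil-constify-efi-guid.patch
-# OPENSUSE ONLY
-# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
+Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
+Source1: modhash
+# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch glin@suse.com -- Remove shebang from bash-completion/mokutil
+Patch1: mokutil-remove-shebang-from-bash-completion-file.patch
 Patch100: mokutil-support-revoke-builtin-cert.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: efivar-devel >= 0.12
 BuildRequires: libopenssl-devel >= 0.9.8
 BuildRequires: pkg-config
+Requires: openssl
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch: x86_64 aarch64
 
@@ -56,18 +50,16 @@ Authors:
 %prep
 %setup -q
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
 %patch100 -p1
 
 %build
-autoreconf
+./autogen.sh
 %configure
 make
 
 %install
 %makeinstall
+install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash
 
 %clean
 %{?buildroot:%__rm -rf "%{buildroot}"}
@@ -76,6 +68,9 @@ make
 %defattr(-,root,root)
 %license COPYING
 %{_bindir}/mokutil
+%{_bindir}/modhash
 %{_mandir}/man?/*
+%dir %{_datadir}/bash-completion/completions/
+%{_datadir}/bash-completion/completions/mokutil
 
 %changelog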
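Review bot: The first hunk removes the `# OPENSUSE ONLY` and `# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch ...` comment lines while keeping `Patch100:`, so the one distribution-specific patch is now the only patch in the spec without the tag that records why it exists and who owns it; re-add `# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate` directly above `Patch100:`. The new `Source:` points at a GitHub auto-generated archive rather than a published release artifact, so nothing in the spec ties the fetched tarball to an upstream signature; the LFS pointer pins what OBS actually builds, but provenance against upstream rests entirely on whoever added that blob. If upstream publishes signed release tarballs, referencing those together with a detached signature and keyring source would let the build verify the tarball instead of trusting the archive URL.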