pool/mokutil
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 705781 from home:gary_lin:branches:Base:System

Browse Source 
- Update to 0.4.0

OBS-URL: https://build.opensuse.org/request/show/705781
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=39
This commit is contained in:
Gary Ching-Pang Lin 2019-05-28 06:42:29 +00:00 committed by Git OBS Bridge
parent 6b8cd38690
commit 6de4f60a64
10 changed files with 97 additions and 249 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
0.4.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2e9c574e4a4fa63b2f23116cdcb389f448a28945548e232076f77947e35b7361
size 33222

3
mokutil-0.3.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1955888d275ece95ef88919ea6c9ae5153ddff9a64a7aac371d874d626be3bb0
size 105228

87
mokutil-constify-efi-guid.patch
View File

@ -1,87 +0,0 @@
From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jan 2016 16:05:21 +0800
Subject: [PATCH] Make all efi_guid_t const
All UEFI GUIDs defined in efivar are const. Declare all of them const
to make gcc happy.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/mokutil.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1fb34f9..d2c52b4 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
}
static uint32_t
-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
{
if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
return SHA_DIGEST_LENGTH;
@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
}
static uint32_t
-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
{
uint32_t hash_size;
@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
/* match the hash in the hash array and return the index if matched */
static int
-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
const void *hash_array, const uint32_t array_size)
{
uint32_t hash_size, hash_count;
@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
}
static int
-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
- efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ const efi_guid_t *type, void *data, uint32_t data_size)
{
uint8_t *var_data = NULL;
size_t var_data_size = 0;
@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
}
static int
-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
- efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+ const efi_guid_t *vendor, const char *db_name)
{
uint8_t *var_data;
size_t var_data_size;
@@ -1059,7 +1059,7 @@ done:
}
static int
-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
MokRequest req)
{
switch (req) {
@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
}
static int
-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
MokRequest req)
{
uint8_t *authvar_data;
--
2.9.0

36
mokutil-fix-overflow.patch
View File

@ -1,36 +0,0 @@
From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 15:50:03 +0800
Subject: [PATCH] Fix the potential buffer overflow
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..93fb6fa 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
MokToggleVar tvar;
char *password = NULL;
unsigned int pw_len;
- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
int ret = -1;
printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
efichar_from_char (efichar_pass, password,
SB_PASSWORD_MAX * sizeof(efi_char16_t));
- memcpy(tvar.password, efichar_pass,
- SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
tvar.mok_toggle_state = state;
--
1.8.4.5

42
mokutil-fshort-wchar.patch
View File

@ -1,42 +0,0 @@
From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 19 Jun 2015 16:53:36 -0400
Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
This source tree uses:
typedef wchar_t efi_char16_t;
to define UEFI's UCS-2 character type. On many platforms, wchar_t is
32-bits by default. As a result, efichar_from_char winds up writing
4-byte characters instead of 2-byte characters. In the case where we
hash the password in mokutil, this works fine, because the same datatype
is used, and the values are the same. But for our feature toggles,
where we store the raw data and shim is interpretting the character
array, every other character winds up being L'\0', and verification
fails.
So always build with -fshort-wchar to ensure we get 2-byte character
storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index fe28fb9..69d412a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ else
default_strict=no
fi
-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
enable_strict=$default_strict)
--
2.1.4

23
mokutil-remove-shebang-from-bash-completion-file.patch Normal file
View File

@ -0,0 +1,23 @@
From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 28 May 2019 12:33:32 +0800
Subject: [PATCH] Remove shebang from bash-completion/mokutil
Signed-off-by: Gary Lin <glin@suse.com>
---
data/mokutil | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/mokutil b/data/mokutil
index 800b039..cf50606 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -1,4 +1,4 @@
-#!/bin/bash
+# mokutil(1) completion
_mokutil()
{
--
2.21.0

37
mokutil-set-efi-variable-file-mode.patch
View File

@ -1,37 +0,0 @@
From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jun 2016 10:19:43 -0400
Subject: [PATCH] mokutil: be explicit about file modes in all cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/mokutil.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d2c52b4..d554f6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS;
ret = efi_set_variable (*var_guid, var_name,
- var_data, total, attributes);
+ var_data, total, attributes,
+ S_IRUSR | S_IWUSR);
if (ret < 0) {
fprintf (stderr, "Failed to write variable \"%s\": %m\n",
var_name);
@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
data_size = list_len;
if (efi_set_variable (efi_guid_shim, req_name,
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
switch (req) {
case ENROLL_MOK:
fprintf (stderr, "Failed to enroll new keys\n");
--
2.9.0

56
mokutil-support-revoke-builtin-cert.patch
View File

@ -1,4 +1,4 @@
From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001
From 93ded288224a18f336f9e3654a33a48bcb748b11 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate
@ -9,30 +9,30 @@ This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..ab3d04f 100644
index e2d567d..1ada2a0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@
#define IMPORT_HASH (1 << 21)
@@ -84,6 +84,7 @@
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define REVOKE_CERT (1 << 24)
#define TIMEOUT (1 << 24)
+#define REVOKE_CERT (1 << 25)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -156,6 +157,7 @@ print_help ()
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
@@ -176,6 +177,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity)
@@ -2103,6 +2105,79 @@ set_verbosity (uint8_t verbosity)
return 0;
}
@ -112,26 +112,26 @@ index 5b34f22..ab3d04f 100644
static inline int
list_db (DBName db_name)
{
@@ -2070,6 +2145,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
@@ -2182,6 +2257,7 @@ main (int argc, char *argv[])
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2157,6 +2233,8 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
db_name = DBX;
}
@@ -2268,6 +2344,8 @@ main (int argc, char *argv[])
} else if (strcmp (option, "timeout") == 0) {
command |= TIMEOUT;
timeout = strdup (optarg);
+ } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT;
}
break;
@@ -2416,6 +2494,10 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
@@ -2537,6 +2615,10 @@ main (int argc, char *argv[])
case TIMEOUT:
ret = set_timeout (timeout);
break;
+ case REVOKE_CERT:
+ case REVOKE_CERT | SIMPLE_HASH:
@ -141,10 +141,10 @@ index 5b34f22..ab3d04f 100644
print_help ();
break;
--
2.9.0
2.21.0
From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001
From 17f9850edce4dd40f96107c97d3d720406bf9f09 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables
@ -157,10 +157,10 @@ Adapt the changes in the mainline.
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index ab3d04f..9dcf4f1 100644
index 1ada2a0..dcf55dc 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity)
@@ -2108,28 +2108,35 @@ set_verbosity (uint8_t verbosity)
static int
revoke_builtin_cert (void)
{
@ -205,7 +205,7 @@ index ab3d04f..9dcf4f1 100644
memset (&pw_crypt, 0, sizeof(pw_crypt_t));
memset (auth, 0, SHA256_DIGEST_LENGTH);
@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void)
@@ -2152,20 +2159,18 @@ revoke_builtin_cert (void)
}
if (!use_simple_hash) {
@ -236,10 +236,10 @@ index ab3d04f..9dcf4f1 100644
goto error;
}
--
2.9.0
2.21.0
From 05c64b7b7d44f1c2a106e7273a33f83e57452d92 Mon Sep 17 00:00:00 2001
From 1ab85ee4d98a5436c4612b8f893c3c73f113a6e0 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24
@ -250,10 +250,10 @@ This is an openSUSE-only patch.
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 9dcf4f1..1a8ccc9 100644
index dcf55dc..0160c06 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2061,7 +2061,8 @@ revoke_builtin_cert (void)
@@ -2170,7 +2170,8 @@ revoke_builtin_cert (void)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (efi_set_variable (efi_guid_shim, "ClearVerify",
@ -264,5 +264,5 @@ index 9dcf4f1..1a8ccc9 100644
goto error;
}
--
2.9.0
2.21.0

36
mokutil.changes
View File

@ -1,3 +1,39 @@
-------------------------------------------------------------------
Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 0.4.0
+ Rename export_moks as export_db_keys
+ Add support for exporting other keys
+ add new --mok argument
+ set list-enrolled command as default for some arguments
+ Add more info to --sb-state: show when we're in SetupMode or
with shim validation disabled
+ Correct help: --set-timeout is really --timeout
+ generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
+ Add the type casting to silence the warning
+ Add a way for mokutil to configure a timeout for MokManager's
prompt
+ list_keys_in_var(): check errno correctly, not ret twice
+ Fix typo in error message when the system lacks Secure Boot
support
+ Add bash completion file
+ mokutil: be explicit about file modes in all cases
+ Make all efi_guid_t const
+ Don't allow sha1 on the mokutil command line
+ Build with -fshort-wchar so toggle passwords work right
+ Fix the 32bit signedness comparison
+ Fix the potential buffer overflow
- Add mokutil-remove-shebang-from-bash-completion-file.patch to
remove shebang from bash-completion/mokutil
- Drop upstreamed patches
+ mokutil-constify-efi-guid.patch
+ mokutil-fix-overflow.patch
+ mokutil-fshort-wchar.patch
+ mokutil-set-efi-variable-file-mode.patch
- Refresh mokutil-support-revoke-builtin-cert.patch
- Install bash-completion/mokutil
-------------------------------------------------------------------
Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

23
mokutil.spec
View File

@ -17,24 +17,16 @@
Name: mokutil
Version: 0.3.0
Version: 0.4.0
Release: 0
Summary: Tools for manipulating machine owner keys
License: GPL-3.0-only
Group: Productivity/Security
Url: https://github.com/lcp/mokutil
Source: %{name}-%{version}.tar.bz2
Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
Source1: modhash
# PATCH-FIX-UPSTREAM mokutil-fix-overflow.patch glin@suse.com -- Fix the potential buffer overflow
Patch1: mokutil-fix-overflow.patch
# PATCH-FIX-UPSTREAM mokutil-fshort-wchar.patch glin@suse.com -- Add "-fshort-wchar" to make sure the UEFI strings are UCS-2 encoding
Patch2: mokutil-fshort-wchar.patch
# PATCH-FIX-UPSTREAM mokutil-set-efi-variable-file-mode.patch glin@suse.com -- Be explicit about file modes in all cases
Patch3: mokutil-set-efi-variable-file-mode.patch
# PATCH-FIX-UPSTREAM mokutil-constify-efi-guid.patch glin@suse.com -- Make all efi_guild_t variables const
Patch4: mokutil-constify-efi-guid.patch
# OPENSUSE ONLY
# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch glin@suse.com -- Remove shebang from bash-completion/mokutil
Patch1: mokutil-remove-shebang-from-bash-completion-file.patch
Patch100: mokutil-support-revoke-builtin-cert.patch
BuildRequires: autoconf
BuildRequires: automake
@ -58,13 +50,10 @@ Authors:
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch100 -p1
%build
autoreconf
./autogen.sh
%configure
make
@ -81,5 +70,7 @@ install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash
%{_bindir}/mokutil
%{_bindir}/modhash
%{_mandir}/man?/*
%dir %{_datadir}/bash-completion/completions/
%{_datadir}/bash-completion/completions/mokutil
%changelog