pool/mokutil
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 148683 from home:gary_lin:branches:Base:System

Browse Source 
- Merge patches for FATE#314506
  + Add mokutil-support-delete-keys.patch to delete specific keys
  + Add mokutil-support-new-pw-hash.patch to support the new
    password format
  + Add mokutil-allow-password-from-pipe.patch to allow the
    password to be generated in a script and be sent through
    pipeline
- Install COPYING

OBS-URL: https://build.opensuse.org/request/show/148683
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=2
This commit is contained in:
Gary Ching-Pang Lin 2013-01-16 09:28:17 +00:00 committed by Git OBS Bridge
parent cb345da9fe
commit 7363fb09df
5 changed files with 2254 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
mokutil-allow-password-from-pipe.patch Normal file
View File

@ -0,0 +1,50 @@
commit adce7208ddcb65daac83ea3429aa8586d9cc4ea5
Author: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed Jan 2 17:30:07 2013 +0800
Only change terminal settings
tcgetattr() will fail if we send password through a pipeline instead
of a TTY.
diff --git a/src/mokutil.c b/src/mokutil.c
index a99e355..ea8481a 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -278,22 +278,27 @@ read_hidden_line (char **line, size_t *n)
{
struct termios old, new;
int nread;
+ int isTTY = isatty(fileno (stdin));
- /* Turn echoing off and fail if we can't. */
- if (tcgetattr (fileno (stdin), &old) != 0)
- return -1;
+ if (isTTY) {
+ /* Turn echoing off and fail if we can't. */
+ if (tcgetattr (fileno (stdin), &old) != 0)
+ return -1;
- new = old;
- new.c_lflag &= ~ECHO;
+ new = old;
+ new.c_lflag &= ~ECHO;
- if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
- return -1;
+ if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0)
+ return -1;
+ }
/* Read the password. */
nread = getline (line, n, stdin);
- /* Restore terminal. */
- (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ if (isTTY) {
+ /* Restore terminal. */
+ (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old);
+ }
/* Remove the newline */
(*line)[nread-1] = '\0';

835
mokutil-support-delete-keys.patch Normal file
View File

@ -0,0 +1,835 @@
From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Dec 2012 17:09:34 +0800
Subject: [PATCH 1/7] Move fail check to get_password()
---
src/mokutil.c | 83 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 46 insertions(+), 37 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index aba1cfb..eea2b6c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -297,39 +297,60 @@ static int
get_password (char **password, int *len, int min, int max)
{
char *password_1, *password_2;
- int len_1, len_2;
+ int len_1, len_2, fail, ret = -1;
size_t n;
password_1 = password_2 = NULL;
- printf ("input password (%d~%d characters): ", min, max);
- len_1 = read_hidden_line (&password_1, &n);
- printf ("\n");
+ fail = 0;
- if (len_1 > max || len_1 < min) {
- free (password_1);
- fprintf (stderr, "password should be %d~%d characters\n",
- min, max);
- return -1;
+ while (fail < 3) {
+ printf ("input password (%d~%d characters): ", min, max);
+ len_1 = read_hidden_line (&password_1, &n);
+ printf ("\n");
+
+ if (len_1 > max || len_1 < min) {
+ fail++;
+ fprintf (stderr, "password should be %d~%d characters\n",
+ min, max);
+ } else {
+ break;
+ }
}
- printf ("input password again: ");
- len_2 = read_hidden_line (&password_2, &n);
- printf ("\n");
+ if (fail >= 3) {
+ if (password_1)
+ free (password_1);
+ goto error;
+ }
- if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
- free (password_1);
- free (password_2);
- fprintf (stderr, "password doesn't match\n");
- return -1;
+ fail = 0;
+
+ while (fail < 3) {
+ printf ("input password again: ");
+ len_2 = read_hidden_line (&password_2, &n);
+ printf ("\n");
+
+ if (len_1 != len_2 || strcmp (password_1, password_2) != 0) {
+ fail++;
+ fprintf (stderr, "password doesn't match\n");
+ } else {
+ break;
+ }
}
+ if (fail >= 3)
+ goto error;
+
*password = password_1;
*len = len_1;
- free (password_2);
+ ret = 0;
+error:
+ if (password_2)
+ free (password_2);
- return 0;
+ return ret;
}
static int
@@ -364,14 +385,10 @@ update_request (void *new_list, int list_len)
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -745,14 +762,10 @@ set_password ()
efi_variable_t var;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
@@ -789,15 +802,11 @@ set_validation (uint32_t state)
efi_variable_t var;
MokSBVar sbvar;
char *password = NULL;
- int pw_len, fail = 0;
+ int pw_len;
efi_char16_t efichar_pass[PASSWORD_MAX];
int ret = -1;
- while (fail < 3 &&
- get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0)
- fail++;
-
- if (fail >= 3) {
+ while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
}
--
1.7.10.4
From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:22:41 +0800
Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not
---
src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index eea2b6c..68a25bc 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -41,6 +41,7 @@ enum Command {
COMMAND_DISABLE_VALIDATION,
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
+ COMMAND_TEST_KEY,
};
static void
@@ -76,6 +77,9 @@ print_help ()
printf("SecureBoot State:\n");
printf(" mokutil --sb-state\n\n");
+
+ printf("Test if the key is enrolled or not:\n");
+ printf(" mokutil --test-key\n\n");
}
static int
@@ -882,10 +886,57 @@ sb_state ()
return 0;
}
+static int
+test_key (const char *key_file)
+{
+ struct stat buf;
+ void *key = NULL;
+ ssize_t read_size;
+ int fd, ret = -1;
+
+ if (stat (key_file, &buf) != 0) {
+ fprintf (stderr, "Failed to get file status, %s\n", key_file);
+ return -1;
+ }
+
+ key = malloc (buf.st_size);
+
+ fd = open (key_file, O_RDONLY);
+ if (fd < 0) {
+ fprintf (stderr, "Failed to open %s\n", key_file);
+ goto error;
+ }
+
+ read_size = read (fd, key, buf.st_size);
+ if (read_size < 0 || read_size != buf.st_size) {
+ fprintf (stderr, "Failed to read %s\n", key_file);
+ goto error;
+ }
+
+ if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
+ !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
+ printf ("%s is not enrolled\n", key_file);
+ ret = 0;
+ } else {
+ printf ("%s is already enrolled\n", key_file);
+ ret = 1;
+ }
+
+error:
+ if (key)
+ free (key);
+
+ return ret;
+}
+
int
main (int argc, char *argv[])
{
char **files = NULL;
+ char *key_file = NULL;
int i, total;
int command;
@@ -962,6 +1013,17 @@ main (int argc, char *argv[])
command = COMMAND_SB_STATE;
+ } else if (strcmp (argv[1], "--test-key") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+
+ key_file = argv[2];
+
+ command = COMMAND_TEST_KEY;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -999,6 +1061,9 @@ main (int argc, char *argv[])
case COMMAND_SB_STATE:
sb_state ();
break;
+ case COMMAND_TEST_KEY:
+ test_key (key_file);
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 17 Dec 2012 16:33:59 +0800
Subject: [PATCH 3/7] Handle the return values
---
src/mokutil.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 68a25bc..13ef69d 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -939,6 +939,7 @@ main (int argc, char *argv[])
char *key_file = NULL;
int i, total;
int command;
+ int ret = -1;
if (argc < 2) {
print_help ();
@@ -1032,37 +1033,37 @@ main (int argc, char *argv[])
switch (command) {
case COMMAND_LIST_ENROLLED:
- list_enrolled_keys ();
+ ret = list_enrolled_keys ();
break;
case COMMAND_LIST_NEW:
- list_new_keys ();
+ ret = list_new_keys ();
break;
case COMMAND_IMPORT:
- import_moks (files, total);
+ ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- delete_all ();
+ ret = delete_all ();
break;
case COMMAND_REVOKE:
- revoke_request ();
+ ret = revoke_request ();
break;
case COMMAND_EXPORT:
- export_moks ();
+ ret = export_moks ();
break;
case COMMAND_PASSWORD:
- set_password ();
+ ret = set_password ();
break;
case COMMAND_DISABLE_VALIDATION:
- disable_validation ();
+ ret = disable_validation ();
break;
case COMMAND_ENABLE_VALIDATION:
- enable_validation ();
+ ret = enable_validation ();
break;
case COMMAND_SB_STATE:
- sb_state ();
+ ret = sb_state ();
break;
case COMMAND_TEST_KEY:
- test_key (key_file);
+ ret = test_key (key_file);
break;
default:
fprintf (stderr, "Unknown command\n");
@@ -1072,5 +1073,5 @@ main (int argc, char *argv[])
if (files)
free (files);
- return 0;
+ return ret;
}
--
1.7.10.4
From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 16:35:37 +0800
Subject: [PATCH 4/7] Correct the GUID of "db"
---
src/efi.h | 2 ++
src/mokutil.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/efi.h b/src/efi.h
index 7185179..d2640b4 100644
--- a/src/efi.h
+++ b/src/efi.h
@@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
#define ESP_UNKNOWN_GUID \
EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
static inline int
efi_guidcmp(efi_guid_t left, efi_guid_t right)
diff --git a/src/mokutil.c b/src/mokutil.c
index 13ef69d..6af5a9c 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total)
/* whether this key is already enrolled... */
if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
!is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) &&
+ !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
!is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
!is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
ptr += sizes[i];
--
1.7.10.4
From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 24 Dec 2012 18:12:48 +0800
Subject: [PATCH 5/7] Initialize password array
---
src/mokutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6af5a9c..3d00df0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
{
efi_variable_t mok_auth;
uint8_t auth[SHA256_DIGEST_LENGTH];
- char *password;
+ char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
--
1.7.10.4
From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 25 Dec 2012 15:53:56 +0800
Subject: [PATCH 6/7] Add support for deleting specific keys
---
src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 128 insertions(+), 51 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 3d00df0..e6807da 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -42,6 +42,7 @@ enum Command {
COMMAND_ENABLE_VALIDATION,
COMMAND_SB_STATE,
COMMAND_TEST_KEY,
+ COMMAND_RESET,
};
static void
@@ -57,8 +58,8 @@ print_help ()
printf("Import keys:\n");
printf(" mokutil --import <der file>...\n\n");
- printf("Request to delete all keys\n");
- printf(" mokutil --delete-all\n\n");
+ printf("Request to delete specific keys\n");
+ printf(" mokutil --delete <der file>...\n\n");
printf("Revoke the request:\n");
printf(" mokutil --revoke\n\n");
@@ -80,6 +81,9 @@ print_help ()
printf("Test if the key is enrolled or not:\n");
printf(" mokutil --test-key\n\n");
+
+ printf("Reset MOK list:\n");
+ printf(" mokutil --reset\n\n");
}
static int
@@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password,
}
static int
-update_request (void *new_list, int list_len)
+update_request (void *new_list, int list_len, uint8_t import)
{
efi_variable_t var;
+ const char *req_name, *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len;
int ret = -1;
+ if (import) {
+ req_name = "MokNew";
+ auth_name = "MokAuth";
+ } else {
+ req_name = "MokDel";
+ auth_name = "MokDelAuth";
+ }
+
if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
fprintf (stderr, "Abort\n");
goto error;
@@ -403,7 +416,7 @@ update_request (void *new_list, int list_len)
/* Write MokNew*/
var.Data = new_list;
var.DataSize = list_len;
- var.VariableName = "MokNew";
+ var.VariableName = req_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -411,17 +424,18 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to enroll new keys\n");
+ fprintf (stderr, "Failed to %s keys\n",
+ import ? "enroll new" : "delete");
goto error;
}
} else {
- test_and_delete_var ("MokNew");
+ test_and_delete_var (req_name);
}
/* Write MokAuth */
var.Data = auth;
var.DataSize = SHA256_DIGEST_LENGTH;
- var.VariableName = "MokAuth";
+ var.VariableName = auth_name;
var.VendorGuid = SHIM_LOCK_GUID;
var.Attributes = EFI_VARIABLE_NON_VOLATILE
@@ -429,8 +443,8 @@ update_request (void *new_list, int list_len)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (edit_variable (&var) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to write MokAuth\n");
- test_and_delete_var ("MokNew");
+ fprintf (stderr, "Failed to write %s\n", auth_name);
+ test_and_delete_var (req_name);
goto error;
}
@@ -505,20 +519,47 @@ done:
}
static int
-verify_mok_new (void *mok_new, unsigned long mok_new_size)
+is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
{
- efi_variable_t mok_auth;
+ if (import) {
+ if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
+ is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
+ is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ } else {
+ if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
+ is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static int
+verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import)
+{
+ efi_variable_t req_auth;
+ const char *auth_name;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
int pw_len, fail = 0;
size_t n;
int ret = 0;
- memset (&mok_auth, 0, sizeof(mok_auth));
- mok_auth.VariableName = "MokAuth";
- mok_auth.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_auth) != EFI_SUCCESS) {
- fprintf (stderr, "Failed to read MokAuth\n");
+ if (import)
+ auth_name = "MokAuth";
+ else
+ auth_name = "MokDelAuth";
+
+ memset (&req_auth, 0, sizeof(req_auth));
+ req_auth.VariableName = auth_name;
+ req_auth.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&req_auth) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to read %s\n", auth_name);
return 0;
}
@@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
continue;
}
- generate_auth (mok_new, mok_new_size, password, pw_len, auth);
- if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
+ generate_auth (old_req, old_req_size, password, pw_len, auth);
+ if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) {
ret = 1;
break;
}
@@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size)
fail++;
}
- if (mok_auth.Data)
- free (mok_auth.Data);
+ if (req_auth.Data)
+ free (req_auth.Data);
return ret;
}
static int
-import_moks (char **files, uint32_t total)
+issue_mok_request (char **files, uint32_t total, uint8_t import)
{
- efi_variable_t mok_new;
+ efi_variable_t old_req;
+ const char *req_name;
void *new_list = NULL;
void *ptr;
struct stat buf;
@@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total)
if (!files)
return -1;
+ if (import)
+ req_name = "MokNew";
+ else
+ req_name = "MokDel";
+
sizes = malloc (total * sizeof(uint32_t));
if (!sizes) {
@@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&mok_new, 0, sizeof(mok_new));
- mok_new.VariableName = "MokNew";
- mok_new.VendorGuid = SHIM_LOCK_GUID;
- if (read_variable (&mok_new) == EFI_SUCCESS)
- list_size += mok_new.DataSize;
+ memset (&old_req, 0, sizeof(old_req));
+ old_req.VariableName = req_name;
+ old_req.VendorGuid = SHIM_LOCK_GUID;
+ if (read_variable (&old_req) == EFI_SUCCESS)
+ list_size += old_req.DataSize;
new_list = malloc (list_size);
if (!new_list) {
- fprintf (stderr, "Failed to allocate space for MokNew\n");
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
goto error;
}
ptr = new_list;
@@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total)
files[i]);
}
- /* whether this key is already enrolled... */
- if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) &&
- !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) &&
- !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) {
+ if (is_valid_request (ptr, sizes[i], import)) {
ptr += sizes[i];
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
} else {
+ printf ("Skip %s\n", files[i]);
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
}
@@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total)
goto error;
}
- /* append the keys in MokNew */
- if (mok_new.Data) {
+ /* append the keys to the previous request */
+ if (old_req.Data) {
/* request the previous password to verify the keys */
- if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) {
+ if (!verify_old_req (old_req.Data, old_req.DataSize, import)) {
goto error;
}
- memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize);
- real_size += mok_new.DataSize;
+ memcpy (new_list + real_size, old_req.Data, old_req.DataSize);
+ real_size += old_req.DataSize;
}
- if (update_request (new_list, real_size) < 0) {
+ if (update_request (new_list, real_size, import) < 0) {
goto error;
}
ret = 0;
error:
- if (mok_new.Data)
- free (mok_new.Data);
+ if (old_req.Data)
+ free (old_req.Data);
if (sizes)
free (sizes);
if (new_list)
@@ -682,14 +725,15 @@ error:
}
static int
-delete_all ()
+import_moks (char **files, uint32_t total)
{
- if (update_request (NULL, 0)) {
- fprintf (stderr, "Failed to issue an delete request\n");
- return -1;
- }
+ return issue_mok_request (files, total, 1);
+}
- return 0;
+static int
+delete_moks (char **files, uint32_t total)
+{
+ return issue_mok_request (files, total, 0);
}
static int
@@ -932,6 +976,17 @@ error:
return ret;
}
+static int
+reset_moks ()
+{
+ if (update_request (NULL, 0, 1)) {
+ fprintf (stderr, "Failed to issue a reset request\n");
+ return -1;
+ }
+
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -982,8 +1037,23 @@ main (int argc, char *argv[])
command = COMMAND_IMPORT;
- } else if (strcmp (argv[1], "-D") == 0 ||
- strcmp (argv[1], "--delete-all") == 0) {
+ } else if (strcmp (argv[1], "-d") == 0 ||
+ strcmp (argv[1], "--delete") == 0) {
+
+ if (argc < 3) {
+ print_help ();
+ return -1;
+ }
+ total = argc - 2;
+
+ files = malloc (total * sizeof(char *));
+ if (!files) {
+ fprintf (stderr, "Failed to allocate file list\n");
+ return -1;
+ }
+
+ for (i = 0; i < total; i++)
+ files[i] = argv[i+2];
command = COMMAND_DELETE;
@@ -1025,6 +1095,10 @@ main (int argc, char *argv[])
command = COMMAND_TEST_KEY;
+ } else if (strcmp (argv[1], "--reset") == 0) {
+
+ command = COMMAND_RESET;
+
} else {
fprintf (stderr, "Unknown argument: %s\n\n", argv[1]);
print_help ();
@@ -1042,7 +1116,7 @@ main (int argc, char *argv[])
ret = import_moks (files, total);
break;
case COMMAND_DELETE:
- ret = delete_all ();
+ ret = delete_moks (files, total);
break;
case COMMAND_REVOKE:
ret = revoke_request ();
@@ -1065,6 +1139,9 @@ main (int argc, char *argv[])
case COMMAND_TEST_KEY:
ret = test_key (key_file);
break;
+ case COMMAND_RESET:
+ ret = reset_moks ();
+ break;
default:
fprintf (stderr, "Unknown command\n");
break;
--
1.7.10.4
From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 2 Jan 2013 17:09:35 +0800
Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash
In issue_mok_request(), old_req.Data must be intialized before
"goto error", or the process would segfault when freeing old_req.Data.
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index e6807da..a99e355 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
sizes = malloc (total * sizeof(uint32_t));
+ memset (&old_req, 0, sizeof(old_req));
+
if (!sizes) {
fprintf (stderr, "Failed to allocate space for sizes\n");
goto error;
@@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import)
list_size += sizeof(EFI_SIGNATURE_LIST) * total;
list_size += sizeof(efi_guid_t) * total;
- memset (&old_req, 0, sizeof(old_req));
old_req.VariableName = req_name;
old_req.VendorGuid = SHIM_LOCK_GUID;
if (read_variable (&old_req) == EFI_SUCCESS)
--
1.7.10.4

1342
mokutil-support-new-pw-hash.patch Normal file
View File

File diff suppressed because it is too large Load Diff

12
mokutil.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Jan 16 08:41:15 UTC 2013 - glin@suse.com
- Merge patches for FATE#314506
+ Add mokutil-support-delete-keys.patch to delete specific keys
+ Add mokutil-support-new-pw-hash.patch to support the new
password format
+ Add mokutil-allow-password-from-pipe.patch to allow the
password to be generated in a script and be sent through
pipeline
- Install COPYING
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 11 08:07:32 UTC 2012 - glin@suse.com Tue Dec 11 08:07:32 UTC 2012 - glin@suse.com

21
mokutil.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package mokutil # spec file for package mokutil
# #
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,21 +16,26 @@
# #
Name: mokutil Name: mokutil
Version: 0.1.0 Version: 0.1.0
Release: 1 Release: 0
License: GPL-3.0
Summary: Tools for manipulating machine owner keys Summary: Tools for manipulating machine owner keys
Url: https://github.com/lcp/mokutil License: GPL-3.0
Group: Productivity/Security Group: Productivity/Security
Url: https://github.com/lcp/mokutil
Source: %{name}-%{version}.tar.bz2 Source: %{name}-%{version}.tar.bz2
# PATCH-FIX-UPSTREAM mokutil-probe-secure-boot-state.patch glin@suse.com -- Probe the state of secure boot # PATCH-FIX-UPSTREAM mokutil-probe-secure-boot-state.patch glin@suse.com -- Probe the state of secure boot
Patch1: mokutil-probe-secure-boot-state.patch Patch1: mokutil-probe-secure-boot-state.patch
# PATCH-FIX-UPSTREAM mokutil-no-duplicate-keys-imported.patch glin@suse.com -- Do not import duplicate keys # PATCH-FIX-UPSTREAM mokutil-no-duplicate-keys-imported.patch glin@suse.com -- Do not import duplicate keys
Patch2: mokutil-no-duplicate-keys-imported.patch Patch2: mokutil-no-duplicate-keys-imported.patch
BuildRequires: pkg-config # PATCH-FIX-UPSTREAM mokutil-accept-password-from-pipe.patch glin@suse.com -- Allow the password to be sent through pipeline
Patch3: mokutil-allow-password-from-pipe.patch
# PATCH-FIX-UPSTREAM mokutil-support-delete-keys.patch glin@suse.com -- Add support for deleting specific keys
Patch4: mokutil-support-delete-keys.patch
# PATCH-FIX-UPSTREAM mokutil-support-new-pw-hash.patch glin@suse.com -- Support the new password hash format
Patch5: mokutil-support-new-pw-hash.patch
BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: x86_64 ExclusiveArch: x86_64
@ -48,6 +53,9 @@ Authors:
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
%configure %configure
@ -61,6 +69,7 @@ make
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING
%{_bindir}/mokutil %{_bindir}/mokutil
%{_mandir}/man?/* %{_mandir}/man?/*