Accepting request 906400 from home:gary_lin:branches:Base:System

Update to 0.5.0 OBS-URL: https://build.opensuse.org/request/show/906400 OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=49
2021-07-15 06:53:54 +00:00 · 2021-07-15 06:53:54 +00:00 · 8fe0d95cd7
commit 8fe0d95cd7
parent 40de81a2f8
9 changed files with 104 additions and 1513 deletions
--- a/0.4.0.tar.gz
+++ b/0.4.0.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2e9c574e4a4fa63b2f23116cdcb389f448a28945548e232076f77947e35b7361
 size 33222
--- a/0.5.0.tar.gz
+++ b/0.5.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:af7616855f817e7eb54043071e51c8651bc8cc479ac455fbfe35203d98de8181
 size 37181
--- a/mokutil-bsc1173115-add-ca-and-keyring-checks.patch
+++ b/mokutil-bsc1173115-add-ca-and-keyring-checks.patch
--- a/mokutil-fix-missing-header.patch
+++ b/mokutil-fix-missing-header.patch
@ -0,0 +1,28 @@
 From b15e7c4d7a99f82edb68de1177198b17972682da Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Thu, 15 Jul 2021 14:41:56 +0800
 Subject: [PATCH] util: add the missing stdio.h
 The header, stdio.h, was missing when moving functions to util.c and
 some compiler would complain implicit declaration.
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 src/util.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/util.c b/src/util.c
 index d875144..621869f 100644
 --- a/src/util.c
 +++ b/src/util.c
@@ -29,6 +29,7 @@
  * files in the program, then also delete it here.
  */
 +#include <stdio.h>
 #include <stdlib.h>
 #include <termios.h>
 -- 
 2.31.1
--- a/mokutil-remove-libkeyutils-check.patch
+++ b/mokutil-remove-libkeyutils-check.patch
@ -11,10 +11,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
 src/Makefile.am | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)
-diff --git a/configure.ac b/configure.ac
+Index: mokutil-0.5.0/configure.ac
-index b0b0376..d74fd21 100644
+===================================================================
--- a/configure.ac
+--- mokutil-0.5.0.orig/configure.ac
-+++ b/configure.ac
+++ mokutil-0.5.0/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset])
 PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
@ -23,16 +23,17 @@ index b0b0376..d74fd21 100644
 AC_ARG_WITH([bash-completion-dir],
     AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
-diff --git a/src/Makefile.am b/src/Makefile.am
+Index: mokutil-0.5.0/src/Makefile.am
-index f616b90..664b80a 100644
+===================================================================
--- a/src/Makefile.am
+--- mokutil-0.5.0.orig/src/Makefile.am
-+++ b/src/Makefile.am
+++ mokutil-0.5.0/src/Makefile.am
-@@ -2,12 +2,11 @@ bin_PROGRAMS    = mokutil
+@@ -2,13 +2,12 @@ bin_PROGRAMS    = mokutil
 mokutil_CFLAGS  = $(OPENSSL_CFLAGS)	\
 		  $(EFIVAR_CFLAGS)	\
 -		  $(LIBKEYUTILS_CFLAGS)	\
- 		  $(WARNINGFLAGS_C)
+ 		  $(WARNINGFLAGS_C)	\
 		  -DVERSION="\"$(VERSION)\""
 mokutil_LDADD   = $(OPENSSL_LIBS)	\
 		  $(EFIVAR_LIBS)	\
@ -41,6 +42,3 @@ index f616b90..664b80a 100644
 		  -lcrypt
 mokutil_SOURCES = signature.h \
 -- 
 2.28.0
--- a/mokutil-remove-shebang-from-bash-completion-file.patch
+++ b/mokutil-remove-shebang-from-bash-completion-file.patch
@ -1,23 +0,0 @@
 From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Tue, 28 May 2019 12:33:32 +0800
 Subject: [PATCH] Remove shebang from bash-completion/mokutil
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 data/mokutil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/data/mokutil b/data/mokutil
 index 800b039..cf50606 100755
 --- a/data/mokutil
 +++ b/data/mokutil
@@ -1,4 +1,4 @@
 -#!/bin/bash
 +# mokutil(1) completion
 _mokutil()
 {
 -- 
 2.21.0
--- a/mokutil-support-revoke-builtin-cert.patch
+++ b/mokutil-support-revoke-builtin-cert.patch
@ -1,306 +0,0 @@
 From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 21 Feb 2014 17:56:55 +0800
 Subject: [PATCH 1/4] Add the option to revoke the built-in certificate
 This is an openSUSE-only patch.
 This commit adds an option to create ClearVerify which contains
 the password hash to notify MokManager to show the option to
 revoke the built-in certificate.
 ---
 src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 02ed21f..d95a2eb 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -86,6 +86,7 @@
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
 #define TIMEOUT            (1 << 24)
 +#define REVOKE_CERT        (1 << 25)
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -180,6 +181,7 @@ print_help ()
 	printf ("  --db\t\t\t\t\tList the keys in db\n");
 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
 	printf ("  --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
 +	printf ("  --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
 	printf ("\n");
 	printf ("Supplimentary Options:\n");
 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity)
 	return 0;
 }
 +static int
 +revoke_builtin_cert (void)
 +{
 +	efi_variable_t var;
 +	pw_crypt_t pw_crypt;
 +	uint8_t auth[SHA256_DIGEST_LENGTH];
 +	char *password = NULL;
 +	int pw_len;
 +	int auth_ret;
 +	int ret = -1;
 +
 +	/* Check use_openSUSE_cert */
 +	memset (&var, 0, sizeof(var));
 +	var.VariableName = "use_openSUSE_cert";
 +	var.VendorGuid = SHIM_LOCK_GUID;
 +
 +	if (read_variable (&var) != EFI_SUCCESS)
 +		return 0;
 +
 +	if ((uint8_t)*var.Data != 1) {
 +		free (var.Data);
 +		fprintf (stderr, "The built-in certificate is already revoked.\n");
 +		return 0;
 +	}
 +	free (var.Data);
 +
 +	memset (&pw_crypt, 0, sizeof(pw_crypt_t));
 +	memset (auth, 0, SHA256_DIGEST_LENGTH);
 +
 +	if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
 +		fprintf (stderr, "Abort\n");
 +		goto error;
 +	}
 +
 +	if (!use_simple_hash) {
 +		pw_crypt.method = DEFAULT_CRYPT_METHOD;
 +		auth_ret = generate_hash (&pw_crypt, password, pw_len);
 +	} else {
 +		auth_ret = generate_auth (NULL, 0, password, pw_len,
 +					  auth);
 +	}
 +	if (auth_ret < 0) {
 +		fprintf (stderr, "Couldn't generate hash\n");
 +		goto error;
 +	}
 +
 +	if (!use_simple_hash) {
 +		var.Data = (void *)&pw_crypt;
 +		var.DataSize = PASSWORD_CRYPT_SIZE;
 +	} else {
 +		var.Data = (void *)auth;
 +		var.DataSize = SHA256_DIGEST_LENGTH;
 +	}
 +	var.VariableName = "ClearVerify";
 +
 +	var.VendorGuid = SHIM_LOCK_GUID;
 +	var.Attributes = EFI_VARIABLE_NON_VOLATILE
 +			 | EFI_VARIABLE_BOOTSERVICE_ACCESS
 +			 | EFI_VARIABLE_RUNTIME_ACCESS;
 +
 +	if (edit_protected_variable (&var) != EFI_SUCCESS) {
 +		fprintf (stderr, "Failed to write ClearVerify\n");
 +		goto error;
 +	}
 +
 +	ret = 0;
 +error:
 +	if (password)
 +		free (password);
 +
 +	return ret;
 +}
 +
 static inline int
 list_db (DBName db_name)
 {
@@ -2480,6 +2555,7 @@ main (int argc, char *argv[])
 			{"timeout",            required_argument, 0, 0  },
 			{"ca-check",           no_argument,       0, 0  },
 			{"ignore-keyring",     no_argument,       0, 0  },
 +			{"revoke-cert",        no_argument,       0, 0  },
 			{0, 0, 0, 0}
 		};
@@ -2570,6 +2646,8 @@ main (int argc, char *argv[])
 				force_ca_check = 1;
 			} else if (strcmp (option, "ignore-keyring") == 0) {
 				check_keyring = 0;
 +			} else if (strcmp (option, "revoke-cert") == 0) {
 +				command |= REVOKE_CERT;
 			}
 			break;
@@ -2839,6 +2917,10 @@ main (int argc, char *argv[])
 		case TIMEOUT:
 			ret = set_timeout (timeout);
 			break;
 +		case REVOKE_CERT:
 +		case REVOKE_CERT | SIMPLE_HASH:
 +			ret = revoke_builtin_cert ();
 +			break;
 		default:
 			print_help ();
 			break;
 -- 
 2.28.0
 From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 4 Nov 2014 14:50:36 +0800
 Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables
 This is an openSUSE-only patch.
 Adapt the changes in the mainline.
 ---
 src/mokutil.c | 45 +++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index d95a2eb..8be0b77 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity)
 static int
 revoke_builtin_cert (void)
 {
 -	efi_variable_t var;
 +	uint32_t attributes;
 +	size_t data_size;
 +	uint8_t *data;
 	pw_crypt_t pw_crypt;
 	uint8_t auth[SHA256_DIGEST_LENGTH];
 	char *password = NULL;
 -	int pw_len;
 +	unsigned int pw_len;
 	int auth_ret;
 	int ret = -1;
 	/* Check use_openSUSE_cert */
 -	memset (&var, 0, sizeof(var));
 -	var.VariableName = "use_openSUSE_cert";
 -	var.VendorGuid = SHIM_LOCK_GUID;
 +	if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
 +			      &data, &data_size, &attributes) < 0) {
 +		fprintf (stderr, "Failed to get use_openSUSE_cert\n");
 +		return 0;
 +	}
 -	if (read_variable (&var) != EFI_SUCCESS)
 +	if (data_size != 1) {
 +		free (data);
 +		fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
 		return 0;
 +	}
 -	if ((uint8_t)*var.Data != 1) {
 -		free (var.Data);
 +	if (*data != 1) {
 +		free (data);
 		fprintf (stderr, "The built-in certificate is already revoked.\n");
 		return 0;
 	}
 -	free (var.Data);
 +	free (data);
 	memset (&pw_crypt, 0, sizeof(pw_crypt_t));
 	memset (auth, 0, SHA256_DIGEST_LENGTH);
@@ -2446,20 +2453,18 @@ revoke_builtin_cert (void)
 	}
 	if (!use_simple_hash) {
 -		var.Data = (void *)&pw_crypt;
 -		var.DataSize = PASSWORD_CRYPT_SIZE;
 +		data = (uint8_t *)&pw_crypt;
 +		data_size = PASSWORD_CRYPT_SIZE;
 	} else {
 -		var.Data = (void *)auth;
 -		var.DataSize = SHA256_DIGEST_LENGTH;
 +		data = auth;
 +		data_size = SHA256_DIGEST_LENGTH;
 	}
 -	var.VariableName = "ClearVerify";
 -
 -	var.VendorGuid = SHIM_LOCK_GUID;
 -	var.Attributes = EFI_VARIABLE_NON_VOLATILE
 -			 | EFI_VARIABLE_BOOTSERVICE_ACCESS
 -			 | EFI_VARIABLE_RUNTIME_ACCESS;
 +	attributes = EFI_VARIABLE_NON_VOLATILE
 +		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
 +		     | EFI_VARIABLE_RUNTIME_ACCESS;
 -	if (edit_protected_variable (&var) != EFI_SUCCESS) {
 +	if (efi_set_variable (efi_guid_shim, "ClearVerify",
 +			      data, data_size, attributes) < 0) {
 		fprintf (stderr, "Failed to write ClearVerify\n");
 		goto error;
 	}
 -- 
 2.28.0
 From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Wed, 13 Jul 2016 14:58:15 +0800
 Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24
 This is an openSUSE-only patch.
 ---
 src/mokutil.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/mokutil.c b/src/mokutil.c
 index 8be0b77..f27bba0 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
@@ -2464,7 +2464,8 @@ revoke_builtin_cert (void)
 		     | EFI_VARIABLE_RUNTIME_ACCESS;
 	if (efi_set_variable (efi_guid_shim, "ClearVerify",
 -			      data, data_size, attributes) < 0) {
 +			      data, data_size, attributes,
 +			      S_IRUSR | S_IWUSR) < 0) {
 		fprintf (stderr, "Failed to write ClearVerify\n");
 		goto error;
 	}
 -- 
 2.28.0
 From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Fri, 14 Aug 2020 14:57:23 +0800
 Subject: [PATCH 4/4] man: add "--revoke-cert"
 The argument "--revoke-cert" was not addressed in the man page.
 This is an openSUSE-only patch.
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 man/mokutil.1 | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/man/mokutil.1 b/man/mokutil.1
 index cbea367..1c18d7a 100644
 --- a/man/mokutil.1
 +++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
 .br
 \fBmokutil\fR [--dbx]
 .br
 +\fBmokutil\fR [--revoke-cert]
 +.br
 .SH DESCRIPTION
 \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -180,3 +182,6 @@ databases.
 \fB--ignore-keyring\fR
 Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
 .TP
 +\fB--revoke-cert\fR
 +Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic)
 +.TP
 -- 
 2.28.0
--- a/mokutil.changes
+++ b/mokutil.changes
@ -1,3 +1,59 @@
 -------------------------------------------------------------------
 Thu Jul 15 06:39:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 - Update to 0.5.0
  + mokutil: delete key/hash from the reverse request
  + efi_x509: fix an error handling in is_immediate_ca()
  + efi_x509: fix certificates fingerprint calculation
  + efi_x509: use EVP_Digest()* functions instead of the deprecated
    SHA1_*()
  + src/util.c: fix NULL pointer dereference in mok_get_variable
  + mokutil: Read the SbatLevelRT variable to get the SBAT entries
  + mokutil: add mok-variables parsing support
  + mokutil: Add option to print the UEFI SBAT variable content
  + mokutil: only check for Secure Boot support in options that
    need it
  + efi_x509: add the function to fetch SKID
  + keyring: add the function to check kernel keyring
  + mokutil: initialize data for efi_get_variable()
  + mokutil: correct the data for efi_set_variable() in
    set_password()
  + mokutil: improve the readability of issue_mok_request()
  + mokutil: drop the checks for PK and KEK
  + mokutil: check the blocklists before enrolling a key
  + mokutil: adjust the command bits
  + mokutil: remove "--simple-hash"
  + make CA check non-fatal
  + mokutil: close file in the error path
  + mokutil: do the CA check
  + efi_x509: add the function to check immediate CA
  + efi_x509: use d2i_X509() to create X509 handling
  + mokutil: rename hash_file as pw_hash_file
  + password-crypt: update the function names
  + password-crypt: fix the types of several functions
  + mokutil: fix the error message in sb_state()
  + mokutil: move x509 functions to efi_x509.c
  + mokutil: move the hash functions to efi_hash.c
  + util: add functions for db_var_name and db_friendly_name
  + Remove the SHA1 code from identify_hash_type()
  + Map the UEFI variable names with a function
  + Fix -Wcast-align warnings
  + Fix 32 bit build
  + Add --timeout to manpage and other corrections.
  + mokutil.c: fix typo enrollement -> enrollment
  + Avoid taking pointer to packed struct
  + Fix name of --enable-validation in the description
  + Remove shebang from bash-completion/mokutil
 - Add mokutil-fix-missing-header.patch to fix the compilation error
  due to the missing header
 - Refresh mokutil-remove-libkeyutils-check.patch and only apply
  it to openSUSE Leap 15.*
 - Drop upstreamed patches:
  + mokutil-remove-shebang-from-bash-completion-file.patch
  + mokutil-bsc1173115-add-ca-and-keyring-checks.patch
 - Drop mokutil-support-revoke-builtin-cert.patch since we don't use
  the builtin cert prompt patch in shim anymore.
 -------------------------------------------------------------------
 Tue May  4 06:52:03 UTC 2021 - Dirk Müller <dmueller@suse.com>
--- a/mokutil.spec
+++ b/mokutil.spec
@ -17,7 +17,7 @@
 Name:           mokutil
-Version:        0.4.0
+Version:        0.5.0
 Release:        0
 Summary:        Tools for manipulating machine owner keys
 License:        GPL-3.0-only
@ -25,13 +25,10 @@ Group:          Productivity/Security
 URL:            https://github.com/lcp/mokutil
 Source:         https://github.com/lcp/%{name}/archive/%{version}.tar.gz
 Source1:        modhash
 # PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch glin@suse.com -- Remove shebang from bash-completion/mokutil
 Patch1:         mokutil-remove-shebang-from-bash-completion-file.patch
 # PATCH-FIX-UPSTREAM mokutil-bsc1173115-add-ca-and-keyring-checks.patch bsc#1173115 glin@suse.com -- Add options for CA and kernel keyring checks
 Patch2:         mokutil-bsc1173115-add-ca-and-keyring-checks.patch
 # PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version
-Patch3:         mokutil-remove-libkeyutils-check.patch
+Patch1:         mokutil-remove-libkeyutils-check.patch
-Patch100:       mokutil-support-revoke-builtin-cert.patch
+# PATCH-FIX-UPSTREAM mokutil-fix-missing-header.patch glin@suse.com -- Fix the compilation error due to the missing header
 Patch2:         mokutil-fix-missing-header.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  efivar-devel >= 0.12
@ -47,10 +44,10 @@ keys (MOK) stored in the database of shim.
 %prep
 %setup -q
 %if 0%{?suse_version} <= 1500
 %patch1 -p1
 %endif
 %patch2 -p1
 %patch3 -p1
 %patch100 -p1
 %build
 ./autogen.sh