From c2f76ab77dbbf10c708d4d6ab8365acde82eac48256e308e2000fd9d841d001f Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 24 Feb 2014 16:32:32 +0000 Subject: [PATCH] Accepting request 223348 from home:gary_lin:branches:Base:System add an option to revoke the built-in certificate in shim OBS-URL: https://build.opensuse.org/request/show/223348 OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=18 --- mokutil-support-revoke-builtin-cert.patch | 145 ++++++++++++++++++++++ mokutil.changes | 6 + mokutil.spec | 3 + 3 files changed, 154 insertions(+) create mode 100644 mokutil-support-revoke-builtin-cert.patch diff --git a/mokutil-support-revoke-builtin-cert.patch b/mokutil-support-revoke-builtin-cert.patch new file mode 100644 index 0000000..570ace8 --- /dev/null +++ b/mokutil-support-revoke-builtin-cert.patch @@ -0,0 +1,145 @@ +From 0ebfada39e35d3366dfce45158a33f7624907d1f Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 21 Feb 2014 17:56:55 +0800 +Subject: [PATCH] Add the option to revoke the built-in certificate + +This is an openSUSE-only patch. + +This commit adds an option to create ClearVerify which contains +the password hash to notify MokManager to show the option to +revoke the built-in certificate. +--- + src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 82 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1c32313..14adae7 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, + #define IMPORT_HASH (1 << 21) + #define DELETE_HASH (1 << 22) + #define VERBOSITY (1 << 23) ++#define REVOKE_CERT (1 << 24) + + #define DEFAULT_CRYPT_METHOD SHA512_BASED + #define DEFAULT_SALT_SIZE SHA512_SALT_MAX +@@ -151,6 +152,7 @@ print_help () + printf (" --kek\t\t\t\t\tList the keys in KEK\n"); + printf (" --db\t\t\t\t\tList the keys in db\n"); + printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); ++ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n"); + printf ("\n"); + printf ("Supplimentary Options:\n"); + printf (" --hash-file \t\tUse the specific password hash\n"); +@@ -1903,6 +1905,79 @@ set_verbosity (uint8_t verbosity) + return 0; + } + ++static int ++revoke_builtin_cert (void) ++{ ++ efi_variable_t var; ++ pw_crypt_t pw_crypt; ++ uint8_t auth[SHA256_DIGEST_LENGTH]; ++ char *password = NULL; ++ int pw_len; ++ int auth_ret; ++ int ret = -1; ++ ++ /* Check use_openSUSE_cert */ ++ memset (&var, 0, sizeof(var)); ++ var.VariableName = "use_openSUSE_cert"; ++ var.VendorGuid = SHIM_LOCK_GUID; ++ ++ if (read_variable (&var) != EFI_SUCCESS) ++ return 0; ++ ++ if ((uint8_t)*var.Data != 1) { ++ free (var.Data); ++ fprintf (stderr, "The built-in certificate is already revoked.\n"); ++ return 0; ++ } ++ free (var.Data); ++ ++ memset (&pw_crypt, 0, sizeof(pw_crypt_t)); ++ memset (auth, 0, SHA256_DIGEST_LENGTH); ++ ++ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { ++ fprintf (stderr, "Abort\n"); ++ goto error; ++ } ++ ++ if (!use_simple_hash) { ++ pw_crypt.method = DEFAULT_CRYPT_METHOD; ++ auth_ret = generate_hash (&pw_crypt, password, pw_len); ++ } else { ++ auth_ret = generate_auth (NULL, 0, password, pw_len, ++ auth); ++ } ++ if (auth_ret < 0) { ++ fprintf (stderr, "Couldn't generate hash\n"); ++ goto error; ++ } ++ ++ if (!use_simple_hash) { ++ var.Data = (void *)&pw_crypt; ++ var.DataSize = PASSWORD_CRYPT_SIZE; ++ } else { ++ var.Data = (void *)auth; ++ var.DataSize = SHA256_DIGEST_LENGTH; ++ } ++ var.VariableName = "ClearVerify"; ++ ++ var.VendorGuid = SHIM_LOCK_GUID; ++ var.Attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ ++ if (edit_protected_variable (&var) != EFI_SUCCESS) { ++ fprintf (stderr, "Failed to write ClearVerify\n"); ++ goto error; ++ } ++ ++ ret = 0; ++error: ++ if (password) ++ free (password); ++ ++ return ret; ++} ++ + static inline int + list_db (DBName db_name) + { +@@ -1974,6 +2049,7 @@ main (int argc, char *argv[]) + {"kek", no_argument, 0, 0 }, + {"db", no_argument, 0, 0 }, + {"dbx", no_argument, 0, 0 }, ++ {"revoke-cert", no_argument, 0, 0 }, + {0, 0, 0, 0} + }; + +@@ -2061,6 +2137,8 @@ main (int argc, char *argv[]) + command |= LIST_ENROLLED; + db_name = DBX; + } ++ } else if (strcmp (option, "revoke-cert") == 0) { ++ command |= REVOKE_CERT; + } + + break; +@@ -2303,6 +2381,10 @@ main (int argc, char *argv[]) + case VERBOSITY: + ret = set_verbosity (verbosity); + break; ++ case REVOKE_CERT: ++ case REVOKE_CERT | SIMPLE_HASH: ++ ret = revoke_builtin_cert (); ++ break; + default: + print_help (); + break; +-- +1.8.4.5 + diff --git a/mokutil.changes b/mokutil.changes index 891c209..cfe742a 100644 --- a/mokutil.changes +++ b/mokutil.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 21 10:10:15 UTC 2014 - glin@suse.com + +- Add mokutil-support-revoke-builtin-cert.patch to add an option to + revoke the built-in certificate in shim + ------------------------------------------------------------------- Wed Feb 12 10:06:31 UTC 2014 - glin@suse.com diff --git a/mokutil.spec b/mokutil.spec index 5014504..798d516 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -32,6 +32,8 @@ Patch2: mokutil-mokx-support.patch Patch3: mokutil-fix-hash-list-size.patch # PATCH-FIX-UPSTREAM mokutil-clean-request.patch glin@suse.com -- Clear the request if all keys are removed Patch4: mokutil-clean-request.patch +# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate +Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libopenssl-devel >= 0.9.8 @@ -55,6 +57,7 @@ Authors: %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch100 -p1 %build %configure