Accepting request 223348 from home:gary_lin:branches:Base:System

add an option to revoke the built-in certificate in shim

OBS-URL: https://build.opensuse.org/request/show/223348
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=18
This commit is contained in:
Marcus Meissner 2014-02-24 16:32:32 +00:00 committed by Git OBS Bridge
parent 9e957ec20e
commit c2f76ab77d
3 changed files with 154 additions and 0 deletions

View File

@ -0,0 +1,145 @@
From 0ebfada39e35d3366dfce45158a33f7624907d1f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH] Add the option to revoke the built-in certificate
This is an openSUSE-only patch.
This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 1c32313..14adae7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
#define IMPORT_HASH (1 << 21)
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
+#define REVOKE_CERT (1 << 24)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -151,6 +152,7 @@ print_help ()
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1903,6 +1905,79 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+revoke_builtin_cert (void)
+{
+ efi_variable_t var;
+ pw_crypt_t pw_crypt;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password = NULL;
+ int pw_len;
+ int auth_ret;
+ int ret = -1;
+
+ /* Check use_openSUSE_cert */
+ memset (&var, 0, sizeof(var));
+ var.VariableName = "use_openSUSE_cert";
+ var.VendorGuid = SHIM_LOCK_GUID;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ if ((uint8_t)*var.Data != 1) {
+ free (var.Data);
+ fprintf (stderr, "The built-in certificate is already revoked.\n");
+ return 0;
+ }
+ free (var.Data);
+
+ memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+ memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+ fprintf (stderr, "Abort\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
+ } else {
+ auth_ret = generate_auth (NULL, 0, password, pw_len,
+ auth);
+ }
+ if (auth_ret < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ var.Data = (void *)&pw_crypt;
+ var.DataSize = PASSWORD_CRYPT_SIZE;
+ } else {
+ var.Data = (void *)auth;
+ var.DataSize = SHA256_DIGEST_LENGTH;
+ }
+ var.VariableName = "ClearVerify";
+
+ var.VendorGuid = SHIM_LOCK_GUID;
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to write ClearVerify\n");
+ goto error;
+ }
+
+ ret = 0;
+error:
+ if (password)
+ free (password);
+
+ return ret;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -1974,6 +2049,7 @@ main (int argc, char *argv[])
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2061,6 +2137,8 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
db_name = DBX;
}
+ } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT;
}
break;
@@ -2303,6 +2381,10 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case REVOKE_CERT:
+ case REVOKE_CERT | SIMPLE_HASH:
+ ret = revoke_builtin_cert ();
+ break;
default:
print_help ();
break;
--
1.8.4.5

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Feb 21 10:10:15 UTC 2014 - glin@suse.com
- Add mokutil-support-revoke-builtin-cert.patch to add an option to
revoke the built-in certificate in shim
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 12 10:06:31 UTC 2014 - glin@suse.com Wed Feb 12 10:06:31 UTC 2014 - glin@suse.com

View File

@ -32,6 +32,8 @@ Patch2: mokutil-mokx-support.patch
Patch3: mokutil-fix-hash-list-size.patch Patch3: mokutil-fix-hash-list-size.patch
# PATCH-FIX-UPSTREAM mokutil-clean-request.patch glin@suse.com -- Clear the request if all keys are removed # PATCH-FIX-UPSTREAM mokutil-clean-request.patch glin@suse.com -- Clear the request if all keys are removed
Patch4: mokutil-clean-request.patch Patch4: mokutil-clean-request.patch
# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
Patch100: mokutil-support-revoke-builtin-cert.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: libopenssl-devel >= 0.9.8
@ -55,6 +57,7 @@ Authors:
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch100 -p1
%build %build
%configure %configure