Accepting request 223733 from Base:System

add an option to revoke the built-in certificate in shim (forwarded request 223348 from gary_lin) OBS-URL: https://build.opensuse.org/request/show/223733 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mokutil?expand=0&rev=11
2014-02-25 06:33:40 +00:00 · 2014-02-25 06:33:40 +00:00 · f9f076002a
commit f9f076002a
parent 2ff838f4cb c2f76ab77d
3 changed files with 154 additions and 0 deletions
--- a/mokutil-support-revoke-builtin-cert.patch
+++ b/mokutil-support-revoke-builtin-cert.patch
@ -0,0 +1,145 @@
+From 0ebfada39e35d3366dfce45158a33f7624907d1f Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Fri, 21 Feb 2014 17:56:55 +0800
+Subject: [PATCH] Add the option to revoke the built-in certificate
+
+This is an openSUSE-only patch.
+
+This commit adds an option to create ClearVerify which contains
+the password hash to notify MokManager to show the option to
+revoke the built-in certificate.
+---
+ src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 82 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 1c32313..14adae7 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
+ #define IMPORT_HASH        (1 << 21)
+ #define DELETE_HASH        (1 << 22)
+ #define VERBOSITY          (1 << 23)
+#define REVOKE_CERT        (1 << 24)
+ 
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
+@@ -151,6 +152,7 @@ print_help ()
+ 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
+ 	printf ("  --db\t\t\t\t\tList the keys in db\n");
+ 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
+	printf ("  --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
+ 	printf ("\n");
+ 	printf ("Supplimentary Options:\n");
+ 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
+@@ -1903,6 +1905,79 @@ set_verbosity (uint8_t verbosity)
+ 	return 0;
+ }
+ 
+static int
+revoke_builtin_cert (void)
+{
+	efi_variable_t var;
+	pw_crypt_t pw_crypt;
+	uint8_t auth[SHA256_DIGEST_LENGTH];
+	char *password = NULL;
+	int pw_len;
+	int auth_ret;
+	int ret = -1;
+
+	/* Check use_openSUSE_cert */
+	memset (&var, 0, sizeof(var));
+	var.VariableName = "use_openSUSE_cert";
+	var.VendorGuid = SHIM_LOCK_GUID;
+
+	if (read_variable (&var) != EFI_SUCCESS)
+		return 0;
+
+	if ((uint8_t)*var.Data != 1) {
+		free (var.Data);
+		fprintf (stderr, "The built-in certificate is already revoked.\n");
+		return 0;
+	}
+	free (var.Data);
+
+	memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+	memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+	if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+		fprintf (stderr, "Abort\n");
+		goto error;
+	}
+
+	if (!use_simple_hash) {
+		pw_crypt.method = DEFAULT_CRYPT_METHOD;
+		auth_ret = generate_hash (&pw_crypt, password, pw_len);
+	} else {
+		auth_ret = generate_auth (NULL, 0, password, pw_len,
+					  auth);
+	}
+	if (auth_ret < 0) {
+		fprintf (stderr, "Couldn't generate hash\n");
+		goto error;
+	}
+
+	if (!use_simple_hash) {
+		var.Data = (void *)&pw_crypt;
+		var.DataSize = PASSWORD_CRYPT_SIZE;
+	} else {
+		var.Data = (void *)auth;
+		var.DataSize = SHA256_DIGEST_LENGTH;
+	}
+	var.VariableName = "ClearVerify";
+
+	var.VendorGuid = SHIM_LOCK_GUID;
+	var.Attributes = EFI_VARIABLE_NON_VOLATILE
+			 | EFI_VARIABLE_BOOTSERVICE_ACCESS
+			 | EFI_VARIABLE_RUNTIME_ACCESS;
+
+	if (edit_protected_variable (&var) != EFI_SUCCESS) {
+		fprintf (stderr, "Failed to write ClearVerify\n");
+		goto error;
+	}
+
+	ret = 0;
+error:
+	if (password)
+		free (password);
+
+	return ret;
+}
+
+ static inline int
+ list_db (DBName db_name)
+ {
+@@ -1974,6 +2049,7 @@ main (int argc, char *argv[])
+ 			{"kek",                no_argument,       0, 0  },
+ 			{"db",                 no_argument,       0, 0  },
+ 			{"dbx",                no_argument,       0, 0  },
+			{"revoke-cert",        no_argument,       0, 0  },
+ 			{0, 0, 0, 0}
+ 		};
+ 
+@@ -2061,6 +2137,8 @@ main (int argc, char *argv[])
+ 					command |= LIST_ENROLLED;
+ 					db_name = DBX;
+ 				}
+			} else if (strcmp (option, "revoke-cert") == 0) {
+				command |= REVOKE_CERT;
+ 			}
+ 
+ 			break;
+@@ -2303,6 +2381,10 @@ main (int argc, char *argv[])
+ 		case VERBOSITY:
+ 			ret = set_verbosity (verbosity);
+ 			break;
+		case REVOKE_CERT:
+		case REVOKE_CERT | SIMPLE_HASH:
+			ret = revoke_builtin_cert ();
+			break;
+ 		default:
+ 			print_help ();
+ 			break;
+-- 
+1.8.4.5
+
--- a/mokutil.changes
+++ b/mokutil.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb 21 10:10:15 UTC 2014 - glin@suse.com
+
+- Add mokutil-support-revoke-builtin-cert.patch to add an option to
+  revoke the built-in certificate in shim
+
 -------------------------------------------------------------------
 Wed Feb 12 10:06:31 UTC 2014 - glin@suse.com

--- a/mokutil.spec
+++ b/mokutil.spec
@ -32,6 +32,8 @@ Patch2:         mokutil-mokx-support.patch
 Patch3:         mokutil-fix-hash-list-size.patch
 # PATCH-FIX-UPSTREAM mokutil-clean-request.patch glin@suse.com -- Clear the request if all keys are removed
 Patch4:         mokutil-clean-request.patch
+# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
+Patch100:       mokutil-support-revoke-builtin-cert.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libopenssl-devel >= 0.9.8
@ -55,6 +57,7 @@ Authors:
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch100 -p1

 %build
 %configure