From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 21 Feb 2014 17:56:55 +0800 Subject: [PATCH 1/4] Add the option to revoke the built-in certificate This is an openSUSE-only patch. This commit adds an option to create ClearVerify which contains the password hash to notify MokManager to show the option to revoke the built-in certificate. --- src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index 02ed21f..d95a2eb 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -86,6 +86,7 @@ #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) #define TIMEOUT (1 << 24) +#define REVOKE_CERT (1 << 25) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX @@ -180,6 +181,7 @@ print_help () printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); + printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file \t\tUse the specific password hash\n"); @@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity) return 0; } +static int +revoke_builtin_cert (void) +{ + efi_variable_t var; + pw_crypt_t pw_crypt; + uint8_t auth[SHA256_DIGEST_LENGTH]; + char *password = NULL; + int pw_len; + int auth_ret; + int ret = -1; + + /* Check use_openSUSE_cert */ + memset (&var, 0, sizeof(var)); + var.VariableName = "use_openSUSE_cert"; + var.VendorGuid = SHIM_LOCK_GUID; + + if (read_variable (&var) != EFI_SUCCESS) + return 0; + + if ((uint8_t)*var.Data != 1) { + free (var.Data); + fprintf (stderr, "The built-in certificate is already revoked.\n"); + return 0; + } + free (var.Data); + + memset (&pw_crypt, 0, sizeof(pw_crypt_t)); + memset (auth, 0, SHA256_DIGEST_LENGTH); + + if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { + fprintf (stderr, "Abort\n"); + goto error; + } + + if (!use_simple_hash) { + pw_crypt.method = DEFAULT_CRYPT_METHOD; + auth_ret = generate_hash (&pw_crypt, password, pw_len); + } else { + auth_ret = generate_auth (NULL, 0, password, pw_len, + auth); + } + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; + } + + if (!use_simple_hash) { + var.Data = (void *)&pw_crypt; + var.DataSize = PASSWORD_CRYPT_SIZE; + } else { + var.Data = (void *)auth; + var.DataSize = SHA256_DIGEST_LENGTH; + } + var.VariableName = "ClearVerify"; + + var.VendorGuid = SHIM_LOCK_GUID; + var.Attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + + if (edit_protected_variable (&var) != EFI_SUCCESS) { + fprintf (stderr, "Failed to write ClearVerify\n"); + goto error; + } + + ret = 0; +error: + if (password) + free (password); + + return ret; +} + static inline int list_db (DBName db_name) { @@ -2480,6 +2555,7 @@ main (int argc, char *argv[]) {"timeout", required_argument, 0, 0 }, {"ca-check", no_argument, 0, 0 }, {"ignore-keyring", no_argument, 0, 0 }, + {"revoke-cert", no_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2570,6 +2646,8 @@ main (int argc, char *argv[]) force_ca_check = 1; } else if (strcmp (option, "ignore-keyring") == 0) { check_keyring = 0; + } else if (strcmp (option, "revoke-cert") == 0) { + command |= REVOKE_CERT; } break; @@ -2839,6 +2917,10 @@ main (int argc, char *argv[]) case TIMEOUT: ret = set_timeout (timeout); break; + case REVOKE_CERT: + case REVOKE_CERT | SIMPLE_HASH: + ret = revoke_builtin_cert (); + break; default: print_help (); break; -- 2.28.0 From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 4 Nov 2014 14:50:36 +0800 Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables This is an openSUSE-only patch. Adapt the changes in the mainline. --- src/mokutil.c | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index d95a2eb..8be0b77 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity) static int revoke_builtin_cert (void) { - efi_variable_t var; + uint32_t attributes; + size_t data_size; + uint8_t *data; pw_crypt_t pw_crypt; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; - int pw_len; + unsigned int pw_len; int auth_ret; int ret = -1; /* Check use_openSUSE_cert */ - memset (&var, 0, sizeof(var)); - var.VariableName = "use_openSUSE_cert"; - var.VendorGuid = SHIM_LOCK_GUID; + if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert", + &data, &data_size, &attributes) < 0) { + fprintf (stderr, "Failed to get use_openSUSE_cert\n"); + return 0; + } - if (read_variable (&var) != EFI_SUCCESS) + if (data_size != 1) { + free (data); + fprintf (stderr, "Invalid variable: use_openSUSE_cert\n"); return 0; + } - if ((uint8_t)*var.Data != 1) { - free (var.Data); + if (*data != 1) { + free (data); fprintf (stderr, "The built-in certificate is already revoked.\n"); return 0; } - free (var.Data); + free (data); memset (&pw_crypt, 0, sizeof(pw_crypt_t)); memset (auth, 0, SHA256_DIGEST_LENGTH); @@ -2446,20 +2453,18 @@ revoke_builtin_cert (void) } if (!use_simple_hash) { - var.Data = (void *)&pw_crypt; - var.DataSize = PASSWORD_CRYPT_SIZE; + data = (uint8_t *)&pw_crypt; + data_size = PASSWORD_CRYPT_SIZE; } else { - var.Data = (void *)auth; - var.DataSize = SHA256_DIGEST_LENGTH; + data = auth; + data_size = SHA256_DIGEST_LENGTH; } - var.VariableName = "ClearVerify"; - - var.VendorGuid = SHIM_LOCK_GUID; - var.Attributes = EFI_VARIABLE_NON_VOLATILE - | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS; + attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; - if (edit_protected_variable (&var) != EFI_SUCCESS) { + if (efi_set_variable (efi_guid_shim, "ClearVerify", + data, data_size, attributes) < 0) { fprintf (stderr, "Failed to write ClearVerify\n"); goto error; } -- 2.28.0 From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Wed, 13 Jul 2016 14:58:15 +0800 Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24 This is an openSUSE-only patch. --- src/mokutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index 8be0b77..f27bba0 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -2464,7 +2464,8 @@ revoke_builtin_cert (void) | EFI_VARIABLE_RUNTIME_ACCESS; if (efi_set_variable (efi_guid_shim, "ClearVerify", - data, data_size, attributes) < 0) { + data, data_size, attributes, + S_IRUSR | S_IWUSR) < 0) { fprintf (stderr, "Failed to write ClearVerify\n"); goto error; } -- 2.28.0 From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 14 Aug 2020 14:57:23 +0800 Subject: [PATCH 4/4] man: add "--revoke-cert" The argument "--revoke-cert" was not addressed in the man page. This is an openSUSE-only patch. Signed-off-by: Gary Lin --- man/mokutil.1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/man/mokutil.1 b/man/mokutil.1 index cbea367..1c18d7a 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--dbx] .br +\fBmokutil\fR [--revoke-cert] +.br .SH DESCRIPTION \fBmokutil\fR is a tool to import or delete the machines owner keys @@ -180,3 +182,6 @@ databases. \fB--ignore-keyring\fR Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList .TP +\fB--revoke-cert\fR +Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic) +.TP -- 2.28.0