From 36241509b1c96c3103becae75dc6df72d794cce7 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 13 Dec 2012 17:09:34 +0800 Subject: [PATCH 1/7] Move fail check to get_password() --- src/mokutil.c | 83 ++++++++++++++++++++++++++++++++------------------------- 1 file changed, 46 insertions(+), 37 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index aba1cfb..eea2b6c 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -297,39 +297,60 @@ static int get_password (char **password, int *len, int min, int max) { char *password_1, *password_2; - int len_1, len_2; + int len_1, len_2, fail, ret = -1; size_t n; password_1 = password_2 = NULL; - printf ("input password (%d~%d characters): ", min, max); - len_1 = read_hidden_line (&password_1, &n); - printf ("\n"); + fail = 0; - if (len_1 > max || len_1 < min) { - free (password_1); - fprintf (stderr, "password should be %d~%d characters\n", - min, max); - return -1; + while (fail < 3) { + printf ("input password (%d~%d characters): ", min, max); + len_1 = read_hidden_line (&password_1, &n); + printf ("\n"); + + if (len_1 > max || len_1 < min) { + fail++; + fprintf (stderr, "password should be %d~%d characters\n", + min, max); + } else { + break; + } } - printf ("input password again: "); - len_2 = read_hidden_line (&password_2, &n); - printf ("\n"); + if (fail >= 3) { + if (password_1) + free (password_1); + goto error; + } - if (len_1 != len_2 || strcmp (password_1, password_2) != 0) { - free (password_1); - free (password_2); - fprintf (stderr, "password doesn't match\n"); - return -1; + fail = 0; + + while (fail < 3) { + printf ("input password again: "); + len_2 = read_hidden_line (&password_2, &n); + printf ("\n"); + + if (len_1 != len_2 || strcmp (password_1, password_2) != 0) { + fail++; + fprintf (stderr, "password doesn't match\n"); + } else { + break; + } } + if (fail >= 3) + goto error; + *password = password_1; *len = len_1; - free (password_2); + ret = 0; +error: + if (password_2) + free (password_2); - return 0; + return ret; } static int @@ -364,14 +385,10 @@ update_request (void *new_list, int list_len) efi_variable_t var; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; - int pw_len, fail = 0; + int pw_len; int ret = -1; - while (fail < 3 && - get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) - fail++; - - if (fail >= 3) { + if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { fprintf (stderr, "Abort\n"); goto error; } @@ -745,14 +762,10 @@ set_password () efi_variable_t var; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; - int pw_len, fail = 0; + int pw_len; int ret = -1; - while (fail < 3 && - get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) - fail++; - - if (fail >= 3) { + while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { fprintf (stderr, "Abort\n"); goto error; } @@ -789,15 +802,11 @@ set_validation (uint32_t state) efi_variable_t var; MokSBVar sbvar; char *password = NULL; - int pw_len, fail = 0; + int pw_len; efi_char16_t efichar_pass[PASSWORD_MAX]; int ret = -1; - while (fail < 3 && - get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) - fail++; - - if (fail >= 3) { + while (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { fprintf (stderr, "Abort\n"); goto error; } -- 1.7.10.4 From 2649dde769b563f55a85ea68eb1fc9ce5bc7c984 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 17 Dec 2012 16:22:41 +0800 Subject: [PATCH 2/7] Add "--test-key" to test if the key is enrolled or not --- src/mokutil.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index eea2b6c..68a25bc 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -41,6 +41,7 @@ enum Command { COMMAND_DISABLE_VALIDATION, COMMAND_ENABLE_VALIDATION, COMMAND_SB_STATE, + COMMAND_TEST_KEY, }; static void @@ -76,6 +77,9 @@ print_help () printf("SecureBoot State:\n"); printf(" mokutil --sb-state\n\n"); + + printf("Test if the key is enrolled or not:\n"); + printf(" mokutil --test-key\n\n"); } static int @@ -882,10 +886,57 @@ sb_state () return 0; } +static int +test_key (const char *key_file) +{ + struct stat buf; + void *key = NULL; + ssize_t read_size; + int fd, ret = -1; + + if (stat (key_file, &buf) != 0) { + fprintf (stderr, "Failed to get file status, %s\n", key_file); + return -1; + } + + key = malloc (buf.st_size); + + fd = open (key_file, O_RDONLY); + if (fd < 0) { + fprintf (stderr, "Failed to open %s\n", key_file); + goto error; + } + + read_size = read (fd, key, buf.st_size); + if (read_size < 0 || read_size != buf.st_size) { + fprintf (stderr, "Failed to read %s\n", key_file); + goto error; + } + + if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) && + !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) && + !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) && + !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) && + !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) { + printf ("%s is not enrolled\n", key_file); + ret = 0; + } else { + printf ("%s is already enrolled\n", key_file); + ret = 1; + } + +error: + if (key) + free (key); + + return ret; +} + int main (int argc, char *argv[]) { char **files = NULL; + char *key_file = NULL; int i, total; int command; @@ -962,6 +1013,17 @@ main (int argc, char *argv[]) command = COMMAND_SB_STATE; + } else if (strcmp (argv[1], "--test-key") == 0) { + + if (argc < 3) { + print_help (); + return -1; + } + + key_file = argv[2]; + + command = COMMAND_TEST_KEY; + } else { fprintf (stderr, "Unknown argument: %s\n\n", argv[1]); print_help (); @@ -999,6 +1061,9 @@ main (int argc, char *argv[]) case COMMAND_SB_STATE: sb_state (); break; + case COMMAND_TEST_KEY: + test_key (key_file); + break; default: fprintf (stderr, "Unknown command\n"); break; -- 1.7.10.4 From bba82fceec875ccf0d92eae1e9c7db54e92bcec9 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 17 Dec 2012 16:33:59 +0800 Subject: [PATCH 3/7] Handle the return values --- src/mokutil.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index 68a25bc..13ef69d 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -939,6 +939,7 @@ main (int argc, char *argv[]) char *key_file = NULL; int i, total; int command; + int ret = -1; if (argc < 2) { print_help (); @@ -1032,37 +1033,37 @@ main (int argc, char *argv[]) switch (command) { case COMMAND_LIST_ENROLLED: - list_enrolled_keys (); + ret = list_enrolled_keys (); break; case COMMAND_LIST_NEW: - list_new_keys (); + ret = list_new_keys (); break; case COMMAND_IMPORT: - import_moks (files, total); + ret = import_moks (files, total); break; case COMMAND_DELETE: - delete_all (); + ret = delete_all (); break; case COMMAND_REVOKE: - revoke_request (); + ret = revoke_request (); break; case COMMAND_EXPORT: - export_moks (); + ret = export_moks (); break; case COMMAND_PASSWORD: - set_password (); + ret = set_password (); break; case COMMAND_DISABLE_VALIDATION: - disable_validation (); + ret = disable_validation (); break; case COMMAND_ENABLE_VALIDATION: - enable_validation (); + ret = enable_validation (); break; case COMMAND_SB_STATE: - sb_state (); + ret = sb_state (); break; case COMMAND_TEST_KEY: - test_key (key_file); + ret = test_key (key_file); break; default: fprintf (stderr, "Unknown command\n"); @@ -1072,5 +1073,5 @@ main (int argc, char *argv[]) if (files) free (files); - return 0; + return ret; } -- 1.7.10.4 From fee5db0bd74fd7239832d435cdc653ade426c61c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 24 Dec 2012 16:35:37 +0800 Subject: [PATCH 4/7] Correct the GUID of "db" --- src/efi.h | 2 ++ src/mokutil.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/efi.h b/src/efi.h index 7185179..d2640b4 100644 --- a/src/efi.h +++ b/src/efi.h @@ -86,6 +86,8 @@ EFI_GUID( 0x47c7b225, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, EFI_GUID( 0x47c7b227, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b) #define ESP_UNKNOWN_GUID \ EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b) +#define EFI_IMAGE_SECURITY_DATABASE_GUID \ +EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f) static inline int efi_guidcmp(efi_guid_t left, efi_guid_t right) diff --git a/src/mokutil.c b/src/mokutil.c index 13ef69d..6af5a9c 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -636,7 +636,7 @@ import_moks (char **files, uint32_t total) /* whether this key is already enrolled... */ if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) && !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) && - !is_duplicate (ptr, sizes[i], "db", EFI_GLOBAL_VARIABLE) && + !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) && !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) && !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) { ptr += sizes[i]; -- 1.7.10.4 From b1a6476307909b4c391b5cc632c0535ea43b08b1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 24 Dec 2012 18:12:48 +0800 Subject: [PATCH 5/7] Initialize password array --- src/mokutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index 6af5a9c..3d00df0 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -509,7 +509,7 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size) { efi_variable_t mok_auth; uint8_t auth[SHA256_DIGEST_LENGTH]; - char *password; + char *password = NULL; int pw_len, fail = 0; size_t n; int ret = 0; -- 1.7.10.4 From e772f72f23b4cf13c033292b55570a861281b71b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 25 Dec 2012 15:53:56 +0800 Subject: [PATCH 6/7] Add support for deleting specific keys --- src/mokutil.c | 179 +++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 128 insertions(+), 51 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index 3d00df0..e6807da 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -42,6 +42,7 @@ enum Command { COMMAND_ENABLE_VALIDATION, COMMAND_SB_STATE, COMMAND_TEST_KEY, + COMMAND_RESET, }; static void @@ -57,8 +58,8 @@ print_help () printf("Import keys:\n"); printf(" mokutil --import ...\n\n"); - printf("Request to delete all keys\n"); - printf(" mokutil --delete-all\n\n"); + printf("Request to delete specific keys\n"); + printf(" mokutil --delete ...\n\n"); printf("Revoke the request:\n"); printf(" mokutil --revoke\n\n"); @@ -80,6 +81,9 @@ print_help () printf("Test if the key is enrolled or not:\n"); printf(" mokutil --test-key\n\n"); + + printf("Reset MOK list:\n"); + printf(" mokutil --reset\n\n"); } static int @@ -384,14 +388,23 @@ generate_auth (void *new_list, unsigned long list_len, char *password, } static int -update_request (void *new_list, int list_len) +update_request (void *new_list, int list_len, uint8_t import) { efi_variable_t var; + const char *req_name, *auth_name; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; int pw_len; int ret = -1; + if (import) { + req_name = "MokNew"; + auth_name = "MokAuth"; + } else { + req_name = "MokDel"; + auth_name = "MokDelAuth"; + } + if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { fprintf (stderr, "Abort\n"); goto error; @@ -403,7 +416,7 @@ update_request (void *new_list, int list_len) /* Write MokNew*/ var.Data = new_list; var.DataSize = list_len; - var.VariableName = "MokNew"; + var.VariableName = req_name; var.VendorGuid = SHIM_LOCK_GUID; var.Attributes = EFI_VARIABLE_NON_VOLATILE @@ -411,17 +424,18 @@ update_request (void *new_list, int list_len) | EFI_VARIABLE_RUNTIME_ACCESS; if (edit_variable (&var) != EFI_SUCCESS) { - fprintf (stderr, "Failed to enroll new keys\n"); + fprintf (stderr, "Failed to %s keys\n", + import ? "enroll new" : "delete"); goto error; } } else { - test_and_delete_var ("MokNew"); + test_and_delete_var (req_name); } /* Write MokAuth */ var.Data = auth; var.DataSize = SHA256_DIGEST_LENGTH; - var.VariableName = "MokAuth"; + var.VariableName = auth_name; var.VendorGuid = SHIM_LOCK_GUID; var.Attributes = EFI_VARIABLE_NON_VOLATILE @@ -429,8 +443,8 @@ update_request (void *new_list, int list_len) | EFI_VARIABLE_RUNTIME_ACCESS; if (edit_variable (&var) != EFI_SUCCESS) { - fprintf (stderr, "Failed to write MokAuth\n"); - test_and_delete_var ("MokNew"); + fprintf (stderr, "Failed to write %s\n", auth_name); + test_and_delete_var (req_name); goto error; } @@ -505,20 +519,47 @@ done: } static int -verify_mok_new (void *mok_new, unsigned long mok_new_size) +is_valid_request (void *mok, uint32_t mok_size, uint8_t import) { - efi_variable_t mok_auth; + if (import) { + if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) || + is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) || + is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) || + is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) || + is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) { + return 0; + } + } else { + if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) || + is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) { + return 0; + } + } + + return 1; +} + +static int +verify_old_req (void *old_req, unsigned long old_req_size, uint8_t import) +{ + efi_variable_t req_auth; + const char *auth_name; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; int pw_len, fail = 0; size_t n; int ret = 0; - memset (&mok_auth, 0, sizeof(mok_auth)); - mok_auth.VariableName = "MokAuth"; - mok_auth.VendorGuid = SHIM_LOCK_GUID; - if (read_variable (&mok_auth) != EFI_SUCCESS) { - fprintf (stderr, "Failed to read MokAuth\n"); + if (import) + auth_name = "MokAuth"; + else + auth_name = "MokDelAuth"; + + memset (&req_auth, 0, sizeof(req_auth)); + req_auth.VariableName = auth_name; + req_auth.VendorGuid = SHIM_LOCK_GUID; + if (read_variable (&req_auth) != EFI_SUCCESS) { + fprintf (stderr, "Failed to read %s\n", auth_name); return 0; } @@ -534,8 +575,8 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size) continue; } - generate_auth (mok_new, mok_new_size, password, pw_len, auth); - if (memcmp (auth, mok_auth.Data, SHA256_DIGEST_LENGTH) == 0) { + generate_auth (old_req, old_req_size, password, pw_len, auth); + if (memcmp (auth, req_auth.Data, SHA256_DIGEST_LENGTH) == 0) { ret = 1; break; } @@ -543,16 +584,17 @@ verify_mok_new (void *mok_new, unsigned long mok_new_size) fail++; } - if (mok_auth.Data) - free (mok_auth.Data); + if (req_auth.Data) + free (req_auth.Data); return ret; } static int -import_moks (char **files, uint32_t total) +issue_mok_request (char **files, uint32_t total, uint8_t import) { - efi_variable_t mok_new; + efi_variable_t old_req; + const char *req_name; void *new_list = NULL; void *ptr; struct stat buf; @@ -568,6 +610,11 @@ import_moks (char **files, uint32_t total) if (!files) return -1; + if (import) + req_name = "MokNew"; + else + req_name = "MokDel"; + sizes = malloc (total * sizeof(uint32_t)); if (!sizes) { @@ -589,15 +636,15 @@ import_moks (char **files, uint32_t total) list_size += sizeof(EFI_SIGNATURE_LIST) * total; list_size += sizeof(efi_guid_t) * total; - memset (&mok_new, 0, sizeof(mok_new)); - mok_new.VariableName = "MokNew"; - mok_new.VendorGuid = SHIM_LOCK_GUID; - if (read_variable (&mok_new) == EFI_SUCCESS) - list_size += mok_new.DataSize; + memset (&old_req, 0, sizeof(old_req)); + old_req.VariableName = req_name; + old_req.VendorGuid = SHIM_LOCK_GUID; + if (read_variable (&old_req) == EFI_SUCCESS) + list_size += old_req.DataSize; new_list = malloc (list_size); if (!new_list) { - fprintf (stderr, "Failed to allocate space for MokNew\n"); + fprintf (stderr, "Failed to allocate space for %s\n", req_name); goto error; } ptr = new_list; @@ -633,15 +680,11 @@ import_moks (char **files, uint32_t total) files[i]); } - /* whether this key is already enrolled... */ - if (!is_duplicate (ptr, sizes[i], "PK", EFI_GLOBAL_VARIABLE) && - !is_duplicate (ptr, sizes[i], "KEK", EFI_GLOBAL_VARIABLE) && - !is_duplicate (ptr, sizes[i], "db", EFI_IMAGE_SECURITY_DATABASE_GUID) && - !is_duplicate (ptr, sizes[i], "MokListRT", SHIM_LOCK_GUID) && - !is_duplicate (ptr, sizes[i], "MokNew", SHIM_LOCK_GUID)) { + if (is_valid_request (ptr, sizes[i], import)) { ptr += sizes[i]; real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); } else { + printf ("Skip %s\n", files[i]); ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); } @@ -654,25 +697,25 @@ import_moks (char **files, uint32_t total) goto error; } - /* append the keys in MokNew */ - if (mok_new.Data) { + /* append the keys to the previous request */ + if (old_req.Data) { /* request the previous password to verify the keys */ - if (!verify_mok_new (mok_new.Data, mok_new.DataSize)) { + if (!verify_old_req (old_req.Data, old_req.DataSize, import)) { goto error; } - memcpy (new_list + real_size, mok_new.Data, mok_new.DataSize); - real_size += mok_new.DataSize; + memcpy (new_list + real_size, old_req.Data, old_req.DataSize); + real_size += old_req.DataSize; } - if (update_request (new_list, real_size) < 0) { + if (update_request (new_list, real_size, import) < 0) { goto error; } ret = 0; error: - if (mok_new.Data) - free (mok_new.Data); + if (old_req.Data) + free (old_req.Data); if (sizes) free (sizes); if (new_list) @@ -682,14 +725,15 @@ error: } static int -delete_all () +import_moks (char **files, uint32_t total) { - if (update_request (NULL, 0)) { - fprintf (stderr, "Failed to issue an delete request\n"); - return -1; - } + return issue_mok_request (files, total, 1); +} - return 0; +static int +delete_moks (char **files, uint32_t total) +{ + return issue_mok_request (files, total, 0); } static int @@ -932,6 +976,17 @@ error: return ret; } +static int +reset_moks () +{ + if (update_request (NULL, 0, 1)) { + fprintf (stderr, "Failed to issue a reset request\n"); + return -1; + } + + return 0; +} + int main (int argc, char *argv[]) { @@ -982,8 +1037,23 @@ main (int argc, char *argv[]) command = COMMAND_IMPORT; - } else if (strcmp (argv[1], "-D") == 0 || - strcmp (argv[1], "--delete-all") == 0) { + } else if (strcmp (argv[1], "-d") == 0 || + strcmp (argv[1], "--delete") == 0) { + + if (argc < 3) { + print_help (); + return -1; + } + total = argc - 2; + + files = malloc (total * sizeof(char *)); + if (!files) { + fprintf (stderr, "Failed to allocate file list\n"); + return -1; + } + + for (i = 0; i < total; i++) + files[i] = argv[i+2]; command = COMMAND_DELETE; @@ -1025,6 +1095,10 @@ main (int argc, char *argv[]) command = COMMAND_TEST_KEY; + } else if (strcmp (argv[1], "--reset") == 0) { + + command = COMMAND_RESET; + } else { fprintf (stderr, "Unknown argument: %s\n\n", argv[1]); print_help (); @@ -1042,7 +1116,7 @@ main (int argc, char *argv[]) ret = import_moks (files, total); break; case COMMAND_DELETE: - ret = delete_all (); + ret = delete_moks (files, total); break; case COMMAND_REVOKE: ret = revoke_request (); @@ -1065,6 +1139,9 @@ main (int argc, char *argv[]) case COMMAND_TEST_KEY: ret = test_key (key_file); break; + case COMMAND_RESET: + ret = reset_moks (); + break; default: fprintf (stderr, "Unknown command\n"); break; -- 1.7.10.4 From 799d37815f470739ed079e2fea49077decaee3d3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 2 Jan 2013 17:09:35 +0800 Subject: [PATCH 7/7] Initialize the variable to prevent a potential crash In issue_mok_request(), old_req.Data must be intialized before "goto error", or the process would segfault when freeing old_req.Data. --- src/mokutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index e6807da..a99e355 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -617,6 +617,8 @@ issue_mok_request (char **files, uint32_t total, uint8_t import) sizes = malloc (total * sizeof(uint32_t)); + memset (&old_req, 0, sizeof(old_req)); + if (!sizes) { fprintf (stderr, "Failed to allocate space for sizes\n"); goto error; @@ -636,7 +638,6 @@ issue_mok_request (char **files, uint32_t total, uint8_t import) list_size += sizeof(EFI_SIGNATURE_LIST) * total; list_size += sizeof(efi_guid_t) * total; - memset (&old_req, 0, sizeof(old_req)); old_req.VariableName = req_name; old_req.VendorGuid = SHIM_LOCK_GUID; if (read_variable (&old_req) == EFI_SUCCESS) -- 1.7.10.4