pool/mokutil
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
016c355cf7
mokutil/mokutil-support-revoke-builtin-cert.patch

307 lines
8.1 KiB
Diff
Raw Blame History

From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/4] Add the option to revoke the built-in certificate
This is an openSUSE-only patch.
This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index 02ed21f..d95a2eb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -86,6 +86,7 @@
#define DELETE_HASH (1 << 22)
#define VERBOSITY (1 << 23)
#define TIMEOUT (1 << 24)
+#define REVOKE_CERT (1 << 25)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -180,6 +181,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity)
return 0;
}
+static int
+revoke_builtin_cert (void)
+{
+ efi_variable_t var;
+ pw_crypt_t pw_crypt;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password = NULL;
+ int pw_len;
+ int auth_ret;
+ int ret = -1;
+
+ /* Check use_openSUSE_cert */
+ memset (&var, 0, sizeof(var));
+ var.VariableName = "use_openSUSE_cert";
+ var.VendorGuid = SHIM_LOCK_GUID;
+
+ if (read_variable (&var) != EFI_SUCCESS)
+ return 0;
+
+ if ((uint8_t)*var.Data != 1) {
+ free (var.Data);
+ fprintf (stderr, "The built-in certificate is already revoked.\n");
+ return 0;
+ }
+ free (var.Data);
+
+ memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+ memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+ fprintf (stderr, "Abort\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
+ } else {
+ auth_ret = generate_auth (NULL, 0, password, pw_len,
+ auth);
+ }
+ if (auth_ret < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ var.Data = (void *)&pw_crypt;
+ var.DataSize = PASSWORD_CRYPT_SIZE;
+ } else {
+ var.Data = (void *)auth;
+ var.DataSize = SHA256_DIGEST_LENGTH;
+ }
+ var.VariableName = "ClearVerify";
+
+ var.VendorGuid = SHIM_LOCK_GUID;
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ fprintf (stderr, "Failed to write ClearVerify\n");
+ goto error;
+ }
+
+ ret = 0;
+error:
+ if (password)
+ free (password);
+
+ return ret;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2480,6 +2555,7 @@ main (int argc, char *argv[])
{"timeout", required_argument, 0, 0 },
{"ca-check", no_argument, 0, 0 },
{"ignore-keyring", no_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2570,6 +2646,8 @@ main (int argc, char *argv[])
force_ca_check = 1;
} else if (strcmp (option, "ignore-keyring") == 0) {
check_keyring = 0;
+ } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT;
}
break;
@@ -2839,6 +2917,10 @@ main (int argc, char *argv[])
case TIMEOUT:
ret = set_timeout (timeout);
break;
+ case REVOKE_CERT:
+ case REVOKE_CERT | SIMPLE_HASH:
+ ret = revoke_builtin_cert ();
+ break;
default:
print_help ();
break;
--
2.28.0
From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables
This is an openSUSE-only patch.
Adapt the changes in the mainline.
---
src/mokutil.c | 45 +++++++++++++++++++++++++--------------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index d95a2eb..8be0b77 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity)
static int
revoke_builtin_cert (void)
{
- efi_variable_t var;
+ uint32_t attributes;
+ size_t data_size;
+ uint8_t *data;
pw_crypt_t pw_crypt;
uint8_t auth[SHA256_DIGEST_LENGTH];
char *password = NULL;
- int pw_len;
+ unsigned int pw_len;
int auth_ret;
int ret = -1;
/* Check use_openSUSE_cert */
- memset (&var, 0, sizeof(var));
- var.VariableName = "use_openSUSE_cert";
- var.VendorGuid = SHIM_LOCK_GUID;
+ if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
+ &data, &data_size, &attributes) < 0) {
+ fprintf (stderr, "Failed to get use_openSUSE_cert\n");
+ return 0;
+ }
- if (read_variable (&var) != EFI_SUCCESS)
+ if (data_size != 1) {
+ free (data);
+ fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
return 0;
+ }
- if ((uint8_t)*var.Data != 1) {
- free (var.Data);
+ if (*data != 1) {
+ free (data);
fprintf (stderr, "The built-in certificate is already revoked.\n");
return 0;
}
- free (var.Data);
+ free (data);
memset (&pw_crypt, 0, sizeof(pw_crypt_t));
memset (auth, 0, SHA256_DIGEST_LENGTH);
@@ -2446,20 +2453,18 @@ revoke_builtin_cert (void)
}
if (!use_simple_hash) {
- var.Data = (void *)&pw_crypt;
- var.DataSize = PASSWORD_CRYPT_SIZE;
+ data = (uint8_t *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
} else {
- var.Data = (void *)auth;
- var.DataSize = SHA256_DIGEST_LENGTH;
+ data = auth;
+ data_size = SHA256_DIGEST_LENGTH;
}
- var.VariableName = "ClearVerify";
-
- var.VendorGuid = SHIM_LOCK_GUID;
- var.Attributes = EFI_VARIABLE_NON_VOLATILE
- | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_RUNTIME_ACCESS;
+ attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
- if (edit_protected_variable (&var) != EFI_SUCCESS) {
+ if (efi_set_variable (efi_guid_shim, "ClearVerify",
+ data, data_size, attributes) < 0) {
fprintf (stderr, "Failed to write ClearVerify\n");
goto error;
}
--
2.28.0
From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24
This is an openSUSE-only patch.
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 8be0b77..f27bba0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2464,7 +2464,8 @@ revoke_builtin_cert (void)
| EFI_VARIABLE_RUNTIME_ACCESS;
if (efi_set_variable (efi_guid_shim, "ClearVerify",
- data, data_size, attributes) < 0) {
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
fprintf (stderr, "Failed to write ClearVerify\n");
goto error;
}
--
2.28.0
From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 14 Aug 2020 14:57:23 +0800
Subject: [PATCH 4/4] man: add "--revoke-cert"
The argument "--revoke-cert" was not addressed in the man page.
This is an openSUSE-only patch.
Signed-off-by: Gary Lin <glin@suse.com>
---
man/mokutil.1 | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/man/mokutil.1 b/man/mokutil.1
index cbea367..1c18d7a 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
.br
\fBmokutil\fR [--dbx]
.br
+\fBmokutil\fR [--revoke-cert]
+.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -180,3 +182,6 @@ databases.
\fB--ignore-keyring\fR
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
.TP
+\fB--revoke-cert\fR
+Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic)
+.TP
--
2.28.0
Reference in New Issue View Git Blame Copy Permalink