3f236fd3e4
Update mokutil-mokx-support.patch to fix the test-key request check OBS-URL: https://build.opensuse.org/request/show/214658 OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=14
2969 lines
85 KiB
Diff
2969 lines
85 KiB
Diff
From 65c8d2eb32beda5e90af891de3e5bda41a8aa6f1 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Mon, 21 Oct 2013 17:49:33 +0800
|
|
Subject: [PATCH 01/20] Update TODO
|
|
|
|
---
|
|
TODO | 16 ++--------------
|
|
1 file changed, 2 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/TODO b/TODO
|
|
index 373e48d..465835a 100644
|
|
--- a/TODO
|
|
+++ b/TODO
|
|
@@ -1,17 +1,5 @@
|
|
-* Validate the DER file [DONE]
|
|
* Show the detail of the DER file when enrolling (?)
|
|
* Add an option to slience the output (?)
|
|
-* Show the current value of MokNew and MokListRT [DONE]
|
|
-* Request the user to input a password before enrolling [DONE]
|
|
-* Read the list from a volatile RT variable [DONE]
|
|
-* Export keys in MokListRT [DONE]
|
|
* List hashes in MokListRT
|
|
-* Add a new command to probe the state of SecureBoot
|
|
- - SecureBoot, EFI_GLOBAL_VARIABLE
|
|
-* Do not to enroll duplicate key
|
|
- - compare the keys in MokListRT before enrolling the new keys
|
|
- - compare the keys in MokNew
|
|
- - add a new command to check duplicate
|
|
-* Add a new command to append the new key request to the old one
|
|
- - use the old password to verify the old request
|
|
-* Delete a specific key
|
|
+* Support MokX
|
|
+* Import hash into MokNew, NokDel, MokXNew
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 012d82be0468e876a10691fbabab2ed11b7a4954 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 22 Oct 2013 14:24:13 +0800
|
|
Subject: [PATCH 02/20] Show the hashes in the database
|
|
|
|
---
|
|
src/efi.h | 2 +-
|
|
src/mokutil.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
|
|
src/signature.h | 14 ++++++--
|
|
3 files changed, 113 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/src/efi.h b/src/efi.h
|
|
index a622a2b..33579c5 100644
|
|
--- a/src/efi.h
|
|
+++ b/src/efi.h
|
|
@@ -102,7 +102,7 @@ EFI_GUID( 0x47c7b226, 0xc42a, 0x11d2, 0x8e, 0x57, 0x00, 0xa0, 0xc9, 0x69, 0x72,
|
|
EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
|
|
|
|
static inline int
|
|
-efi_guidcmp(efi_guid_t left, efi_guid_t right)
|
|
+efi_guidcmp(const efi_guid_t left, const efi_guid_t right)
|
|
{
|
|
return memcmp(&left, &right, sizeof (efi_guid_t));
|
|
}
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index e4e247c..62690ef 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -157,14 +157,29 @@ test_and_delete_var (const char *var_name)
|
|
return 0;
|
|
}
|
|
|
|
+static uint32_t
|
|
+signature_size (efi_guid_t hash_type)
|
|
+{
|
|
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0)
|
|
+ return (SHA_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+ else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0)
|
|
+ return (SHA224_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+ else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0)
|
|
+ return (SHA256_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+ else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0)
|
|
+ return (SHA384_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+ else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0)
|
|
+ return (SHA512_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
static MokListNode*
|
|
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
{
|
|
MokListNode *list;
|
|
EFI_SIGNATURE_LIST *CertList = data;
|
|
EFI_SIGNATURE_DATA *Cert;
|
|
- efi_guid_t CertType = EfiCertX509Guid;
|
|
- efi_guid_t HashType = EfiHashSha256Guid;
|
|
unsigned long dbsize = data_size;
|
|
unsigned long count = 0;
|
|
|
|
@@ -176,16 +191,20 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
}
|
|
|
|
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
- if ((efi_guidcmp (CertList->SignatureType, CertType) != 0) &&
|
|
- (efi_guidcmp (CertList->SignatureType, HashType) != 0)) {
|
|
+ if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
|
|
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
|
|
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) &&
|
|
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha256Guid) != 0) &&
|
|
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha384Guid) != 0) &&
|
|
+ (efi_guidcmp (CertList->SignatureType, EfiHashSha512Guid) != 0)) {
|
|
dbsize -= CertList->SignatureListSize;
|
|
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
|
CertList->SignatureListSize);
|
|
continue;
|
|
}
|
|
|
|
- if ((efi_guidcmp (CertList->SignatureType, HashType) == 0) &&
|
|
- (CertList->SignatureSize != 48)) {
|
|
+ if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
|
|
+ (CertList->SignatureSize != signature_size (CertList->SignatureType))) {
|
|
dbsize -= CertList->SignatureListSize;
|
|
CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList +
|
|
CertList->SignatureListSize);
|
|
@@ -203,8 +222,18 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
}
|
|
|
|
list[count].header = CertList;
|
|
- list[count].mok_size = CertList->SignatureSize - sizeof(efi_guid_t);
|
|
- list[count].mok = (void *)Cert->SignatureData;
|
|
+ if (efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) == 0) {
|
|
+ /* X509 certificate */
|
|
+ list[count].mok_size = CertList->SignatureSize -
|
|
+ sizeof(efi_guid_t);
|
|
+ list[count].mok = (void *)Cert->SignatureData;
|
|
+ } else {
|
|
+ /* hash array */
|
|
+ list[count].mok_size = CertList->SignatureListSize -
|
|
+ sizeof(EFI_SIGNATURE_LIST) -
|
|
+ CertList->SignatureHeaderSize;
|
|
+ list[count].mok = (void *)Cert;
|
|
+ }
|
|
|
|
count++;
|
|
dbsize -= CertList->SignatureListSize;
|
|
@@ -258,6 +287,64 @@ print_x509 (char *cert, int cert_size)
|
|
}
|
|
|
|
static int
|
|
+print_hash_array (efi_guid_t hash_type, void *hash_array, uint32_t array_size)
|
|
+{
|
|
+ uint32_t hash_size, remain;
|
|
+ uint32_t sig_size;
|
|
+ uint8_t *hash;
|
|
+ const char *name;
|
|
+ int i;
|
|
+
|
|
+ if (!hash_array || array_size == 0) {
|
|
+ fprintf (stderr, "invalid hash array\n");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
|
|
+ name = "SHA1";
|
|
+ hash_size = SHA_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
|
|
+ name = "SHA224";
|
|
+ hash_size = SHA224_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
|
|
+ name = "SHA256";
|
|
+ hash_size = SHA256_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
|
|
+ name = "SHA384";
|
|
+ hash_size = SHA384_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
|
|
+ name = "SHA512";
|
|
+ hash_size = SHA512_DIGEST_LENGTH;
|
|
+ } else {
|
|
+ fprintf (stderr, "unknown hash type\n");
|
|
+ return -1;
|
|
+ }
|
|
+ sig_size = hash_size + sizeof(efi_guid_t);
|
|
+
|
|
+ printf (" [%s]\n", name);
|
|
+
|
|
+ remain = array_size;
|
|
+ hash = (uint8_t *)hash_array;
|
|
+
|
|
+ while (remain > 0) {
|
|
+ if (remain < sig_size) {
|
|
+ fprintf (stderr, "invalid array size\n");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ printf (" ");
|
|
+ hash += sizeof(efi_guid_t);
|
|
+ for (i = 0; i<hash_size; i++)
|
|
+ printf ("%02x", *(hash + i));
|
|
+ printf ("\n");
|
|
+ hash += hash_size;
|
|
+ remain -= sig_size;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int
|
|
list_keys (efi_variable_t *var)
|
|
{
|
|
uint32_t mok_num;
|
|
@@ -271,7 +358,12 @@ list_keys (efi_variable_t *var)
|
|
|
|
for (i = 0; i < mok_num; i++) {
|
|
printf ("[key %d]\n", i+1);
|
|
- print_x509 ((char *)list[i].mok, list[i].mok_size);
|
|
+ if (efi_guidcmp (list[i].header->SignatureType, EfiCertX509Guid) == 0) {
|
|
+ print_x509 ((char *)list[i].mok, list[i].mok_size);
|
|
+ } else {
|
|
+ print_hash_array (list[i].header->SignatureType,
|
|
+ list[i].mok, list[i].mok_size);
|
|
+ }
|
|
if (i < mok_num - 1)
|
|
printf ("\n");
|
|
}
|
|
diff --git a/src/signature.h b/src/signature.h
|
|
index df88e98..02f0211 100644
|
|
--- a/src/signature.h
|
|
+++ b/src/signature.h
|
|
@@ -28,11 +28,17 @@
|
|
* version. If you delete this exception statement from all source
|
|
* files in the program, then also delete it here.
|
|
*/
|
|
-#define SHA256_DIGEST_SIZE 32
|
|
+#ifndef SIGNATURE_H
|
|
+#define SIGNATURE_H
|
|
|
|
-#define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
|
|
+#include "efi.h"
|
|
+
|
|
+#define EfiHashSha1Guid EFI_GUID (0x826ca512, 0xcf10, 0x4ac9, 0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd)
|
|
+#define EfiHashSha224Guid EFI_GUID (0xb6e5233, 0xa65c, 0x44c9, 0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd)
|
|
#define EfiHashSha256Guid EFI_GUID (0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
|
|
-#define EfiCertX509Guid EFI_GUID (0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
|
|
+#define EfiHashSha384Guid EFI_GUID (0xff3e5307, 0x9fd0, 0x48c9, 0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1)
|
|
+#define EfiHashSha512Guid EFI_GUID (0x93e0fae, 0xa6c4, 0x4f50, 0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a)
|
|
+#define EfiCertX509Guid EFI_GUID (0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
|
|
|
|
typedef struct {
|
|
///
|
|
@@ -71,3 +77,5 @@ typedef struct {
|
|
/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
|
|
///
|
|
} __attribute__ ((packed)) EFI_SIGNATURE_LIST;
|
|
+
|
|
+#endif /* SIGNATURE_H */
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 77a215f86139b21fd55dca4d032b7269f62b51c1 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 22 Oct 2013 14:34:21 +0800
|
|
Subject: [PATCH 03/20] Don't allocate the MOK list until there is a node
|
|
|
|
---
|
|
src/mokutil.c | 9 +--------
|
|
1 file changed, 1 insertion(+), 8 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 62690ef..ec476dd 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -177,19 +177,12 @@ signature_size (efi_guid_t hash_type)
|
|
static MokListNode*
|
|
build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
|
|
{
|
|
- MokListNode *list;
|
|
+ MokListNode *list = NULL;
|
|
EFI_SIGNATURE_LIST *CertList = data;
|
|
EFI_SIGNATURE_DATA *Cert;
|
|
unsigned long dbsize = data_size;
|
|
unsigned long count = 0;
|
|
|
|
- list = malloc(sizeof(MokListNode));
|
|
-
|
|
- if (!list) {
|
|
- fprintf(stderr, "Unable to allocate MOK list\n");
|
|
- return NULL;
|
|
- }
|
|
-
|
|
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
|
|
if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
|
|
(efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From befae0e92ea24e35208b07786857d195ce8aa086 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 22 Oct 2013 14:40:58 +0800
|
|
Subject: [PATCH 04/20] Skip hashes while exporting MokListRT
|
|
|
|
---
|
|
src/mokutil.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index ec476dd..04f7655 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1119,6 +1119,10 @@ export_moks ()
|
|
/* mode 644 */
|
|
mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
|
|
for (i = 0; i < mok_num; i++) {
|
|
+ if (efi_guidcmp (list[i].header->SignatureType, EfiCertX509Guid) != 0)
|
|
+ continue;
|
|
+
|
|
+ /* Dump X509 certificate to files */
|
|
snprintf (filename, PATH_MAX, "MOK-%04d.der", i+1);
|
|
fd = open (filename, O_CREAT | O_WRONLY, mode);
|
|
if (fd == -1) {
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 9cfc5f93e15e05dabf46a86e4f8e899e32443176 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 22 Oct 2013 16:05:33 +0800
|
|
Subject: [PATCH 05/20] Match the hashes in the database
|
|
|
|
---
|
|
src/mokutil.c | 162 +++++++++++++++++++++++++++++++++++++++-------------------
|
|
1 file changed, 109 insertions(+), 53 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 04f7655..fa5d668 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -157,19 +157,50 @@ test_and_delete_var (const char *var_name)
|
|
return 0;
|
|
}
|
|
|
|
+static const char*
|
|
+efi_hash_to_string (efi_guid_t hash_type)
|
|
+{
|
|
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
|
|
+ return "SHA1";
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
|
|
+ return "SHA224";
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
|
|
+ return "SHA256";
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
|
|
+ return "SHA384";
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
|
|
+ return "SHA512";
|
|
+ }
|
|
+
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static uint32_t
|
|
+efi_hash_size (efi_guid_t hash_type)
|
|
+{
|
|
+ if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
|
|
+ return SHA_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
|
|
+ return SHA224_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
|
|
+ return SHA256_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
|
|
+ return SHA384_DIGEST_LENGTH;
|
|
+ } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
|
|
+ return SHA512_DIGEST_LENGTH;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
static uint32_t
|
|
signature_size (efi_guid_t hash_type)
|
|
{
|
|
- if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0)
|
|
- return (SHA_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
- else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0)
|
|
- return (SHA224_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
- else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0)
|
|
- return (SHA256_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
- else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0)
|
|
- return (SHA384_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
- else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0)
|
|
- return (SHA512_DIGEST_LENGTH + sizeof(efi_guid_t));
|
|
+ uint32_t hash_size;
|
|
+
|
|
+ hash_size = efi_hash_size (hash_type);
|
|
+ if (hash_size)
|
|
+ return (hash_size + sizeof(efi_guid_t));
|
|
|
|
return 0;
|
|
}
|
|
@@ -293,29 +324,16 @@ print_hash_array (efi_guid_t hash_type, void *hash_array, uint32_t array_size)
|
|
return -1;
|
|
}
|
|
|
|
- if (efi_guidcmp (hash_type, EfiHashSha1Guid) == 0) {
|
|
- name = "SHA1";
|
|
- hash_size = SHA_DIGEST_LENGTH;
|
|
- } else if (efi_guidcmp (hash_type, EfiHashSha224Guid) == 0) {
|
|
- name = "SHA224";
|
|
- hash_size = SHA224_DIGEST_LENGTH;
|
|
- } else if (efi_guidcmp (hash_type, EfiHashSha256Guid) == 0) {
|
|
- name = "SHA256";
|
|
- hash_size = SHA256_DIGEST_LENGTH;
|
|
- } else if (efi_guidcmp (hash_type, EfiHashSha384Guid) == 0) {
|
|
- name = "SHA384";
|
|
- hash_size = SHA384_DIGEST_LENGTH;
|
|
- } else if (efi_guidcmp (hash_type, EfiHashSha512Guid) == 0) {
|
|
- name = "SHA512";
|
|
- hash_size = SHA512_DIGEST_LENGTH;
|
|
- } else {
|
|
+ name = efi_hash_to_string (hash_type);
|
|
+ hash_size = efi_hash_size (hash_type);
|
|
+ sig_size = hash_size + sizeof(efi_guid_t);
|
|
+
|
|
+ if (!name) {
|
|
fprintf (stderr, "unknown hash type\n");
|
|
return -1;
|
|
}
|
|
- sig_size = hash_size + sizeof(efi_guid_t);
|
|
|
|
printf (" [%s]\n", name);
|
|
-
|
|
remain = array_size;
|
|
hash = (uint8_t *)hash_array;
|
|
|
|
@@ -829,36 +847,78 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
|
}
|
|
|
|
static int
|
|
-is_duplicate (const void *cert, const uint32_t cert_size, const char *db_name,
|
|
- efi_guid_t guid)
|
|
+match_hash_array (efi_guid_t hash_type, const void *hash,
|
|
+ const void *hash_array, const uint32_t array_size)
|
|
+{
|
|
+ uint32_t hash_size, hash_count;
|
|
+ uint32_t sig_size;
|
|
+ int i;
|
|
+ void *ptr;
|
|
+
|
|
+ hash_size = efi_hash_size (hash_type);
|
|
+ if (!hash_size)
|
|
+ return 0;
|
|
+
|
|
+ sig_size = hash_size + sizeof(efi_guid_t);
|
|
+ if ((array_size % sig_size) != 0) {
|
|
+ fprintf (stderr, "invalid hash array size\n");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ ptr = (void *)hash_array;
|
|
+ hash_count = array_size / sig_size;
|
|
+ for (i = 0; i < hash_count; i++) {
|
|
+ ptr += sizeof(efi_guid_t);
|
|
+ if (memcmp (ptr, hash, hash_size) == 0)
|
|
+ return 1;
|
|
+ ptr += hash_size;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int
|
|
+is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
|
|
+ efi_guid_t vendor, const char *db_name)
|
|
{
|
|
efi_variable_t var;
|
|
- uint32_t mok_num;
|
|
+ uint32_t node_num;
|
|
MokListNode *list;
|
|
int i, ret = 0;
|
|
|
|
- if (!cert || cert_size == 0 || !db_name)
|
|
+ if (!data || data_size == 0 || !db_name)
|
|
return 0;
|
|
|
|
memset (&var, 0, sizeof(var));
|
|
var.VariableName = db_name;
|
|
- var.VendorGuid = guid;
|
|
+ var.VendorGuid = vendor;
|
|
|
|
if (read_variable (&var) != EFI_SUCCESS)
|
|
return 0;
|
|
|
|
- list = build_mok_list (var.Data, var.DataSize, &mok_num);
|
|
+ list = build_mok_list (var.Data, var.DataSize, &node_num);
|
|
if (list == NULL) {
|
|
goto done;
|
|
}
|
|
|
|
- for (i = 0; i < mok_num; i++) {
|
|
- if (list[i].mok_size != cert_size)
|
|
+ for (i = 0; i < node_num; i++) {
|
|
+ if (efi_guidcmp (list[i].header->SignatureType, type) != 0)
|
|
continue;
|
|
|
|
- if (memcmp (list[i].mok, cert, cert_size) == 0) {
|
|
- ret = 1;
|
|
- break;
|
|
+ if (efi_guidcmp (type, EfiCertX509Guid) == 0) {
|
|
+ if (list[i].mok_size != data_size)
|
|
+ continue;
|
|
+
|
|
+ if (memcmp (list[i].mok, data, data_size) == 0) {
|
|
+ ret = 1;
|
|
+ break;
|
|
+ }
|
|
+ } else {
|
|
+ if (match_hash_array (type, data, list[i].mok,
|
|
+ list[i].mok_size)) {
|
|
+ ret = 1;
|
|
+ break;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -870,19 +930,19 @@ done:
|
|
}
|
|
|
|
static int
|
|
-is_valid_request (void *mok, uint32_t mok_size, uint8_t import)
|
|
+is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
|
|
{
|
|
if (import) {
|
|
- if (is_duplicate (mok, mok_size, "PK", EFI_GLOBAL_VARIABLE) ||
|
|
- is_duplicate (mok, mok_size, "KEK", EFI_GLOBAL_VARIABLE) ||
|
|
- is_duplicate (mok, mok_size, "db", EFI_IMAGE_SECURITY_DATABASE_GUID) ||
|
|
- is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
|
- is_duplicate (mok, mok_size, "MokNew", SHIM_LOCK_GUID)) {
|
|
+ if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "PK") ||
|
|
+ is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK") ||
|
|
+ is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db") ||
|
|
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
|
|
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) {
|
|
return 0;
|
|
}
|
|
} else {
|
|
- if (!is_duplicate (mok, mok_size, "MokListRT", SHIM_LOCK_GUID) ||
|
|
- is_duplicate (mok, mok_size, "MokDel", SHIM_LOCK_GUID)) {
|
|
+ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
|
|
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) {
|
|
return 0;
|
|
}
|
|
}
|
|
@@ -1008,7 +1068,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
|
files[i]);
|
|
}
|
|
|
|
- if (is_valid_request (ptr, sizes[i], import)) {
|
|
+ if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], import)) {
|
|
ptr += sizes[i];
|
|
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
} else if (in_pending_request (ptr, sizes[i], import)) {
|
|
@@ -1359,11 +1419,7 @@ test_key (const char *key_file)
|
|
goto error;
|
|
}
|
|
|
|
- if (!is_duplicate (key, read_size, "PK", EFI_GLOBAL_VARIABLE) &&
|
|
- !is_duplicate (key, read_size, "KEK", EFI_GLOBAL_VARIABLE) &&
|
|
- !is_duplicate (key, read_size, "db", EFI_GLOBAL_VARIABLE) &&
|
|
- !is_duplicate (key, read_size, "MokListRT", SHIM_LOCK_GUID) &&
|
|
- !is_duplicate (key, read_size, "MokNew", SHIM_LOCK_GUID)) {
|
|
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, 1)) {
|
|
printf ("%s is not enrolled\n", key_file);
|
|
ret = 0;
|
|
} else {
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 9ec6f6836a386d527cf62d6583c3ea5e394f62a5 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 22 Oct 2013 18:01:11 +0800
|
|
Subject: [PATCH 06/20] Support MOK blacklist
|
|
|
|
---
|
|
src/mokutil.c | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
|
1 file changed, 195 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index fa5d668..f10e6e8 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -79,6 +79,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
|
#define SIMPLE_HASH (1 << 17)
|
|
#define IGNORE_DB (1 << 18)
|
|
#define USE_DB (1 << 19)
|
|
+#define MOKX (1 << 20)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -86,6 +87,13 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
|
|
|
static int use_simple_hash;
|
|
|
|
+typedef enum {
|
|
+ DELETE_MOK = 0,
|
|
+ ENROLL_MOK,
|
|
+ DELETE_BLACKLIST,
|
|
+ ENROLL_BLACKLIST
|
|
+} MokRequest;
|
|
+
|
|
typedef struct {
|
|
EFI_SIGNATURE_LIST *header;
|
|
uint32_t mok_size;
|
|
@@ -135,6 +143,10 @@ print_help ()
|
|
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
|
|
printf (" \t\t\t\t(For --import, --delete, --password,\n");
|
|
printf (" \t\t\t\t --clear-password and --reset)\n");
|
|
+ printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
|
|
+ printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
|
|
+ printf (" \t\t\t\t --list-delete, --import, --delete,\n");
|
|
+ printf (" \t\t\t\t --revoke-import, and --revoke-delete)\n");
|
|
}
|
|
|
|
static int
|
|
@@ -724,7 +736,7 @@ get_password_from_shadow (pw_crypt_t *pw_crypt)
|
|
}
|
|
|
|
static int
|
|
-update_request (void *new_list, int list_len, uint8_t import,
|
|
+update_request (void *new_list, int list_len, MokRequest req,
|
|
const char *hash_file, const int root_pw)
|
|
{
|
|
efi_variable_t var;
|
|
@@ -739,12 +751,25 @@ update_request (void *new_list, int list_len, uint8_t import,
|
|
bzero (&pw_crypt, sizeof(pw_crypt_t));
|
|
pw_crypt.method = DEFAULT_CRYPT_METHOD;
|
|
|
|
- if (import) {
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
req_name = "MokNew";
|
|
auth_name = "MokAuth";
|
|
- } else {
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
req_name = "MokDel";
|
|
auth_name = "MokDelAuth";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ req_name = "MokXNew";
|
|
+ auth_name = "MokXAuth";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ req_name = "MokXDel";
|
|
+ auth_name = "MokXDelAuth";
|
|
+ break;
|
|
+ default:
|
|
+ return -1;
|
|
}
|
|
|
|
if (hash_file) {
|
|
@@ -776,7 +801,7 @@ update_request (void *new_list, int list_len, uint8_t import,
|
|
}
|
|
|
|
if (new_list) {
|
|
- /* Write MokNew*/
|
|
+ /* Write MokNew, MokDel, MokXNew, or MokXDel*/
|
|
var.Data = new_list;
|
|
var.DataSize = list_len;
|
|
var.VariableName = req_name;
|
|
@@ -787,15 +812,27 @@ update_request (void *new_list, int list_len, uint8_t import,
|
|
| EFI_VARIABLE_RUNTIME_ACCESS;
|
|
|
|
if (edit_variable (&var) != EFI_SUCCESS) {
|
|
- fprintf (stderr, "Failed to %s keys\n",
|
|
- import ? "enroll new" : "delete");
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ fprintf (stderr, "Failed to enroll new keys\n");
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ fprintf (stderr, "Failed to enroll blacklist\n");
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ fprintf (stderr, "Failed to delete keys\n");
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ fprintf (stderr, "Failed to delete blacklist\n");
|
|
+ break;
|
|
+ }
|
|
goto error;
|
|
}
|
|
} else {
|
|
test_and_delete_var (req_name);
|
|
}
|
|
|
|
- /* Write MokAuth or MokDelAuth */
|
|
+ /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */
|
|
if (!use_simple_hash) {
|
|
var.Data = (void *)&pw_crypt;
|
|
var.DataSize = PASSWORD_CRYPT_SIZE;
|
|
@@ -930,9 +967,10 @@ done:
|
|
}
|
|
|
|
static int
|
|
-is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
|
|
+is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req)
|
|
{
|
|
- if (import) {
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "PK") ||
|
|
is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK") ||
|
|
is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db") ||
|
|
@@ -940,29 +978,63 @@ is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, uint8_t import)
|
|
is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) {
|
|
return 0;
|
|
}
|
|
- } else {
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") ||
|
|
is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) {
|
|
return 0;
|
|
}
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT") ||
|
|
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXNew")) {
|
|
+ return 0;
|
|
+ }
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT") ||
|
|
+ is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXDel")) {
|
|
+ return 0;
|
|
+ }
|
|
+ break;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int
|
|
-in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
|
|
+in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
|
|
{
|
|
efi_variable_t authvar;
|
|
- const char *var_name = import ? "MokDel" : "MokNew";
|
|
+ const char *var_name;
|
|
|
|
if (!mok || mok_size == 0)
|
|
return 0;
|
|
|
|
memset (&authvar, 0, sizeof(authvar));
|
|
- authvar.VariableName = import ? "MokDelAuth" : "MokAuth";
|
|
authvar.VendorGuid = SHIM_LOCK_GUID;
|
|
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ var_name = "MokDel";
|
|
+ authvar.VariableName = "MokDelAuth";
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ var_name = "MokNew";
|
|
+ authvar.VariableName = "MokAuth";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ var_name = "MokXDel";
|
|
+ authvar.VariableName = "MokXDelAuth";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ var_name = "MokXNew";
|
|
+ authvar.VariableName = "MokXAuth";
|
|
+ break;
|
|
+ default:
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (read_variable (&authvar) != EFI_SUCCESS) {
|
|
return 0;
|
|
}
|
|
@@ -979,7 +1051,7 @@ in_pending_request (void *mok, uint32_t mok_size, uint8_t import)
|
|
}
|
|
|
|
static int
|
|
-issue_mok_request (char **files, uint32_t total, uint8_t import,
|
|
+issue_mok_request (char **files, uint32_t total, MokRequest req,
|
|
const char *hash_file, const int root_pw)
|
|
{
|
|
efi_variable_t old_req;
|
|
@@ -999,7 +1071,22 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
|
if (!files)
|
|
return -1;
|
|
|
|
- req_name = import ? "MokNew" : "MokDel";
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ req_name = "MokNew";
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ req_name = "MokDel";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ req_name = "MokXNew";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ req_name = "MokXDel";
|
|
+ break;
|
|
+ default:
|
|
+ return -1;
|
|
+ }
|
|
|
|
sizes = malloc (total * sizeof(uint32_t));
|
|
|
|
@@ -1068,11 +1155,29 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
|
files[i]);
|
|
}
|
|
|
|
- if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], import)) {
|
|
+ if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
|
|
ptr += sizes[i];
|
|
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
- } else if (in_pending_request (ptr, sizes[i], import)) {
|
|
- printf ("Removed %s from %s\n", files[i], import ? "MokDel" : "MokNew");
|
|
+ } else if (in_pending_request (ptr, sizes[i], req)) {
|
|
+ const char *pending;
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ pending = "MokDel";
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ pending = "MokNew";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ pending = "MokXDel";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ pending = "MokXNew";
|
|
+ break;
|
|
+ default:
|
|
+ pending = "";
|
|
+ break;
|
|
+ }
|
|
+ printf ("Removed %s from %s\n", files[i], pending);
|
|
|
|
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
} else {
|
|
@@ -1095,7 +1200,7 @@ issue_mok_request (char **files, uint32_t total, uint8_t import,
|
|
real_size += old_req.DataSize;
|
|
}
|
|
|
|
- if (update_request (new_list, real_size, import, hash_file, root_pw) < 0) {
|
|
+ if (update_request (new_list, real_size, req, hash_file, root_pw) < 0) {
|
|
goto error;
|
|
}
|
|
|
|
@@ -1115,29 +1220,58 @@ static int
|
|
import_moks (char **files, uint32_t total, const char *hash_file,
|
|
const int root_pw)
|
|
{
|
|
- return issue_mok_request (files, total, 1, hash_file, root_pw);
|
|
+ return issue_mok_request (files, total, ENROLL_MOK, hash_file, root_pw);
|
|
}
|
|
|
|
static int
|
|
delete_moks (char **files, uint32_t total, const char *hash_file,
|
|
const int root_pw)
|
|
{
|
|
- return issue_mok_request (files, total, 0, hash_file, root_pw);
|
|
+ return issue_mok_request (files, total, DELETE_MOK, hash_file, root_pw);
|
|
}
|
|
|
|
static int
|
|
-revoke_request (uint8_t import)
|
|
+import_blacklist (char **files, uint32_t total, const char *hash_file,
|
|
+ const int root_pw)
|
|
{
|
|
- if (import == 1) {
|
|
+ return issue_mok_request (files, total, ENROLL_BLACKLIST, hash_file, root_pw);
|
|
+}
|
|
+
|
|
+static int
|
|
+delete_blacklist (char **files, uint32_t total, const char *hash_file,
|
|
+ const int root_pw)
|
|
+{
|
|
+ return issue_mok_request (files, total, DELETE_BLACKLIST, hash_file, root_pw);
|
|
+}
|
|
+
|
|
+static int
|
|
+revoke_request (MokRequest req)
|
|
+{
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
if (test_and_delete_var ("MokNew") < 0)
|
|
return -1;
|
|
if (test_and_delete_var ("MokAuth") < 0)
|
|
return -1;
|
|
- } else {
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
if (test_and_delete_var ("MokDel") < 0)
|
|
return -1;
|
|
if (test_and_delete_var ("MokDelAuth") < 0)
|
|
return -1;
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ if (test_and_delete_var ("MokXNew") < 0)
|
|
+ return -1;
|
|
+ if (test_and_delete_var ("MokXAuth") < 0)
|
|
+ return -1;
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ if (test_and_delete_var ("MokXDel") < 0)
|
|
+ return -1;
|
|
+ if (test_and_delete_var ("MokXDelAuth") < 0)
|
|
+ return -1;
|
|
+ break;
|
|
}
|
|
|
|
return 0;
|
|
@@ -1419,7 +1553,7 @@ test_key (const char *key_file)
|
|
goto error;
|
|
}
|
|
|
|
- if (!is_valid_request (EfiCertX509Guid, key, read_size, 1)) {
|
|
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, ENROLL_MOK)) {
|
|
printf ("%s is not enrolled\n", key_file);
|
|
ret = 0;
|
|
} else {
|
|
@@ -1440,7 +1574,7 @@ error:
|
|
static int
|
|
reset_moks (const char *hash_file, const int root_pw)
|
|
{
|
|
- if (update_request (NULL, 0, 1, hash_file, root_pw)) {
|
|
+ if (update_request (NULL, 0, ENROLL_MOK, hash_file, root_pw)) {
|
|
fprintf (stderr, "Failed to issue a reset request\n");
|
|
return -1;
|
|
}
|
|
@@ -1539,6 +1673,7 @@ main (int argc, char *argv[])
|
|
{"simple-hash", no_argument, 0, 's'},
|
|
{"ignore-db", no_argument, 0, 0 },
|
|
{"use-db", no_argument, 0, 0 },
|
|
+ {"mokx", no_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -1574,6 +1709,8 @@ main (int argc, char *argv[])
|
|
command |= IGNORE_DB;
|
|
} else if (strcmp (option, "use-db") == 0) {
|
|
command |= USE_DB;
|
|
+ } else if (strcmp (option, "mokx") == 0) {
|
|
+ command |= MOKX;
|
|
}
|
|
break;
|
|
case 'd':
|
|
@@ -1683,10 +1820,10 @@ main (int argc, char *argv[])
|
|
ret = delete_moks (files, total, hash_file, 0);
|
|
break;
|
|
case REVOKE_IMPORT:
|
|
- ret = revoke_request (1);
|
|
+ ret = revoke_request (ENROLL_MOK);
|
|
break;
|
|
case REVOKE_DELETE:
|
|
- ret = revoke_request (0);
|
|
+ ret = revoke_request (DELETE_MOK);
|
|
break;
|
|
case EXPORT:
|
|
ret = export_moks ();
|
|
@@ -1730,6 +1867,36 @@ main (int argc, char *argv[])
|
|
case USE_DB:
|
|
ret = enable_db ();
|
|
break;
|
|
+ case LIST_ENROLLED | MOKX:
|
|
+ ret = list_keys_in_var ("MokListXRT");
|
|
+ break;
|
|
+ case LIST_NEW | MOKX:
|
|
+ ret = list_keys_in_var ("MokXNew");
|
|
+ break;
|
|
+ case LIST_DELETE | MOKX:
|
|
+ ret = list_keys_in_var ("MokXDel");
|
|
+ break;
|
|
+ case IMPORT | MOKX:
|
|
+ case IMPORT | SIMPLE_HASH | MOKX:
|
|
+ if (use_root_pw)
|
|
+ ret = import_blacklist (files, total, NULL, 1);
|
|
+ else
|
|
+ ret = import_blacklist (files, total, hash_file, 0);
|
|
+ break;
|
|
+ case DELETE | MOKX:
|
|
+ case DELETE | SIMPLE_HASH | MOKX:
|
|
+ if (use_root_pw)
|
|
+ ret = delete_blacklist (files, total, NULL, 1);
|
|
+ else
|
|
+ ret = delete_blacklist (files, total, hash_file, 0);
|
|
+ break;
|
|
+ case REVOKE_IMPORT | MOKX:
|
|
+ ret = revoke_request (ENROLL_BLACKLIST);
|
|
+ break;
|
|
+ case REVOKE_DELETE | MOKX:
|
|
+ ret = revoke_request (DELETE_BLACKLIST);
|
|
+ break;
|
|
+
|
|
default:
|
|
print_help ();
|
|
break;
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 73c2a558b6fa9fb42526d4d2ac5c7db40d402c8f Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 23 Oct 2013 10:41:58 +0800
|
|
Subject: [PATCH 07/20] Fix the memory leakage
|
|
|
|
---
|
|
src/mokutil.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index f10e6e8..bcc12ca 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1746,10 +1746,18 @@ main (int argc, char *argv[])
|
|
|
|
break;
|
|
case 'f':
|
|
+ if (hash_file) {
|
|
+ command |= HELP;
|
|
+ break;
|
|
+ }
|
|
hash_file = strdup (optarg);
|
|
|
|
break;
|
|
case 'g':
|
|
+ if (input_pw) {
|
|
+ command |= HELP;
|
|
+ break;
|
|
+ }
|
|
if (optarg)
|
|
input_pw = strdup (optarg);
|
|
|
|
@@ -1765,6 +1773,10 @@ main (int argc, char *argv[])
|
|
use_root_pw = 1;
|
|
break;
|
|
case 't':
|
|
+ if (key_file) {
|
|
+ command |= HELP;
|
|
+ break;
|
|
+ }
|
|
key_file = strdup (optarg);
|
|
if (key_file == NULL) {
|
|
fprintf (stderr, "Could not allocate space: %m\n");
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 62162fc5a5c33c987e4b8106a9e98c3abf8288ae Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 23 Oct 2013 17:29:53 +0800
|
|
Subject: [PATCH 08/20] Support import and delete a hash
|
|
|
|
---
|
|
src/mokutil.c | 424 ++++++++++++++++++++++++++++++++++++++++++++--------------
|
|
1 file changed, 322 insertions(+), 102 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index bcc12ca..b8edf74 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -80,6 +80,8 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
|
#define IGNORE_DB (1 << 18)
|
|
#define USE_DB (1 << 19)
|
|
#define MOKX (1 << 20)
|
|
+#define IMPORT_HASH (1 << 21)
|
|
+#define DELETE_HASH (1 << 22)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -132,21 +134,27 @@ print_help ()
|
|
printf (" --generate-hash[=password]\t\tGenerate the password hash\n");
|
|
printf (" --ignore-db\t\t\t\tIgnore DB for validation\n");
|
|
printf (" --use-db\t\t\t\tUse DB for validation\n");
|
|
+ printf (" --import-hash <hash>\t\t\tImport a hash\n");
|
|
+ printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
printf (" \t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t and --reset)\n");
|
|
+ printf (" \t\t --reset, --import-hash,\n");
|
|
+ printf (" \t\t and --delete-hash)\n");
|
|
printf (" --root-pw\t\t\t\tUse the root password\n");
|
|
printf (" \t\t\t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t\t\t and --reset)\n");
|
|
+ printf (" \t\t\t\t --reset, --import-hash,\n");
|
|
+ printf (" \t\t\t\t and --delete-hash)\n");
|
|
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
|
|
printf (" \t\t\t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t\t\t --clear-password and --reset)\n");
|
|
+ printf (" \t\t\t\t --clear-password, --reset,\n");
|
|
+ printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
|
|
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
|
|
printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
|
|
printf (" \t\t\t\t --list-delete, --import, --delete,\n");
|
|
- printf (" \t\t\t\t --revoke-import, and --revoke-delete)\n");
|
|
+ printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
|
|
+ printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
|
|
}
|
|
|
|
static int
|
|
@@ -396,17 +404,50 @@ list_keys (efi_variable_t *var)
|
|
return 0;
|
|
}
|
|
|
|
+/* match the hash in the hash array and return the index if matched */
|
|
static int
|
|
-delete_key_from_list (void *mok, uint32_t mok_size,
|
|
- const char *var_name, efi_guid_t guid)
|
|
+match_hash_array (efi_guid_t hash_type, const void *hash,
|
|
+ const void *hash_array, const uint32_t array_size)
|
|
+{
|
|
+ uint32_t hash_size, hash_count;
|
|
+ uint32_t sig_size;
|
|
+ int i;
|
|
+ void *ptr;
|
|
+
|
|
+ hash_size = efi_hash_size (hash_type);
|
|
+ if (!hash_size)
|
|
+ return -1;
|
|
+
|
|
+ sig_size = hash_size + sizeof(efi_guid_t);
|
|
+ if ((array_size % sig_size) != 0) {
|
|
+ fprintf (stderr, "invalid hash array size\n");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ ptr = (void *)hash_array;
|
|
+ hash_count = array_size / sig_size;
|
|
+ for (i = 0; i < hash_count; i++) {
|
|
+ ptr += sizeof(efi_guid_t);
|
|
+ if (memcmp (ptr, hash, hash_size) == 0)
|
|
+ return i;
|
|
+ ptr += hash_size;
|
|
+ }
|
|
+
|
|
+ return -1;
|
|
+}
|
|
+
|
|
+static int
|
|
+delete_data_from_list (efi_guid_t type, void *data, uint32_t data_size,
|
|
+ const char *var_name, efi_guid_t guid)
|
|
{
|
|
efi_variable_t var;
|
|
MokListNode *list;
|
|
uint32_t mok_num, total, remain;
|
|
- void *ptr, *data = NULL;
|
|
+ void *end, *start = NULL;
|
|
int i, del_ind, ret = 0;
|
|
+ uint32_t sig_list_size, sig_size;
|
|
|
|
- if (!var_name || !mok || mok_size == 0)
|
|
+ if (!var_name || !data || data_size == 0)
|
|
return 0;
|
|
|
|
memset (&var, 0, sizeof(var));
|
|
@@ -422,30 +463,56 @@ delete_key_from_list (void *mok, uint32_t mok_size,
|
|
if (list == NULL)
|
|
goto done;
|
|
|
|
+ remain = total;
|
|
for (i = 0; i < mok_num; i++) {
|
|
- if (list[i].mok_size != mok_size)
|
|
+ remain -= list[i].header->SignatureListSize;
|
|
+ if (efi_guidcmp (list[i].header->SignatureType, type) != 0)
|
|
continue;
|
|
|
|
- if (memcmp (list[i].mok, mok, mok_size) == 0) {
|
|
- /* Remove this key */
|
|
- del_ind = i;
|
|
- data = (void *)list[i].header;
|
|
- ptr = data + list[i].header->SignatureListSize;
|
|
- total -= list[i].header->SignatureListSize;
|
|
+ sig_list_size = list[i].header->SignatureListSize;
|
|
+
|
|
+ if (efi_guidcmp (type, EfiCertX509Guid) == 0) {
|
|
+ if (list[i].mok_size != data_size)
|
|
+ continue;
|
|
+
|
|
+ if (memcmp (list[i].mok, data, data_size) == 0) {
|
|
+ /* Remove this key */
|
|
+ start = (void *)list[i].header;
|
|
+ end = start + sig_list_size;
|
|
+ total -= sig_list_size;
|
|
+ break;
|
|
+ }
|
|
+ } else {
|
|
+ del_ind = match_hash_array (type, data, list[i].mok,
|
|
+ list[i].mok_size);
|
|
+ if (del_ind < 0)
|
|
+ continue;
|
|
+
|
|
+ start = (void *)list[i].header;
|
|
+ sig_size = signature_size (type);
|
|
+ if (sig_list_size == (sizeof(EFI_SIGNATURE_LIST) + sig_size)) {
|
|
+ /* Only one hash in the list */
|
|
+ end = start + sig_list_size;
|
|
+ total -= sig_list_size;
|
|
+ } else {
|
|
+ /* More than one hash in the list */
|
|
+ start += sizeof(EFI_SIGNATURE_LIST) + sig_size * del_ind;
|
|
+ end = start + sig_size;
|
|
+ total -= sig_size;
|
|
+ remain += sig_list_size - sizeof(EFI_SIGNATURE_LIST) -
|
|
+ (del_ind + 1) * sig_size;
|
|
+ }
|
|
break;
|
|
}
|
|
}
|
|
|
|
- /* the key is not in this list */
|
|
- if (data == NULL)
|
|
+ /* the key or hash is not in this list */
|
|
+ if (start == NULL)
|
|
return 0;
|
|
|
|
- /* Move the rest of the keys */
|
|
- remain = 0;
|
|
- for (i = del_ind + 1; i < mok_num; i++)
|
|
- remain += list[i].header->SignatureListSize;
|
|
+ /* remove the key or hash */
|
|
if (remain > 0)
|
|
- memmove (data, ptr, remain);
|
|
+ memmove (start, end, remain);
|
|
|
|
var.DataSize = total;
|
|
var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
|
@@ -459,7 +526,8 @@ delete_key_from_list (void *mok, uint32_t mok_size,
|
|
|
|
ret = 1;
|
|
done:
|
|
- free (list);
|
|
+ if (list)
|
|
+ free (list);
|
|
free (var.Data);
|
|
|
|
return ret;
|
|
@@ -884,37 +952,6 @@ is_valid_cert (void *cert, uint32_t cert_size)
|
|
}
|
|
|
|
static int
|
|
-match_hash_array (efi_guid_t hash_type, const void *hash,
|
|
- const void *hash_array, const uint32_t array_size)
|
|
-{
|
|
- uint32_t hash_size, hash_count;
|
|
- uint32_t sig_size;
|
|
- int i;
|
|
- void *ptr;
|
|
-
|
|
- hash_size = efi_hash_size (hash_type);
|
|
- if (!hash_size)
|
|
- return 0;
|
|
-
|
|
- sig_size = hash_size + sizeof(efi_guid_t);
|
|
- if ((array_size % sig_size) != 0) {
|
|
- fprintf (stderr, "invalid hash array size\n");
|
|
- return 0;
|
|
- }
|
|
-
|
|
- ptr = (void *)hash_array;
|
|
- hash_count = array_size / sig_size;
|
|
- for (i = 0; i < hash_count; i++) {
|
|
- ptr += sizeof(efi_guid_t);
|
|
- if (memcmp (ptr, hash, hash_size) == 0)
|
|
- return 1;
|
|
- ptr += hash_size;
|
|
- }
|
|
-
|
|
- return 0;
|
|
-}
|
|
-
|
|
-static int
|
|
is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
|
|
efi_guid_t vendor, const char *db_name)
|
|
{
|
|
@@ -952,7 +989,7 @@ is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
|
|
}
|
|
} else {
|
|
if (match_hash_array (type, data, list[i].mok,
|
|
- list[i].mok_size)) {
|
|
+ list[i].mok_size) >= 0) {
|
|
ret = 1;
|
|
break;
|
|
}
|
|
@@ -960,7 +997,8 @@ is_duplicate (efi_guid_t type, const void *data, const uint32_t data_size,
|
|
}
|
|
|
|
done:
|
|
- free (list);
|
|
+ if (list)
|
|
+ free (list);
|
|
free (var.Data);
|
|
|
|
return ret;
|
|
@@ -1003,12 +1041,13 @@ is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req)
|
|
}
|
|
|
|
static int
|
|
-in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
|
|
+in_pending_request (efi_guid_t type, void *data, uint32_t data_size,
|
|
+ MokRequest req)
|
|
{
|
|
efi_variable_t authvar;
|
|
const char *var_name;
|
|
|
|
- if (!mok || mok_size == 0)
|
|
+ if (!data || data_size == 0)
|
|
return 0;
|
|
|
|
memset (&authvar, 0, sizeof(authvar));
|
|
@@ -1044,8 +1083,9 @@ in_pending_request (void *mok, uint32_t mok_size, MokRequest req)
|
|
if (authvar.DataSize == SHA256_DIGEST_LENGTH)
|
|
return 0;
|
|
|
|
- if (delete_key_from_list (mok, mok_size, var_name, SHIM_LOCK_GUID))
|
|
- return 1;
|
|
+ if (delete_data_from_list (type, data, data_size, var_name,
|
|
+ SHIM_LOCK_GUID))
|
|
+ return 1;
|
|
|
|
return 0;
|
|
}
|
|
@@ -1158,7 +1198,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
|
if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
|
|
ptr += sizes[i];
|
|
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
- } else if (in_pending_request (ptr, sizes[i], req)) {
|
|
+ } else if (in_pending_request (EfiCertX509Guid, ptr, sizes[i], req)) {
|
|
const char *pending;
|
|
switch (req) {
|
|
case ENROLL_MOK:
|
|
@@ -1217,31 +1257,186 @@ error:
|
|
}
|
|
|
|
static int
|
|
-import_moks (char **files, uint32_t total, const char *hash_file,
|
|
- const int root_pw)
|
|
+identify_hash_type (const char *hash_str, efi_guid_t *type)
|
|
{
|
|
- return issue_mok_request (files, total, ENROLL_MOK, hash_file, root_pw);
|
|
-}
|
|
+ int len = strlen (hash_str);
|
|
+ int hash_size;
|
|
+ int i;
|
|
|
|
-static int
|
|
-delete_moks (char **files, uint32_t total, const char *hash_file,
|
|
- const int root_pw)
|
|
-{
|
|
- return issue_mok_request (files, total, DELETE_MOK, hash_file, root_pw);
|
|
+ for (i = 0; i < len; i++) {
|
|
+ if ((hash_str[i] > '9' || hash_str[i] < '0') &&
|
|
+ (hash_str[i] > 'f' || hash_str[i] < 'a') &&
|
|
+ (hash_str[i] > 'F' || hash_str[i] < 'A'))
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ switch (len) {
|
|
+ case SHA_DIGEST_LENGTH*2:
|
|
+ *type = EfiHashSha1Guid;
|
|
+ hash_size = SHA_DIGEST_LENGTH;
|
|
+ break;
|
|
+ case SHA224_DIGEST_LENGTH*2:
|
|
+ *type = EfiHashSha224Guid;
|
|
+ hash_size = SHA224_DIGEST_LENGTH;
|
|
+ break;
|
|
+ case SHA256_DIGEST_LENGTH*2:
|
|
+ *type = EfiHashSha256Guid;
|
|
+ hash_size = SHA256_DIGEST_LENGTH;
|
|
+ break;
|
|
+ case SHA384_DIGEST_LENGTH*2:
|
|
+ *type = EfiHashSha384Guid;
|
|
+ hash_size = SHA384_DIGEST_LENGTH;
|
|
+ break;
|
|
+ case SHA512_DIGEST_LENGTH*2:
|
|
+ *type = EfiHashSha512Guid;
|
|
+ hash_size = SHA512_DIGEST_LENGTH;
|
|
+ break;
|
|
+ default:
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ return hash_size;
|
|
}
|
|
|
|
static int
|
|
-import_blacklist (char **files, uint32_t total, const char *hash_file,
|
|
- const int root_pw)
|
|
+hex_str_to_binary (const char *hex_str, uint8_t *array, int len)
|
|
{
|
|
- return issue_mok_request (files, total, ENROLL_BLACKLIST, hash_file, root_pw);
|
|
+ char *pos;
|
|
+ int i;
|
|
+
|
|
+ if (!hex_str || !array)
|
|
+ return -1;
|
|
+
|
|
+ pos = (char *)hex_str;
|
|
+ for (i = 0; i < len; i++) {
|
|
+ sscanf (pos, "%2hhx", &array[i]);
|
|
+ pos += 2;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
}
|
|
|
|
static int
|
|
-delete_blacklist (char **files, uint32_t total, const char *hash_file,
|
|
- const int root_pw)
|
|
+issue_hash_request (const char *hash_str, MokRequest req,
|
|
+ const char *hash_file, const int root_pw)
|
|
{
|
|
- return issue_mok_request (files, total, DELETE_BLACKLIST, hash_file, root_pw);
|
|
+ efi_variable_t old_req;
|
|
+ const char *req_name;
|
|
+ void *new_list = NULL;
|
|
+ void *ptr;
|
|
+ unsigned long list_size = 0;
|
|
+ uint32_t sig_list_size;
|
|
+ int ret = -1;
|
|
+ EFI_SIGNATURE_LIST *CertList;
|
|
+ EFI_SIGNATURE_DATA *CertData;
|
|
+ efi_guid_t hash_type;
|
|
+ uint8_t db_hash[SHA512_DIGEST_LENGTH];
|
|
+ int hash_size;
|
|
+ uint8_t valid = 0;
|
|
+
|
|
+ if (!hash_str)
|
|
+ return -1;
|
|
+
|
|
+ hash_size = identify_hash_type (hash_str, &hash_type);
|
|
+ if (hash_size < 0)
|
|
+ return -1;
|
|
+
|
|
+ if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0)
|
|
+ return -1;
|
|
+
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ req_name = "MokNew";
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ req_name = "MokDel";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ req_name = "MokXNew";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ req_name = "MokXDel";
|
|
+ break;
|
|
+ default:
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
|
|
+ list_size += sig_list_size;
|
|
+
|
|
+ memset (&old_req, 0, sizeof(old_req));
|
|
+
|
|
+ old_req.VariableName = req_name;
|
|
+ old_req.VendorGuid = SHIM_LOCK_GUID;
|
|
+ if (read_variable (&old_req) == EFI_SUCCESS)
|
|
+ list_size += old_req.DataSize;
|
|
+
|
|
+ new_list = malloc (list_size);
|
|
+ if (!new_list) {
|
|
+ fprintf (stderr, "Failed to allocate space for %s\n", req_name);
|
|
+ goto error;
|
|
+ }
|
|
+ ptr = new_list;
|
|
+
|
|
+ CertList = ptr;
|
|
+ CertList->SignatureType = hash_type;
|
|
+ CertList->SignatureListSize = sig_list_size;
|
|
+ CertList->SignatureHeaderSize = 0;
|
|
+ CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
|
|
+
|
|
+ CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
|
|
+ sizeof(EFI_SIGNATURE_LIST));
|
|
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
+ memcpy (CertData->SignatureData, db_hash, hash_size);
|
|
+
|
|
+ if (is_valid_request (hash_type, db_hash, hash_size, req)) {
|
|
+ valid = 1;
|
|
+ } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
|
|
+ const char *pending;
|
|
+ switch (req) {
|
|
+ case ENROLL_MOK:
|
|
+ pending = "MokDel";
|
|
+ break;
|
|
+ case DELETE_MOK:
|
|
+ pending = "MokNew";
|
|
+ break;
|
|
+ case ENROLL_BLACKLIST:
|
|
+ pending = "MokXDel";
|
|
+ break;
|
|
+ case DELETE_BLACKLIST:
|
|
+ pending = "MokXNew";
|
|
+ break;
|
|
+ default:
|
|
+ pending = "";
|
|
+ break;
|
|
+ }
|
|
+ printf ("Removed hash from %s\n", pending);
|
|
+ } else {
|
|
+ printf ("Skip hash\n");
|
|
+ }
|
|
+
|
|
+ if (!valid) {
|
|
+ ret = 0;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
+ /* append the keys to the previous request */
|
|
+ if (old_req.Data) {
|
|
+ memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
|
|
+ }
|
|
+
|
|
+ if (update_request (new_list, list_size, req, hash_file, root_pw) < 0) {
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
+ ret = 0;
|
|
+error:
|
|
+ if (old_req.Data)
|
|
+ free (old_req.Data);
|
|
+ if (new_list)
|
|
+ free (new_list);
|
|
+
|
|
+ return ret;
|
|
}
|
|
|
|
static int
|
|
@@ -1641,6 +1836,7 @@ main (int argc, char *argv[])
|
|
char *key_file = NULL;
|
|
char *hash_file = NULL;
|
|
char *input_pw = NULL;
|
|
+ char *hash_str = NULL;
|
|
const char *option;
|
|
int c, i, f_ind, total = 0;
|
|
unsigned int command = 0;
|
|
@@ -1674,6 +1870,8 @@ main (int argc, char *argv[])
|
|
{"ignore-db", no_argument, 0, 0 },
|
|
{"use-db", no_argument, 0, 0 },
|
|
{"mokx", no_argument, 0, 0 },
|
|
+ {"import-hash", required_argument, 0, 0 },
|
|
+ {"delete-hash", required_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -1711,6 +1909,20 @@ main (int argc, char *argv[])
|
|
command |= USE_DB;
|
|
} else if (strcmp (option, "mokx") == 0) {
|
|
command |= MOKX;
|
|
+ } else if (strcmp (option, "import-hash") == 0) {
|
|
+ command |= IMPORT_HASH;
|
|
+ if (hash_str) {
|
|
+ command |= HELP;
|
|
+ break;
|
|
+ }
|
|
+ hash_str = strdup (optarg);
|
|
+ } else if (strcmp (option, "delete-hash") == 0) {
|
|
+ command |= DELETE_HASH;
|
|
+ if (hash_str) {
|
|
+ command |= HELP;
|
|
+ break;
|
|
+ }
|
|
+ hash_str = strdup (optarg);
|
|
}
|
|
break;
|
|
case 'd':
|
|
@@ -1802,7 +2014,7 @@ main (int argc, char *argv[])
|
|
}
|
|
|
|
if (use_root_pw == 1 && use_simple_hash == 1)
|
|
- use_simple_hash = 0;;
|
|
+ use_simple_hash = 0;
|
|
|
|
if (hash_file && use_root_pw)
|
|
command |= HELP;
|
|
@@ -1819,17 +2031,23 @@ main (int argc, char *argv[])
|
|
break;
|
|
case IMPORT:
|
|
case IMPORT | SIMPLE_HASH:
|
|
- if (use_root_pw)
|
|
- ret = import_moks (files, total, NULL, 1);
|
|
- else
|
|
- ret = import_moks (files, total, hash_file, 0);
|
|
+ ret = issue_mok_request (files, total, ENROLL_MOK,
|
|
+ hash_file, use_root_pw);
|
|
break;
|
|
case DELETE:
|
|
case DELETE | SIMPLE_HASH:
|
|
- if (use_root_pw)
|
|
- ret = delete_moks (files, total, NULL, 1);
|
|
- else
|
|
- ret = delete_moks (files, total, hash_file, 0);
|
|
+ ret = issue_mok_request (files, total, DELETE_MOK,
|
|
+ hash_file, use_root_pw);
|
|
+ break;
|
|
+ case IMPORT_HASH:
|
|
+ case IMPORT_HASH | SIMPLE_HASH:
|
|
+ ret = issue_hash_request (hash_str, ENROLL_MOK,
|
|
+ hash_file, use_root_pw);
|
|
+ break;
|
|
+ case DELETE_HASH:
|
|
+ case DELETE_HASH | SIMPLE_HASH:
|
|
+ ret = issue_hash_request (hash_str, DELETE_MOK,
|
|
+ hash_file, use_root_pw);
|
|
break;
|
|
case REVOKE_IMPORT:
|
|
ret = revoke_request (ENROLL_MOK);
|
|
@@ -1842,10 +2060,7 @@ main (int argc, char *argv[])
|
|
break;
|
|
case PASSWORD:
|
|
case PASSWORD | SIMPLE_HASH:
|
|
- if (use_root_pw)
|
|
- ret = set_password (NULL, 1, 0);
|
|
- else
|
|
- ret = set_password (hash_file, 0, 0);
|
|
+ ret = set_password (hash_file, use_root_pw, 0);
|
|
break;
|
|
case CLEAR_PASSWORD:
|
|
case CLEAR_PASSWORD | SIMPLE_HASH:
|
|
@@ -1865,10 +2080,7 @@ main (int argc, char *argv[])
|
|
break;
|
|
case RESET:
|
|
case RESET | SIMPLE_HASH:
|
|
- if (use_root_pw)
|
|
- ret = reset_moks (NULL, 1);
|
|
- else
|
|
- ret = reset_moks (hash_file, 0);
|
|
+ ret = reset_moks (hash_file, use_root_pw);
|
|
break;
|
|
case GENERATE_PW_HASH:
|
|
ret = generate_pw_hash (input_pw);
|
|
@@ -1890,17 +2102,23 @@ main (int argc, char *argv[])
|
|
break;
|
|
case IMPORT | MOKX:
|
|
case IMPORT | SIMPLE_HASH | MOKX:
|
|
- if (use_root_pw)
|
|
- ret = import_blacklist (files, total, NULL, 1);
|
|
- else
|
|
- ret = import_blacklist (files, total, hash_file, 0);
|
|
+ ret = issue_mok_request (files, total, ENROLL_BLACKLIST,
|
|
+ hash_file, use_root_pw);
|
|
break;
|
|
case DELETE | MOKX:
|
|
case DELETE | SIMPLE_HASH | MOKX:
|
|
- if (use_root_pw)
|
|
- ret = delete_blacklist (files, total, NULL, 1);
|
|
- else
|
|
- ret = delete_blacklist (files, total, hash_file, 0);
|
|
+ ret = issue_mok_request (files, total, DELETE_BLACKLIST,
|
|
+ hash_file, use_root_pw);
|
|
+ break;
|
|
+ case IMPORT_HASH | MOKX:
|
|
+ case IMPORT_HASH | SIMPLE_HASH | MOKX:
|
|
+ ret = issue_hash_request (hash_str, ENROLL_BLACKLIST,
|
|
+ hash_file, use_root_pw);
|
|
+ break;
|
|
+ case DELETE_HASH | MOKX:
|
|
+ case DELETE_HASH | SIMPLE_HASH | MOKX:
|
|
+ ret = issue_hash_request (hash_str, DELETE_BLACKLIST,
|
|
+ hash_file, use_root_pw);
|
|
break;
|
|
case REVOKE_IMPORT | MOKX:
|
|
ret = revoke_request (ENROLL_BLACKLIST);
|
|
@@ -1908,7 +2126,6 @@ main (int argc, char *argv[])
|
|
case REVOKE_DELETE | MOKX:
|
|
ret = revoke_request (DELETE_BLACKLIST);
|
|
break;
|
|
-
|
|
default:
|
|
print_help ();
|
|
break;
|
|
@@ -1929,5 +2146,8 @@ main (int argc, char *argv[])
|
|
if (input_pw)
|
|
free (input_pw);
|
|
|
|
+ if (hash_str)
|
|
+ free (hash_str);
|
|
+
|
|
return ret;
|
|
}
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From e852519aad00c669716c76db8908b89c6b5583e1 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 23 Oct 2013 17:42:05 +0800
|
|
Subject: [PATCH 09/20] Reorganize issue_*_request
|
|
|
|
---
|
|
src/mokutil.c | 75 +++++++++++++++++++----------------------------------------
|
|
1 file changed, 24 insertions(+), 51 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index b8edf74..862cfbf 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1096,6 +1096,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
|
{
|
|
efi_variable_t old_req;
|
|
const char *req_name;
|
|
+ const char *reverse_req;
|
|
void *new_list = NULL;
|
|
void *ptr;
|
|
struct stat buf;
|
|
@@ -1114,15 +1115,19 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
|
switch (req) {
|
|
case ENROLL_MOK:
|
|
req_name = "MokNew";
|
|
+ reverse_req = "MokDel";
|
|
break;
|
|
case DELETE_MOK:
|
|
req_name = "MokDel";
|
|
+ reverse_req = "MokNew";
|
|
break;
|
|
case ENROLL_BLACKLIST:
|
|
req_name = "MokXNew";
|
|
+ reverse_req = "MokXDel";
|
|
break;
|
|
case DELETE_BLACKLIST:
|
|
req_name = "MokXDel";
|
|
+ reverse_req = "MokXNew";
|
|
break;
|
|
default:
|
|
return -1;
|
|
@@ -1199,26 +1204,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
|
|
ptr += sizes[i];
|
|
real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
} else if (in_pending_request (EfiCertX509Guid, ptr, sizes[i], req)) {
|
|
- const char *pending;
|
|
- switch (req) {
|
|
- case ENROLL_MOK:
|
|
- pending = "MokDel";
|
|
- break;
|
|
- case DELETE_MOK:
|
|
- pending = "MokNew";
|
|
- break;
|
|
- case ENROLL_BLACKLIST:
|
|
- pending = "MokXDel";
|
|
- break;
|
|
- case DELETE_BLACKLIST:
|
|
- pending = "MokXNew";
|
|
- break;
|
|
- default:
|
|
- pending = "";
|
|
- break;
|
|
- }
|
|
- printf ("Removed %s from %s\n", files[i], pending);
|
|
-
|
|
+ printf ("Removed %s from %s\n", files[i], reverse_req);
|
|
ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t);
|
|
} else {
|
|
printf ("Skip %s\n", files[i]);
|
|
@@ -1322,6 +1308,7 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
{
|
|
efi_variable_t old_req;
|
|
const char *req_name;
|
|
+ const char *reverse_req;
|
|
void *new_list = NULL;
|
|
void *ptr;
|
|
unsigned long list_size = 0;
|
|
@@ -1347,20 +1334,37 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
switch (req) {
|
|
case ENROLL_MOK:
|
|
req_name = "MokNew";
|
|
+ reverse_req = "MokDel";
|
|
break;
|
|
case DELETE_MOK:
|
|
req_name = "MokDel";
|
|
+ reverse_req = "MokNew";
|
|
break;
|
|
case ENROLL_BLACKLIST:
|
|
req_name = "MokXNew";
|
|
+ reverse_req = "MokXDel";
|
|
break;
|
|
case DELETE_BLACKLIST:
|
|
req_name = "MokXDel";
|
|
+ reverse_req = "MokXNew";
|
|
break;
|
|
default:
|
|
return -1;
|
|
}
|
|
|
|
+ if (is_valid_request (hash_type, db_hash, hash_size, req)) {
|
|
+ valid = 1;
|
|
+ } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
|
|
+ printf ("Removed hash from %s\n", reverse_req);
|
|
+ } else {
|
|
+ printf ("Skip hash\n");
|
|
+ }
|
|
+
|
|
+ if (!valid) {
|
|
+ ret = 0;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
|
|
list_size += sig_list_size;
|
|
|
|
@@ -1389,37 +1393,6 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
memcpy (CertData->SignatureData, db_hash, hash_size);
|
|
|
|
- if (is_valid_request (hash_type, db_hash, hash_size, req)) {
|
|
- valid = 1;
|
|
- } else if (in_pending_request (hash_type, db_hash, hash_size, req)) {
|
|
- const char *pending;
|
|
- switch (req) {
|
|
- case ENROLL_MOK:
|
|
- pending = "MokDel";
|
|
- break;
|
|
- case DELETE_MOK:
|
|
- pending = "MokNew";
|
|
- break;
|
|
- case ENROLL_BLACKLIST:
|
|
- pending = "MokXDel";
|
|
- break;
|
|
- case DELETE_BLACKLIST:
|
|
- pending = "MokXNew";
|
|
- break;
|
|
- default:
|
|
- pending = "";
|
|
- break;
|
|
- }
|
|
- printf ("Removed hash from %s\n", pending);
|
|
- } else {
|
|
- printf ("Skip hash\n");
|
|
- }
|
|
-
|
|
- if (!valid) {
|
|
- ret = 0;
|
|
- goto error;
|
|
- }
|
|
-
|
|
/* append the keys to the previous request */
|
|
if (old_req.Data) {
|
|
memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 8603b648095d847fbed56b956b0b5aeaa62f091a Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 23 Oct 2013 18:29:09 +0800
|
|
Subject: [PATCH 10/20] Merge the hash into an existed signature list
|
|
|
|
---
|
|
src/mokutil.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++------------
|
|
1 file changed, 70 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 862cfbf..f87ae7a 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1312,14 +1312,17 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
void *new_list = NULL;
|
|
void *ptr;
|
|
unsigned long list_size = 0;
|
|
- uint32_t sig_list_size;
|
|
+ uint32_t sig_size, sig_list_size;
|
|
int ret = -1;
|
|
EFI_SIGNATURE_LIST *CertList;
|
|
EFI_SIGNATURE_DATA *CertData;
|
|
efi_guid_t hash_type;
|
|
uint8_t db_hash[SHA512_DIGEST_LENGTH];
|
|
int hash_size;
|
|
+ int merge_ind = -1;
|
|
uint8_t valid = 0;
|
|
+ MokListNode *mok_list = NULL;
|
|
+ uint32_t mok_num;
|
|
|
|
if (!hash_str)
|
|
return -1;
|
|
@@ -1365,16 +1368,31 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
goto error;
|
|
}
|
|
|
|
- sig_list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
|
|
- list_size += sig_list_size;
|
|
-
|
|
memset (&old_req, 0, sizeof(old_req));
|
|
|
|
old_req.VariableName = req_name;
|
|
old_req.VendorGuid = SHIM_LOCK_GUID;
|
|
- if (read_variable (&old_req) == EFI_SUCCESS)
|
|
+ if (read_variable (&old_req) == EFI_SUCCESS) {
|
|
+ int i;
|
|
list_size += old_req.DataSize;
|
|
|
|
+ mok_list = build_mok_list (old_req.Data, old_req.DataSize,
|
|
+ &mok_num);
|
|
+ if (mok_list == NULL)
|
|
+ goto error;
|
|
+
|
|
+ /* Check if there is a signature list with the same type */
|
|
+ for (i = 0; i < mok_num; i++) {
|
|
+ if (efi_guidcmp (mok_list[i].header->SignatureType,
|
|
+ hash_type) == 0) {
|
|
+ merge_ind = i;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ list_size += sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size;
|
|
+
|
|
new_list = malloc (list_size);
|
|
if (!new_list) {
|
|
fprintf (stderr, "Failed to allocate space for %s\n", req_name);
|
|
@@ -1382,20 +1400,53 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
}
|
|
ptr = new_list;
|
|
|
|
- CertList = ptr;
|
|
- CertList->SignatureType = hash_type;
|
|
- CertList->SignatureListSize = sig_list_size;
|
|
- CertList->SignatureHeaderSize = 0;
|
|
- CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
|
|
+ if (merge_ind < 0) {
|
|
+ /* Create a new signature list for the hash */
|
|
+ sig_list_size = sizeof(EFI_SIGNATURE_LIST) +
|
|
+ sizeof(efi_guid_t) + hash_size;
|
|
+ CertList = ptr;
|
|
+ CertList->SignatureType = hash_type;
|
|
+ CertList->SignatureListSize = sig_list_size;
|
|
+ CertList->SignatureHeaderSize = 0;
|
|
+ CertList->SignatureSize = hash_size + sizeof(efi_guid_t);
|
|
|
|
- CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
|
|
- sizeof(EFI_SIGNATURE_LIST));
|
|
- CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
- memcpy (CertData->SignatureData, db_hash, hash_size);
|
|
+ CertData = (EFI_SIGNATURE_DATA *)(((uint8_t *)ptr) +
|
|
+ sizeof(EFI_SIGNATURE_LIST));
|
|
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
|
|
+ memcpy (CertData->SignatureData, db_hash, hash_size);
|
|
|
|
- /* append the keys to the previous request */
|
|
- if (old_req.Data) {
|
|
- memcpy (new_list + sig_list_size, old_req.Data, old_req.DataSize);
|
|
+ /* prepend the hash to the previous request */
|
|
+ ptr += sig_list_size;
|
|
+ if (old_req.Data) {
|
|
+ memcpy (ptr, old_req.Data, old_req.DataSize);
|
|
+ }
|
|
+ } else {
|
|
+ /* Merge the hash into an existed signature list */
|
|
+ int i;
|
|
+
|
|
+ for (i = 0; i < merge_ind; i++) {
|
|
+ sig_list_size = mok_list[i].header->SignatureListSize;
|
|
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
|
|
+ ptr += sig_list_size;
|
|
+ }
|
|
+
|
|
+ /* Append the hash to the list */
|
|
+ i = merge_ind;
|
|
+ sig_list_size = mok_list[i].header->SignatureListSize;
|
|
+ sig_size = hash_size + sizeof(efi_guid_t);
|
|
+ mok_list[i].header->SignatureListSize += sig_size;
|
|
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
|
|
+ ptr += sig_list_size;
|
|
+ memcpy (ptr, (void *)&hash_type, sizeof(efi_guid_t));
|
|
+ ptr += sizeof(efi_guid_t);
|
|
+ memcpy (ptr, db_hash, hash_size);
|
|
+ ptr += hash_size;
|
|
+
|
|
+ for (i = merge_ind + 1; i < mok_num; i++) {
|
|
+ sig_list_size = mok_list[i].header->SignatureListSize;
|
|
+ memcpy (ptr, (void *)mok_list[i].header, sig_list_size);
|
|
+ ptr += sig_list_size;
|
|
+ }
|
|
}
|
|
|
|
if (update_request (new_list, list_size, req, hash_file, root_pw) < 0) {
|
|
@@ -1406,6 +1457,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
error:
|
|
if (old_req.Data)
|
|
free (old_req.Data);
|
|
+ if (mok_list)
|
|
+ free (mok_list);
|
|
if (new_list)
|
|
free (new_list);
|
|
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From d933eba21ebad708d85ff23a715a14a7d67f51a9 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Thu, 24 Oct 2013 17:54:18 +0800
|
|
Subject: [PATCH 11/20] Initialize the request variable to avoid the potential
|
|
crash
|
|
|
|
---
|
|
src/mokutil.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index f87ae7a..880c38f 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1334,6 +1334,8 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0)
|
|
return -1;
|
|
|
|
+ memset (&old_req, 0, sizeof(old_req));
|
|
+
|
|
switch (req) {
|
|
case ENROLL_MOK:
|
|
req_name = "MokNew";
|
|
@@ -1368,8 +1370,6 @@ issue_hash_request (const char *hash_str, MokRequest req,
|
|
goto error;
|
|
}
|
|
|
|
- memset (&old_req, 0, sizeof(old_req));
|
|
-
|
|
old_req.VariableName = req_name;
|
|
old_req.VendorGuid = SHIM_LOCK_GUID;
|
|
if (read_variable (&old_req) == EFI_SUCCESS) {
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 6c9d5519172ca5f87a08d1a46105c2a68b9f4db7 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Fri, 25 Oct 2013 18:29:07 +0800
|
|
Subject: [PATCH 12/20] Make test-key and reset support MOK blacklist
|
|
|
|
---
|
|
src/mokutil.c | 22 +++++++++++++++-------
|
|
1 file changed, 15 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 880c38f..8ff4b41 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -154,7 +154,8 @@ print_help ()
|
|
printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
|
|
printf (" \t\t\t\t --list-delete, --import, --delete,\n");
|
|
printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
|
|
- printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
|
|
+ printf (" \t\t\t\t --import-hash, --delete-hash,\n");
|
|
+ printf (" \t\t\t\t --reset, and --test-key)\n");
|
|
}
|
|
|
|
static int
|
|
@@ -1756,7 +1757,7 @@ read_file(int fd, void **bufp, size_t *lenptr) {
|
|
}
|
|
|
|
static int
|
|
-test_key (const char *key_file)
|
|
+test_key (MokRequest req, const char *key_file)
|
|
{
|
|
void *key = NULL;
|
|
size_t read_size;
|
|
@@ -1774,7 +1775,7 @@ test_key (const char *key_file)
|
|
goto error;
|
|
}
|
|
|
|
- if (!is_valid_request (EfiCertX509Guid, key, read_size, ENROLL_MOK)) {
|
|
+ if (!is_valid_request (EfiCertX509Guid, key, read_size, req)) {
|
|
printf ("%s is not enrolled\n", key_file);
|
|
ret = 0;
|
|
} else {
|
|
@@ -1793,9 +1794,9 @@ error:
|
|
}
|
|
|
|
static int
|
|
-reset_moks (const char *hash_file, const int root_pw)
|
|
+reset_moks (MokRequest req, const char *hash_file, const int root_pw)
|
|
{
|
|
- if (update_request (NULL, 0, ENROLL_MOK, hash_file, root_pw)) {
|
|
+ if (update_request (NULL, 0, req, hash_file, root_pw)) {
|
|
fprintf (stderr, "Failed to issue a reset request\n");
|
|
return -1;
|
|
}
|
|
@@ -2102,11 +2103,11 @@ main (int argc, char *argv[])
|
|
ret = sb_state ();
|
|
break;
|
|
case TEST_KEY:
|
|
- ret = test_key (key_file);
|
|
+ ret = test_key (ENROLL_MOK, key_file);
|
|
break;
|
|
case RESET:
|
|
case RESET | SIMPLE_HASH:
|
|
- ret = reset_moks (hash_file, use_root_pw);
|
|
+ ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw);
|
|
break;
|
|
case GENERATE_PW_HASH:
|
|
ret = generate_pw_hash (input_pw);
|
|
@@ -2152,6 +2153,13 @@ main (int argc, char *argv[])
|
|
case REVOKE_DELETE | MOKX:
|
|
ret = revoke_request (DELETE_BLACKLIST);
|
|
break;
|
|
+ case RESET | MOKX:
|
|
+ case RESET | SIMPLE_HASH | MOKX:
|
|
+ ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw);
|
|
+ break;
|
|
+ case TEST_KEY | MOKX:
|
|
+ ret = test_key (ENROLL_BLACKLIST, key_file);
|
|
+ break;
|
|
default:
|
|
print_help ();
|
|
break;
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 0fdc023cf98addb23ae511b91c963619ec1e8e2d Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 30 Oct 2013 10:29:25 +0800
|
|
Subject: [PATCH 13/20] Set the verbosity for shim and MokManager
|
|
|
|
---
|
|
src/mokutil.c | 40 ++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 40 insertions(+)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 8ff4b41..cd3b622 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -82,6 +82,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
|
|
#define MOKX (1 << 20)
|
|
#define IMPORT_HASH (1 << 21)
|
|
#define DELETE_HASH (1 << 22)
|
|
+#define VERBOSITY (1 << 23)
|
|
|
|
#define DEFAULT_CRYPT_METHOD SHA512_BASED
|
|
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
|
|
@@ -136,6 +137,7 @@ print_help ()
|
|
printf (" --use-db\t\t\t\tUse DB for validation\n");
|
|
printf (" --import-hash <hash>\t\t\tImport a hash\n");
|
|
printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
|
|
+ printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
@@ -1856,6 +1858,31 @@ generate_pw_hash (const char *input_pw)
|
|
return 0;
|
|
}
|
|
|
|
+static int
|
|
+set_verbosity (uint8_t verbosity)
|
|
+{
|
|
+ efi_variable_t var;
|
|
+
|
|
+ if (verbosity) {
|
|
+ var.VariableName = "SHIM_VERBOSE";
|
|
+ var.VendorGuid = SHIM_LOCK_GUID;
|
|
+ var.Data = (void *)&verbosity;
|
|
+ var.DataSize = sizeof(uint8_t);
|
|
+ var.Attributes = EFI_VARIABLE_NON_VOLATILE
|
|
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
|
+ | EFI_VARIABLE_RUNTIME_ACCESS;
|
|
+
|
|
+ if (edit_protected_variable (&var) != EFI_SUCCESS) {
|
|
+ fprintf (stderr, "Failed to set SHIM_VERBOSE\n");
|
|
+ return -1;
|
|
+ }
|
|
+ } else {
|
|
+ return test_and_delete_var ("SHIM_VERBOSE");
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
int
|
|
main (int argc, char *argv[])
|
|
{
|
|
@@ -1868,6 +1895,7 @@ main (int argc, char *argv[])
|
|
int c, i, f_ind, total = 0;
|
|
unsigned int command = 0;
|
|
int use_root_pw = 0;
|
|
+ uint8_t verbosity = 0;
|
|
int ret = -1;
|
|
|
|
use_simple_hash = 0;
|
|
@@ -1899,6 +1927,7 @@ main (int argc, char *argv[])
|
|
{"mokx", no_argument, 0, 0 },
|
|
{"import-hash", required_argument, 0, 0 },
|
|
{"delete-hash", required_argument, 0, 0 },
|
|
+ {"set-verbosity", required_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -1950,6 +1979,14 @@ main (int argc, char *argv[])
|
|
break;
|
|
}
|
|
hash_str = strdup (optarg);
|
|
+ } else if (strcmp (option, "set-verbosity") == 0) {
|
|
+ command |= VERBOSITY;
|
|
+ if (strcmp (optarg, "true") == 0)
|
|
+ verbosity = 1;
|
|
+ else if (strcmp (optarg, "false") == 0)
|
|
+ verbosity = 0;
|
|
+ else
|
|
+ command |= HELP;
|
|
}
|
|
break;
|
|
case 'd':
|
|
@@ -2160,6 +2197,9 @@ main (int argc, char *argv[])
|
|
case TEST_KEY | MOKX:
|
|
ret = test_key (ENROLL_BLACKLIST, key_file);
|
|
break;
|
|
+ case VERBOSITY:
|
|
+ ret = set_verbosity (verbosity);
|
|
+ break;
|
|
default:
|
|
print_help ();
|
|
break;
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 96dfa331c2067c3a44d6086ec86e6abb87f3c30f Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 26 Nov 2013 12:36:12 +0800
|
|
Subject: [PATCH 14/20] Update the help and manpage
|
|
|
|
---
|
|
man/mokutil.1 | 30 +++++++++++++++++++++++++++---
|
|
src/mokutil.c | 4 ++--
|
|
2 files changed, 29 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index abfdebb..fa990e5 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -5,22 +5,27 @@ mokutil \- utility to manipulate machine owner keys
|
|
|
|
.SH SYNOPSIS
|
|
\fBmokutil\fR [--list-enrolled]
|
|
+ ([--mokx])
|
|
.br
|
|
\fBmokutil\fR [--list-new]
|
|
+ ([--mokx])
|
|
.br
|
|
\fBmokutil\fR [--list-delete]
|
|
+ ([--mokx])
|
|
.br
|
|
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s])
|
|
+ [--simple-hash | -s] | [--mokx])
|
|
.br
|
|
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s])
|
|
+ [--simple-hash | -s] | [--mokx])
|
|
.br
|
|
\fBmokutil\fR [--revoke-import]
|
|
+ ([--mokx])
|
|
.br
|
|
\fBmokutil\fR [--revoke-delete]
|
|
+ ([--mokx])
|
|
.br
|
|
\fBmokutil\fR [--export | -x]
|
|
.br
|
|
@@ -41,10 +46,16 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--reset]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s])
|
|
+ [--simple-hash | -s] | [--mok])
|
|
.br
|
|
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
|
|
.br
|
|
+\fBmokutil\fR [--ignore-db]
|
|
+.br
|
|
+\fBmokutil\fR [--use-db]
|
|
+.br
|
|
+\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
|
+.br
|
|
|
|
.SH DESCRIPTION
|
|
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
|
@@ -108,3 +119,16 @@ Use the root password hash from /etc/shadow
|
|
Use the old SHA256 password hash method to hash the password
|
|
.br
|
|
Note: --root-pw invalidates --simple-hash
|
|
+.TP
|
|
+\fB--ignore-db\fR
|
|
+Tell shim to not use the keys in db to verify EFI images
|
|
+.TP
|
|
+\fB--use-db\fR
|
|
+Tell shim to use the keys in db to verify EFI images (default)
|
|
+.TP
|
|
+\fB--mokx\fR
|
|
+Manipulate the MOK blacklist (MOKX) instead of the MOK list
|
|
+.TP
|
|
+\fB--set-verbosity\fR
|
|
+Set the SHIM_VERBOSE to make shim more or less verbose
|
|
+.TP
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index cd3b622..a1f1213 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -135,8 +135,8 @@ print_help ()
|
|
printf (" --generate-hash[=password]\t\tGenerate the password hash\n");
|
|
printf (" --ignore-db\t\t\t\tIgnore DB for validation\n");
|
|
printf (" --use-db\t\t\t\tUse DB for validation\n");
|
|
- printf (" --import-hash <hash>\t\t\tImport a hash\n");
|
|
- printf (" --delete-hash <hash>\t\t\tDelete a specific hash\n");
|
|
+ printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
|
+ printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
|
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From e2ea0acb875247d70626545d5f3837f2a422af2f Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 26 Nov 2013 12:40:57 +0800
|
|
Subject: [PATCH 15/20] Make the help less verbose
|
|
|
|
It's all in the manpage anyway.
|
|
---
|
|
src/mokutil.c | 14 --------------
|
|
1 file changed, 14 deletions(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index a1f1213..628df7d 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -141,23 +141,9 @@ print_help ()
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
- printf (" \t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t --reset, --import-hash,\n");
|
|
- printf (" \t\t and --delete-hash)\n");
|
|
printf (" --root-pw\t\t\t\tUse the root password\n");
|
|
- printf (" \t\t\t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t\t\t --reset, --import-hash,\n");
|
|
- printf (" \t\t\t\t and --delete-hash)\n");
|
|
printf (" --simple-hash\t\t\t\tUse the old password hash method\n");
|
|
- printf (" \t\t\t\t(For --import, --delete, --password,\n");
|
|
- printf (" \t\t\t\t --clear-password, --reset,\n");
|
|
- printf (" \t\t\t\t --import-hash, and --delete-hash)\n");
|
|
printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n");
|
|
- printf (" \t\t\t\t(For --list-enrolled, --list-new,\n");
|
|
- printf (" \t\t\t\t --list-delete, --import, --delete,\n");
|
|
- printf (" \t\t\t\t --revoke-import, --revoke-delete,\n");
|
|
- printf (" \t\t\t\t --import-hash, --delete-hash,\n");
|
|
- printf (" \t\t\t\t --reset, and --test-key)\n");
|
|
}
|
|
|
|
static int
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 72dd17981660747bc84b7ce643451110529ece38 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 26 Nov 2013 16:26:16 +0800
|
|
Subject: [PATCH 16/20] New options to list the firmware keys
|
|
|
|
---
|
|
man/mokutil.1 | 20 +++++++++++++
|
|
src/mokutil.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
|
|
2 files changed, 102 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index fa990e5..86846b4 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -56,6 +56,14 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
|
|
.br
|
|
+\fBmokutil\fR [--pk]
|
|
+.br
|
|
+\fBmokutil\fR [--kek]
|
|
+.br
|
|
+\fBmokutil\fR [--db]
|
|
+.br
|
|
+\fBmokutil\fR [--dbx]
|
|
+.br
|
|
|
|
.SH DESCRIPTION
|
|
\fBmokutil\fR is a tool to import or delete the machines owner keys
|
|
@@ -132,3 +140,15 @@ Manipulate the MOK blacklist (MOKX) instead of the MOK list
|
|
\fB--set-verbosity\fR
|
|
Set the SHIM_VERBOSE to make shim more or less verbose
|
|
.TP
|
|
+\fB--pk\fR
|
|
+List the keys in the public Platform Key (PK)
|
|
+.TP
|
|
+\fB--kek\fR
|
|
+List the keys in the Key Exchange Key Signature database (KEK)
|
|
+.TP
|
|
+\fB--db\fR
|
|
+List the keys in the secure boot signature store (db)
|
|
+.TP
|
|
+\fB--dbx\fR
|
|
+List the keys in the secure boot blacklist signature store (dbx)
|
|
+.TP
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 628df7d..6f5aec4 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -97,6 +97,15 @@ typedef enum {
|
|
ENROLL_BLACKLIST
|
|
} MokRequest;
|
|
|
|
+typedef enum {
|
|
+ MOK_LIST_RT = 0,
|
|
+ MOK_LIST_X_RT,
|
|
+ PK,
|
|
+ KEK,
|
|
+ DB,
|
|
+ DBX,
|
|
+} DBName;
|
|
+
|
|
typedef struct {
|
|
EFI_SIGNATURE_LIST *header;
|
|
uint32_t mok_size;
|
|
@@ -138,6 +147,10 @@ print_help ()
|
|
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
|
|
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
|
|
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
|
|
+ printf (" --pk\t\t\t\t\tList the keys in PK\n");
|
|
+ printf (" --kek\t\t\t\t\tList the keys in KEK\n");
|
|
+ printf (" --db\t\t\t\t\tList the keys in db\n");
|
|
+ printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
|
|
printf ("\n");
|
|
printf ("Supplimentary Options:\n");
|
|
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
|
|
@@ -523,7 +536,7 @@ done:
|
|
}
|
|
|
|
static int
|
|
-list_keys_in_var (const char *var_name)
|
|
+list_keys_in_var (const char *var_name, const efi_guid_t guid)
|
|
{
|
|
efi_variable_t var;
|
|
efi_status_t status;
|
|
@@ -531,7 +544,7 @@ list_keys_in_var (const char *var_name)
|
|
|
|
memset (&var, 0, sizeof(var));
|
|
var.VariableName = var_name;
|
|
- var.VendorGuid = SHIM_LOCK_GUID;
|
|
+ var.VendorGuid = guid;
|
|
|
|
status = read_variable (&var);
|
|
if (status != EFI_SUCCESS) {
|
|
@@ -1869,6 +1882,27 @@ set_verbosity (uint8_t verbosity)
|
|
return 0;
|
|
}
|
|
|
|
+static inline int
|
|
+list_db (DBName db_name)
|
|
+{
|
|
+ switch (db_name) {
|
|
+ case MOK_LIST_RT:
|
|
+ return list_keys_in_var ("MokListRT", SHIM_LOCK_GUID);
|
|
+ case MOK_LIST_X_RT:
|
|
+ return list_keys_in_var ("MokListXRT", SHIM_LOCK_GUID);
|
|
+ case PK:
|
|
+ return list_keys_in_var ("PK", EFI_GLOBAL_VARIABLE);
|
|
+ case KEK:
|
|
+ return list_keys_in_var ("KEK", EFI_GLOBAL_VARIABLE);
|
|
+ case DB:
|
|
+ return list_keys_in_var ("db", EFI_IMAGE_SECURITY_DATABASE_GUID);
|
|
+ case DBX:
|
|
+ return list_keys_in_var ("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID);
|
|
+ }
|
|
+
|
|
+ return -1;
|
|
+}
|
|
+
|
|
int
|
|
main (int argc, char *argv[])
|
|
{
|
|
@@ -1882,6 +1916,7 @@ main (int argc, char *argv[])
|
|
unsigned int command = 0;
|
|
int use_root_pw = 0;
|
|
uint8_t verbosity = 0;
|
|
+ DBName db_name = MOK_LIST_RT;
|
|
int ret = -1;
|
|
|
|
use_simple_hash = 0;
|
|
@@ -1914,6 +1949,10 @@ main (int argc, char *argv[])
|
|
{"import-hash", required_argument, 0, 0 },
|
|
{"delete-hash", required_argument, 0, 0 },
|
|
{"set-verbosity", required_argument, 0, 0 },
|
|
+ {"pk", no_argument, 0, 0 },
|
|
+ {"kek", no_argument, 0, 0 },
|
|
+ {"db", no_argument, 0, 0 },
|
|
+ {"dbx", no_argument, 0, 0 },
|
|
{0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -1950,7 +1989,12 @@ main (int argc, char *argv[])
|
|
} else if (strcmp (option, "use-db") == 0) {
|
|
command |= USE_DB;
|
|
} else if (strcmp (option, "mokx") == 0) {
|
|
- command |= MOKX;
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= MOKX;
|
|
+ db_name = MOK_LIST_X_RT;
|
|
+ }
|
|
} else if (strcmp (option, "import-hash") == 0) {
|
|
command |= IMPORT_HASH;
|
|
if (hash_str) {
|
|
@@ -1973,7 +2017,36 @@ main (int argc, char *argv[])
|
|
verbosity = 0;
|
|
else
|
|
command |= HELP;
|
|
+ } else if (strcmp (option, "pk") == 0) {
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= LIST_ENROLLED;
|
|
+ db_name = PK;
|
|
+ }
|
|
+ } else if (strcmp (option, "kek") == 0) {
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= LIST_ENROLLED;
|
|
+ db_name = KEK;
|
|
+ }
|
|
+ } else if (strcmp (option, "db") == 0) {
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= LIST_ENROLLED;
|
|
+ db_name = DB;
|
|
+ }
|
|
+ } else if (strcmp (option, "dbx") == 0) {
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= LIST_ENROLLED;
|
|
+ db_name = DBX;
|
|
+ }
|
|
}
|
|
+
|
|
break;
|
|
case 'd':
|
|
case 'i':
|
|
@@ -2071,13 +2144,14 @@ main (int argc, char *argv[])
|
|
|
|
switch (command) {
|
|
case LIST_ENROLLED:
|
|
- ret = list_keys_in_var ("MokListRT");
|
|
+ case LIST_ENROLLED | MOKX:
|
|
+ ret = list_db (db_name);
|
|
break;
|
|
case LIST_NEW:
|
|
- ret = list_keys_in_var ("MokNew");
|
|
+ ret = list_keys_in_var ("MokNew", SHIM_LOCK_GUID);
|
|
break;
|
|
case LIST_DELETE:
|
|
- ret = list_keys_in_var ("MokDel");
|
|
+ ret = list_keys_in_var ("MokDel", SHIM_LOCK_GUID);
|
|
break;
|
|
case IMPORT:
|
|
case IMPORT | SIMPLE_HASH:
|
|
@@ -2141,14 +2215,11 @@ main (int argc, char *argv[])
|
|
case USE_DB:
|
|
ret = enable_db ();
|
|
break;
|
|
- case LIST_ENROLLED | MOKX:
|
|
- ret = list_keys_in_var ("MokListXRT");
|
|
- break;
|
|
case LIST_NEW | MOKX:
|
|
- ret = list_keys_in_var ("MokXNew");
|
|
+ ret = list_keys_in_var ("MokXNew", SHIM_LOCK_GUID);
|
|
break;
|
|
case LIST_DELETE | MOKX:
|
|
- ret = list_keys_in_var ("MokXDel");
|
|
+ ret = list_keys_in_var ("MokXDel", SHIM_LOCK_GUID);
|
|
break;
|
|
case IMPORT | MOKX:
|
|
case IMPORT | SIMPLE_HASH | MOKX:
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 9820c083e2a9b605a59aae7bdf56992f63abf7b8 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 26 Nov 2013 16:49:14 +0800
|
|
Subject: [PATCH 17/20] Add more short options
|
|
|
|
---
|
|
man/mokutil.1 | 54 +++++++++++++++++++++++++++++-------------------------
|
|
src/mokutil.c | 42 +++++++++++++++++++++++-------------------
|
|
2 files changed, 52 insertions(+), 44 deletions(-)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index 86846b4..02b346f 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -4,28 +4,28 @@
|
|
mokutil \- utility to manipulate machine owner keys
|
|
|
|
.SH SYNOPSIS
|
|
-\fBmokutil\fR [--list-enrolled]
|
|
- ([--mokx])
|
|
+\fBmokutil\fR [--list-enrolled | -l]
|
|
+ ([--mokx | -X])
|
|
.br
|
|
-\fBmokutil\fR [--list-new]
|
|
- ([--mokx])
|
|
+\fBmokutil\fR [--list-new | -N]
|
|
+ ([--mokx | -X])
|
|
.br
|
|
-\fBmokutil\fR [--list-delete]
|
|
- ([--mokx])
|
|
+\fBmokutil\fR [--list-delete | -D]
|
|
+ ([--mokx | -X])
|
|
.br
|
|
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s] | [--mokx])
|
|
+ [--simple-hash | -s] | [--mokx | -X])
|
|
.br
|
|
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s] | [--mokx])
|
|
+ [--simple-hash | -s] | [--mokx |- X])
|
|
.br
|
|
\fBmokutil\fR [--revoke-import]
|
|
- ([--mokx])
|
|
+ ([--mokx | -X])
|
|
.br
|
|
\fBmokutil\fR [--revoke-delete]
|
|
- ([--mokx])
|
|
+ ([--mokx | -X])
|
|
.br
|
|
\fBmokutil\fR [--export | -x]
|
|
.br
|
|
@@ -42,11 +42,11 @@ mokutil \- utility to manipulate machine owner keys
|
|
.br
|
|
\fBmokutil\fR [--sb-state]
|
|
.br
|
|
-\fBmokutil\fR [--test-key | -t] ...
|
|
+\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
|
|
.br
|
|
\fBmokutil\fR [--reset]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
- [--simple-hash | -s] | [--mok])
|
|
+ [--simple-hash | -s] | [--mok | -X])
|
|
.br
|
|
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
|
|
.br
|
|
@@ -71,18 +71,22 @@ mokutil \- utility to manipulate machine owner keys
|
|
|
|
.SH OPTIONS
|
|
.TP
|
|
-\fB--list-enrolled\fR
|
|
+\fB-l, --list-enrolled\fR
|
|
List the keys the already stored in the database
|
|
.TP
|
|
-\fB--list-new\fR
|
|
+\fB-N, --list-new\fR
|
|
List the keys to be enrolled
|
|
.TP
|
|
-\fB--list-delete\fR
|
|
+\fB-D, --list-delete\fR
|
|
List the keys to be deleted
|
|
.TP
|
|
-\fB--import\fR
|
|
-Collect the followed files and form a request to shim. The files must be in DER
|
|
-format.
|
|
+\fB-i, --import\fR
|
|
+Collect the followed files and form a enrolling request to shim. The files must
|
|
+be in DER format.
|
|
+.TP
|
|
+\fB-d, --delete\fR
|
|
+Collect the followed files and form a deleting request to shim. The files must be
|
|
+in DER format.
|
|
.TP
|
|
\fB--revoke-import\fR
|
|
Revoke the current import request (MokNew)
|
|
@@ -90,13 +94,13 @@ Revoke the current import request (MokNew)
|
|
\fB--revoke-delete\fR
|
|
Revoke the current delete request (MokDel)
|
|
.TP
|
|
-\fB--export\fR
|
|
+\fB-x, --export\fR
|
|
Export the keys stored in MokListRT
|
|
.TP
|
|
-\fB--password\fR
|
|
+\fB-p, --password\fR
|
|
Setup the password for MokManager (MokPW)
|
|
.TP
|
|
-\fB--clear-password\fR
|
|
+\fB-c, --clear-password\fR
|
|
Clear the password for MokManager (MokPW)
|
|
.TP
|
|
\fB--disable-validation\fR
|
|
@@ -108,7 +112,7 @@ Enable the validation process in shim
|
|
\fB--sb-state\fR
|
|
Show SecureBoot State
|
|
.TP
|
|
-\fB--test-key\fR
|
|
+\fB-t, --test-key\fR
|
|
Test if the key is enrolled or not
|
|
.TP
|
|
\fB--reset\fR
|
|
@@ -120,10 +124,10 @@ Generate the password hash
|
|
\fB--hash-file\fR
|
|
Use the password hash from a specific file
|
|
.TP
|
|
-\fB--root-pw\fR
|
|
+\fB-P, --root-pw\fR
|
|
Use the root password hash from /etc/shadow
|
|
.TP
|
|
-\fB--simple-hash\fR
|
|
+\fB-s, --simple-hash\fR
|
|
Use the old SHA256 password hash method to hash the password
|
|
.br
|
|
Note: --root-pw invalidates --simple-hash
|
|
@@ -134,7 +138,7 @@ Tell shim to not use the keys in db to verify EFI images
|
|
\fB--use-db\fR
|
|
Tell shim to use the keys in db to verify EFI images (default)
|
|
.TP
|
|
-\fB--mokx\fR
|
|
+\fB-X, --mokx\fR
|
|
Manipulate the MOK blacklist (MOKX) instead of the MOK list
|
|
.TP
|
|
\fB--set-verbosity\fR
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 6f5aec4..6fe8ae2 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1924,9 +1924,9 @@ main (int argc, char *argv[])
|
|
while (1) {
|
|
static struct option long_options[] = {
|
|
{"help", no_argument, 0, 'h'},
|
|
- {"list-enrolled", no_argument, 0, 0 },
|
|
- {"list-new", no_argument, 0, 0 },
|
|
- {"list-delete", no_argument, 0, 0 },
|
|
+ {"list-enrolled", no_argument, 0, 'l'},
|
|
+ {"list-new", no_argument, 0, 'N'},
|
|
+ {"list-delete", no_argument, 0, 'D'},
|
|
{"import", required_argument, 0, 'i'},
|
|
{"delete", required_argument, 0, 'd'},
|
|
{"revoke-import", no_argument, 0, 0 },
|
|
@@ -1945,7 +1945,7 @@ main (int argc, char *argv[])
|
|
{"simple-hash", no_argument, 0, 's'},
|
|
{"ignore-db", no_argument, 0, 0 },
|
|
{"use-db", no_argument, 0, 0 },
|
|
- {"mokx", no_argument, 0, 0 },
|
|
+ {"mokx", no_argument, 0, 'X'},
|
|
{"import-hash", required_argument, 0, 0 },
|
|
{"delete-hash", required_argument, 0, 0 },
|
|
{"set-verbosity", required_argument, 0, 0 },
|
|
@@ -1957,7 +1957,7 @@ main (int argc, char *argv[])
|
|
};
|
|
|
|
int option_index = 0;
|
|
- c = getopt_long (argc, argv, "cd:f:g::hi:pst:xP",
|
|
+ c = getopt_long (argc, argv, "cd:f:g::hi:lpst:xDNPX",
|
|
long_options, &option_index);
|
|
|
|
if (c == -1)
|
|
@@ -1966,13 +1966,7 @@ main (int argc, char *argv[])
|
|
switch (c) {
|
|
case 0:
|
|
option = long_options[option_index].name;
|
|
- if (strcmp (option, "list-enrolled") == 0) {
|
|
- command |= LIST_ENROLLED;
|
|
- } else if (strcmp (option, "list-new") == 0) {
|
|
- command |= LIST_NEW;
|
|
- } else if (strcmp (option, "list-delete") == 0) {
|
|
- command |= LIST_DELETE;
|
|
- } else if (strcmp (option, "revoke-import") == 0) {
|
|
+ if (strcmp (option, "revoke-import") == 0) {
|
|
command |= REVOKE_IMPORT;
|
|
} else if (strcmp (option, "revoke-delete") == 0) {
|
|
command |= REVOKE_DELETE;
|
|
@@ -1988,13 +1982,6 @@ main (int argc, char *argv[])
|
|
command |= IGNORE_DB;
|
|
} else if (strcmp (option, "use-db") == 0) {
|
|
command |= USE_DB;
|
|
- } else if (strcmp (option, "mokx") == 0) {
|
|
- if (db_name != MOK_LIST_RT) {
|
|
- command |= HELP;
|
|
- } else {
|
|
- command |= MOKX;
|
|
- db_name = MOK_LIST_X_RT;
|
|
- }
|
|
} else if (strcmp (option, "import-hash") == 0) {
|
|
command |= IMPORT_HASH;
|
|
if (hash_str) {
|
|
@@ -2048,6 +2035,15 @@ main (int argc, char *argv[])
|
|
}
|
|
|
|
break;
|
|
+ case 'l':
|
|
+ command |= LIST_ENROLLED;
|
|
+ break;
|
|
+ case 'N':
|
|
+ command |= LIST_NEW;
|
|
+ break;
|
|
+ case 'D':
|
|
+ command |= LIST_DELETE;
|
|
+ break;
|
|
case 'd':
|
|
case 'i':
|
|
if (c == 'd')
|
|
@@ -2127,6 +2123,14 @@ main (int argc, char *argv[])
|
|
command |= SIMPLE_HASH;
|
|
use_simple_hash = 1;
|
|
break;
|
|
+ case 'X':
|
|
+ if (db_name != MOK_LIST_RT) {
|
|
+ command |= HELP;
|
|
+ } else {
|
|
+ command |= MOKX;
|
|
+ db_name = MOK_LIST_X_RT;
|
|
+ }
|
|
+ break;
|
|
case 'h':
|
|
case '?':
|
|
command |= HELP;
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From 0ff8112146c355c1bc4eec57cdeb0aed4cc4065c Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Tue, 26 Nov 2013 18:13:20 +0800
|
|
Subject: [PATCH 18/20] Catch the error from strdup()
|
|
|
|
---
|
|
src/mokutil.c | 23 ++++++++++++++++++++++-
|
|
1 file changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 6fe8ae2..27b9585 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1989,6 +1989,10 @@ main (int argc, char *argv[])
|
|
break;
|
|
}
|
|
hash_str = strdup (optarg);
|
|
+ if (hash_str == NULL) {
|
|
+ fprintf (stderr, "Could not allocate space: %m\n");
|
|
+ exit(1);
|
|
+ }
|
|
} else if (strcmp (option, "delete-hash") == 0) {
|
|
command |= DELETE_HASH;
|
|
if (hash_str) {
|
|
@@ -1996,6 +2000,10 @@ main (int argc, char *argv[])
|
|
break;
|
|
}
|
|
hash_str = strdup (optarg);
|
|
+ if (hash_str == NULL) {
|
|
+ fprintf (stderr, "Could not allocate space: %m\n");
|
|
+ exit(1);
|
|
+ }
|
|
} else if (strcmp (option, "set-verbosity") == 0) {
|
|
command |= VERBOSITY;
|
|
if (strcmp (optarg, "true") == 0)
|
|
@@ -2069,6 +2077,10 @@ main (int argc, char *argv[])
|
|
}
|
|
|
|
files = malloc (total * sizeof (char *));
|
|
+ if (files == NULL) {
|
|
+ fprintf (stderr, "Could not allocate space: %m\n");
|
|
+ exit(1);
|
|
+ }
|
|
for (i = 0; i < total; i++) {
|
|
f_ind = i + optind - 1;
|
|
files[i] = malloc (strlen(argv[f_ind]) + 1);
|
|
@@ -2082,6 +2094,10 @@ main (int argc, char *argv[])
|
|
break;
|
|
}
|
|
hash_file = strdup (optarg);
|
|
+ if (hash_file == NULL) {
|
|
+ fprintf (stderr, "Could not allocate space: %m\n");
|
|
+ exit(1);
|
|
+ }
|
|
|
|
break;
|
|
case 'g':
|
|
@@ -2089,8 +2105,13 @@ main (int argc, char *argv[])
|
|
command |= HELP;
|
|
break;
|
|
}
|
|
- if (optarg)
|
|
+ if (optarg) {
|
|
input_pw = strdup (optarg);
|
|
+ if (input_pw == NULL) {
|
|
+ fprintf (stderr, "Could not allocate space: %m\n");
|
|
+ exit(1);
|
|
+ }
|
|
+ }
|
|
|
|
command |= GENERATE_PW_HASH;
|
|
break;
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From f77d5e52b0318dbf8f92b2bd89aab0a3d5d77078 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 22 Jan 2014 13:46:24 +0800
|
|
Subject: [PATCH 19/20] Fix the test-key request check
|
|
|
|
---
|
|
src/mokutil.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/mokutil.c b/src/mokutil.c
|
|
index 27b9585..dbec25b 100644
|
|
--- a/src/mokutil.c
|
|
+++ b/src/mokutil.c
|
|
@@ -1776,7 +1776,7 @@ test_key (MokRequest req, const char *key_file)
|
|
goto error;
|
|
}
|
|
|
|
- if (!is_valid_request (EfiCertX509Guid, key, read_size, req)) {
|
|
+ if (is_valid_request (EfiCertX509Guid, key, read_size, req)) {
|
|
printf ("%s is not enrolled\n", key_file);
|
|
ret = 0;
|
|
} else {
|
|
--
|
|
1.8.4
|
|
|
|
|
|
From d921883b2f8ce4e9e9304af5d9b44aac1e701e51 Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
Date: Wed, 22 Jan 2014 13:51:36 +0800
|
|
Subject: [PATCH 20/20] Update manpage for --test-key
|
|
|
|
---
|
|
man/mokutil.1 | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/man/mokutil.1 b/man/mokutil.1
|
|
index 02b346f..ca9380d 100644
|
|
--- a/man/mokutil.1
|
|
+++ b/man/mokutil.1
|
|
@@ -43,6 +43,7 @@ mokutil \- utility to manipulate machine owner keys
|
|
\fBmokutil\fR [--sb-state]
|
|
.br
|
|
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
|
|
+ ([--mokx | -X])
|
|
.br
|
|
\fBmokutil\fR [--reset]
|
|
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
|
|
--
|
|
1.8.4
|
|
|