From 6c6317b4b471c68030d98830b0f7cf01d4a142e1 Mon Sep 17 00:00:00 2001 From: zyppe <210hcl@gmail.com> Date: Tue, 5 Mar 2024 16:45:04 +0800 Subject: [PATCH] Initialize for mokutil --- .gitignore | 1 + .mokutil.metadata | 1 + modhash | 149 ++++++++++++ mokutil-SBAT-revocation-update-support.patch | 178 +++++++++++++++ ...etting-fallback-verbosity-and-norebo.patch | 199 ++++++++++++++++ mokutil-fix-missing-header.patch | 28 +++ mokutil-remove-libkeyutils-check.patch | 44 ++++ mokutil.changes | 213 ++++++++++++++++++ mokutil.spec | 63 ++++++ 9 files changed, 876 insertions(+) create mode 100644 .gitignore create mode 100644 .mokutil.metadata create mode 100644 modhash create mode 100644 mokutil-SBAT-revocation-update-support.patch create mode 100644 mokutil-enable-setting-fallback-verbosity-and-norebo.patch create mode 100644 mokutil-fix-missing-header.patch create mode 100644 mokutil-remove-libkeyutils-check.patch create mode 100644 mokutil.changes create mode 100644 mokutil.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dda0f2b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +0.5.0.tar.gz diff --git a/.mokutil.metadata b/.mokutil.metadata new file mode 100644 index 0000000..4bca46f --- /dev/null +++ b/.mokutil.metadata @@ -0,0 +1 @@ +ff902673fc9fed23d957442d73250528b3069200b4155ea10ba30833735b6650 0.5.0.tar.gz diff --git a/modhash b/modhash new file mode 100644 index 0000000..fb92ea9 --- /dev/null +++ b/modhash 
@@ -0,0 +1,149 @@ +#!/usr/bin/perl +# +# Calculate the digest of the kernel module +# It will strip kernel modules signature before calculation. +# +# Based on modsign-verify, written by Michal Marek +# Authors: +# Gary Lin +# Joey Lee +# + +my $USAGE = "Usage: modhash [-v] [-q] [-d ] \n"; + +use strict; +use warnings; +use IPC::Open2; +use Getopt::Long; +use File::Temp qw(tempfile); + +my $verbose = 1; +my $dgst = "sha256"; +GetOptions( + "d=s" => \$dgst, + "q|quiet" => sub { $verbose-- if $verbose; }, + "v|verbose" => sub { $verbose++; }, + "h|help" => sub { + print $USAGE; + exit(0); + } +) or die($USAGE); + +sub _verbose { + my $level = shift; + + return if $verbose < $level; + print STDERR @_; +} + +sub info { _verbose(1, @_); } +sub verbose { _verbose(2, @_); } +sub debug { _verbose(3, @_); } + +if (@ARGV > 1) { + print STDERR "Excess arguments\n"; + die($USAGE); +} elsif (@ARGV < 1) { + print STDERR "No module supplied\n"; + die($USAGE); +} +my $module_name = shift(@ARGV); + +if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and + $dgst ne "sha384" and $dgst ne "sha512") { + die("unsupported algorithm: $dgst"); +} + +# +# Function to read the contents of a file into a variable. +# +sub read_file($) +{ + my ($file) = @_; + my $contents; + my $len; + + open(FD, "<$file") || die $file; + binmode FD; + my @st = stat(FD); + die $file if (!@st); + $len = read(FD, $contents, $st[7]) || die $file; + close(FD) || die $file; + die "$file: Wanted length ", $st[7], ", got ", $len, "\n" + if ($len != $st[7]); + return $contents; +} + +sub openssl_pipe($$) { + my ($input, $cmd) = @_; + my ($pid, $res); + + $pid = open2(*read_from, *write_to, $cmd) || die $cmd; + binmode write_to; + if (defined($input) && $input ne "") { + print write_to $input || die "$cmd: $!"; + } + close(write_to) || die "$cmd: $!"; + + binmode read_from; + read(read_from, $res, 4096) || die "$cmd: $!"; + close(read_from) || die "$cmd: $!"; + waitpid($pid, 0) || die; + die "$cmd died: $?" 
if ($? >> 8); + return $res; +} + +my $module = read_file($module_name); +my $module_len = length($module); +my $magic_number = "~Module signature appended~\n"; +my $magic_len = length($magic_number); +my $info_len = 12; + +if ($module_len < $magic_len) { + die "Module size too short\n"; +} + +sub eat +{ + my $length = shift; + if ($module_len < $length) { + die "Module size too short\n"; + } + my $res = substr($module, -$length); + $module = substr($module, 0, $module_len - $length); + $module_len -= $length; + return $res; +} + +if (substr($module, -$magic_len) eq $magic_number) { + $module = substr($module, 0, $module_len - $magic_len); + $module_len -= $magic_len; + my $info = eat($info_len); + my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) = + unpack("CCCCCxxxN", $info); + my $signature = eat($sig_len); + if ($id_type == 1) { + if (unpack("n", $signature) == $sig_len - 2) { + verbose ("signed module (X.509)\n"); + } else { + die "Invalid signature format\n"; + } + if ($algo != 1) { + die "Unsupported signature algorithm\n"; + } + $signature = substr($signature, 2); + my $key_id = eat($key_len); + my $name = eat($name_len); + } elsif ($id_type == 2) { + verbose ("signed module (PKCS#7)\n"); + } +} else { + verbose ("unsigned module\n"); +} + +verbose("Hash algorithm: $dgst\n"); + +my $digest = openssl_pipe($module, "openssl dgst -$dgst"); +$digest =~ s/\(stdin\)= //; + +print "$module_name: $digest" diff --git a/mokutil-SBAT-revocation-update-support.patch b/mokutil-SBAT-revocation-update-support.patch new file mode 100644 index 0000000..17c1791 --- /dev/null +++ b/mokutil-SBAT-revocation-update-support.patch 
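Review bot: `read_file` opens the module with the two-argument form `open(FD, "<$file") || die $file;` on a bareword handle, so a path such as `-` or one with leading/trailing whitespace is interpreted by `open` rather than opened literally, and the failure message drops `$!`; the three-argument form with a lexical handle takes the name as given. In `openssl_pipe`, `print write_to $input || die "$cmd: $!";` binds `||` to `$input`, so a failed write to the pipe is never reported — `print write_to $input or die "$cmd: $!";` restores the check. The `$dgst` whitelist above is what keeps the single-string `open2(..., "openssl dgst -$dgst")` safe; passing `'openssl', 'dgst', "-$dgst"` as a list would avoid the shell altogether. The rewritten `read_file` below keeps its interface, its length check and its failure behaviour on an empty file.
```perl
sub read_file($)
{
    my ($file) = @_;

    # Three-arg open: the filename is taken literally, never parsed for a mode or pipe.
    open(my $fd, '<', $file) or die "$file: $!";
    binmode $fd;
    my @st = stat($fd);
    die "$file: $!" if (!@st);
    my $contents;
    my $len = read($fd, $contents, $st[7]) or die "$file: $!";
    close($fd) or die "$file: $!";
    die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
        if ($len != $st[7]);
    return $contents;
}
```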
@@ -0,0 +1,178 @@ +From 6c9890730063ff759040cb570d0e620f855f83ef Mon Sep 17 00:00:00 2001 +From: Jan Setje-Eilers +Date: Thu, 21 Apr 2022 17:28:07 -0700 +Subject: [PATCH] SBAT revocation update support + +Control how shim will apply SBAT revocations: + + mokutil --set-sbat-policy latest + + applies the latest SBAT revocations + (default behavior) + + mokutil --set-sbat-policy previous + + applies previous SBAT revocations to + allow falling back to an older release + + In both of the above cases shim will only apply SBAT revocations that +are newer than the ones currently installed. + + mokutil --set-sbat-policy delete + + resets SBAT revocations only if Secure + Boot is disabled. This setting does not + persist. + +Signed-off-by: Jan Setje-Eilers +Signed-off-by: Lee, Chun-Yi +--- + man/mokutil.1 | 14 ++++++++++++-- + src/mokutil.c | 42 +++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 53 insertions(+), 3 deletions(-) + +Index: mokutil-0.5.0/man/mokutil.1 +=================================================================== +--- mokutil-0.5.0.orig/man/mokutil.1 ++++ mokutil-0.5.0/man/mokutil.1 +@@ -75,7 +75,9 @@ mokutil \- utility to manipulate machine + .br + \fBmokutil\fR [--dbx] + .br +-\fBmokutil\fR [--sbat] ++\fBmokutil\fR [--list-sbat-revocations] ++.br ++\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)] + .br + \fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR] + .br +@@ -180,9 +182,17 @@ List the keys in the secure boot signatu + \fB--dbx\fR + List the keys in the secure boot blacklist signature store (dbx) + .TP +-\fB--sbat\fR ++\fB--list-sbat-revocations\fR + List the entries in the Secure Boot Advanced Targeting store (SBAT) + .TP ++\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR ++Set the SbatPolicy UEFI Variable to have shim apply either the latest ++or the previous SBAT revocations. If UEFI Secure Boot is disabled, then ++delete will reset the SBAT revocations to an empty revocation list. 
++While latest and previous are persistent configuration, delete will be ++cleared by shim on the next boot whether or not it succeeds. The default ++behavior is for shim to apply the previous revocations. ++.TP + \fB--timeout\fR + Set the timeout for MOK prompt + .TP +Index: mokutil-0.5.0/src/mokutil.c +=================================================================== +--- mokutil-0.5.0.orig/src/mokutil.c ++++ mokutil-0.5.0/src/mokutil.c +@@ -85,6 +85,7 @@ + #define LIST_SBAT (1 << 24) + #define FB_VERBOSITY (1 << 25) + #define FB_NOREBOOT (1 << 26) ++#define SET_SBAT (1 << 27) + + #define DEFAULT_CRYPT_METHOD SHA512_BASED + #define DEFAULT_SALT_SIZE SHA512_SALT_MAX +@@ -131,12 +132,13 @@ print_help () + printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); + printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); + printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); ++ printf (" --set-sbat-policy \t\tApply Latest, Previous, or Blank SBAT revocations\n"); + printf (" --pk\t\t\t\t\tList the keys in PK\n"); + printf (" --kek\t\t\t\t\tList the keys in KEK\n"); + printf (" --db\t\t\t\t\tList the keys in db\n"); + printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); + printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); +- printf (" --sbat\t\t\t\tList the entries in SBAT\n"); ++ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n"); + printf ("\n"); + printf ("Supplimentary Options:\n"); + printf (" --hash-file \t\tUse the specific password hash\n"); +@@ -1737,6 +1739,26 @@ list_db (const DBName db_name) + return -1; + } + ++static int ++manage_sbat (const uint8_t sbat_policy) ++{ ++ if (sbat_policy) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "SbatPolicy", ++ (uint8_t *)&sbat_policy, ++ sizeof (sbat_policy), ++ attributes, S_IRUSR | S_IWUSR) < 
0) { ++ fprintf (stderr, "Failed to set SbatPolicy\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_mok_var ("SbatPolicy"); ++ } ++ return 0; ++} ++ + int + main (int argc, char *argv[]) + { +@@ -1753,6 +1775,7 @@ main (int argc, char *argv[]) + uint8_t verbosity = 0; + uint8_t fb_verbosity = 0; + uint8_t fb_noreboot = 0; ++ uint8_t sbat_policy = 0; + DBName db_name = MOK_LIST_RT; + int ret = -1; + int sb_check; +@@ -1795,10 +1818,12 @@ main (int argc, char *argv[]) + {"set-verbosity", required_argument, 0, 0 }, + {"set-fallback-verbosity", required_argument, 0, 0 }, + {"set-fallback-noreboot", required_argument, 0, 0 }, ++ {"set-sbat-policy", required_argument, 0, 0 }, + {"pk", no_argument, 0, 0 }, + {"kek", no_argument, 0, 0 }, + {"db", no_argument, 0, 0 }, + {"dbx", no_argument, 0, 0 }, ++ {"list-sbat-revocations", no_argument, 0, 0 }, + {"sbat", no_argument, 0, 0 }, + {"timeout", required_argument, 0, 0 }, + {"ca-check", no_argument, 0, 0 }, +@@ -1879,6 +1904,16 @@ main (int argc, char *argv[]) + fb_noreboot = 0; + else + command |= HELP; ++ } else if (strcmp (option, "set-sbat-policy") == 0) { ++ command |= SET_SBAT; ++ if (strcmp (optarg, "latest") == 0) ++ sbat_policy = 1; ++ else if (strcmp (optarg, "previous") == 0) ++ sbat_policy = 2; ++ else if (strcmp (optarg, "delete") == 0) ++ sbat_policy = 3; ++ else ++ command |= HELP; + } else if (strcmp (option, "pk") == 0) { + if (db_name != MOK_LIST_RT) { + command |= HELP; +@@ -1903,6 +1938,8 @@ main (int argc, char *argv[]) + } else { + db_name = DBX; + } ++ } else if (strcmp (option, "list-sbat-revocations") == 0) { ++ command |= LIST_SBAT; + } else if (strcmp (option, "sbat") == 0) { + command |= LIST_SBAT; + } else if (strcmp (option, "timeout") == 0) { +@@ -2177,6 +2214,9 @@ main (int argc, char *argv[]) + case LIST_SBAT: + ret = print_var_content ("SbatLevelRT", efi_guid_shim); + break; ++ case SET_SBAT: ++ ret = manage_sbat(sbat_policy); ++ break; + default: + print_help (); + break; 
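Review bot: In `manage_sbat` the `else` branch calling `test_and_delete_mok_var ("SbatPolicy")` looks unreachable from the visible call site: the option parser stores only 1, 2 or 3 in `sbat_policy` and `case SET_SBAT` is its only caller, so `delete` writes the value 3 rather than removing the variable (consistent with the man page text, which says shim clears it on the next boot). Either drop the dead branch or add a comment above it such as `/* A zero policy is never produced by the CLI; kept for callers that want to clear the variable. */` so it does not read as a removal path the tool actually takes. The man page addition also says "The default behavior is for shim to apply the previous revocations" while the commit message calls `latest` the default, and the `print_help` line offers "Latest, Previous, or Blank" where the accepted words are `latest`, `previous`, `delete` — the three should agree. Whether `HELP` takes precedence over `SET_SBAT` in the dispatch switch is outside the hunk.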
diff --git a/mokutil-enable-setting-fallback-verbosity-and-norebo.patch b/mokutil-enable-setting-fallback-verbosity-and-norebo.patch new file mode 100644 index 0000000..cfe5c91 --- /dev/null +++ b/mokutil-enable-setting-fallback-verbosity-and-norebo.patch 
@@ -0,0 +1,199 @@ +From 57bc385827e7c0e0c86f30bbfa2d48ca9505537e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Fri, 3 Dec 2021 14:18:31 +0100 +Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases +fallback debugging. + +Signed-off-by: Renaud Métrich +Signed-off-by: Lee, Chun-Yi +--- + data/mokutil | 8 ++++++ + man/mokutil.1 | 10 +++++++ + src/mokutil.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 90 insertions(+), 1 deletion(-) + +Index: mokutil-0.5.0/data/mokutil +=================================================================== +--- mokutil-0.5.0.orig/data/mokutil ++++ mokutil-0.5.0/data/mokutil +@@ -24,6 +24,14 @@ _mokutil() + COMPREPLY=( $( compgen -W "true false") ) + return 0 + ;; ++ --set-fallback-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --set-fallback-noreboot) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; + --generate-hash|-g) + COMPREPLY=( $( compgen -o nospace -P= -W "") ) + return 0 +Index: mokutil-0.5.0/man/mokutil.1 +=================================================================== +--- mokutil-0.5.0.orig/man/mokutil.1 ++++ mokutil-0.5.0/man/mokutil.1 +@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine + .br + \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] + .br ++\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] ++.br ++\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] ++.br + \fBmokutil\fR [--pk] + .br + \fBmokutil\fR [--kek] +@@ -158,6 +162,12 @@ this is not the password hash. 
+ \fB--set-verbosity\fR + Set the SHIM_VERBOSE to make shim more or less verbose + .TP ++\fB--set-fallback-verbosity\fR ++Set the FALLBACK_VERBOSE to make fallback more or less verbose ++.TP ++\fB--set-fallback-noreboot\fR ++Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system ++.TP + \fB--pk\fR + List the keys in the public Platform Key (PK) + .TP +Index: mokutil-0.5.0/src/mokutil.c +=================================================================== +--- mokutil-0.5.0.orig/src/mokutil.c ++++ mokutil-0.5.0/src/mokutil.c +@@ -83,6 +83,8 @@ + #define VERBOSITY (1 << 22) + #define TIMEOUT (1 << 23) + #define LIST_SBAT (1 << 24) ++#define FB_VERBOSITY (1 << 25) ++#define FB_NOREBOOT (1 << 26) + + #define DEFAULT_CRYPT_METHOD SHA512_BASED + #define DEFAULT_SALT_SIZE SHA512_SALT_MAX +@@ -127,6 +129,8 @@ print_help () + printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); + printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); + printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); ++ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); ++ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); + printf (" --pk\t\t\t\t\tList the keys in PK\n"); + printf (" --kek\t\t\t\t\tList the keys in KEK\n"); + printf (" --db\t\t\t\t\tList the keys in db\n"); +@@ -1672,6 +1676,46 @@ set_verbosity (const uint8_t verbosity) + return 0; + } + ++static int ++set_fallback_verbosity (const uint8_t verbosity) ++{ ++ if (verbosity) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", ++ (uint8_t *)&verbosity, sizeof (verbosity), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_mok_var ("FALLBACK_VERBOSE"); ++ } ++ ++ return 0; ++} ++ 
++static int ++set_fallback_noreboot (const uint8_t noreboot) ++{ ++ if (noreboot) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", ++ (uint8_t *)&noreboot, sizeof (noreboot), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_mok_var ("FB_NO_REBOOT"); ++ } ++ ++ return 0; ++} ++ + static inline int + list_db (const DBName db_name) + { +@@ -1707,6 +1751,8 @@ main (int argc, char *argv[]) + unsigned int command = 0; + int use_root_pw = 0; + uint8_t verbosity = 0; ++ uint8_t fb_verbosity = 0; ++ uint8_t fb_noreboot = 0; + DBName db_name = MOK_LIST_RT; + int ret = -1; + int sb_check; +@@ -1747,6 +1793,8 @@ main (int argc, char *argv[]) + {"import-hash", required_argument, 0, 0 }, + {"delete-hash", required_argument, 0, 0 }, + {"set-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-noreboot", required_argument, 0, 0 }, + {"pk", no_argument, 0, 0 }, + {"kek", no_argument, 0, 0 }, + {"db", no_argument, 0, 0 }, +@@ -1815,6 +1863,22 @@ main (int argc, char *argv[]) + verbosity = 0; + else + command |= HELP; ++ } else if (strcmp (option, "set-fallback-verbosity") == 0) { ++ command |= FB_VERBOSITY; ++ if (strcmp (optarg, "true") == 0) ++ fb_verbosity = 1; ++ else if (strcmp (optarg, "false") == 0) ++ fb_verbosity = 0; ++ else ++ command |= HELP; ++ } else if (strcmp (option, "set-fallback-noreboot") == 0) { ++ command |= FB_NOREBOOT; ++ if (strcmp (optarg, "true") == 0) ++ fb_noreboot = 1; ++ else if (strcmp (optarg, "false") == 0) ++ fb_noreboot = 0; ++ else ++ command |= HELP; + } else if (strcmp (option, "pk") == 0) { + if (db_name != MOK_LIST_RT) { + command |= HELP; +@@ -1978,7 +2042,8 @@ main (int argc, char *argv[]) + command |= LIST_ENROLLED; + + sb_check = !(command & HELP || 
command & TEST_KEY || +- command & VERBOSITY || command & TIMEOUT); ++ command & VERBOSITY || command & TIMEOUT || ++ command & FB_VERBOSITY || command & FB_NOREBOOT); + if (sb_check) { + /* Check whether the machine supports Secure Boot or not */ + int rc; +@@ -2100,6 +2165,12 @@ main (int argc, char *argv[]) + case VERBOSITY: + ret = set_verbosity (verbosity); + break; ++ case FB_VERBOSITY: ++ ret = set_fallback_verbosity (fb_verbosity); ++ break; ++ case FB_NOREBOOT: ++ ret = set_fallback_noreboot (fb_noreboot); ++ break; + case TIMEOUT: + ret = set_timeout (timeout); + break; diff --git a/mokutil-fix-missing-header.patch b/mokutil-fix-missing-header.patch new file mode 100644 index 0000000..5875e7d --- /dev/null +++ b/mokutil-fix-missing-header.patch @@ -0,0 +1,28 @@ +From b15e7c4d7a99f82edb68de1177198b17972682da Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 15 Jul 2021 14:41:56 +0800 +Subject: [PATCH] util: add the missing stdio.h + +The header, stdio.h, was missing when moving functions to util.c and +some compiler would complain implicit declaration. + +Signed-off-by: Gary Lin +--- + src/util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util.c b/src/util.c +index d875144..621869f 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -29,6 +29,7 @@ + * files in the program, then also delete it here. + */ + ++#include + #include + #include + +-- +2.31.1 + diff --git a/mokutil-remove-libkeyutils-check.patch b/mokutil-remove-libkeyutils-check.patch new file mode 100644 index 0000000..e7282a2 --- /dev/null +++ b/mokutil-remove-libkeyutils-check.patch 
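Review bot: `set_fallback_verbosity` and `set_fallback_noreboot` are the same function with the variable name and error string swapped, and the tail of `set_verbosity` visible at the top of the hunk suggests a third copy; a single helper taking the variable name keeps the attribute set and error handling in one place, as sketched below. The `sb_check` expression in the later hunk now carries six `||` terms; a mask such as `command & (HELP | TEST_KEY | VERBOSITY | TIMEOUT | FB_VERBOSITY | FB_NOREBOOT)` reads more easily and is harder to miss when the next flag-setting option is added. A short comment at the `fb_verbosity`/`fb_noreboot` declarations noting that the byte is written verbatim into the UEFI variable would also help.
```c
/* Write a one-byte shim/fallback flag, or delete the variable when value is 0. */
static int
set_shim_flag (const char *name, const uint8_t value)
{
	if (!value)
		return test_and_delete_mok_var (name);

	uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
			      | EFI_VARIABLE_BOOTSERVICE_ACCESS
			      | EFI_VARIABLE_RUNTIME_ACCESS;
	if (efi_set_variable (efi_guid_shim, name,
			      (uint8_t *)&value, sizeof (value),
			      attributes, S_IRUSR | S_IWUSR) < 0) {
		fprintf (stderr, "Failed to set %s\n", name);
		return -1;
	}
	return 0;
}

static int
set_fallback_verbosity (const uint8_t verbosity)
{
	return set_shim_flag ("FALLBACK_VERBOSE", verbosity);
}

static int
set_fallback_noreboot (const uint8_t noreboot)
{
	return set_shim_flag ("FB_NO_REBOOT", noreboot);
}
/* … unchanged: option table, option parsing, sb_check and dispatch … */
```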
@@ -0,0 +1,44 @@ +From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 16 Sep 2020 17:02:56 +0800 +Subject: [PATCH] Remove libkeyutils pkgconfig check + +keyutils didn't provide pkgconfig in 1.5.* + +Signed-off-by: Gary Lin +--- + configure.ac | 1 - + src/Makefile.am | 3 +-- + 2 files changed, 1 insertion(+), 3 deletions(-) + +Index: mokutil-0.5.0/configure.ac +=================================================================== +--- mokutil-0.5.0.orig/configure.ac ++++ mokutil-0.5.0/configure.ac +@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset]) + + PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) + PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) +-PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5]) + + AC_ARG_WITH([bash-completion-dir], + AS_HELP_STRING([--with-bash-completion-dir[=PATH]], +Index: mokutil-0.5.0/src/Makefile.am +=================================================================== +--- mokutil-0.5.0.orig/src/Makefile.am ++++ mokutil-0.5.0/src/Makefile.am +@@ -2,13 +2,12 @@ bin_PROGRAMS = mokutil + + mokutil_CFLAGS = $(OPENSSL_CFLAGS) \ + $(EFIVAR_CFLAGS) \ +- $(LIBKEYUTILS_CFLAGS) \ + $(WARNINGFLAGS_C) \ + -DVERSION="\"$(VERSION)\"" + + mokutil_LDADD = $(OPENSSL_LIBS) \ + $(EFIVAR_LIBS) \ +- $(LIBKEYUTILS_LIBS) \ ++ -lkeyutils \ + -lcrypt + + mokutil_SOURCES = signature.h \ diff --git a/mokutil.changes b/mokutil.changes new file mode 100644 index 0000000..5f5814a --- /dev/null +++ b/mokutil.changes 
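Review bot: Dropping `PKG_CHECK_MODULES(LIBKEYUTILS, ...)` from `configure.ac` removes the only configure-time check that keyutils is present, while `src/Makefile.am` now links `-lkeyutils` unconditionally, so a missing library surfaces as a link error rather than a configure failure. A plain library check keeps the early diagnostic without depending on the pkgconfig file that keyutils 1.5 lacks: `AC_CHECK_LIB([keyutils], [keyctl_search], [], [AC_MSG_ERROR([libkeyutils is required])])`. The spec's `BuildRequires: keyutils-devel` covers the package build, so this mainly affects people configuring from source.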
@@ -0,0 +1,213 @@ +* Thu May 5 2022 jlee@suse.com +- Add the following patches against bsc#1198458 + mokutil-enable-setting-fallback-verbosity-and-norebo.patch + mokutil-SBAT-revocation-update-support.patch +* Thu Jul 15 2021 glin@suse.com +- Update to 0.5.0 + + mokutil: delete key/hash from the reverse request + + efi_x509: fix an error handling in is_immediate_ca() + + efi_x509: fix certificates fingerprint calculation + + efi_x509: use EVP_Digest()* functions instead of the deprecated + SHA1_*() + + src/util.c: fix NULL pointer dereference in mok_get_variable + + mokutil: Read the SbatLevelRT variable to get the SBAT entries + + mokutil: add mok-variables parsing support + + mokutil: Add option to print the UEFI SBAT variable content + + mokutil: only check for Secure Boot support in options that + need it + + efi_x509: add the function to fetch SKID + + keyring: add the function to check kernel keyring + + mokutil: initialize data for efi_get_variable() + + mokutil: correct the data for efi_set_variable() in + set_password() + + mokutil: improve the readability of issue_mok_request() + + mokutil: drop the checks for PK and KEK + + mokutil: check the blocklists before enrolling a key + + mokutil: adjust the command bits + + mokutil: remove "--simple-hash" + + make CA check non-fatal + + mokutil: close file in the error path + + mokutil: do the CA check + + efi_x509: add the function to check immediate CA + + efi_x509: use d2i_X509() to create X509 handling + + mokutil: rename hash_file as pw_hash_file + + password-crypt: update the function names + + password-crypt: fix the types of several functions + + mokutil: fix the error message in sb_state() + + mokutil: move x509 functions to efi_x509.c + + mokutil: move the hash functions to efi_hash.c + + util: add functions for db_var_name and db_friendly_name + + Remove the SHA1 code from identify_hash_type() + + Map the UEFI variable names with a function + + Fix -Wcast-align warnings + + Fix 32 bit build + + Add 
--timeout to manpage and other corrections. + + mokutil.c: fix typo enrollement -> enrollment + + Avoid taking pointer to packed struct + + Fix name of --enable-validation in the description + + Remove shebang from bash-completion/mokutil +- Add mokutil-fix-missing-header.patch to fix the compilation error + due to the missing header +- Refresh mokutil-remove-libkeyutils-check.patch and only apply + it to openSUSE Leap 15.* +- Drop upstreamed patches: + + mokutil-remove-shebang-from-bash-completion-file.patch + + mokutil-bsc1173115-add-ca-and-keyring-checks.patch +- Drop mokutil-support-revoke-builtin-cert.patch since we don't use + the builtin cert prompt patch in shim anymore. +* Tue May 4 2021 dmueller@suse.com +- spec file cleanup +* Wed Sep 16 2020 glin@suse.com +- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add + options for CA and kernel keyring checks (bsc#1173115) + + Add new BuildRequires: keyutils-devel + + Add mokutil-remove-libkeyutils-check.patch to disable the + version check of libkeyutils +- Refresh mokutil-support-revoke-builtin-cert.patch +* Fri Aug 14 2020 glin@suse.com +- Update mokutil-support-revoke-builtin-cert.patch + + Add "--revoke-cert" to the man page +* Fri Dec 13 2019 normand@linux.vnet.ibm.com +- Add build for ppc64/ppc64le +* Tue May 28 2019 glin@suse.com +- Update to 0.4.0 + + Rename export_moks as export_db_keys + + Add support for exporting other keys + + add new --mok argument + + set list-enrolled command as default for some arguments + + Add more info to --sb-state: show when we're in SetupMode or + with shim validation disabled + + Correct help: --set-timeout is really --timeout + + generate_hash() / generate_pw_hash(): don't use strlen() for + strncpy bounds + + Add the type casting to silence the warning + + Add a way for mokutil to configure a timeout for MokManager's + prompt + + list_keys_in_var(): check errno correctly, not ret twice + + Fix typo in error message when the system lacks Secure Boot + support 
+ + Add bash completion file + + mokutil: be explicit about file modes in all cases + + Make all efi_guid_t const + + Don't allow sha1 on the mokutil command line + + Build with -fshort-wchar so toggle passwords work right + + Fix the 32bit signedness comparison + + Fix the potential buffer overflow +- Add mokutil-remove-shebang-from-bash-completion-file.patch to + remove shebang from bash-completion/mokutil +- Drop upstreamed patches + + mokutil-constify-efi-guid.patch + + mokutil-fix-overflow.patch + + mokutil-fshort-wchar.patch + + mokutil-set-efi-variable-file-mode.patch +- Refresh mokutil-support-revoke-builtin-cert.patch +- Install bash-completion/mokutil +* Thu Mar 21 2019 glin@suse.com +- Add modhash to calculate the hash of kernel module (SLE-5661) + + Also add openssl to Requires since the script needs it +* Fri Nov 23 2018 glin@suse.com +- Enable AArch64 build (bsc#1119769, fate#326541) +* Tue Mar 27 2018 kukuk@suse.de +- Use %%license instead of %%doc [bsc#1082318] +* Wed Jul 13 2016 glin@suse.com +- Patches for efivar 0.24 + + Add mokutil-set-efi-variable-file-mode.patch to set the file + mode explicitly. + + Add mokutil-constify-efi-guid.patch to make all efi_guild_t + variables const. + + Refresh mokutil-support-revoke-builtin-cert.patch for the + change of efi_set_variable() +* Tue Jun 30 2015 glin@suse.com +- Add mokutil-fshort-wchar.patch to make sure the UEFI strings are + UCS-2 encoding. 
+* Tue Nov 4 2014 glin@suse.com +- Update to 0.3.0 +- Add mokutil-fix-overflow.patch to fix the buffer overflow +- Drop upstreamed patches + + mokutil-upstream-fixes.patch + + mokutil-mokx-support.patch + + mokutil-check-corrupted-key-list.patch + + mokutil-check-secure-boot-support.patch + + mokutil-clean-request.patch + + mokutil-fix-hash-file-read.patch + + mokutil-fix-hash-list-size.patch + + mokutil-more-details-for-skipped-keys.patch + + mokutil-no-invalid-x509.patch +- Refresh mokutil-support-revoke-builtin-cert.patch +* Wed Apr 16 2014 glin@suse.com +- Add mokutil-fix-hash-file-read.patch to fix the error handling of + reading a hash file +* Thu Apr 10 2014 glin@suse.com +- Add mokutil-check-corrupted-key-list.patch to check whether the + key list is corrupted or not +- Add mokutil-no-invalid-x509.patch to avoid importing an invalid + x509 certificate +* Mon Mar 24 2014 glin@suse.com +- Add mokutil-more-details-for-skipped-keys.patch to show the + reason to skip the key +- Add mokutil-check-secure-boot-support.patch to check whether the + system supports Secure Boot or not +* Fri Feb 21 2014 glin@suse.com +- Add mokutil-support-revoke-builtin-cert.patch to add an option to + revoke the built-in certificate in shim +* Wed Feb 12 2014 glin@suse.com +- Add mokutil-fix-hash-list-size.patch to update the list size + after merging or deleting a hash +- Add mokutil-clean-request.patch to clean the request if all keys + are removed +* Wed Jan 22 2014 glin@suse.com +- Update mokutil-mokx-support.patch to fix the test-key request + check +* Thu Dec 5 2013 glin@suse.com +- Add mokutil-upstream-fixes.patch to include upstream fixes for + db signature check, gcc warnings, and error handling +- Add mokutil-mokx-support.patch to support the MOK blacklist + (FATE#316531) +* Thu Jul 25 2013 glin@suse.com +- Update to 0.2.0 + + Generate the password hash with crypt() by default instead of + the original sha256 password hash + + Add an option to import the root password hash 
+ + Amend error messages, help, and man page +- Drop upstreamed patches + + mokutil-lcrypt-ldflag.patch + + mokutil-probe-secure-boot-state.patch + + mokutil-allow-password-from-pipe.patch + + mokutil-bnc809703-check-pending-request.patch + + mokutil-support-delete-keys.patch + + mokutil-support-crypt-hash-methods.patch + + mokutil-update-man-page.patch + + mokutil-bnc809215-improve-wording.patch + + mokutil-support-new-pw-hash.patch + + mokutil-no-duplicate-keys-imported.patch +* Tue Apr 2 2013 glin@suse.com +- Add mokutil-bnc809215-improve-wording.patch to make the messages + understandable (bnc#809215) +- Add mokutil-bnc809703-check-pending-request.patch to remove the + key from the pending request if necessary (bnc#809703) +* Wed Jan 30 2013 glin@suse.com +- Merge patches for FATE#314506 + + Add mokutil-support-crypt-hash-methods.patch to support the + password hashes from /etc/shadow + + Add mokutil-update-man-page.patch to update man page for the + new added options +- Add mokutil-lcrypt-ldflag.patch to correct LDFLAGS +* Fri Jan 18 2013 glin@suse.com +- Update mokutil-support-new-pw-hash.patch to extend the password + hash format +* Wed Jan 16 2013 glin@suse.com +- Merge patches for FATE#314506 + + Add mokutil-support-delete-keys.patch to delete specific keys + + Add mokutil-support-new-pw-hash.patch to support the new + password format + + Add mokutil-allow-password-from-pipe.patch to allow the + password to be generated in a script and be sent through + pipeline +- Install COPYING +* Tue Dec 11 2012 glin@suse.com +- Add mokutil-probe-secure-boot-state.patch to probe the state of + secure boot +- Add mokutil-no-duplicate-keys-imported.patch to avoid importing + duplicate keys +* Wed Nov 7 2012 glin@suse.com +- Add new package mokutil-0.1.0 (FATE#314510) diff --git a/mokutil.spec b/mokutil.spec new file mode 100644 index 0000000..bc83c43 --- /dev/null +++ b/mokutil.spec 
@@ -0,0 +1,63 @@ +# +# spec file for package mokutil +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +Name: mokutil +Version: 0.5.0 +Release: 150400.3.3.1 +Summary: Tools for manipulating machine owner keys +License: GPL-3.0-only +Group: Productivity/Security +URL: https://github.com/lcp/mokutil +Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz +Source1: modhash +# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version +Patch1: mokutil-remove-libkeyutils-check.patch +# PATCH-FIX-UPSTREAM mokutil-fix-missing-header.patch glin@suse.com -- Fix the compilation error due to the missing header +Patch2: mokutil-fix-missing-header.patch +# PATCH-FIX-UPSTREAM bsc#1198458 jlee@suse.com +Patch3: mokutil-enable-setting-fallback-verbosity-and-norebo.patch +Patch4: mokutil-SBAT-revocation-update-support.patch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: efivar-devel >= 0.12 +BuildRequires: keyutils-devel >= 1.5.0 +BuildRequires: libopenssl-devel >= 0.9.8 +BuildRequires: pkgconfig +Requires: openssl +ExclusiveArch: x86_64 aarch64 ppc64le ppc64 + +%description +This program provides the means to enroll and erase the machine owner +keys (MOK) stored in the database of shim. + +%prep +%setup -q +%if 0%{?suse_version} <= 1500 +%patch1 -p1 +%endif +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + +%build +./autogen.sh +%configure +%make_build + +%install +%make_install +install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash + +%files +%license COPYING +%{_bindir}/mokutil +%{_bindir}/modhash +%{_mandir}/man?/* +%dir %{_datadir}/bash-completion/completions/ +%{_datadir}/bash-completion/completions/mokutil + +%changelog
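Review bot: `Patch4` has no `# PATCH-FIX-*` tag line of its own, and the comment above `Patch3` names only the bug id without the patch name or a description, so the `mokutil.changes` entry is the only place explaining what these two patches do. A tag per patch, e.g. `# PATCH-FIX-UPSTREAM mokutil-SBAT-revocation-update-support.patch bsc#1198458 jlee@suse.com -- Add --set-sbat-policy`, keeps the spec self-describing like `Patch1` and `Patch2`. The `%if 0%{?suse_version} <= 1500` guard around `%patch1` matches the changes entry limiting it to Leap 15.*, but a one-line comment giving the reason (the patch header says keyutils 1.5 shipped no pkgconfig file) would save the next maintainer a trip into the patch.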