Initialize for mokutil

This commit is contained in:
zyppe 2024-03-05 16:45:04 +08:00
commit 6c6317b4b4
9 changed files with 876 additions and 0 deletions

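--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+0.5.0.tar.gz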

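--- a/.mokutil.metadata
+++ b/.mokutil.metadata
@@ -0,0 +1 @@
+ff902673fc9fed23d957442d73250528b3069200b4155ea10ba30833735b6650 0.5.0.tar.gz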

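--- a/modhash
+++ b/modhash
+#!/usr/bin/perl
+#
+# Calculate the digest of the kernel module
+# It will strip kernel modules signature before calculation.
+#
+# Based on modsign-verify, written by Michal Marek
+# Authors:
+# Gary Lin <GLin@suse.com>
+# Joey Lee <JLee@suse.com>
+#
+my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";
+use strict;
+use warnings;
+use IPC::Open2;
+use Getopt::Long;
+use File::Temp qw(tempfile);
+my $verbose = 1;
+my $dgst = "sha256";
+GetOptions(
+"d=s" => \$dgst,
+"q|quiet" => sub { $verbose-- if $verbose; },
+"v|verbose" => sub { $verbose++; },
+"h|help" => sub {
+print $USAGE;
+exit(0);
+}
+) or die($USAGE);
+sub _verbose {
+my $level = shift;
+return if $verbose < $level;
+print STDERR @_;
+}
+sub info { _verbose(1, @_); }
+sub verbose { _verbose(2, @_); }
+sub debug { _verbose(3, @_); }
+if (@ARGV > 1) {
+print STDERR "Excess arguments\n";
+die($USAGE);
+} elsif (@ARGV < 1) {
+print STDERR "No module supplied\n";
+die($USAGE);
+}
+my $module_name = shift(@ARGV);
+if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and
+$dgst ne "sha384" and $dgst ne "sha512") {
+die("unsupported algorithm: $dgst");
+}
+#
+# Function to read the contents of a file into a variable.
+#
+sub read_file($)
+{
+my ($file) = @_;
+my $contents;
+my $len;
+open(FD, "<$file") || die $file;
+binmode FD;
+my @st = stat(FD);
+die $file if (!@st);
+$len = read(FD, $contents, $st[7]) || die $file;
+close(FD) || die $file;
+die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
+if ($len != $st[7]);
+return $contents;
+}
+sub openssl_pipe($$) {
+my ($input, $cmd) = @_;
+my ($pid, $res);
+$pid = open2(*read_from, *write_to, $cmd) || die $cmd;
+binmode write_to;
+if (defined($input) && $input ne "") {
+print write_to $input || die "$cmd: $!";
+}
+close(write_to) || die "$cmd: $!";
+binmode read_from;
+read(read_from, $res, 4096) || die "$cmd: $!";
+close(read_from) || die "$cmd: $!";
+waitpid($pid, 0) || die;
+die "$cmd died: $?" if ($? >> 8);
+return $res;
+}
+my $module = read_file($module_name);
+my $module_len = length($module);
+my $magic_number = "~Module signature appended~\n";
+my $magic_len = length($magic_number);
+my $info_len = 12;
+if ($module_len < $magic_len) {
+die "Module size too short\n";
+}
+sub eat
+{
+my $length = shift;
+if ($module_len < $length) {
+die "Module size too short\n";
+}
+my $res = substr($module, -$length);
+$module = substr($module, 0, $module_len - $length);
+$module_len -= $length;
+return $res;
+}
+if (substr($module, -$magic_len) eq $magic_number) {
+$module = substr($module, 0, $module_len - $magic_len);
+$module_len -= $magic_len;
+my $info = eat($info_len);
+my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
+unpack("CCCCCxxxN", $info);
+my $signature = eat($sig_len);
+if ($id_type == 1) {
+if (unpack("n", $signature) == $sig_len - 2) {
+verbose ("signed module (X.509)\n");
+} else {
+die "Invalid signature format\n";
+}
+if ($algo != 1) {
+die "Unsupported signature algorithm\n";
+}
+$signature = substr($signature, 2);
+my $key_id = eat($key_len);
+my $name = eat($name_len);
+} elsif ($id_type == 2) {
+verbose ("signed module (PKCS#7)\n");
+}
+} else {
+verbose ("unsigned module\n");
+}
+verbose("Hash algorithm: $dgst\n");
+my $digest = openssl_pipe($module, "openssl dgst -$dgst");
+$digest =~ s/\(stdin\)= //;
+print "$module_name: $digest"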
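Review bot: `read_file` opens the module with a two-argument `open` on a bareword handle, `open(FD, "<$file") || die $file;`, so a module path with trailing whitespace or the name `-` is reinterpreted by the open rather than taken literally, and the `die` drops `$!`; use `open(my $fd, '<', $file) or die "$file: $!";` and the lexical handle in the following `binmode`/`stat`/`read`/`close` calls. In `openssl_pipe`, `print write_to $input || die "$cmd: $!";` parses as `print write_to ($input || die ...)`, so a failed write to the openssl child is never detected — `print write_to $input or die "$cmd: $!";`. The `open2` call receives `"openssl dgst -$dgst"` as a single string, which is only safe because `$dgst` is checked against a fixed list earlier in the script; the list form `open2(*read_from, *write_to, 'openssl', 'dgst', "-$dgst")` keeps that property even if the check is later relaxed. The final `s/\(stdin\)= //` assumes openssl prints a bare `(stdin)= ` prefix; newer OpenSSL releases appear to put the algorithm name in front of it, which would leave that text in the printed digest — worth confirming on the target release.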


@ -0,0 +1,178 @@
From 6c9890730063ff759040cb570d0e620f855f83ef Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Thu, 21 Apr 2022 17:28:07 -0700
Subject: [PATCH] SBAT revocation update support
Control how shim will apply SBAT revocations:
mokutil --set-sbat-policy latest
applies the latest SBAT revocations
(default behavior)
mokutil --set-sbat-policy previous
applies previous SBAT revocations to
allow falling back to an older release
In both of the above cases shim will only apply SBAT revocations that
are newer than the ones currently installed.
mokutil --set-sbat-policy delete
resets SBAT revocations only if Secure
Boot is disabled. This setting does not
persist.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
man/mokutil.1 | 14 ++++++++++++--
src/mokutil.c | 42 +++++++++++++++++++++++++++++++++++++++++-
2 files changed, 53 insertions(+), 3 deletions(-)
Index: mokutil-0.5.0/man/mokutil.1
===================================================================
--- mokutil-0.5.0.orig/man/mokutil.1
+++ mokutil-0.5.0/man/mokutil.1
@@ -75,7 +75,9 @@ mokutil \- utility to manipulate machine
.br
\fBmokutil\fR [--dbx]
.br
-\fBmokutil\fR [--sbat]
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.br
\fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
.br
@@ -180,9 +182,17 @@ List the keys in the secure boot signatu
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
-\fB--sbat\fR
+\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP
\fB--timeout\fR
Set the timeout for MOK prompt
.TP
Index: mokutil-0.5.0/src/mokutil.c
===================================================================
--- mokutil-0.5.0.orig/src/mokutil.c
+++ mokutil-0.5.0/src/mokutil.c
@@ -85,6 +85,7 @@
#define LIST_SBAT (1 << 24)
#define FB_VERBOSITY (1 << 25)
#define FB_NOREBOOT (1 << 26)
+#define SET_SBAT (1 << 27)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -131,12 +132,13 @@ print_help ()
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
+ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
+ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1737,6 +1739,26 @@ list_db (const DBName db_name)
return -1;
}
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("SbatPolicy");
+ }
+ return 0;
+}
+
int
main (int argc, char *argv[])
{
@@ -1753,6 +1775,7 @@ main (int argc, char *argv[])
uint8_t verbosity = 0;
uint8_t fb_verbosity = 0;
uint8_t fb_noreboot = 0;
+ uint8_t sbat_policy = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
int sb_check;
@@ -1795,10 +1818,12 @@ main (int argc, char *argv[])
{"set-verbosity", required_argument, 0, 0 },
{"set-fallback-verbosity", required_argument, 0, 0 },
{"set-fallback-noreboot", required_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
{"dbx", no_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
{"sbat", no_argument, 0, 0 },
{"timeout", required_argument, 0, 0 },
{"ca-check", no_argument, 0, 0 },
@@ -1879,6 +1904,16 @@ main (int argc, char *argv[])
fb_noreboot = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -1903,6 +1938,8 @@ main (int argc, char *argv[])
} else {
db_name = DBX;
}
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
} else if (strcmp (option, "sbat") == 0) {
command |= LIST_SBAT;
} else if (strcmp (option, "timeout") == 0) {
@@ -2177,6 +2214,9 @@ main (int argc, char *argv[])
case LIST_SBAT:
ret = print_var_content ("SbatLevelRT", efi_guid_shim);
break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
default:
print_help ();
break;
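Review bot: The text added in the `man/mokutil.1` hunk says `The default behavior is for shim to apply the previous revocations.`, while the patch description above says `latest` is the default; one of the two is wrong, and since this setting decides which SBAT revocations shim enforces, the manual should state the actual default — `The default behavior is for shim to apply the latest revocations.` if the description is correct. In `manage_sbat`, the `else` branch that deletes `SbatPolicy` is only reached when `sbat_policy` is 0, but the option parser maps `delete` to 3 and any other value to HELP, so that branch looks unreachable from the command line; either drop it or add a comment such as `/* 0: remove the variable; not reachable via --set-sbat-policy */` naming the caller that is expected to pass 0. The enclosing `main` for the option-parsing and dispatch hunks starts and ends outside the hunks.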


@ -0,0 +1,199 @@
From 57bc385827e7c0e0c86f30bbfa2d48ca9505537e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Fri, 3 Dec 2021 14:18:31 +0100
Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
fallback debugging.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
data/mokutil | 8 ++++++
man/mokutil.1 | 10 +++++++
src/mokutil.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 90 insertions(+), 1 deletion(-)
Index: mokutil-0.5.0/data/mokutil
===================================================================
--- mokutil-0.5.0.orig/data/mokutil
+++ mokutil-0.5.0/data/mokutil
@@ -24,6 +24,14 @@ _mokutil()
COMPREPLY=( $( compgen -W "true false") )
return 0
;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
--generate-hash|-g)
COMPREPLY=( $( compgen -o nospace -P= -W "") )
return 0
Index: mokutil-0.5.0/man/mokutil.1
===================================================================
--- mokutil-0.5.0.orig/man/mokutil.1
+++ mokutil-0.5.0/man/mokutil.1
@@ -63,6 +63,10 @@ mokutil \- utility to manipulate machine
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
@@ -158,6 +162,12 @@ this is not the password hash.
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP
Index: mokutil-0.5.0/src/mokutil.c
===================================================================
--- mokutil-0.5.0.orig/src/mokutil.c
+++ mokutil-0.5.0/src/mokutil.c
@@ -83,6 +83,8 @@
#define VERBOSITY (1 << 22)
#define TIMEOUT (1 << 23)
#define LIST_SBAT (1 << 24)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -127,6 +129,8 @@ print_help ()
printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
printf (" --pk\t\t\t\t\tList the keys in PK\n");
printf (" --kek\t\t\t\t\tList the keys in KEK\n");
printf (" --db\t\t\t\t\tList the keys in db\n");
@@ -1672,6 +1676,46 @@ set_verbosity (const uint8_t verbosity)
return 0;
}
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
static inline int
list_db (const DBName db_name)
{
@@ -1707,6 +1751,8 @@ main (int argc, char *argv[])
unsigned int command = 0;
int use_root_pw = 0;
uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
DBName db_name = MOK_LIST_RT;
int ret = -1;
int sb_check;
@@ -1747,6 +1793,8 @@ main (int argc, char *argv[])
{"import-hash", required_argument, 0, 0 },
{"delete-hash", required_argument, 0, 0 },
{"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
{"pk", no_argument, 0, 0 },
{"kek", no_argument, 0, 0 },
{"db", no_argument, 0, 0 },
@@ -1815,6 +1863,22 @@ main (int argc, char *argv[])
verbosity = 0;
else
command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
} else if (strcmp (option, "pk") == 0) {
if (db_name != MOK_LIST_RT) {
command |= HELP;
@@ -1978,7 +2042,8 @@ main (int argc, char *argv[])
command |= LIST_ENROLLED;
sb_check = !(command & HELP || command & TEST_KEY ||
- command & VERBOSITY || command & TIMEOUT);
+ command & VERBOSITY || command & TIMEOUT ||
+ command & FB_VERBOSITY || command & FB_NOREBOOT);
if (sb_check) {
/* Check whether the machine supports Secure Boot or not */
int rc;
@@ -2100,6 +2165,12 @@ main (int argc, char *argv[])
case VERBOSITY:
ret = set_verbosity (verbosity);
break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
case TIMEOUT:
ret = set_timeout (timeout);
break;


@ -0,0 +1,28 @@
From b15e7c4d7a99f82edb68de1177198b17972682da Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 15 Jul 2021 14:41:56 +0800
Subject: [PATCH] util: add the missing stdio.h
The header, stdio.h, was missing when moving functions to util.c and
some compiler would complain implicit declaration.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/util.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util.c b/src/util.c
index d875144..621869f 100644
--- a/src/util.c
+++ b/src/util.c
@@ -29,6 +29,7 @@
* files in the program, then also delete it here.
*/
+#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
--
2.31.1


@ -0,0 +1,44 @@
From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 16 Sep 2020 17:02:56 +0800
Subject: [PATCH] Remove libkeyutils pkgconfig check
keyutils didn't provide pkgconfig in 1.5.*
Signed-off-by: Gary Lin <glin@suse.com>
---
configure.ac | 1 -
src/Makefile.am | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)
Index: mokutil-0.5.0/configure.ac
===================================================================
--- mokutil-0.5.0.orig/configure.ac
+++ mokutil-0.5.0/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
-PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])
AC_ARG_WITH([bash-completion-dir],
AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
Index: mokutil-0.5.0/src/Makefile.am
===================================================================
--- mokutil-0.5.0.orig/src/Makefile.am
+++ mokutil-0.5.0/src/Makefile.am
@@ -2,13 +2,12 @@ bin_PROGRAMS = mokutil
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
$(EFIVAR_CFLAGS) \
- $(LIBKEYUTILS_CFLAGS) \
$(WARNINGFLAGS_C) \
-DVERSION="\"$(VERSION)\""
mokutil_LDADD = $(OPENSSL_LIBS) \
$(EFIVAR_LIBS) \
- $(LIBKEYUTILS_LIBS) \
+ -lkeyutils \
-lcrypt
mokutil_SOURCES = signature.h \

mokutil.changes Normal file

@ -0,0 +1,213 @@
* Thu May 5 2022 jlee@suse.com
- Add the following patches against bsc#1198458
mokutil-enable-setting-fallback-verbosity-and-norebo.patch
mokutil-SBAT-revocation-update-support.patch
* Thu Jul 15 2021 glin@suse.com
- Update to 0.5.0
+ mokutil: delete key/hash from the reverse request
+ efi_x509: fix an error handling in is_immediate_ca()
+ efi_x509: fix certificates fingerprint calculation
+ efi_x509: use EVP_Digest()* functions instead of the deprecated
SHA1_*()
+ src/util.c: fix NULL pointer dereference in mok_get_variable
+ mokutil: Read the SbatLevelRT variable to get the SBAT entries
+ mokutil: add mok-variables parsing support
+ mokutil: Add option to print the UEFI SBAT variable content
+ mokutil: only check for Secure Boot support in options that
need it
+ efi_x509: add the function to fetch SKID
+ keyring: add the function to check kernel keyring
+ mokutil: initialize data for efi_get_variable()
+ mokutil: correct the data for efi_set_variable() in
set_password()
+ mokutil: improve the readability of issue_mok_request()
+ mokutil: drop the checks for PK and KEK
+ mokutil: check the blocklists before enrolling a key
+ mokutil: adjust the command bits
+ mokutil: remove "--simple-hash"
+ make CA check non-fatal
+ mokutil: close file in the error path
+ mokutil: do the CA check
+ efi_x509: add the function to check immediate CA
+ efi_x509: use d2i_X509() to create X509 handling
+ mokutil: rename hash_file as pw_hash_file
+ password-crypt: update the function names
+ password-crypt: fix the types of several functions
+ mokutil: fix the error message in sb_state()
+ mokutil: move x509 functions to efi_x509.c
+ mokutil: move the hash functions to efi_hash.c
+ util: add functions for db_var_name and db_friendly_name
+ Remove the SHA1 code from identify_hash_type()
+ Map the UEFI variable names with a function
+ Fix -Wcast-align warnings
+ Fix 32 bit build
+ Add --timeout to manpage and other corrections.
+ mokutil.c: fix typo enrollement -> enrollment
+ Avoid taking pointer to packed struct
+ Fix name of --enable-validation in the description
+ Remove shebang from bash-completion/mokutil
- Add mokutil-fix-missing-header.patch to fix the compilation error
due to the missing header
- Refresh mokutil-remove-libkeyutils-check.patch and only apply
it to openSUSE Leap 15.*
- Drop upstreamed patches:
+ mokutil-remove-shebang-from-bash-completion-file.patch
+ mokutil-bsc1173115-add-ca-and-keyring-checks.patch
- Drop mokutil-support-revoke-builtin-cert.patch since we don't use
the builtin cert prompt patch in shim anymore.
* Tue May 4 2021 dmueller@suse.com
- spec file cleanup
* Wed Sep 16 2020 glin@suse.com
- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add
options for CA and kernel keyring checks (bsc#1173115)
+ Add new BuildRequires: keyutils-devel
+ Add mokutil-remove-libkeyutils-check.patch to disable the
version check of libkeyutils
- Refresh mokutil-support-revoke-builtin-cert.patch
* Fri Aug 14 2020 glin@suse.com
- Update mokutil-support-revoke-builtin-cert.patch
+ Add "--revoke-cert" to the man page
* Fri Dec 13 2019 normand@linux.vnet.ibm.com
- Add build for ppc64/ppc64le
* Tue May 28 2019 glin@suse.com
- Update to 0.4.0
+ Rename export_moks as export_db_keys
+ Add support for exporting other keys
+ add new --mok argument
+ set list-enrolled command as default for some arguments
+ Add more info to --sb-state: show when we're in SetupMode or
with shim validation disabled
+ Correct help: --set-timeout is really --timeout
+ generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
+ Add the type casting to silence the warning
+ Add a way for mokutil to configure a timeout for MokManager's
prompt
+ list_keys_in_var(): check errno correctly, not ret twice
+ Fix typo in error message when the system lacks Secure Boot
support
+ Add bash completion file
+ mokutil: be explicit about file modes in all cases
+ Make all efi_guid_t const
+ Don't allow sha1 on the mokutil command line
+ Build with -fshort-wchar so toggle passwords work right
+ Fix the 32bit signedness comparison
+ Fix the potential buffer overflow
- Add mokutil-remove-shebang-from-bash-completion-file.patch to
remove shebang from bash-completion/mokutil
- Drop upstreamed patches
+ mokutil-constify-efi-guid.patch
+ mokutil-fix-overflow.patch
+ mokutil-fshort-wchar.patch
+ mokutil-set-efi-variable-file-mode.patch
- Refresh mokutil-support-revoke-builtin-cert.patch
- Install bash-completion/mokutil
* Thu Mar 21 2019 glin@suse.com
- Add modhash to calculate the hash of kernel module (SLE-5661)
+ Also add openssl to Requires since the script needs it
* Fri Nov 23 2018 glin@suse.com
- Enable AArch64 build (bsc#1119769, fate#326541)
* Tue Mar 27 2018 kukuk@suse.de
- Use %%license instead of %%doc [bsc#1082318]
* Wed Jul 13 2016 glin@suse.com
- Patches for efivar 0.24
+ Add mokutil-set-efi-variable-file-mode.patch to set the file
mode explicitly.
+ Add mokutil-constify-efi-guid.patch to make all efi_guild_t
variables const.
+ Refresh mokutil-support-revoke-builtin-cert.patch for the
change of efi_set_variable()
* Tue Jun 30 2015 glin@suse.com
- Add mokutil-fshort-wchar.patch to make sure the UEFI strings are
UCS-2 encoding.
* Tue Nov 4 2014 glin@suse.com
- Update to 0.3.0
- Add mokutil-fix-overflow.patch to fix the buffer overflow
- Drop upstreamed patches
+ mokutil-upstream-fixes.patch
+ mokutil-mokx-support.patch
+ mokutil-check-corrupted-key-list.patch
+ mokutil-check-secure-boot-support.patch
+ mokutil-clean-request.patch
+ mokutil-fix-hash-file-read.patch
+ mokutil-fix-hash-list-size.patch
+ mokutil-more-details-for-skipped-keys.patch
+ mokutil-no-invalid-x509.patch
- Refresh mokutil-support-revoke-builtin-cert.patch
* Wed Apr 16 2014 glin@suse.com
- Add mokutil-fix-hash-file-read.patch to fix the error handling of
reading a hash file
* Thu Apr 10 2014 glin@suse.com
- Add mokutil-check-corrupted-key-list.patch to check whether the
key list is corrupted or not
- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
x509 certificate
* Mon Mar 24 2014 glin@suse.com
- Add mokutil-more-details-for-skipped-keys.patch to show the
reason to skip the key
- Add mokutil-check-secure-boot-support.patch to check whether the
system supports Secure Boot or not
* Fri Feb 21 2014 glin@suse.com
- Add mokutil-support-revoke-builtin-cert.patch to add an option to
revoke the built-in certificate in shim
* Wed Feb 12 2014 glin@suse.com
- Add mokutil-fix-hash-list-size.patch to update the list size
after merging or deleting a hash
- Add mokutil-clean-request.patch to clean the request if all keys
are removed
* Wed Jan 22 2014 glin@suse.com
- Update mokutil-mokx-support.patch to fix the test-key request
check
* Thu Dec 5 2013 glin@suse.com
- Add mokutil-upstream-fixes.patch to include upstream fixes for
db signature check, gcc warnings, and error handling
- Add mokutil-mokx-support.patch to support the MOK blacklist
(FATE#316531)
* Thu Jul 25 2013 glin@suse.com
- Update to 0.2.0
+ Generate the password hash with crypt() by default instead of
the original sha256 password hash
+ Add an option to import the root password hash
+ Amend error messages, help, and man page
- Drop upstreamed patches
+ mokutil-lcrypt-ldflag.patch
+ mokutil-probe-secure-boot-state.patch
+ mokutil-allow-password-from-pipe.patch
+ mokutil-bnc809703-check-pending-request.patch
+ mokutil-support-delete-keys.patch
+ mokutil-support-crypt-hash-methods.patch
+ mokutil-update-man-page.patch
+ mokutil-bnc809215-improve-wording.patch
+ mokutil-support-new-pw-hash.patch
+ mokutil-no-duplicate-keys-imported.patch
* Tue Apr 2 2013 glin@suse.com
- Add mokutil-bnc809215-improve-wording.patch to make the messages
understandable (bnc#809215)
- Add mokutil-bnc809703-check-pending-request.patch to remove the
key from the pending request if necessary (bnc#809703)
* Wed Jan 30 2013 glin@suse.com
- Merge patches for FATE#314506
+ Add mokutil-support-crypt-hash-methods.patch to support the
password hashes from /etc/shadow
+ Add mokutil-update-man-page.patch to update man page for the
new added options
- Add mokutil-lcrypt-ldflag.patch to correct LDFLAGS
* Fri Jan 18 2013 glin@suse.com
- Update mokutil-support-new-pw-hash.patch to extend the password
hash format
* Wed Jan 16 2013 glin@suse.com
- Merge patches for FATE#314506
+ Add mokutil-support-delete-keys.patch to delete specific keys
+ Add mokutil-support-new-pw-hash.patch to support the new
password format
+ Add mokutil-allow-password-from-pipe.patch to allow the
password to be generated in a script and be sent through
pipeline
- Install COPYING
* Tue Dec 11 2012 glin@suse.com
- Add mokutil-probe-secure-boot-state.patch to probe the state of
secure boot
- Add mokutil-no-duplicate-keys-imported.patch to avoid importing
duplicate keys
* Wed Nov 7 2012 glin@suse.com
- Add new package mokutil-0.1.0 (FATE#314510)

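--- a/mokutil.spec
+++ b/mokutil.spec
+#
+# spec file for package mokutil
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+Name: mokutil
+Version: 0.5.0
+Release: 150400.3.3.1
+Summary: Tools for manipulating machine owner keys
+License: GPL-3.0-only
+Group: Productivity/Security
+URL: https://github.com/lcp/mokutil
+Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
+Source1: modhash
+# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version
+Patch1: mokutil-remove-libkeyutils-check.patch
+# PATCH-FIX-UPSTREAM mokutil-fix-missing-header.patch glin@suse.com -- Fix the compilation error due to the missing header
+Patch2: mokutil-fix-missing-header.patch
+# PATCH-FIX-UPSTREAM bsc#1198458 jlee@suse.com
+Patch3: mokutil-enable-setting-fallback-verbosity-and-norebo.patch
+Patch4: mokutil-SBAT-revocation-update-support.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: efivar-devel >= 0.12
+BuildRequires: keyutils-devel >= 1.5.0
+BuildRequires: libopenssl-devel >= 0.9.8
+BuildRequires: pkgconfig
+Requires: openssl
+ExclusiveArch: x86_64 aarch64 ppc64le ppc64
+%description
+This program provides the means to enroll and erase the machine owner
+keys (MOK) stored in the database of shim.
+%prep
+%setup -q
+%if 0%{?suse_version} <= 1500
+%patch1 -p1
+%endif
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%build
+./autogen.sh
+%configure
+%make_build
+%install
+%make_install
+install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash
+%files
+%license COPYING
+%{_bindir}/mokutil
+%{_bindir}/modhash
+%{_mandir}/man?/*
+%dir %{_datadir}/bash-completion/completions/
+%{_datadir}/bash-completion/completions/mokutil
+%changelog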