Hello community,

here is the log from the commit of package mokutil for openSUSE:Factory checked 
in at 2014-02-25 07:33:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mokutil (Old)
 and      /work/SRC/openSUSE:Factory/.mokutil.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mokutil"

Changes:
--------
--- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes  2014-02-13 
15:01:57.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.mokutil.new/mokutil.changes     2014-02-25 
07:33:41.000000000 +0100
@@ -1,0 +2,6 @@
+Fri Feb 21 10:10:15 UTC 2014 - [email protected]
+
+- Add mokutil-support-revoke-builtin-cert.patch to add an option to
+  revoke the built-in certificate in shim
+
+-------------------------------------------------------------------

New:
----
  mokutil-support-revoke-builtin-cert.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mokutil.spec ++++++
--- /var/tmp/diff_new_pack.U3huTO/_old  2014-02-25 07:33:42.000000000 +0100
+++ /var/tmp/diff_new_pack.U3huTO/_new  2014-02-25 07:33:42.000000000 +0100
@@ -32,6 +32,8 @@
 Patch3:         mokutil-fix-hash-list-size.patch
 # PATCH-FIX-UPSTREAM mokutil-clean-request.patch [email protected] -- Clear the 
request if all keys are removed
 Patch4:         mokutil-clean-request.patch
+# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch [email protected] 
-- Add an option to revoke the built-in certificate
+Patch100:       mokutil-support-revoke-builtin-cert.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libopenssl-devel >= 0.9.8
@@ -55,6 +57,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch100 -p1
 
 %build
 %configure

++++++ mokutil-support-revoke-builtin-cert.patch ++++++
>From 0ebfada39e35d3366dfce45158a33f7624907d1f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <[email protected]>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH] Add the option to revoke the built-in certificate

This is an openSUSE-only patch.

This commit adds an option that creates the ClearVerify variable,
containing the password hash, to tell MokManager to offer the choice
of revoking the built-in certificate.
---
 src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/src/mokutil.c b/src/mokutil.c
index 1c32313..14adae7 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 
0x10, 0xdd, 0x8b,
 #define IMPORT_HASH        (1 << 21)
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
+#define REVOKE_CERT        (1 << 24)
 
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -151,6 +152,7 @@ print_help ()
        printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
        printf ("  --db\t\t\t\t\tList the keys in db\n");
        printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
+       printf ("  --revoke-cert\t\t\t\tRevoke the built-in certificate in 
shim\n");
        printf ("\n");
        printf ("Supplimentary Options:\n");
        printf ("  --hash-file <hash file>\t\tUse the specific password 
hash\n");
@@ -1903,6 +1905,79 @@ set_verbosity (uint8_t verbosity)
        return 0;
 }
 
+static int
+revoke_builtin_cert (void)
+{
+       efi_variable_t var;
+       pw_crypt_t pw_crypt;
+       uint8_t auth[SHA256_DIGEST_LENGTH];
+       char *password = NULL;
+       int pw_len;
+       int auth_ret;
+       int ret = -1;
+
+       /* Check use_openSUSE_cert */
+       memset (&var, 0, sizeof(var));
+       var.VariableName = "use_openSUSE_cert";
+       var.VendorGuid = SHIM_LOCK_GUID;
+
+       if (read_variable (&var) != EFI_SUCCESS)
+               return 0;
+
+       if ((uint8_t)*var.Data != 1) {
+               free (var.Data);
+               fprintf (stderr, "The built-in certificate is already 
revoked.\n");
+               return 0;
+       }
+       free (var.Data);
+
+       memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+       memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+       if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+               fprintf (stderr, "Abort\n");
+               goto error;
+       }
+
+       if (!use_simple_hash) {
+               pw_crypt.method = DEFAULT_CRYPT_METHOD;
+               auth_ret = generate_hash (&pw_crypt, password, pw_len);
+       } else {
+               auth_ret = generate_auth (NULL, 0, password, pw_len,
+                                         auth);
+       }
+       if (auth_ret < 0) {
+               fprintf (stderr, "Couldn't generate hash\n");
+               goto error;
+       }
+
+       if (!use_simple_hash) {
+               var.Data = (void *)&pw_crypt;
+               var.DataSize = PASSWORD_CRYPT_SIZE;
+       } else {
+               var.Data = (void *)auth;
+               var.DataSize = SHA256_DIGEST_LENGTH;
+       }
+       var.VariableName = "ClearVerify";
+
+       var.VendorGuid = SHIM_LOCK_GUID;
+       var.Attributes = EFI_VARIABLE_NON_VOLATILE
+                        | EFI_VARIABLE_BOOTSERVICE_ACCESS
+                        | EFI_VARIABLE_RUNTIME_ACCESS;
+
+       if (edit_protected_variable (&var) != EFI_SUCCESS) {
+               fprintf (stderr, "Failed to write ClearVerify\n");
+               goto error;
+       }
+
+       ret = 0;
+error:
+       if (password)
+               free (password);
+
+       return ret;
+}
+
 static inline int
 list_db (DBName db_name)
 {
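Review bot: `(uint8_t)*var.Data != 1` in the use_openSUSE_cert check dereferences the returned buffer without checking `var.DataSize`, so an empty or malformed variable reads a byte the function does not own; guard it with `if (var.DataSize < 1 || (uint8_t)*var.Data != 1)` before treating the value as "already revoked". The plaintext `password` is released with a plain `free` at the error label, leaving the secret in heap memory after the call; clear it first with `memset (password, 0, pw_len);` (a compiler may elide a memset placed right before free, so a volatile-based clearing helper is preferable if the file has one). A failing `read_variable` also returns 0 with no message, so a read error is indistinguishable from success in the caller's exit status; printing a diagnostic there, or returning -1, would make the outcome visible. revoke_builtin_cert is fully visible in the hunk.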
@@ -1974,6 +2049,7 @@ main (int argc, char *argv[])
                        {"kek",                no_argument,       0, 0  },
                        {"db",                 no_argument,       0, 0  },
                        {"dbx",                no_argument,       0, 0  },
+                       {"revoke-cert",        no_argument,       0, 0  },
                        {0, 0, 0, 0}
                };
 
@@ -2061,6 +2137,8 @@ main (int argc, char *argv[])
                                        command |= LIST_ENROLLED;
                                        db_name = DBX;
                                }
+                       } else if (strcmp (option, "revoke-cert") == 0) {
+                               command |= REVOKE_CERT;
                        }
 
                        break;
@@ -2303,6 +2381,10 @@ main (int argc, char *argv[])
                case VERBOSITY:
                        ret = set_verbosity (verbosity);
                        break;
+               case REVOKE_CERT:
+               case REVOKE_CERT | SIMPLE_HASH:
+                       ret = revoke_builtin_cert ();
+                       break;
                default:
                        print_help ();
                        break;
-- 
1.8.4.5
