Hello community,

here is the log from the commit of package mokutil.14549 for 
openSUSE:Leap:15.2:Update checked in at 2020-10-18 06:22:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/mokutil.14549 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mokutil.14549"

Sun Oct 18 06:22:26 2020 rev:1 rq:841826 version:0.4.0

Changes:
--------
New Changes file:

--- /dev/null   2020-10-12 00:46:48.009358834 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486/mokutil.changes 2020-10-18 06:22:29.396430239 +0200
@@ -0,0 +1,220 @@
+-------------------------------------------------------------------
+Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add
+  options for CA and kernel keyring checks (bsc#1173115)
+  + Add new BuildRequires: keyutils-devel
+  + Add mokutil-remove-libkeyutils-check.patch to disable the
+    version check of libkeyutils
+- Refresh mokutil-support-revoke-builtin-cert.patch
+
+-------------------------------------------------------------------
+Fri Dec 13 10:38:44 UTC 2019 - Michel Normand <norm...@linux.vnet.ibm.com>
+
+- Add build for ppc64/ppc64le
+
+-------------------------------------------------------------------
+Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update to 0.4.0
+  + Rename export_moks as export_db_keys
+  + Add support for exporting other keys
+  + add new --mok argument
+  + set list-enrolled command as default for some arguments
+  + Add more info to --sb-state: show when we're in SetupMode or
+    with shim validation disabled
+  + Correct help: --set-timeout is really --timeout
+  + generate_hash() / generate_pw_hash(): don't use strlen() for
+    strncpy bounds
+  + Add the type casting to silence the warning
+  + Add a way for mokutil to configure a timeout for MokManager's
+    prompt
+  + list_keys_in_var(): check errno correctly, not ret twice
+  + Fix typo in error message when the system lacks Secure Boot
+    support
+  + Add bash completion file
+  + mokutil: be explicit about file modes in all cases
+  + Make all efi_guid_t const
+  + Don't allow sha1 on the mokutil command line
+  + Build with -fshort-wchar so toggle passwords work right
+  + Fix the 32bit signedness comparison
+  + Fix the potential buffer overflow
+- Add mokutil-remove-shebang-from-bash-completion-file.patch to
+  remove shebang from bash-completion/mokutil
+- Drop upstreamed patches
+  + mokutil-constify-efi-guid.patch
+  + mokutil-fix-overflow.patch
+  + mokutil-fshort-wchar.patch
+  + mokutil-set-efi-variable-file-mode.patch
+- Refresh mokutil-support-revoke-builtin-cert.patch
+- Install bash-completion/mokutil
+
+-------------------------------------------------------------------
+Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add modhash to calculate the hash of kernel module (SLE-5661)
+  + Also add openssl to Requires since the script needs it
+
+-------------------------------------------------------------------
+Fri Nov 23 08:58:24 UTC 2018 - g...@suse.com
+
+- Enable AArch64 build (bsc#1119769, fate#326541)
+
+-------------------------------------------------------------------
+Tue Mar 27 09:54:10 CEST 2018 - ku...@suse.de
+
+- Use %license instead of %doc [bsc#1082318]
+
+-------------------------------------------------------------------
+Wed Jul 13 04:52:23 UTC 2016 - g...@suse.com
+
+- Patches for efivar 0.24
+  + Add mokutil-set-efi-variable-file-mode.patch to set the file
+    mode explicitly.
+  + Add mokutil-constify-efi-guid.patch to make all efi_guild_t
+    variables const.
+  + Refresh mokutil-support-revoke-builtin-cert.patch for the
+    change of efi_set_variable()
+
+-------------------------------------------------------------------
+Tue Jun 30 08:43:45 UTC 2015 - g...@suse.com
+
+- Add mokutil-fshort-wchar.patch to make sure the UEFI strings are
+  UCS-2 encoding.
+
+-------------------------------------------------------------------
+Tue Nov  4 07:52:54 UTC 2014 - g...@suse.com
+
+- Update to 0.3.0
+- Add mokutil-fix-overflow.patch to fix the buffer overflow
+- Drop upstreamed patches
+  + mokutil-upstream-fixes.patch
+  + mokutil-mokx-support.patch
+  + mokutil-check-corrupted-key-list.patch
+  + mokutil-check-secure-boot-support.patch
+  + mokutil-clean-request.patch
+  + mokutil-fix-hash-file-read.patch
+  + mokutil-fix-hash-list-size.patch
+  + mokutil-more-details-for-skipped-keys.patch
+  + mokutil-no-invalid-x509.patch
+- Refresh mokutil-support-revoke-builtin-cert.patch
+
+-------------------------------------------------------------------
+Wed Apr 16 04:11:50 UTC 2014 - g...@suse.com
+
+- Add mokutil-fix-hash-file-read.patch to fix the error handling of
+  reading a hash file
+
+-------------------------------------------------------------------
+Thu Apr 10 04:44:22 UTC 2014 - g...@suse.com
+
+- Add mokutil-check-corrupted-key-list.patch to check whether the
+  key list is corrupted or not
+- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
+  x509 certificate
+
+-------------------------------------------------------------------
+Mon Mar 24 07:37:39 UTC 2014 - g...@suse.com
+
+- Add mokutil-more-details-for-skipped-keys.patch to show the
+  reason to skip the key
+- Add mokutil-check-secure-boot-support.patch to check whether the
+  system supports Secure Boot or not
+
+-------------------------------------------------------------------
+Fri Feb 21 10:10:15 UTC 2014 - g...@suse.com
+
+- Add mokutil-support-revoke-builtin-cert.patch to add an option to
+  revoke the built-in certificate in shim
+
+-------------------------------------------------------------------
+Wed Feb 12 10:06:31 UTC 2014 - g...@suse.com
+
+- Add mokutil-fix-hash-list-size.patch to update the list size
+  after merging or deleting a hash
+- Add mokutil-clean-request.patch to clean the request if all keys
+  are removed
+
+-------------------------------------------------------------------
+Wed Jan 22 05:55:45 UTC 2014 - g...@suse.com
+
+- Update mokutil-mokx-support.patch to fix the test-key request
+  check
+
+-------------------------------------------------------------------
+Thu Dec  5 02:11:40 UTC 2013 - g...@suse.com
+
+- Add mokutil-upstream-fixes.patch to include upstream fixes for
+  db signature check, gcc warnings, and error handling
+- Add mokutil-mokx-support.patch to support the MOK blacklist
+  (FATE#316531)
+
+-------------------------------------------------------------------
+Thu Jul 25 09:13:44 UTC 2013 - g...@suse.com
+
+- Update to 0.2.0
+  + Generate the password hash with crypt() by default instead of
+    the original sha256 password hash
+  + Add an option to import the root password hash
+  + Amend error messages, help, and man page
+- Drop upstreamed patches
+  + mokutil-lcrypt-ldflag.patch
+  + mokutil-probe-secure-boot-state.patch
+  + mokutil-allow-password-from-pipe.patch
+  + mokutil-bnc809703-check-pending-request.patch
+  + mokutil-support-delete-keys.patch
+  + mokutil-support-crypt-hash-methods.patch
+  + mokutil-update-man-page.patch
+  + mokutil-bnc809215-improve-wording.patch
+  + mokutil-support-new-pw-hash.patch
+  + mokutil-no-duplicate-keys-imported.patch
+
+-------------------------------------------------------------------
+Tue Apr  2 04:43:59 UTC 2013 - g...@suse.com
+
+- Add mokutil-bnc809215-improve-wording.patch to make the messages
+  understandable (bnc#809215)
+- Add mokutil-bnc809703-check-pending-request.patch to remove the
+  key from the pending request if necessary (bnc#809703)
+
+-------------------------------------------------------------------
+Wed Jan 30 08:00:22 UTC 2013 - g...@suse.com
+
+- Merge patches for FATE#314506
+  + Add mokutil-support-crypt-hash-methods.patch to support the
+    password hashes from /etc/shadow
+  + Add mokutil-update-man-page.patch to update man page for the
+    new added options
+- Add mokutil-lcrypt-ldflag.patch to correct LDFLAGS
+
+-------------------------------------------------------------------
+Fri Jan 18 10:05:27 UTC 2013 - g...@suse.com
+
+- Update mokutil-support-new-pw-hash.patch to extend the password
+  hash format
+
+-------------------------------------------------------------------
+Wed Jan 16 08:41:15 UTC 2013 - g...@suse.com
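Review bot: the Sep 16 2020 entry names mokutil-bsc1173115-add-ca-and-keyring-checks.patch but not the options it introduces; the long_options hunk of mokutil-support-revoke-builtin-cert.patch shows them as `--ca-check` and `--ignore-keyring`, so list them in the entry (e.g. "+ Add --ca-check and --ignore-keyring options") so that anyone grepping the changelog for a flag lands on the bug number.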
++++ 23 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486/mokutil.changes

New:
----
  0.4.0.tar.gz
  modhash
  mokutil-bsc1173115-add-ca-and-keyring-checks.patch
  mokutil-remove-libkeyutils-check.patch
  mokutil-remove-shebang-from-bash-completion-file.patch
  mokutil-support-revoke-builtin-cert.patch
  mokutil.changes
  mokutil.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mokutil.spec ++++++
#
# spec file for package mokutil
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           mokutil
Version:        0.4.0
Release:        0
Summary:        Tools for manipulating machine owner keys
License:        GPL-3.0-only
Group:          Productivity/Security
Url:            https://github.com/lcp/mokutil
Source:         https://github.com/lcp/%{name}/archive/%{version}.tar.gz
Source1:        modhash
# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch g...@suse.com -- Remove shebang from bash-completion/mokutil
Patch1:         mokutil-remove-shebang-from-bash-completion-file.patch
# PATCH-FIX-UPSTREAM mokutil-bsc1173115-add-ca-and-keyring-checks.patch bsc#1173115 g...@suse.com -- Add options for CA and kernel keyring checks
Patch2:         mokutil-bsc1173115-add-ca-and-keyring-checks.patch
# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch g...@suse.com -- Disable the check of libkeyutils version
Patch3:         mokutil-remove-libkeyutils-check.patch
Patch100:       mokutil-support-revoke-builtin-cert.patch
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  efivar-devel >= 0.12
BuildRequires:  libopenssl-devel >= 0.9.8
BuildRequires:  keyutils-devel >= 1.5.0
BuildRequires:  pkg-config
Requires:       openssl
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
ExclusiveArch:  x86_64 aarch64 ppc64le ppc64

%description
This program provides the means to enroll and erase the machine owner
keys (MOK) stored in the database of shim.



Authors:
--------
    Gary Lin <g...@suse.com>

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch100 -p1

%build
./autogen.sh
%configure
make

%install
%makeinstall
install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%files
%defattr(-,root,root)
%license COPYING
%{_bindir}/mokutil
%{_bindir}/modhash
%{_mandir}/man?/*
%dir %{_datadir}/bash-completion/completions/
%{_datadir}/bash-completion/completions/mokutil

%changelog
++++++ modhash ++++++
#!/usr/bin/perl
# 
# Calculate the digest of the kernel module
# It will strip kernel modules signature before calculation.
# 
# Based on modsign-verify, written by Michal Marek
# Authors:
#       Gary Lin <g...@suse.com>
#       Joey Lee <j...@suse.com>
#

my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";

use strict;
use warnings;
use IPC::Open2;
use Getopt::Long;
use File::Temp qw(tempfile);

my $verbose = 1;
my $dgst = "sha256";
GetOptions(
        "d=s" => \$dgst,
        "q|quiet" => sub { $verbose-- if $verbose; },
        "v|verbose" => sub { $verbose++; },
        "h|help" => sub {
                print $USAGE;
                exit(0);
        }
) or die($USAGE);

sub _verbose {
        my $level = shift;

        return if $verbose < $level;
        print STDERR @_;
}

sub info    { _verbose(1, @_); }
sub verbose { _verbose(2, @_); }
sub debug   { _verbose(3, @_); }

if (@ARGV > 1) {
        print STDERR "Excess arguments\n";
        die($USAGE);
} elsif (@ARGV < 1) {
        print STDERR "No module supplied\n";
        die($USAGE);
}
my $module_name = shift(@ARGV);

if ($dgst ne "sha"    and $dgst ne "sha1"   and $dgst ne "sha256" and
    $dgst ne "sha384" and $dgst ne "sha512") {
        die("unsupported algorithm: $dgst");
}

#
# Read the whole file into a scalar, in binary mode.
#
sub read_file
{
        my ($file) = @_;
        my $contents = "";

        open(my $fd, '<', $file) or die "$file: $!\n";
        binmode $fd;
        my @st = stat($fd) or die "$file: $!\n";
        my $want = $st[7];
        # read() returns 0 for an empty file, which is not an error,
        # so test for undef rather than for a false value.
        my $len = read($fd, $contents, $want);
        die "$file: $!\n" unless defined $len;
        close($fd) or die "$file: $!\n";
        die "$file: Wanted length $want, got $len\n" if ($len != $want);
        return $contents;
}

#
# Feed $input to an external command and return its standard output.
# $cmd is a single string run through the shell, so it must contain
# only trusted values ($dgst is validated against an allowlist above).
#
sub openssl_pipe
{
        my ($input, $cmd) = @_;
        my ($pid, $res);

        $pid = open2(my $read_from, my $write_to, $cmd);
        binmode $write_to;
        if (defined($input) && $input ne "") {
                # "or" binds looser than the argument list, unlike "||"
                print {$write_to} $input or die "$cmd: $!";
        }
        close($write_to) or die "$cmd: $!";

        binmode $read_from;
        read($read_from, $res, 4096) or die "$cmd: $!";
        close($read_from) or die "$cmd: $!";
        waitpid($pid, 0) == $pid or die "waitpid: $!";
        die "$cmd died: $?" if ($? != 0);
        return $res;
}

my $module = read_file($module_name);
my $module_len = length($module);
my $magic_number = "~Module signature appended~\n";
my $magic_len = length($magic_number);
my $info_len = 12;

if ($module_len < $magic_len) {
        die "Module size too short\n";
}

#
# Remove and return the last $length bytes of the module.
#
sub eat
{
        my $length = shift;
        # substr($module, -0) would return the whole module, so handle
        # zero-length fields (e.g. the signer name of a PKCS#7 module)
        # explicitly.
        return "" if ($length == 0);
        if ($module_len < $length) {
                die "Module size too short\n";
        }
        my $res = substr($module, -$length);
        $module = substr($module, 0, $module_len - $length);
        $module_len -= $length;
        return $res;
}

if (substr($module, -$magic_len) eq $magic_number) {
        $module = substr($module, 0, $module_len - $magic_len);
        $module_len -= $magic_len;
        # The 12-byte info block in front of the magic string: algo,
        # hash, id_type, signer name length, key id length, 3 padding
        # bytes and the big-endian signature length.
        my $info = eat($info_len);
        my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
                unpack("CCCCCxxxN", $info);
        my $signature = eat($sig_len);
        if ($id_type == 1) {
                # X.509: the signature carries a 16-bit length prefix
                if (unpack("n", $signature) == $sig_len - 2) {
                        verbose ("signed module (X.509)\n");
                } else {
                        die "Invalid signature format\n";
                }
                if ($algo != 1) {
                        die "Unsupported signature algorithm\n";
                }
                $signature = substr($signature, 2);
                my $key_id = eat($key_len);
                my $name = eat($name_len);
        } elsif ($id_type == 2) {
                # PKCS#7: signer and key id live inside the blob, so
                # there is nothing more to strip.
                verbose ("signed module (PKCS#7)\n");
        } else {
                die "Unsupported signature type: $id_type\n";
        }
} else {
        verbose ("unsigned module\n");
}

verbose("Hash algorithm: $dgst\n");

my $digest = openssl_pipe($module, "openssl dgst -$dgst");
# Keep only the hex digest: older OpenSSL prints "(stdin)= <hex>",
# newer releases prefix the algorithm name as well.
$digest =~ s/^.*\(stdin\)= //;

print "$module_name: $digest";
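The trailer that modhash strips, shown from the other side as an added example that is not part of the mokutil package or of the modhash script: the Python below constructs fake modules in memory with the same 12-byte info block and magic string the script unpacks with "CCCCCxxxN", appends an X.509-style or a PKCS#7-style trailer, then strips it and hashes the payload the way modhash does. The payload, the signature bytes and the signer/key-id strings are constructed sample data; the PKEY_ID_X509, PKEY_ID_PKCS7 and PKEY_ALGO_RSA names are assumed labels for the numeric id_type and algo values (1, 2 and 1) the script tests against.

```python
"""Build and strip the "~Module signature appended~" trailer.

Added example, not code from mokutil or modhash: it constructs fake
modules in memory, appends the 12-byte info block and magic string
that modhash parses, then strips the trailer and digests the payload.
"""
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
INFO_FMT = ">BBBBB3xI"               # same fields as modhash's "CCCCCxxxN"
INFO_LEN = struct.calcsize(INFO_FMT)  # 12 bytes

PKEY_ID_X509 = 1      # assumed names for the id_type/algo values
PKEY_ID_PKCS7 = 2     # that modhash compares against
PKEY_ALGO_RSA = 1


def append_signature(payload, signature, id_type, signer=b"", key_id=b""):
    """Append a signature trailer to a module image.

    X.509 (id_type 1): signer name, key id, then the signature prefixed
    with its 16-bit big-endian length, which is what modhash checks
    with unpack("n", ...) against sig_len - 2.
    PKCS#7 (id_type 2): signer and key id live inside the blob, so the
    corresponding lengths are 0.
    """
    if id_type == PKEY_ID_X509:
        sig = struct.pack(">H", len(signature)) + signature
        algo = PKEY_ALGO_RSA
    elif id_type == PKEY_ID_PKCS7:
        sig = signature
        signer = key_id = b""
        algo = 0
    else:
        raise ValueError(f"unsupported id_type {id_type}")
    info = struct.pack(INFO_FMT, algo, 0, id_type, len(signer), len(key_id),
                       len(sig))
    return payload + signer + key_id + sig + info + MAGIC


def strip_signature(module):
    """Return (payload, kind) where kind names the trailer that was found.

    Mirrors modhash: check the magic, unpack the info block, remove
    sig_len bytes and, for X.509, the key id and signer name.  Every
    length is checked against what is left, so a forged sig_len cannot
    make the slice run past the start of the buffer.
    """
    if not module.endswith(MAGIC):
        return module, "unsigned"
    body = module[:-len(MAGIC)]

    def eat(n):
        nonlocal body
        if n > len(body):
            raise ValueError("module size too short")
        chunk, body = body[len(body) - n:], body[:len(body) - n]
        return chunk

    algo, _hash, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        INFO_FMT, eat(INFO_LEN))
    sig = eat(sig_len)
    if id_type == PKEY_ID_X509:
        if sig_len < 2 or struct.unpack(">H", sig[:2])[0] != sig_len - 2:
            raise ValueError("invalid signature format")
        if algo != PKEY_ALGO_RSA:
            raise ValueError("unsupported signature algorithm")
        eat(key_id_len)
        eat(signer_len)
        return body, "X.509"
    if id_type == PKEY_ID_PKCS7:
        return body, "PKCS#7"
    raise ValueError(f"unsupported signature type {id_type}")


def module_digest(module, algo="sha256"):
    """Hex digest of the module with any signature trailer removed."""
    if algo not in ("sha1", "sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported algorithm: {algo}")
    payload, _kind = strip_signature(module)
    return hashlib.new(algo, payload).hexdigest()


if __name__ == "__main__":
    # Constructed sample: a tiny fake module and a fake signature blob.
    payload = b"\x7fELF fake kernel module body\n"
    fake_sig = bytes(range(64))
    variants = (
        ("unsigned", payload),
        ("X.509", append_signature(payload, fake_sig, PKEY_ID_X509,
                                   signer=b"Build key", key_id=b"\x01\x02")),
        ("PKCS#7", append_signature(payload, fake_sig, PKEY_ID_PKCS7)),
    )
    for kind, mod in variants:
        print(f"{kind:8s} {module_digest(mod)}")
```

Running the file prints the digest of each variant; all three are identical because the trailer is removed before hashing, which is the property the enrolled hash relies on. A forged sig_len larger than the remaining buffer raises ValueError instead of slicing past the start, the same condition modhash reports as "Module size too short".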
++++++ mokutil-bsc1173115-add-ca-and-keyring-checks.patch ++++++
++++ 1159 lines (skipped)

++++++ mokutil-remove-libkeyutils-check.patch ++++++
From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Wed, 16 Sep 2020 17:02:56 +0800
Subject: [PATCH] Remove libkeyutils pkgconfig check

keyutils didn't provide pkgconfig in 1.5.*

Signed-off-by: Gary Lin <g...@suse.com>
---
 configure.ac    | 1 -
 src/Makefile.am | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index b0b0376..d74fd21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset])
 
 PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
 PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
-PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])
 
 AC_ARG_WITH([bash-completion-dir],
     AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
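Review bot: dropping PKG_CHECK_MODULES(LIBKEYUTILS, ...) without a replacement means a build host lacking libkeyutils only fails at link time with an unhelpful `-lkeyutils` error; since the commit message says 1.5.x ships no .pc file, replace the check with a library probe rather than deleting it, e.g. `AC_CHECK_LIB([keyutils], [keyctl_search], [], [AC_MSG_ERROR([libkeyutils is required])])`, which keeps the spec's `keyutils-devel >= 1.5.0` requirement meaningful at configure time.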
diff --git a/src/Makefile.am b/src/Makefile.am
index f616b90..664b80a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -2,12 +2,11 @@ bin_PROGRAMS    = mokutil
 
 mokutil_CFLAGS  = $(OPENSSL_CFLAGS)    \
                  $(EFIVAR_CFLAGS)      \
-                 $(LIBKEYUTILS_CFLAGS) \
                  $(WARNINGFLAGS_C)
 
 mokutil_LDADD   = $(OPENSSL_LIBS)      \
                  $(EFIVAR_LIBS)        \
-                 $(LIBKEYUTILS_LIBS)   \
+                 -lkeyutils \
                  -lcrypt
 
 mokutil_SOURCES = signature.h \
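Review bot: the new `-lkeyutils \` continuation is not aligned with the `$(EFIVAR_LIBS)` line above it; match the column of the other entries. Linking the library by name here is fine only together with a configure-time check that it exists, which the configure.ac hunk above removes.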
-- 
2.28.0

++++++ mokutil-remove-shebang-from-bash-completion-file.patch ++++++
From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Tue, 28 May 2019 12:33:32 +0800
Subject: [PATCH] Remove shebang from bash-completion/mokutil

Signed-off-by: Gary Lin <g...@suse.com>
---
 data/mokutil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/mokutil b/data/mokutil
index 800b039..cf50606 100755
--- a/data/mokutil
+++ b/data/mokutil
@@ -1,4 +1,4 @@
-#!/bin/bash
+# mokutil(1) completion
 
 _mokutil()
 {
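Review bot: the shebang is gone but the index line still shows mode 100755; a completion file is sourced, never executed, so drop the executable bit in the same change (git update-index --chmod=-x data/mokutil) so that the installed %{_datadir}/bash-completion/completions/mokutil is not executable either.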
-- 
2.21.0

++++++ mokutil-support-revoke-builtin-cert.patch ++++++
From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/4] Add the option to revoke the built-in certificate

This is an openSUSE-only patch.

This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
 src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/src/mokutil.c b/src/mokutil.c
index 02ed21f..d95a2eb 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -86,6 +86,7 @@
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
 #define TIMEOUT            (1 << 24)
+#define REVOKE_CERT        (1 << 25)
 
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -180,6 +181,7 @@ print_help ()
        printf ("  --db\t\t\t\t\tList the keys in db\n");
        printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
        printf ("  --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK 
prompt\n");
+       printf ("  --revoke-cert\t\t\t\tRevoke the built-in certificate in 
shim\n");
        printf ("\n");
        printf ("Supplimentary Options:\n");
        printf ("  --hash-file <hash file>\t\tUse the specific password 
hash\n");
@@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity)
        return 0;
 }
 
+static int
+revoke_builtin_cert (void)
+{
+       efi_variable_t var;
+       pw_crypt_t pw_crypt;
+       uint8_t auth[SHA256_DIGEST_LENGTH];
+       char *password = NULL;
+       int pw_len;
+       int auth_ret;
+       int ret = -1;
+
+       /* Check use_openSUSE_cert */
+       memset (&var, 0, sizeof(var));
+       var.VariableName = "use_openSUSE_cert";
+       var.VendorGuid = SHIM_LOCK_GUID;
+
+       if (read_variable (&var) != EFI_SUCCESS)
+               return 0;
+
+       if ((uint8_t)*var.Data != 1) {
+               free (var.Data);
+               fprintf (stderr, "The built-in certificate is already 
revoked.\n");
+               return 0;
+       }
+       free (var.Data);
+
+       memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+       memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+       if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+               fprintf (stderr, "Abort\n");
+               goto error;
+       }
+
+       if (!use_simple_hash) {
+               pw_crypt.method = DEFAULT_CRYPT_METHOD;
+               auth_ret = generate_hash (&pw_crypt, password, pw_len);
+       } else {
+               auth_ret = generate_auth (NULL, 0, password, pw_len,
+                                         auth);
+       }
+       if (auth_ret < 0) {
+               fprintf (stderr, "Couldn't generate hash\n");
+               goto error;
+       }
+
+       if (!use_simple_hash) {
+               var.Data = (void *)&pw_crypt;
+               var.DataSize = PASSWORD_CRYPT_SIZE;
+       } else {
+               var.Data = (void *)auth;
+               var.DataSize = SHA256_DIGEST_LENGTH;
+       }
+       var.VariableName = "ClearVerify";
+
+       var.VendorGuid = SHIM_LOCK_GUID;
+       var.Attributes = EFI_VARIABLE_NON_VOLATILE
+                        | EFI_VARIABLE_BOOTSERVICE_ACCESS
+                        | EFI_VARIABLE_RUNTIME_ACCESS;
+
+       if (edit_protected_variable (&var) != EFI_SUCCESS) {
+               fprintf (stderr, "Failed to write ClearVerify\n");
+               goto error;
+       }
+
+       ret = 0;
+error:
+       if (password)
+               free (password);
+
+       return ret;
+}
+
 static inline int
 list_db (DBName db_name)
 {
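Review bot: `(uint8_t)*var.Data != 1` dereferences the variable data without checking var.DataSize, so a zero-length use_openSUSE_cert reads one byte past the buffer; check DataSize == 1 before the dereference (patch 2/4 below adds exactly that check, so squash it into this commit). The read_variable failure path also returns 0 silently, so on a shim without that variable `--revoke-cert` exits successfully having done nothing.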
@@ -2480,6 +2555,7 @@ main (int argc, char *argv[])
                        {"timeout",            required_argument, 0, 0  },
                        {"ca-check",           no_argument,       0, 0  },
                        {"ignore-keyring",     no_argument,       0, 0  },
+                       {"revoke-cert",        no_argument,       0, 0  },
                        {0, 0, 0, 0}
                };
 
@@ -2570,6 +2646,8 @@ main (int argc, char *argv[])
                                force_ca_check = 1;
                        } else if (strcmp (option, "ignore-keyring") == 0) {
                                check_keyring = 0;
+                       } else if (strcmp (option, "revoke-cert") == 0) {
+                               command |= REVOKE_CERT;
                        }
 
                        break;
@@ -2839,6 +2917,10 @@ main (int argc, char *argv[])
                case TIMEOUT:
                        ret = set_timeout (timeout);
                        break;
+               case REVOKE_CERT:
+               case REVOKE_CERT | SIMPLE_HASH:
+                       ret = revoke_builtin_cert ();
+                       break;
                default:
                        print_help ();
                        break;
-- 
2.28.0


From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables

This is an openSUSE-only patch.

Adapt the changes in the mainline.
---
 src/mokutil.c | 45 +++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/src/mokutil.c b/src/mokutil.c
index d95a2eb..8be0b77 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity)
 static int
 revoke_builtin_cert (void)
 {
-       efi_variable_t var;
+       uint32_t attributes;
+       size_t data_size;
+       uint8_t *data;
        pw_crypt_t pw_crypt;
        uint8_t auth[SHA256_DIGEST_LENGTH];
        char *password = NULL;
-       int pw_len;
+       unsigned int pw_len;
        int auth_ret;
        int ret = -1;
 
        /* Check use_openSUSE_cert */
-       memset (&var, 0, sizeof(var));
-       var.VariableName = "use_openSUSE_cert";
-       var.VendorGuid = SHIM_LOCK_GUID;
+       if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
+                             &data, &data_size, &attributes) < 0) {
+               fprintf (stderr, "Failed to get use_openSUSE_cert\n");
+               return 0;
+       }
 
-       if (read_variable (&var) != EFI_SUCCESS)
+       if (data_size != 1) {
+               free (data);
+               fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
                return 0;
+       }
 
-       if ((uint8_t)*var.Data != 1) {
-               free (var.Data);
+       if (*data != 1) {
+               free (data);
                fprintf (stderr, "The built-in certificate is already 
revoked.\n");
                return 0;
        }
-       free (var.Data);
+       free (data);
 
        memset (&pw_crypt, 0, sizeof(pw_crypt_t));
        memset (auth, 0, SHA256_DIGEST_LENGTH);
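Review bot: both early exits ("Failed to get use_openSUSE_cert" and "Invalid variable: use_openSUSE_cert") print an error but `return 0`, so the caller reports success and a script checking the exit status cannot tell that nothing was revoked; return -1 there, or for the missing-variable case say explicitly that this shim does not provide the built-in certificate switch.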
@@ -2446,20 +2453,18 @@ revoke_builtin_cert (void)
        }
 
        if (!use_simple_hash) {
-               var.Data = (void *)&pw_crypt;
-               var.DataSize = PASSWORD_CRYPT_SIZE;
+               data = (uint8_t *)&pw_crypt;
+               data_size = PASSWORD_CRYPT_SIZE;
        } else {
-               var.Data = (void *)auth;
-               var.DataSize = SHA256_DIGEST_LENGTH;
+               data = auth;
+               data_size = SHA256_DIGEST_LENGTH;
        }
-       var.VariableName = "ClearVerify";
-
-       var.VendorGuid = SHIM_LOCK_GUID;
-       var.Attributes = EFI_VARIABLE_NON_VOLATILE
-                        | EFI_VARIABLE_BOOTSERVICE_ACCESS
-                        | EFI_VARIABLE_RUNTIME_ACCESS;
+       attributes = EFI_VARIABLE_NON_VOLATILE
+                    | EFI_VARIABLE_BOOTSERVICE_ACCESS
+                    | EFI_VARIABLE_RUNTIME_ACCESS;
 
-       if (edit_protected_variable (&var) != EFI_SUCCESS) {
+       if (efi_set_variable (efi_guid_shim, "ClearVerify",
+                             data, data_size, attributes) < 0) {
                fprintf (stderr, "Failed to write ClearVerify\n");
                goto error;
        }
-- 
2.28.0


From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24

This is an openSUSE-only patch.
---
 src/mokutil.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mokutil.c b/src/mokutil.c
index 8be0b77..f27bba0 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2464,7 +2464,8 @@ revoke_builtin_cert (void)
                     | EFI_VARIABLE_RUNTIME_ACCESS;
 
        if (efi_set_variable (efi_guid_shim, "ClearVerify",
-                             data, data_size, attributes) < 0) {
+                             data, data_size, attributes,
+                             S_IRUSR | S_IWUSR) < 0) {
                fprintf (stderr, "Failed to write ClearVerify\n");
                goto error;
        }
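Review bot: S_IRUSR | S_IWUSR comes from <sys/stat.h> and the hunk adds no include; that only works because the upstreamed efivar 0.24 port (mokutil-set-efi-variable-file-mode.patch in the changelog) already uses the same constants elsewhere in mokutil.c, so a sentence in the commit message saying the include is already present would save the next reader the check. 0600 is the right mode for an efivarfs entry that carries a password hash.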
-- 
2.28.0


From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Fri, 14 Aug 2020 14:57:23 +0800
Subject: [PATCH 4/4] man: add "--revoke-cert"

The argument "--revoke-cert" was not addressed in the man page.

This is an openSUSE-only patch.

Signed-off-by: Gary Lin <g...@suse.com>
---
 man/mokutil.1 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/man/mokutil.1 b/man/mokutil.1
index cbea367..1c18d7a 100644
--- a/man/mokutil.1
+++ b/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys
 .br
 \fBmokutil\fR [--dbx]
 .br
+\fBmokutil\fR [--revoke-cert]
+.br
 
 .SH DESCRIPTION
 \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -180,3 +182,6 @@ databases.
 \fB--ignore-keyring\fR
 Ignore the kernel builtin trusted keys keyring check when enrolling a key into 
MokList
 .TP
+\fB--revoke-cert\fR
+Revoke the agreement of using the built-in certificate in shim (openSUSE 
Specfic)
+.TP
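Review bot: "Specfic" in the added --revoke-cert text is a typo for "Specific". The description should also say what the code does: the option prompts for a password and writes it as ClearVerify, and MokManager then offers the revocation at the next boot; as written a reader could take the certificate to be revoked immediately.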
-- 
2.28.0

