Hello community,

here is the log from the commit of package mokutil.14549 for openSUSE:Leap:15.2:Update checked in at 2020-10-18 06:22:26

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/mokutil.14549 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mokutil.14549"

Sun Oct 18 06:22:26 2020 rev:1 rq:841826 version:0.4.0

Changes:
--------
New Changes file:

--- /dev/null	2020-10-12 00:46:48.009358834 +0200
+++ /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486/mokutil.changes	2020-10-18 06:22:29.396430239 +0200
@@ -0,0 +1,220 @@ +------------------------------------------------------------------- +Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com> + +- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add + options for CA and kernel keyring checks (bsc#1173115) + + Add new BuildRequires: keyutils-devel + + Add mokutil-remove-libkeyutils-check.patch to disable the + version check of libkeyutils +- Refresh mokutil-support-revoke-builtin-cert.patch + +------------------------------------------------------------------- +Fri Dec 13 10:38:44 UTC 2019 - Michel Normand <norm...@linux.vnet.ibm.com> + +- Add build for ppc64/ppc64le + +------------------------------------------------------------------- +Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 0.4.0 + + Rename export_moks as export_db_keys + + Add support for exporting other keys + + add new --mok argument + + set list-enrolled command as default for some arguments + + Add more info to --sb-state: show when we're in SetupMode or + with shim validation disabled + + Correct help: --set-timeout is really --timeout + + generate_hash() / generate_pw_hash(): don't use strlen() for + strncpy bounds + + Add the type casting to silence the warning + + Add a way for mokutil to configure a timeout for MokManager's + prompt + + list_keys_in_var(): check errno correctly, not ret twice + + Fix typo in error message when the system lacks Secure Boot + support + + Add bash completion file + + mokutil: be explicit about file modes in all cases + + Make all efi_guid_t const + + Don't allow sha1 on the mokutil command line + + Build with -fshort-wchar so toggle passwords work right + + Fix the 32bit signedness comparison + + Fix the potential buffer overflow +- Add mokutil-remove-shebang-from-bash-completion-file.patch to + remove shebang from bash-completion/mokutil +- Drop upstreamed patches + + mokutil-constify-efi-guid.patch + + mokutil-fix-overflow.patch + + 
mokutil-fshort-wchar.patch + + mokutil-set-efi-variable-file-mode.patch +- Refresh mokutil-support-revoke-builtin-cert.patch +- Install bash-completion/mokutil + +------------------------------------------------------------------- +Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com> + +- Add modhash to calculate the hash of kernel module (SLE-5661) + + Also add openssl to Requires since the script needs it + +------------------------------------------------------------------- +Fri Nov 23 08:58:24 UTC 2018 - g...@suse.com + +- Enable AArch64 build (bsc#1119769, fate#326541) + +------------------------------------------------------------------- +Tue Mar 27 09:54:10 CEST 2018 - ku...@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Wed Jul 13 04:52:23 UTC 2016 - g...@suse.com + +- Patches for efivar 0.24 + + Add mokutil-set-efi-variable-file-mode.patch to set the file + mode explicitly. + + Add mokutil-constify-efi-guid.patch to make all efi_guild_t + variables const. + + Refresh mokutil-support-revoke-builtin-cert.patch for the + change of efi_set_variable() + +------------------------------------------------------------------- +Tue Jun 30 08:43:45 UTC 2015 - g...@suse.com + +- Add mokutil-fshort-wchar.patch to make sure the UEFI strings are + UCS-2 encoding. 
+ +------------------------------------------------------------------- +Tue Nov 4 07:52:54 UTC 2014 - g...@suse.com + +- Update to 0.3.0 +- Add mokutil-fix-overflow.patch to fix the buffer overflow +- Drop upstreamed patches + + mokutil-upstream-fixes.patch + + mokutil-mokx-support.patch + + mokutil-check-corrupted-key-list.patch + + mokutil-check-secure-boot-support.patch + + mokutil-clean-request.patch + + mokutil-fix-hash-file-read.patch + + mokutil-fix-hash-list-size.patch + + mokutil-more-details-for-skipped-keys.patch + + mokutil-no-invalid-x509.patch +- Refresh mokutil-support-revoke-builtin-cert.patch + +------------------------------------------------------------------- +Wed Apr 16 04:11:50 UTC 2014 - g...@suse.com + +- Add mokutil-fix-hash-file-read.patch to fix the error handling of + reading a hash file + +------------------------------------------------------------------- +Thu Apr 10 04:44:22 UTC 2014 - g...@suse.com + +- Add mokutil-check-corrupted-key-list.patch to check whether the + key list is corrupted or not +- Add mokutil-no-invalid-x509.patch to avoid importing an invalid + x509 certificate + +------------------------------------------------------------------- +Mon Mar 24 07:37:39 UTC 2014 - g...@suse.com + +- Add mokutil-more-details-for-skipped-keys.patch to show the + reason to skip the key +- Add mokutil-check-secure-boot-support.patch to check whether the + system supports Secure Boot or not + +------------------------------------------------------------------- +Fri Feb 21 10:10:15 UTC 2014 - g...@suse.com + +- Add mokutil-support-revoke-builtin-cert.patch to add an option to + revoke the built-in certificate in shim + +------------------------------------------------------------------- +Wed Feb 12 10:06:31 UTC 2014 - g...@suse.com + +- Add mokutil-fix-hash-list-size.patch to update the list size + after merging or deleting a hash +- Add mokutil-clean-request.patch to clean the request if all keys + are removed + 
+------------------------------------------------------------------- +Wed Jan 22 05:55:45 UTC 2014 - g...@suse.com + +- Update mokutil-mokx-support.patch to fix the test-key request + check + +------------------------------------------------------------------- +Thu Dec 5 02:11:40 UTC 2013 - g...@suse.com + +- Add mokutil-upstream-fixes.patch to include upstream fixes for + db signature check, gcc warnings, and error handling +- Add mokutil-mokx-support.patch to support the MOK blacklist + (FATE#316531) + +------------------------------------------------------------------- +Thu Jul 25 09:13:44 UTC 2013 - g...@suse.com + +- Update to 0.2.0 + + Generate the password hash with crypt() by default instead of + the original sha256 password hash + + Add an option to import the root password hash + + Amend error messages, help, and man page +- Drop upstreamed patches + + mokutil-lcrypt-ldflag.patch + + mokutil-probe-secure-boot-state.patch + + mokutil-allow-password-from-pipe.patch + + mokutil-bnc809703-check-pending-request.patch + + mokutil-support-delete-keys.patch + + mokutil-support-crypt-hash-methods.patch + + mokutil-update-man-page.patch + + mokutil-bnc809215-improve-wording.patch + + mokutil-support-new-pw-hash.patch + + mokutil-no-duplicate-keys-imported.patch + +------------------------------------------------------------------- +Tue Apr 2 04:43:59 UTC 2013 - g...@suse.com + +- Add mokutil-bnc809215-improve-wording.patch to make the messages + understandable (bnc#809215) +- Add mokutil-bnc809703-check-pending-request.patch to remove the + key from the pending request if necessary (bnc#809703) + +------------------------------------------------------------------- +Wed Jan 30 08:00:22 UTC 2013 - g...@suse.com + +- Merge patches for FATE#314506 + + Add mokutil-support-crypt-hash-methods.patch to support the + password hashes from /etc/shadow + + Add mokutil-update-man-page.patch to update man page for the + new added options +- Add mokutil-lcrypt-ldflag.patch to 
correct LDFLAGS + +------------------------------------------------------------------- +Fri Jan 18 10:05:27 UTC 2013 - g...@suse.com + +- Update mokutil-support-new-pw-hash.patch to extend the password + hash format + +------------------------------------------------------------------- +Wed Jan 16 08:41:15 UTC 2013 - g...@suse.com ++++ 23 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.mokutil.14549.new.3486/mokutil.changes New: ---- 0.4.0.tar.gz modhash mokutil-bsc1173115-add-ca-and-keyring-checks.patch mokutil-remove-libkeyutils-check.patch mokutil-remove-shebang-from-bash-completion-file.patch mokutil-support-revoke-builtin-cert.patch mokutil.changes mokutil.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mokutil.spec ++++++ # # spec file for package mokutil # # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           mokutil
Version:        0.4.0
Release:        0
Summary:        Tools for manipulating machine owner keys
License:        GPL-3.0-only
Group:          Productivity/Security
Url:            https://github.com/lcp/mokutil
Source:         https://github.com/lcp/%{name}/archive/%{version}.tar.gz
Source1:        modhash
# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch g...@suse.com -- Remove shebang from bash-completion/mokutil
Patch1:         mokutil-remove-shebang-from-bash-completion-file.patch
# PATCH-FIX-UPSTREAM mokutil-bsc1173115-add-ca-and-keyring-checks.patch bsc#1173115 g...@suse.com -- Add options for CA and kernel keyring checks
Patch2:         mokutil-bsc1173115-add-ca-and-keyring-checks.patch
# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch g...@suse.com -- Disable the check of libkeyutils version
Patch3:         mokutil-remove-libkeyutils-check.patch
Patch100:       mokutil-support-revoke-builtin-cert.patch
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  efivar-devel >= 0.12
BuildRequires:  libopenssl-devel >= 0.9.8
BuildRequires:  keyutils-devel >= 1.5.0
BuildRequires:  pkg-config
Requires:       openssl
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
ExclusiveArch:  x86_64 aarch64 ppc64le ppc64

%description
This program provides the means to enroll and erase the machine owner keys
(MOK) stored in the database of shim.

Authors:
--------
    Gary Lin <g...@suse.com>

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch100 -p1

%build
./autogen.sh
%configure
make

%install
%makeinstall
install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%files
%defattr(-,root,root)
%license COPYING
%{_bindir}/mokutil
%{_bindir}/modhash
%{_mandir}/man?/*
%dir %{_datadir}/bash-completion/completions/
%{_datadir}/bash-completion/completions/mokutil

%changelog

++++++ modhash ++++++
#!/usr/bin/perl
#
# Calculate the digest of the kernel module
# It will strip kernel modules signature before calculation.
#
# Based on modsign-verify, written by Michal Marek
# Authors:
#   Gary Lin <g...@suse.com>
#   Joey Lee <j...@suse.com>
#

my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n";

use strict;
use warnings;
use IPC::Open2;
use Getopt::Long;
use File::Temp qw(tempfile);

my $verbose = 1;
my $dgst = "sha256";

GetOptions(
    "d=s" => \$dgst,
    "q|quiet" => sub { $verbose-- if $verbose; },
    "v|verbose" => sub { $verbose++; },
    "h|help" => sub { print $USAGE; exit(0); }
) or die($USAGE);

sub _verbose {
    my $level = shift;

    return if $verbose < $level;
    print STDERR @_;
}
sub info { _verbose(1, @_); }
sub verbose { _verbose(2, @_); }
sub debug { _verbose(3, @_); }

if (@ARGV > 1) {
    print STDERR "Excess arguments\n";
    die($USAGE);
} elsif (@ARGV < 1) {
    print STDERR "No module supplied\n";
    die($USAGE);
}
my $module_name = shift(@ARGV);

if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and
    $dgst ne "sha384" and $dgst ne "sha512") {
    die("unsupported algorithm: $dgst");
}

#
# Function to read the contents of a file into a variable.
#
sub read_file($)
{
    my ($file) = @_;
    my $contents;
    my $len;

    open(FD, "<$file") || die $file;
    binmode FD;
    my @st = stat(FD);
    die $file if (!@st);
    $len = read(FD, $contents, $st[7]) || die $file;
    close(FD) || die $file;
    die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
        if ($len != $st[7]);
    return $contents;
}

sub openssl_pipe($$) {
    my ($input, $cmd) = @_;
    my ($pid, $res);

    $pid = open2(*read_from, *write_to, $cmd) || die $cmd;
    binmode write_to;
    if (defined($input) && $input ne "") {
        print write_to $input || die "$cmd: $!";
    }
    close(write_to) || die "$cmd: $!";
    binmode read_from;
    read(read_from, $res, 4096) || die "$cmd: $!";
    close(read_from) || die "$cmd: $!";
    waitpid($pid, 0) || die;
    die "$cmd died: $?" if ($? >> 8);
    return $res;
}

my $module = read_file($module_name);
my $module_len = length($module);

my $magic_number = "~Module signature appended~\n";
my $magic_len = length($magic_number);
my $info_len = 12;

if ($module_len < $magic_len) {
    die "Module size too short\n";
}

sub eat {
    my $length = shift;

    if ($module_len < $length) {
        die "Module size too short\n";
    }
    my $res = substr($module, -$length);
    $module = substr($module, 0, $module_len - $length);
    $module_len -= $length;
    return $res;
}

if (substr($module, -$magic_len) eq $magic_number) {
    $module = substr($module, 0, $module_len - $magic_len);
    $module_len -= $magic_len;

    my $info = eat($info_len);
    my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) =
        unpack("CCCCCxxxN", $info);
    my $signature = eat($sig_len);

    if ($id_type == 1) {
        if (unpack("n", $signature) == $sig_len - 2) {
            verbose ("signed module (X.509)\n");
        } else {
            die "Invalid signature format\n";
        }
        if ($algo != 1) {
            die "Unsupported signature algorithm\n";
        }
        $signature = substr($signature, 2);
        my $key_id = eat($key_len);
        my $name = eat($name_len);
    } elsif ($id_type == 2) {
        verbose ("signed module (PKCS#7)\n");
    }
} else {
    verbose ("unsigned module\n");
}

verbose("Hash algorithm: $dgst\n");
my $digest = openssl_pipe($module, "openssl dgst -$dgst");
$digest =~ s/\(stdin\)= //;
print "$module_name: $digest"

++++++ mokutil-bsc1173115-add-ca-and-keyring-checks.patch ++++++
++++ 1159 lines (skipped)

++++++ mokutil-remove-libkeyutils-check.patch ++++++
>From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Wed, 16 Sep 2020 17:02:56 +0800
Subject: [PATCH] Remove libkeyutils pkgconfig check

keyutils didn't provide pkgconfig in 1.5.*

Signed-off-by: Gary Lin <g...@suse.com>
---
 configure.ac    | 1 -
 src/Makefile.am | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index b0b0376..d74fd21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset]) PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) -PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5]) AC_ARG_WITH([bash-completion-dir], AS_HELP_STRING([--with-bash-completion-dir[=PATH]], diff --git a/src/Makefile.am b/src/Makefile.am index f616b90..664b80a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -2,12 +2,11 @@ bin_PROGRAMS = mokutil mokutil_CFLAGS = $(OPENSSL_CFLAGS) \ $(EFIVAR_CFLAGS) \ - $(LIBKEYUTILS_CFLAGS) \ $(WARNINGFLAGS_C) mokutil_LDADD = $(OPENSSL_LIBS) \ $(EFIVAR_LIBS) \ - $(LIBKEYUTILS_LIBS) \ + -lkeyutils \ -lcrypt mokutil_SOURCES = signature.h \ -- 2.28.0 ++++++ mokutil-remove-shebang-from-bash-completion-file.patch ++++++ >From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Tue, 28 May 2019 12:33:32 +0800 Subject: [PATCH] Remove shebang from bash-completion/mokutil Signed-off-by: Gary Lin <g...@suse.com> --- data/mokutil | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/mokutil b/data/mokutil index 800b039..cf50606 100755 --- a/data/mokutil +++ b/data/mokutil @@ -1,4 +1,4 @@ -#!/bin/bash +# mokutil(1) completion _mokutil() { -- 2.21.0 ++++++ mokutil-support-revoke-builtin-cert.patch ++++++ >From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Fri, 21 Feb 2014 17:56:55 +0800 Subject: [PATCH 1/4] Add the option to revoke the built-in certificate This is an openSUSE-only patch. This commit adds an option to create ClearVerify which contains the password hash to notify MokManager to show the option to revoke the built-in certificate. --- src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index 02ed21f..d95a2eb 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
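Review bot: in mokutil-remove-libkeyutils-check.patch, deleting `PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])` from configure.ac removes the only build-time check that the keyutils header and library exist, so on a host without keyutils-devel the failure now shows up as a compile or link error of src/mokutil instead of a clear configure message. Since the commit message says 1.5.* merely lacks the .pc file, replace the pkg-config probe with `AC_CHECK_HEADER([keyutils.h], [], [AC_MSG_ERROR([keyutils.h not found])])` and `AC_CHECK_LIB([keyutils], [keyctl], [], [AC_MSG_ERROR([libkeyutils not found])])`; with AC_CHECK_LIB adding -lkeyutils to LIBS, the hard-coded `-lkeyutils` in the src/Makefile.am hunk becomes unnecessary.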
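Review bot: in mokutil-remove-shebang-from-bash-completion-file.patch the `index 800b039..cf50606 100755` line shows data/mokutil keeps its executable bit even though, with the `#!/bin/bash` line gone, the file is only ever sourced by bash-completion and never executed. Drop the execute bit in the same patch (`git update-index --chmod=-x data/mokutil`) or have the install rule write it with mode 0644, so the shipped completion file's mode matches its purpose and does not trip packaging checks for executables without an interpreter line.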
@@ -86,6 +86,7 @@ #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) #define TIMEOUT (1 << 24) +#define REVOKE_CERT (1 << 25) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX @@ -180,6 +181,7 @@ print_help () printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); + printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); 
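Review bot: the added help line `--revoke-cert ... Revoke the built-in certificate in shim` overstates what the command does: per the commit message it only writes a password hash to ClearVerify so that MokManager shows the revoke option on the next boot, where the user must confirm it. Say so in the help text, e.g. "Request revocation of shim's built-in certificate (confirmed in MokManager at next boot)", and since the whole patch is openSUSE-only, mark the option as such here as the man page hunk does.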
@@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity) return 0; } +static int +revoke_builtin_cert (void) +{ + efi_variable_t var; + pw_crypt_t pw_crypt; + uint8_t auth[SHA256_DIGEST_LENGTH]; + char *password = NULL; + int pw_len; + int auth_ret; + int ret = -1; + + /* Check use_openSUSE_cert */ + memset (&var, 0, sizeof(var)); + var.VariableName = "use_openSUSE_cert"; + var.VendorGuid = SHIM_LOCK_GUID; + + if (read_variable (&var) != EFI_SUCCESS) + return 0; + + if ((uint8_t)*var.Data != 1) { + free (var.Data); + fprintf (stderr, "The built-in certificate is already revoked.\n"); + return 0; + } + free (var.Data); + + memset (&pw_crypt, 0, sizeof(pw_crypt_t)); + memset (auth, 0, SHA256_DIGEST_LENGTH); + + if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) { + fprintf (stderr, "Abort\n"); + goto error; + } + + if (!use_simple_hash) { + pw_crypt.method = DEFAULT_CRYPT_METHOD; + auth_ret = generate_hash (&pw_crypt, password, pw_len); + } else { + auth_ret = generate_auth (NULL, 0, password, pw_len, + auth); + } + if (auth_ret < 0) { + fprintf (stderr, "Couldn't generate hash\n"); + goto error; + } + + if (!use_simple_hash) { + var.Data = (void *)&pw_crypt; + var.DataSize = PASSWORD_CRYPT_SIZE; + } else { + var.Data = (void *)auth; + var.DataSize = SHA256_DIGEST_LENGTH; + } + var.VariableName = "ClearVerify"; + + var.VendorGuid = SHIM_LOCK_GUID; + var.Attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + + if (edit_protected_variable (&var) != EFI_SUCCESS) { + fprintf (stderr, "Failed to write ClearVerify\n"); + goto error; + } + + ret = 0; +error: + if (password) + free (password); + + return ret; +} + static inline int list_db (DBName db_name) { @@ -2480,6 +2555,7 @@ main (int argc, char *argv[]) {"timeout", required_argument, 0, 0 }, {"ca-check", no_argument, 0, 0 }, {"ignore-keyring", no_argument, 0, 0 }, + {"revoke-cert", no_argument, 0, 0 }, {0, 0, 0, 0} }; 
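Review bot: revoke_builtin_cert() returns 0 (success) when `read_variable (&var) != EFI_SUCCESS`, so `mokutil --revoke-cert` exits 0 on a shim that never exposed use_openSUSE_cert without having written anything; print a message and return non-zero there so callers can tell the cases apart. The test `(uint8_t)*var.Data != 1` also dereferences var.Data without first checking that var.DataSize is at least 1, which should be verified before the read. The function always prompts via get_password(), so the `--hash-file` supplementary option shown in the help text is silently ignored for this command; either honour it or reject the combination. Finally, the error label does `free (password)` without clearing the plaintext first: a memset to zero of password, pw_crypt and auth before they go out of scope is the usual hygiene for code that handles a password and its derived hash.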
@@ -2570,6 +2646,8 @@ main (int argc, char *argv[]) force_ca_check = 1; } else if (strcmp (option, "ignore-keyring") == 0) { check_keyring = 0; + } else if (strcmp (option, "revoke-cert") == 0) { + command |= REVOKE_CERT; } break; @@ -2839,6 +2917,10 @@ main (int argc, char *argv[]) case TIMEOUT: ret = set_timeout (timeout); break; + case REVOKE_CERT: + case REVOKE_CERT | SIMPLE_HASH: + ret = revoke_builtin_cert (); + break; default: print_help (); break; -- 2.28.0 >From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Tue, 4 Nov 2014 14:50:36 +0800 Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables This is an openSUSE-only patch. Adapt the changes in the mainline. --- src/mokutil.c | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index d95a2eb..8be0b77 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
@@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity) static int revoke_builtin_cert (void) { - efi_variable_t var; + uint32_t attributes; + size_t data_size; + uint8_t *data; pw_crypt_t pw_crypt; uint8_t auth[SHA256_DIGEST_LENGTH]; char *password = NULL; - int pw_len; + unsigned int pw_len; int auth_ret; int ret = -1; /* Check use_openSUSE_cert */ - memset (&var, 0, sizeof(var)); - var.VariableName = "use_openSUSE_cert"; - var.VendorGuid = SHIM_LOCK_GUID; + if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert", + &data, &data_size, &attributes) < 0) { + fprintf (stderr, "Failed to get use_openSUSE_cert\n"); + return 0; + } - if (read_variable (&var) != EFI_SUCCESS) + if (data_size != 1) { + free (data); + fprintf (stderr, "Invalid variable: use_openSUSE_cert\n"); return 0; + } - if ((uint8_t)*var.Data != 1) { - free (var.Data); + if (*data != 1) { + free (data); fprintf (stderr, "The built-in certificate is already revoked.\n"); return 0; } - free (var.Data); + free (data); memset (&pw_crypt, 0, sizeof(pw_crypt_t)); memset (auth, 0, SHA256_DIGEST_LENGTH); @@ -2446,20 +2453,18 @@ revoke_builtin_cert (void) } if (!use_simple_hash) { - var.Data = (void *)&pw_crypt; - var.DataSize = PASSWORD_CRYPT_SIZE; + data = (uint8_t *)&pw_crypt; + data_size = PASSWORD_CRYPT_SIZE; } else { - var.Data = (void *)auth; - var.DataSize = SHA256_DIGEST_LENGTH; + data = auth; + data_size = SHA256_DIGEST_LENGTH; } - var.VariableName = "ClearVerify"; - - var.VendorGuid = SHIM_LOCK_GUID; - var.Attributes = EFI_VARIABLE_NON_VOLATILE - | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_RUNTIME_ACCESS; + attributes = EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; - if (edit_protected_variable (&var) != EFI_SUCCESS) { + if (efi_set_variable (efi_guid_shim, "ClearVerify", + data, data_size, attributes) < 0) { fprintf (stderr, "Failed to write ClearVerify\n"); goto error; } -- 2.28.0 
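Review bot: in the first hunk, after `free (data);` the same `data` pointer is later re-pointed at the stack buffers (`data = (uint8_t *)&pw_crypt;` / `data = auth;`) and handed to efi_set_variable(); the code is correct but reads like a use-after-free and will be flagged by static analyzers, so use a separate pointer for the payload or set `data = NULL` right after the free. The `efi_get_variable (...) < 0` branch prints "Failed to get use_openSUSE_cert" but still returns 0, so the tool exits successfully when the variable is missing; return -1 there, or at least distinguish ENOENT (a shim without the openSUSE variable) from a real read error via errno and report it as such.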
>From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Wed, 13 Jul 2016 14:58:15 +0800 Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24 This is an openSUSE-only patch. --- src/mokutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index 8be0b77..f27bba0 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -2464,7 +2464,8 @@ revoke_builtin_cert (void) | EFI_VARIABLE_RUNTIME_ACCESS; if (efi_set_variable (efi_guid_shim, "ClearVerify", - data, data_size, attributes) < 0) { + data, data_size, attributes, + S_IRUSR | S_IWUSR) < 0) { fprintf (stderr, "Failed to write ClearVerify\n"); goto error; } -- 2.28.0 >From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 14 Aug 2020 14:57:23 +0800 Subject: [PATCH 4/4] man: add "--revoke-cert" The argument "--revoke-cert" was not addressed in the man page. This is an openSUSE-only patch. Signed-off-by: Gary Lin <g...@suse.com> --- man/mokutil.1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/man/mokutil.1 b/man/mokutil.1 index cbea367..1c18d7a 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--dbx] .br +\fBmokutil\fR [--revoke-cert] +.br .SH DESCRIPTION \fBmokutil\fR is a tool to import or delete the machines owner keys @@ -180,3 +182,6 @@ databases. \fB--ignore-keyring\fR Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList .TP +\fB--revoke-cert\fR +Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic) +.TP -- 2.28.0
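Review bot: in patch 3/4 the added mode argument `S_IRUSR | S_IWUSR` is the right choice, since ClearVerify carries a password hash and should not be readable by other users through efivarfs, but the hunk relies on S_IRUSR/S_IWUSR being in scope and no include is visible in its context; confirm that src/mokutil.c includes <sys/stat.h> itself rather than getting the macros transitively via efivar.h.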
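Review bot: typo in the line added to man/mokutil.1 in patch 4/4: "openSUSE Specfic" should be "openSUSE Specific". The description "Revoke the agreement of using the built-in certificate in shim" is also hard to parse; consider "Request revocation of the certificate built into shim; the request is confirmed in MokManager on the next boot (openSUSE specific)", which matches what the commit message of patch 1/4 says the option does.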
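The modhash script installed as %{_bindir}/modhash by the spec above walks a signed kernel module from the end of the file: the magic string "~Module signature appended~\n", a 12-byte info block (algo, hash, id_type, signer name length, key id length, 3 pad bytes, big-endian signature length), the signature itself and, for the old X.509 format (id_type 1), the key id and signer name, and then hashes whatever is left. The following is an added example written for this page in Python rather than the package's Perl; it is not code from the mokutil package or from SUSE. It implements the same trailer walk so the digest of a signed .ko can be compared with that of the unsigned payload, is stricter than modhash in one place (an unknown id_type is rejected instead of being accepted silently), and builds constructed sample "modules" with fake signature bytes so it runs offline. The constants, function names and sample bytes are assumptions of the example, not identifiers from the page.

```python
"""Parse and strip the Linux kernel module signature trailer the way modhash does.

Added example, not part of the mokutil package. The sample modules and the
signature bytes built in demo() are constructed for illustration; none of them
is a real .ko or a real signature.
"""
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
# The 12-byte info block as modhash unpacks it with "CCCCCxxxN":
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian u32)
INFO_FMT = ">BBBBB3xI"
INFO_LEN = struct.calcsize(INFO_FMT)  # 12
PKEY_ID_X509 = 1                      # id_type values as modhash interprets them
PKEY_ID_PKCS7 = 2
SUPPORTED_DIGESTS = ("sha1", "sha256", "sha384", "sha512")


def strip_module_signature(blob: bytes):
    """Return (payload, info); info is None for an unsigned module.

    Peels the magic, the info block, the signature and, for X.509-type
    signatures, the key id and signer name, exactly in modhash's order.
    Raises ValueError on truncated or malformed trailers instead of hashing
    a mangled payload.
    """
    if len(blob) < len(MAGIC):
        raise ValueError("Module size too short")
    if not blob.endswith(MAGIC):
        return blob, None
    body = blob[:-len(MAGIC)]

    def eat(n: int) -> bytes:
        nonlocal body
        if len(body) < n:
            raise ValueError("Module size too short")
        chunk, body = body[len(body) - n:], body[:len(body) - n]
        return chunk

    algo, hash_id, id_type, signer_len, key_id_len, sig_len = struct.unpack(INFO_FMT, eat(INFO_LEN))
    signature = eat(sig_len)
    key_id = signer = b""
    if id_type == PKEY_ID_X509:
        # Old format: 2-byte big-endian length prefix followed by the raw signature.
        if len(signature) < 2 or struct.unpack(">H", signature[:2])[0] != sig_len - 2:
            raise ValueError("Invalid signature format")
        if algo != 1:
            raise ValueError("Unsupported signature algorithm")
        signature = signature[2:]
        key_id = eat(key_id_len)
        signer = eat(signer_len)
    elif id_type == PKEY_ID_PKCS7:
        pass  # PKCS#7 carries signer and key id inside the blob; both lengths are 0
    else:
        raise ValueError(f"Unknown signature id_type {id_type}")  # modhash falls through here
    info = {"algo": algo, "hash": hash_id, "id_type": id_type,
            "signer": signer, "key_id": key_id, "signature": signature}
    return body, info


def raw_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data, restricted to the algorithms modhash accepts (minus 'sha')."""
    if algo not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported algorithm: {algo}")
    return hashlib.new(algo, data).hexdigest()


def module_digest(blob: bytes, algo: str = "sha256") -> str:
    """Digest of the module with any signature trailer removed; what modhash prints."""
    payload, _ = strip_module_signature(blob)
    return raw_digest(payload, algo)


def append_signature(payload: bytes, signature: bytes, id_type: int = PKEY_ID_PKCS7,
                     signer: bytes = b"", key_id: bytes = b"", algo: int = 0) -> bytes:
    """Lay out payload + signer + key_id + signature + info + magic for testing.

    The signature bytes are whatever the caller passes; nothing is actually signed.
    """
    if id_type == PKEY_ID_X509:
        signature = struct.pack(">H", len(signature)) + signature
    info = struct.pack(INFO_FMT, algo, 0, id_type, len(signer), len(key_id), len(signature))
    return payload + signer + key_id + signature + info + MAGIC


def demo() -> dict:
    """Constructed inputs: one payload, unsigned and with a fake PKCS#7 / X.509 trailer."""
    payload = b"\x7fELF" + b"constructed module payload, not a real .ko\n" * 4
    fake_pkcs7 = b"\x30\x82\x00\x10" + bytes(range(16))  # constructed DER-looking bytes
    signed_pkcs7 = append_signature(payload, fake_pkcs7)
    signed_x509 = append_signature(payload, b"\xab" * 32, id_type=PKEY_ID_X509,
                                   signer=b"Build signer", key_id=b"\x01\x02\x03\x04", algo=1)
    return {
        "payload": payload,
        "signed_pkcs7": signed_pkcs7,
        "signed_x509": signed_x509,
        "digest_unsigned": module_digest(payload),
        "digest_pkcs7": module_digest(signed_pkcs7),
        "digest_x509": module_digest(signed_x509),
        "digest_whole_file": raw_digest(signed_pkcs7),  # what a naive sha256sum would report
    }


if __name__ == "__main__":
    results = demo()
    for key in ("digest_unsigned", "digest_pkcs7", "digest_x509", "digest_whole_file"):
        print(f"{key}: {results[key]}")
```

The point the demo makes is the one modhash exists for: the digest of a signed module equals the digest of its unsigned payload only after the trailer is stripped, while hashing the whole file gives a different value that would never match a hash enrolled for the module.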