commit 94874785ee46cddbf7185f2c9ce54109e704548a Author: CentOS Sources Date: Tue Nov 8 02:01:28 2022 -0500 import mokutil-0.3.0-12.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..acc77e2 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/0.3.0.tar.gz diff --git a/.mokutil.metadata b/.mokutil.metadata new file mode 100644 index 0000000..0e0d9df --- /dev/null +++ b/.mokutil.metadata @@ -0,0 +1 @@ +8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch new file mode 100644 index 0000000..daafcf2 --- /dev/null +++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 4 Nov 2014 15:50:03 +0800 +Subject: [PATCH] Fix the potential buffer overflow + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 5b34f22..93fb6fa 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) + MokToggleVar tvar; + char *password = NULL; + unsigned int pw_len; +- efi_char16_t efichar_pass[SB_PASSWORD_MAX]; ++ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1]; + int ret = -1; + + printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX); +@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state) + efichar_from_char (efichar_pass, password, + SB_PASSWORD_MAX * sizeof(efi_char16_t)); + +- memcpy(tvar.password, efichar_pass, +- SB_PASSWORD_MAX * sizeof(efi_char16_t)); ++ memcpy(tvar.password, efichar_pass, sizeof(tvar.password)); + + tvar.mok_toggle_state = state; + diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch new file mode 100644 index 0000000..59e661d --- /dev/null +++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Nov 2014 11:38:54 +0800 +Subject: [PATCH] Fix the 32bit signedness comparison + +--- + src/mokutil.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 93fb6fa..a7e83f7 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + + /* Mok */ + read_size = read (fd, ptr, sizes[i]); +- if (read_size < 0 || read_size != sizes[i]) { ++ if (read_size < 0 || read_size != (int64_t)sizes[i]) { + fprintf (stderr, "Failed to read %s\n", files[i]); + goto error; + } +@@ -1645,7 +1645,7 @@ export_moks () + goto error; + } + +- while (offset < list[i].mok_size) { ++ while (offset < (int64_t)list[i].mok_size) { + write_size = write (fd, list[i].mok + offset, + list[i].mok_size - offset); + if (write_size < 0) { diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch new file mode 100644 index 0000000..335b877 --- /dev/null +++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -0,0 +1,39 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 19 Jun 2015 16:53:36 -0400 +Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right. + +This source tree uses: + +typedef wchar_t efi_char16_t; + +to define UEFI's UCS-2 character type. On many platforms, wchar_t is +32-bits by default. As a result, efichar_from_char winds up writing +4-byte characters instead of 2-byte characters. In the case where we +hash the password in mokutil, this works fine, because the same datatype +is used, and the values are the same. But for our feature toggles, +where we store the raw data and shim is interpretting the character +array, every other character winds up being L'\0', and verification +fails. + +So always build with -fshort-wchar to ensure we get 2-byte character +storage. + +Signed-off-by: Peter Jones +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fe28fb9..69d412a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -37,7 +37,7 @@ else + default_strict=no + fi + +-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11" ++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar" + + AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval, + enable_strict=$default_strict) diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch new file mode 100644 index 0000000..9cdecd6 --- /dev/null +++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch @@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 16 Jun 2015 17:06:30 -0400 +Subject: [PATCH] Don't allow sha1 on the mokutil command line. + +Related: rhbz#1115843 + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index a7e83f7..1fb34f9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type) + } + + switch (len) { ++#if 0 + case SHA_DIGEST_LENGTH*2: + *type = efi_guid_sha1; + hash_size = SHA_DIGEST_LENGTH; + break; ++#endif + case SHA224_DIGEST_LENGTH*2: + *type = efi_guid_sha224; + hash_size = SHA224_DIGEST_LENGTH; diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch new file mode 100644 index 0000000..c02dd6c --- /dev/null +++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch @@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 13 Jan 2016 16:05:21 +0800 +Subject: [PATCH] Make all efi_guid_t const + +All UEFI GUIDs defined in efivar are const. Declare all of them const +to make gcc happy. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1fb34f9..d2c52b4 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) + } + + static uint32_t +-efi_hash_size (efi_guid_t *hash_type) ++efi_hash_size (const efi_guid_t *hash_type) + { + if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { + return SHA_DIGEST_LENGTH; +@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type) + } + + static uint32_t +-signature_size (efi_guid_t *hash_type) ++signature_size (const efi_guid_t *hash_type) + { + uint32_t hash_size; + +@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size) + + /* match the hash in the hash array and return the index if matched */ + static int +-match_hash_array (efi_guid_t *hash_type, const void *hash, ++match_hash_array (const efi_guid_t *hash_type, const void *hash, + const void *hash_array, const uint32_t array_size) + { + uint32_t hash_size, hash_count; +@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash, + } + + static int +-delete_data_from_list (efi_guid_t *var_guid, const char *var_name, +- efi_guid_t *type, void *data, uint32_t data_size) ++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, ++ const efi_guid_t *type, void *data, uint32_t data_size) + { + uint8_t *var_data = NULL; + size_t var_data_size = 0; +@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size) + } + + static int +-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size, +- efi_guid_t *vendor, const char *db_name) ++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, ++ const efi_guid_t *vendor, const char *db_name) + { + uint8_t *var_data; + size_t var_data_size; +@@ -1059,7 +1059,7 @@ done: + } + + static int +-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, ++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, + MokRequest req) + { + switch (req) { +@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, + } + + static int +-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size, ++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size, + MokRequest req) + { + uint8_t *authvar_data; diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch new file mode 100644 index 0000000..cedd058 --- /dev/null +++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch @@ -0,0 +1,34 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:19:43 -0400 +Subject: [PATCH] mokutil: be explicit about file modes in all cases. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d2c52b4..d554f6c 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + ret = efi_set_variable (*var_guid, var_name, +- var_data, total, attributes); ++ var_data, total, attributes, ++ S_IRUSR | S_IWUSR); + if (ret < 0) { + fprintf (stderr, "Failed to write variable \"%s\": %m\n", + var_name); +@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req, + data_size = list_len; + + if (efi_set_variable (efi_guid_shim, req_name, +- data, data_size, attributes) < 0) { ++ data, data_size, attributes, ++ S_IRUSR | S_IWUSR) < 0) { + switch (req) { + case ENROLL_MOK: + fprintf (stderr, "Failed to enroll new keys\n"); diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch new file mode 100644 index 0000000..27263a1 --- /dev/null +++ b/SOURCES/0007-Add-bash-completion-file.patch @@ -0,0 +1,95 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:20:14 -0400 +Subject: [PATCH] Add bash completion file. + +Signed-off-by: Peter Jones +--- + configure.ac | 17 +++++++++++++++++ + Makefile.am | 5 +++++ + data/mokutil | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 data/mokutil + +diff --git a/configure.ac b/configure.ac +index 69d412a..7b52a06 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset]) + PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) + PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) + ++AC_ARG_WITH([bash-completion-dir], ++ AS_HELP_STRING([--with-bash-completion-dir[=PATH]], ++ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]), ++ [], ++ [with_bash_completion_dir=yes]) ++ ++if test "x$with_bash_completion_dir" = "xyes"; then ++ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], ++ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"], ++ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"]) ++else ++ BASH_COMPLETION_DIR="$with_bash_completion_dir" ++fi ++ ++AC_SUBST([BASH_COMPLETION_DIR]) ++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"]) ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile]) +diff --git a/Makefile.am b/Makefile.am +index 9f0d419..c17cc4a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1 +1,6 @@ + SUBDIRS = src man ++ ++if ENABLE_BASH_COMPLETION ++ bashcompletiondir = $(BASH_COMPLETION_DIR) ++ dist_bashcompletion_DATA = data/mokutil ++endif +diff --git a/data/mokutil b/data/mokutil +new file mode 100755 +index 0000000..800b039 +--- /dev/null ++++ b/data/mokutil +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++_mokutil() ++{ ++ local cur=${COMP_WORDS[COMP_CWORD]} ++ ++ if [[ "$cur" == -* ]]; then ++ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) ) ++ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) ) ++ [[ $COMPREPLY == *= ]] && compopt -o nospace ++ return 0 ++ fi ++ ++ case "${COMP_WORDS[COMP_CWORD-1]}" in ++ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f) ++ _filedir ++ return 0 ++ ;; ++ --import-hash|--delete-hash) ++ COMPREPLY=( $( compgen -W "" ) ) ++ return 0 ++ ;; ++ --set-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --generate-hash|-g) ++ COMPREPLY=( $( compgen -o nospace -P= -W "") ) ++ return 0 ++ ;; ++ *) ++ return 0 ++ ;; ++ esac ++} ++ ++complete -F _mokutil mokutil diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch new file mode 100644 index 0000000..f5df8be --- /dev/null +++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch @@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 20 Jun 2016 11:18:17 -0500 +Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot + support + +Signed-off-by: Tyler Hicks +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d554f6c..27f1292 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2297,7 +2297,7 @@ main (int argc, char *argv[]) + rc = efi_get_variable (efi_guid_global, "SecureBoot", + &data, &data_size, &attributes); + if (rc < 0) { +- fprintf(stderr, "This system does't support Secure Boot\n"); ++ fprintf(stderr, "This system doesn't support Secure Boot\n"); + ret = -1; + goto out; + } diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch new file mode 100644 index 0000000..c793299 --- /dev/null +++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch @@ -0,0 +1,23 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 3 Apr 2017 16:33:38 -0400 +Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 27f1292..0be9e84 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid) + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { +- if (ret == ENOENT) { ++ if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch new file mode 100644 index 0000000..a860ce3 --- /dev/null +++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch @@ -0,0 +1,98 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 15 May 2018 11:20:15 -0400 +Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for + strncpy bounds + +New gcc rightly comlplains when we do the following: + +strncpy (dest, src, strlen(src)); + +For two reasons: +a) it doesn't copy the NUL byte +b) it's otherwise the same thing strcpy() would have done + +This patch replaces that with stpncpy (just because it's slightly easier +to use) and the real bounds for the destination. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 0be9e84..b508010 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + { + pw_crypt_t new_crypt; + char settings[SETTINGS_LEN]; ++ char *next; + char *crypt_string; + const char *prefix; +- int hash_len, prefix_len; ++ int hash_len, settings_len = sizeof (settings) - 2; + + if (!password || !pw_crypt || password[pw_len] != '\0') + return -1; +@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + prefix = get_crypt_prefix (pw_crypt->method); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + + pw_crypt->salt_size = get_salt_size (pw_crypt->method); + generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); + +- strncpy (settings, prefix, prefix_len); +- strncpy (settings + prefix_len, (const char *)pw_crypt->salt, +- pw_crypt->salt_size); +- settings[pw_crypt->salt_size + prefix_len] = '\0'; ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); ++ if (pw_crypt->salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ next = stpncpy (next, (const char *)pw_crypt->salt, ++ pw_crypt->salt_size); ++ *next = '\0'; + + crypt_string = crypt (password, settings); + if (!crypt_string) +@@ -1929,10 +1934,11 @@ static int + generate_pw_hash (const char *input_pw) + { + char settings[SETTINGS_LEN]; ++ char *next; + char *password = NULL; + char *crypt_string; + const char *prefix; +- int prefix_len; ++ int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { +@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw) + prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + +- strncpy (settings, prefix, prefix_len); ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); + salt_size = get_salt_size (DEFAULT_CRYPT_METHOD); +- generate_salt ((settings + prefix_len), salt_size); +- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0'; ++ if (salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ generate_salt (next, salt_size); ++ next += salt_size; ++ *next = '\0'; + + crypt_string = crypt (password, settings); + free (password); diff --git a/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch new file mode 100644 index 0000000..1f50e6b --- /dev/null +++ b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 25 Jul 2018 10:27:34 -0400 +Subject: [PATCH] Fix a integer comparison sign issue. + +I introduced this, and it's stupid: + +mokutil.c: In function 'generate_pw_hash': +mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare] + if (salt_size > settings_len - (next - settings)) { + ^ + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index b508010..ac15c73 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw) + char *password = NULL; + char *crypt_string; + const char *prefix; +- int settings_len = sizeof (settings) - 2; ++ unsigned int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { diff --git a/SOURCES/0012-initial-mok-variables-code.patch b/SOURCES/0012-initial-mok-variables-code.patch new file mode 100644 index 0000000..bdac03d --- /dev/null +++ b/SOURCES/0012-initial-mok-variables-code.patch @@ -0,0 +1,240 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 17 Aug 2020 14:18:31 -0400 +Subject: [PATCH] initial mok-variables code + +This patch adds support for getting mok variables from +/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as +for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok +variables. + +Resolves: rhbz#1868820 + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 151 insertions(+), 24 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index ac15c73..838599c 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type) + return 0; + } + ++static int ++mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep) ++{ ++ char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name"; ++ size_t filename_sz = sizeof(filename); ++ int fd, rc; ++ struct stat sb = { 0, }; ++ uint8_t *buf; ++ size_t bufsz, pos = 0; ++ ssize_t ssz; ++ ++ *datap = 0; ++ *data_sizep = 0; ++ ++ snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name); ++ ++ fd = open(filename, O_RDONLY); ++ if (fd < 0) ++ return fd; ++ ++ rc = fstat(fd, &sb); ++ if (rc < 0) { ++err_close: ++ close(fd); ++ return rc; ++ } ++ ++ if (sb.st_size == 0) { ++ errno = ENOENT; ++ rc = -1; ++ goto err_close; ++ } ++ ++ bufsz = sb.st_size; ++ buf = calloc(1, bufsz); ++ if (!buf) ++ goto err_close; ++ ++ while (pos < bufsz) { ++ ssz = read(fd, &buf[pos], bufsz - pos); ++ if (ssz < 0) { ++ if (errno == EAGAIN || ++ errno == EWOULDBLOCK || ++ errno == EINTR) ++ continue; ++ free(buf); ++ goto err_close; ++ } ++ ++ pos += ssz; ++ } ++ *datap = buf; ++ *data_sizep = pos; ++ ++ return 0; ++} ++ + static MokListNode* + build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) + { +@@ -596,25 +653,44 @@ static int + list_keys_in_var (const char *var_name, const efi_guid_t guid) + { + uint8_t *data = NULL; +- size_t data_size; ++ char varname[] = "implausibly-long-mok-variable-name"; ++ size_t data_sz, i, varname_sz = sizeof(varname); + uint32_t attributes; + int ret; + +- ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); +- if (ret < 0) { +- if (errno == ENOENT) { +- printf ("%s is empty\n", var_name); +- return 0; ++ ret = mok_get_variable(var_name, &data, &data_sz); ++ if (ret >= 0) { ++ ret = list_keys (data, data_sz); ++ free(data); ++ return ret; ++ } ++ ++ for (i = 0; i < SIZE_MAX; i++) { ++ if (i == 0) { ++ snprintf(varname, varname_sz, "%s", var_name); ++ } else { ++ snprintf(varname, varname_sz, "%s%zu", var_name, i); + } + +- fprintf (stderr, "Failed to read %s: %m\n", var_name); +- return -1; ++ ret = efi_get_variable (guid, varname, &data, &data_sz, ++ &attributes); ++ if (ret < 0) ++ return 0; ++ ++ ret = list_keys (data, data_sz); ++ free(data); ++ /* ++ * If ret is < 0, the next one will error as well. ++ * If ret is 0, we need to test the next variable. ++ * If it's 1, that's a real answer. ++ */ ++ if (ret < 0) ++ return 0; ++ if (ret > 0) ++ return ret; + } + +- ret = list_keys (data, data_size); +- free (data); +- +- return ret; ++ return 0; + } + + static int +@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size) + } + + static int +-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, +- const efi_guid_t *vendor, const char *db_name) ++is_one_duplicate (const efi_guid_t *type, ++ const void *data, const uint32_t data_size, ++ uint8_t *var_data, size_t var_data_size) + { +- uint8_t *var_data; +- size_t var_data_size; +- uint32_t attributes; + uint32_t node_num; + MokListNode *list; + int ret = 0; + +- if (!data || data_size == 0 || !db_name) +- return 0; +- +- ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, +- &attributes); +- if (ret < 0) ++ if (!data || data_size == 0) + return 0; + + list = build_mok_list (var_data, var_data_size, &node_num); +@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size + done: + if (list) + free (list); +- free (var_data); + + return ret; + } + ++static int ++is_duplicate (const efi_guid_t *type, ++ const void *data, const uint32_t data_size, ++ const efi_guid_t *vendor, const char *db_name) ++{ ++ uint32_t attributes; ++ char varname[] = "implausibly-long-mok-variable-name"; ++ size_t varname_sz = sizeof(varname); ++ int ret = 0; ++ size_t i; ++ ++ if (!strncmp(db_name, "Mok", 3)) { ++ uint8_t *var_data = NULL; ++ size_t var_data_size = 0; ++ ret = mok_get_variable(db_name, &var_data, &var_data_size); ++ if (ret >= 0) { ++ ret = is_one_duplicate(type, data, data_size, ++ var_data, var_data_size); ++ if (ret >= 0) { ++ free (var_data); ++ return ret; ++ } ++ var_data = NULL; ++ var_data_size = 0; ++ } ++ } ++ ++ for (i = 0; i < SIZE_MAX; i++) { ++ uint8_t *var_data = NULL; ++ size_t var_data_size = 0; ++ if (i == 0) { ++ snprintf(varname, varname_sz, "%s", db_name); ++ } else { ++ snprintf(varname, varname_sz, "%s%zu", db_name, i); ++ } ++ ++ ret = efi_get_variable (*vendor, varname, ++ &var_data, &var_data_size, ++ &attributes); ++ if (ret < 0) ++ return 0; ++ ++ ret = is_one_duplicate(type, data, data_size, ++ var_data, var_data_size); ++ free (var_data); ++ /* ++ * If ret is < 0, the next one will error as well. ++ * If ret is 0, we need to test the next variable. ++ * If it's 1, that's a real answer. ++ */ ++ if (ret < 0) ++ return 0; ++ if (ret > 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ + static int + is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, + MokRequest req) diff --git a/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch b/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch new file mode 100644 index 0000000..3d94670 --- /dev/null +++ b/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch @@ -0,0 +1,193 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Fri, 3 Dec 2021 14:18:31 +0100 +Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases +fallback debugging. + +Signed-off-by: Renaud Métrich +(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e) +(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224) +[rharwood: no sb_check, no util renaming] +(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f) +[rharwood: flags are sparse now] +--- + src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + data/mokutil | 8 +++++++ + man/mokutil.1 | 10 +++++++++ + 3 files changed, 88 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 838599c..1cec4e9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -83,6 +83,8 @@ + #define IMPORT_HASH (1 << 21) + #define DELETE_HASH (1 << 22) + #define VERBOSITY (1 << 23) ++#define FB_VERBOSITY (1 << 25) ++#define FB_NOREBOOT (1 << 26) + + #define DEFAULT_CRYPT_METHOD SHA512_BASED + #define DEFAULT_SALT_SIZE SHA512_SALT_MAX +@@ -152,6 +154,8 @@ print_help () + printf (" --import-hash \t\t\tImport a hash into MOK or MOKX\n"); + printf (" --delete-hash \t\t\tDelete a hash in MOK or MOKX\n"); + printf (" --set-verbosity \t\tSet the verbosity bit for shim\n"); ++ printf (" --set-fallback-verbosity \t\tSet the verbosity bit for fallback\n"); ++ printf (" --set-fallback-noreboot \t\tPrevent fallback from automatically rebooting\n"); + printf (" --pk\t\t\t\t\tList the keys in PK\n"); + printf (" --kek\t\t\t\t\tList the keys in KEK\n"); + printf (" --db\t\t\t\t\tList the keys in db\n"); +@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity) + return 0; + } + ++static int ++set_fallback_verbosity (const uint8_t verbosity) ++{ ++ if (verbosity) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", ++ (uint8_t *)&verbosity, sizeof (verbosity), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_var ("FALLBACK_VERBOSE"); ++ } ++ ++ return 0; ++} ++ ++static int ++set_fallback_noreboot (const uint8_t noreboot) ++{ ++ if (noreboot) { ++ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; ++ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", ++ (uint8_t *)&noreboot, sizeof (noreboot), ++ attributes, S_IRUSR | S_IWUSR) < 0) { ++ fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); ++ return -1; ++ } ++ } else { ++ return test_and_delete_var ("FB_NO_REBOOT"); ++ } ++ ++ return 0; ++} ++ + static inline int + list_db (DBName db_name) + { +@@ -2169,6 +2213,8 @@ main (int argc, char *argv[]) + unsigned int command = 0; + int use_root_pw = 0; + uint8_t verbosity = 0; ++ uint8_t fb_verbosity = 0; ++ uint8_t fb_noreboot = 0; + DBName db_name = MOK_LIST_RT; + int ret = -1; + +@@ -2207,6 +2253,8 @@ main (int argc, char *argv[]) + {"import-hash", required_argument, 0, 0 }, + {"delete-hash", required_argument, 0, 0 }, + {"set-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-verbosity", required_argument, 0, 0 }, ++ {"set-fallback-noreboot", required_argument, 0, 0 }, + {"pk", no_argument, 0, 0 }, + {"kek", no_argument, 0, 0 }, + {"db", no_argument, 0, 0 }, +@@ -2270,6 +2318,22 @@ main (int argc, char *argv[]) + verbosity = 0; + else + command |= HELP; ++ } else if (strcmp (option, "set-fallback-verbosity") == 0) { ++ command |= FB_VERBOSITY; ++ if (strcmp (optarg, "true") == 0) ++ fb_verbosity = 1; ++ else if (strcmp (optarg, "false") == 0) ++ fb_verbosity = 0; ++ else ++ command |= HELP; ++ } else if (strcmp (option, "set-fallback-noreboot") == 0) { ++ command |= FB_NOREBOOT; ++ if (strcmp (optarg, "true") == 0) ++ fb_noreboot = 1; ++ else if (strcmp (optarg, "false") == 0) ++ fb_noreboot = 0; ++ else ++ command |= HELP; + } else if (strcmp (option, "pk") == 0) { + if (db_name != MOK_LIST_RT) { + command |= HELP; +@@ -2557,6 +2621,12 @@ main (int argc, char *argv[]) + case VERBOSITY: + ret = set_verbosity (verbosity); + break; ++ case FB_VERBOSITY: ++ ret = set_fallback_verbosity (fb_verbosity); ++ break; ++ case FB_NOREBOOT: ++ ret = set_fallback_noreboot (fb_noreboot); ++ break; + default: + print_help (); + break; +diff --git a/data/mokutil b/data/mokutil +index 800b039..af6b6ff 100755 +--- a/data/mokutil ++++ b/data/mokutil +@@ -24,6 +24,14 @@ _mokutil() + COMPREPLY=( $( compgen -W "true false") ) + return 0 + ;; ++ --set-fallback-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --set-fallback-noreboot) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; + --generate-hash|-g) + COMPREPLY=( $( compgen -o nospace -P= -W "") ) + return 0 +diff --git a/man/mokutil.1 b/man/mokutil.1 +index 25fe8b4..30dcfb2 100644 +--- a/man/mokutil.1 ++++ b/man/mokutil.1 +@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys + .br + \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] + .br ++\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] ++.br ++\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] ++.br + \fBmokutil\fR [--pk] + .br + \fBmokutil\fR [--kek] +@@ -161,6 +165,12 @@ this is not the password hash. + \fB--set-verbosity\fR + Set the SHIM_VERBOSE to make shim more or less verbose + .TP ++\fB--set-fallback-verbosity\fR ++Set the FALLBACK_VERBOSE to make fallback more or less verbose ++.TP ++\fB--set-fallback-noreboot\fR ++Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system ++.TP + \fB--pk\fR + List the keys in the public Platform Key (PK) + .TP diff --git a/SOURCES/mokutil.patches b/SOURCES/mokutil.patches new file mode 100644 index 0000000..011b06c --- /dev/null +++ b/SOURCES/mokutil.patches @@ -0,0 +1,13 @@ +Patch0001: 0001-Fix-the-potential-buffer-overflow.patch +Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch +Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch +Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch +Patch0005: 0005-Make-all-efi_guid_t-const.patch +Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch +Patch0007: 0007-Add-bash-completion-file.patch +Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch +Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch +Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch +Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch +Patch0012: 0012-initial-mok-variables-code.patch +Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch diff --git a/SPECS/mokutil.spec b/SPECS/mokutil.spec new file mode 100644 index 0000000..a0b87c9 --- /dev/null +++ b/SPECS/mokutil.spec @@ -0,0 +1,106 @@ +Name: mokutil +Version: 0.3.0 +Release: 12%{?dist} +Epoch: 1 +Summary: Tool to manage UEFI Secure Boot MoK Keys +License: GPLv3+ +URL: https://github.com/lcp/mokutil +ExclusiveArch: %{ix86} x86_64 aarch64 +BuildRequires: autoconf automake gnu-efi git openssl-devel openssl +BuildRequires: efivar-devel >= 31-1 +Source0: https://github.com/lcp/mokutil/archive/%{version}.tar.gz +Source1: mokutil.patches +Conflicts: shim < 0.8-1%{?dist} +Obsoletes: mokutil <= 1:0.3.0-1 + +%include %{SOURCE1} + +%description +mokutil provides a tool to manage keys for Secure Boot through the MoK +("Machine's Own Keys") mechanism. + +%prep +%setup -q -n %{name}-%{version} +git init +git config user.email "%{name}-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} - 1:0.3.0-12 +- Add ability to set fallback verbose mode +- Resolves: #2030704 + +* Tue Jan 05 2021 Javier Martinez Canillas - 0.3.0-11 +- Bump NVR for brew to build the package + Related: rhbz##1907418 + +* Wed Dec 30 2020 Javier Martinez Canillas - 0.3.0-10 +- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/ + as well as attempting to consume numbered mok variables from efivarfs + when mok-variables aren't present (pjones) + Resolves: rhbz#1907418 + +* Tue Jul 24 2018 Peter Jones - 0.3.0-9 +- Minor obsoletes fix +- Import some fixes from upstream + +* Sat Jan 20 2018 Björn Esser - 1:0.3.0-8 +- Rebuilt for switch to libxcrypt + +* Thu Aug 03 2017 Fedora Release Engineering - 1:0.3.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1:0.3.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 08 2017 Peter Jones - 0.3.0-5 +- Rebuild for efivar-31-1.fc26 + Related: rhbz#1468841 + +* Fri Feb 10 2017 Fedora Release Engineering - 1:0.3.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Aug 17 2016 Peter Jones - 0.3.0-3 +- Rebuild for newer efivar again. + +* Wed Aug 10 2016 Peter Jones - 0.3.0-2 +- Update for newer efivar. + +* Tue Jun 14 2016 Peter Jones - 0.3.0-1 +- Update to 0.3.0 release. + Resolves: rhbz#1334628 + +* Thu Feb 04 2016 Fedora Release Engineering - 1:0.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 1:0.2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 1:0.2.0-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Mon Oct 06 2014 Peter Jones - 0.2.0-1 +- First independent package.