Merge ~enr0n/ubuntu/+source/mokutil:lp2015664-bionic into ubuntu/+source/mokutil:ubuntu/bionic-devel
- Git
- lp:~enr0n/ubuntu/+source/mokutil
- lp2015664-bionic
- Merge into ubuntu/bionic-devel
Proposed by
Nick Rosbrook
Status: | Needs review |
---|---|
Proposed branch: | ~enr0n/ubuntu/+source/mokutil:lp2015664-bionic |
Merge into: | ubuntu/+source/mokutil:ubuntu/bionic-devel |
Diff against target: |
4122 lines (+2032/-979) 23 files modified
configure.ac (+2/-1) data/mokutil (+9/-1) debian/changelog (+52/-0) debian/compat (+1/-1) debian/control (+7/-5) debian/patches/manually-define-LIBKEYUTILS-make-vars.patch (+21/-0) debian/patches/series (+1/-1) debian/rules (+1/-5) dev/null (+0/-22) man/mokutil.1 (+50/-20) src/Makefile.am (+13/-1) src/efi_hash.c (+183/-0) src/efi_hash.h (+48/-0) src/efi_x509.c (+242/-0) src/efi_x509.h (+43/-0) src/keyring.c (+111/-0) src/keyring.h (+37/-0) src/mokutil.c (+619/-911) src/mokutil.h (+66/-0) src/password-crypt.c (+7/-6) src/password-crypt.h (+5/-5) src/util.c (+456/-0) src/util.h (+58/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Langasek (community) | Approve | ||
Review via email: mp+444298@code.launchpad.net |
Commit message
Description of the change
I tested this using the test plan in LP: 2015664.
To post a comment you must log in.
Revision history for this message
Nick Rosbrook (enr0n) : | # |
Unmerged commits
- 62b8407... by Nick Rosbrook
-
changelog
- 7a6ca28... by Nick Rosbrook
-
update-maintainer
- 4b0011c... by Nick Rosbrook
-
d/p/manually-
define- LIBKEYUTILS- make-vars. patch: workaround missing libkeyutils.pc in bionic - d1ac81c... by Nick Rosbrook
-
debian/control: drop debhelper version to 11 for bionic
- 319fc44... by Nick Rosbrook
-
debian/compat: drop to 11 for bionic
- 3a48661... by Steve McIntyre
-
0.6.0-2 (patches unapplied)
Imported using git-ubuntu import.
- b7f0112... by Steve McIntyre
-
0.6.0-1 (patches unapplied)
Imported using git-ubuntu import.
- a52b060... by Steve McIntyre
-
0.4.0-1 (patches unapplied)
Imported using git-ubuntu import.
- ca9362e... by Simon Quigley
-
0.3.0+153871043
7.fb6250f- 1 (patches unapplied) Imported using git-ubuntu import.
- 18df241... by Mathieu Trudel-Lapierre
-
0.3.0+153871043
7.fb6250f- 0ubuntu2~ 18.04.1 (patches unapplied) Imported using git-ubuntu import.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | diff --git a/configure.ac b/configure.ac | |||
2 | index 7b52a06..bfa0dfe 100644 | |||
3 | --- a/configure.ac | |||
4 | +++ b/configure.ac | |||
5 | @@ -2,7 +2,7 @@ | |||
6 | 2 | # Process this file with autoconf to produce a configure script. | 2 | # Process this file with autoconf to produce a configure script. |
7 | 3 | 3 | ||
8 | 4 | AC_PREREQ([2.68]) | 4 | AC_PREREQ([2.68]) |
10 | 5 | AC_INIT([mokutil], [0.3.0], [glin@suse.com]) | 5 | AC_INIT([mokutil], [0.6.0], [chingpang@gmail.com]) |
11 | 6 | AM_INIT_AUTOMAKE([1.11 -Wno-portability tar-ustar dist-bzip2 no-dist-gzip]) | 6 | AM_INIT_AUTOMAKE([1.11 -Wno-portability tar-ustar dist-bzip2 no-dist-gzip]) |
12 | 7 | AC_CONFIG_SRCDIR([src/mokutil.c]) | 7 | AC_CONFIG_SRCDIR([src/mokutil.c]) |
13 | 8 | AC_CONFIG_HEADERS([config.h]) | 8 | AC_CONFIG_HEADERS([config.h]) |
14 | @@ -85,6 +85,7 @@ AC_CHECK_FUNCS([memset]) | |||
15 | 85 | 85 | ||
16 | 86 | PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) | 86 | PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) |
17 | 87 | PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) | 87 | PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) |
18 | 88 | PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5]) | ||
19 | 88 | 89 | ||
20 | 89 | AC_ARG_WITH([bash-completion-dir], | 90 | AC_ARG_WITH([bash-completion-dir], |
21 | 90 | AS_HELP_STRING([--with-bash-completion-dir[=PATH]], | 91 | AS_HELP_STRING([--with-bash-completion-dir[=PATH]], |
22 | diff --git a/data/mokutil b/data/mokutil | |||
23 | index 800b039..b6ee859 100755 | |||
24 | --- a/data/mokutil | |||
25 | +++ b/data/mokutil | |||
26 | @@ -1,4 +1,4 @@ | |||
28 | 1 | #!/bin/bash | 1 | # mokutil(1) completion |
29 | 2 | 2 | ||
30 | 3 | _mokutil() | 3 | _mokutil() |
31 | 4 | { | 4 | { |
32 | @@ -24,6 +24,14 @@ _mokutil() | |||
33 | 24 | COMPREPLY=( $( compgen -W "true false") ) | 24 | COMPREPLY=( $( compgen -W "true false") ) |
34 | 25 | return 0 | 25 | return 0 |
35 | 26 | ;; | 26 | ;; |
36 | 27 | --set-fallback-verbosity) | ||
37 | 28 | COMPREPLY=( $( compgen -W "true false") ) | ||
38 | 29 | return 0 | ||
39 | 30 | ;; | ||
40 | 31 | --set-fallback-noreboot) | ||
41 | 32 | COMPREPLY=( $( compgen -W "true false") ) | ||
42 | 33 | return 0 | ||
43 | 34 | ;; | ||
44 | 27 | --generate-hash|-g) | 35 | --generate-hash|-g) |
45 | 28 | COMPREPLY=( $( compgen -o nospace -P= -W "") ) | 36 | COMPREPLY=( $( compgen -o nospace -P= -W "") ) |
46 | 29 | return 0 | 37 | return 0 |
47 | diff --git a/debian/changelog b/debian/changelog | |||
48 | index a753ef6..733aee3 100644 | |||
49 | --- a/debian/changelog | |||
50 | +++ b/debian/changelog | |||
51 | @@ -1,3 +1,55 @@ | |||
52 | 1 | mokutil (0.6.0-2~18.04.1) bionic; urgency=medium | ||
53 | 2 | |||
54 | 3 | * Backport 0.6.0-2 to bionic (LP: #2015664). | ||
55 | 4 | - debian/control,debian/compat: Drop debhelper version to 11 | ||
56 | 5 | to build on bionic. | ||
57 | 6 | - debian/patches/manually-define-LIBKEYUTILS-make-vars.patch: Workaround | ||
58 | 7 | missing libkeyutils.pc in bionic. | ||
59 | 8 | |||
60 | 9 | -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 07 Jun 2023 14:14:30 -0400 | ||
61 | 10 | |||
62 | 11 | mokutil (0.6.0-2) unstable; urgency=medium | ||
63 | 12 | |||
64 | 13 | * *Actually* switch to Arch: any to allow for more | ||
65 | 14 | architectures. :-( Closes: #987613. | ||
66 | 15 | |||
67 | 16 | -- Steve McIntyre <93sam@debian.org> Wed, 15 Jun 2022 14:30:50 +0100 | ||
68 | 17 | |||
69 | 18 | mokutil (0.6.0-1) unstable; urgency=medium | ||
70 | 19 | |||
71 | 20 | * Move to new upstream version 0.6.0. | ||
72 | 21 | + Drop old patches, no longer needed. | ||
73 | 22 | * Switch to Arch: any to allow for more architectures. | ||
74 | 23 | Closes: #987613, #991933. | ||
75 | 24 | * Clean up old tweaks in debian/rules, no longer needed. | ||
76 | 25 | * Add build-dep on libkeyutils-dev, new dependency. | ||
77 | 26 | * Bump Standards-Version to 4.6.1, no changes needed. | ||
78 | 27 | |||
79 | 28 | -- Steve McIntyre <93sam@debian.org> Sun, 12 Jun 2022 21:41:39 +0100 | ||
80 | 29 | |||
81 | 30 | mokutil (0.4.0-1) unstable; urgency=medium | ||
82 | 31 | |||
83 | 32 | * Take mokutil under the wing of efi-team. | ||
84 | 33 | Thanks to Simon for his work previously, added him as an uploader | ||
85 | 34 | * Import the upstream source | ||
86 | 35 | * Move to new upstream version 0.4.0. Closes: #925223 | ||
87 | 36 | + Includes manpage fixes. Closes: #930759 | ||
88 | 37 | * Fix compiler warnings about potential unaligned pointers | ||
89 | 38 | * Update packaging: | ||
90 | 39 | + Raise debhelper-compat to 13 | ||
91 | 40 | + Raise Standards-Version to 4.5.1 | ||
92 | 41 | + Remove now-redundant build-dep on dh-autoreconf | ||
93 | 42 | |||
94 | 43 | -- Steve McIntyre <93sam@debian.org> Sun, 25 Apr 2021 21:47:18 +0100 | ||
95 | 44 | |||
96 | 45 | mokutil (0.3.0+1538710437.fb6250f-1) unstable; urgency=medium | ||
97 | 46 | |||
98 | 47 | * Upload to Debian (Closes: #925471). | ||
99 | 48 | * Adopt the package; thanks to Steve Langasek for your work! | ||
100 | 49 | * Update Vcs-* to reflect the move to Salsa. | ||
101 | 50 | |||
102 | 51 | -- Simon Quigley <tsimonq2@debian.org> Fri, 12 Apr 2019 17:45:52 -0500 | ||
103 | 52 | |||
104 | 1 | mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1) bionic; urgency=medium | 53 | mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1) bionic; urgency=medium |
105 | 2 | 54 | ||
106 | 3 | * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 18.04. | 55 | * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 18.04. |
107 | diff --git a/debian/compat b/debian/compat | |||
108 | index ec63514..b4de394 100644 | |||
109 | --- a/debian/compat | |||
110 | +++ b/debian/compat | |||
111 | @@ -1 +1 @@ | |||
113 | 1 | 9 | 1 | 11 |
114 | diff --git a/debian/control b/debian/control | |||
115 | index 8f8b6c7..fd9e619 100644 | |||
116 | --- a/debian/control | |||
117 | +++ b/debian/control | |||
118 | @@ -2,13 +2,15 @@ Source: mokutil | |||
119 | 2 | Section: admin | 2 | Section: admin |
120 | 3 | Priority: optional | 3 | Priority: optional |
121 | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
126 | 5 | XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org> | 5 | XSBC-Original-Maintainer: Debian UEFI Maintainers <debian-efi@lists.debian.org> |
127 | 6 | Standards-Version: 3.9.4 | 6 | Uploaders: Steve McIntyre <93sam@debian.org>, Simon Quigley <tsimonq2@debian.org> |
128 | 7 | Build-Depends: debhelper (>= 9), libssl-dev, pkg-config, libefivar-dev, dh-autoreconf | 7 | Standards-Version: 4.6.1 |
129 | 8 | Vcs-Bzr: lp:ubuntu/mokutil | 8 | Build-Depends: debhelper (>= 11), libssl-dev, pkg-config, libefivar-dev, libkeyutils-dev |
130 | 9 | Vcs-Browser: https://salsa.debian.org/efi-team/mokutil | ||
131 | 10 | Vcs-Git: https://salsa.debian.org/efi-team/mokutil.git | ||
132 | 9 | 11 | ||
133 | 10 | Package: mokutil | 12 | Package: mokutil |
135 | 11 | Architecture: any-amd64 any-arm any-arm64 any-i386 any-ia64 | 13 | Architecture: any |
136 | 12 | Depends: ${shlibs:Depends}, ${misc:Depends} | 14 | Depends: ${shlibs:Depends}, ${misc:Depends} |
137 | 13 | Description: tools for manipulating machine owner keys | 15 | Description: tools for manipulating machine owner keys |
138 | 14 | This program provides the means to enroll and erase the machine owner | 16 | This program provides the means to enroll and erase the machine owner |
139 | diff --git a/debian/patches/int-signedness.patch b/debian/patches/int-signedness.patch | |||
140 | 15 | deleted file mode 100644 | 17 | deleted file mode 100644 |
141 | index 34b7dfa..0000000 | |||
142 | --- a/debian/patches/int-signedness.patch | |||
143 | +++ /dev/null | |||
144 | @@ -1,22 +0,0 @@ | |||
145 | 1 | Description: Fix compile failure on platforms where int != unsigned int | ||
146 | 2 | The compiler may rightly warn about a comparison between an unsigned int | ||
147 | 3 | and an int on architectures where int is signed by default. Since the | ||
148 | 4 | existing code has been tested on architectures where int *is* unsigned, | ||
149 | 5 | we just make our other int explicitly unsigned, ignoring certain existing | ||
150 | 6 | corner cases for now wrt possible integer underflows. | ||
151 | 7 | Author: Steve Langasek <steve.langasek@canonical.com> | ||
152 | 8 | Last-Updated: 2018-10-10 | ||
153 | 9 | |||
154 | 10 | Index: mokutil-0.3.0+1538710437.fb6250f/src/mokutil.c | ||
155 | 11 | =================================================================== | ||
156 | 12 | --- mokutil-0.3.0+1538710437.fb6250f.orig/src/mokutil.c | ||
157 | 13 | +++ mokutil-0.3.0+1538710437.fb6250f/src/mokutil.c | ||
158 | 14 | @@ -2005,7 +2005,7 @@ | ||
159 | 15 | char *password = NULL; | ||
160 | 16 | char *crypt_string; | ||
161 | 17 | const char *prefix; | ||
162 | 18 | - int settings_len = sizeof (settings) - 2; | ||
163 | 19 | + unsigned int settings_len = sizeof (settings) - 2; | ||
164 | 20 | unsigned int pw_len, salt_size; | ||
165 | 21 | |||
166 | 22 | if (input_pw) { | ||
167 | diff --git a/debian/patches/manually-define-LIBKEYUTILS-make-vars.patch b/debian/patches/manually-define-LIBKEYUTILS-make-vars.patch | |||
168 | 23 | new file mode 100644 | 0 | new file mode 100644 |
169 | index 0000000..46df49c | |||
170 | --- /dev/null | |||
171 | +++ b/debian/patches/manually-define-LIBKEYUTILS-make-vars.patch | |||
172 | @@ -0,0 +1,21 @@ | |||
173 | 1 | Description: Manually define LIBKEYUTILS_{CFLAGS,LIBS} if missing libkeyutils.pc | ||
174 | 2 | Author: Nick Rosbrook <nick.rosbrook@canonical.com> | ||
175 | 3 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/jammy/+source/mokutil/+bug/2015664 | ||
176 | 4 | Forwarded: no | ||
177 | 5 | Last-Update: 2023-06-07 | ||
178 | 6 | --- a/configure.ac | ||
179 | 7 | +++ b/configure.ac | ||
180 | 8 | @@ -85,7 +85,12 @@ | ||
181 | 9 | |||
182 | 10 | PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) | ||
183 | 11 | PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) | ||
184 | 12 | -PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5]) | ||
185 | 13 | +PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5], [], [pkgconfig_found_keyutils="no"]) | ||
186 | 14 | + | ||
187 | 15 | +if test "x$pkgconfig_found_keyutils" = "xno"; then | ||
188 | 16 | + AC_SUBST([LIBKEYUTILS_CFLAGS],["-I${includedir}"]) | ||
189 | 17 | + AC_SUBST([LIBKEYUTILS_LIBS],["-L${libdir} -lkeyutils"]) | ||
190 | 18 | +fi | ||
191 | 19 | |||
192 | 20 | AC_ARG_WITH([bash-completion-dir], | ||
193 | 21 | AS_HELP_STRING([--with-bash-completion-dir[=PATH]], | ||
194 | diff --git a/debian/patches/series b/debian/patches/series | |||
195 | index e7d00e3..4c264fa 100644 | |||
196 | --- a/debian/patches/series | |||
197 | +++ b/debian/patches/series | |||
198 | @@ -1 +1 @@ | |||
200 | 1 | int-signedness.patch | 1 | manually-define-LIBKEYUTILS-make-vars.patch |
201 | diff --git a/debian/rules b/debian/rules | |||
202 | index e31f87c..2d33f6a 100755 | |||
203 | --- a/debian/rules | |||
204 | +++ b/debian/rules | |||
205 | @@ -1,8 +1,4 @@ | |||
206 | 1 | #!/usr/bin/make -f | 1 | #!/usr/bin/make -f |
207 | 2 | 2 | ||
208 | 3 | %: | 3 | %: |
214 | 4 | dh $@ --with autoreconf | 4 | dh $@ |
210 | 5 | |||
211 | 6 | #override_dh_autoreconf: | ||
212 | 7 | # NOCONFIGURE=1 dh_autoreconf ./autogen.sh | ||
213 | 8 | |||
215 | diff --git a/man/mokutil.1 b/man/mokutil.1 | |||
216 | index 25fe8b4..4260a7e 100644 | |||
217 | --- a/man/mokutil.1 | |||
218 | +++ b/man/mokutil.1 | |||
219 | @@ -15,11 +15,11 @@ mokutil \- utility to manipulate machine owner keys | |||
220 | 15 | .br | 15 | .br |
221 | 16 | \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] | 16 | \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] |
222 | 17 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 17 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | |
224 | 18 | [--simple-hash | -s] | [--mokx | -X]) | 18 | [--mokx | -X] | [--ca-check] | [--ignore-keyring]) |
225 | 19 | .br | 19 | .br |
226 | 20 | \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] | 20 | \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] |
227 | 21 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 21 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | |
229 | 22 | [--simple-hash | -s] | [--mokx |- X]) | 22 | [--mokx |- X]) |
230 | 23 | .br | 23 | .br |
231 | 24 | \fBmokutil\fR [--revoke-import] | 24 | \fBmokutil\fR [--revoke-import] |
232 | 25 | ([--mokx | -X]) | 25 | ([--mokx | -X]) |
233 | @@ -30,11 +30,9 @@ mokutil \- utility to manipulate machine owner keys | |||
234 | 30 | \fBmokutil\fR [--export | -x] | 30 | \fBmokutil\fR [--export | -x] |
235 | 31 | .br | 31 | .br |
236 | 32 | \fBmokutil\fR [--password | -p] | 32 | \fBmokutil\fR [--password | -p] |
239 | 33 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 33 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P]) |
238 | 34 | [--simple-hash | -s]) | ||
240 | 35 | .br | 34 | .br |
241 | 36 | \fBmokutil\fR [--clear-password | -c] | 35 | \fBmokutil\fR [--clear-password | -c] |
242 | 37 | ([--simple-hash | -s]) | ||
243 | 38 | .br | 36 | .br |
244 | 39 | \fBmokutil\fR [--disable-validation] | 37 | \fBmokutil\fR [--disable-validation] |
245 | 40 | .br | 38 | .br |
246 | @@ -43,11 +41,11 @@ mokutil \- utility to manipulate machine owner keys | |||
247 | 43 | \fBmokutil\fR [--sb-state] | 41 | \fBmokutil\fR [--sb-state] |
248 | 44 | .br | 42 | .br |
249 | 45 | \fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR] | 43 | \fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR] |
251 | 46 | ([--mokx | -X]) | 44 | ([--mokx | -X] | [--ca-check] | [--ignore-keyring]) |
252 | 47 | .br | 45 | .br |
253 | 48 | \fBmokutil\fR [--reset] | 46 | \fBmokutil\fR [--reset] |
254 | 49 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 47 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | |
256 | 50 | [--simple-hash | -s] | [--mok | -X]) | 48 | [--mok | -X]) |
257 | 51 | .br | 49 | .br |
258 | 52 | \fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR] | 50 | \fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR] |
259 | 53 | .br | 51 | .br |
260 | @@ -57,14 +55,18 @@ mokutil \- utility to manipulate machine owner keys | |||
261 | 57 | .br | 55 | .br |
262 | 58 | \fBmokutil\fR [--import-hash \fIhash\fR] | 56 | \fBmokutil\fR [--import-hash \fIhash\fR] |
263 | 59 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 57 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | |
265 | 60 | [--simple-hash | -s] | [--mokx | -X]) | 58 | [--mokx | -X]) |
266 | 61 | .br | 59 | .br |
267 | 62 | \fBmokutil\fR [--delete-hash \fIhash\fR] | 60 | \fBmokutil\fR [--delete-hash \fIhash\fR] |
268 | 63 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | | 61 | ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | |
270 | 64 | [--simple-hash | -s] | [--mokx | -X]) | 62 | [--mokx | -X]) |
271 | 65 | .br | 63 | .br |
272 | 66 | \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] | 64 | \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)] |
273 | 67 | .br | 65 | .br |
274 | 66 | \fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)] | ||
275 | 67 | .br | ||
276 | 68 | \fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)] | ||
277 | 69 | .br | ||
278 | 68 | \fBmokutil\fR [--pk] | 70 | \fBmokutil\fR [--pk] |
279 | 69 | .br | 71 | .br |
280 | 70 | \fBmokutil\fR [--kek] | 72 | \fBmokutil\fR [--kek] |
281 | @@ -73,6 +75,12 @@ mokutil \- utility to manipulate machine owner keys | |||
282 | 73 | .br | 75 | .br |
283 | 74 | \fBmokutil\fR [--dbx] | 76 | \fBmokutil\fR [--dbx] |
284 | 75 | .br | 77 | .br |
285 | 78 | \fBmokutil\fR [--list-sbat-revocations] | ||
286 | 79 | .br | ||
287 | 80 | \fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)] | ||
288 | 81 | .br | ||
289 | 82 | \fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR] | ||
290 | 83 | .br | ||
291 | 76 | 84 | ||
292 | 77 | .SH DESCRIPTION | 85 | .SH DESCRIPTION |
293 | 78 | \fBmokutil\fR is a tool to import or delete the machines owner keys | 86 | \fBmokutil\fR is a tool to import or delete the machines owner keys |
294 | @@ -90,11 +98,11 @@ List the keys to be enrolled | |||
295 | 90 | List the keys to be deleted | 98 | List the keys to be deleted |
296 | 91 | .TP | 99 | .TP |
297 | 92 | \fB-i, --import\fR | 100 | \fB-i, --import\fR |
299 | 93 | Collect the followed files and form a enrolling request to shim. The files must | 101 | Collect the following files and form an enrolling request to shim. The files must |
300 | 94 | be in DER format. | 102 | be in DER format. |
301 | 95 | .TP | 103 | .TP |
302 | 96 | \fB-d, --delete\fR | 104 | \fB-d, --delete\fR |
304 | 97 | Collect the followed files and form a deleting request to shim. The files must be | 105 | Collect the following files and form a deleting request to shim. The files must be |
305 | 98 | in DER format. | 106 | in DER format. |
306 | 99 | .TP | 107 | .TP |
307 | 100 | \fB--revoke-import\fR | 108 | \fB--revoke-import\fR |
308 | @@ -115,7 +123,7 @@ Clear the password for MokManager (MokPW) | |||
309 | 115 | \fB--disable-validation\fR | 123 | \fB--disable-validation\fR |
310 | 116 | Disable the validation process in shim | 124 | Disable the validation process in shim |
311 | 117 | .TP | 125 | .TP |
313 | 118 | \fB--enrolled-validation\fR | 126 | \fB--enable-validation\fR |
314 | 119 | Enable the validation process in shim | 127 | Enable the validation process in shim |
315 | 120 | .TP | 128 | .TP |
316 | 121 | \fB--sb-state\fR | 129 | \fB--sb-state\fR |
317 | @@ -136,11 +144,6 @@ Use the password hash from a specific file | |||
318 | 136 | \fB-P, --root-pw\fR | 144 | \fB-P, --root-pw\fR |
319 | 137 | Use the root password hash from /etc/shadow | 145 | Use the root password hash from /etc/shadow |
320 | 138 | .TP | 146 | .TP |
321 | 139 | \fB-s, --simple-hash\fR | ||
322 | 140 | Use the old SHA256 password hash method to hash the password | ||
323 | 141 | .br | ||
324 | 142 | Note: --root-pw invalidates --simple-hash | ||
325 | 143 | .TP | ||
326 | 144 | \fB--ignore-db\fR | 147 | \fB--ignore-db\fR |
327 | 145 | Tell shim to not use the keys in db to verify EFI images | 148 | Tell shim to not use the keys in db to verify EFI images |
328 | 146 | .TP | 149 | .TP |
329 | @@ -150,17 +153,23 @@ Tell shim to use the keys in db to verify EFI images (default) | |||
330 | 150 | \fB-X, --mokx\fR | 153 | \fB-X, --mokx\fR |
331 | 151 | Manipulate the MOK blacklist (MOKX) instead of the MOK list | 154 | Manipulate the MOK blacklist (MOKX) instead of the MOK list |
332 | 152 | .TP | 155 | .TP |
334 | 153 | \fB-i, --import-hash\fR | 156 | \fB--import-hash\fR |
335 | 154 | Create an enrolling request for the hash of a key in DER format. Note that | 157 | Create an enrolling request for the hash of a key in DER format. Note that |
336 | 155 | this is not the password hash. | 158 | this is not the password hash. |
337 | 156 | .TP | 159 | .TP |
340 | 157 | \fB-d, --delete-hash\fR | 160 | \fB--delete-hash\fR |
341 | 158 | Create an deleting request for the hash of a key in DER format. Note that | 161 | Create a deleting request for the hash of a key in DER format. Note that |
342 | 159 | this is not the password hash. | 162 | this is not the password hash. |
343 | 160 | .TP | 163 | .TP |
344 | 161 | \fB--set-verbosity\fR | 164 | \fB--set-verbosity\fR |
345 | 162 | Set the SHIM_VERBOSE to make shim more or less verbose | 165 | Set the SHIM_VERBOSE to make shim more or less verbose |
346 | 163 | .TP | 166 | .TP |
347 | 167 | \fB--set-fallback-verbosity\fR | ||
348 | 168 | Set the FALLBACK_VERBOSE to make fallback more or less verbose | ||
349 | 169 | .TP | ||
350 | 170 | \fB--set-fallback-noreboot\fR | ||
351 | 171 | Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system | ||
352 | 172 | .TP | ||
353 | 164 | \fB--pk\fR | 173 | \fB--pk\fR |
354 | 165 | List the keys in the public Platform Key (PK) | 174 | List the keys in the public Platform Key (PK) |
355 | 166 | .TP | 175 | .TP |
356 | @@ -173,3 +182,24 @@ List the keys in the secure boot signature store (db) | |||
357 | 173 | \fB--dbx\fR | 182 | \fB--dbx\fR |
358 | 174 | List the keys in the secure boot blacklist signature store (dbx) | 183 | List the keys in the secure boot blacklist signature store (dbx) |
359 | 175 | .TP | 184 | .TP |
360 | 185 | \fB--list-sbat-revocations\fR | ||
361 | 186 | List the entries in the Secure Boot Advanced Targeting store (SBAT) | ||
362 | 187 | .TP | ||
363 | 188 | \fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR | ||
364 | 189 | Set the SbatPolicy UEFI Variable to have shim apply either the latest | ||
365 | 190 | or the previous SBAT revocations. If UEFI Secure Boot is disabled, then | ||
366 | 191 | delete will reset the SBAT revocations to an empty revocation list. | ||
367 | 192 | While latest and previous are persistent configuration, delete will be | ||
368 | 193 | cleared by shim on the next boot whether or not it succeeds. The default | ||
369 | 194 | behavior is for shim to apply the previous revocations. | ||
370 | 195 | .TP | ||
371 | 196 | \fB--timeout\fR | ||
372 | 197 | Set the timeout for MOK prompt | ||
373 | 198 | .TP | ||
374 | 199 | \fB--ca-check\fR | ||
375 | 200 | Check if the CA of the given key is already enrolled or blocked in the key | ||
376 | 201 | databases. | ||
377 | 202 | .TP | ||
378 | 203 | \fB--ignore-keyring\fR | ||
379 | 204 | Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList | ||
380 | 205 | .TP | ||
381 | diff --git a/src/Makefile.am b/src/Makefile.am | |||
382 | index 87b1515..1ac380d 100644 | |||
383 | --- a/src/Makefile.am | |||
384 | +++ b/src/Makefile.am | |||
385 | @@ -2,13 +2,25 @@ bin_PROGRAMS = mokutil | |||
386 | 2 | 2 | ||
387 | 3 | mokutil_CFLAGS = $(OPENSSL_CFLAGS) \ | 3 | mokutil_CFLAGS = $(OPENSSL_CFLAGS) \ |
388 | 4 | $(EFIVAR_CFLAGS) \ | 4 | $(EFIVAR_CFLAGS) \ |
390 | 5 | $(WARNINGFLAGS_C) | 5 | $(LIBKEYUTILS_CFLAGS) \ |
391 | 6 | $(WARNINGFLAGS_C) \ | ||
392 | 7 | -DVERSION="\"$(VERSION)\"" | ||
393 | 6 | 8 | ||
394 | 7 | mokutil_LDADD = $(OPENSSL_LIBS) \ | 9 | mokutil_LDADD = $(OPENSSL_LIBS) \ |
395 | 8 | $(EFIVAR_LIBS) \ | 10 | $(EFIVAR_LIBS) \ |
396 | 11 | $(LIBKEYUTILS_LIBS) \ | ||
397 | 9 | -lcrypt | 12 | -lcrypt |
398 | 10 | 13 | ||
399 | 11 | mokutil_SOURCES = signature.h \ | 14 | mokutil_SOURCES = signature.h \ |
400 | 15 | efi_hash.h \ | ||
401 | 16 | efi_hash.c \ | ||
402 | 17 | efi_x509.h \ | ||
403 | 18 | efi_x509.c \ | ||
404 | 19 | keyring.h \ | ||
405 | 20 | keyring.c \ | ||
406 | 12 | password-crypt.h \ | 21 | password-crypt.h \ |
407 | 13 | password-crypt.c \ | 22 | password-crypt.c \ |
408 | 23 | util.h \ | ||
409 | 24 | util.c \ | ||
410 | 25 | mokutil.h \ | ||
411 | 14 | mokutil.c | 26 | mokutil.c |
412 | diff --git a/src/efi_hash.c b/src/efi_hash.c | |||
413 | 15 | new file mode 100644 | 27 | new file mode 100644 |
414 | index 0000000..1ffe347 | |||
415 | --- /dev/null | |||
416 | +++ b/src/efi_hash.c | |||
417 | @@ -0,0 +1,183 @@ | |||
418 | 1 | /** | ||
419 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
420 | 3 | * | ||
421 | 4 | * This program is free software: you can redistribute it and/or modify | ||
422 | 5 | * it under the terms of the GNU General Public License as published by | ||
423 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
424 | 7 | * (at your option) any later version. | ||
425 | 8 | * | ||
426 | 9 | * This program is distributed in the hope that it will be useful, | ||
427 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
428 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
429 | 12 | * GNU General Public License for more details. | ||
430 | 13 | * | ||
431 | 14 | * You should have received a copy of the GNU General Public License | ||
432 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
433 | 16 | * | ||
434 | 17 | * In addition, as a special exception, the copyright holders give | ||
435 | 18 | * permission to link the code of portions of this program with the | ||
436 | 19 | * OpenSSL library under certain conditions as described in each | ||
437 | 20 | * individual source file, and distribute linked combinations | ||
438 | 21 | * including the two. | ||
439 | 22 | * | ||
440 | 23 | * You must obey the GNU General Public License in all respects | ||
441 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
442 | 25 | * file(s) with this exception, you may extend this exception to your | ||
443 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
444 | 27 | * do not wish to do so, delete this exception statement from your | ||
445 | 28 | * version. If you delete this exception statement from all source | ||
446 | 29 | * files in the program, then also delete it here. | ||
447 | 30 | */ | ||
448 | 31 | |||
449 | 32 | #include <stdio.h> | ||
450 | 33 | #include <stdlib.h> | ||
451 | 34 | #include <openssl/sha.h> | ||
452 | 35 | |||
453 | 36 | #include "efi_hash.h" | ||
454 | 37 | |||
455 | 38 | uint32_t | ||
456 | 39 | efi_hash_size (const efi_guid_t *hash_type) | ||
457 | 40 | { | ||
458 | 41 | if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { | ||
459 | 42 | return SHA_DIGEST_LENGTH; | ||
460 | 43 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha224) == 0) { | ||
461 | 44 | return SHA224_DIGEST_LENGTH; | ||
462 | 45 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha256) == 0) { | ||
463 | 46 | return SHA256_DIGEST_LENGTH; | ||
464 | 47 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha384) == 0) { | ||
465 | 48 | return SHA384_DIGEST_LENGTH; | ||
466 | 49 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha512) == 0) { | ||
467 | 50 | return SHA512_DIGEST_LENGTH; | ||
468 | 51 | } | ||
469 | 52 | |||
470 | 53 | return 0; | ||
471 | 54 | } | ||
472 | 55 | |||
473 | 56 | uint32_t | ||
474 | 57 | signature_size (const efi_guid_t *hash_type) | ||
475 | 58 | { | ||
476 | 59 | uint32_t hash_size; | ||
477 | 60 | |||
478 | 61 | hash_size = efi_hash_size (hash_type); | ||
479 | 62 | if (hash_size) | ||
480 | 63 | return (hash_size + sizeof(efi_guid_t)); | ||
481 | 64 | |||
482 | 65 | return 0; | ||
483 | 66 | } | ||
484 | 67 | |||
485 | 68 | int | ||
486 | 69 | print_hash_array (const efi_guid_t *hash_type, const void *hash_array, | ||
487 | 70 | const uint32_t array_size) | ||
488 | 71 | { | ||
489 | 72 | uint32_t hash_size, remain; | ||
490 | 73 | uint32_t sig_size; | ||
491 | 74 | uint8_t *hash; | ||
492 | 75 | char *name; | ||
493 | 76 | |||
494 | 77 | if (!hash_array || array_size == 0) { | ||
495 | 78 | fprintf (stderr, "invalid hash array\n"); | ||
496 | 79 | return -1; | ||
497 | 80 | } | ||
498 | 81 | |||
499 | 82 | int rc = efi_guid_to_name ((efi_guid_t *)hash_type, &name); | ||
500 | 83 | if (rc < 0 || isxdigit(name[0])) { | ||
501 | 84 | if (name) | ||
502 | 85 | free(name); | ||
503 | 86 | fprintf (stderr, "unknown hash type\n"); | ||
504 | 87 | return -1; | ||
505 | 88 | } | ||
506 | 89 | |||
507 | 90 | hash_size = efi_hash_size (hash_type); | ||
508 | 91 | sig_size = hash_size + sizeof(efi_guid_t); | ||
509 | 92 | |||
510 | 93 | printf (" [%s]\n", name); | ||
511 | 94 | free(name); | ||
512 | 95 | remain = array_size; | ||
513 | 96 | hash = (uint8_t *)hash_array; | ||
514 | 97 | |||
515 | 98 | while (remain > 0) { | ||
516 | 99 | if (remain < sig_size) { | ||
517 | 100 | fprintf (stderr, "invalid array size\n"); | ||
518 | 101 | return -1; | ||
519 | 102 | } | ||
520 | 103 | |||
521 | 104 | printf (" "); | ||
522 | 105 | hash += sizeof(efi_guid_t); | ||
523 | 106 | for (unsigned int i = 0; i<hash_size; i++) | ||
524 | 107 | printf ("%02x", *(hash + i)); | ||
525 | 108 | printf ("\n"); | ||
526 | 109 | hash += hash_size; | ||
527 | 110 | remain -= sig_size; | ||
528 | 111 | } | ||
529 | 112 | |||
530 | 113 | return 0; | ||
531 | 114 | } | ||
532 | 115 | |||
533 | 116 | /* match the hash in the hash array and return the index if matched */ | ||
534 | 117 | int | ||
535 | 118 | match_hash_array (const efi_guid_t *hash_type, const void *hash, | ||
536 | 119 | const void *hash_array, const uint32_t array_size) | ||
537 | 120 | { | ||
538 | 121 | uint32_t hash_size, hash_count; | ||
539 | 122 | uint32_t sig_size; | ||
540 | 123 | void *ptr; | ||
541 | 124 | |||
542 | 125 | hash_size = efi_hash_size (hash_type); | ||
543 | 126 | if (!hash_size) | ||
544 | 127 | return -1; | ||
545 | 128 | |||
546 | 129 | sig_size = hash_size + sizeof(efi_guid_t); | ||
547 | 130 | if ((array_size % sig_size) != 0) { | ||
548 | 131 | fprintf (stderr, "invalid hash array size\n"); | ||
549 | 132 | return -1; | ||
550 | 133 | } | ||
551 | 134 | |||
552 | 135 | ptr = (void *)hash_array; | ||
553 | 136 | hash_count = array_size / sig_size; | ||
554 | 137 | for (unsigned int i = 0; i < hash_count; i++) { | ||
555 | 138 | ptr += sizeof(efi_guid_t); | ||
556 | 139 | if (memcmp (ptr, hash, hash_size) == 0) | ||
557 | 140 | return i; | ||
558 | 141 | ptr += hash_size; | ||
559 | 142 | } | ||
560 | 143 | |||
561 | 144 | return -1; | ||
562 | 145 | } | ||
563 | 146 | |||
564 | 147 | /* Return the hash type and size of a given hash string */ | ||
565 | 148 | int | ||
566 | 149 | identify_hash_type (const char *hash_str, efi_guid_t *type) | ||
567 | 150 | { | ||
568 | 151 | unsigned int len = strlen (hash_str); | ||
569 | 152 | int hash_size; | ||
570 | 153 | |||
571 | 154 | for (unsigned int i = 0; i < len; i++) { | ||
572 | 155 | if ((hash_str[i] > '9' || hash_str[i] < '0') && | ||
573 | 156 | (hash_str[i] > 'f' || hash_str[i] < 'a') && | ||
574 | 157 | (hash_str[i] > 'F' || hash_str[i] < 'A')) | ||
575 | 158 | return -1; | ||
576 | 159 | } | ||
577 | 160 | |||
578 | 161 | switch (len) { | ||
579 | 162 | case SHA224_DIGEST_LENGTH*2: | ||
580 | 163 | *type = efi_guid_sha224; | ||
581 | 164 | hash_size = SHA224_DIGEST_LENGTH; | ||
582 | 165 | break; | ||
583 | 166 | case SHA256_DIGEST_LENGTH*2: | ||
584 | 167 | *type = efi_guid_sha256; | ||
585 | 168 | hash_size = SHA256_DIGEST_LENGTH; | ||
586 | 169 | break; | ||
587 | 170 | case SHA384_DIGEST_LENGTH*2: | ||
588 | 171 | *type = efi_guid_sha384; | ||
589 | 172 | hash_size = SHA384_DIGEST_LENGTH; | ||
590 | 173 | break; | ||
591 | 174 | case SHA512_DIGEST_LENGTH*2: | ||
592 | 175 | *type = efi_guid_sha512; | ||
593 | 176 | hash_size = SHA512_DIGEST_LENGTH; | ||
594 | 177 | break; | ||
595 | 178 | default: | ||
596 | 179 | return -1; | ||
597 | 180 | } | ||
598 | 181 | |||
599 | 182 | return hash_size; | ||
600 | 183 | } | ||
601 | diff --git a/src/efi_hash.h b/src/efi_hash.h | |||
602 | 0 | new file mode 100644 | 184 | new file mode 100644 |
603 | index 0000000..d09f793 | |||
604 | --- /dev/null | |||
605 | +++ b/src/efi_hash.h | |||
606 | @@ -0,0 +1,48 @@ | |||
607 | 1 | /** | ||
608 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
609 | 3 | * | ||
610 | 4 | * This program is free software: you can redistribute it and/or modify | ||
611 | 5 | * it under the terms of the GNU General Public License as published by | ||
612 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
613 | 7 | * (at your option) any later version. | ||
614 | 8 | * | ||
615 | 9 | * This program is distributed in the hope that it will be useful, | ||
616 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
617 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
618 | 12 | * GNU General Public License for more details. | ||
619 | 13 | * | ||
620 | 14 | * You should have received a copy of the GNU General Public License | ||
621 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
622 | 16 | * | ||
623 | 17 | * In addition, as a special exception, the copyright holders give | ||
624 | 18 | * permission to link the code of portions of this program with the | ||
625 | 19 | * OpenSSL library under certain conditions as described in each | ||
626 | 20 | * individual source file, and distribute linked combinations | ||
627 | 21 | * including the two. | ||
628 | 22 | * | ||
629 | 23 | * You must obey the GNU General Public License in all respects | ||
630 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
631 | 25 | * file(s) with this exception, you may extend this exception to your | ||
632 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
633 | 27 | * do not wish to do so, delete this exception statement from your | ||
634 | 28 | * version. If you delete this exception statement from all source | ||
635 | 29 | * files in the program, then also delete it here. | ||
636 | 30 | */ | ||
637 | 31 | |||
638 | 32 | #ifndef __EFI_HASH_H__ | ||
639 | 33 | #define __EFI_HASH_H__ | ||
640 | 34 | |||
641 | 35 | #include <ctype.h> | ||
642 | 36 | #include <efivar.h> | ||
643 | 37 | |||
644 | 38 | #include "mokutil.h" | ||
645 | 39 | |||
646 | 40 | uint32_t efi_hash_size (const efi_guid_t *hash_type); | ||
647 | 41 | uint32_t signature_size (const efi_guid_t *hash_type); | ||
648 | 42 | int print_hash_array (const efi_guid_t *hash_type, const void *hash_array, | ||
649 | 43 | const uint32_t array_size); | ||
650 | 44 | int match_hash_array (const efi_guid_t *hash_type, const void *hash, | ||
651 | 45 | const void *hash_array, const uint32_t array_size); | ||
652 | 46 | int identify_hash_type (const char *hash_str, efi_guid_t *type); | ||
653 | 47 | |||
654 | 48 | #endif /* __EFI_HASH_H__ */ | ||
655 | diff --git a/src/efi_x509.c b/src/efi_x509.c | |||
656 | 0 | new file mode 100644 | 49 | new file mode 100644 |
657 | index 0000000..4788740 | |||
658 | --- /dev/null | |||
659 | +++ b/src/efi_x509.c | |||
660 | @@ -0,0 +1,242 @@ | |||
661 | 1 | /** | ||
662 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
663 | 3 | * | ||
664 | 4 | * This program is free software: you can redistribute it and/or modify | ||
665 | 5 | * it under the terms of the GNU General Public License as published by | ||
666 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
667 | 7 | * (at your option) any later version. | ||
668 | 8 | * | ||
669 | 9 | * This program is distributed in the hope that it will be useful, | ||
670 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
671 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
672 | 12 | * GNU General Public License for more details. | ||
673 | 13 | * | ||
674 | 14 | * You should have received a copy of the GNU General Public License | ||
675 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
676 | 16 | * | ||
677 | 17 | * In addition, as a special exception, the copyright holders give | ||
678 | 18 | * permission to link the code of portions of this program with the | ||
679 | 19 | * OpenSSL library under certain conditions as described in each | ||
680 | 20 | * individual source file, and distribute linked combinations | ||
681 | 21 | * including the two. | ||
682 | 22 | * | ||
683 | 23 | * You must obey the GNU General Public License in all respects | ||
684 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
685 | 25 | * file(s) with this exception, you may extend this exception to your | ||
686 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
687 | 27 | * do not wish to do so, delete this exception statement from your | ||
688 | 28 | * version. If you delete this exception statement from all source | ||
689 | 29 | * files in the program, then also delete it here. | ||
690 | 30 | */ | ||
691 | 31 | |||
692 | 32 | #include <stdio.h> | ||
693 | 33 | #include <openssl/x509.h> | ||
694 | 34 | #include <openssl/x509v3.h> | ||
695 | 35 | |||
696 | 36 | #include "efi_x509.h" | ||
697 | 37 | |||
698 | 38 | int | ||
699 | 39 | print_x509 (const uint8_t *cert, const int cert_size) | ||
700 | 40 | { | ||
701 | 41 | X509 *X509cert; | ||
702 | 42 | EVP_MD_CTX *ctx; | ||
703 | 43 | const EVP_MD *md; | ||
704 | 44 | unsigned int md_len; | ||
705 | 45 | const unsigned char *in = (const unsigned char *)cert; | ||
706 | 46 | unsigned char fingerprint[EVP_MAX_MD_SIZE]; | ||
707 | 47 | |||
708 | 48 | X509cert = d2i_X509 (NULL, &in, cert_size); | ||
709 | 49 | if (X509cert == NULL) { | ||
710 | 50 | fprintf (stderr, "Invalid X509 certificate\n"); | ||
711 | 51 | return -1; | ||
712 | 52 | } | ||
713 | 53 | |||
714 | 54 | md = EVP_get_digestbyname ("SHA1"); | ||
715 | 55 | if(md == NULL) { | ||
716 | 56 | fprintf (stderr, "Failed to get SHA1 digest\n"); | ||
717 | 57 | goto cleanup_cert; | ||
718 | 58 | } | ||
719 | 59 | |||
720 | 60 | ctx = EVP_MD_CTX_create (); | ||
721 | 61 | if (ctx == NULL) { | ||
722 | 62 | fprintf (stderr, "Failed to create digest context\n"); | ||
723 | 63 | goto cleanup_cert; | ||
724 | 64 | } | ||
725 | 65 | |||
726 | 66 | if (!EVP_DigestInit_ex (ctx, md, NULL)) { | ||
727 | 67 | fprintf (stderr, "Failed to initialize digest context\n"); | ||
728 | 68 | goto cleanup_ctx; | ||
729 | 69 | } | ||
730 | 70 | |||
731 | 71 | if (!EVP_DigestUpdate (ctx, cert, cert_size)) { | ||
732 | 72 | fprintf (stderr, "Failed to hash into the digest context\n"); | ||
733 | 73 | goto cleanup_ctx; | ||
734 | 74 | } | ||
735 | 75 | |||
736 | 76 | if (!EVP_DigestFinal_ex (ctx, fingerprint, &md_len)) { | ||
737 | 77 | fprintf (stderr, "Failed to get digest value\n"); | ||
738 | 78 | goto cleanup_ctx; | ||
739 | 79 | } | ||
740 | 80 | |||
741 | 81 | printf ("SHA1 Fingerprint: "); | ||
742 | 82 | for (unsigned int i = 0; i < md_len; i++) { | ||
743 | 83 | printf ("%02x", fingerprint[i]); | ||
744 | 84 | if (i < md_len - 1) | ||
745 | 85 | printf (":"); | ||
746 | 86 | } | ||
747 | 87 | printf ("\n"); | ||
748 | 88 | X509_print_fp (stdout, X509cert); | ||
749 | 89 | |||
750 | 90 | cleanup_ctx: | ||
751 | 91 | EVP_MD_CTX_destroy (ctx); | ||
752 | 92 | cleanup_cert: | ||
753 | 93 | X509_free (X509cert); | ||
754 | 94 | |||
755 | 95 | return 0; | ||
756 | 96 | } | ||
757 | 97 | |||
758 | 98 | int | ||
759 | 99 | is_valid_cert (const uint8_t *cert, const uint32_t cert_size) | ||
760 | 100 | { | ||
761 | 101 | X509 *X509cert; | ||
762 | 102 | |||
763 | 103 | if (cert == NULL) | ||
764 | 104 | return 0; | ||
765 | 105 | |||
766 | 106 | X509cert = d2i_X509 (NULL, &cert, cert_size); | ||
767 | 107 | if (X509cert == NULL) | ||
768 | 108 | return 0; | ||
769 | 109 | |||
770 | 110 | X509_free (X509cert); | ||
771 | 111 | |||
772 | 112 | return 1; | ||
773 | 113 | } | ||
774 | 114 | |||
775 | 115 | /** | ||
776 | 116 | * Check whether the given CA cert is the immediate CA of the given cert | ||
777 | 117 | **/ | ||
778 | 118 | int | ||
779 | 119 | is_immediate_ca (const uint8_t *cert, const uint32_t cert_size, | ||
780 | 120 | const uint8_t *ca_cert, const uint32_t ca_cert_size) | ||
781 | 121 | { | ||
782 | 122 | X509 *X509cert = NULL; | ||
783 | 123 | X509 *X509ca = NULL; | ||
784 | 124 | X509_STORE *cert_store = NULL; | ||
785 | 125 | X509_STORE_CTX *cert_ctx = NULL; | ||
786 | 126 | int ret = 0; | ||
787 | 127 | |||
788 | 128 | if (cert == NULL || ca_cert == NULL) | ||
789 | 129 | return 0; | ||
790 | 130 | |||
791 | 131 | if (EVP_add_digest (EVP_md5 ()) == 0) | ||
792 | 132 | return 0; | ||
793 | 133 | if (EVP_add_digest (EVP_sha1 ()) == 0) | ||
794 | 134 | return 0; | ||
795 | 135 | if (EVP_add_digest (EVP_sha256 ()) == 0) | ||
796 | 136 | return 0; | ||
797 | 137 | |||
798 | 138 | X509cert = d2i_X509 (NULL, &cert, cert_size); | ||
799 | 139 | if (X509cert == NULL) | ||
800 | 140 | return 0; | ||
801 | 141 | |||
802 | 142 | X509ca = d2i_X509 (NULL, &ca_cert, ca_cert_size); | ||
803 | 143 | if (X509ca == NULL) | ||
804 | 144 | goto err; | ||
805 | 145 | |||
806 | 146 | cert_store = X509_STORE_new (); | ||
807 | 147 | if (cert_store == NULL) | ||
808 | 148 | goto err; | ||
809 | 149 | |||
810 | 150 | if (X509_STORE_add_cert (cert_store, X509ca) == 0) | ||
811 | 151 | goto err; | ||
812 | 152 | |||
813 | 153 | /* Follow edk2 CryptoPkg to allow partial certificate chains and | ||
814 | 154 | * disable time checks */ | ||
815 | 155 | X509_STORE_set_flags (cert_store, | ||
816 | 156 | X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); | ||
817 | 157 | |||
818 | 158 | cert_ctx = X509_STORE_CTX_new (); | ||
819 | 159 | if (cert_ctx == NULL) | ||
820 | 160 | goto err; | ||
821 | 161 | |||
822 | 162 | if (X509_STORE_CTX_init (cert_ctx, cert_store, X509cert, NULL) == 0) | ||
823 | 163 | goto err; | ||
824 | 164 | |||
825 | 165 | /* Verify the cert */ | ||
826 | 166 | ret = X509_verify_cert (cert_ctx); | ||
827 | 167 | /* Treat the exceptional error as FALSE */ | ||
828 | 168 | if (ret < 0) | ||
829 | 169 | ret = 0; | ||
830 | 170 | X509_STORE_CTX_cleanup (cert_ctx); | ||
831 | 171 | |||
832 | 172 | err: | ||
833 | 173 | if (X509cert) | ||
834 | 174 | X509_free (X509cert); | ||
835 | 175 | |||
836 | 176 | if (X509ca) | ||
837 | 177 | X509_free (X509ca); | ||
838 | 178 | |||
839 | 179 | if (cert_store) | ||
840 | 180 | X509_STORE_free (cert_store); | ||
841 | 181 | |||
842 | 182 | if (cert_store) | ||
843 | 183 | X509_STORE_CTX_free (cert_ctx); | ||
844 | 184 | |||
845 | 185 | return ret; | ||
846 | 186 | } | ||
847 | 187 | |||
848 | 188 | /** | ||
849 | 189 | * Get the Subject Key Identifier of the given certificate | ||
850 | 190 | * | ||
851 | 191 | * This function allocates the SKID string and the caller is responsible to | ||
852 | 192 | * free the string. | ||
853 | 193 | * | ||
854 | 194 | * Return value: | ||
855 | 195 | * - 0 : Success | ||
856 | 196 | * - -1 : Error | ||
857 | 197 | */ | ||
858 | 198 | int | ||
859 | 199 | get_cert_skid(const uint8_t *cert, const uint32_t cert_size, char **skid) | ||
860 | 200 | { | ||
861 | 201 | X509 *X509cert; | ||
862 | 202 | const ASN1_OCTET_STRING *asn1_id; | ||
863 | 203 | const uint8_t *data; | ||
864 | 204 | int data_len, i; | ||
865 | 205 | char *id_str, *ptr; | ||
866 | 206 | int ret = -1; | ||
867 | 207 | |||
868 | 208 | X509cert = d2i_X509 (NULL, &cert, cert_size); | ||
869 | 209 | if (X509cert == NULL) { | ||
870 | 210 | fprintf (stderr, "invalid x509 certificate\n"); | ||
871 | 211 | goto out; | ||
872 | 212 | } | ||
873 | 213 | |||
874 | 214 | asn1_id = X509_get0_subject_key_id (X509cert); | ||
875 | 215 | if (asn1_id == NULL) { | ||
876 | 216 | fprintf (stderr, "Failed to get Subject Key ID\n"); | ||
877 | 217 | goto out; | ||
878 | 218 | } | ||
879 | 219 | |||
880 | 220 | data = ASN1_STRING_get0_data (asn1_id); | ||
881 | 221 | data_len = ASN1_STRING_length (asn1_id); | ||
882 | 222 | |||
883 | 223 | id_str = malloc (data_len*2 + 1); | ||
884 | 224 | if (id_str == NULL) { | ||
885 | 225 | fprintf (stderr, "Failed to allocated id string\n"); | ||
886 | 226 | goto out; | ||
887 | 227 | } | ||
888 | 228 | |||
889 | 229 | ptr = id_str; | ||
890 | 230 | for (i = 0; i < data_len; i++) { | ||
891 | 231 | snprintf (ptr, 3, "%02x", data[i]); | ||
892 | 232 | ptr += 2; | ||
893 | 233 | } | ||
894 | 234 | |||
895 | 235 | *skid = id_str; | ||
896 | 236 | ret = 0; | ||
897 | 237 | out: | ||
898 | 238 | if (X509cert) | ||
899 | 239 | X509_free (X509cert); | ||
900 | 240 | |||
901 | 241 | return ret; | ||
902 | 242 | } | ||
903 | diff --git a/src/efi_x509.h b/src/efi_x509.h | |||
904 | 0 | new file mode 100644 | 243 | new file mode 100644 |
905 | index 0000000..99e5d09 | |||
906 | --- /dev/null | |||
907 | +++ b/src/efi_x509.h | |||
908 | @@ -0,0 +1,43 @@ | |||
909 | 1 | /** | ||
910 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
911 | 3 | * | ||
912 | 4 | * This program is free software: you can redistribute it and/or modify | ||
913 | 5 | * it under the terms of the GNU General Public License as published by | ||
914 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
915 | 7 | * (at your option) any later version. | ||
916 | 8 | * | ||
917 | 9 | * This program is distributed in the hope that it will be useful, | ||
918 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
919 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
920 | 12 | * GNU General Public License for more details. | ||
921 | 13 | * | ||
922 | 14 | * You should have received a copy of the GNU General Public License | ||
923 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
924 | 16 | * | ||
925 | 17 | * In addition, as a special exception, the copyright holders give | ||
926 | 18 | * permission to link the code of portions of this program with the | ||
927 | 19 | * OpenSSL library under certain conditions as described in each | ||
928 | 20 | * individual source file, and distribute linked combinations | ||
929 | 21 | * including the two. | ||
930 | 22 | * | ||
931 | 23 | * You must obey the GNU General Public License in all respects | ||
932 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
933 | 25 | * file(s) with this exception, you may extend this exception to your | ||
934 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
935 | 27 | * do not wish to do so, delete this exception statement from your | ||
936 | 28 | * version. If you delete this exception statement from all source | ||
937 | 29 | * files in the program, then also delete it here. | ||
938 | 30 | */ | ||
939 | 31 | |||
940 | 32 | #ifndef __EFI_X509_H__ | ||
941 | 33 | #define __EFI_X509_H__ | ||
942 | 34 | |||
943 | 35 | #include <stdint.h> | ||
944 | 36 | |||
945 | 37 | int print_x509 (const uint8_t *cert, const int cert_size); | ||
946 | 38 | int is_valid_cert (const uint8_t *cert, const uint32_t cert_size); | ||
947 | 39 | int is_immediate_ca (const uint8_t *cert, const uint32_t cert_size, | ||
948 | 40 | const uint8_t *ca_cert, const uint32_t ca_cert_size); | ||
949 | 41 | int get_cert_skid(const uint8_t *cert, const uint32_t cert_size, char **skid); | ||
950 | 42 | |||
951 | 43 | #endif /* __EFI_X509_H__ */ | ||
952 | diff --git a/src/keyring.c b/src/keyring.c | |||
953 | 0 | new file mode 100644 | 44 | new file mode 100644 |
954 | index 0000000..9709efd | |||
955 | --- /dev/null | |||
956 | +++ b/src/keyring.c | |||
957 | @@ -0,0 +1,111 @@ | |||
958 | 1 | /** | ||
959 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
960 | 3 | * | ||
961 | 4 | * This program is free software: you can redistribute it and/or modify | ||
962 | 5 | * it under the terms of the GNU General Public License as published by | ||
963 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
964 | 7 | * (at your option) any later version. | ||
965 | 8 | * | ||
966 | 9 | * This program is distributed in the hope that it will be useful, | ||
967 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
968 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
969 | 12 | * GNU General Public License for more details. | ||
970 | 13 | * | ||
971 | 14 | * You should have received a copy of the GNU General Public License | ||
972 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
973 | 16 | * | ||
974 | 17 | * In addition, as a special exception, the copyright holders give | ||
975 | 18 | * permission to link the code of portions of this program with the | ||
976 | 19 | * OpenSSL library under certain conditions as described in each | ||
977 | 20 | * individual source file, and distribute linked combinations | ||
978 | 21 | * including the two. | ||
979 | 22 | * | ||
980 | 23 | * You must obey the GNU General Public License in all respects | ||
981 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
982 | 25 | * file(s) with this exception, you may extend this exception to your | ||
983 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
984 | 27 | * do not wish to do so, delete this exception statement from your | ||
985 | 28 | * version. If you delete this exception statement from all source | ||
986 | 29 | * files in the program, then also delete it here. | ||
987 | 30 | */ | ||
988 | 31 | |||
989 | 32 | #include <stdio.h> | ||
990 | 33 | #include <stdlib.h> | ||
991 | 34 | #include <errno.h> | ||
992 | 35 | #include <string.h> | ||
993 | 36 | |||
994 | 37 | #include <keyutils.h> | ||
995 | 38 | |||
996 | 39 | #include "keyring.h" | ||
997 | 40 | |||
998 | 41 | /** | ||
999 | 42 | * Match the x509v3 Subject Key ID in the descriptions of the kernel built-in | ||
1000 | 43 | * trusted keys keyring | ||
1001 | 44 | * | ||
1002 | 45 | * return value | ||
1003 | 46 | * - 0 : not matched | ||
1004 | 47 | * - 1 : matched | ||
1005 | 48 | * - -1 : error | ||
1006 | 49 | */ | ||
1007 | 50 | int | ||
1008 | 51 | match_skid_in_trusted_keyring (const char *skid) | ||
1009 | 52 | { | ||
1010 | 53 | key_serial_t ring_id, key_id, *key_ptr; | ||
1011 | 54 | void *keylist = NULL; | ||
1012 | 55 | int count; | ||
1013 | 56 | char buffer[1024]; | ||
1014 | 57 | char *ptr; | ||
1015 | 58 | long buf_size; | ||
1016 | 59 | int ret = -1; | ||
1017 | 60 | |||
1018 | 61 | if (skid == NULL) | ||
1019 | 62 | return -1; | ||
1020 | 63 | |||
1021 | 64 | /* Find the keyring ID of the kernel trusted keys */ | ||
1022 | 65 | ring_id = find_key_by_type_and_desc("keyring", ".builtin_trusted_keys", 0); | ||
1023 | 66 | if (ring_id < 0) { | ||
1024 | 67 | fprintf(stderr, "Failed to accesss kernel trusted keyring: %m\n"); | ||
1025 | 68 | goto out; | ||
1026 | 69 | } | ||
1027 | 70 | |||
1028 | 71 | count = keyctl_read_alloc(ring_id, &keylist); | ||
1029 | 72 | if (count < 0) { | ||
1030 | 73 | fprintf(stderr, "Failed to read kernel trusted keyring\n"); | ||
1031 | 74 | goto out; | ||
1032 | 75 | } | ||
1033 | 76 | |||
1034 | 77 | count /= sizeof(key_serial_t); | ||
1035 | 78 | if (count == 0) { | ||
1036 | 79 | /* The keyring is empty */ | ||
1037 | 80 | ret = 0; | ||
1038 | 81 | goto out; | ||
1039 | 82 | } | ||
1040 | 83 | |||
1041 | 84 | /* Iterate the keylist and match SKID */ | ||
1042 | 85 | key_ptr = keylist; | ||
1043 | 86 | do { | ||
1044 | 87 | key_id = *key_ptr++; | ||
1045 | 88 | |||
1046 | 89 | buf_size = keyctl_describe(key_id, buffer, sizeof(buffer)); | ||
1047 | 90 | if (buf_size < 0) { | ||
1048 | 91 | fprintf(stderr, "key %X inaccessible %m\n", key_id); | ||
1049 | 92 | goto out; | ||
1050 | 93 | } | ||
1051 | 94 | |||
1052 | 95 | /* Check if SKID is in the description */ | ||
1053 | 96 | ptr = strstr(buffer, skid); | ||
1054 | 97 | if (ptr && *(ptr + strlen(skid)) == '\0') { | ||
1055 | 98 | /* Matched */ | ||
1056 | 99 | ret = 1; | ||
1057 | 100 | goto out; | ||
1058 | 101 | } | ||
1059 | 102 | } while (--count); | ||
1060 | 103 | |||
1061 | 104 | ret = 0; | ||
1062 | 105 | out: | ||
1063 | 106 | if (keylist) | ||
1064 | 107 | free(keylist); | ||
1065 | 108 | |||
1066 | 109 | return ret; | ||
1067 | 110 | |||
1068 | 111 | } | ||
1069 | diff --git a/src/keyring.h b/src/keyring.h | |||
1070 | 0 | new file mode 100644 | 112 | new file mode 100644 |
1071 | index 0000000..44127cf | |||
1072 | --- /dev/null | |||
1073 | +++ b/src/keyring.h | |||
1074 | @@ -0,0 +1,37 @@ | |||
1075 | 1 | /** | ||
1076 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
1077 | 3 | * | ||
1078 | 4 | * This program is free software: you can redistribute it and/or modify | ||
1079 | 5 | * it under the terms of the GNU General Public License as published by | ||
1080 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
1081 | 7 | * (at your option) any later version. | ||
1082 | 8 | * | ||
1083 | 9 | * This program is distributed in the hope that it will be useful, | ||
1084 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
1085 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
1086 | 12 | * GNU General Public License for more details. | ||
1087 | 13 | * | ||
1088 | 14 | * You should have received a copy of the GNU General Public License | ||
1089 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
1090 | 16 | * | ||
1091 | 17 | * In addition, as a special exception, the copyright holders give | ||
1092 | 18 | * permission to link the code of portions of this program with the | ||
1093 | 19 | * OpenSSL library under certain conditions as described in each | ||
1094 | 20 | * individual source file, and distribute linked combinations | ||
1095 | 21 | * including the two. | ||
1096 | 22 | * | ||
1097 | 23 | * You must obey the GNU General Public License in all respects | ||
1098 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
1099 | 25 | * file(s) with this exception, you may extend this exception to your | ||
1100 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
1101 | 27 | * do not wish to do so, delete this exception statement from your | ||
1102 | 28 | * version. If you delete this exception statement from all source | ||
1103 | 29 | * files in the program, then also delete it here. | ||
1104 | 30 | */ | ||
1105 | 31 | |||
1106 | 32 | #ifndef __KEYRING_H__ | ||
1107 | 33 | #define __KEYRING_H__ | ||
1108 | 34 | |||
1109 | 35 | int match_skid_in_trusted_keyring (const char *skid); | ||
1110 | 36 | |||
1111 | 37 | #endif /* __KEYRING_H__ */ | ||
1112 | diff --git a/src/mokutil.c b/src/mokutil.c | |||
1113 | index e2d567d..5d725c9 100644 | |||
1114 | --- a/src/mokutil.c | |||
1115 | +++ b/src/mokutil.c | |||
1116 | @@ -1,5 +1,5 @@ | |||
1117 | 1 | /** | 1 | /** |
1119 | 2 | * Copyright (C) 2012-2014 Gary Lin <glin@suse.com> | 2 | * Copyright (C) 2012-2020 Gary Lin <glin@suse.com> |
1120 | 3 | * Copyright (C) 2012 Matthew Garrett <mjg@redhat.com> | 3 | * Copyright (C) 2012 Matthew Garrett <mjg@redhat.com> |
1121 | 4 | * | 4 | * |
1122 | 5 | * This program is free software: you can redistribute it and/or modify | 5 | * This program is free software: you can redistribute it and/or modify |
1123 | @@ -29,30 +29,29 @@ | |||
1124 | 29 | * version. If you delete this exception statement from all source | 29 | * version. If you delete this exception statement from all source |
1125 | 30 | * files in the program, then also delete it here. | 30 | * files in the program, then also delete it here. |
1126 | 31 | */ | 31 | */ |
1127 | 32 | #include <ctype.h> | ||
1128 | 33 | #include <dirent.h> | 32 | #include <dirent.h> |
1129 | 34 | #include <errno.h> | 33 | #include <errno.h> |
1130 | 35 | #include <stdio.h> | 34 | #include <stdio.h> |
1131 | 36 | #include <stdlib.h> | 35 | #include <stdlib.h> |
1132 | 37 | #include <string.h> | 36 | #include <string.h> |
1133 | 38 | #include <strings.h> | 37 | #include <strings.h> |
1134 | 39 | #include <sys/types.h> | ||
1135 | 40 | #include <sys/stat.h> | ||
1136 | 41 | #include <fcntl.h> | ||
1137 | 42 | #include <unistd.h> | 38 | #include <unistd.h> |
1138 | 43 | #include <termios.h> | ||
1139 | 44 | #include <getopt.h> | 39 | #include <getopt.h> |
1140 | 45 | #include <shadow.h> | 40 | #include <shadow.h> |
1141 | 46 | #include <sys/time.h> | 41 | #include <sys/time.h> |
1142 | 47 | 42 | ||
1143 | 48 | #include <openssl/sha.h> | 43 | #include <openssl/sha.h> |
1144 | 49 | #include <openssl/x509.h> | ||
1145 | 50 | 44 | ||
1146 | 51 | #include <crypt.h> | 45 | #include <crypt.h> |
1147 | 52 | #include <efivar.h> | 46 | #include <efivar.h> |
1148 | 53 | 47 | ||
1149 | 48 | #include "mokutil.h" | ||
1150 | 54 | #include "signature.h" | 49 | #include "signature.h" |
1151 | 50 | #include "efi_hash.h" | ||
1152 | 51 | #include "efi_x509.h" | ||
1153 | 52 | #include "keyring.h" | ||
1154 | 55 | #include "password-crypt.h" | 53 | #include "password-crypt.h" |
1155 | 54 | #include "util.h" | ||
1156 | 56 | 55 | ||
1157 | 57 | #define PASSWORD_MAX 256 | 56 | #define PASSWORD_MAX 256 |
1158 | 58 | #define PASSWORD_MIN 1 | 57 | #define PASSWORD_MIN 1 |
1159 | @@ -76,65 +75,27 @@ | |||
1160 | 76 | #define TEST_KEY (1 << 14) | 75 | #define TEST_KEY (1 << 14) |
1161 | 77 | #define RESET (1 << 15) | 76 | #define RESET (1 << 15) |
1162 | 78 | #define GENERATE_PW_HASH (1 << 16) | 77 | #define GENERATE_PW_HASH (1 << 16) |
1171 | 79 | #define SIMPLE_HASH (1 << 17) | 78 | #define IGNORE_DB (1 << 17) |
1172 | 80 | #define IGNORE_DB (1 << 18) | 79 | #define USE_DB (1 << 18) |
1173 | 81 | #define USE_DB (1 << 19) | 80 | #define MOKX (1 << 19) |
1174 | 82 | #define MOKX (1 << 20) | 81 | #define IMPORT_HASH (1 << 20) |
1175 | 83 | #define IMPORT_HASH (1 << 21) | 82 | #define DELETE_HASH (1 << 21) |
1176 | 84 | #define DELETE_HASH (1 << 22) | 83 | #define VERBOSITY (1 << 22) |
1177 | 85 | #define VERBOSITY (1 << 23) | 84 | #define TIMEOUT (1 << 23) |
1178 | 86 | #define TIMEOUT (1 << 24) | 85 | #define LIST_SBAT (1 << 24) |
1179 | 86 | #define FB_VERBOSITY (1 << 25) | ||
1180 | 87 | #define FB_NOREBOOT (1 << 26) | ||
1181 | 88 | #define TRUST_MOK (1 << 27) | ||
1182 | 89 | #define UNTRUST_MOK (1 << 28) | ||
1183 | 90 | #define SET_SBAT (1 << 29) | ||
1184 | 87 | 91 | ||
1185 | 88 | #define DEFAULT_CRYPT_METHOD SHA512_BASED | 92 | #define DEFAULT_CRYPT_METHOD SHA512_BASED |
1186 | 89 | #define DEFAULT_SALT_SIZE SHA512_SALT_MAX | 93 | #define DEFAULT_SALT_SIZE SHA512_SALT_MAX |
1187 | 90 | #define SETTINGS_LEN (DEFAULT_SALT_SIZE*2) | 94 | #define SETTINGS_LEN (DEFAULT_SALT_SIZE*2) |
1188 | 91 | #define BUF_SIZE 300 | 95 | #define BUF_SIZE 300 |
1189 | 92 | 96 | ||
1235 | 93 | typedef unsigned long efi_status_t; | 97 | static int force_ca_check; |
1236 | 94 | typedef uint8_t efi_bool_t; | 98 | static int check_keyring; |
1192 | 95 | typedef wchar_t efi_char16_t; /* UNICODE character */ | ||
1193 | 96 | |||
1194 | 97 | static int use_simple_hash; | ||
1195 | 98 | |||
1196 | 99 | typedef enum { | ||
1197 | 100 | DELETE_MOK = 0, | ||
1198 | 101 | ENROLL_MOK, | ||
1199 | 102 | DELETE_BLACKLIST, | ||
1200 | 103 | ENROLL_BLACKLIST, | ||
1201 | 104 | } MokRequest; | ||
1202 | 105 | |||
1203 | 106 | typedef enum { | ||
1204 | 107 | MOK_LIST_RT = 0, | ||
1205 | 108 | MOK_LIST_X_RT, | ||
1206 | 109 | PK, | ||
1207 | 110 | KEK, | ||
1208 | 111 | DB, | ||
1209 | 112 | DBX, | ||
1210 | 113 | } DBName; | ||
1211 | 114 | |||
1212 | 115 | const char *db_var_name[] = { | ||
1213 | 116 | [MOK_LIST_RT] = "MokListRT", | ||
1214 | 117 | [MOK_LIST_X_RT] = "MokListXRT", | ||
1215 | 118 | [PK] = "PK", | ||
1216 | 119 | [KEK] = "KEK", | ||
1217 | 120 | [DB] = "db", | ||
1218 | 121 | [DBX] = "dbx", | ||
1219 | 122 | }; | ||
1220 | 123 | |||
1221 | 124 | const char *db_friendly_name[] = { | ||
1222 | 125 | [MOK_LIST_RT] = "MOK", | ||
1223 | 126 | [MOK_LIST_X_RT] = "MOKX", | ||
1224 | 127 | [PK] = "PK", | ||
1225 | 128 | [KEK] = "KEK", | ||
1226 | 129 | [DB] = "DB", | ||
1227 | 130 | [DBX] = "DBX", | ||
1228 | 131 | }; | ||
1229 | 132 | |||
1230 | 133 | typedef struct { | ||
1231 | 134 | EFI_SIGNATURE_LIST *header; | ||
1232 | 135 | uint32_t mok_size; | ||
1233 | 136 | void *mok; | ||
1234 | 137 | } MokListNode; | ||
1237 | 138 | 99 | ||
1238 | 139 | typedef struct { | 100 | typedef struct { |
1239 | 140 | uint32_t mok_toggle_state; | 101 | uint32_t mok_toggle_state; |
1240 | @@ -171,266 +132,28 @@ print_help () | |||
1241 | 171 | printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n"); | 132 | printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n"); |
1242 | 172 | printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n"); | 133 | printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n"); |
1243 | 173 | printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n"); | 134 | printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n"); |
1244 | 135 | printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n"); | ||
1245 | 136 | printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n"); | ||
1246 | 137 | printf (" --trust-mok\t\t\t\tTrust MOK keys within the kernel keyring\n"); | ||
1247 | 138 | printf (" --untrust-mok\t\t\t\tDo not trust MOK keys\n"); | ||
1248 | 139 | printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n"); | ||
1249 | 174 | printf (" --pk\t\t\t\t\tList the keys in PK\n"); | 140 | printf (" --pk\t\t\t\t\tList the keys in PK\n"); |
1250 | 175 | printf (" --kek\t\t\t\t\tList the keys in KEK\n"); | 141 | printf (" --kek\t\t\t\t\tList the keys in KEK\n"); |
1251 | 176 | printf (" --db\t\t\t\t\tList the keys in db\n"); | 142 | printf (" --db\t\t\t\t\tList the keys in db\n"); |
1252 | 177 | printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); | 143 | printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); |
1253 | 178 | printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); | 144 | printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); |
1254 | 145 | printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n"); | ||
1255 | 179 | printf ("\n"); | 146 | printf ("\n"); |
1256 | 180 | printf ("Supplimentary Options:\n"); | 147 | printf ("Supplimentary Options:\n"); |
1257 | 181 | printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); | 148 | printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); |
1258 | 182 | printf (" --root-pw\t\t\t\tUse the root password\n"); | 149 | printf (" --root-pw\t\t\t\tUse the root password\n"); |
1259 | 183 | printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); | ||
1260 | 184 | printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); | 150 | printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); |
1261 | 151 | printf (" --ca-check\t\t\t\tCheck if CA of the key is enrolled/blocked\n"); | ||
1262 | 152 | printf (" --ignore-keyring\t\t\tDon't check if the key is the kernel keyring\n"); | ||
1263 | 185 | } | 153 | } |
1264 | 186 | 154 | ||
1265 | 187 | static int | 155 | static int |
1512 | 188 | test_and_delete_var (const char *var_name) | 156 | list_keys (const uint8_t *data, const size_t data_size) |
1267 | 189 | { | ||
1268 | 190 | size_t size; | ||
1269 | 191 | int ret; | ||
1270 | 192 | |||
1271 | 193 | ret = efi_get_variable_size (efi_guid_shim, var_name, &size); | ||
1272 | 194 | if (ret < 0) { | ||
1273 | 195 | if (errno == ENOENT) | ||
1274 | 196 | return 0; | ||
1275 | 197 | fprintf (stderr, "Failed to access variable \"%s\": %m\n", | ||
1276 | 198 | var_name); | ||
1277 | 199 | } | ||
1278 | 200 | |||
1279 | 201 | /* Attempt to delete it no matter what, problem efi_get_variable_size() | ||
1280 | 202 | * had, unless it just doesn't exist anyway. */ | ||
1281 | 203 | if (!(ret < 0 && errno == ENOENT)) { | ||
1282 | 204 | if (efi_del_variable (efi_guid_shim, var_name) < 0) | ||
1283 | 205 | fprintf (stderr, "Failed to unset \"%s\": %m\n", var_name); | ||
1284 | 206 | } | ||
1285 | 207 | |||
1286 | 208 | return ret; | ||
1287 | 209 | } | ||
1288 | 210 | |||
1289 | 211 | static unsigned long | ||
1290 | 212 | efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) | ||
1291 | 213 | { | ||
1292 | 214 | unsigned int i, src_len = strlen(src); | ||
1293 | 215 | for (i=0; i < src_len && i < (dest_len/sizeof(*dest)) - 1; i++) { | ||
1294 | 216 | dest[i] = src[i]; | ||
1295 | 217 | } | ||
1296 | 218 | dest[i] = 0; | ||
1297 | 219 | return i * sizeof(*dest); | ||
1298 | 220 | } | ||
1299 | 221 | |||
1300 | 222 | static uint32_t | ||
1301 | 223 | efi_hash_size (const efi_guid_t *hash_type) | ||
1302 | 224 | { | ||
1303 | 225 | if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { | ||
1304 | 226 | return SHA_DIGEST_LENGTH; | ||
1305 | 227 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha224) == 0) { | ||
1306 | 228 | return SHA224_DIGEST_LENGTH; | ||
1307 | 229 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha256) == 0) { | ||
1308 | 230 | return SHA256_DIGEST_LENGTH; | ||
1309 | 231 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha384) == 0) { | ||
1310 | 232 | return SHA384_DIGEST_LENGTH; | ||
1311 | 233 | } else if (efi_guid_cmp (hash_type, &efi_guid_sha512) == 0) { | ||
1312 | 234 | return SHA512_DIGEST_LENGTH; | ||
1313 | 235 | } | ||
1314 | 236 | |||
1315 | 237 | return 0; | ||
1316 | 238 | } | ||
1317 | 239 | |||
1318 | 240 | static uint32_t | ||
1319 | 241 | signature_size (const efi_guid_t *hash_type) | ||
1320 | 242 | { | ||
1321 | 243 | uint32_t hash_size; | ||
1322 | 244 | |||
1323 | 245 | hash_size = efi_hash_size (hash_type); | ||
1324 | 246 | if (hash_size) | ||
1325 | 247 | return (hash_size + sizeof(efi_guid_t)); | ||
1326 | 248 | |||
1327 | 249 | return 0; | ||
1328 | 250 | } | ||
1329 | 251 | |||
1330 | 252 | static MokListNode* | ||
1331 | 253 | build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) | ||
1332 | 254 | { | ||
1333 | 255 | MokListNode *list = NULL; | ||
1334 | 256 | MokListNode *list_new = NULL; | ||
1335 | 257 | EFI_SIGNATURE_LIST *CertList = data; | ||
1336 | 258 | EFI_SIGNATURE_DATA *Cert; | ||
1337 | 259 | unsigned long dbsize = data_size; | ||
1338 | 260 | unsigned long count = 0; | ||
1339 | 261 | void *end = data + data_size; | ||
1340 | 262 | |||
1341 | 263 | while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { | ||
1342 | 264 | if ((void *)(CertList + 1) > end || | ||
1343 | 265 | CertList->SignatureListSize == 0 || | ||
1344 | 266 | CertList->SignatureListSize <= CertList->SignatureSize) { | ||
1345 | 267 | fprintf (stderr, "Corrupted signature list\n"); | ||
1346 | 268 | if (list) | ||
1347 | 269 | free (list); | ||
1348 | 270 | return NULL; | ||
1349 | 271 | } | ||
1350 | 272 | |||
1351 | 273 | if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && | ||
1352 | 274 | (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) && | ||
1353 | 275 | (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) && | ||
1354 | 276 | (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) && | ||
1355 | 277 | (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) && | ||
1356 | 278 | (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) { | ||
1357 | 279 | dbsize -= CertList->SignatureListSize; | ||
1358 | 280 | CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + | ||
1359 | 281 | CertList->SignatureListSize); | ||
1360 | 282 | continue; | ||
1361 | 283 | } | ||
1362 | 284 | |||
1363 | 285 | if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && | ||
1364 | 286 | (CertList->SignatureSize != signature_size (&CertList->SignatureType))) { | ||
1365 | 287 | dbsize -= CertList->SignatureListSize; | ||
1366 | 288 | CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + | ||
1367 | 289 | CertList->SignatureListSize); | ||
1368 | 290 | continue; | ||
1369 | 291 | } | ||
1370 | 292 | |||
1371 | 293 | Cert = (EFI_SIGNATURE_DATA *) (((uint8_t *) CertList) + | ||
1372 | 294 | sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); | ||
1373 | 295 | |||
1374 | 296 | if ((void *)(Cert + 1) > end || | ||
1375 | 297 | CertList->SignatureSize <= sizeof(efi_guid_t)) { | ||
1376 | 298 | if (list) | ||
1377 | 299 | free (list); | ||
1378 | 300 | fprintf (stderr, "Corrupted signature\n"); | ||
1379 | 301 | return NULL; | ||
1380 | 302 | } | ||
1381 | 303 | |||
1382 | 304 | list_new = realloc(list, sizeof(MokListNode) * (count + 1)); | ||
1383 | 305 | if (list_new) { | ||
1384 | 306 | list = list_new; | ||
1385 | 307 | } else { | ||
1386 | 308 | if (list) | ||
1387 | 309 | free (list); | ||
1388 | 310 | fprintf(stderr, "Unable to allocate MOK list\n"); | ||
1389 | 311 | return NULL; | ||
1390 | 312 | } | ||
1391 | 313 | |||
1392 | 314 | list[count].header = CertList; | ||
1393 | 315 | if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) { | ||
1394 | 316 | /* X509 certificate */ | ||
1395 | 317 | list[count].mok_size = CertList->SignatureSize - | ||
1396 | 318 | sizeof(efi_guid_t); | ||
1397 | 319 | list[count].mok = (void *)Cert->SignatureData; | ||
1398 | 320 | } else { | ||
1399 | 321 | /* hash array */ | ||
1400 | 322 | list[count].mok_size = CertList->SignatureListSize - | ||
1401 | 323 | sizeof(EFI_SIGNATURE_LIST) - | ||
1402 | 324 | CertList->SignatureHeaderSize; | ||
1403 | 325 | list[count].mok = (void *)Cert; | ||
1404 | 326 | } | ||
1405 | 327 | |||
1406 | 328 | if (list[count].mok_size > (unsigned long)end - | ||
1407 | 329 | (unsigned long)list[count].mok) { | ||
1408 | 330 | fprintf (stderr, "Corrupted data\n"); | ||
1409 | 331 | free (list); | ||
1410 | 332 | return NULL; | ||
1411 | 333 | } | ||
1412 | 334 | |||
1413 | 335 | count++; | ||
1414 | 336 | dbsize -= CertList->SignatureListSize; | ||
1415 | 337 | CertList = (EFI_SIGNATURE_LIST *) ((uint8_t *) CertList + | ||
1416 | 338 | CertList->SignatureListSize); | ||
1417 | 339 | } | ||
1418 | 340 | |||
1419 | 341 | *mok_num = count; | ||
1420 | 342 | |||
1421 | 343 | return list; | ||
1422 | 344 | } | ||
1423 | 345 | |||
1424 | 346 | static int | ||
1425 | 347 | print_x509 (char *cert, int cert_size) | ||
1426 | 348 | { | ||
1427 | 349 | X509 *X509cert; | ||
1428 | 350 | BIO *cert_bio; | ||
1429 | 351 | SHA_CTX ctx; | ||
1430 | 352 | uint8_t fingerprint[SHA_DIGEST_LENGTH]; | ||
1431 | 353 | |||
1432 | 354 | cert_bio = BIO_new (BIO_s_mem ()); | ||
1433 | 355 | BIO_write (cert_bio, cert, cert_size); | ||
1434 | 356 | if (cert_bio == NULL) { | ||
1435 | 357 | fprintf (stderr, "Failed to write BIO\n"); | ||
1436 | 358 | return -1; | ||
1437 | 359 | } | ||
1438 | 360 | |||
1439 | 361 | X509cert = d2i_X509_bio (cert_bio, NULL); | ||
1440 | 362 | if (X509cert == NULL) { | ||
1441 | 363 | fprintf (stderr, "Invalid X509 certificate\n"); | ||
1442 | 364 | return -1; | ||
1443 | 365 | } | ||
1444 | 366 | |||
1445 | 367 | SHA1_Init (&ctx); | ||
1446 | 368 | SHA1_Update (&ctx, cert, cert_size); | ||
1447 | 369 | SHA1_Final (fingerprint, &ctx); | ||
1448 | 370 | |||
1449 | 371 | printf ("SHA1 Fingerprint: "); | ||
1450 | 372 | for (unsigned int i = 0; i < SHA_DIGEST_LENGTH; i++) { | ||
1451 | 373 | printf ("%02x", fingerprint[i]); | ||
1452 | 374 | if (i < SHA_DIGEST_LENGTH - 1) | ||
1453 | 375 | printf (":"); | ||
1454 | 376 | } | ||
1455 | 377 | printf ("\n"); | ||
1456 | 378 | X509_print_fp (stdout, X509cert); | ||
1457 | 379 | |||
1458 | 380 | BIO_free (cert_bio); | ||
1459 | 381 | |||
1460 | 382 | return 0; | ||
1461 | 383 | } | ||
1462 | 384 | |||
1463 | 385 | static int | ||
1464 | 386 | print_hash_array (efi_guid_t *hash_type, void *hash_array, uint32_t array_size) | ||
1465 | 387 | { | ||
1466 | 388 | uint32_t hash_size, remain; | ||
1467 | 389 | uint32_t sig_size; | ||
1468 | 390 | uint8_t *hash; | ||
1469 | 391 | char *name; | ||
1470 | 392 | |||
1471 | 393 | if (!hash_array || array_size == 0) { | ||
1472 | 394 | fprintf (stderr, "invalid hash array\n"); | ||
1473 | 395 | return -1; | ||
1474 | 396 | } | ||
1475 | 397 | |||
1476 | 398 | int rc = efi_guid_to_name(hash_type, &name); | ||
1477 | 399 | if (rc < 0 || isxdigit(name[0])) { | ||
1478 | 400 | if (name) | ||
1479 | 401 | free(name); | ||
1480 | 402 | fprintf (stderr, "unknown hash type\n"); | ||
1481 | 403 | return -1; | ||
1482 | 404 | } | ||
1483 | 405 | |||
1484 | 406 | hash_size = efi_hash_size (hash_type); | ||
1485 | 407 | sig_size = hash_size + sizeof(efi_guid_t); | ||
1486 | 408 | |||
1487 | 409 | printf (" [%s]\n", name); | ||
1488 | 410 | free(name); | ||
1489 | 411 | remain = array_size; | ||
1490 | 412 | hash = (uint8_t *)hash_array; | ||
1491 | 413 | |||
1492 | 414 | while (remain > 0) { | ||
1493 | 415 | if (remain < sig_size) { | ||
1494 | 416 | fprintf (stderr, "invalid array size\n"); | ||
1495 | 417 | return -1; | ||
1496 | 418 | } | ||
1497 | 419 | |||
1498 | 420 | printf (" "); | ||
1499 | 421 | hash += sizeof(efi_guid_t); | ||
1500 | 422 | for (unsigned int i = 0; i<hash_size; i++) | ||
1501 | 423 | printf ("%02x", *(hash + i)); | ||
1502 | 424 | printf ("\n"); | ||
1503 | 425 | hash += hash_size; | ||
1504 | 426 | remain -= sig_size; | ||
1505 | 427 | } | ||
1506 | 428 | |||
1507 | 429 | return 0; | ||
1508 | 430 | } | ||
1509 | 431 | |||
1510 | 432 | static int | ||
1511 | 433 | list_keys (uint8_t *data, size_t data_size) | ||
1513 | 434 | { | 157 | { |
1514 | 435 | uint32_t mok_num; | 158 | uint32_t mok_num; |
1515 | 436 | MokListNode *list; | 159 | MokListNode *list; |
1516 | @@ -442,10 +165,11 @@ list_keys (uint8_t *data, size_t data_size) | |||
1517 | 442 | 165 | ||
1518 | 443 | for (unsigned int i = 0; i < mok_num; i++) { | 166 | for (unsigned int i = 0; i < mok_num; i++) { |
1519 | 444 | printf ("[key %d]\n", i+1); | 167 | printf ("[key %d]\n", i+1); |
1522 | 445 | if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) { | 168 | efi_guid_t sigtype = list[i].header->SignatureType; |
1523 | 446 | print_x509 ((char *)list[i].mok, list[i].mok_size); | 169 | if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { |
1524 | 170 | print_x509 (list[i].mok, list[i].mok_size); | ||
1525 | 447 | } else { | 171 | } else { |
1527 | 448 | print_hash_array (&list[i].header->SignatureType, | 172 | print_hash_array (&sigtype, |
1528 | 449 | list[i].mok, list[i].mok_size); | 173 | list[i].mok, list[i].mok_size); |
1529 | 450 | } | 174 | } |
1530 | 451 | if (i < mok_num - 1) | 175 | if (i < mok_num - 1) |
1531 | @@ -457,222 +181,53 @@ list_keys (uint8_t *data, size_t data_size) | |||
1532 | 457 | return 0; | 181 | return 0; |
1533 | 458 | } | 182 | } |
1534 | 459 | 183 | ||
1535 | 460 | /* match the hash in the hash array and return the index if matched */ | ||
1536 | 461 | static int | ||
1537 | 462 | match_hash_array (const efi_guid_t *hash_type, const void *hash, | ||
1538 | 463 | const void *hash_array, const uint32_t array_size) | ||
1539 | 464 | { | ||
1540 | 465 | uint32_t hash_size, hash_count; | ||
1541 | 466 | uint32_t sig_size; | ||
1542 | 467 | void *ptr; | ||
1543 | 468 | |||
1544 | 469 | hash_size = efi_hash_size (hash_type); | ||
1545 | 470 | if (!hash_size) | ||
1546 | 471 | return -1; | ||
1547 | 472 | |||
1548 | 473 | sig_size = hash_size + sizeof(efi_guid_t); | ||
1549 | 474 | if ((array_size % sig_size) != 0) { | ||
1550 | 475 | fprintf (stderr, "invalid hash array size\n"); | ||
1551 | 476 | return -1; | ||
1552 | 477 | } | ||
1553 | 478 | |||
1554 | 479 | ptr = (void *)hash_array; | ||
1555 | 480 | hash_count = array_size / sig_size; | ||
1556 | 481 | for (unsigned int i = 0; i < hash_count; i++) { | ||
1557 | 482 | ptr += sizeof(efi_guid_t); | ||
1558 | 483 | if (memcmp (ptr, hash, hash_size) == 0) | ||
1559 | 484 | return i; | ||
1560 | 485 | ptr += hash_size; | ||
1561 | 486 | } | ||
1562 | 487 | |||
1563 | 488 | return -1; | ||
1564 | 489 | } | ||
1565 | 490 | |||
1566 | 491 | static int | ||
1567 | 492 | delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, | ||
1568 | 493 | const efi_guid_t *type, void *data, uint32_t data_size) | ||
1569 | 494 | { | ||
1570 | 495 | uint8_t *var_data = NULL; | ||
1571 | 496 | size_t var_data_size = 0; | ||
1572 | 497 | uint32_t attributes; | ||
1573 | 498 | MokListNode *list; | ||
1574 | 499 | uint32_t mok_num, total, remain; | ||
1575 | 500 | void *end, *start = NULL; | ||
1576 | 501 | int del_ind, ret = 0; | ||
1577 | 502 | uint32_t sig_list_size, sig_size; | ||
1578 | 503 | |||
1579 | 504 | if (!var_name || !data || data_size == 0) | ||
1580 | 505 | return 0; | ||
1581 | 506 | |||
1582 | 507 | ret = efi_get_variable (*var_guid, var_name, &var_data, &var_data_size, | ||
1583 | 508 | &attributes); | ||
1584 | 509 | if (ret < 0) { | ||
1585 | 510 | if (errno == ENOENT) | ||
1586 | 511 | return 0; | ||
1587 | 512 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", | ||
1588 | 513 | var_name); | ||
1589 | 514 | return -1; | ||
1590 | 515 | } | ||
1591 | 516 | |||
1592 | 517 | total = var_data_size; | ||
1593 | 518 | |||
1594 | 519 | list = build_mok_list (var_data, var_data_size, &mok_num); | ||
1595 | 520 | if (list == NULL) | ||
1596 | 521 | goto done; | ||
1597 | 522 | |||
1598 | 523 | remain = total; | ||
1599 | 524 | for (unsigned int i = 0; i < mok_num; i++) { | ||
1600 | 525 | remain -= list[i].header->SignatureListSize; | ||
1601 | 526 | if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) | ||
1602 | 527 | continue; | ||
1603 | 528 | |||
1604 | 529 | sig_list_size = list[i].header->SignatureListSize; | ||
1605 | 530 | |||
1606 | 531 | if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { | ||
1607 | 532 | if (list[i].mok_size != data_size) | ||
1608 | 533 | continue; | ||
1609 | 534 | |||
1610 | 535 | if (memcmp (list[i].mok, data, data_size) == 0) { | ||
1611 | 536 | /* Remove this key */ | ||
1612 | 537 | start = (void *)list[i].header; | ||
1613 | 538 | end = start + sig_list_size; | ||
1614 | 539 | total -= sig_list_size; | ||
1615 | 540 | break; | ||
1616 | 541 | } | ||
1617 | 542 | } else { | ||
1618 | 543 | del_ind = match_hash_array (type, data, list[i].mok, | ||
1619 | 544 | list[i].mok_size); | ||
1620 | 545 | if (del_ind < 0) | ||
1621 | 546 | continue; | ||
1622 | 547 | |||
1623 | 548 | start = (void *)list[i].header; | ||
1624 | 549 | sig_size = signature_size (type); | ||
1625 | 550 | if (sig_list_size == (sizeof(EFI_SIGNATURE_LIST) + sig_size)) { | ||
1626 | 551 | /* Only one hash in the list */ | ||
1627 | 552 | end = start + sig_list_size; | ||
1628 | 553 | total -= sig_list_size; | ||
1629 | 554 | } else { | ||
1630 | 555 | /* More than one hash in the list */ | ||
1631 | 556 | start += sizeof(EFI_SIGNATURE_LIST) + sig_size * del_ind; | ||
1632 | 557 | end = start + sig_size; | ||
1633 | 558 | total -= sig_size; | ||
1634 | 559 | list[i].header->SignatureListSize -= sig_size; | ||
1635 | 560 | remain += sig_list_size - sizeof(EFI_SIGNATURE_LIST) - | ||
1636 | 561 | (del_ind + 1) * sig_size; | ||
1637 | 562 | } | ||
1638 | 563 | break; | ||
1639 | 564 | } | ||
1640 | 565 | } | ||
1641 | 566 | |||
1642 | 567 | /* the key or hash is not in this list */ | ||
1643 | 568 | if (start == NULL) | ||
1644 | 569 | return 0; | ||
1645 | 570 | |||
1646 | 571 | /* all keys are removed */ | ||
1647 | 572 | if (total == 0) { | ||
1648 | 573 | test_and_delete_var (var_name); | ||
1649 | 574 | |||
1650 | 575 | /* delete the password */ | ||
1651 | 576 | if (strcmp (var_name, "MokNew") == 0) | ||
1652 | 577 | test_and_delete_var ("MokAuth"); | ||
1653 | 578 | else if (strcmp (var_name, "MokXNew") == 0) | ||
1654 | 579 | test_and_delete_var ("MokXAuth"); | ||
1655 | 580 | else if (strcmp (var_name, "MokDel") == 0) | ||
1656 | 581 | test_and_delete_var ("MokDelAuth"); | ||
1657 | 582 | else if (strcmp (var_name, "MokXDel") == 0) | ||
1658 | 583 | test_and_delete_var ("MokXDelAuth"); | ||
1659 | 584 | |||
1660 | 585 | ret = 1; | ||
1661 | 586 | goto done; | ||
1662 | 587 | } | ||
1663 | 588 | |||
1664 | 589 | /* remove the key or hash */ | ||
1665 | 590 | if (remain > 0) | ||
1666 | 591 | memmove (start, end, remain); | ||
1667 | 592 | |||
1668 | 593 | attributes = EFI_VARIABLE_NON_VOLATILE | ||
1669 | 594 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | ||
1670 | 595 | | EFI_VARIABLE_RUNTIME_ACCESS; | ||
1671 | 596 | ret = efi_set_variable (*var_guid, var_name, | ||
1672 | 597 | var_data, total, attributes, | ||
1673 | 598 | S_IRUSR | S_IWUSR); | ||
1674 | 599 | if (ret < 0) { | ||
1675 | 600 | fprintf (stderr, "Failed to write variable \"%s\": %m\n", | ||
1676 | 601 | var_name); | ||
1677 | 602 | goto done; | ||
1678 | 603 | } | ||
1679 | 604 | efi_chmod_variable(*var_guid, var_name, S_IRUSR | S_IWUSR); | ||
1680 | 605 | |||
1681 | 606 | ret = 1; | ||
1682 | 607 | done: | ||
1683 | 608 | if (list) | ||
1684 | 609 | free (list); | ||
1685 | 610 | free (var_data); | ||
1686 | 611 | |||
1687 | 612 | return ret; | ||
1688 | 613 | } | ||
1689 | 614 | |||
1690 | 615 | static int | 184 | static int |
1691 | 616 | list_keys_in_var (const char *var_name, const efi_guid_t guid) | 185 | list_keys_in_var (const char *var_name, const efi_guid_t guid) |
1692 | 617 | { | 186 | { |
1693 | 618 | uint8_t *data = NULL; | 187 | uint8_t *data = NULL; |
1695 | 619 | size_t data_size; | 188 | char varname[] = "implausibly-long-mok-variable-name"; |
1696 | 189 | size_t data_sz, i, varname_sz = sizeof(varname); | ||
1697 | 620 | uint32_t attributes; | 190 | uint32_t attributes; |
1698 | 621 | int ret; | 191 | int ret; |
1699 | 622 | 192 | ||
1709 | 623 | ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); | 193 | ret = mok_get_variable(var_name, &data, &data_sz); |
1710 | 624 | if (ret < 0) { | 194 | if (ret >= 0) { |
1711 | 625 | if (errno == ENOENT) { | 195 | ret = list_keys (data, data_sz); |
1712 | 626 | printf ("%s is empty\n", var_name); | 196 | free(data); |
1713 | 627 | return 0; | 197 | return ret; |
1705 | 628 | } | ||
1706 | 629 | |||
1707 | 630 | fprintf (stderr, "Failed to read %s: %m\n", var_name); | ||
1708 | 631 | return -1; | ||
1714 | 632 | } | 198 | } |
1715 | 633 | 199 | ||
1740 | 634 | ret = list_keys (data, data_size); | 200 | for (i = 0; i < SIZE_MAX; i++) { |
1741 | 635 | free (data); | 201 | if (i == 0) { |
1742 | 636 | 202 | snprintf(varname, varname_sz, "%s", var_name); | |
1743 | 637 | return ret; | 203 | } else { |
1744 | 638 | } | 204 | snprintf(varname, varname_sz, "%s%zu", var_name, i); |
1745 | 639 | 205 | } | |
1722 | 640 | static int | ||
1723 | 641 | read_hidden_line (char **line, size_t *n) | ||
1724 | 642 | { | ||
1725 | 643 | struct termios old, new; | ||
1726 | 644 | int nread; | ||
1727 | 645 | int isTTY = isatty(fileno (stdin)); | ||
1728 | 646 | |||
1729 | 647 | if (isTTY) { | ||
1730 | 648 | /* Turn echoing off and fail if we can't. */ | ||
1731 | 649 | if (tcgetattr (fileno (stdin), &old) != 0) | ||
1732 | 650 | return -1; | ||
1733 | 651 | |||
1734 | 652 | new = old; | ||
1735 | 653 | new.c_lflag &= ~ECHO; | ||
1736 | 654 | |||
1737 | 655 | if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0) | ||
1738 | 656 | return -1; | ||
1739 | 657 | } | ||
1746 | 658 | 206 | ||
1749 | 659 | /* Read the password. */ | 207 | ret = efi_get_variable (guid, varname, &data, &data_sz, |
1750 | 660 | nread = getline (line, n, stdin); | 208 | &attributes); |
1751 | 209 | if (ret < 0) | ||
1752 | 210 | return 0; | ||
1753 | 661 | 211 | ||
1757 | 662 | if (isTTY) { | 212 | ret = list_keys (data, data_sz); |
1758 | 663 | /* Restore terminal. */ | 213 | free(data); |
1759 | 664 | (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old); | 214 | /* |
1760 | 215 | * If ret is < 0, the next one will error as well. | ||
1761 | 216 | * If ret is 0, we need to test the next variable. | ||
1762 | 217 | * If it's 1, that's a real answer. | ||
1763 | 218 | */ | ||
1764 | 219 | if (ret < 0) | ||
1765 | 220 | return 0; | ||
1766 | 221 | if (ret > 0) | ||
1767 | 222 | return ret; | ||
1768 | 665 | } | 223 | } |
1769 | 666 | 224 | ||
1774 | 667 | /* Remove the newline */ | 225 | return 0; |
1771 | 668 | (*line)[nread-1] = '\0'; | ||
1772 | 669 | |||
1773 | 670 | return nread-1; | ||
1775 | 671 | } | 226 | } |
1776 | 672 | 227 | ||
1777 | 673 | static int | 228 | static int |
1778 | 674 | get_password (char **password, unsigned int *len, | 229 | get_password (char **password, unsigned int *len, |
1780 | 675 | unsigned int min, unsigned int max) | 230 | const unsigned int min, const unsigned int max) |
1781 | 676 | { | 231 | { |
1782 | 677 | char *password_1, *password_2; | 232 | char *password_1, *password_2; |
1783 | 678 | unsigned int len_1, len_2; | 233 | unsigned int len_1, len_2; |
1784 | @@ -732,34 +287,8 @@ error: | |||
1785 | 732 | return ret; | 287 | return ret; |
1786 | 733 | } | 288 | } |
1787 | 734 | 289 | ||
1788 | 735 | static int | ||
1789 | 736 | generate_auth (void *new_list, int list_len, char *password, | ||
1790 | 737 | unsigned int pw_len, uint8_t *auth) | ||
1791 | 738 | { | ||
1792 | 739 | efi_char16_t efichar_pass[PASSWORD_MAX+1]; | ||
1793 | 740 | unsigned long efichar_len; | ||
1794 | 741 | SHA256_CTX ctx; | ||
1795 | 742 | |||
1796 | 743 | if (!password || !auth) | ||
1797 | 744 | return -1; | ||
1798 | 745 | |||
1799 | 746 | efichar_len = efichar_from_char (efichar_pass, password, | ||
1800 | 747 | pw_len * sizeof(efi_char16_t)); | ||
1801 | 748 | |||
1802 | 749 | SHA256_Init (&ctx); | ||
1803 | 750 | |||
1804 | 751 | if (new_list) | ||
1805 | 752 | SHA256_Update (&ctx, new_list, list_len); | ||
1806 | 753 | |||
1807 | 754 | SHA256_Update (&ctx, efichar_pass, efichar_len); | ||
1808 | 755 | |||
1809 | 756 | SHA256_Final (auth, &ctx); | ||
1810 | 757 | |||
1811 | 758 | return 0; | ||
1812 | 759 | } | ||
1813 | 760 | |||
1814 | 761 | static void | 290 | static void |
1816 | 762 | generate_salt (char salt[], unsigned int salt_size) | 291 | generate_pw_salt (char salt[], const unsigned int salt_size) |
1817 | 763 | { | 292 | { |
1818 | 764 | struct timeval tv; | 293 | struct timeval tv; |
1819 | 765 | char *rand_str; | 294 | char *rand_str; |
1820 | @@ -780,7 +309,8 @@ generate_salt (char salt[], unsigned int salt_size) | |||
1821 | 780 | } | 309 | } |
1822 | 781 | 310 | ||
1823 | 782 | static int | 311 | static int |
1825 | 783 | generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) | 312 | generate_pw_crypt (pw_crypt_t *pw_crypt, const char *password, |
1826 | 313 | const unsigned int pw_len) | ||
1827 | 784 | { | 314 | { |
1828 | 785 | pw_crypt_t new_crypt; | 315 | pw_crypt_t new_crypt; |
1829 | 786 | char settings[SETTINGS_LEN]; | 316 | char settings[SETTINGS_LEN]; |
1830 | @@ -796,8 +326,8 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) | |||
1831 | 796 | if (!prefix) | 326 | if (!prefix) |
1832 | 797 | return -1; | 327 | return -1; |
1833 | 798 | 328 | ||
1836 | 799 | pw_crypt->salt_size = get_salt_size (pw_crypt->method); | 329 | pw_crypt->salt_size = get_pw_salt_size (pw_crypt->method); |
1837 | 800 | generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); | 330 | generate_pw_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); |
1838 | 801 | 331 | ||
1839 | 802 | memset (settings, 0, sizeof (settings)); | 332 | memset (settings, 0, sizeof (settings)); |
1840 | 803 | next = stpncpy (settings, prefix, settings_len); | 333 | next = stpncpy (settings, prefix, settings_len); |
1841 | @@ -816,7 +346,7 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) | |||
1842 | 816 | if (decode_pass (crypt_string, &new_crypt) < 0) | 346 | if (decode_pass (crypt_string, &new_crypt) < 0) |
1843 | 817 | return -1; | 347 | return -1; |
1844 | 818 | 348 | ||
1846 | 819 | hash_len = get_hash_size (new_crypt.method); | 349 | hash_len = get_pw_hash_size (new_crypt.method); |
1847 | 820 | if (hash_len < 0) | 350 | if (hash_len < 0) |
1848 | 821 | return -1; | 351 | return -1; |
1849 | 822 | memcpy (pw_crypt->hash, new_crypt.hash, hash_len); | 352 | memcpy (pw_crypt->hash, new_crypt.hash, hash_len); |
1850 | @@ -831,7 +361,7 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) | |||
1851 | 831 | } | 361 | } |
1852 | 832 | 362 | ||
1853 | 833 | static int | 363 | static int |
1855 | 834 | get_hash_from_file (const char *file, pw_crypt_t *pw_crypt) | 364 | get_pw_hash_from_file (const char *file, pw_crypt_t *pw_crypt) |
1856 | 835 | { | 365 | { |
1857 | 836 | char string[BUF_SIZE]; | 366 | char string[BUF_SIZE]; |
1858 | 837 | ssize_t read_len = 0; | 367 | ssize_t read_len = 0; |
1859 | @@ -890,14 +420,11 @@ get_password_from_shadow (pw_crypt_t *pw_crypt) | |||
1860 | 890 | } | 420 | } |
1861 | 891 | 421 | ||
1862 | 892 | static int | 422 | static int |
1865 | 893 | update_request (void *new_list, int list_len, MokRequest req, | 423 | update_request (void *new_list, const int list_len, const MokRequest req, |
1866 | 894 | const char *hash_file, const int root_pw) | 424 | const char *pw_hash_file, const int root_pw) |
1867 | 895 | { | 425 | { |
1868 | 896 | uint8_t *data; | ||
1869 | 897 | size_t data_size; | ||
1870 | 898 | const char *req_name, *auth_name; | 426 | const char *req_name, *auth_name; |
1871 | 899 | pw_crypt_t pw_crypt; | 427 | pw_crypt_t pw_crypt; |
1872 | 900 | uint8_t auth[SHA256_DIGEST_LENGTH]; | ||
1873 | 901 | char *password = NULL; | 428 | char *password = NULL; |
1874 | 902 | unsigned int pw_len; | 429 | unsigned int pw_len; |
1875 | 903 | int auth_ret; | 430 | int auth_ret; |
1876 | @@ -930,8 +457,8 @@ update_request (void *new_list, int list_len, MokRequest req, | |||
1877 | 930 | return -1; | 457 | return -1; |
1878 | 931 | } | 458 | } |
1879 | 932 | 459 | ||
1882 | 933 | if (hash_file) { | 460 | if (pw_hash_file) { |
1883 | 934 | if (get_hash_from_file (hash_file, &pw_crypt) < 0) { | 461 | if (get_pw_hash_from_file (pw_hash_file, &pw_crypt) < 0) { |
1884 | 935 | fprintf (stderr, "Failed to read hash\n"); | 462 | fprintf (stderr, "Failed to read hash\n"); |
1885 | 936 | goto error; | 463 | goto error; |
1886 | 937 | } | 464 | } |
1887 | @@ -946,12 +473,7 @@ update_request (void *new_list, int list_len, MokRequest req, | |||
1888 | 946 | goto error; | 473 | goto error; |
1889 | 947 | } | 474 | } |
1890 | 948 | 475 | ||
1897 | 949 | if (!use_simple_hash) { | 476 | auth_ret = generate_pw_crypt (&pw_crypt, password, pw_len); |
1892 | 950 | auth_ret = generate_hash (&pw_crypt, password, pw_len); | ||
1893 | 951 | } else { | ||
1894 | 952 | auth_ret = generate_auth (new_list, list_len, password, | ||
1895 | 953 | pw_len, auth); | ||
1896 | 954 | } | ||
1898 | 955 | if (auth_ret < 0) { | 477 | if (auth_ret < 0) { |
1899 | 956 | fprintf (stderr, "Couldn't generate hash\n"); | 478 | fprintf (stderr, "Couldn't generate hash\n"); |
1900 | 957 | goto error; | 479 | goto error; |
1901 | @@ -960,12 +482,10 @@ update_request (void *new_list, int list_len, MokRequest req, | |||
1902 | 960 | 482 | ||
1903 | 961 | if (new_list) { | 483 | if (new_list) { |
1904 | 962 | /* Write MokNew, MokDel, MokXNew, or MokXDel*/ | 484 | /* Write MokNew, MokDel, MokXNew, or MokXDel*/ |
1911 | 963 | data = new_list; | 485 | ret = efi_set_variable (efi_guid_shim, req_name, |
1912 | 964 | data_size = list_len; | 486 | new_list, list_len, attributes, |
1913 | 965 | 487 | S_IRUSR | S_IWUSR); | |
1914 | 966 | if (efi_set_variable (efi_guid_shim, req_name, | 488 | if (ret < 0) { |
1909 | 967 | data, data_size, attributes, | ||
1910 | 968 | S_IRUSR | S_IWUSR) < 0) { | ||
1915 | 969 | switch (req) { | 489 | switch (req) { |
1916 | 970 | case ENROLL_MOK: | 490 | case ENROLL_MOK: |
1917 | 971 | fprintf (stderr, "Failed to enroll new keys\n"); | 491 | fprintf (stderr, "Failed to enroll new keys\n"); |
1918 | @@ -983,22 +503,16 @@ update_request (void *new_list, int list_len, MokRequest req, | |||
1919 | 983 | goto error; | 503 | goto error; |
1920 | 984 | } | 504 | } |
1921 | 985 | } else { | 505 | } else { |
1923 | 986 | test_and_delete_var (req_name); | 506 | test_and_delete_mok_var (req_name); |
1924 | 987 | } | 507 | } |
1925 | 988 | 508 | ||
1926 | 989 | /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ | 509 | /* Write MokAuth, MokDelAuth, MokXAuth, or MokXDelAuth */ |
1937 | 990 | if (!use_simple_hash) { | 510 | ret = efi_set_variable (efi_guid_shim, auth_name, (void *)&pw_crypt, |
1938 | 991 | data = (void *)&pw_crypt; | 511 | PASSWORD_CRYPT_SIZE, attributes, |
1939 | 992 | data_size = PASSWORD_CRYPT_SIZE; | 512 | S_IRUSR | S_IWUSR); |
1940 | 993 | } else { | 513 | if (ret < 0) { |
1931 | 994 | data = (void *)auth; | ||
1932 | 995 | data_size = SHA256_DIGEST_LENGTH; | ||
1933 | 996 | } | ||
1934 | 997 | |||
1935 | 998 | if (efi_set_variable (efi_guid_shim, auth_name, data, data_size, | ||
1936 | 999 | attributes, S_IRUSR | S_IWUSR) < 0) { | ||
1941 | 1000 | fprintf (stderr, "Failed to write %s\n", auth_name); | 514 | fprintf (stderr, "Failed to write %s\n", auth_name); |
1943 | 1001 | test_and_delete_var (req_name); | 515 | test_and_delete_mok_var (req_name); |
1944 | 1002 | goto error; | 516 | goto error; |
1945 | 1003 | } | 517 | } |
1946 | 1004 | 518 | ||
1947 | @@ -1010,45 +524,15 @@ error: | |||
1948 | 1010 | } | 524 | } |
1949 | 1011 | 525 | ||
1950 | 1012 | static int | 526 | static int |
1976 | 1013 | is_valid_cert (void *cert, uint32_t cert_size) | 527 | is_one_duplicate (const efi_guid_t *type, |
1977 | 1014 | { | 528 | const void *data, const uint32_t data_size, |
1978 | 1015 | X509 *X509cert; | 529 | uint8_t *var_data, size_t var_data_size) |
1954 | 1016 | BIO *cert_bio; | ||
1955 | 1017 | |||
1956 | 1018 | cert_bio = BIO_new (BIO_s_mem ()); | ||
1957 | 1019 | BIO_write (cert_bio, cert, cert_size); | ||
1958 | 1020 | if (cert_bio == NULL) { | ||
1959 | 1021 | return 0; | ||
1960 | 1022 | } | ||
1961 | 1023 | |||
1962 | 1024 | X509cert = d2i_X509_bio (cert_bio, NULL); | ||
1963 | 1025 | if (X509cert == NULL) { | ||
1964 | 1026 | BIO_free (cert_bio); | ||
1965 | 1027 | return 0; | ||
1966 | 1028 | } | ||
1967 | 1029 | |||
1968 | 1030 | BIO_free (cert_bio); | ||
1969 | 1031 | |||
1970 | 1032 | return 1; | ||
1971 | 1033 | } | ||
1972 | 1034 | |||
1973 | 1035 | static int | ||
1974 | 1036 | is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, | ||
1975 | 1037 | const efi_guid_t *vendor, const char *db_name) | ||
1979 | 1038 | { | 530 | { |
1980 | 1039 | uint8_t *var_data; | ||
1981 | 1040 | size_t var_data_size; | ||
1982 | 1041 | uint32_t attributes; | ||
1983 | 1042 | uint32_t node_num; | 531 | uint32_t node_num; |
1984 | 1043 | MokListNode *list; | 532 | MokListNode *list; |
1985 | 1044 | int ret = 0; | 533 | int ret = 0; |
1986 | 1045 | 534 | ||
1993 | 1046 | if (!data || data_size == 0 || !db_name) | 535 | if (!data || data_size == 0) |
1988 | 1047 | return 0; | ||
1989 | 1048 | |||
1990 | 1049 | ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, | ||
1991 | 1050 | &attributes); | ||
1992 | 1051 | if (ret < 0) | ||
1994 | 1052 | return 0; | 536 | return 0; |
1995 | 1053 | 537 | ||
1996 | 1054 | list = build_mok_list (var_data, var_data_size, &node_num); | 538 | list = build_mok_list (var_data, var_data_size, &node_num); |
1997 | @@ -1057,7 +541,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size | |||
1998 | 1057 | } | 541 | } |
1999 | 1058 | 542 | ||
2000 | 1059 | for (unsigned int i = 0; i < node_num; i++) { | 543 | for (unsigned int i = 0; i < node_num; i++) { |
2002 | 1060 | if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) | 544 | efi_guid_t sigtype = list[i].header->SignatureType; |
2003 | 545 | if (efi_guid_cmp (&sigtype, type) != 0) | ||
2004 | 1061 | continue; | 546 | continue; |
2005 | 1062 | 547 | ||
2006 | 1063 | if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { | 548 | if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { |
2007 | @@ -1080,24 +565,84 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size | |||
2008 | 1080 | done: | 565 | done: |
2009 | 1081 | if (list) | 566 | if (list) |
2010 | 1082 | free (list); | 567 | free (list); |
2011 | 1083 | free (var_data); | ||
2012 | 1084 | 568 | ||
2013 | 1085 | return ret; | 569 | return ret; |
2014 | 1086 | } | 570 | } |
2015 | 1087 | 571 | ||
2016 | 1088 | static int | 572 | static int |
2019 | 1089 | is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, | 573 | is_duplicate (const efi_guid_t *type, |
2020 | 1090 | MokRequest req) | 574 | const void *data, const uint32_t data_size, |
2021 | 575 | const efi_guid_t *vendor, const char *db_name) | ||
2022 | 576 | { | ||
2023 | 577 | uint32_t attributes; | ||
2024 | 578 | char varname[] = "implausibly-long-mok-variable-name"; | ||
2025 | 579 | size_t varname_sz = sizeof(varname); | ||
2026 | 580 | int ret = 0; | ||
2027 | 581 | size_t i; | ||
2028 | 582 | |||
2029 | 583 | if (!strncmp(db_name, "Mok", 3)) { | ||
2030 | 584 | uint8_t *var_data = NULL; | ||
2031 | 585 | size_t var_data_size = 0; | ||
2032 | 586 | ret = mok_get_variable(db_name, &var_data, &var_data_size); | ||
2033 | 587 | if (ret >= 0) { | ||
2034 | 588 | ret = is_one_duplicate(type, data, data_size, | ||
2035 | 589 | var_data, var_data_size); | ||
2036 | 590 | if (ret >= 0) { | ||
2037 | 591 | free (var_data); | ||
2038 | 592 | return ret; | ||
2039 | 593 | } | ||
2040 | 594 | var_data = NULL; | ||
2041 | 595 | var_data_size = 0; | ||
2042 | 596 | } | ||
2043 | 597 | } | ||
2044 | 598 | |||
2045 | 599 | for (i = 0; i < SIZE_MAX; i++) { | ||
2046 | 600 | uint8_t *var_data = NULL; | ||
2047 | 601 | size_t var_data_size = 0; | ||
2048 | 602 | if (i == 0) { | ||
2049 | 603 | snprintf(varname, varname_sz, "%s", db_name); | ||
2050 | 604 | } else { | ||
2051 | 605 | snprintf(varname, varname_sz, "%s%zu", db_name, i); | ||
2052 | 606 | } | ||
2053 | 607 | |||
2054 | 608 | ret = efi_get_variable (*vendor, varname, | ||
2055 | 609 | &var_data, &var_data_size, | ||
2056 | 610 | &attributes); | ||
2057 | 611 | if (ret < 0) | ||
2058 | 612 | return 0; | ||
2059 | 613 | |||
2060 | 614 | ret = is_one_duplicate(type, data, data_size, | ||
2061 | 615 | var_data, var_data_size); | ||
2062 | 616 | free (var_data); | ||
2063 | 617 | /* | ||
2064 | 618 | * If ret is < 0, the next one will error as well. | ||
2065 | 619 | * If ret is 0, we need to test the next variable. | ||
2066 | 620 | * If it's 1, that's a real answer. | ||
2067 | 621 | */ | ||
2068 | 622 | if (ret < 0) | ||
2069 | 623 | return 0; | ||
2070 | 624 | if (ret > 0) | ||
2071 | 625 | return ret; | ||
2072 | 626 | } | ||
2073 | 627 | |||
2074 | 628 | return 0; | ||
2075 | 629 | } | ||
2076 | 630 | |||
2077 | 631 | static int | ||
2078 | 632 | is_valid_request (const efi_guid_t *type, const void *mok, | ||
2079 | 633 | const uint32_t mok_size, const MokRequest req) | ||
2080 | 1091 | { | 634 | { |
2081 | 1092 | switch (req) { | 635 | switch (req) { |
2082 | 1093 | case ENROLL_MOK: | 636 | case ENROLL_MOK: |
2086 | 1094 | if (is_duplicate (type, mok, mok_size, &efi_guid_global, "PK") || | 637 | if (is_duplicate (type, mok, mok_size, &efi_guid_security, "db") || |
2084 | 1095 | is_duplicate (type, mok, mok_size, &efi_guid_global, "KEK") || | ||
2085 | 1096 | is_duplicate (type, mok, mok_size, &efi_guid_security, "db") || | ||
2087 | 1097 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListRT") || | 638 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListRT") || |
2088 | 1098 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokNew")) { | 639 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokNew")) { |
2089 | 1099 | return 0; | 640 | return 0; |
2090 | 1100 | } | 641 | } |
2091 | 642 | /* Also check the blocklists */ | ||
2092 | 643 | if (is_duplicate (type, mok, mok_size, &efi_guid_security, "dbx") || | ||
2093 | 644 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListXRT")) | ||
2094 | 645 | return 0; | ||
2095 | 1101 | break; | 646 | break; |
2096 | 1102 | case DELETE_MOK: | 647 | case DELETE_MOK: |
2097 | 1103 | if (!is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListRT") || | 648 | if (!is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListRT") || |
2098 | @@ -1111,111 +656,181 @@ is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, | |||
2099 | 1111 | return 0; | 656 | return 0; |
2100 | 1112 | } | 657 | } |
2101 | 1113 | break; | 658 | break; |
2107 | 1114 | case DELETE_BLACKLIST: | 659 | case DELETE_BLACKLIST: |
2108 | 1115 | if (!is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListXRT") || | 660 | if (!is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokListXRT") || |
2109 | 1116 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokXDel")) { | 661 | is_duplicate (type, mok, mok_size, &efi_guid_shim, "MokXDel")) { |
2110 | 1117 | return 0; | 662 | return 0; |
2111 | 1118 | } | 663 | } |
2112 | 664 | break; | ||
2113 | 665 | } | ||
2114 | 666 | |||
2115 | 667 | return 1; | ||
2116 | 668 | } | ||
2117 | 669 | |||
2118 | 670 | static int | ||
2119 | 671 | is_ca_in_db (const void *cert, const uint32_t cert_size, | ||
2120 | 672 | const efi_guid_t *vendor, const char *db_name) | ||
2121 | 673 | { | ||
2122 | 674 | uint8_t *var_data = NULL; | ||
2123 | 675 | size_t var_data_size; | ||
2124 | 676 | uint32_t attributes; | ||
2125 | 677 | uint32_t node_num; | ||
2126 | 678 | MokListNode *list; | ||
2127 | 679 | int ret = 0; | ||
2128 | 680 | |||
2129 | 681 | if (!cert || cert_size == 0 || !vendor || !db_name) | ||
2130 | 682 | return 0; | ||
2131 | 683 | |||
2132 | 684 | ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, | ||
2133 | 685 | &attributes); | ||
2134 | 686 | if (ret < 0) | ||
2135 | 687 | return 0; | ||
2136 | 688 | |||
2137 | 689 | list = build_mok_list (var_data, var_data_size, &node_num); | ||
2138 | 690 | if (list == NULL) { | ||
2139 | 691 | goto done; | ||
2140 | 692 | } | ||
2141 | 693 | |||
2142 | 694 | for (unsigned int i = 0; i < node_num; i++) { | ||
2143 | 695 | efi_guid_t sigtype = list[i].header->SignatureType; | ||
2144 | 696 | if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) | ||
2145 | 697 | continue; | ||
2146 | 698 | |||
2147 | 699 | if (is_immediate_ca (cert, cert_size, list[i].mok, | ||
2148 | 700 | list[i].mok_size)) { | ||
2149 | 701 | ret = 1; | ||
2150 | 702 | break; | ||
2151 | 703 | } | ||
2152 | 704 | } | ||
2153 | 705 | |||
2154 | 706 | done: | ||
2155 | 707 | if (list) | ||
2156 | 708 | free (list); | ||
2157 | 709 | free (var_data); | ||
2158 | 710 | |||
2159 | 711 | return ret; | ||
2160 | 712 | } | ||
2161 | 713 | |||
2162 | 714 | /* Check whether the CA cert is already enrolled */ | ||
2163 | 715 | static int | ||
2164 | 716 | is_ca_enrolled (const void *mok, const uint32_t mok_size, const MokRequest req) | ||
2165 | 717 | { | ||
2166 | 718 | switch (req) { | ||
2167 | 719 | case ENROLL_MOK: | ||
2168 | 720 | if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListRT")) | ||
2169 | 721 | return 1; | ||
2170 | 722 | break; | ||
2171 | 723 | case ENROLL_BLACKLIST: | ||
2172 | 724 | if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListXRT")) | ||
2173 | 725 | return 1; | ||
2174 | 1119 | break; | 726 | break; |
2175 | 727 | default: | ||
2176 | 728 | return 0; | ||
2177 | 1120 | } | 729 | } |
2178 | 1121 | 730 | ||
2180 | 1122 | return 1; | 731 | return 0; |
2181 | 1123 | } | 732 | } |
2182 | 1124 | 733 | ||
2183 | 734 | /* Check whether the CA cert is blocked */ | ||
2184 | 1125 | static int | 735 | static int |
2187 | 1126 | in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size, | 736 | is_ca_blocked (const void *mok, const uint32_t mok_size, const MokRequest req) |
2186 | 1127 | MokRequest req) | ||
2188 | 1128 | { | 737 | { |
2208 | 1129 | uint8_t *authvar_data; | 738 | switch (req) { |
2209 | 1130 | size_t authvar_data_size; | 739 | case ENROLL_MOK: |
2210 | 1131 | uint32_t attributes; | 740 | if (is_ca_in_db (mok, mok_size, &efi_guid_security, "dbx") || |
2211 | 1132 | int ret; | 741 | is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListXRT")) |
2212 | 1133 | 742 | return 1; | |
2213 | 1134 | const char *authvar_names[] = { | 743 | break; |
2214 | 1135 | [DELETE_MOK] = "MokDelAuth", | 744 | default: |
2196 | 1136 | [ENROLL_MOK] = "MokAuth", | ||
2197 | 1137 | [DELETE_BLACKLIST] = "MokXDelAuth", | ||
2198 | 1138 | [ENROLL_BLACKLIST] = "MokXAuth" | ||
2199 | 1139 | }; | ||
2200 | 1140 | const char *var_names[] = { | ||
2201 | 1141 | [DELETE_MOK] = "MokDel", | ||
2202 | 1142 | [ENROLL_MOK] = "Mok", | ||
2203 | 1143 | [DELETE_BLACKLIST] = "MokXDel", | ||
2204 | 1144 | [ENROLL_BLACKLIST] = "MokX" | ||
2205 | 1145 | }; | ||
2206 | 1146 | |||
2207 | 1147 | if (!data || data_size == 0) | ||
2215 | 1148 | return 0; | 745 | return 0; |
2216 | 746 | } | ||
2217 | 1149 | 747 | ||
2221 | 1150 | if (efi_get_variable (efi_guid_shim, authvar_names[req], &authvar_data, | 748 | return 0; |
2222 | 1151 | &authvar_data_size, &attributes) < 0) | 749 | } |
2223 | 1152 | return 0; | 750 | |
2224 | 751 | /* Check whether the key is already in the kernel trusted keyring */ | ||
2225 | 752 | static int | ||
2226 | 753 | is_in_trusted_keyring (const void *cert, const uint32_t cert_size) | ||
2227 | 754 | { | ||
2228 | 755 | char *skid = NULL; | ||
2229 | 756 | int ret; | ||
2230 | 1153 | 757 | ||
2234 | 1154 | free (authvar_data); | 758 | if (get_cert_skid (cert, cert_size, &skid) < 0) |
2232 | 1155 | /* Check if the password hash is in the old format */ | ||
2233 | 1156 | if (authvar_data_size == SHA256_DIGEST_LENGTH) | ||
2235 | 1157 | return 0; | 759 | return 0; |
2236 | 1158 | 760 | ||
2239 | 1159 | ret = delete_data_from_list (&efi_guid_shim, var_names[req], | 761 | ret = match_skid_in_trusted_keyring (skid); |
2238 | 1160 | type, data, data_size); | ||
2240 | 1161 | if (ret < 0) | 762 | if (ret < 0) |
2242 | 1162 | return -1; | 763 | ret = 0; |
2243 | 764 | |||
2244 | 765 | free (skid); | ||
2245 | 1163 | 766 | ||
2246 | 1164 | return ret; | 767 | return ret; |
2247 | 1165 | } | 768 | } |
2248 | 1166 | 769 | ||
2249 | 770 | static int | ||
2250 | 771 | in_reverse_pending_request (const efi_guid_t *type, const void *data, | ||
2251 | 772 | uint32_t data_size, const MokRequest req) | ||
2252 | 773 | { | ||
2253 | 774 | MokRequest reverse_req = get_reverse_req (req); | ||
2254 | 775 | |||
2255 | 776 | if (!data || data_size == 0) | ||
2256 | 777 | return 0; | ||
2257 | 778 | |||
2258 | 779 | return delete_data_from_req_var (reverse_req, type, data, data_size); | ||
2259 | 780 | } | ||
2260 | 781 | |||
2261 | 1167 | static void | 782 | static void |
2264 | 1168 | print_skip_message (const char *filename, void *mok, uint32_t mok_size, | 783 | print_skip_message (const char *filename, const void *mok, |
2265 | 1169 | MokRequest req) | 784 | const uint32_t mok_size, const MokRequest req) |
2266 | 1170 | { | 785 | { |
2267 | 1171 | switch (req) { | 786 | switch (req) { |
2268 | 1172 | case ENROLL_MOK: | 787 | case ENROLL_MOK: |
2269 | 1173 | if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 788 | if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2278 | 1174 | &efi_guid_global, "PK")) | 789 | &efi_guid_security, "db")) |
2279 | 1175 | printf ("SKIP: %s is already in PK\n", filename); | 790 | printf ("%s is already in db\n", filename); |
2272 | 1176 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | ||
2273 | 1177 | &efi_guid_global, "KEK")) | ||
2274 | 1178 | printf ("SKIP: %s is already in KEK\n", filename); | ||
2275 | 1179 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | ||
2276 | 1180 | &efi_guid_security, "db")) | ||
2277 | 1181 | printf ("SKIP: %s is already in db\n", filename); | ||
2280 | 1182 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 791 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2281 | 1183 | &efi_guid_shim, "MokListRT")) | 792 | &efi_guid_shim, "MokListRT")) |
2283 | 1184 | printf ("SKIP: %s is already enrolled\n", filename); | 793 | printf ("%s is already enrolled\n", filename); |
2284 | 1185 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 794 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2285 | 1186 | &efi_guid_shim, "MokNew")) | 795 | &efi_guid_shim, "MokNew")) |
2287 | 1187 | printf ("SKIP: %s is already in the enrollement request\n", filename); | 796 | printf ("%s is already in the enrollment request\n", filename); |
2288 | 797 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | ||
2289 | 798 | &efi_guid_security, "dbx")) | ||
2290 | 799 | printf ("%s is blocked in dbx\n", filename); | ||
2291 | 800 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | ||
2292 | 801 | &efi_guid_shim, "MokListXRT")) | ||
2293 | 802 | printf ("%s is blocked in MokListXRT\n", filename); | ||
2294 | 1188 | break; | 803 | break; |
2295 | 1189 | case DELETE_MOK: | 804 | case DELETE_MOK: |
2296 | 1190 | if (!is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 805 | if (!is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2297 | 1191 | &efi_guid_shim, "MokListRT")) | 806 | &efi_guid_shim, "MokListRT")) |
2299 | 1192 | printf ("SKIP: %s is not in MokList\n", filename); | 807 | printf ("%s is not in MokList\n", filename); |
2300 | 1193 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 808 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2301 | 1194 | &efi_guid_shim, "MokDel")) | 809 | &efi_guid_shim, "MokDel")) |
2303 | 1195 | printf ("SKIP: %s is already in the deletion request\n", filename); | 810 | printf ("%s is already in the deletion request\n", filename); |
2304 | 1196 | break; | 811 | break; |
2305 | 1197 | case ENROLL_BLACKLIST: | 812 | case ENROLL_BLACKLIST: |
2306 | 1198 | if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 813 | if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2307 | 1199 | &efi_guid_shim, "MokListXRT")) | 814 | &efi_guid_shim, "MokListXRT")) |
2309 | 1200 | printf ("SKIP: %s is already in MokListX\n", filename); | 815 | printf ("%s is already in MokListX\n", filename); |
2310 | 1201 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 816 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2311 | 1202 | &efi_guid_shim, "MokXNew")) | 817 | &efi_guid_shim, "MokXNew")) |
2313 | 1203 | printf ("SKIP: %s is already in the MokX enrollment request\n", filename); | 818 | printf ("%s is already in the MokX enrollment request\n", filename); |
2314 | 1204 | break; | 819 | break; |
2315 | 1205 | case DELETE_BLACKLIST: | 820 | case DELETE_BLACKLIST: |
2316 | 1206 | if (!is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 821 | if (!is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2317 | 1207 | &efi_guid_shim, "MokListXRT")) | 822 | &efi_guid_shim, "MokListXRT")) |
2319 | 1208 | printf ("SKIP: %s is not in MokListX\n", filename); | 823 | printf ("%s is not in MokListX\n", filename); |
2320 | 1209 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, | 824 | else if (is_duplicate (&efi_guid_x509_cert, mok, mok_size, |
2321 | 1210 | &efi_guid_shim, "MokXDel")) | 825 | &efi_guid_shim, "MokXDel")) |
2323 | 1211 | printf ("SKIP: %s is already in the MokX deletion request\n", filename); | 826 | printf ("%s is already in the MokX deletion request\n", filename); |
2324 | 1212 | break; | 827 | break; |
2325 | 1213 | } | 828 | } |
2326 | 1214 | } | 829 | } |
2327 | 1215 | 830 | ||
2328 | 1216 | static int | 831 | static int |
2331 | 1217 | issue_mok_request (char **files, uint32_t total, MokRequest req, | 832 | issue_mok_request (char **files, const uint32_t total, const MokRequest req, |
2332 | 1218 | const char *hash_file, const int root_pw) | 833 | const char *pw_hash_file, const int root_pw) |
2333 | 1219 | { | 834 | { |
2334 | 1220 | uint8_t *old_req_data = NULL; | 835 | uint8_t *old_req_data = NULL; |
2335 | 1221 | size_t old_req_data_size = 0; | 836 | size_t old_req_data_size = 0; |
2336 | @@ -1231,18 +846,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, | |||
2337 | 1231 | int ret = -1; | 846 | int ret = -1; |
2338 | 1232 | EFI_SIGNATURE_LIST *CertList; | 847 | EFI_SIGNATURE_LIST *CertList; |
2339 | 1233 | EFI_SIGNATURE_DATA *CertData; | 848 | EFI_SIGNATURE_DATA *CertData; |
2352 | 1234 | const char *req_names[] = { | 849 | const char *var_name = get_req_var_name (req); |
2341 | 1235 | [DELETE_MOK] = "MokDel", | ||
2342 | 1236 | [ENROLL_MOK] = "MokNew", | ||
2343 | 1237 | [DELETE_BLACKLIST] = "MokXDel", | ||
2344 | 1238 | [ENROLL_BLACKLIST] = "MokXNew" | ||
2345 | 1239 | }; | ||
2346 | 1240 | const char *reverse_req_names[] = { | ||
2347 | 1241 | [DELETE_MOK] = "MokNew", | ||
2348 | 1242 | [ENROLL_MOK] = "MokDel", | ||
2349 | 1243 | [DELETE_BLACKLIST] = "MokXNew", | ||
2350 | 1244 | [ENROLL_BLACKLIST] = "MokXDel" | ||
2351 | 1245 | }; | ||
2353 | 1246 | 850 | ||
2354 | 1247 | if (!files) | 851 | if (!files) |
2355 | 1248 | return -1; | 852 | return -1; |
2356 | @@ -1268,12 +872,12 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, | |||
2357 | 1268 | list_size += sizeof(EFI_SIGNATURE_LIST) * total; | 872 | list_size += sizeof(EFI_SIGNATURE_LIST) * total; |
2358 | 1269 | list_size += sizeof(efi_guid_t) * total; | 873 | list_size += sizeof(efi_guid_t) * total; |
2359 | 1270 | 874 | ||
2361 | 1271 | ret = efi_get_variable (efi_guid_shim, req_names[req], &old_req_data, | 875 | ret = efi_get_variable (efi_guid_shim, var_name, &old_req_data, |
2362 | 1272 | &old_req_data_size, &attributes); | 876 | &old_req_data_size, &attributes); |
2363 | 1273 | if (ret < 0) { | 877 | if (ret < 0) { |
2364 | 1274 | if (errno != ENOENT) { | 878 | if (errno != ENOENT) { |
2365 | 1275 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", | 879 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", |
2367 | 1276 | req_names[req]); | 880 | var_name); |
2368 | 1277 | goto error; | 881 | goto error; |
2369 | 1278 | } | 882 | } |
2370 | 1279 | } else { | 883 | } else { |
2371 | @@ -1284,7 +888,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, | |||
2372 | 1284 | new_list = malloc (list_size); | 888 | new_list = malloc (list_size); |
2373 | 1285 | if (!new_list) { | 889 | if (!new_list) { |
2374 | 1286 | fprintf (stderr, "Failed to allocate space for %s\n", | 890 | fprintf (stderr, "Failed to allocate space for %s\n", |
2376 | 1287 | req_names[req]); | 891 | var_name); |
2377 | 1288 | goto error; | 892 | goto error; |
2378 | 1289 | } | 893 | } |
2379 | 1290 | ptr = new_list; | 894 | ptr = new_list; |
2380 | @@ -1313,23 +917,53 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, | |||
2381 | 1313 | read_size = read (fd, ptr, sizes[i]); | 917 | read_size = read (fd, ptr, sizes[i]); |
2382 | 1314 | if (read_size < 0 || read_size != (int64_t)sizes[i]) { | 918 | if (read_size < 0 || read_size != (int64_t)sizes[i]) { |
2383 | 1315 | fprintf (stderr, "Failed to read %s\n", files[i]); | 919 | fprintf (stderr, "Failed to read %s\n", files[i]); |
2384 | 920 | close (fd); | ||
2385 | 1316 | goto error; | 921 | goto error; |
2386 | 1317 | } | 922 | } |
2388 | 1318 | if (!is_valid_cert (ptr, read_size)) { | 923 | |
2389 | 924 | const void *mok = ptr; | ||
2390 | 925 | const uint32_t mok_size = sizes[i]; | ||
2391 | 926 | |||
2392 | 927 | if (!is_valid_cert (mok, mok_size)) { | ||
2393 | 1319 | fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n", | 928 | fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n", |
2394 | 1320 | files[i]); | 929 | files[i]); |
2395 | 930 | close (fd); | ||
2396 | 1321 | goto error; | 931 | goto error; |
2397 | 1322 | } | 932 | } |
2398 | 1323 | 933 | ||
2403 | 1324 | if (is_valid_request (&efi_guid_x509_cert, ptr, sizes[i], req)) { | 934 | /* Check whether the key is already in the trusted keyring */ |
2404 | 1325 | ptr += sizes[i]; | 935 | if (req == ENROLL_MOK && check_keyring && |
2405 | 1326 | real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); | 936 | is_in_trusted_keyring (mok, mok_size)) { |
2406 | 1327 | } else if (in_pending_request (&efi_guid_x509_cert, ptr, sizes[i], req)) { | 937 | printf ("Already in kernel trusted keyring. Skip %s\n", |
2407 | 938 | files[i]); | ||
2408 | 939 | close (fd); | ||
2409 | 940 | continue; | ||
2410 | 941 | } | ||
2411 | 942 | |||
2412 | 943 | /* Check whether CA is already enrolled */ | ||
2413 | 944 | if (force_ca_check && is_ca_enrolled (mok, mok_size, req)) { | ||
2414 | 945 | printf ("CA enrolled. Skip %s\n", files[i]); | ||
2415 | 946 | close (fd); | ||
2416 | 947 | continue; | ||
2417 | 948 | } | ||
2418 | 949 | |||
2419 | 950 | /* Check whether CA is blocked */ | ||
2420 | 951 | if (force_ca_check && is_ca_blocked (mok, mok_size, req)) { | ||
2421 | 952 | printf ("CA blocked. Skip %s\n", files[i]); | ||
2422 | 953 | close (fd); | ||
2423 | 954 | continue; | ||
2424 | 955 | } | ||
2425 | 956 | |||
2426 | 957 | if (is_valid_request (&efi_guid_x509_cert, mok, mok_size, req)) { | ||
2427 | 958 | ptr += mok_size; | ||
2428 | 959 | real_size += mok_size + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); | ||
2429 | 960 | } else if (in_reverse_pending_request (&efi_guid_x509_cert, mok, mok_size, req)) { | ||
2430 | 1328 | printf ("Removed %s from %s\n", files[i], | 961 | printf ("Removed %s from %s\n", files[i], |
2432 | 1329 | reverse_req_names[req]); | 962 | get_reverse_req_var_name (req)); |
2433 | 1330 | ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); | 963 | ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); |
2434 | 1331 | } else { | 964 | } else { |
2436 | 1332 | print_skip_message (files[i], ptr, sizes[i], req); | 965 | printf ("SKIP: "); |
2437 | 966 | print_skip_message (files[i], mok, mok_size, req); | ||
2438 | 1333 | ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); | 967 | ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); |
2439 | 1334 | } | 968 | } |
2440 | 1335 | 969 | ||
2441 | @@ -1348,7 +982,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, | |||
2442 | 1348 | real_size += old_req_data_size; | 982 | real_size += old_req_data_size; |
2443 | 1349 | } | 983 | } |
2444 | 1350 | 984 | ||
2446 | 1351 | if (update_request (new_list, real_size, req, hash_file, root_pw) < 0) { | 985 | if (update_request (new_list, real_size, req, pw_hash_file, root_pw) < 0) { |
2447 | 1352 | goto error; | 986 | goto error; |
2448 | 1353 | } | 987 | } |
2449 | 1354 | 988 | ||
2450 | @@ -1365,50 +999,7 @@ error: | |||
2451 | 1365 | } | 999 | } |
2452 | 1366 | 1000 | ||
2453 | 1367 | static int | 1001 | static int |
2498 | 1368 | identify_hash_type (const char *hash_str, efi_guid_t *type) | 1002 | hex_str_to_binary (const char *hex_str, uint8_t *array, const unsigned int len) |
2455 | 1369 | { | ||
2456 | 1370 | unsigned int len = strlen (hash_str); | ||
2457 | 1371 | int hash_size; | ||
2458 | 1372 | |||
2459 | 1373 | for (unsigned int i = 0; i < len; i++) { | ||
2460 | 1374 | if ((hash_str[i] > '9' || hash_str[i] < '0') && | ||
2461 | 1375 | (hash_str[i] > 'f' || hash_str[i] < 'a') && | ||
2462 | 1376 | (hash_str[i] > 'F' || hash_str[i] < 'A')) | ||
2463 | 1377 | return -1; | ||
2464 | 1378 | } | ||
2465 | 1379 | |||
2466 | 1380 | switch (len) { | ||
2467 | 1381 | #if 0 | ||
2468 | 1382 | case SHA_DIGEST_LENGTH*2: | ||
2469 | 1383 | *type = efi_guid_sha1; | ||
2470 | 1384 | hash_size = SHA_DIGEST_LENGTH; | ||
2471 | 1385 | break; | ||
2472 | 1386 | #endif | ||
2473 | 1387 | case SHA224_DIGEST_LENGTH*2: | ||
2474 | 1388 | *type = efi_guid_sha224; | ||
2475 | 1389 | hash_size = SHA224_DIGEST_LENGTH; | ||
2476 | 1390 | break; | ||
2477 | 1391 | case SHA256_DIGEST_LENGTH*2: | ||
2478 | 1392 | *type = efi_guid_sha256; | ||
2479 | 1393 | hash_size = SHA256_DIGEST_LENGTH; | ||
2480 | 1394 | break; | ||
2481 | 1395 | case SHA384_DIGEST_LENGTH*2: | ||
2482 | 1396 | *type = efi_guid_sha384; | ||
2483 | 1397 | hash_size = SHA384_DIGEST_LENGTH; | ||
2484 | 1398 | break; | ||
2485 | 1399 | case SHA512_DIGEST_LENGTH*2: | ||
2486 | 1400 | *type = efi_guid_sha512; | ||
2487 | 1401 | hash_size = SHA512_DIGEST_LENGTH; | ||
2488 | 1402 | break; | ||
2489 | 1403 | default: | ||
2490 | 1404 | return -1; | ||
2491 | 1405 | } | ||
2492 | 1406 | |||
2493 | 1407 | return hash_size; | ||
2494 | 1408 | } | ||
2495 | 1409 | |||
2496 | 1410 | static int | ||
2497 | 1411 | hex_str_to_binary (const char *hex_str, uint8_t *array, unsigned int len) | ||
2499 | 1412 | { | 1003 | { |
2500 | 1413 | char *pos; | 1004 | char *pos; |
2501 | 1414 | 1005 | ||
2502 | @@ -1425,14 +1016,12 @@ hex_str_to_binary (const char *hex_str, uint8_t *array, unsigned int len) | |||
2503 | 1425 | } | 1016 | } |
2504 | 1426 | 1017 | ||
2505 | 1427 | static int | 1018 | static int |
2508 | 1428 | issue_hash_request (const char *hash_str, MokRequest req, | 1019 | issue_hash_request (const char *hash_str, const MokRequest req, |
2509 | 1429 | const char *hash_file, const int root_pw) | 1020 | const char *pw_hash_file, const int root_pw) |
2510 | 1430 | { | 1021 | { |
2511 | 1431 | uint8_t *old_req_data = NULL; | 1022 | uint8_t *old_req_data = NULL; |
2512 | 1432 | size_t old_req_data_size = 0; | 1023 | size_t old_req_data_size = 0; |
2513 | 1433 | uint32_t attributes; | 1024 | uint32_t attributes; |
2514 | 1434 | const char *req_name; | ||
2515 | 1435 | const char *reverse_req; | ||
2516 | 1436 | void *new_list = NULL; | 1025 | void *new_list = NULL; |
2517 | 1437 | void *ptr; | 1026 | void *ptr; |
2518 | 1438 | unsigned long list_size = 0; | 1027 | unsigned long list_size = 0; |
2519 | @@ -1444,9 +1033,9 @@ issue_hash_request (const char *hash_str, MokRequest req, | |||
2520 | 1444 | uint8_t db_hash[SHA512_DIGEST_LENGTH]; | 1033 | uint8_t db_hash[SHA512_DIGEST_LENGTH]; |
2521 | 1445 | int hash_size; | 1034 | int hash_size; |
2522 | 1446 | int merge_ind = -1; | 1035 | int merge_ind = -1; |
2523 | 1447 | uint8_t valid = 0; | ||
2524 | 1448 | MokListNode *mok_list = NULL; | 1036 | MokListNode *mok_list = NULL; |
2525 | 1449 | uint32_t mok_num; | 1037 | uint32_t mok_num; |
2526 | 1038 | const char *var_name = get_req_var_name (req); | ||
2527 | 1450 | 1039 | ||
2528 | 1451 | if (!hash_str) | 1040 | if (!hash_str) |
2529 | 1452 | return -1; | 1041 | return -1; |
2530 | @@ -1458,48 +1047,24 @@ issue_hash_request (const char *hash_str, MokRequest req, | |||
2531 | 1458 | if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0) | 1047 | if (hex_str_to_binary (hash_str, db_hash, hash_size) < 0) |
2532 | 1459 | return -1; | 1048 | return -1; |
2533 | 1460 | 1049 | ||
2560 | 1461 | switch (req) { | 1050 | if (is_valid_request (&hash_type, db_hash, hash_size, req) == 0) { |
2535 | 1462 | case ENROLL_MOK: | ||
2536 | 1463 | req_name = "MokNew"; | ||
2537 | 1464 | reverse_req = "MokDel"; | ||
2538 | 1465 | break; | ||
2539 | 1466 | case DELETE_MOK: | ||
2540 | 1467 | req_name = "MokDel"; | ||
2541 | 1468 | reverse_req = "MokNew"; | ||
2542 | 1469 | break; | ||
2543 | 1470 | case ENROLL_BLACKLIST: | ||
2544 | 1471 | req_name = "MokXNew"; | ||
2545 | 1472 | reverse_req = "MokXDel"; | ||
2546 | 1473 | break; | ||
2547 | 1474 | case DELETE_BLACKLIST: | ||
2548 | 1475 | req_name = "MokXDel"; | ||
2549 | 1476 | reverse_req = "MokXNew"; | ||
2550 | 1477 | break; | ||
2551 | 1478 | default: | ||
2552 | 1479 | return -1; | ||
2553 | 1480 | } | ||
2554 | 1481 | |||
2555 | 1482 | if (is_valid_request (&hash_type, db_hash, hash_size, req)) { | ||
2556 | 1483 | valid = 1; | ||
2557 | 1484 | } else if (in_pending_request (&hash_type, db_hash, hash_size, req)) { | ||
2558 | 1485 | printf ("Removed hash from %s\n", reverse_req); | ||
2559 | 1486 | } else { | ||
2561 | 1487 | printf ("Skip hash\n"); | 1051 | printf ("Skip hash\n"); |
2565 | 1488 | } | 1052 | ret = 0; |
2566 | 1489 | 1053 | goto error; | |
2567 | 1490 | if (!valid) { | 1054 | } else if (in_reverse_pending_request (&hash_type, db_hash, hash_size, req)) { |
2568 | 1055 | printf ("Removed hash from %s\n", get_reverse_req_var_name (req)); | ||
2569 | 1491 | ret = 0; | 1056 | ret = 0; |
2570 | 1492 | goto error; | 1057 | goto error; |
2571 | 1493 | } | 1058 | } |
2572 | 1494 | 1059 | ||
2573 | 1495 | list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size; | 1060 | list_size = sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t) + hash_size; |
2574 | 1496 | 1061 | ||
2576 | 1497 | ret = efi_get_variable (efi_guid_shim, req_name, &old_req_data, | 1062 | ret = efi_get_variable (efi_guid_shim, var_name, &old_req_data, |
2577 | 1498 | &old_req_data_size, &attributes); | 1063 | &old_req_data_size, &attributes); |
2578 | 1499 | if (ret < 0) { | 1064 | if (ret < 0) { |
2579 | 1500 | if (errno != ENOENT) { | 1065 | if (errno != ENOENT) { |
2580 | 1501 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", | 1066 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", |
2582 | 1502 | req_name); | 1067 | var_name); |
2583 | 1503 | goto error; | 1068 | goto error; |
2584 | 1504 | } | 1069 | } |
2585 | 1505 | } else { | 1070 | } else { |
2586 | @@ -1510,8 +1075,8 @@ issue_hash_request (const char *hash_str, MokRequest req, | |||
2587 | 1510 | goto error; | 1075 | goto error; |
2588 | 1511 | /* Check if there is a signature list with the same type */ | 1076 | /* Check if there is a signature list with the same type */ |
2589 | 1512 | for (unsigned int i = 0; i < mok_num; i++) { | 1077 | for (unsigned int i = 0; i < mok_num; i++) { |
2592 | 1513 | if (efi_guid_cmp (&mok_list[i].header->SignatureType, | 1078 | efi_guid_t sigtype = mok_list[i].header->SignatureType; |
2593 | 1514 | &hash_type) == 0) { | 1079 | if (efi_guid_cmp (&sigtype, &hash_type) == 0) { |
2594 | 1515 | merge_ind = i; | 1080 | merge_ind = i; |
2595 | 1516 | list_size -= sizeof(EFI_SIGNATURE_LIST); | 1081 | list_size -= sizeof(EFI_SIGNATURE_LIST); |
2596 | 1517 | break; | 1082 | break; |
2597 | @@ -1523,7 +1088,7 @@ issue_hash_request (const char *hash_str, MokRequest req, | |||
2598 | 1523 | new_list = malloc (list_size); | 1088 | new_list = malloc (list_size); |
2599 | 1524 | if (!new_list) { | 1089 | if (!new_list) { |
2600 | 1525 | fprintf (stderr, "Failed to allocate space for %s: %m\n", | 1090 | fprintf (stderr, "Failed to allocate space for %s: %m\n", |
2602 | 1526 | req_name); | 1091 | var_name); |
2603 | 1527 | goto error; | 1092 | goto error; |
2604 | 1528 | } | 1093 | } |
2605 | 1529 | ptr = new_list; | 1094 | ptr = new_list; |
2606 | @@ -1577,7 +1142,7 @@ issue_hash_request (const char *hash_str, MokRequest req, | |||
2607 | 1577 | } | 1142 | } |
2608 | 1578 | } | 1143 | } |
2609 | 1579 | 1144 | ||
2611 | 1580 | if (update_request (new_list, list_size, req, hash_file, root_pw) < 0) { | 1145 | if (update_request (new_list, list_size, req, pw_hash_file, root_pw) < 0) { |
2612 | 1581 | goto error; | 1146 | goto error; |
2613 | 1582 | } | 1147 | } |
2614 | 1583 | 1148 | ||
2615 | @@ -1594,34 +1159,12 @@ error: | |||
2616 | 1594 | } | 1159 | } |
2617 | 1595 | 1160 | ||
2618 | 1596 | static int | 1161 | static int |
2620 | 1597 | revoke_request (MokRequest req) | 1162 | revoke_request (const MokRequest req) |
2621 | 1598 | { | 1163 | { |
2648 | 1599 | switch (req) { | 1164 | if (test_and_delete_mok_var (get_req_var_name(req)) < 0) |
2649 | 1600 | case ENROLL_MOK: | 1165 | return -1; |
2650 | 1601 | if (test_and_delete_var ("MokNew") < 0) | 1166 | if (test_and_delete_mok_var (get_req_auth_var_name(req)) < 0) |
2651 | 1602 | return -1; | 1167 | return -1; |
2626 | 1603 | if (test_and_delete_var ("MokAuth") < 0) | ||
2627 | 1604 | return -1; | ||
2628 | 1605 | break; | ||
2629 | 1606 | case DELETE_MOK: | ||
2630 | 1607 | if (test_and_delete_var ("MokDel") < 0) | ||
2631 | 1608 | return -1; | ||
2632 | 1609 | if (test_and_delete_var ("MokDelAuth") < 0) | ||
2633 | 1610 | return -1; | ||
2634 | 1611 | break; | ||
2635 | 1612 | case ENROLL_BLACKLIST: | ||
2636 | 1613 | if (test_and_delete_var ("MokXNew") < 0) | ||
2637 | 1614 | return -1; | ||
2638 | 1615 | if (test_and_delete_var ("MokXAuth") < 0) | ||
2639 | 1616 | return -1; | ||
2640 | 1617 | break; | ||
2641 | 1618 | case DELETE_BLACKLIST: | ||
2642 | 1619 | if (test_and_delete_var ("MokXDel") < 0) | ||
2643 | 1620 | return -1; | ||
2644 | 1621 | if (test_and_delete_var ("MokXDelAuth") < 0) | ||
2645 | 1622 | return -1; | ||
2646 | 1623 | break; | ||
2647 | 1624 | } | ||
2652 | 1625 | 1168 | ||
2653 | 1626 | return 0; | 1169 | return 0; |
2654 | 1627 | } | 1170 | } |
2655 | @@ -1629,6 +1172,7 @@ revoke_request (MokRequest req) | |||
2656 | 1629 | static int | 1172 | static int |
2657 | 1630 | export_db_keys (const DBName db_name) | 1173 | export_db_keys (const DBName db_name) |
2658 | 1631 | { | 1174 | { |
2659 | 1175 | const char *db_var_name; | ||
2660 | 1632 | uint8_t *data = NULL; | 1176 | uint8_t *data = NULL; |
2661 | 1633 | size_t data_size = 0; | 1177 | size_t data_size = 0; |
2662 | 1634 | uint32_t attributes; | 1178 | uint32_t attributes; |
2663 | @@ -1655,15 +1199,17 @@ export_db_keys (const DBName db_name) | |||
2664 | 1655 | break; | 1199 | break; |
2665 | 1656 | }; | 1200 | }; |
2666 | 1657 | 1201 | ||
2668 | 1658 | ret = efi_get_variable (guid, db_var_name[db_name], &data, &data_size, | 1202 | db_var_name = get_db_var_name(db_name); |
2669 | 1203 | |||
2670 | 1204 | ret = efi_get_variable (guid, db_var_name, &data, &data_size, | ||
2671 | 1659 | &attributes); | 1205 | &attributes); |
2672 | 1660 | if (ret < 0) { | 1206 | if (ret < 0) { |
2673 | 1661 | if (errno == ENOENT) { | 1207 | if (errno == ENOENT) { |
2675 | 1662 | printf ("%s is empty\n", db_var_name[db_name]); | 1208 | printf ("%s is empty\n", db_var_name); |
2676 | 1663 | return 0; | 1209 | return 0; |
2677 | 1664 | } | 1210 | } |
2678 | 1665 | 1211 | ||
2680 | 1666 | fprintf (stderr, "Failed to read %s: %m\n", db_var_name[db_name]); | 1212 | fprintf (stderr, "Failed to read %s: %m\n", db_var_name); |
2681 | 1667 | return -1; | 1213 | return -1; |
2682 | 1668 | } | 1214 | } |
2683 | 1669 | ret = -1; | 1215 | ret = -1; |
2684 | @@ -1678,12 +1224,14 @@ export_db_keys (const DBName db_name) | |||
2685 | 1678 | for (unsigned i = 0; i < mok_num; i++) { | 1224 | for (unsigned i = 0; i < mok_num; i++) { |
2686 | 1679 | off_t offset = 0; | 1225 | off_t offset = 0; |
2687 | 1680 | ssize_t write_size; | 1226 | ssize_t write_size; |
2688 | 1227 | efi_guid_t sigtype = list[i].header->SignatureType; | ||
2689 | 1681 | 1228 | ||
2691 | 1682 | if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0) | 1229 | if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) |
2692 | 1683 | continue; | 1230 | continue; |
2693 | 1684 | 1231 | ||
2694 | 1685 | /* Dump X509 certificate to files */ | 1232 | /* Dump X509 certificate to files */ |
2696 | 1686 | snprintf (filename, PATH_MAX, "%s-%04d.der", db_friendly_name[db_name], i+1); | 1233 | snprintf (filename, PATH_MAX, "%s-%04d.der", |
2697 | 1234 | get_db_friendly_name(db_name), i+1); | ||
2698 | 1687 | fd = open (filename, O_CREAT | O_WRONLY, mode); | 1235 | fd = open (filename, O_CREAT | O_WRONLY, mode); |
2699 | 1688 | if (fd < 0) { | 1236 | if (fd < 0) { |
2700 | 1689 | fprintf (stderr, "Failed to open %s: %m\n", filename); | 1237 | fprintf (stderr, "Failed to open %s: %m\n", filename); |
2701 | @@ -1714,22 +1262,18 @@ error: | |||
2702 | 1714 | } | 1262 | } |
2703 | 1715 | 1263 | ||
2704 | 1716 | static int | 1264 | static int |
2706 | 1717 | set_password (const char *hash_file, const int root_pw, const int clear) | 1265 | set_password (const char *pw_hash_file, const int root_pw, const int clear) |
2707 | 1718 | { | 1266 | { |
2708 | 1719 | uint8_t *data; | ||
2709 | 1720 | size_t data_size; | ||
2710 | 1721 | pw_crypt_t pw_crypt; | 1267 | pw_crypt_t pw_crypt; |
2711 | 1722 | uint8_t auth[SHA256_DIGEST_LENGTH]; | ||
2712 | 1723 | char *password = NULL; | 1268 | char *password = NULL; |
2713 | 1724 | unsigned int pw_len; | 1269 | unsigned int pw_len; |
2714 | 1725 | int auth_ret; | 1270 | int auth_ret; |
2715 | 1726 | int ret = -1; | 1271 | int ret = -1; |
2716 | 1727 | 1272 | ||
2717 | 1728 | memset (&pw_crypt, 0, sizeof(pw_crypt_t)); | 1273 | memset (&pw_crypt, 0, sizeof(pw_crypt_t)); |
2718 | 1729 | memset (auth, 0, SHA256_DIGEST_LENGTH); | ||
2719 | 1730 | 1274 | ||
2722 | 1731 | if (hash_file) { | 1275 | if (pw_hash_file) { |
2723 | 1732 | if (get_hash_from_file (hash_file, &pw_crypt) < 0) { | 1276 | if (get_pw_hash_from_file (pw_hash_file, &pw_crypt) < 0) { |
2724 | 1733 | fprintf (stderr, "Failed to read hash\n"); | 1277 | fprintf (stderr, "Failed to read hash\n"); |
2725 | 1734 | goto error; | 1278 | goto error; |
2726 | 1735 | } | 1279 | } |
2727 | @@ -1744,31 +1288,20 @@ set_password (const char *hash_file, const int root_pw, const int clear) | |||
2728 | 1744 | goto error; | 1288 | goto error; |
2729 | 1745 | } | 1289 | } |
2730 | 1746 | 1290 | ||
2738 | 1747 | if (!use_simple_hash) { | 1291 | pw_crypt.method = DEFAULT_CRYPT_METHOD; |
2739 | 1748 | pw_crypt.method = DEFAULT_CRYPT_METHOD; | 1292 | auth_ret = generate_pw_crypt (&pw_crypt, password, pw_len); |
2733 | 1749 | auth_ret = generate_hash (&pw_crypt, password, pw_len); | ||
2734 | 1750 | } else { | ||
2735 | 1751 | auth_ret = generate_auth (NULL, 0, password, pw_len, | ||
2736 | 1752 | auth); | ||
2737 | 1753 | } | ||
2740 | 1754 | if (auth_ret < 0) { | 1293 | if (auth_ret < 0) { |
2741 | 1755 | fprintf (stderr, "Couldn't generate hash\n"); | 1294 | fprintf (stderr, "Couldn't generate hash\n"); |
2742 | 1756 | goto error; | 1295 | goto error; |
2743 | 1757 | } | 1296 | } |
2744 | 1758 | } | 1297 | } |
2745 | 1759 | 1298 | ||
2746 | 1760 | if (!use_simple_hash) { | ||
2747 | 1761 | data = (void *)&pw_crypt; | ||
2748 | 1762 | data_size = PASSWORD_CRYPT_SIZE; | ||
2749 | 1763 | } else { | ||
2750 | 1764 | data = (void *)auth; | ||
2751 | 1765 | data_size = SHA256_DIGEST_LENGTH; | ||
2752 | 1766 | } | ||
2753 | 1767 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE | 1299 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE |
2754 | 1768 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | 1300 | | EFI_VARIABLE_BOOTSERVICE_ACCESS |
2755 | 1769 | | EFI_VARIABLE_RUNTIME_ACCESS; | 1301 | | EFI_VARIABLE_RUNTIME_ACCESS; |
2758 | 1770 | ret = efi_set_variable (efi_guid_shim, "MokPW", data, data_size, | 1302 | ret = efi_set_variable (efi_guid_shim, "MokPW", (void *)&pw_crypt, |
2759 | 1771 | attributes, S_IRUSR | S_IWUSR); | 1303 | PASSWORD_CRYPT_SIZE, attributes, |
2760 | 1304 | S_IRUSR | S_IWUSR); | ||
2761 | 1772 | if (ret < 0) { | 1305 | if (ret < 0) { |
2762 | 1773 | fprintf (stderr, "Failed to write MokPW: %m\n"); | 1306 | fprintf (stderr, "Failed to write MokPW: %m\n"); |
2763 | 1774 | goto error; | 1307 | goto error; |
2764 | @@ -1782,7 +1315,7 @@ error: | |||
2765 | 1782 | } | 1315 | } |
2766 | 1783 | 1316 | ||
2767 | 1784 | static int | 1317 | static int |
2769 | 1785 | set_toggle (const char * VarName, uint32_t state) | 1318 | set_toggle (const char * VarName, const uint32_t state) |
2770 | 1786 | { | 1319 | { |
2771 | 1787 | uint32_t attributes; | 1320 | uint32_t attributes; |
2772 | 1788 | MokToggleVar tvar; | 1321 | MokToggleVar tvar; |
2773 | @@ -1823,14 +1356,14 @@ error: | |||
2774 | 1823 | return ret; | 1356 | return ret; |
2775 | 1824 | } | 1357 | } |
2776 | 1825 | 1358 | ||
2779 | 1826 | static int | 1359 | static inline int |
2780 | 1827 | disable_validation() | 1360 | disable_validation(void) |
2781 | 1828 | { | 1361 | { |
2782 | 1829 | return set_toggle("MokSB", 0); | 1362 | return set_toggle("MokSB", 0); |
2783 | 1830 | } | 1363 | } |
2784 | 1831 | 1364 | ||
2787 | 1832 | static int | 1365 | static inline int |
2788 | 1833 | enable_validation() | 1366 | enable_validation(void) |
2789 | 1834 | { | 1367 | { |
2790 | 1835 | return set_toggle("MokSB", 1); | 1368 | return set_toggle("MokSB", 1); |
2791 | 1836 | } | 1369 | } |
2792 | @@ -1838,7 +1371,7 @@ enable_validation() | |||
2793 | 1838 | static int | 1371 | static int |
2794 | 1839 | sb_state () | 1372 | sb_state () |
2795 | 1840 | { | 1373 | { |
2797 | 1841 | uint8_t *data; | 1374 | uint8_t *data = NULL; |
2798 | 1842 | size_t data_size; | 1375 | size_t data_size; |
2799 | 1843 | uint32_t attributes; | 1376 | uint32_t attributes; |
2800 | 1844 | int32_t secureboot = -1; | 1377 | int32_t secureboot = -1; |
2801 | @@ -1856,17 +1389,16 @@ sb_state () | |||
2802 | 1856 | printf ("Strange data size %zd for \"SecureBoot\" variable\n", | 1389 | printf ("Strange data size %zd for \"SecureBoot\" variable\n", |
2803 | 1857 | data_size); | 1390 | data_size); |
2804 | 1858 | } | 1391 | } |
2811 | 1859 | if (data_size == 4) { | 1392 | if (data_size == 4 || data_size == 2 || data_size == 1) { |
2812 | 1860 | secureboot = (int32_t)*(uint32_t *)data; | 1393 | secureboot = 0; |
2813 | 1861 | } else if (data_size == 2) { | 1394 | memcpy(&secureboot, data, data_size); |
2808 | 1862 | secureboot = (int32_t)*(uint16_t *)data; | ||
2809 | 1863 | } else if (data_size == 1) { | ||
2810 | 1864 | secureboot = (int32_t)*(uint8_t *)data; | ||
2814 | 1865 | } | 1395 | } |
2815 | 1396 | free (data); | ||
2816 | 1866 | 1397 | ||
2817 | 1398 | data = NULL; | ||
2818 | 1867 | if (efi_get_variable (efi_guid_global, "SetupMode", &data, &data_size, | 1399 | if (efi_get_variable (efi_guid_global, "SetupMode", &data, &data_size, |
2819 | 1868 | &attributes) < 0) { | 1400 | &attributes) < 0) { |
2821 | 1869 | fprintf (stderr, "Failed to read \"SecureBoot\" " | 1401 | fprintf (stderr, "Failed to read \"SetupMode\" " |
2822 | 1870 | "variable: %m\n"); | 1402 | "variable: %m\n"); |
2823 | 1871 | return -1; | 1403 | return -1; |
2824 | 1872 | } | 1404 | } |
2825 | @@ -1875,17 +1407,17 @@ sb_state () | |||
2826 | 1875 | printf ("Strange data size %zd for \"SetupMode\" variable\n", | 1407 | printf ("Strange data size %zd for \"SetupMode\" variable\n", |
2827 | 1876 | data_size); | 1408 | data_size); |
2828 | 1877 | } | 1409 | } |
2835 | 1878 | if (data_size == 4) { | 1410 | if (data_size == 4 || data_size == 2 || data_size == 1) { |
2836 | 1879 | setupmode = (int32_t)*(uint32_t *)data; | 1411 | setupmode = 0; |
2837 | 1880 | } else if (data_size == 2) { | 1412 | memcpy(&setupmode, data, data_size); |
2832 | 1881 | setupmode = (int32_t)*(uint16_t *)data; | ||
2833 | 1882 | } else if (data_size == 1) { | ||
2834 | 1883 | setupmode = (int32_t)*(uint8_t *)data; | ||
2838 | 1884 | } | 1413 | } |
2839 | 1414 | free (data); | ||
2840 | 1885 | 1415 | ||
2841 | 1416 | data = NULL; | ||
2842 | 1886 | if (efi_get_variable (efi_guid_shim, "MokSBStateRT", &data, &data_size, | 1417 | if (efi_get_variable (efi_guid_shim, "MokSBStateRT", &data, &data_size, |
2843 | 1887 | &attributes) >= 0) { | 1418 | &attributes) >= 0) { |
2844 | 1888 | moksbstate = 1; | 1419 | moksbstate = 1; |
2845 | 1420 | free (data); | ||
2846 | 1889 | } | 1421 | } |
2847 | 1890 | 1422 | ||
2848 | 1891 | if (secureboot == 1 && setupmode == 0) { | 1423 | if (secureboot == 1 && setupmode == 0) { |
2849 | @@ -1900,25 +1432,36 @@ sb_state () | |||
2850 | 1900 | printf ("Cannot determine secure boot state.\n"); | 1432 | printf ("Cannot determine secure boot state.\n"); |
2851 | 1901 | } | 1433 | } |
2852 | 1902 | 1434 | ||
2853 | 1903 | free (data); | ||
2854 | 1904 | |||
2855 | 1905 | return 0; | 1435 | return 0; |
2856 | 1906 | } | 1436 | } |
2857 | 1907 | 1437 | ||
2860 | 1908 | static int | 1438 | static inline int |
2861 | 1909 | disable_db() | 1439 | disable_db(void) |
2862 | 1910 | { | 1440 | { |
2863 | 1911 | return set_toggle("MokDB", 0); | 1441 | return set_toggle("MokDB", 0); |
2864 | 1912 | } | 1442 | } |
2865 | 1913 | 1443 | ||
2868 | 1914 | static int | 1444 | static inline int |
2869 | 1915 | enable_db() | 1445 | enable_db(void) |
2870 | 1916 | { | 1446 | { |
2871 | 1917 | return set_toggle("MokDB", 1); | 1447 | return set_toggle("MokDB", 1); |
2872 | 1918 | } | 1448 | } |
2873 | 1919 | 1449 | ||
2874 | 1450 | static int | ||
2875 | 1451 | trust_mok_keys() | ||
2876 | 1452 | { | ||
2877 | 1453 | return set_toggle("MokListTrustedNew", 0); | ||
2878 | 1454 | } | ||
2879 | 1455 | |||
2880 | 1456 | static int | ||
2881 | 1457 | untrust_mok_keys() | ||
2882 | 1458 | { | ||
2883 | 1459 | return set_toggle("MokListTrustedNew", 1); | ||
2884 | 1460 | } | ||
2885 | 1461 | |||
2886 | 1920 | static inline int | 1462 | static inline int |
2888 | 1921 | read_file(int fd, void **bufp, size_t *lenptr) { | 1463 | read_file(const int fd, void **bufp, size_t *lenptr) |
2889 | 1464 | { | ||
2890 | 1922 | int alloced = 0, size = 0, i = 0; | 1465 | int alloced = 0, size = 0, i = 0; |
2891 | 1923 | void *buf = NULL; | 1466 | void *buf = NULL; |
2892 | 1924 | void *buf_new = NULL; | 1467 | void *buf_new = NULL; |
2893 | @@ -1950,7 +1493,7 @@ read_file(int fd, void **bufp, size_t *lenptr) { | |||
2894 | 1950 | } | 1493 | } |
2895 | 1951 | 1494 | ||
2896 | 1952 | static int | 1495 | static int |
2898 | 1953 | test_key (MokRequest req, const char *key_file) | 1496 | test_key (const MokRequest req, const char *key_file) |
2899 | 1954 | { | 1497 | { |
2900 | 1955 | void *key = NULL; | 1498 | void *key = NULL; |
2901 | 1956 | size_t read_size; | 1499 | size_t read_size; |
2902 | @@ -1968,11 +1511,34 @@ test_key (MokRequest req, const char *key_file) | |||
2903 | 1968 | goto error; | 1511 | goto error; |
2904 | 1969 | } | 1512 | } |
2905 | 1970 | 1513 | ||
2906 | 1514 | if (!is_valid_cert (key, read_size)) { | ||
2907 | 1515 | fprintf (stderr, "Not a valid x509 certificate\n"); | ||
2908 | 1516 | goto error; | ||
2909 | 1517 | } | ||
2910 | 1518 | |||
2911 | 1519 | if (check_keyring && is_in_trusted_keyring (key, read_size)) { | ||
2912 | 1520 | fprintf (stderr, "%s is already in the built-in trusted keyring\n", | ||
2913 | 1521 | key_file); | ||
2914 | 1522 | goto error; | ||
2915 | 1523 | } | ||
2916 | 1524 | |||
2917 | 1525 | if (force_ca_check && is_ca_enrolled (key, read_size, req)) { | ||
2918 | 1526 | fprintf (stderr, "CA of %s is already enrolled\n", | ||
2919 | 1527 | key_file); | ||
2920 | 1528 | goto error; | ||
2921 | 1529 | } | ||
2922 | 1530 | |||
2923 | 1531 | if (force_ca_check && is_ca_blocked (key, read_size, req)) { | ||
2924 | 1532 | fprintf (stderr, "CA of %s is blocked\n", | ||
2925 | 1533 | key_file); | ||
2926 | 1534 | goto error; | ||
2927 | 1535 | } | ||
2928 | 1536 | |||
2929 | 1971 | if (is_valid_request (&efi_guid_x509_cert, key, read_size, req)) { | 1537 | if (is_valid_request (&efi_guid_x509_cert, key, read_size, req)) { |
2930 | 1972 | printf ("%s is not enrolled\n", key_file); | 1538 | printf ("%s is not enrolled\n", key_file); |
2931 | 1973 | ret = 0; | 1539 | ret = 0; |
2932 | 1974 | } else { | 1540 | } else { |
2934 | 1975 | printf ("%s is already enrolled\n", key_file); | 1541 | print_skip_message (key_file, key, read_size, req); |
2935 | 1976 | ret = 1; | 1542 | ret = 1; |
2936 | 1977 | } | 1543 | } |
2937 | 1978 | 1544 | ||
2938 | @@ -1987,9 +1553,9 @@ error: | |||
2939 | 1987 | } | 1553 | } |
2940 | 1988 | 1554 | ||
2941 | 1989 | static int | 1555 | static int |
2943 | 1990 | reset_moks (MokRequest req, const char *hash_file, const int root_pw) | 1556 | reset_moks (const MokRequest req, const char *pw_hash_file, const int root_pw) |
2944 | 1991 | { | 1557 | { |
2946 | 1992 | if (update_request (NULL, 0, req, hash_file, root_pw)) { | 1558 | if (update_request (NULL, 0, req, pw_hash_file, root_pw)) { |
2947 | 1993 | fprintf (stderr, "Failed to issue a reset request\n"); | 1559 | fprintf (stderr, "Failed to issue a reset request\n"); |
2948 | 1994 | return -1; | 1560 | return -1; |
2949 | 1995 | } | 1561 | } |
2950 | @@ -2005,7 +1571,7 @@ generate_pw_hash (const char *input_pw) | |||
2951 | 2005 | char *password = NULL; | 1571 | char *password = NULL; |
2952 | 2006 | char *crypt_string; | 1572 | char *crypt_string; |
2953 | 2007 | const char *prefix; | 1573 | const char *prefix; |
2955 | 2008 | int settings_len = sizeof (settings) - 2; | 1574 | size_t settings_len = sizeof (settings) - 2; |
2956 | 2009 | unsigned int pw_len, salt_size; | 1575 | unsigned int pw_len, salt_size; |
2957 | 2010 | 1576 | ||
2958 | 2011 | if (input_pw) { | 1577 | if (input_pw) { |
2959 | @@ -2034,13 +1600,13 @@ generate_pw_hash (const char *input_pw) | |||
2960 | 2034 | 1600 | ||
2961 | 2035 | memset (settings, 0, sizeof (settings)); | 1601 | memset (settings, 0, sizeof (settings)); |
2962 | 2036 | next = stpncpy (settings, prefix, settings_len); | 1602 | next = stpncpy (settings, prefix, settings_len); |
2964 | 2037 | salt_size = get_salt_size (DEFAULT_CRYPT_METHOD); | 1603 | salt_size = get_pw_salt_size (DEFAULT_CRYPT_METHOD); |
2965 | 2038 | if (salt_size > settings_len - (next - settings)) { | 1604 | if (salt_size > settings_len - (next - settings)) { |
2966 | 2039 | free(password); | 1605 | free(password); |
2967 | 2040 | errno = EOVERFLOW; | 1606 | errno = EOVERFLOW; |
2968 | 2041 | return -1; | 1607 | return -1; |
2969 | 2042 | } | 1608 | } |
2971 | 2043 | generate_salt (next, salt_size); | 1609 | generate_pw_salt (next, salt_size); |
2972 | 2044 | next += salt_size; | 1610 | next += salt_size; |
2973 | 2045 | *next = '\0'; | 1611 | *next = '\0'; |
2974 | 2046 | 1612 | ||
2975 | @@ -2057,7 +1623,7 @@ generate_pw_hash (const char *input_pw) | |||
2976 | 2057 | } | 1623 | } |
2977 | 2058 | 1624 | ||
2978 | 2059 | static int | 1625 | static int |
2980 | 2060 | set_timeout (char *t) | 1626 | set_timeout (const char *t) |
2981 | 2061 | { | 1627 | { |
2982 | 2062 | int timeout = strtol(t, NULL, 10); | 1628 | int timeout = strtol(t, NULL, 10); |
2983 | 2063 | 1629 | ||
2984 | @@ -2077,14 +1643,39 @@ set_timeout (char *t) | |||
2985 | 2077 | return -1; | 1643 | return -1; |
2986 | 2078 | } | 1644 | } |
2987 | 2079 | } else { | 1645 | } else { |
2989 | 2080 | return test_and_delete_var ("MokTimeout"); | 1646 | return test_and_delete_mok_var ("MokTimeout"); |
2990 | 2081 | } | 1647 | } |
2991 | 2082 | 1648 | ||
2992 | 2083 | return 0; | 1649 | return 0; |
2993 | 2084 | } | 1650 | } |
2994 | 2085 | 1651 | ||
2995 | 2086 | static int | 1652 | static int |
2997 | 2087 | set_verbosity (uint8_t verbosity) | 1653 | print_var_content (const char *var_name, const efi_guid_t guid) |
2998 | 1654 | { | ||
2999 | 1655 | uint8_t *data = NULL; | ||
3000 | 1656 | size_t data_size; | ||
3001 | 1657 | uint32_t attributes; | ||
3002 | 1658 | int ret; | ||
3003 | 1659 | |||
3004 | 1660 | ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); | ||
3005 | 1661 | if (ret < 0) { | ||
3006 | 1662 | if (errno == ENOENT) { | ||
3007 | 1663 | printf ("%s is empty\n", var_name); | ||
3008 | 1664 | return 0; | ||
3009 | 1665 | } | ||
3010 | 1666 | |||
3011 | 1667 | fprintf (stderr, "Failed to read %s: %m\n", var_name); | ||
3012 | 1668 | return -1; | ||
3013 | 1669 | } | ||
3014 | 1670 | |||
3015 | 1671 | printf ("%s", data); | ||
3016 | 1672 | free (data); | ||
3017 | 1673 | |||
3018 | 1674 | return ret; | ||
3019 | 1675 | } | ||
3020 | 1676 | |||
3021 | 1677 | static int | ||
3022 | 1678 | set_verbosity (const uint8_t verbosity) | ||
3023 | 2088 | { | 1679 | { |
3024 | 2089 | if (verbosity) { | 1680 | if (verbosity) { |
3025 | 2090 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE | 1681 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE |
3026 | @@ -2097,14 +1688,54 @@ set_verbosity (uint8_t verbosity) | |||
3027 | 2097 | return -1; | 1688 | return -1; |
3028 | 2098 | } | 1689 | } |
3029 | 2099 | } else { | 1690 | } else { |
3031 | 2100 | return test_and_delete_var ("SHIM_VERBOSE"); | 1691 | return test_and_delete_mok_var ("SHIM_VERBOSE"); |
3032 | 1692 | } | ||
3033 | 1693 | |||
3034 | 1694 | return 0; | ||
3035 | 1695 | } | ||
3036 | 1696 | |||
3037 | 1697 | static int | ||
3038 | 1698 | set_fallback_verbosity (const uint8_t verbosity) | ||
3039 | 1699 | { | ||
3040 | 1700 | if (verbosity) { | ||
3041 | 1701 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE | ||
3042 | 1702 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | ||
3043 | 1703 | | EFI_VARIABLE_RUNTIME_ACCESS; | ||
3044 | 1704 | if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE", | ||
3045 | 1705 | (uint8_t *)&verbosity, sizeof (verbosity), | ||
3046 | 1706 | attributes, S_IRUSR | S_IWUSR) < 0) { | ||
3047 | 1707 | fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n"); | ||
3048 | 1708 | return -1; | ||
3049 | 1709 | } | ||
3050 | 1710 | } else { | ||
3051 | 1711 | return test_and_delete_mok_var ("FALLBACK_VERBOSE"); | ||
3052 | 1712 | } | ||
3053 | 1713 | |||
3054 | 1714 | return 0; | ||
3055 | 1715 | } | ||
3056 | 1716 | |||
3057 | 1717 | static int | ||
3058 | 1718 | set_fallback_noreboot (const uint8_t noreboot) | ||
3059 | 1719 | { | ||
3060 | 1720 | if (noreboot) { | ||
3061 | 1721 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE | ||
3062 | 1722 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | ||
3063 | 1723 | | EFI_VARIABLE_RUNTIME_ACCESS; | ||
3064 | 1724 | if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT", | ||
3065 | 1725 | (uint8_t *)&noreboot, sizeof (noreboot), | ||
3066 | 1726 | attributes, S_IRUSR | S_IWUSR) < 0) { | ||
3067 | 1727 | fprintf (stderr, "Failed to set FB_NO_REBOOT\n"); | ||
3068 | 1728 | return -1; | ||
3069 | 1729 | } | ||
3070 | 1730 | } else { | ||
3071 | 1731 | return test_and_delete_mok_var ("FB_NO_REBOOT"); | ||
3072 | 2101 | } | 1732 | } |
3073 | 2102 | 1733 | ||
3074 | 2103 | return 0; | 1734 | return 0; |
3075 | 2104 | } | 1735 | } |
3076 | 2105 | 1736 | ||
3077 | 2106 | static inline int | 1737 | static inline int |
3079 | 2107 | list_db (DBName db_name) | 1738 | list_db (const DBName db_name) |
3080 | 2108 | { | 1739 | { |
3081 | 2109 | switch (db_name) { | 1740 | switch (db_name) { |
3082 | 2110 | case MOK_LIST_RT: | 1741 | case MOK_LIST_RT: |
3083 | @@ -2124,12 +1755,32 @@ list_db (DBName db_name) | |||
3084 | 2124 | return -1; | 1755 | return -1; |
3085 | 2125 | } | 1756 | } |
3086 | 2126 | 1757 | ||
3087 | 1758 | static int | ||
3088 | 1759 | manage_sbat (const uint8_t sbat_policy) | ||
3089 | 1760 | { | ||
3090 | 1761 | if (sbat_policy) { | ||
3091 | 1762 | uint32_t attributes = EFI_VARIABLE_NON_VOLATILE | ||
3092 | 1763 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | ||
3093 | 1764 | | EFI_VARIABLE_RUNTIME_ACCESS; | ||
3094 | 1765 | if (efi_set_variable (efi_guid_shim, "SbatPolicy", | ||
3095 | 1766 | (uint8_t *)&sbat_policy, | ||
3096 | 1767 | sizeof (sbat_policy), | ||
3097 | 1768 | attributes, S_IRUSR | S_IWUSR) < 0) { | ||
3098 | 1769 | fprintf (stderr, "Failed to set SbatPolicy\n"); | ||
3099 | 1770 | return -1; | ||
3100 | 1771 | } | ||
3101 | 1772 | } else { | ||
3102 | 1773 | return test_and_delete_mok_var ("SbatPolicy"); | ||
3103 | 1774 | } | ||
3104 | 1775 | return 0; | ||
3105 | 1776 | } | ||
3106 | 1777 | |||
3107 | 2127 | int | 1778 | int |
3108 | 2128 | main (int argc, char *argv[]) | 1779 | main (int argc, char *argv[]) |
3109 | 2129 | { | 1780 | { |
3110 | 2130 | char **files = NULL; | 1781 | char **files = NULL; |
3111 | 2131 | char *key_file = NULL; | 1782 | char *key_file = NULL; |
3113 | 2132 | char *hash_file = NULL; | 1783 | char *pw_hash_file = NULL; |
3114 | 2133 | char *input_pw = NULL; | 1784 | char *input_pw = NULL; |
3115 | 2134 | char *hash_str = NULL; | 1785 | char *hash_str = NULL; |
3116 | 2135 | char *timeout = NULL; | 1786 | char *timeout = NULL; |
3117 | @@ -2138,10 +1789,15 @@ main (int argc, char *argv[]) | |||
3118 | 2138 | unsigned int command = 0; | 1789 | unsigned int command = 0; |
3119 | 2139 | int use_root_pw = 0; | 1790 | int use_root_pw = 0; |
3120 | 2140 | uint8_t verbosity = 0; | 1791 | uint8_t verbosity = 0; |
3121 | 1792 | uint8_t fb_verbosity = 0; | ||
3122 | 1793 | uint8_t fb_noreboot = 0; | ||
3123 | 1794 | uint8_t sbat_policy = 0; | ||
3124 | 2141 | DBName db_name = MOK_LIST_RT; | 1795 | DBName db_name = MOK_LIST_RT; |
3125 | 2142 | int ret = -1; | 1796 | int ret = -1; |
3126 | 1797 | int sb_check; | ||
3127 | 2143 | 1798 | ||
3129 | 2144 | use_simple_hash = 0; | 1799 | force_ca_check = 0; |
3130 | 1800 | check_keyring = 1; | ||
3131 | 2145 | 1801 | ||
3132 | 2146 | if (!efi_variables_supported ()) { | 1802 | if (!efi_variables_supported ()) { |
3133 | 2147 | fprintf (stderr, "EFI variables are not supported on this system\n"); | 1803 | fprintf (stderr, "EFI variables are not supported on this system\n"); |
3134 | @@ -2169,7 +1825,6 @@ main (int argc, char *argv[]) | |||
3135 | 2169 | {"hash-file", required_argument, 0, 'f'}, | 1825 | {"hash-file", required_argument, 0, 'f'}, |
3136 | 2170 | {"generate-hash", optional_argument, 0, 'g'}, | 1826 | {"generate-hash", optional_argument, 0, 'g'}, |
3137 | 2171 | {"root-pw", no_argument, 0, 'P'}, | 1827 | {"root-pw", no_argument, 0, 'P'}, |
3138 | 2172 | {"simple-hash", no_argument, 0, 's'}, | ||
3139 | 2173 | {"ignore-db", no_argument, 0, 0 }, | 1828 | {"ignore-db", no_argument, 0, 0 }, |
3140 | 2174 | {"use-db", no_argument, 0, 0 }, | 1829 | {"use-db", no_argument, 0, 0 }, |
3141 | 2175 | {"mok", no_argument, 0, 'm'}, | 1830 | {"mok", no_argument, 0, 'm'}, |
3142 | @@ -2177,16 +1832,26 @@ main (int argc, char *argv[]) | |||
3143 | 2177 | {"import-hash", required_argument, 0, 0 }, | 1832 | {"import-hash", required_argument, 0, 0 }, |
3144 | 2178 | {"delete-hash", required_argument, 0, 0 }, | 1833 | {"delete-hash", required_argument, 0, 0 }, |
3145 | 2179 | {"set-verbosity", required_argument, 0, 0 }, | 1834 | {"set-verbosity", required_argument, 0, 0 }, |
3146 | 1835 | {"set-fallback-verbosity", required_argument, 0, 0 }, | ||
3147 | 1836 | {"set-fallback-noreboot", required_argument, 0, 0 }, | ||
3148 | 1837 | {"trust-mok", no_argument, 0, 0 }, | ||
3149 | 1838 | {"untrust-mok", no_argument, 0, 0 }, | ||
3150 | 1839 | {"set-sbat-policy", required_argument, 0, 0 }, | ||
3151 | 2180 | {"pk", no_argument, 0, 0 }, | 1840 | {"pk", no_argument, 0, 0 }, |
3152 | 2181 | {"kek", no_argument, 0, 0 }, | 1841 | {"kek", no_argument, 0, 0 }, |
3153 | 2182 | {"db", no_argument, 0, 0 }, | 1842 | {"db", no_argument, 0, 0 }, |
3154 | 2183 | {"dbx", no_argument, 0, 0 }, | 1843 | {"dbx", no_argument, 0, 0 }, |
3155 | 1844 | {"list-sbat-revocations", no_argument, 0, 0 }, | ||
3156 | 1845 | {"sbat", no_argument, 0, 0 }, | ||
3157 | 2184 | {"timeout", required_argument, 0, 0 }, | 1846 | {"timeout", required_argument, 0, 0 }, |
3158 | 1847 | {"ca-check", no_argument, 0, 0 }, | ||
3159 | 1848 | {"ignore-keyring", no_argument, 0, 0 }, | ||
3160 | 1849 | {"version", no_argument, 0, 'v'}, | ||
3161 | 2185 | {0, 0, 0, 0} | 1850 | {0, 0, 0, 0} |
3162 | 2186 | }; | 1851 | }; |
3163 | 2187 | 1852 | ||
3164 | 2188 | int option_index = 0; | 1853 | int option_index = 0; |
3166 | 2189 | c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPX", | 1854 | c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv", |
3167 | 2190 | long_options, &option_index); | 1855 | long_options, &option_index); |
3168 | 2191 | 1856 | ||
3169 | 2192 | if (c == -1) | 1857 | if (c == -1) |
3170 | @@ -2211,6 +1876,10 @@ main (int argc, char *argv[]) | |||
3171 | 2211 | command |= IGNORE_DB; | 1876 | command |= IGNORE_DB; |
3172 | 2212 | } else if (strcmp (option, "use-db") == 0) { | 1877 | } else if (strcmp (option, "use-db") == 0) { |
3173 | 2213 | command |= USE_DB; | 1878 | command |= USE_DB; |
3174 | 1879 | } else if (strcmp (option, "trust-mok") == 0) { | ||
3175 | 1880 | command |= TRUST_MOK; | ||
3176 | 1881 | } else if (strcmp (option, "untrust-mok") == 0) { | ||
3177 | 1882 | command |= UNTRUST_MOK; | ||
3178 | 2214 | } else if (strcmp (option, "import-hash") == 0) { | 1883 | } else if (strcmp (option, "import-hash") == 0) { |
3179 | 2215 | command |= IMPORT_HASH; | 1884 | command |= IMPORT_HASH; |
3180 | 2216 | if (hash_str) { | 1885 | if (hash_str) { |
3181 | @@ -2241,6 +1910,32 @@ main (int argc, char *argv[]) | |||
3182 | 2241 | verbosity = 0; | 1910 | verbosity = 0; |
3183 | 2242 | else | 1911 | else |
3184 | 2243 | command |= HELP; | 1912 | command |= HELP; |
3185 | 1913 | } else if (strcmp (option, "set-fallback-verbosity") == 0) { | ||
3186 | 1914 | command |= FB_VERBOSITY; | ||
3187 | 1915 | if (strcmp (optarg, "true") == 0) | ||
3188 | 1916 | fb_verbosity = 1; | ||
3189 | 1917 | else if (strcmp (optarg, "false") == 0) | ||
3190 | 1918 | fb_verbosity = 0; | ||
3191 | 1919 | else | ||
3192 | 1920 | command |= HELP; | ||
3193 | 1921 | } else if (strcmp (option, "set-fallback-noreboot") == 0) { | ||
3194 | 1922 | command |= FB_NOREBOOT; | ||
3195 | 1923 | if (strcmp (optarg, "true") == 0) | ||
3196 | 1924 | fb_noreboot = 1; | ||
3197 | 1925 | else if (strcmp (optarg, "false") == 0) | ||
3198 | 1926 | fb_noreboot = 0; | ||
3199 | 1927 | else | ||
3200 | 1928 | command |= HELP; | ||
3201 | 1929 | } else if (strcmp (option, "set-sbat-policy") == 0) { | ||
3202 | 1930 | command |= SET_SBAT; | ||
3203 | 1931 | if (strcmp (optarg, "latest") == 0) | ||
3204 | 1932 | sbat_policy = 1; | ||
3205 | 1933 | else if (strcmp (optarg, "previous") == 0) | ||
3206 | 1934 | sbat_policy = 2; | ||
3207 | 1935 | else if (strcmp (optarg, "delete") == 0) | ||
3208 | 1936 | sbat_policy = 3; | ||
3209 | 1937 | else | ||
3210 | 1938 | command |= HELP; | ||
3211 | 2244 | } else if (strcmp (option, "pk") == 0) { | 1939 | } else if (strcmp (option, "pk") == 0) { |
3212 | 2245 | if (db_name != MOK_LIST_RT) { | 1940 | if (db_name != MOK_LIST_RT) { |
3213 | 2246 | command |= HELP; | 1941 | command |= HELP; |
3214 | @@ -2265,9 +1960,17 @@ main (int argc, char *argv[]) | |||
3215 | 2265 | } else { | 1960 | } else { |
3216 | 2266 | db_name = DBX; | 1961 | db_name = DBX; |
3217 | 2267 | } | 1962 | } |
3218 | 1963 | } else if (strcmp (option, "list-sbat-revocations") == 0) { | ||
3219 | 1964 | command |= LIST_SBAT; | ||
3220 | 1965 | } else if (strcmp (option, "sbat") == 0) { | ||
3221 | 1966 | command |= LIST_SBAT; | ||
3222 | 2268 | } else if (strcmp (option, "timeout") == 0) { | 1967 | } else if (strcmp (option, "timeout") == 0) { |
3223 | 2269 | command |= TIMEOUT; | 1968 | command |= TIMEOUT; |
3224 | 2270 | timeout = strdup (optarg); | 1969 | timeout = strdup (optarg); |
3225 | 1970 | } else if (strcmp (option, "ca-check") == 0) { | ||
3226 | 1971 | force_ca_check = 1; | ||
3227 | 1972 | } else if (strcmp (option, "ignore-keyring") == 0) { | ||
3228 | 1973 | check_keyring = 0; | ||
3229 | 2271 | } | 1974 | } |
3230 | 2272 | 1975 | ||
3231 | 2273 | break; | 1976 | break; |
3232 | @@ -2317,12 +2020,12 @@ main (int argc, char *argv[]) | |||
3233 | 2317 | 2020 | ||
3234 | 2318 | break; | 2021 | break; |
3235 | 2319 | case 'f': | 2022 | case 'f': |
3237 | 2320 | if (hash_file) { | 2023 | if (pw_hash_file) { |
3238 | 2321 | command |= HELP; | 2024 | command |= HELP; |
3239 | 2322 | break; | 2025 | break; |
3240 | 2323 | } | 2026 | } |
3243 | 2324 | hash_file = strdup (optarg); | 2027 | pw_hash_file = strdup (optarg); |
3244 | 2325 | if (hash_file == NULL) { | 2028 | if (pw_hash_file == NULL) { |
3245 | 2326 | fprintf (stderr, "Could not allocate space: %m\n"); | 2029 | fprintf (stderr, "Could not allocate space: %m\n"); |
3246 | 2327 | exit(1); | 2030 | exit(1); |
3247 | 2328 | } | 2031 | } |
3248 | @@ -2368,10 +2071,6 @@ main (int argc, char *argv[]) | |||
3249 | 2368 | case 'x': | 2071 | case 'x': |
3250 | 2369 | command |= EXPORT; | 2072 | command |= EXPORT; |
3251 | 2370 | break; | 2073 | break; |
3252 | 2371 | case 's': | ||
3253 | 2372 | command |= SIMPLE_HASH; | ||
3254 | 2373 | use_simple_hash = 1; | ||
3255 | 2374 | break; | ||
3256 | 2375 | case 'm': | 2074 | case 'm': |
3257 | 2376 | db_name = MOK_LIST_RT; | 2075 | db_name = MOK_LIST_RT; |
3258 | 2377 | break; | 2076 | break; |
3259 | @@ -2383,6 +2082,9 @@ main (int argc, char *argv[]) | |||
3260 | 2383 | db_name = MOK_LIST_X_RT; | 2082 | db_name = MOK_LIST_X_RT; |
3261 | 2384 | } | 2083 | } |
3262 | 2385 | break; | 2084 | break; |
3263 | 2085 | case 'v': | ||
3264 | 2086 | printf ("%s\n", VERSION); | ||
3265 | 2087 | goto out; | ||
3266 | 2386 | case 'h': | 2088 | case 'h': |
3267 | 2387 | case '?': | 2089 | case '?': |
3268 | 2388 | command |= HELP; | 2090 | command |= HELP; |
3269 | @@ -2392,19 +2094,19 @@ main (int argc, char *argv[]) | |||
3270 | 2392 | } | 2094 | } |
3271 | 2393 | } | 2095 | } |
3272 | 2394 | 2096 | ||
3277 | 2395 | if (use_root_pw == 1 && use_simple_hash == 1) | 2097 | if (pw_hash_file && use_root_pw) |
3274 | 2396 | use_simple_hash = 0; | ||
3275 | 2397 | |||
3276 | 2398 | if (hash_file && use_root_pw) | ||
3278 | 2399 | command |= HELP; | 2098 | command |= HELP; |
3279 | 2400 | 2099 | ||
3280 | 2401 | if (db_name != MOK_LIST_RT && !(command & ~MOKX)) | 2100 | if (db_name != MOK_LIST_RT && !(command & ~MOKX)) |
3281 | 2402 | command |= LIST_ENROLLED; | 2101 | command |= LIST_ENROLLED; |
3282 | 2403 | 2102 | ||
3284 | 2404 | if (!(command & HELP)) { | 2103 | sb_check = !(command & HELP || command & TEST_KEY || |
3285 | 2104 | command & VERBOSITY || command & TIMEOUT || | ||
3286 | 2105 | command & FB_VERBOSITY || command & FB_NOREBOOT); | ||
3287 | 2106 | if (sb_check) { | ||
3288 | 2405 | /* Check whether the machine supports Secure Boot or not */ | 2107 | /* Check whether the machine supports Secure Boot or not */ |
3289 | 2406 | int rc; | 2108 | int rc; |
3291 | 2407 | uint8_t *data; | 2109 | uint8_t *data = NULL; |
3292 | 2408 | size_t data_size; | 2110 | size_t data_size; |
3293 | 2409 | uint32_t attributes; | 2111 | uint32_t attributes; |
3294 | 2410 | 2112 | ||
3295 | @@ -2430,24 +2132,20 @@ main (int argc, char *argv[]) | |||
3296 | 2430 | ret = list_keys_in_var ("MokDel", efi_guid_shim); | 2132 | ret = list_keys_in_var ("MokDel", efi_guid_shim); |
3297 | 2431 | break; | 2133 | break; |
3298 | 2432 | case IMPORT: | 2134 | case IMPORT: |
3299 | 2433 | case IMPORT | SIMPLE_HASH: | ||
3300 | 2434 | ret = issue_mok_request (files, total, ENROLL_MOK, | 2135 | ret = issue_mok_request (files, total, ENROLL_MOK, |
3302 | 2435 | hash_file, use_root_pw); | 2136 | pw_hash_file, use_root_pw); |
3303 | 2436 | break; | 2137 | break; |
3304 | 2437 | case DELETE: | 2138 | case DELETE: |
3305 | 2438 | case DELETE | SIMPLE_HASH: | ||
3306 | 2439 | ret = issue_mok_request (files, total, DELETE_MOK, | 2139 | ret = issue_mok_request (files, total, DELETE_MOK, |
3308 | 2440 | hash_file, use_root_pw); | 2140 | pw_hash_file, use_root_pw); |
3309 | 2441 | break; | 2141 | break; |
3310 | 2442 | case IMPORT_HASH: | 2142 | case IMPORT_HASH: |
3311 | 2443 | case IMPORT_HASH | SIMPLE_HASH: | ||
3312 | 2444 | ret = issue_hash_request (hash_str, ENROLL_MOK, | 2143 | ret = issue_hash_request (hash_str, ENROLL_MOK, |
3314 | 2445 | hash_file, use_root_pw); | 2144 | pw_hash_file, use_root_pw); |
3315 | 2446 | break; | 2145 | break; |
3316 | 2447 | case DELETE_HASH: | 2146 | case DELETE_HASH: |
3317 | 2448 | case DELETE_HASH | SIMPLE_HASH: | ||
3318 | 2449 | ret = issue_hash_request (hash_str, DELETE_MOK, | 2147 | ret = issue_hash_request (hash_str, DELETE_MOK, |
3320 | 2450 | hash_file, use_root_pw); | 2148 | pw_hash_file, use_root_pw); |
3321 | 2451 | break; | 2149 | break; |
3322 | 2452 | case REVOKE_IMPORT: | 2150 | case REVOKE_IMPORT: |
3323 | 2453 | ret = revoke_request (ENROLL_MOK); | 2151 | ret = revoke_request (ENROLL_MOK); |
3324 | @@ -2460,11 +2158,9 @@ main (int argc, char *argv[]) | |||
3325 | 2460 | ret = export_db_keys (db_name); | 2158 | ret = export_db_keys (db_name); |
3326 | 2461 | break; | 2159 | break; |
3327 | 2462 | case PASSWORD: | 2160 | case PASSWORD: |
3330 | 2463 | case PASSWORD | SIMPLE_HASH: | 2161 | ret = set_password (pw_hash_file, use_root_pw, 0); |
3329 | 2464 | ret = set_password (hash_file, use_root_pw, 0); | ||
3331 | 2465 | break; | 2162 | break; |
3332 | 2466 | case CLEAR_PASSWORD: | 2163 | case CLEAR_PASSWORD: |
3333 | 2467 | case CLEAR_PASSWORD | SIMPLE_HASH: | ||
3334 | 2468 | ret = set_password (NULL, 0, 1); | 2164 | ret = set_password (NULL, 0, 1); |
3335 | 2469 | break; | 2165 | break; |
3336 | 2470 | case DISABLE_VALIDATION: | 2166 | case DISABLE_VALIDATION: |
3337 | @@ -2480,8 +2176,7 @@ main (int argc, char *argv[]) | |||
3338 | 2480 | ret = test_key (ENROLL_MOK, key_file); | 2176 | ret = test_key (ENROLL_MOK, key_file); |
3339 | 2481 | break; | 2177 | break; |
3340 | 2482 | case RESET: | 2178 | case RESET: |
3343 | 2483 | case RESET | SIMPLE_HASH: | 2179 | ret = reset_moks (ENROLL_MOK, pw_hash_file, use_root_pw); |
3342 | 2484 | ret = reset_moks (ENROLL_MOK, hash_file, use_root_pw); | ||
3344 | 2485 | break; | 2180 | break; |
3345 | 2486 | case GENERATE_PW_HASH: | 2181 | case GENERATE_PW_HASH: |
3346 | 2487 | ret = generate_pw_hash (input_pw); | 2182 | ret = generate_pw_hash (input_pw); |
3347 | @@ -2492,6 +2187,12 @@ main (int argc, char *argv[]) | |||
3348 | 2492 | case USE_DB: | 2187 | case USE_DB: |
3349 | 2493 | ret = enable_db (); | 2188 | ret = enable_db (); |
3350 | 2494 | break; | 2189 | break; |
3351 | 2190 | case TRUST_MOK: | ||
3352 | 2191 | ret = trust_mok_keys (); | ||
3353 | 2192 | break; | ||
3354 | 2193 | case UNTRUST_MOK: | ||
3355 | 2194 | ret = untrust_mok_keys (); | ||
3356 | 2195 | break; | ||
3357 | 2495 | case LIST_NEW | MOKX: | 2196 | case LIST_NEW | MOKX: |
3358 | 2496 | ret = list_keys_in_var ("MokXNew", efi_guid_shim); | 2197 | ret = list_keys_in_var ("MokXNew", efi_guid_shim); |
3359 | 2497 | break; | 2198 | break; |
3360 | @@ -2499,24 +2200,20 @@ main (int argc, char *argv[]) | |||
3361 | 2499 | ret = list_keys_in_var ("MokXDel", efi_guid_shim); | 2200 | ret = list_keys_in_var ("MokXDel", efi_guid_shim); |
3362 | 2500 | break; | 2201 | break; |
3363 | 2501 | case IMPORT | MOKX: | 2202 | case IMPORT | MOKX: |
3364 | 2502 | case IMPORT | SIMPLE_HASH | MOKX: | ||
3365 | 2503 | ret = issue_mok_request (files, total, ENROLL_BLACKLIST, | 2203 | ret = issue_mok_request (files, total, ENROLL_BLACKLIST, |
3367 | 2504 | hash_file, use_root_pw); | 2204 | pw_hash_file, use_root_pw); |
3368 | 2505 | break; | 2205 | break; |
3369 | 2506 | case DELETE | MOKX: | 2206 | case DELETE | MOKX: |
3370 | 2507 | case DELETE | SIMPLE_HASH | MOKX: | ||
3371 | 2508 | ret = issue_mok_request (files, total, DELETE_BLACKLIST, | 2207 | ret = issue_mok_request (files, total, DELETE_BLACKLIST, |
3373 | 2509 | hash_file, use_root_pw); | 2208 | pw_hash_file, use_root_pw); |
3374 | 2510 | break; | 2209 | break; |
3375 | 2511 | case IMPORT_HASH | MOKX: | 2210 | case IMPORT_HASH | MOKX: |
3376 | 2512 | case IMPORT_HASH | SIMPLE_HASH | MOKX: | ||
3377 | 2513 | ret = issue_hash_request (hash_str, ENROLL_BLACKLIST, | 2211 | ret = issue_hash_request (hash_str, ENROLL_BLACKLIST, |
3379 | 2514 | hash_file, use_root_pw); | 2212 | pw_hash_file, use_root_pw); |
3380 | 2515 | break; | 2213 | break; |
3381 | 2516 | case DELETE_HASH | MOKX: | 2214 | case DELETE_HASH | MOKX: |
3382 | 2517 | case DELETE_HASH | SIMPLE_HASH | MOKX: | ||
3383 | 2518 | ret = issue_hash_request (hash_str, DELETE_BLACKLIST, | 2215 | ret = issue_hash_request (hash_str, DELETE_BLACKLIST, |
3385 | 2519 | hash_file, use_root_pw); | 2216 | pw_hash_file, use_root_pw); |
3386 | 2520 | break; | 2217 | break; |
3387 | 2521 | case REVOKE_IMPORT | MOKX: | 2218 | case REVOKE_IMPORT | MOKX: |
3388 | 2522 | ret = revoke_request (ENROLL_BLACKLIST); | 2219 | ret = revoke_request (ENROLL_BLACKLIST); |
3389 | @@ -2525,8 +2222,7 @@ main (int argc, char *argv[]) | |||
3390 | 2525 | ret = revoke_request (DELETE_BLACKLIST); | 2222 | ret = revoke_request (DELETE_BLACKLIST); |
3391 | 2526 | break; | 2223 | break; |
3392 | 2527 | case RESET | MOKX: | 2224 | case RESET | MOKX: |
3395 | 2528 | case RESET | SIMPLE_HASH | MOKX: | 2225 | ret = reset_moks (ENROLL_BLACKLIST, pw_hash_file, use_root_pw); |
3394 | 2529 | ret = reset_moks (ENROLL_BLACKLIST, hash_file, use_root_pw); | ||
3396 | 2530 | break; | 2226 | break; |
3397 | 2531 | case TEST_KEY | MOKX: | 2227 | case TEST_KEY | MOKX: |
3398 | 2532 | ret = test_key (ENROLL_BLACKLIST, key_file); | 2228 | ret = test_key (ENROLL_BLACKLIST, key_file); |
3399 | @@ -2534,9 +2230,21 @@ main (int argc, char *argv[]) | |||
3400 | 2534 | case VERBOSITY: | 2230 | case VERBOSITY: |
3401 | 2535 | ret = set_verbosity (verbosity); | 2231 | ret = set_verbosity (verbosity); |
3402 | 2536 | break; | 2232 | break; |
3403 | 2233 | case FB_VERBOSITY: | ||
3404 | 2234 | ret = set_fallback_verbosity (fb_verbosity); | ||
3405 | 2235 | break; | ||
3406 | 2236 | case FB_NOREBOOT: | ||
3407 | 2237 | ret = set_fallback_noreboot (fb_noreboot); | ||
3408 | 2238 | break; | ||
3409 | 2537 | case TIMEOUT: | 2239 | case TIMEOUT: |
3410 | 2538 | ret = set_timeout (timeout); | 2240 | ret = set_timeout (timeout); |
3411 | 2539 | break; | 2241 | break; |
3412 | 2242 | case LIST_SBAT: | ||
3413 | 2243 | ret = print_var_content ("SbatLevelRT", efi_guid_shim); | ||
3414 | 2244 | break; | ||
3415 | 2245 | case SET_SBAT: | ||
3416 | 2246 | ret = manage_sbat(sbat_policy); | ||
3417 | 2247 | break; | ||
3418 | 2540 | default: | 2248 | default: |
3419 | 2541 | print_help (); | 2249 | print_help (); |
3420 | 2542 | break; | 2250 | break; |
3421 | @@ -2555,8 +2263,8 @@ out: | |||
3422 | 2555 | if (key_file) | 2263 | if (key_file) |
3423 | 2556 | free (key_file); | 2264 | free (key_file); |
3424 | 2557 | 2265 | ||
3427 | 2558 | if (hash_file) | 2266 | if (pw_hash_file) |
3428 | 2559 | free (hash_file); | 2267 | free (pw_hash_file); |
3429 | 2560 | 2268 | ||
3430 | 2561 | if (input_pw) | 2269 | if (input_pw) |
3431 | 2562 | free (input_pw); | 2270 | free (input_pw); |
3432 | diff --git a/src/mokutil.h b/src/mokutil.h | |||
3433 | 2563 | new file mode 100644 | 2271 | new file mode 100644 |
3434 | index 0000000..75922fa | |||
3435 | --- /dev/null | |||
3436 | +++ b/src/mokutil.h | |||
3437 | @@ -0,0 +1,66 @@ | |||
3438 | 1 | /** | ||
3439 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
3440 | 3 | * | ||
3441 | 4 | * This program is free software: you can redistribute it and/or modify | ||
3442 | 5 | * it under the terms of the GNU General Public License as published by | ||
3443 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
3444 | 7 | * (at your option) any later version. | ||
3445 | 8 | * | ||
3446 | 9 | * This program is distributed in the hope that it will be useful, | ||
3447 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
3448 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
3449 | 12 | * GNU General Public License for more details. | ||
3450 | 13 | * | ||
3451 | 14 | * You should have received a copy of the GNU General Public License | ||
3452 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
3453 | 16 | * | ||
3454 | 17 | * In addition, as a special exception, the copyright holders give | ||
3455 | 18 | * permission to link the code of portions of this program with the | ||
3456 | 19 | * OpenSSL library under certain conditions as described in each | ||
3457 | 20 | * individual source file, and distribute linked combinations | ||
3458 | 21 | * including the two. | ||
3459 | 22 | * | ||
3460 | 23 | * You must obey the GNU General Public License in all respects | ||
3461 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
3462 | 25 | * file(s) with this exception, you may extend this exception to your | ||
3463 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
3464 | 27 | * do not wish to do so, delete this exception statement from your | ||
3465 | 28 | * version. If you delete this exception statement from all source | ||
3466 | 29 | * files in the program, then also delete it here. | ||
3467 | 30 | */ | ||
3468 | 31 | |||
3469 | 32 | #ifndef __MOKUTIL_H__ | ||
3470 | 33 | #define __MOKUTIL_H__ | ||
3471 | 34 | |||
3472 | 35 | #include <ctype.h> | ||
3473 | 36 | #include <wchar.h> | ||
3474 | 37 | |||
3475 | 38 | #include "signature.h" | ||
3476 | 39 | |||
3477 | 40 | typedef unsigned long efi_status_t; | ||
3478 | 41 | typedef uint8_t efi_bool_t; | ||
3479 | 42 | typedef wchar_t efi_char16_t; /* UNICODE character */ | ||
3480 | 43 | |||
3481 | 44 | typedef enum { | ||
3482 | 45 | DELETE_MOK = 0, | ||
3483 | 46 | ENROLL_MOK, | ||
3484 | 47 | DELETE_BLACKLIST, | ||
3485 | 48 | ENROLL_BLACKLIST, | ||
3486 | 49 | } MokRequest; | ||
3487 | 50 | |||
3488 | 51 | typedef enum { | ||
3489 | 52 | MOK_LIST_RT = 0, | ||
3490 | 53 | MOK_LIST_X_RT, | ||
3491 | 54 | PK, | ||
3492 | 55 | KEK, | ||
3493 | 56 | DB, | ||
3494 | 57 | DBX, | ||
3495 | 58 | } DBName; | ||
3496 | 59 | |||
3497 | 60 | typedef struct { | ||
3498 | 61 | EFI_SIGNATURE_LIST *header; | ||
3499 | 62 | uint32_t mok_size; | ||
3500 | 63 | void *mok; | ||
3501 | 64 | } MokListNode; | ||
3502 | 65 | |||
3503 | 66 | #endif /* __MOKUTIL_H__ */ | ||
3504 | diff --git a/src/password-crypt.c b/src/password-crypt.c | |||
3505 | index 0b31d64..db69b88 100644 | |||
3506 | --- a/src/password-crypt.c | |||
3507 | +++ b/src/password-crypt.c | |||
3508 | @@ -79,7 +79,7 @@ gen_salt_size (uint16_t min, uint16_t max) | |||
3509 | 79 | } | 79 | } |
3510 | 80 | 80 | ||
3511 | 81 | uint16_t | 81 | uint16_t |
3513 | 82 | get_salt_size (int method) { | 82 | get_pw_salt_size (const HashMethod method) { |
3514 | 83 | switch (method) { | 83 | switch (method) { |
3515 | 84 | case TRADITIONAL_DES: | 84 | case TRADITIONAL_DES: |
3516 | 85 | return T_DES_SALT_MAX; | 85 | return T_DES_SALT_MAX; |
3517 | @@ -98,7 +98,7 @@ get_salt_size (int method) { | |||
3518 | 98 | } | 98 | } |
3519 | 99 | 99 | ||
3520 | 100 | int | 100 | int |
3522 | 101 | get_hash_size (int method) | 101 | get_pw_hash_size (const HashMethod method) |
3523 | 102 | { | 102 | { |
3524 | 103 | switch (method) { | 103 | switch (method) { |
3525 | 104 | case TRADITIONAL_DES: | 104 | case TRADITIONAL_DES: |
3526 | @@ -119,7 +119,7 @@ get_hash_size (int method) | |||
3527 | 119 | } | 119 | } |
3528 | 120 | 120 | ||
3529 | 121 | const char * | 121 | const char * |
3531 | 122 | get_crypt_prefix (int method) | 122 | get_crypt_prefix (const HashMethod method) |
3532 | 123 | { | 123 | { |
3533 | 124 | switch (method) { | 124 | switch (method) { |
3534 | 125 | case TRADITIONAL_DES: | 125 | case TRADITIONAL_DES: |
3535 | @@ -405,7 +405,8 @@ split_24bit (const char *string, uint8_t *hash, int start, int n, | |||
3536 | 405 | return 0; | 405 | return 0; |
3537 | 406 | } | 406 | } |
3538 | 407 | 407 | ||
3540 | 408 | int restore_md5_array (const char *string, uint8_t *hash) | 408 | static int |
3541 | 409 | restore_md5_array (const char *string, uint8_t *hash) | ||
3542 | 409 | { | 410 | { |
3543 | 410 | uint32_t tmp = 0; | 411 | uint32_t tmp = 0; |
3544 | 411 | int value1, value2; | 412 | int value1, value2; |
3545 | @@ -440,7 +441,7 @@ int restore_md5_array (const char *string, uint8_t *hash) | |||
3546 | 440 | return 0; | 441 | return 0; |
3547 | 441 | } | 442 | } |
3548 | 442 | 443 | ||
3550 | 443 | int | 444 | static int |
3551 | 444 | restore_sha256_array (const char *string, uint8_t *hash) | 445 | restore_sha256_array (const char *string, uint8_t *hash) |
3552 | 445 | { | 446 | { |
3553 | 446 | uint32_t tmp = 0; | 447 | uint32_t tmp = 0; |
3554 | @@ -483,7 +484,7 @@ restore_sha256_array (const char *string, uint8_t *hash) | |||
3555 | 483 | return 0; | 484 | return 0; |
3556 | 484 | } | 485 | } |
3557 | 485 | 486 | ||
3559 | 486 | int | 487 | static int |
3560 | 487 | restore_sha512_array (const char *string, uint8_t *hash) | 488 | restore_sha512_array (const char *string, uint8_t *hash) |
3561 | 488 | { | 489 | { |
3562 | 489 | uint32_t tmp = 0; | 490 | uint32_t tmp = 0; |
3563 | diff --git a/src/password-crypt.h b/src/password-crypt.h | |||
3564 | index 5487363..214a65b 100644 | |||
3565 | --- a/src/password-crypt.h | |||
3566 | +++ b/src/password-crypt.h | |||
3567 | @@ -41,14 +41,14 @@ | |||
3568 | 41 | #define SHA512_SALT_MAX 16 | 41 | #define SHA512_SALT_MAX 16 |
3569 | 42 | #define BLOWFISH_SALT_MAX 22 | 42 | #define BLOWFISH_SALT_MAX 22 |
3570 | 43 | 43 | ||
3572 | 44 | enum HashMethod { | 44 | typedef enum { |
3573 | 45 | TRADITIONAL_DES = 0, | 45 | TRADITIONAL_DES = 0, |
3574 | 46 | EXTEND_BSDI_DES, | 46 | EXTEND_BSDI_DES, |
3575 | 47 | MD5_BASED, | 47 | MD5_BASED, |
3576 | 48 | SHA256_BASED, | 48 | SHA256_BASED, |
3577 | 49 | SHA512_BASED, | 49 | SHA512_BASED, |
3578 | 50 | BLOWFISH_BASED | 50 | BLOWFISH_BASED |
3580 | 51 | }; | 51 | } HashMethod; |
3581 | 52 | 52 | ||
3582 | 53 | typedef struct { | 53 | typedef struct { |
3583 | 54 | uint16_t method; | 54 | uint16_t method; |
3584 | @@ -64,9 +64,9 @@ typedef struct { | |||
3585 | 64 | #define SHA256_B64_LENGTH 43 | 64 | #define SHA256_B64_LENGTH 43 |
3586 | 65 | #define SHA512_B64_LENGTH 86 | 65 | #define SHA512_B64_LENGTH 86 |
3587 | 66 | 66 | ||
3591 | 67 | uint16_t get_salt_size (int method); | 67 | uint16_t get_pw_salt_size (const HashMethod method); |
3592 | 68 | int get_hash_size (int method); | 68 | int get_pw_hash_size (const HashMethod method); |
3593 | 69 | const char *get_crypt_prefix (int method); | 69 | const char *get_crypt_prefix (const HashMethod method); |
3594 | 70 | int decode_pass (const char *crypt_pass, pw_crypt_t *pw_crypt); | 70 | int decode_pass (const char *crypt_pass, pw_crypt_t *pw_crypt); |
3595 | 71 | char int_to_b64 (const int i); | 71 | char int_to_b64 (const int i); |
3596 | 72 | int b64_to_int (const char c); | 72 | int b64_to_int (const char c); |
3597 | diff --git a/src/util.c b/src/util.c | |||
3598 | 73 | new file mode 100644 | 73 | new file mode 100644 |
3599 | index 0000000..621869f | |||
3600 | --- /dev/null | |||
3601 | +++ b/src/util.c | |||
3602 | @@ -0,0 +1,456 @@ | |||
3603 | 1 | /** | ||
3604 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
3605 | 3 | * | ||
3606 | 4 | * This program is free software: you can redistribute it and/or modify | ||
3607 | 5 | * it under the terms of the GNU General Public License as published by | ||
3608 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
3609 | 7 | * (at your option) any later version. | ||
3610 | 8 | * | ||
3611 | 9 | * This program is distributed in the hope that it will be useful, | ||
3612 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
3613 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
3614 | 12 | * GNU General Public License for more details. | ||
3615 | 13 | * | ||
3616 | 14 | * You should have received a copy of the GNU General Public License | ||
3617 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
3618 | 16 | * | ||
3619 | 17 | * In addition, as a special exception, the copyright holders give | ||
3620 | 18 | * permission to link the code of portions of this program with the | ||
3621 | 19 | * OpenSSL library under certain conditions as described in each | ||
3622 | 20 | * individual source file, and distribute linked combinations | ||
3623 | 21 | * including the two. | ||
3624 | 22 | * | ||
3625 | 23 | * You must obey the GNU General Public License in all respects | ||
3626 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
3627 | 25 | * file(s) with this exception, you may extend this exception to your | ||
3628 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
3629 | 27 | * do not wish to do so, delete this exception statement from your | ||
3630 | 28 | * version. If you delete this exception statement from all source | ||
3631 | 29 | * files in the program, then also delete it here. | ||
3632 | 30 | */ | ||
3633 | 31 | |||
3634 | 32 | #include <stdio.h> | ||
3635 | 33 | #include <stdlib.h> | ||
3636 | 34 | #include <termios.h> | ||
3637 | 35 | |||
3638 | 36 | #include "efi_hash.h" | ||
3639 | 37 | #include "util.h" | ||
3640 | 38 | |||
3641 | 39 | int | ||
3642 | 40 | mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep) | ||
3643 | 41 | { | ||
3644 | 42 | char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name"; | ||
3645 | 43 | size_t filename_sz = sizeof(filename); | ||
3646 | 44 | int fd, rc; | ||
3647 | 45 | struct stat sb = { 0, }; | ||
3648 | 46 | uint8_t *buf; | ||
3649 | 47 | size_t bufsz, pos = 0; | ||
3650 | 48 | ssize_t ssz; | ||
3651 | 49 | |||
3652 | 50 | *datap = 0; | ||
3653 | 51 | *data_sizep = 0; | ||
3654 | 52 | |||
3655 | 53 | snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name); | ||
3656 | 54 | |||
3657 | 55 | fd = open(filename, O_RDONLY); | ||
3658 | 56 | if (fd < 0) | ||
3659 | 57 | return fd; | ||
3660 | 58 | |||
3661 | 59 | rc = fstat(fd, &sb); | ||
3662 | 60 | if (rc < 0) { | ||
3663 | 61 | err_close: | ||
3664 | 62 | close(fd); | ||
3665 | 63 | return rc; | ||
3666 | 64 | } | ||
3667 | 65 | |||
3668 | 66 | if (sb.st_size == 0) { | ||
3669 | 67 | errno = ENOENT; | ||
3670 | 68 | rc = -1; | ||
3671 | 69 | goto err_close; | ||
3672 | 70 | } | ||
3673 | 71 | |||
3674 | 72 | bufsz = sb.st_size; | ||
3675 | 73 | buf = calloc(1, bufsz); | ||
3676 | 74 | if (!buf) | ||
3677 | 75 | goto err_close; | ||
3678 | 76 | |||
3679 | 77 | while (pos < bufsz) { | ||
3680 | 78 | ssz = read(fd, &buf[pos], bufsz - pos); | ||
3681 | 79 | if (ssz < 0) { | ||
3682 | 80 | if (errno == EAGAIN || | ||
3683 | 81 | errno == EWOULDBLOCK || | ||
3684 | 82 | errno == EINTR) | ||
3685 | 83 | continue; | ||
3686 | 84 | free(buf); | ||
3687 | 85 | goto err_close; | ||
3688 | 86 | } | ||
3689 | 87 | |||
3690 | 88 | pos += ssz; | ||
3691 | 89 | } | ||
3692 | 90 | *datap = buf; | ||
3693 | 91 | *data_sizep = pos; | ||
3694 | 92 | |||
3695 | 93 | return 0; | ||
3696 | 94 | } | ||
3697 | 95 | |||
3698 | 96 | MokListNode* | ||
3699 | 97 | build_mok_list (const void *data, const uintptr_t data_size, | ||
3700 | 98 | uint32_t *mok_num) | ||
3701 | 99 | { | ||
3702 | 100 | MokListNode *list = NULL; | ||
3703 | 101 | MokListNode *list_new = NULL; | ||
3704 | 102 | EFI_SIGNATURE_LIST *CertList = (void *)data; | ||
3705 | 103 | EFI_SIGNATURE_DATA *Cert; | ||
3706 | 104 | unsigned long dbsize = data_size; | ||
3707 | 105 | unsigned long count = 0; | ||
3708 | 106 | const void *end = data + data_size; | ||
3709 | 107 | |||
3710 | 108 | while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { | ||
3711 | 109 | if ((void *)(CertList + 1) > end || | ||
3712 | 110 | CertList->SignatureListSize == 0 || | ||
3713 | 111 | CertList->SignatureListSize <= CertList->SignatureSize) { | ||
3714 | 112 | fprintf (stderr, "Corrupted signature list\n"); | ||
3715 | 113 | if (list) | ||
3716 | 114 | free (list); | ||
3717 | 115 | return NULL; | ||
3718 | 116 | } | ||
3719 | 117 | |||
3720 | 118 | efi_guid_t sigtype = CertList->SignatureType; | ||
3721 | 119 | |||
3722 | 120 | if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && | ||
3723 | 121 | (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) && | ||
3724 | 122 | (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) && | ||
3725 | 123 | (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) && | ||
3726 | 124 | (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) && | ||
3727 | 125 | (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) { | ||
3728 | 126 | dbsize -= CertList->SignatureListSize; | ||
3729 | 127 | CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + | ||
3730 | 128 | CertList->SignatureListSize); | ||
3731 | 129 | continue; | ||
3732 | 130 | } | ||
3733 | 131 | |||
3734 | 132 | if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && | ||
3735 | 133 | (CertList->SignatureSize != signature_size (&sigtype))) { | ||
3736 | 134 | dbsize -= CertList->SignatureListSize; | ||
3737 | 135 | CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + | ||
3738 | 136 | CertList->SignatureListSize); | ||
3739 | 137 | continue; | ||
3740 | 138 | } | ||
3741 | 139 | |||
3742 | 140 | Cert = (EFI_SIGNATURE_DATA *) (((uint8_t *) CertList) + | ||
3743 | 141 | sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); | ||
3744 | 142 | |||
3745 | 143 | if ((void *)(Cert + 1) > end || | ||
3746 | 144 | CertList->SignatureSize <= sizeof(efi_guid_t)) { | ||
3747 | 145 | if (list) | ||
3748 | 146 | free (list); | ||
3749 | 147 | fprintf (stderr, "Corrupted signature\n"); | ||
3750 | 148 | return NULL; | ||
3751 | 149 | } | ||
3752 | 150 | |||
3753 | 151 | list_new = realloc(list, sizeof(MokListNode) * (count + 1)); | ||
3754 | 152 | if (list_new) { | ||
3755 | 153 | list = list_new; | ||
3756 | 154 | } else { | ||
3757 | 155 | if (list) | ||
3758 | 156 | free (list); | ||
3759 | 157 | fprintf(stderr, "Unable to allocate MOK list\n"); | ||
3760 | 158 | return NULL; | ||
3761 | 159 | } | ||
3762 | 160 | |||
3763 | 161 | list[count].header = CertList; | ||
3764 | 162 | if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { | ||
3765 | 163 | /* X509 certificate */ | ||
3766 | 164 | list[count].mok_size = CertList->SignatureSize - | ||
3767 | 165 | sizeof(efi_guid_t); | ||
3768 | 166 | list[count].mok = (void *)Cert->SignatureData; | ||
3769 | 167 | } else { | ||
3770 | 168 | /* hash array */ | ||
3771 | 169 | list[count].mok_size = CertList->SignatureListSize - | ||
3772 | 170 | sizeof(EFI_SIGNATURE_LIST) - | ||
3773 | 171 | CertList->SignatureHeaderSize; | ||
3774 | 172 | list[count].mok = (void *)Cert; | ||
3775 | 173 | } | ||
3776 | 174 | |||
3777 | 175 | if (list[count].mok_size > (unsigned long)end - | ||
3778 | 176 | (unsigned long)list[count].mok) { | ||
3779 | 177 | fprintf (stderr, "Corrupted data\n"); | ||
3780 | 178 | free (list); | ||
3781 | 179 | return NULL; | ||
3782 | 180 | } | ||
3783 | 181 | |||
3784 | 182 | count++; | ||
3785 | 183 | dbsize -= CertList->SignatureListSize; | ||
3786 | 184 | CertList = (EFI_SIGNATURE_LIST *) ((uint8_t *) CertList + | ||
3787 | 185 | CertList->SignatureListSize); | ||
3788 | 186 | } | ||
3789 | 187 | |||
3790 | 188 | *mok_num = count; | ||
3791 | 189 | |||
3792 | 190 | return list; | ||
3793 | 191 | } | ||
3794 | 192 | |||
3795 | 193 | int | ||
3796 | 194 | test_and_delete_mok_var (const char *var_name) | ||
3797 | 195 | { | ||
3798 | 196 | size_t size; | ||
3799 | 197 | int ret; | ||
3800 | 198 | |||
3801 | 199 | ret = efi_get_variable_size (efi_guid_shim, var_name, &size); | ||
3802 | 200 | if (ret < 0) { | ||
3803 | 201 | if (errno == ENOENT) | ||
3804 | 202 | return 0; | ||
3805 | 203 | fprintf (stderr, "Failed to access variable \"%s\": %m\n", | ||
3806 | 204 | var_name); | ||
3807 | 205 | } | ||
3808 | 206 | |||
3809 | 207 | /* Attempt to delete it no matter what, problem efi_get_variable_size() | ||
3810 | 208 | * had, unless it just doesn't exist anyway. */ | ||
3811 | 209 | if (!(ret < 0 && errno == ENOENT)) { | ||
3812 | 210 | if (efi_del_variable (efi_guid_shim, var_name) < 0) | ||
3813 | 211 | fprintf (stderr, "Failed to unset \"%s\": %m\n", var_name); | ||
3814 | 212 | } | ||
3815 | 213 | |||
3816 | 214 | return ret; | ||
3817 | 215 | } | ||
3818 | 216 | |||
3819 | 217 | int | ||
3820 | 218 | delete_data_from_req_var (const MokRequest req, const efi_guid_t *type, | ||
3821 | 219 | const void *data, const uint32_t data_size) | ||
3822 | 220 | { | ||
3823 | 221 | const efi_guid_t *var_guid = &efi_guid_shim; | ||
3824 | 222 | const char *var_name = get_req_var_name (req); | ||
3825 | 223 | const char *authvar_name = get_req_auth_var_name (req); | ||
3826 | 224 | uint8_t *var_data = NULL; | ||
3827 | 225 | size_t var_data_size = 0; | ||
3828 | 226 | uint32_t attributes; | ||
3829 | 227 | MokListNode *list; | ||
3830 | 228 | uint32_t mok_num, total, remain; | ||
3831 | 229 | void *end, *start = NULL; | ||
3832 | 230 | int del_ind, ret = 0; | ||
3833 | 231 | uint32_t sig_list_size, sig_size; | ||
3834 | 232 | |||
3835 | 233 | if (!var_name || !data || data_size == 0) | ||
3836 | 234 | return 0; | ||
3837 | 235 | |||
3838 | 236 | ret = efi_get_variable (*var_guid, var_name, &var_data, &var_data_size, | ||
3839 | 237 | &attributes); | ||
3840 | 238 | if (ret < 0) { | ||
3841 | 239 | if (errno == ENOENT) | ||
3842 | 240 | return 0; | ||
3843 | 241 | fprintf (stderr, "Failed to read variable \"%s\": %m\n", | ||
3844 | 242 | var_name); | ||
3845 | 243 | return -1; | ||
3846 | 244 | } | ||
3847 | 245 | |||
3848 | 246 | total = var_data_size; | ||
3849 | 247 | |||
3850 | 248 | list = build_mok_list (var_data, var_data_size, &mok_num); | ||
3851 | 249 | if (list == NULL) | ||
3852 | 250 | goto done; | ||
3853 | 251 | |||
3854 | 252 | remain = total; | ||
3855 | 253 | for (unsigned int i = 0; i < mok_num; i++) { | ||
3856 | 254 | remain -= list[i].header->SignatureListSize; | ||
3857 | 255 | efi_guid_t sigtype = list[i].header->SignatureType; | ||
3858 | 256 | if (efi_guid_cmp (&sigtype, type) != 0) | ||
3859 | 257 | continue; | ||
3860 | 258 | |||
3861 | 259 | sig_list_size = list[i].header->SignatureListSize; | ||
3862 | 260 | |||
3863 | 261 | if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { | ||
3864 | 262 | if (list[i].mok_size != data_size) | ||
3865 | 263 | continue; | ||
3866 | 264 | |||
3867 | 265 | if (memcmp (list[i].mok, data, data_size) == 0) { | ||
3868 | 266 | /* Remove this key */ | ||
3869 | 267 | start = (void *)list[i].header; | ||
3870 | 268 | end = start + sig_list_size; | ||
3871 | 269 | total -= sig_list_size; | ||
3872 | 270 | break; | ||
3873 | 271 | } | ||
3874 | 272 | } else { | ||
3875 | 273 | del_ind = match_hash_array (type, data, list[i].mok, | ||
3876 | 274 | list[i].mok_size); | ||
3877 | 275 | if (del_ind < 0) | ||
3878 | 276 | continue; | ||
3879 | 277 | |||
3880 | 278 | start = (void *)list[i].header; | ||
3881 | 279 | sig_size = signature_size (type); | ||
3882 | 280 | if (sig_list_size == (sizeof(EFI_SIGNATURE_LIST) + sig_size)) { | ||
3883 | 281 | /* Only one hash in the list */ | ||
3884 | 282 | end = start + sig_list_size; | ||
3885 | 283 | total -= sig_list_size; | ||
3886 | 284 | } else { | ||
3887 | 285 | /* More than one hash in the list */ | ||
3888 | 286 | start += sizeof(EFI_SIGNATURE_LIST) + sig_size * del_ind; | ||
3889 | 287 | end = start + sig_size; | ||
3890 | 288 | total -= sig_size; | ||
3891 | 289 | list[i].header->SignatureListSize -= sig_size; | ||
3892 | 290 | remain += sig_list_size - sizeof(EFI_SIGNATURE_LIST) - | ||
3893 | 291 | (del_ind + 1) * sig_size; | ||
3894 | 292 | } | ||
3895 | 293 | break; | ||
3896 | 294 | } | ||
3897 | 295 | } | ||
3898 | 296 | |||
3899 | 297 | /* the key or hash is not in this list */ | ||
3900 | 298 | if (start == NULL) | ||
3901 | 299 | return 0; | ||
3902 | 300 | |||
3903 | 301 | /* all keys are removed */ | ||
3904 | 302 | if (total == 0) { | ||
3905 | 303 | if (test_and_delete_mok_var (var_name) != 0) | ||
3906 | 304 | goto done; | ||
3907 | 305 | if (test_and_delete_mok_var (authvar_name) != 0) | ||
3908 | 306 | goto done; | ||
3909 | 307 | ret = 1; | ||
3910 | 308 | goto done; | ||
3911 | 309 | } | ||
3912 | 310 | |||
3913 | 311 | /* remove the key or hash */ | ||
3914 | 312 | if (remain > 0) | ||
3915 | 313 | memmove (start, end, remain); | ||
3916 | 314 | |||
3917 | 315 | attributes = EFI_VARIABLE_NON_VOLATILE | ||
3918 | 316 | | EFI_VARIABLE_BOOTSERVICE_ACCESS | ||
3919 | 317 | | EFI_VARIABLE_RUNTIME_ACCESS; | ||
3920 | 318 | ret = efi_set_variable (*var_guid, var_name, | ||
3921 | 319 | var_data, total, attributes, | ||
3922 | 320 | S_IRUSR | S_IWUSR); | ||
3923 | 321 | if (ret < 0) { | ||
3924 | 322 | fprintf (stderr, "Failed to write variable \"%s\": %m\n", | ||
3925 | 323 | var_name); | ||
3926 | 324 | goto done; | ||
3927 | 325 | } | ||
3928 | 326 | efi_chmod_variable(*var_guid, var_name, S_IRUSR | S_IWUSR); | ||
3929 | 327 | |||
3930 | 328 | ret = 1; | ||
3931 | 329 | done: | ||
3932 | 330 | if (list) | ||
3933 | 331 | free (list); | ||
3934 | 332 | free (var_data); | ||
3935 | 333 | |||
3936 | 334 | return ret; | ||
3937 | 335 | } | ||
3938 | 336 | |||
3939 | 337 | unsigned long | ||
3940 | 338 | efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) | ||
3941 | 339 | { | ||
3942 | 340 | unsigned int i, src_len = strlen(src); | ||
3943 | 341 | for (i=0; i < src_len && i < (dest_len/sizeof(*dest)) - 1; i++) { | ||
3944 | 342 | dest[i] = src[i]; | ||
3945 | 343 | } | ||
3946 | 344 | dest[i] = 0; | ||
3947 | 345 | return i * sizeof(*dest); | ||
3948 | 346 | } | ||
3949 | 347 | |||
3950 | 348 | int | ||
3951 | 349 | read_hidden_line (char **line, size_t *n) | ||
3952 | 350 | { | ||
3953 | 351 | struct termios old, new; | ||
3954 | 352 | int nread; | ||
3955 | 353 | int isTTY = isatty(fileno (stdin)); | ||
3956 | 354 | |||
3957 | 355 | if (isTTY) { | ||
3958 | 356 | /* Turn echoing off and fail if we can't. */ | ||
3959 | 357 | if (tcgetattr (fileno (stdin), &old) != 0) | ||
3960 | 358 | return -1; | ||
3961 | 359 | |||
3962 | 360 | new = old; | ||
3963 | 361 | new.c_lflag &= ~ECHO; | ||
3964 | 362 | |||
3965 | 363 | if (tcsetattr (fileno (stdin), TCSAFLUSH, &new) != 0) | ||
3966 | 364 | return -1; | ||
3967 | 365 | } | ||
3968 | 366 | |||
3969 | 367 | /* Read the password. */ | ||
3970 | 368 | nread = getline (line, n, stdin); | ||
3971 | 369 | |||
3972 | 370 | if (isTTY) { | ||
3973 | 371 | /* Restore terminal. */ | ||
3974 | 372 | (void) tcsetattr (fileno (stdin), TCSAFLUSH, &old); | ||
3975 | 373 | } | ||
3976 | 374 | |||
3977 | 375 | /* Remove the newline */ | ||
3978 | 376 | (*line)[nread-1] = '\0'; | ||
3979 | 377 | |||
3980 | 378 | return nread-1; | ||
3981 | 379 | } | ||
3982 | 380 | |||
3983 | 381 | const char * | ||
3984 | 382 | get_db_var_name (const DBName db_name) | ||
3985 | 383 | { | ||
3986 | 384 | const char *db_var_names[] = { | ||
3987 | 385 | [MOK_LIST_RT] = "MokListRT", | ||
3988 | 386 | [MOK_LIST_X_RT] = "MokListXRT", | ||
3989 | 387 | [PK] = "PK", | ||
3990 | 388 | [KEK] = "KEK", | ||
3991 | 389 | [DB] = "db", | ||
3992 | 390 | [DBX] = "dbx", | ||
3993 | 391 | }; | ||
3994 | 392 | |||
3995 | 393 | return db_var_names[db_name]; | ||
3996 | 394 | } | ||
3997 | 395 | |||
3998 | 396 | const char * | ||
3999 | 397 | get_db_friendly_name (const DBName db_name) | ||
4000 | 398 | { | ||
4001 | 399 | const char *db_friendly_names[] = { | ||
4002 | 400 | [MOK_LIST_RT] = "MOK", | ||
4003 | 401 | [MOK_LIST_X_RT] = "MOKX", | ||
4004 | 402 | [PK] = "PK", | ||
4005 | 403 | [KEK] = "KEK", | ||
4006 | 404 | [DB] = "DB", | ||
4007 | 405 | [DBX] = "DBX", | ||
4008 | 406 | }; | ||
4009 | 407 | |||
4010 | 408 | return db_friendly_names[db_name]; | ||
4011 | 409 | } | ||
4012 | 410 | |||
4013 | 411 | const char * | ||
4014 | 412 | get_req_var_name (const MokRequest req) | ||
4015 | 413 | { | ||
4016 | 414 | const char *var_names[] = { | ||
4017 | 415 | [DELETE_MOK] = "MokDel", | ||
4018 | 416 | [ENROLL_MOK] = "MokNew", | ||
4019 | 417 | [DELETE_BLACKLIST] = "MokXDel", | ||
4020 | 418 | [ENROLL_BLACKLIST] = "MokXNew" | ||
4021 | 419 | }; | ||
4022 | 420 | |||
4023 | 421 | return var_names[req]; | ||
4024 | 422 | } | ||
4025 | 423 | |||
4026 | 424 | const char * | ||
4027 | 425 | get_req_auth_var_name (const MokRequest req) | ||
4028 | 426 | { | ||
4029 | 427 | const char *auth_var_names[] = { | ||
4030 | 428 | [DELETE_MOK] = "MokDelAuth", | ||
4031 | 429 | [ENROLL_MOK] = "MokAuth", | ||
4032 | 430 | [DELETE_BLACKLIST] = "MokXDelAuth", | ||
4033 | 431 | [ENROLL_BLACKLIST] = "MokXAuth" | ||
4034 | 432 | }; | ||
4035 | 433 | |||
4036 | 434 | return auth_var_names[req]; | ||
4037 | 435 | } | ||
4038 | 436 | |||
4039 | 437 | MokRequest | ||
4040 | 438 | get_reverse_req (const MokRequest req) | ||
4041 | 439 | { | ||
4042 | 440 | const MokRequest reverse_reqs[] = { | ||
4043 | 441 | [DELETE_MOK] = ENROLL_MOK, | ||
4044 | 442 | [ENROLL_MOK] = DELETE_MOK, | ||
4045 | 443 | [DELETE_BLACKLIST] = ENROLL_BLACKLIST, | ||
4046 | 444 | [ENROLL_BLACKLIST] = DELETE_BLACKLIST, | ||
4047 | 445 | }; | ||
4048 | 446 | |||
4049 | 447 | return reverse_reqs[req]; | ||
4050 | 448 | } | ||
4051 | 449 | |||
4052 | 450 | const char * | ||
4053 | 451 | get_reverse_req_var_name (const MokRequest req) | ||
4054 | 452 | { | ||
4055 | 453 | const MokRequest reverse_req = get_reverse_req (req); | ||
4056 | 454 | |||
4057 | 455 | return get_req_var_name (reverse_req); | ||
4058 | 456 | } | ||
4059 | diff --git a/src/util.h b/src/util.h | |||
4060 | 0 | new file mode 100644 | 457 | new file mode 100644 |
4061 | index 0000000..70deb31 | |||
4062 | --- /dev/null | |||
4063 | +++ b/src/util.h | |||
4064 | @@ -0,0 +1,58 @@ | |||
4065 | 1 | /** | ||
4066 | 2 | * Copyright (C) 2020 Gary Lin <glin@suse.com> | ||
4067 | 3 | * | ||
4068 | 4 | * This program is free software: you can redistribute it and/or modify | ||
4069 | 5 | * it under the terms of the GNU General Public License as published by | ||
4070 | 6 | * the Free Software Foundation, either version 3 of the License, or | ||
4071 | 7 | * (at your option) any later version. | ||
4072 | 8 | * | ||
4073 | 9 | * This program is distributed in the hope that it will be useful, | ||
4074 | 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
4075 | 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
4076 | 12 | * GNU General Public License for more details. | ||
4077 | 13 | * | ||
4078 | 14 | * You should have received a copy of the GNU General Public License | ||
4079 | 15 | * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
4080 | 16 | * | ||
4081 | 17 | * In addition, as a special exception, the copyright holders give | ||
4082 | 18 | * permission to link the code of portions of this program with the | ||
4083 | 19 | * OpenSSL library under certain conditions as described in each | ||
4084 | 20 | * individual source file, and distribute linked combinations | ||
4085 | 21 | * including the two. | ||
4086 | 22 | * | ||
4087 | 23 | * You must obey the GNU General Public License in all respects | ||
4088 | 24 | * for all of the code used other than OpenSSL. If you modify | ||
4089 | 25 | * file(s) with this exception, you may extend this exception to your | ||
4090 | 26 | * version of the file(s), but you are not obligated to do so. If you | ||
4091 | 27 | * do not wish to do so, delete this exception statement from your | ||
4092 | 28 | * version. If you delete this exception statement from all source | ||
4093 | 29 | * files in the program, then also delete it here. | ||
4094 | 30 | */ | ||
4095 | 31 | |||
4096 | 32 | #ifndef __UTIL_H__ | ||
4097 | 33 | #define __UTIL_H__ | ||
4098 | 34 | |||
4099 | 35 | #include <efivar.h> | ||
4100 | 36 | #include "mokutil.h" | ||
4101 | 37 | |||
4102 | 38 | #include <sys/types.h> | ||
4103 | 39 | #include <sys/stat.h> | ||
4104 | 40 | #include <fcntl.h> | ||
4105 | 41 | |||
4106 | 42 | int mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep); | ||
4107 | 43 | MokListNode *build_mok_list (const void *data, const uintptr_t data_size, | ||
4108 | 44 | uint32_t *mok_num); | ||
4109 | 45 | int test_and_delete_mok_var (const char *var_name); | ||
4110 | 46 | int delete_data_from_req_var (const MokRequest req, const efi_guid_t *type, | ||
4111 | 47 | const void *data, const uint32_t data_size); | ||
4112 | 48 | unsigned long efichar_from_char (efi_char16_t *dest, const char *src, | ||
4113 | 49 | size_t dest_len); | ||
4114 | 50 | int read_hidden_line (char **line, size_t *n); | ||
4115 | 51 | const char *get_db_var_name (const DBName db); | ||
4116 | 52 | const char *get_db_friendly_name (const DBName db); | ||
4117 | 53 | const char *get_req_var_name (const MokRequest req); | ||
4118 | 54 | const char *get_req_auth_var_name (const MokRequest req); | ||
4119 | 55 | MokRequest get_reverse_req (const MokRequest req); | ||
4120 | 56 | const char *get_reverse_req_var_name (const MokRequest req); | ||
4121 | 57 | |||
4122 | 58 | #endif /* __UTIL_H__ */ |