File mokutil-support-revoke-builtin-cert.patch of Package mokutil

From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate

This is an openSUSE-only patch.

This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
 src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/src/mokutil.c b/src/mokutil.c
index 5b34f22..ab3d04f 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -83,6 +83,7 @@
 #define IMPORT_HASH        (1 << 21)
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
+#define REVOKE_CERT        (1 << 24)
 
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -156,6 +157,7 @@ print_help ()
 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
 	printf ("  --db\t\t\t\t\tList the keys in db\n");
 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
+	printf ("  --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
 	printf ("\n");
 	printf ("Supplimentary Options:\n");
 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity)
 	return 0;
 }
 
+static int
+revoke_builtin_cert (void)
+{
+	efi_variable_t var;
+	pw_crypt_t pw_crypt;
+	uint8_t auth[SHA256_DIGEST_LENGTH];
+	char *password = NULL;
+	int pw_len;
+	int auth_ret;
+	int ret = -1;
+
+	/* Check use_openSUSE_cert */
+	memset (&var, 0, sizeof(var));
+	var.VariableName = "use_openSUSE_cert";
+	var.VendorGuid = SHIM_LOCK_GUID;
+
+	if (read_variable (&var) != EFI_SUCCESS)
+		return 0;
+
+	if ((uint8_t)*var.Data != 1) {
+		free (var.Data);
+		fprintf (stderr, "The built-in certificate is already revoked.\n");
+		return 0;
+	}
+	free (var.Data);
+
+	memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+	memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+	if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+		fprintf (stderr, "Abort\n");
+		goto error;
+	}
+
+	if (!use_simple_hash) {
+		pw_crypt.method = DEFAULT_CRYPT_METHOD;
+		auth_ret = generate_hash (&pw_crypt, password, pw_len);
+	} else {
+		auth_ret = generate_auth (NULL, 0, password, pw_len,
+					  auth);
+	}
+	if (auth_ret < 0) {
+		fprintf (stderr, "Couldn't generate hash\n");
+		goto error;
+	}
+
+	if (!use_simple_hash) {
+		var.Data = (void *)&pw_crypt;
+		var.DataSize = PASSWORD_CRYPT_SIZE;
+	} else {
+		var.Data = (void *)auth;
+		var.DataSize = SHA256_DIGEST_LENGTH;
+	}
+	var.VariableName = "ClearVerify";
+
+	var.VendorGuid = SHIM_LOCK_GUID;
+	var.Attributes = EFI_VARIABLE_NON_VOLATILE
+			 | EFI_VARIABLE_BOOTSERVICE_ACCESS
+			 | EFI_VARIABLE_RUNTIME_ACCESS;
+
+	if (edit_protected_variable (&var) != EFI_SUCCESS) {
+		fprintf (stderr, "Failed to write ClearVerify\n");
+		goto error;
+	}
+
+	ret = 0;
+error:
+	if (password)
+		free (password);
+
+	return ret;
+}
+
 static inline int
 list_db (DBName db_name)
 {
@@ -2070,6 +2145,7 @@ main (int argc, char *argv[])
 			{"kek",                no_argument,       0, 0  },
 			{"db",                 no_argument,       0, 0  },
 			{"dbx",                no_argument,       0, 0  },
+			{"revoke-cert",        no_argument,       0, 0  },
 			{0, 0, 0, 0}
 		};
 
@@ -2157,6 +2233,8 @@ main (int argc, char *argv[])
 					command |= LIST_ENROLLED;
 					db_name = DBX;
 				}
+			} else if (strcmp (option, "revoke-cert") == 0) {
+				command |= REVOKE_CERT;
 			}
 
 			break;
@@ -2416,6 +2494,10 @@ main (int argc, char *argv[])
 		case VERBOSITY:
 			ret = set_verbosity (verbosity);
 			break;
+		case REVOKE_CERT:
+		case REVOKE_CERT | SIMPLE_HASH:
+			ret = revoke_builtin_cert ();
+			break;
 		default:
 			print_help ();
 			break;
-- 
2.9.0


From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 4 Nov 2014 14:50:36 +0800
Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables

This is an openSUSE-only patch.

Adapt the changes in the mainline.
---
 src/mokutil.c | 45 +++++++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/src/mokutil.c b/src/mokutil.c
index ab3d04f..9dcf4f1 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity)
 static int
 revoke_builtin_cert (void)
 {
-	efi_variable_t var;
+	uint32_t attributes;
+	size_t data_size;
+	uint8_t *data;
 	pw_crypt_t pw_crypt;
 	uint8_t auth[SHA256_DIGEST_LENGTH];
 	char *password = NULL;
-	int pw_len;
+	unsigned int pw_len;
 	int auth_ret;
 	int ret = -1;
 
 	/* Check use_openSUSE_cert */
-	memset (&var, 0, sizeof(var));
-	var.VariableName = "use_openSUSE_cert";
-	var.VendorGuid = SHIM_LOCK_GUID;
+	if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
+			      &data, &data_size, &attributes) < 0) {
+		fprintf (stderr, "Failed to get use_openSUSE_cert\n");
+		return 0;
+	}
 
-	if (read_variable (&var) != EFI_SUCCESS)
+	if (data_size != 1) {
+		free (data);
+		fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
 		return 0;
+	}
 
-	if ((uint8_t)*var.Data != 1) {
-		free (var.Data);
+	if (*data != 1) {
+		free (data);
 		fprintf (stderr, "The built-in certificate is already revoked.\n");
 		return 0;
 	}
-	free (var.Data);
+	free (data);
 
 	memset (&pw_crypt, 0, sizeof(pw_crypt_t));
 	memset (auth, 0, SHA256_DIGEST_LENGTH);
@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void)
 	}
 
 	if (!use_simple_hash) {
-		var.Data = (void *)&pw_crypt;
-		var.DataSize = PASSWORD_CRYPT_SIZE;
+		data = (uint8_t *)&pw_crypt;
+		data_size = PASSWORD_CRYPT_SIZE;
 	} else {
-		var.Data = (void *)auth;
-		var.DataSize = SHA256_DIGEST_LENGTH;
+		data = auth;
+		data_size = SHA256_DIGEST_LENGTH;
 	}
-	var.VariableName = "ClearVerify";
-
-	var.VendorGuid = SHIM_LOCK_GUID;
-	var.Attributes = EFI_VARIABLE_NON_VOLATILE
-			 | EFI_VARIABLE_BOOTSERVICE_ACCESS
-			 | EFI_VARIABLE_RUNTIME_ACCESS;
+	attributes = EFI_VARIABLE_NON_VOLATILE
+		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
+		     | EFI_VARIABLE_RUNTIME_ACCESS;
 
-	if (edit_protected_variable (&var) != EFI_SUCCESS) {
+	if (efi_set_variable (efi_guid_shim, "ClearVerify",
+			      data, data_size, attributes) < 0) {
 		fprintf (stderr, "Failed to write ClearVerify\n");
 		goto error;
 	}
-- 
2.9.0


From 05c64b7b7d44f1c2a106e7273a33f83e57452d92 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 13 Jul 2016 14:58:15 +0800
Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24

This is an openSUSE-only patch.
---
 src/mokutil.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mokutil.c b/src/mokutil.c
index 9dcf4f1..1a8ccc9 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -2061,7 +2061,8 @@ revoke_builtin_cert (void)
 		     | EFI_VARIABLE_RUNTIME_ACCESS;
 
 	if (efi_set_variable (efi_guid_shim, "ClearVerify",
-			      data, data_size, attributes) < 0) {
+			      data, data_size, attributes,
+			      S_IRUSR | S_IWUSR) < 0) {
 		fprintf (stderr, "Failed to write ClearVerify\n");
 		goto error;
 	}
-- 
2.9.0
openSUSE Build Service is sponsored by