
From ba91a8a4b1eaea166f0bbf799aa2abbc889faa60 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 5 Mar 2021 18:01:36 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content

This variable contains the descriptive form of all the components used by
the operating systems that ship signed shim binaries, along with a minimum
generation number for each component. More information can be found in
the UEFI Secure Boot Advanced Targeting (SBAT) specification:

  https://github.com/rhboot/shim/blob/main/SBAT.md

Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
encoded strings, the data could just be printed without the need to do any
previous processing.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 man/mokutil.1 |  5 +++++
 src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Index: mokutil-0.2.0/man/mokutil.1
===================================================================
--- mokutil-0.2.0.orig/man/mokutil.1
+++ mokutil-0.2.0/man/mokutil.1
@@ -65,6 +65,8 @@ mokutil \- utility to manipulate machine
 .br
 \fBmokutil\fR [--dbx]
 .br
+\fBmokutil\fR [--sbat]
+.br
 
 .SH DESCRIPTION
 \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -157,3 +159,6 @@ List the keys in the secure boot signatu
 \fB--dbx\fR
 List the keys in the secure boot blacklist signature store (dbx)
 .TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
Index: mokutil-0.2.0/src/mokutil.c
===================================================================
--- mokutil-0.2.0.orig/src/mokutil.c
+++ mokutil-0.2.0/src/mokutil.c
@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0x
 #define IMPORT_HASH        (1 << 21)
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
+#define LIST_SBAT          (1 << 24)
 
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -152,6 +153,7 @@ print_help ()
 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
 	printf ("  --db\t\t\t\t\tList the keys in db\n");
 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
+	printf ("  --sbat\t\t\t\tList the entries in SBAT\n");
 	printf ("\n");
 	printf ("Supplimentary Options:\n");
 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1956,6 +1958,33 @@ set_verbosity (uint8_t verbosity)
 	return 0;
 }
 
+static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+	efi_variable_t var;
+	efi_status_t status;
+
+	memset (&var, 0, sizeof(var));
+	var.VariableName = var_name;
+	var.VendorGuid = guid;
+
+	status = read_variable (&var);
+	if (status != EFI_SUCCESS) {
+		if (status == EFI_NOT_FOUND) {
+			printf ("%s is empty\n", var_name);
+			return 0;
+		}
+
+		fprintf (stderr, "Failed to read %s: %m\n", var_name);
+		return -1;
+	}
+
+	printf ("%s", (uint8_t *) var.Data);
+	free (var.Data);
+
+	return 0;
+}
+
 static inline int
 list_db (DBName db_name)
 {
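Review bot: `printf ("%s", (uint8_t *) var.Data);` in print_var_content assumes the variable payload is NUL-terminated, but read_variable hands back the raw bytes of an EFI variable and nothing in this hunk appends a terminator, so a SBAT blob whose last byte is not zero makes printf read past the end of the allocation. Print by length instead, using the size field that read_variable fills in (DataSize, assuming that is its name in efi_variable_t): `fwrite (var.Data, 1, var.DataSize, stdout);`. That also removes the pointer-type mismatch of passing a `uint8_t *` to `%s`, which -Wformat flags. The `%m` in the error path prints strerror(errno), which is only meaningful if read_variable sets errno on failure; if it reports solely through the returned efi_status_t, that message can be misleading and the status value should be printed instead.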
@@ -2027,6 +2056,7 @@ main (int argc, char *argv[])
 			{"kek",                no_argument,       0, 0  },
 			{"db",                 no_argument,       0, 0  },
 			{"dbx",                no_argument,       0, 0  },
+			{"sbat",               no_argument,       0, 0  },
 			{0, 0, 0, 0}
 		};
 
@@ -2114,6 +2144,8 @@ main (int argc, char *argv[])
 					command |= LIST_ENROLLED;
 					db_name = DBX;
 				}
+			}  else if (strcmp (option, "sbat") == 0) {
+				command |= LIST_SBAT;
 			}
 
 			break;
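Review bot: The new branch `}  else if (strcmp (option, "sbat") == 0) {` has two spaces between the closing brace and `else`, which presumably does not match the rest of the option chain; use `} else if (strcmp (option, "sbat") == 0) {` so the chain stays uniform. The enclosing option-parsing switch starts and ends outside the hunk.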
@@ -2373,6 +2405,9 @@ main (int argc, char *argv[])
 		case VERBOSITY:
 			ret = set_verbosity (verbosity);
 			break;
+		case LIST_SBAT:
+			ret = print_var_content ("SBAT", SHIM_LOCK_GUID);
+			break;
 		default:
 			print_help ();
 			break;