File mokutil-bsc1193315-add-ca-check.patch of Package mokutil
From 3272ed2580a3d31c839cbd04ac89db77b5ccd4d2 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Thu, 27 Aug 2020 11:31:08 +0800 Subject: [PATCH 01/10] efi_x509: add the function to check immediate CA Add a new function, is_immediate_ca(), to check whether the given CA cert is the immediate CA of the cert. Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit 643bb8dacb221979354dab814fc2d41e94a02d67) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index d9b657b..202aa6a 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
@@ -1037,6 +1037,79 @@ done: return ret; } +/** + * Check whether the given CA cert is the immediate CA of the given cert + **/ +static int +is_immediate_ca (const uint8_t *cert, const uint32_t cert_size, + const uint8_t *ca_cert, const uint32_t ca_cert_size) +{ + X509 *X509cert = NULL; + X509 *X509ca = NULL; + X509_STORE *cert_store = NULL; + X509_STORE_CTX *cert_ctx = NULL; + int ret = 0; + + if (cert == NULL || ca_cert == NULL) + return 0; + + if (EVP_add_digest (EVP_md5 ()) == 0) + return 0; + if (EVP_add_digest (EVP_sha1 ()) == 0) + return 0; + if (EVP_add_digest (EVP_sha256 ()) == 0) + return 0; + + X509cert = d2i_X509 (NULL, &cert, cert_size); + if (X509cert == NULL) + return 0; + + X509ca = d2i_X509 (NULL, &ca_cert, ca_cert_size); + if (X509ca == NULL) + return 0; + + cert_store = X509_STORE_new (); + if (cert_store == NULL) + goto err; + + if (X509_STORE_add_cert (cert_store, X509ca) == 0) + goto err; + + /* Follow edk2 CryptoPkg to allow partial certificate chains and + * disable time checks */ + X509_STORE_set_flags (cert_store, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); + + cert_ctx = X509_STORE_CTX_new (); + if (cert_ctx == NULL) + goto err; + + if (X509_STORE_CTX_init (cert_ctx, cert_store, X509cert, NULL) == 0) + goto err; + + /* Verify the cert */ + ret = X509_verify_cert (cert_ctx); + /* Treat the exceptional error as FALSE */ + if (ret < 0) + ret = 0; + X509_STORE_CTX_cleanup (cert_ctx); + +err: + if (X509cert) + X509_free (X509cert); + + if (X509ca) + X509_free (X509ca); + + if (cert_store) + X509_STORE_free (cert_store); + + if (cert_store) + X509_STORE_CTX_free (cert_ctx); + + return ret; +} + static int is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req) { -- 2.12.3 From 1f81aba7456ee2ecb6f280939369d3a9757ac76b Mon Sep 17 00:00:00 2001 
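Review bot: The `if (X509ca == NULL) return 0;` after the second d2i_X509 leaks the X509cert parsed just above it, because that early return bypasses the `err:` cleanup; it should be `if (X509ca == NULL) goto err;` (ret is already 0 there). The last cleanup step also tests the wrong pointer: `if (cert_store) X509_STORE_CTX_free (cert_ctx);` should read `if (cert_ctx) X509_STORE_CTX_free (cert_ctx);` — it only works today because cert_ctx is NULL whenever cert_store is. The verification is deliberately lenient (partial chain, no time check, and MD5/SHA1 digests registered up front), which is fine for a "should we bother enrolling this" heuristic but would be wrong if anyone later reused it as a trust check; a comment above the flags such as `/* Lenient on purpose: this only detects issuer linkage for the skip heuristic, it is not a trust decision. */` would pin that down. If I read X509_V_FLAG_PARTIAL_CHAIN correctly, passing the same self-signed certificate as both cert and ca_cert also returns 1, which callers comparing a key against a list it is already in should be aware of.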
From: Gary Lin <glin@suse.com> Date: Thu, 27 Aug 2020 14:11:56 +0800 Subject: [PATCH 02/10] mokutil: do the CA check Check whether th CA cert is already enrolled in the key database before enrolling the key. The check can be disabled with "--ignore-ca-check". Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit ff20a53a111fe3e027da7250175b7ef09ce3b1da) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index 202aa6a..da72918 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -90,6 +90,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, #define BUF_SIZE 300 static int use_simple_hash; +static int force_ca_check; typedef enum { DELETE_MOK = 0, @@ -158,6 +159,7 @@ print_help () printf (" --root-pw\t\t\t\tUse the root password\n"); printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); + printf (" --ignore-ca-check\t\t\tDon't check CA of the given certificate\n"); } static int 
@@ -1196,6 +1198,71 @@ in_pending_request (efi_guid_t type, void *data, uint32_t data_size, return 0; } +static int +is_ca_in_db (const void *cert, const uint32_t cert_size, + const efi_guid_t *vendor, const char *db_name) +{ + uint8_t *var_data; + size_t var_data_size; + uint32_t attributes; + uint32_t node_num; + MokListNode *list; + int ret = 0; + unsigned int i; + + if (!cert || cert_size == 0 || !vendor || !db_name) + return 0; + + ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, + &attributes); + if (ret < 0) + return 0; + + list = build_mok_list (var_data, var_data_size, &node_num); + if (list == NULL) { + goto done; + } + + for (i = 0; i < node_num; i++) { + efi_guid_t sigtype = list[i].header->SignatureType; + if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) + continue; + + if (is_immediate_ca (cert, cert_size, list[i].mok, + list[i].mok_size)) { + ret = 1; + break; + } + } + +done: + if (list) + free (list); + free (var_data); + + return ret; +} + +/* Check whether the CA cert is already enrolled */ +static int +is_ca_enrolled (void *mok, uint32_t mok_size, MokRequest req) +{ + switch (req) { + case ENROLL_MOK: + if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListRT")) + return 1; + break; + case ENROLL_BLACKLIST: + if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListXRT")) + return 1; + break; + default: + return 0; + } + + return 0; +} + static void print_skip_message (const char *filename, void *mok, uint32_t mok_size, MokRequest req) @@ -1347,6 +1414,13 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, goto error; } + /* Check whether CA is already enrolled */ + if (force_ca_check && is_ca_enrolled (ptr, sizes[i], req)) { + fprintf (stderr, "CA of %s is already enrolled\n", + files[i]); + goto error; + } + if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) { ptr += sizes[i]; real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); 
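Review bot: In is_ca_in_db, `ret` first holds efi_get_variable()'s status and is then reused as the boolean result, so on the `list == NULL` path the function returns whatever efi_get_variable returned rather than an explicit 0; libefivar returns 0 on success, so this happens to work, but the two meanings of ret are easy to confuse in a later edit. Keep ret for the result only: `if (efi_get_variable (*vendor, db_name, &var_data, &var_data_size, &attributes) < 0) return 0;`. `var_data_size` is a size_t and is passed straight to build_mok_list, which presumably takes a 32-bit size — if so the implicit narrowing deserves either a cast or a range check before the call.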
@@ -1923,6 +1997,17 @@ test_key (MokRequest req, const char *key_file) goto error; } + if (!is_valid_cert (key, read_size)) { + fprintf (stderr, "Not a valid x509 certificate\n"); + goto error; + } + + if (force_ca_check && is_ca_enrolled (key, read_size, req)) { + fprintf (stderr, "CA of %s is already enrolled\n", + key_file); + goto error; + } + if (is_valid_request (EfiCertX509Guid, key, read_size, req)) { printf ("%s is not enrolled\n", key_file); ret = 0; @@ -2067,6 +2152,7 @@ main (int argc, char *argv[]) int ret = -1; use_simple_hash = 0; + force_ca_check = 1; while (1) { static struct option long_options[] = { @@ -2100,6 +2186,7 @@ main (int argc, char *argv[]) {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, + {"ignore-ca-check", no_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2187,6 +2274,8 @@ main (int argc, char *argv[]) command |= LIST_ENROLLED; db_name = DBX; } + } else if (strcmp (option, "ignore-ca-check") == 0) { + force_ca_check = 0; } break; -- 2.12.3 From e9383972552fcee6e676bc638a6a85b1d92a364b Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" <jlee@suse.com> Date: Wed, 23 Feb 2022 14:16:44 +0800 Subject: [PATCH 03/10] mokutil: do the CA check use old api This patch modified Gary's changes in mokutil-do-the-CA-check.patch by using old api in mokutil instread of libefivar. The reason is that mokutil v0.2 has no configure.ac. It direct maintains configure file. SLE12-SP5 has efivar-devel but I don't want to patch the configure file to maintain a new efivar in it. So I choice to replace libefivar api to old EFI api in mokutil-do-the-CA-check.patch. Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index da72918..7962c76 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
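Review bot: In the test_key hunk, a certificate whose CA is already enrolled takes the `goto error` path, so `--test-key` reports it the same way as an unreadable key file rather than as a key that does not need enrolling. If the intent is "enrollment would be skipped", setting the enrolled status (`ret = 1;` as the enrolled branch below does) together with the message would let scripts that branch on the exit code make the right decision. test_key's body starts and ends outside the hunk, so I cannot see what `error:` returns — confirm before changing.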
@@ -1200,32 +1200,34 @@ in_pending_request (efi_guid_t type, void *data, uint32_t data_size, static int is_ca_in_db (const void *cert, const uint32_t cert_size, - const efi_guid_t *vendor, const char *db_name) + const efi_guid_t vendor, const char *db_name) { - uint8_t *var_data; - size_t var_data_size; - uint32_t attributes; + efi_variable_t var; uint32_t node_num; MokListNode *list; int ret = 0; unsigned int i; - if (!cert || cert_size == 0 || !vendor || !db_name) + if (!cert || cert_size == 0 || !db_name) return 0; - ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size, - &attributes); - if (ret < 0) + memset (&var, 0, sizeof(var)); + var.VariableName = db_name; + var.VendorGuid = vendor; + + if (read_variable (&var) != EFI_SUCCESS) { + fprintf (stderr, "Failed to read CA\n"); return 0; + } - list = build_mok_list (var_data, var_data_size, &node_num); + list = build_mok_list (var.Data, var.DataSize, &node_num); if (list == NULL) { goto done; } for (i = 0; i < node_num; i++) { efi_guid_t sigtype = list[i].header->SignatureType; - if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) + if (efi_guidcmp (sigtype, EfiCertX509Guid) != 0) continue; if (is_immediate_ca (cert, cert_size, list[i].mok, @@ -1238,7 +1240,7 @@ is_ca_in_db (const void *cert, const uint32_t cert_size, done: if (list) free (list); - free (var_data); + free (var.Data); return ret; } @@ -1249,11 +1251,11 @@ is_ca_enrolled (void *mok, uint32_t mok_size, MokRequest req) { switch (req) { case ENROLL_MOK: - if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListRT")) + if (is_ca_in_db (mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) return 1; break; case ENROLL_BLACKLIST: - if (is_ca_in_db (mok, mok_size, &efi_guid_shim, "MokListXRT")) + if (is_ca_in_db (mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) return 1; break; default: -- 2.12.3 From 60e3bc4b9ece5b70393911444cacc898382419e2 Mon Sep 17 00:00:00 2001 
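Review bot: `fprintf (stderr, "Failed to read CA\n");` fires whenever read_variable() fails for the database being consulted, and the message names the wrong object — it is the key database, not the CA, that could not be read; at minimum `fprintf (stderr, "Failed to read %s\n", db_name);`. A missing variable is presumably a normal state for a list that has never been populated (confirm for MokListXRT), so consider returning 0 quietly in that case rather than printing an error on every run with the check enabled. `var.VariableName = db_name;` assigns a `const char *`; if efi_variable_t's VariableName is not const-qualified this discards the qualifier, which is worth a look at the struct definition.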
From: Gary Lin <glin@suse.com> Date: Thu, 27 Aug 2020 14:18:29 +0800 Subject: [PATCH 04/10] mokutil: close file in the error path We should close the file descriptor when encountering an error in issue_mok_request(); Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit 0a0813d6f7dfa73f7947566e7fad2d42e016f30a) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index 7962c76..df9810b 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1408,11 +1408,13 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, read_size = read (fd, ptr, sizes[i]); if (read_size < 0 || read_size != sizes[i]) { fprintf (stderr, "Failed to read %s\n", files[i]); + close (fd); goto error; } if (!is_valid_cert (ptr, read_size)) { fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n", files[i]); + close (fd); goto error; } @@ -1420,6 +1422,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, if (force_ca_check && is_ca_enrolled (ptr, sizes[i], req)) { fprintf (stderr, "CA of %s is already enrolled\n", files[i]); + close (fd); goto error; } -- 2.12.3 From a924ce31970ef0306e7aaec32420bad6026d7f01 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Thu, 27 Aug 2020 14:22:52 +0800 Subject: [PATCH 05/10] make CA check non-fatal (cherry picked from commit 50098834780ee6d5dd0cfd3073d504030cc25037) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index df9810b..a23952a 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
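Review bot: The fix adds `close (fd);` in front of three separate `goto error` statements in issue_mok_request, which leaves every future failure path after open() to remember the same thing. A dedicated label — `goto error_close;` at those sites, with `error_close: close (fd);` falling through into `error:` — closes the descriptor once for all of them. The open() call and the `error:` label are outside the hunk, so the exact placement needs the surrounding code.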
@@ -1420,10 +1420,9 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, /* Check whether CA is already enrolled */ if (force_ca_check && is_ca_enrolled (ptr, sizes[i], req)) { - fprintf (stderr, "CA of %s is already enrolled\n", - files[i]); + printf ("CA enrolled. Skip %s\n", files[i]); close (fd); - goto error; + continue; } if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) { -- 2.12.3 From 5a5fbaff4c0c3f9de4d63fd7e07559fee5d57a2f Mon Sep 17 00:00:00 2001 From: Sandy <39258624+sandy-lcq@users.noreply.github.com> Date: Fri, 13 Dec 2019 10:38:28 +0800 Subject: [PATCH 06/10] mokutil.c: fix typo enrollement -> enrollment Signed-off-by: Changqing Li <changqing.li@windriver.com> (cherry picked from commit e37eeef4866f5f3bbeaef3fe1d1360ebac76bdc5) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index a23952a..ecdf710 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1282,7 +1282,7 @@ print_skip_message (const char *filename, void *mok, uint32_t mok_size, else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) printf ("SKIP: %s is already enrolled\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) - printf ("SKIP: %s is already in the enrollement request\n", filename); + printf ("SKIP: %s is already in the enrollment request\n", filename); break; case DELETE_MOK: if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) -- 2.12.3 From 5e4225f441e2584916db5bed7c191838644eb931 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Fri, 28 Aug 2020 11:53:24 +0800 Subject: [PATCH 07/10] mokutil: check the blocklists before enrolling a key Check "dbx" and "MokListXRT" when enrolling a key. Joey Lee: I have changed this patch to old EFI api in mokutil instead of libefivar. The reason is the same with " mokutil: do the CA check" patch 
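Review bot: The new skip message `printf ("CA enrolled. Skip %s\n", files[i]);` is phrased differently from the other skip lines in this function, which come out of print_skip_message as `SKIP: <file> ...`; `printf ("SKIP: CA of %s is already enrolled\n", files[i]);` keeps the output filterable by one prefix. The loop's accounting (ptr, real_size) is outside the hunk, so I am assuming that `continue` before the `ptr += sizes[i]` advance simply lets the next file overwrite the skipped bytes — confirm nothing downstream still counts sizes[i] for a skipped entry.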
Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit 8de04a4dd566376316432bd60c3b0ab2686797a4) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index ecdf710..a386a5d 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1124,6 +1124,10 @@ is_valid_request (efi_guid_t type, void *mok, uint32_t mok_size, MokRequest req) is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) { return 0; } + /* Also check the blocklists */ + if (is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx") || + is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) + return 0; break; case DELETE_MOK: if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT") || @@ -1265,6 +1269,23 @@ is_ca_enrolled (void *mok, uint32_t mok_size, MokRequest req) return 0; } +/* Check whether the CA cert is blocked */ +static int +is_ca_blocked (void *mok, uint32_t mok_size, MokRequest req) +{ + switch (req) { + case ENROLL_MOK: + if (is_ca_in_db (mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx") || + is_ca_in_db (mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) + return 1; + break; + default: + return 0; + } + + return 0; +} + static void print_skip_message (const char *filename, void *mok, uint32_t mok_size, MokRequest req) 
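Review bot: is_ca_blocked routes dbx and MokListXRT through is_ca_in_db, which (outside this hunk) prints `Failed to read CA` and returns 0 whenever read_variable() fails; a machine with no MOK blocklist presumably has no MokListXRT variable, so the enrollment path would print that error for an ordinary state and then proceed. That fail-open choice is reasonable for a skip heuristic but should be stated, e.g. above the switch: `/* An unreadable blocklist is treated as empty (fail-open); is_ca_in_db reports the read error. */`. In the is_valid_request hunk the dbx lookup passes the caller's `type` (EfiCertX509Guid at both call sites visible in this series), so hash-only dbx entries are not consulted — a word to that effect in the `/* Also check the blocklists */` comment would save the next reader the question.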
@@ -1283,6 +1304,12 @@ print_skip_message (const char *filename, void *mok, uint32_t mok_size, printf ("SKIP: %s is already enrolled\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) printf ("SKIP: %s is already in the enrollment request\n", filename); + else if (is_duplicate (type, mok, mok_size, + EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx")) + printf ("SKIP: %s is blocked in dbx\n", filename); + else if (is_duplicate (type, mok, mok_size, + SHIM_LOCK_GUID, "MokListXRT")) + printf ("SKIP: %s is blocked in MokListXRT\n", filename); break; case DELETE_MOK: if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) @@ -1425,6 +1452,13 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, continue; } + /* Check whether CA is blocked */ + if (force_ca_check && is_ca_blocked (ptr, sizes[i], req)) { + printf ("CA blocked. Skip %s\n", files[i]); + close (fd); + continue; + } + if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) { ptr += sizes[i]; real_size += sizes[i] + sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); @@ -2012,6 +2046,12 @@ test_key (MokRequest req, const char *key_file) goto error; } + if (force_ca_check && is_ca_blocked (key, read_size, req)) { + fprintf (stderr, "CA of %s is blocked\n", + key_file); + goto error; + } + if (is_valid_request (EfiCertX509Guid, key, read_size, req)) { printf ("%s is not enrolled\n", key_file); ret = 0; -- 2.12.3 From 316347ece868211f7fe3a16271cc47204125195d Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Fri, 28 Aug 2020 11:58:12 +0800 Subject: [PATCH 08/10] mokutil: improve the message from "--test-key" Print the details of the test result. Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit 5ede0bd0d68d27afc6d3d06556d0077e2840502b) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) 
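Review bot: In issue_mok_request the new CA-blocked check runs after the CA-enrolled check, so a certificate whose issuer appears in both MokListRT and dbx/MokListXRT is reported as `CA enrolled. Skip` — if the denylist takes precedence at boot, as I would expect, the blocked message is the one the user needs to see. Swapping the two blocks so the blocked check comes first changes only the reporting, not which files are skipped. test_key has the same ordering with its `goto error` branches; both functions start and end outside these hunks.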
diff --git a/src/mokutil.c b/src/mokutil.c index a386a5d..4dc522f 100644 --- a/src/mokutil.c +++ b/src/mokutil.c 
@@ -1295,39 +1295,39 @@ print_skip_message (const char *filename, void *mok, uint32_t mok_size, switch (req) { case ENROLL_MOK: if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "PK")) - printf ("SKIP: %s is already in PK\n", filename); + printf ("%s is already in PK\n", filename); else if (is_duplicate (type, mok, mok_size, EFI_GLOBAL_VARIABLE, "KEK")) - printf ("SKIP: %s is already in KEK\n", filename); + printf ("%s is already in KEK\n", filename); else if (is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "db")) - printf ("SKIP: %s is already in db\n", filename); + printf ("%s is already in db\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) - printf ("SKIP: %s is already enrolled\n", filename); + printf ("%s is already enrolled\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokNew")) - printf ("SKIP: %s is already in the enrollment request\n", filename); + printf ("%s is already in the enrollment request\n", filename); else if (is_duplicate (type, mok, mok_size, EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx")) - printf ("SKIP: %s is blocked in dbx\n", filename); + printf ("%s is blocked in dbx\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) - printf ("SKIP: %s is blocked in MokListXRT\n", filename); + printf ("%s is blocked in MokListXRT\n", filename); break; case DELETE_MOK: if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListRT")) - printf ("SKIP: %s is not in MokList\n", filename); + printf ("%s is not in MokList\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokDel")) - printf ("SKIP: %s is already in the deletion request\n", filename); + printf ("%s is already in the deletion request\n", filename); break; case ENROLL_BLACKLIST: if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) - printf ("SKIP: %s is already in MokListX\n", filename); + printf ("%s is already in 
MokListX\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXNew")) - printf ("SKIP: %s is already in the MokX enrollment request\n", filename); + printf ("%s is already in the MokX enrollment request\n", filename); break; case DELETE_BLACKLIST: if (!is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokListXRT")) - printf ("SKIP: %s is not in MokListX\n", filename); + printf ("%s is not in MokListX\n", filename); else if (is_duplicate (type, mok, mok_size, SHIM_LOCK_GUID, "MokXDel")) - printf ("SKIP: %s is already in the MokX deletion request\n", filename); + printf ("%s is already in the MokX deletion request\n", filename); break; } } @@ -1466,6 +1466,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, printf ("Removed %s from %s\n", files[i], reverse_req); ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); } else { + printf ("SKIP: "); print_skip_message (files[i], ptr, sizes[i], req); ptr -= sizeof(EFI_SIGNATURE_LIST) + sizeof(efi_guid_t); } @@ -2056,7 +2057,7 @@ test_key (MokRequest req, const char *key_file) printf ("%s is not enrolled\n", key_file); ret = 0; } else { - printf ("%s is already enrolled\n", key_file); + print_skip_message (key_file, key, read_size, req); ret = 1; } -- 2.12.3 From 6f98791e4af745d72d29e37c704f54878673b3a4 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Wed, 2 Sep 2020 16:09:04 +0800 Subject: [PATCH 09/10] mokutil: disable CA check by default The SUSE PTF certificate is also issued by SUSE CA, so enabling CA check by default would ignore the enrollment of the PTF certificates and the PTF would be unloadable. Flip "--ignore-ca-check" to "--ca-check" and set force_ca_check to 0 by default. Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit 235e92a1d3e0f32f7be44aa0f37d7f3041306ccc) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- src/mokutil.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
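Review bot: `printf ("SKIP: ");` is now emitted before print_skip_message, but print_skip_message prints nothing when none of its `else if` branches match (and nothing for the DELETE_* cases when their first condition is false), which would leave a bare `SKIP: ` with no newline on the output line; not all of is_valid_request's conditions are visible here, so I cannot rule that case out. Making print_skip_message own the prefix and guarantee a terminating line (for example a final `else printf ("%s skipped\n", filename);` in each case) removes the dependency between the two call sites. The same applies to the test_key call, where a non-matching request would now print nothing for the enrolled case, and the `CA enrolled. Skip` / `CA blocked. Skip` lines from earlier patches still lack the prefix.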
diff --git a/src/mokutil.c b/src/mokutil.c index 4dc522f..fc97962 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -159,7 +159,7 @@ print_help () printf (" --root-pw\t\t\t\tUse the root password\n"); printf (" --simple-hash\t\t\t\tUse the old password hash method\n"); printf (" --mokx\t\t\t\tManipulate the MOK blacklist\n"); - printf (" --ignore-ca-check\t\t\tDon't check CA of the given certificate\n"); + printf (" --ca-check\t\t\t\tCheck if CA of the key is enrolled/blocked\n"); } static int @@ -2197,7 +2197,7 @@ main (int argc, char *argv[]) int ret = -1; use_simple_hash = 0; - force_ca_check = 1; + force_ca_check = 0; while (1) { static struct option long_options[] = { @@ -2231,7 +2231,7 @@ main (int argc, char *argv[]) {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, - {"ignore-ca-check", no_argument, 0, 0 }, + {"ca-check", no_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2319,8 +2319,8 @@ main (int argc, char *argv[]) command |= LIST_ENROLLED; db_name = DBX; } - } else if (strcmp (option, "ignore-ca-check") == 0) { - force_ca_check = 0; + } else if (strcmp (option, "ca-check") == 0) { + force_ca_check = 1; } break; -- 2.12.3 From e8d21ce15d7f46d814132ba986f2eeae2cf07c14 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Wed, 2 Sep 2020 16:19:44 +0800 Subject: [PATCH 10/10] man: add "--ca-check" to the man page Signed-off-by: Gary Lin <glin@suse.com> (cherry picked from commit ae0aaf1a62faaba16183ed01a7ac9406535d96a1) Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- man/mokutil.1 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/man/mokutil.1 b/man/mokutil.1 index ca9380d..9ae6794 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 
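Review bot: After this flip `force_ca_check` is set to 1 only by `--ca-check`, so the name reads backwards — nothing is being forced; renaming it to `ca_check` at its declaration, its default in main, the option handler and every `force_ca_check &&` guard would match the option it mirrors. Since the check is now opt-in, the help line could say so: `printf (" --ca-check\t\t\t\tCheck if CA of the key is enrolled/blocked (off by default)\n");`. The commit message gives the PTF-certificate reason for the default; a one-line comment next to `force_ca_check = 0;` quoting it would keep that rationale with the code.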
@@ -15,7 +15,7 @@ mokutil \- utility to manipulate machine owner keys .br \fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | - [--simple-hash | -s] | [--mokx | -X]) + [--simple-hash | -s] | [--mokx | -X] | [--ca-check]) .br \fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | @@ -43,7 +43,7 @@ mokutil \- utility to manipulate machine owner keys \fBmokutil\fR [--sb-state] .br \fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR] - ([--mokx | -X]) + ([--mokx | -X] | [--ca-check]) .br \fBmokutil\fR [--reset] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | @@ -157,3 +157,7 @@ List the keys in the secure boot signature store (db) \fB--dbx\fR List the keys in the secure boot blacklist signature store (dbx) .TP +\fB--ca-check\fR +Check if the CA of the given key is already enrolled or blocked in the key +databases. +.TP -- 2.12.3