
From ba91a8a4b1eaea166f0bbf799aa2abbc889faa60 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 5 Mar 2021 18:01:36 +0100
Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content

This variable contains the descriptive form of all the components used by
the operating systems that ship signed shim binaries, along with a minimum
generation number for each component. More information can be found in
the UEFI Secure Boot Advanced Targeting (SBAT) specification:

  https://github.com/rhboot/shim/blob/main/SBAT.md

Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8
encoded strings, the data could just be printed without the need to do any
previous processing.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 man/mokutil.1 |  5 +++++
 src/mokutil.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Index: mokutil-0.4.0/man/mokutil.1
===================================================================
--- mokutil-0.4.0.orig/man/mokutil.1
+++ mokutil-0.4.0/man/mokutil.1
@@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine
 .br
 \fBmokutil\fR [--dbx]
 .br
+\fBmokutil\fR [--sbat]
+.br
 
 .SH DESCRIPTION
 \fBmokutil\fR is a tool to import or delete the machines owner keys
@@ -173,6 +175,9 @@ List the keys in the secure boot signatu
 \fB--dbx\fR
 List the keys in the secure boot blacklist signature store (dbx)
 .TP
+\fB--sbat\fR
+List the entries in the Secure Boot Advanced Targeting store (SBAT)
+.TP
 \fB--ca-check\fR
 Check if the CA of the given key is already enrolled or blocked in the key
 databases.
Index: mokutil-0.4.0/src/mokutil.c
===================================================================
--- mokutil-0.4.0.orig/src/mokutil.c
+++ mokutil-0.4.0/src/mokutil.c
@@ -86,6 +86,7 @@
 #define DELETE_HASH        (1 << 22)
 #define VERBOSITY          (1 << 23)
 #define TIMEOUT            (1 << 24)
+#define LIST_SBAT          (1 << 25)
 
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
@@ -180,6 +181,7 @@ print_help ()
 	printf ("  --db\t\t\t\t\tList the keys in db\n");
 	printf ("  --dbx\t\t\t\t\tList the keys in dbx\n");
 	printf ("  --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
+	printf ("  --sbat\t\t\t\tList the entries in SBAT\n");
 	printf ("\n");
 	printf ("Supplimentary Options:\n");
 	printf ("  --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2378,6 +2380,31 @@ set_timeout (char *t)
 }
 
 static int
+print_var_content (const char *var_name, const efi_guid_t guid)
+{
+	uint8_t *data = NULL;
+	size_t data_size;
+	uint32_t attributes;
+	int ret;
+
+	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+	if (ret < 0) {
+		if (errno == ENOENT) {
+			printf ("%s is empty\n", var_name);
+			return 0;
+		}
+
+		fprintf (stderr, "Failed to read %s: %m\n", var_name);
+		return -1;
+	}
+
+	printf ("%s", data);
+	free (data);
+
+	return ret;
+}
+
+static int
 set_verbosity (uint8_t verbosity)
 {
 	if (verbosity) {
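Review bot: `printf ("%s", data)` in print_var_content assumes the variable payload is NUL-terminated, but efi_get_variable returns a raw byte buffer of `data_size` bytes with no terminator, so this can read past the allocation and will also truncate silently on an embedded NUL. The buffer comes from NVRAM, which the tool should treat as untrusted input; print it bounded by the length it was given, `fwrite (data, 1, data_size, stdout);`, or equivalently `printf ("%.*s", (int) data_size, data);`. The variable name is hard-coded as "SBAT" at the call site; it is worth confirming it matches the name the shim in use actually writes, since a mismatch prints "SBAT is empty" rather than an error. A one-line comment above the function, `/* Print the raw content of an EFI variable; SBAT is a CSV UTF-8 blob, so no decoding is done. */`, would also help.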
@@ -2477,6 +2504,7 @@ main (int argc, char *argv[])
 			{"kek",                no_argument,       0, 0  },
 			{"db",                 no_argument,       0, 0  },
 			{"dbx",                no_argument,       0, 0  },
+			{"sbat",               no_argument,       0, 0  },
 			{"timeout",            required_argument, 0, 0  },
 			{"ca-check",           no_argument,       0, 0  },
 			{"ignore-keyring",     no_argument,       0, 0  },
@@ -2563,6 +2591,8 @@ main (int argc, char *argv[])
 				} else {
 					db_name = DBX;
 				}
+			}  else if (strcmp (option, "sbat") == 0) {
+				command |= LIST_SBAT;
 			} else if (strcmp (option, "timeout") == 0) {
 				command |= TIMEOUT;
 				timeout = strdup (optarg);
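Review bot: The new `}  else if (strcmp (option, "sbat") == 0) {` line has two spaces between `}` and `else`, unlike the surrounding branches; it should read `} else if (strcmp (option, "sbat") == 0) {` to match the file's style. The enclosing option-parsing loop starts and ends outside this hunk.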
@@ -2839,6 +2869,9 @@ main (int argc, char *argv[])
 		case TIMEOUT:
 			ret = set_timeout (timeout);
 			break;
+		case LIST_SBAT:
+			ret = print_var_content ("SBAT", efi_guid_shim);
+			break;
 		default:
 			print_help ();
 			break;