File mokutil-support-revoke-builtin-cert.patch of Package mokutil.24583
From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 21 Feb 2014 17:56:55 +0800
Subject: [PATCH 1/3] Add the option to revoke the built-in certificate
This is an openSUSE-only patch.
This commit adds an option to create ClearVerify which contains
the password hash to notify MokManager to show the option to
revoke the built-in certificate.
---
src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
Index: mokutil-0.3.0/src/mokutil.c
===================================================================
--- mokutil-0.3.0.orig/src/mokutil.c
+++ mokutil-0.3.0/src/mokutil.c
@@ -87,6 +87,7 @@
#define FB_VERBOSITY (1 << 25)
#define FB_NOREBOOT (1 << 26)
#define SET_SBAT (1 << 27)
+#define REVOKE_CERT (1 << 28)
#define DEFAULT_CRYPT_METHOD SHA512_BASED
#define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -164,6 +165,7 @@ print_help ()
printf (" --db\t\t\t\t\tList the keys in db\n");
printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
+ printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n");
printf ("\n");
printf ("Supplimentary Options:\n");
printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -2068,6 +2070,85 @@ set_fallback_noreboot (const uint8_t nor
return 0;
}
+static int
+revoke_builtin_cert (void)
+{
+ uint32_t attributes;
+ size_t data_size;
+ uint8_t *data;
+ pw_crypt_t pw_crypt;
+ uint8_t auth[SHA256_DIGEST_LENGTH];
+ char *password = NULL;
+ unsigned int pw_len;
+ int auth_ret;
+ int ret = -1;
+
+ /* Check use_openSUSE_cert */
+ if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert",
+ &data, &data_size, &attributes) < 0) {
+ fprintf (stderr, "Failed to get use_openSUSE_cert\n");
+ return 0;
+ }
+
+ if (data_size != 1) {
+ free (data);
+ fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");
+ return 0;
+ }
+
+ if (*data != 1) {
+ free (data);
+ fprintf (stderr, "The built-in certificate is already revoked.\n");
+ return 0;
+ }
+ free (data);
+
+ memset (&pw_crypt, 0, sizeof(pw_crypt_t));
+ memset (auth, 0, SHA256_DIGEST_LENGTH);
+
+ if (get_password (&password, &pw_len, PASSWORD_MIN, PASSWORD_MAX) < 0) {
+ fprintf (stderr, "Abort\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ pw_crypt.method = DEFAULT_CRYPT_METHOD;
+ auth_ret = generate_hash (&pw_crypt, password, pw_len);
+ } else {
+ auth_ret = generate_auth (NULL, 0, password, pw_len,
+ auth);
+ }
+ if (auth_ret < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+
+ if (!use_simple_hash) {
+ data = (uint8_t *)&pw_crypt;
+ data_size = PASSWORD_CRYPT_SIZE;
+ } else {
+ data = auth;
+ data_size = SHA256_DIGEST_LENGTH;
+ }
+ attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+
+ if (efi_set_variable (efi_guid_shim, "ClearVerify",
+ data, data_size, attributes,
+ S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to write ClearVerify\n");
+ goto error;
+ }
+
+ ret = 0;
+error:
+ if (password)
+ free (password);
+
+ return ret;
+}
+
static inline int
list_db (DBName db_name)
{
@@ -2172,6 +2253,7 @@ main (int argc, char *argv[])
{"dbx", no_argument, 0, 0 },
{"list-sbat-revocations", no_argument, 0, 0 },
{"sbat", no_argument, 0, 0 },
+ {"revoke-cert", no_argument, 0, 0 },
{0, 0, 0, 0}
};
@@ -2289,6 +2371,8 @@ main (int argc, char *argv[])
command |= LIST_SBAT;
} else if (strcmp (option, "sbat") == 0) {
command |= LIST_SBAT;
+ } else if (strcmp (option, "revoke-cert") == 0) {
+ command |= REVOKE_CERT;
}
break;
@@ -2560,6 +2644,10 @@ main (int argc, char *argv[])
case SET_SBAT:
ret = manage_sbat(sbat_policy);
break;
+ case REVOKE_CERT:
+ case REVOKE_CERT | SIMPLE_HASH:
+ ret = revoke_builtin_cert ();
+ break;
default:
print_help ();
break;
