openSUSE:Leap:15.6:Update
File mokutil-Add-option-to-print-the-UEFI-SBAT-variable-c.patch of Package mokutil.24596
From ba91a8a4b1eaea166f0bbf799aa2abbc889faa60 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas <javierm@redhat.com> Date: Fri, 5 Mar 2021 18:01:36 +0100 Subject: [PATCH] mokutil: Add option to print the UEFI SBAT variable content This variable contains the descriptive form of all the components used by the operating systems that ship signed shim binaries. Along with a minimum generation number for each component. More information in can be found in the UEFI Secure Boot Advanced Targeting (SBAT) specification: https://github.com/rhboot/shim/blob/main/SBAT.md Since a SBAT variable contains a set of Comma Separated Values (CSV) UTF-8 encoded strings, the data could just be printed without the need to do any previous processing. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- man/mokutil.1 | 5 +++++ src/mokutil.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) Index: mokutil-0.3.0/man/mokutil.1 =================================================================== --- mokutil-0.3.0.orig/man/mokutil.1 +++ mokutil-0.3.0/man/mokutil.1 @@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine .br \fBmokutil\fR [--dbx] .br +\fBmokutil\fR [--sbat] +.br .SH DESCRIPTION \fBmokutil\fR is a tool to import or delete the machines owner keys @@ -173,3 +175,6 @@ List the keys in the secure boot signatu \fB--dbx\fR List the keys in the secure boot blacklist signature store (dbx) .TP +\fB--sbat\fR +List the entries in the Secure Boot Advanced Targeting store (SBAT) +.TP Index: mokutil-0.3.0/src/mokutil.c =================================================================== --- mokutil-0.3.0.orig/src/mokutil.c +++ mokutil-0.3.0/src/mokutil.c @@ -83,6 +83,7 @@ #define IMPORT_HASH (1 << 21) #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) +#define LIST_SBAT (1 << 24) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX 
@@ -156,6 +157,7 @@ print_help () printf (" --kek\t\t\t\t\tList the keys in KEK\n"); printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); + printf (" --sbat\t\t\t\tList the entries in SBAT\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); @@ -1976,6 +1978,31 @@ generate_pw_hash (const char *input_pw) } static int +print_var_content (const char *var_name, const efi_guid_t guid) +{ + uint8_t *data = NULL; + size_t data_size; + uint32_t attributes; + int ret; + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { + if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } + + fprintf (stderr, "Failed to read %s: %m\n", var_name); + return -1; + } + + printf ("%s", data); + free (data); + + return ret; +} + +static int set_verbosity (uint8_t verbosity) { if (verbosity) { @@ -2071,6 +2098,7 @@ main (int argc, char *argv[]) {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, + {"sbat", no_argument, 0, 0 }, {0, 0, 0, 0} }; @@ -2158,6 +2186,8 @@ main (int argc, char *argv[]) command |= LIST_ENROLLED; db_name = DBX; } + } else if (strcmp (option, "sbat") == 0) { + command |= LIST_SBAT; } break; @@ -2417,6 +2447,9 @@ main (int argc, char *argv[]) case VERBOSITY: ret = set_verbosity (verbosity); break; + case LIST_SBAT: + ret = print_var_content ("SBAT", efi_guid_shim); + break; default: print_help (); break;
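Review bot: The new \fB--sbat\fR entry in man/mokutil.1 says only "List the entries in the Secure Boot Advanced Targeting store (SBAT)" and leaves the missing-variable case undocumented, although print_var_content() prints "SBAT is empty" and returns 0 on ENOENT. Add a sentence describing that output and exit status, and note that the variable's CSV content is printed without any processing, as the commit message states, so users know the output format to expect.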
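Review bot: In print_var_content(), `printf ("%s", data);` treats the buffer returned by efi_get_variable() as a NUL-terminated string, but nothing in the hunk guarantees a terminator and data_size is never used, so a variable payload without a trailing NUL would make printf read past the end of the allocation. Bound the output by the returned length, for example `printf ("%.*s", (int) data_size, data);` or fwrite (data, 1, data_size, stdout). In the same function, the ENOENT branch reports a variable that does not exist as "is empty" and returns 0, so a caller cannot tell an absent SBAT variable from a present one; a distinct message such as "%s is not set" would be more accurate.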