Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2022-08-04 13:22:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mokutil (Old) and /work/SRC/openSUSE:Factory/.mokutil.new.1521 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil"
Thu Aug 4 13:22:54 2022 rev:28 rq:992467 version:0.6.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2021-07-17 23:36:45.269916179 +0200
+++ /work/SRC/openSUSE:Factory/.mokutil.new.1521/mokutil.changes 2022-08-04 13:23:05.516435418 +0200
@@ -1,0 +2,10 @@
+Mon Jun 27 05:00:25 UTC 2022 - Joey Lee <j...@suse.com>
+
+- Update to 0.6.0
+ + 6c98907 SBAT revocation update support
+ + 0276891 mokutil: Add trust_mok_keys and untrust_mok_keys
+ + 57bc385 mokutil: enable setting fallback verbosity and noreboot mode
+ + b15e7c4 util: add the missing stdio.h
+- Drop mokutil-fix-missing-header.patch (upstream)
+
+-------------------------------------------------------------------
Old:
----
0.5.0.tar.gz
mokutil-fix-missing-header.patch
New:
----
0.6.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mokutil.spec ++++++
--- /var/tmp/diff_new_pack.nWzGgq/_old 2022-08-04 13:23:05.960436678 +0200
+++ /var/tmp/diff_new_pack.nWzGgq/_new 2022-08-04 13:23:05.968436700 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package mokutil
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: mokutil
-Version: 0.5.0
+Version: 0.6.0
 Release: 0
 Summary: Tools for manipulating machine owner keys
 License: GPL-3.0-only
@@ -27,8 +27,6 @@
 Source1: modhash
 # PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch g...@suse.com -- Disable the check of libkeyutils version
 Patch1: mokutil-remove-libkeyutils-check.patch
-# PATCH-FIX-UPSTREAM mokutil-fix-missing-header.patch g...@suse.com -- Fix the compilation error due to the missing header
-Patch2: mokutil-fix-missing-header.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: efivar-devel >= 0.12
@@ -47,7 +45,6 @@
 %if 0%{?suse_version} <= 1500
 %patch1 -p1
 %endif
-%patch2 -p1
 %build
 ./autogen.sh
++++++ 0.5.0.tar.gz -> 0.6.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mokutil-0.5.0/configure.ac new/mokutil-0.6.0/configure.ac
--- old/mokutil-0.5.0/configure.ac 2021-06-28 05:05:08.000000000 +0200
+++ new/mokutil-0.6.0/configure.ac 2022-05-07 09:02:34.000000000 +0200
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.68])
-AC_INIT([mokutil], [0.5.0], [g...@suse.com])
+AC_INIT([mokutil], [0.6.0], [chingp...@gmail.com])
 AM_INIT_AUTOMAKE([1.11 -Wno-portability tar-ustar dist-bzip2 no-dist-gzip])
 AC_CONFIG_SRCDIR([src/mokutil.c])
 AC_CONFIG_HEADERS([config.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mokutil-0.5.0/data/mokutil new/mokutil-0.6.0/data/mokutil
--- old/mokutil-0.5.0/data/mokutil 2021-06-28 05:05:08.000000000 +0200
+++ new/mokutil-0.6.0/data/mokutil 2022-05-07 09:02:34.000000000 +0200
@@ -24,6 +24,14 @@
 COMPREPLY=( $( compgen -W "true false") )
 return 0
 ;;
+ --set-fallback-verbosity)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
+ --set-fallback-noreboot)
+ COMPREPLY=( $( compgen -W "true false") )
+ return 0
+ ;;
 --generate-hash|-g)
 COMPREPLY=( $( compgen -o nospace -P= -W "") )
 return 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mokutil-0.5.0/man/mokutil.1 new/mokutil-0.6.0/man/mokutil.1
--- old/mokutil-0.5.0/man/mokutil.1 2021-06-28 05:05:08.000000000 +0200
+++ new/mokutil-0.6.0/man/mokutil.1 2022-05-07 09:02:34.000000000 +0200
@@ -63,6 +63,10 @@
 .br
 \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
 .br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
 \fBmokutil\fR [--pk]
 .br
 \fBmokutil\fR [--kek]
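Review bot: The bash-completion hunk for data/mokutil covers only the two fallback options, while the option table added to mokutil.c in this same release also introduces `--trust-mok`, `--untrust-mok`, `--list-sbat-revocations` and `--set-sbat-policy`; the last one takes a fixed word list, so a case `--set-sbat-policy) COMPREPLY=( $( compgen -W "latest previous delete") ); return 0 ;;` belongs beside the two new fallback cases. Whether the no-argument options are picked up by a generic option list elsewhere in the completion script cannot be told from this hunk, so that part may already be handled. The enclosing case statement starts and ends outside the hunk.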
@@ -71,7 +75,9 @@
 .br
 \fBmokutil\fR [--dbx]
 .br
-\fBmokutil\fR [--sbat]
+\fBmokutil\fR [--list-sbat-revocations]
+.br
+\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
 .br
 \fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
 .br
@@ -158,6 +164,12 @@
 \fB--set-verbosity\fR
 Set the SHIM_VERBOSE to make shim more or less verbose
 .TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
 \fB--pk\fR
 List the keys in the public Platform Key (PK)
 .TP
@@ -170,9 +182,17 @@
 \fB--dbx\fR
 List the keys in the secure boot blacklist signature store (dbx)
 .TP
-\fB--sbat\fR
+\fB--list-sbat-revocations\fR
 List the entries in the Secure Boot Advanced Targeting store (SBAT)
 .TP
+\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
+Set the SbatPolicy UEFI Variable to have shim apply either the latest
+or the previous SBAT revocations. If UEFI Secure Boot is disabled, then
+delete will reset the SBAT revocations to an empty revocation list.
+While latest and previous are persistent configuration, delete will be
+cleared by shim on the next boot whether or not it succeeds. The default
+behavior is for shim to apply the previous revocations.
+.TP
 \fB--timeout\fR
 Set the timeout for MOK prompt
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mokutil-0.5.0/src/mokutil.c new/mokutil-0.6.0/src/mokutil.c
--- old/mokutil-0.5.0/src/mokutil.c 2021-06-28 05:05:08.000000000 +0200
+++ new/mokutil-0.6.0/src/mokutil.c 2022-05-07 09:02:34.000000000 +0200
@@ -83,6 +83,11 @@
 #define VERBOSITY (1 << 22)
 #define TIMEOUT (1 << 23)
 #define LIST_SBAT (1 << 24)
+#define FB_VERBOSITY (1 << 25)
+#define FB_NOREBOOT (1 << 26)
+#define TRUST_MOK (1 << 27)
+#define UNTRUST_MOK (1 << 28)
+#define SET_SBAT (1 << 29)
 #define DEFAULT_CRYPT_METHOD SHA512_BASED
 #define DEFAULT_SALT_SIZE SHA512_SALT_MAX
@@ -127,12 +132,17 @@
 printf (" --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
 printf (" --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
 printf (" --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+ printf (" --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+ printf (" --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
+ printf (" --trust-mok\t\t\t\tTrust MOK keys within the kernel keyring\n");
+ printf (" --untrust-mok\t\t\t\tDo not trust MOK keys\n");
+ printf (" --set-sbat-policy <latest/previous/delete>\t\tApply Latest, Previous, or Blank SBAT revocations\n");
 printf (" --pk\t\t\t\t\tList the keys in PK\n");
 printf (" --kek\t\t\t\t\tList the keys in KEK\n");
 printf (" --db\t\t\t\t\tList the keys in db\n");
 printf (" --dbx\t\t\t\t\tList the keys in dbx\n");
 printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n");
- printf (" --sbat\t\t\t\tList the entries in SBAT\n");
+ printf (" --list-sbat-revocations\t\t\t\tList the entries in SBAT\n");
 printf ("\n");
 printf ("Supplimentary Options:\n");
 printf (" --hash-file <hash file>\t\tUse the specific password hash\n");
@@ -1437,6 +1447,18 @@
 return set_toggle("MokDB", 1);
 }
+static int
+trust_mok_keys()
+{
+ return set_toggle("MokListTrustedNew", 0);
+}
+
+static int
+untrust_mok_keys()
+{
+ return set_toggle("MokListTrustedNew", 1);
+}
+
 static inline int
 read_file(const int fd, void **bufp, size_t *lenptr)
 {
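Review bot: The help text in @@ -127 drops `--sbat` while the option table and parser in this same change keep accepting it (the `{"sbat", no_argument, 0, 0 }` entry and its `command |= LIST_SBAT` branch survive), so the old spelling becomes an undocumented alias; either list it as deprecated, e.g. `printf (" --sbat\t\t\t\t\tDeprecated alias for --list-sbat-revocations\n");`, or say so in a comment beside the parser branch. The new lines also pad with `\t\t` after option strings of 38 to 43 characters, whereas the existing entries are padded so their descriptions start at column 40; with 8-column tab stops the new descriptions land at column 48 or 56 and break the alignment of the usage output, so the rendered output is worth a look. print_help's body starts and ends outside the hunk.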
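Review bot: In @@ -1437, trust_mok_keys passes 0 to set_toggle and untrust_mok_keys passes 1, the opposite of what the names suggest, and nothing in the hunk says why; set_toggle and the shim-side meaning of `MokListTrustedNew` are outside the hunk, so a reader can only assume the variable uses inverted logic. A comment above trust_mok_keys such as `/* MokListTrustedNew is inverse-logic on the shim side: 0 asks that the kernel keyring trust MOK keys, 1 that it does not — confirm against shim's handling of MokListTrusted */` would stop the next maintainer from "correcting" the constants. Both helpers are also declared with an empty `()`, which in a C definition is an old-style unprototyped parameter list; `(void)` matches the prototyped style of `read_file` just below and keeps -Wstrict-prototypes quiet.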
@@ -1672,6 +1694,46 @@
 return 0;
 }
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+ if (verbosity) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+ (uint8_t *)&verbosity, sizeof (verbosity),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("FALLBACK_VERBOSE");
+ }
+
+ return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+ if (noreboot) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+ (uint8_t *)&noreboot, sizeof (noreboot),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("FB_NO_REBOOT");
+ }
+
+ return 0;
+}
+
 static inline int
 list_db (const DBName db_name)
 {
@@ -1693,6 +1755,26 @@
 return -1;
 }
+static int
+manage_sbat (const uint8_t sbat_policy)
+{
+ if (sbat_policy) {
+ uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS;
+ if (efi_set_variable (efi_guid_shim, "SbatPolicy",
+ (uint8_t *)&sbat_policy,
+ sizeof (sbat_policy),
+ attributes, S_IRUSR | S_IWUSR) < 0) {
+ fprintf (stderr, "Failed to set SbatPolicy\n");
+ return -1;
+ }
+ } else {
+ return test_and_delete_mok_var ("SbatPolicy");
+ }
+ return 0;
+}
+
 int
 main (int argc, char *argv[])
 {
@@ -1707,6 +1789,9 @@
 unsigned int command = 0;
 int use_root_pw = 0;
 uint8_t verbosity = 0;
+ uint8_t fb_verbosity = 0;
+ uint8_t fb_noreboot = 0;
+ uint8_t sbat_policy = 0;
 DBName db_name = MOK_LIST_RT;
 int ret = -1;
 int sb_check;
@@ -1747,10 +1832,16 @@
 {"import-hash", required_argument, 0, 0 },
 {"delete-hash", required_argument, 0, 0 },
 {"set-verbosity", required_argument, 0, 0 },
+ {"set-fallback-verbosity", required_argument, 0, 0 },
+ {"set-fallback-noreboot", required_argument, 0, 0 },
+ {"trust-mok", no_argument, 0, 0 },
+ {"untrust-mok", no_argument, 0, 0 },
+ {"set-sbat-policy", required_argument, 0, 0 },
 {"pk", no_argument, 0, 0 },
 {"kek", no_argument, 0, 0 },
 {"db", no_argument, 0, 0 },
 {"dbx", no_argument, 0, 0 },
+ {"list-sbat-revocations", no_argument, 0, 0 },
 {"sbat", no_argument, 0, 0 },
 {"timeout", required_argument, 0, 0 },
 {"ca-check", no_argument, 0, 0 },
@@ -1785,6 +1876,10 @@
 command |= IGNORE_DB;
 } else if (strcmp (option, "use-db") == 0) {
 command |= USE_DB;
+ } else if (strcmp (option, "trust-mok") == 0) {
+ command |= TRUST_MOK;
+ } else if (strcmp (option, "untrust-mok") == 0) {
+ command |= UNTRUST_MOK;
 } else if (strcmp (option, "import-hash") == 0) {
 command |= IMPORT_HASH;
 if (hash_str) {
@@ -1815,6 +1910,32 @@
 verbosity = 0;
 else
 command |= HELP;
+ } else if (strcmp (option, "set-fallback-verbosity") == 0) {
+ command |= FB_VERBOSITY;
+ if (strcmp (optarg, "true") == 0)
+ fb_verbosity = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_verbosity = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-fallback-noreboot") == 0) {
+ command |= FB_NOREBOOT;
+ if (strcmp (optarg, "true") == 0)
+ fb_noreboot = 1;
+ else if (strcmp (optarg, "false") == 0)
+ fb_noreboot = 0;
+ else
+ command |= HELP;
+ } else if (strcmp (option, "set-sbat-policy") == 0) {
+ command |= SET_SBAT;
+ if (strcmp (optarg, "latest") == 0)
+ sbat_policy = 1;
+ else if (strcmp (optarg, "previous") == 0)
+ sbat_policy = 2;
+ else if (strcmp (optarg, "delete") == 0)
+ sbat_policy = 3;
+ else
+ command |= HELP;
 } else if (strcmp (option, "pk") == 0) {
 if (db_name != MOK_LIST_RT) {
 command |= HELP;
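Review bot: The `--set-sbat-policy` branch in @@ -1815 assigns the bare values 1, 2 and 3 to sbat_policy, and nothing in the code ties them to what shim reads from SbatPolicy; the only description of the encoding is the man page text in this commit. Named constants next to the command bits, `#define SBAT_POLICY_LATEST 1`, `#define SBAT_POLICY_PREVIOUS 2`, `#define SBAT_POLICY_RESET 3`, used here and in manage_sbat, would make the mapping checkable against shim's definition rather than against prose. The two fallback branches also repeat the true/false-or-HELP parsing already used for `--set-verbosity` just above them; a small helper that returns the parsed flag and sets HELP on anything else would reduce each option to a line or two. The enclosing option loop starts and ends outside the hunk.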
@@ -1839,6 +1960,8 @@
 } else {
 db_name = DBX;
 }
+ } else if (strcmp (option, "list-sbat-revocations") == 0) {
+ command |= LIST_SBAT;
 } else if (strcmp (option, "sbat") == 0) {
 command |= LIST_SBAT;
 } else if (strcmp (option, "timeout") == 0) {
@@ -1978,7 +2101,8 @@
 command |= LIST_ENROLLED;
 sb_check = !(command & HELP || command & TEST_KEY ||
- command & VERBOSITY || command & TIMEOUT);
+ command & VERBOSITY || command & TIMEOUT ||
+ command & FB_VERBOSITY || command & FB_NOREBOOT);
 if (sb_check) {
 /* Check whether the machine supports Secure Boot or not */
 int rc;
@@ -2063,6 +2187,12 @@
 case USE_DB:
 ret = enable_db ();
 break;
+ case TRUST_MOK:
+ ret = trust_mok_keys ();
+ break;
+ case UNTRUST_MOK:
+ ret = untrust_mok_keys ();
+ break;
 case LIST_NEW | MOKX:
 ret = list_keys_in_var ("MokXNew", efi_guid_shim);
 break;
@@ -2100,12 +2230,21 @@
 case VERBOSITY:
 ret = set_verbosity (verbosity);
 break;
+ case FB_VERBOSITY:
+ ret = set_fallback_verbosity (fb_verbosity);
+ break;
+ case FB_NOREBOOT:
+ ret = set_fallback_noreboot (fb_noreboot);
+ break;
 case TIMEOUT:
 ret = set_timeout (timeout);
 break;
 case LIST_SBAT:
 ret = print_var_content ("SbatLevelRT", efi_guid_shim);
 break;
+ case SET_SBAT:
+ ret = manage_sbat(sbat_policy);
+ break;
 default:
 print_help ();
 break;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mokutil-0.5.0/src/util.c new/mokutil-0.6.0/src/util.c
--- old/mokutil-0.5.0/src/util.c 2021-06-28 05:05:08.000000000 +0200
+++ new/mokutil-0.6.0/src/util.c 2022-05-07 09:02:34.000000000 +0200
@@ -29,6 +29,7 @@
 * files in the program, then also delete it here.
 */
+#include <stdio.h>
 #include <stdlib.h>
 #include <termios.h>
++++++ mokutil-remove-libkeyutils-check.patch ++++++
--- /var/tmp/diff_new_pack.nWzGgq/_old 2022-08-04 13:23:06.056436950 +0200
+++ /var/tmp/diff_new_pack.nWzGgq/_new 2022-08-04 13:23:06.056436950 +0200
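Review bot: In @@ -1978 the sb_check exemption is extended to FB_VERBOSITY and FB_NOREBOOT but not to SET_SBAT, so `--set-sbat-policy delete` still goes through the Secure Boot support check even though the man page added in this commit describes `delete` as the path for a machine with Secure Boot disabled; whether that check refuses such a machine depends on code below the hunk, so this may well be intended, but a comment naming the exempt commands and the reason, e.g. `/* Flag-only shim variables skip the Secure Boot support check; SBAT policy and MOK trust changes still go through it. */`, would record the decision. Separately, the `list-sbat-revocations` branch in @@ -1839 duplicates the `sbat` branch that follows it; `} else if (strcmp (option, "list-sbat-revocations") == 0 || strcmp (option, "sbat") == 0) {` with a comment marking `sbat` as a deprecated alias keeps both spellings in one place. In @@ -2100, `manage_sbat(sbat_policy)` omits the space before the parenthesis that every other call in the switch uses. The enclosing main body starts and ends outside these hunks.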
@@ -11,10 +11,10 @@ src/Makefile.am | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) -Index: mokutil-0.5.0/configure.ac +Index: mokutil-0.6.0/configure.ac =================================================================== ---- mokutil-0.5.0.orig/configure.ac -+++ mokutil-0.5.0/configure.ac +--- mokutil-0.6.0.orig/configure.ac ++++ mokutil-0.6.0/configure.ac @@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset]) PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) @@ -23,10 +23,10 @@ AC_ARG_WITH([bash-completion-dir], AS_HELP_STRING([--with-bash-completion-dir[=PATH]], -Index: mokutil-0.5.0/src/Makefile.am +Index: mokutil-0.6.0/src/Makefile.am =================================================================== ---- mokutil-0.5.0.orig/src/Makefile.am -+++ mokutil-0.5.0/src/Makefile.am +--- mokutil-0.6.0.orig/src/Makefile.am ++++ mokutil-0.6.0/src/Makefile.am @@ -2,13 +2,12 @@ bin_PROGRAMS = mokutil mokutil_CFLAGS = $(OPENSSL_CFLAGS) \