Hello community, here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2019-08-27 11:58:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mokutil (Old) and /work/SRC/openSUSE:Factory/.mokutil.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil" Tue Aug 27 11:58:00 2019 rev:22 rq:707344 version:0.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2019-01-29 14:44:51.763081339 +0100 +++ /work/SRC/openSUSE:Factory/.mokutil.new.7948/mokutil.changes 2019-08-27 11:58:04.887678390 +0200 
@@ -1,0 +2,42 @@ +Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 0.4.0 + + Rename export_moks as export_db_keys + + Add support for exporting other keys + + add new --mok argument + + set list-enrolled command as default for some arguments + + Add more info to --sb-state: show when we're in SetupMode or + with shim validation disabled + + Correct help: --set-timeout is really --timeout + + generate_hash() / generate_pw_hash(): don't use strlen() for + strncpy bounds + + Add the type casting to silence the warning + + Add a way for mokutil to configure a timeout for MokManager's + prompt + + list_keys_in_var(): check errno correctly, not ret twice + + Fix typo in error message when the system lacks Secure Boot + support + + Add bash completion file + + mokutil: be explicit about file modes in all cases + + Make all efi_guid_t const + + Don't allow sha1 on the mokutil command line + + Build with -fshort-wchar so toggle passwords work right + + Fix the 32bit signedness comparison + + Fix the potential buffer overflow +- Add mokutil-remove-shebang-from-bash-completion-file.patch to + remove shebang from bash-completion/mokutil +- Drop upstreamed patches + + mokutil-constify-efi-guid.patch + + mokutil-fix-overflow.patch + + mokutil-fshort-wchar.patch + + mokutil-set-efi-variable-file-mode.patch +- Refresh mokutil-support-revoke-builtin-cert.patch +- Install bash-completion/mokutil + +------------------------------------------------------------------- +Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com> + +- Add modhash to calculate the hash of kernel module (SLE-5661) + + Also add openssl to Requires since the script needs it + +------------------------------------------------------------------- Old: ---- mokutil-0.3.0.tar.bz2 mokutil-constify-efi-guid.patch mokutil-fix-overflow.patch mokutil-fshort-wchar.patch mokutil-set-efi-variable-file-mode.patch New: ---- 0.4.0.tar.gz modhash 
mokutil-remove-shebang-from-bash-completion-file.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mokutil.spec ++++++ --- /var/tmp/diff_new_pack.MkJB21/_old 2019-08-27 11:58:05.587678293 +0200 +++ /var/tmp/diff_new_pack.MkJB21/_new 2019-08-27 11:58:05.591678293 +0200 @@ -17,29 +17,23 @@ Name: mokutil -Version: 0.3.0 +Version: 0.4.0 Release: 0 Summary: Tools for manipulating machine owner keys License: GPL-3.0-only Group: Productivity/Security Url: https://github.com/lcp/mokutil -Source: %{name}-%{version}.tar.bz2 -# PATCH-FIX-UPSTREAM mokutil-fix-overflow.patch g...@suse.com -- Fix the potential buffer overflow -Patch1: mokutil-fix-overflow.patch -# PATCH-FIX-UPSTREAM mokutil-fshort-wchar.patch g...@suse.com -- Add "-fshort-wchar" to make sure the UEFI strings are UCS-2 encoding -Patch2: mokutil-fshort-wchar.patch -# PATCH-FIX-UPSTREAM mokutil-set-efi-variable-file-mode.patch g...@suse.com -- Be explicit about file modes in all cases -Patch3: mokutil-set-efi-variable-file-mode.patch -# PATCH-FIX-UPSTREAM mokutil-constify-efi-guid.patch g...@suse.com -- Make all efi_guild_t variables const -Patch4: mokutil-constify-efi-guid.patch -# OPENSUSE ONLY -# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch g...@suse.com -- Add an option to revoke the built-in certificate +Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz +Source1: modhash +# PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch g...@suse.com -- Remove shebang from bash-completion/mokutil +Patch1: mokutil-remove-shebang-from-bash-completion-file.patch Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: efivar-devel >= 0.12 BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: pkg-config +Requires: openssl BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: x86_64 aarch64 
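Review bot: `Patch100: mokutil-support-revoke-builtin-cert.patch` keeps its patch but loses its description, because the removed block takes the `# OPENSUSE ONLY` / `# PATCH-FIX-OPENSUSE` comment with it while the patch itself stays (and is refreshed further down in this request); restore `# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch g...@suse.com -- Add an option to revoke the built-in certificate` above `Patch100:` so the openSUSE-only status of that change stays visible in the spec. The new `Source:` fetches GitHub's auto-generated archive, which lands in the package as a bare `0.4.0.tar.gz` (see the New: list above); appending `#/%{name}-%{version}.tar.gz` to the URL keeps the stored tarball named after the package. Nothing in the hunk verifies that archive, so if upstream publishes signed release tarballs, adding the `.asc` and a keyring source would let the download be checked instead of trusted as fetched.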
@@ -56,18 +50,16 @@ %prep %setup -q %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %patch100 -p1 %build -autoreconf +./autogen.sh %configure make %install %makeinstall +install -m 755 -D %{SOURCE1} %{buildroot}/%{_bindir}/modhash %clean %{?buildroot:%__rm -rf "%{buildroot}"} 
@@ -76,6 +68,9 @@ %defattr(-,root,root) %license COPYING %{_bindir}/mokutil +%{_bindir}/modhash %{_mandir}/man?/* +%dir %{_datadir}/bash-completion/completions/ +%{_datadir}/bash-completion/completions/mokutil %changelog ++++++ modhash ++++++ #!/usr/bin/perl # # Calculate the digest of the kernel module # It will strip kernel modules signature before calculation. # # Based on modsign-verify, written by Michal Marek # Authors: # Gary Lin <g...@suse.com> # Joey Lee <j...@suse.com> # my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n"; use strict; use warnings; use IPC::Open2; use Getopt::Long; use File::Temp qw(tempfile); my $verbose = 1; my $dgst = "sha256"; GetOptions( "d=s" => \$dgst, "q|quiet" => sub { $verbose-- if $verbose; }, "v|verbose" => sub { $verbose++; }, "h|help" => sub { print $USAGE; exit(0); } ) or die($USAGE); sub _verbose { my $level = shift; return if $verbose < $level; print STDERR @_; } sub info { _verbose(1, @_); } sub verbose { _verbose(2, @_); } sub debug { _verbose(3, @_); } if (@ARGV > 1) { print STDERR "Excess arguments\n"; die($USAGE); } elsif (@ARGV < 1) { print STDERR "No module supplied\n"; die($USAGE); } my $module_name = shift(@ARGV); if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and $dgst ne "sha384" and $dgst ne "sha512") { die("unsupported algorithm: $dgst"); } # # Function to read the contents of a file into a variable. 
# sub read_file($) { my ($file) = @_; my $contents; my $len; open(FD, "<$file") || die $file; binmode FD; my @st = stat(FD); die $file if (!@st); $len = read(FD, $contents, $st[7]) || die $file; close(FD) || die $file; die "$file: Wanted length ", $st[7], ", got ", $len, "\n" if ($len != $st[7]); return $contents; } sub openssl_pipe($$) { my ($input, $cmd) = @_; my ($pid, $res); $pid = open2(*read_from, *write_to, $cmd) || die $cmd; binmode write_to; if (defined($input) && $input ne "") { print write_to $input || die "$cmd: $!"; } close(write_to) || die "$cmd: $!"; binmode read_from; read(read_from, $res, 4096) || die "$cmd: $!"; close(read_from) || die "$cmd: $!"; waitpid($pid, 0) || die; die "$cmd died: $?" if ($? >> 8); return $res; } my $module = read_file($module_name); my $module_len = length($module); my $magic_number = "~Module signature appended~\n"; my $magic_len = length($magic_number); my $info_len = 12; if ($module_len < $magic_len) { die "Module size too short\n"; } sub eat { my $length = shift; if ($module_len < $length) { die "Module size too short\n"; } my $res = substr($module, -$length); $module = substr($module, 0, $module_len - $length); $module_len -= $length; return $res; } if (substr($module, -$magic_len) eq $magic_number) { $module = substr($module, 0, $module_len - $magic_len); $module_len -= $magic_len; my $info = eat($info_len); my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) = unpack("CCCCCxxxN", $info); my $signature = eat($sig_len); if ($id_type == 1) { if (unpack("n", $signature) == $sig_len - 2) { verbose ("signed module (X.509)\n"); } else { die "Invalid signature format\n"; } if ($algo != 1) { die "Unsupported signature algorithm\n"; } $signature = substr($signature, 2); my $key_id = eat($key_len); my $name = eat($name_len); } elsif ($id_type == 2) { verbose ("signed module (PKCS#7)\n"); } } else { verbose ("unsigned module\n"); } verbose("Hash algorithm: $dgst\n"); my $digest = openssl_pipe($module, "openssl dgst 
-$dgst"); $digest =~ s/\(stdin\)= //; print "$module_name: $digest" ++++++ mokutil-remove-shebang-from-bash-completion-file.patch ++++++ >From e27b85622fcb1cc59e0fd4e7d630fc62f89dd225 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Tue, 28 May 2019 12:33:32 +0800 Subject: [PATCH] Remove shebang from bash-completion/mokutil Signed-off-by: Gary Lin <g...@suse.com> --- data/mokutil | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/mokutil b/data/mokutil index 800b039..cf50606 100755 --- a/data/mokutil +++ b/data/mokutil @@ -1,4 +1,4 @@ -#!/bin/bash +# mokutil(1) completion _mokutil() { -- 2.21.0 ++++++ mokutil-support-revoke-builtin-cert.patch ++++++ --- /var/tmp/diff_new_pack.MkJB21/_old 2019-08-27 11:58:05.639678286 +0200 +++ /var/tmp/diff_new_pack.MkJB21/_new 2019-08-27 11:58:05.639678286 +0200 @@ -1,4 +1,4 @@ -From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001 +From 93ded288224a18f336f9e3654a33a48bcb748b11 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Fri, 21 Feb 2014 17:56:55 +0800 Subject: [PATCH 1/3] Add the option to revoke the built-in certificate @@ -9,30 +9,30 @@ the password hash to notify MokManager to show the option to revoke the built-in certificate. --- - src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/mokutil.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c -index 5b34f22..ab3d04f 100644 +index e2d567d..1ada2a0 100644 --- a/src/mokutil.c 
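Review bot: In `openssl_pipe`, `print write_to $input || die "$cmd: $!";` never reports a failed write, because `||` binds to `$input` rather than to `print`, so `die` is only evaluated when the module content is empty, which the caller already rules out; write `print write_to $input or die "$cmd: $!";`. The following `read(read_from, $res, 4096) || die "$cmd: $!"` fires before `waitpid`, so when openssl rejects the algorithm and prints nothing the user sees an empty `$!` instead of openssl's exit status; slurping stdout with `local $/; my $res = <read_from>;` and checking `$?` after `waitpid` gives a usable message. `"openssl dgst -$dgst"` is handed to `open2` as a single string and is safe only because of the whitelist check above it; passing it as a list, `open2($rd, $wr, 'openssl', 'dgst', "-$dgst")`, avoids the shell entirely and does not depend on that check staying in sync. The script still accepts `-d sha1` and `-d sha` although the changelog in this request says mokutil no longer takes sha1 on its command line, so a sha1 digest produced here may not be usable with the tool it ships with; documenting that in `$USAGE` or rejecting those values would avoid the surprise. `use File::Temp qw(tempfile)` is unused.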
+++ b/src/mokutil.c -@@ -83,6 +83,7 @@ - #define IMPORT_HASH (1 << 21) +@@ -84,6 +84,7 @@ #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) -+#define REVOKE_CERT (1 << 24) + #define TIMEOUT (1 << 24) ++#define REVOKE_CERT (1 << 25) #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -156,6 +157,7 @@ print_help () - printf (" --kek\t\t\t\t\tList the keys in KEK\n"); +@@ -176,6 +177,7 @@ print_help () printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); + printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); + printf (" --revoke-cert\t\t\t\tRevoke the built-in certificate in shim\n"); printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); -@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity) +@@ -2103,6 +2105,79 @@ set_verbosity (uint8_t verbosity) return 0; } @@ -112,26 +112,26 @@ static inline int list_db (DBName db_name) { -@@ -2070,6 +2145,7 @@ main (int argc, char *argv[]) - {"kek", no_argument, 0, 0 }, +@@ -2182,6 +2257,7 @@ main (int argc, char *argv[]) {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, + {"timeout", required_argument, 0, 0 }, + {"revoke-cert", no_argument, 0, 0 }, {0, 0, 0, 0} }; -@@ -2157,6 +2233,8 @@ main (int argc, char *argv[]) - command |= LIST_ENROLLED; - db_name = DBX; - } +@@ -2268,6 +2344,8 @@ main (int argc, char *argv[]) + } else if (strcmp (option, "timeout") == 0) { + command |= TIMEOUT; + timeout = strdup (optarg); + } else if (strcmp (option, "revoke-cert") == 0) { + command |= REVOKE_CERT; } break; -@@ -2416,6 +2494,10 @@ main (int argc, char *argv[]) - case VERBOSITY: - ret = set_verbosity (verbosity); +@@ -2537,6 +2615,10 @@ main (int argc, char *argv[]) + case TIMEOUT: + ret = set_timeout (timeout); break; + case REVOKE_CERT: + case REVOKE_CERT | SIMPLE_HASH: 
@@ -141,10 +141,10 @@ print_help (); break; -- -2.9.0 +2.21.0 -From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001 +From 17f9850edce4dd40f96107c97d3d720406bf9f09 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Tue, 4 Nov 2014 14:50:36 +0800 Subject: [PATCH 2/3] Use the efivar functions to access UEFI variables @@ -157,10 +157,10 @@ 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index ab3d04f..9dcf4f1 100644 +index 1ada2a0..dcf55dc 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity) +@@ -2108,28 +2108,35 @@ set_verbosity (uint8_t verbosity) static int revoke_builtin_cert (void) { @@ -205,7 +205,7 @@ memset (&pw_crypt, 0, sizeof(pw_crypt_t)); memset (auth, 0, SHA256_DIGEST_LENGTH); -@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void) +@@ -2152,20 +2159,18 @@ revoke_builtin_cert (void) } if (!use_simple_hash) { @@ -236,10 +236,10 @@ goto error; } -- -2.9.0 +2.21.0 -From 05c64b7b7d44f1c2a106e7273a33f83e57452d92 Mon Sep 17 00:00:00 2001 +From 1ab85ee4d98a5436c4612b8f893c3c73f113a6e0 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Wed, 13 Jul 2016 14:58:15 +0800 Subject: [PATCH 3/3] Use efi_set_variable from efivar 0.24 @@ -250,10 +250,10 @@ 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c -index 9dcf4f1..1a8ccc9 100644 +index dcf55dc..0160c06 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -2061,7 +2061,8 @@ revoke_builtin_cert (void) +@@ -2170,7 +2170,8 @@ revoke_builtin_cert (void) | EFI_VARIABLE_RUNTIME_ACCESS; if (efi_set_variable (efi_guid_shim, "ClearVerify", @@ -264,5 +264,5 @@ goto error; } -- -2.9.0 +2.21.0