|
 |
547a08 |
From 18843127dc0eace16d43d479bd091e221e8785c4 Mon Sep 17 00:00:00 2001
|
|
|
547a08 |
From: Peter Jones <pjones@redhat.com>
|
|
|
547a08 |
Date: Mon, 17 Aug 2020 15:47:19 -0400
|
|
|
547a08 |
Subject: [PATCH] Fix some mokmanager deletion paths
|
|
|
547a08 |
|
|
|
547a08 |
This fixes several codepaths where MokList and MokListX are supposed to
|
|
|
547a08 |
be deleted, but are not. It also adds debug logging to much of the
|
|
|
547a08 |
deletion codepath.
|
|
|
547a08 |
|
|
|
547a08 |
---
|
|
|
547a08 |
MokManager.c | 24 +++++++++++++++++++++++-
|
|
|
547a08 |
Makefile | 2 +-
|
|
|
547a08 |
2 files changed, 24 insertions(+), 2 deletions(-)
|
|
|
547a08 |
|
|
|
547a08 |
diff --git a/MokManager.c b/MokManager.c
|
|
|
547a08 |
index c9949e33bcf..9bae3414fe7 100644
|
|
|
547a08 |
--- a/MokManager.c
|
|
|
547a08 |
+++ b/MokManager.c
|
|
|
547a08 |
@@ -9,6 +9,8 @@
|
|
|
547a08 |
|
|
|
547a08 |
#include "shim.h"
|
|
|
547a08 |
|
|
|
547a08 |
+#include "hexdump.h"
|
|
|
547a08 |
+
|
|
|
547a08 |
#define PASSWORD_MAX 256
|
|
|
547a08 |
#define PASSWORD_MIN 1
|
|
|
547a08 |
#define SB_PASSWORD_LEN 16
|
|
|
547a08 |
@@ -1050,9 +1052,11 @@ static EFI_STATUS mok_reset_prompt(BOOLEAN MokX)
|
|
|
547a08 |
if (MokX) {
|
|
|
547a08 |
LibDeleteVariable(L"MokXNew", &SHIM_LOCK_GUID);
|
|
|
547a08 |
LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
|
|
|
547a08 |
+ LibDeleteVariable(L"MokListX", &SHIM_LOCK_GUID);
|
|
|
547a08 |
} else {
|
|
|
547a08 |
LibDeleteVariable(L"MokNew", &SHIM_LOCK_GUID);
|
|
|
547a08 |
LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
|
|
|
547a08 |
+ LibDeleteVariable(L"MokList", &SHIM_LOCK_GUID);
|
|
|
547a08 |
}
|
|
|
547a08 |
|
|
|
547a08 |
return EFI_SUCCESS;
|
|
|
547a08 |
@@ -1075,6 +1079,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
|
|
|
547a08 |
else
|
|
|
547a08 |
db_name = L"MokList";
|
|
|
547a08 |
|
|
|
547a08 |
+ dprint(L"Writing back %s (%d entries)\n", db_name, key_num);
|
|
|
547a08 |
for (i = 0; i < key_num; i++) {
|
|
|
547a08 |
if (list[i].Mok == NULL)
|
|
|
547a08 |
continue;
|
|
|
547a08 |
@@ -1085,8 +1090,15 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
|
|
|
547a08 |
DataSize += sizeof(EFI_GUID);
|
|
|
547a08 |
DataSize += list[i].MokSize;
|
|
|
547a08 |
}
|
|
|
547a08 |
- if (DataSize == 0)
|
|
|
547a08 |
+ if (DataSize == 0) {
|
|
|
547a08 |
+ dprint(L"DataSize = 0; deleting variable %s\n", db_name);
|
|
|
547a08 |
+ efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID,
|
|
|
547a08 |
+ EFI_VARIABLE_NON_VOLATILE |
|
|
|
547a08 |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
|
|
|
547a08 |
+ DataSize, Data);
|
|
|
547a08 |
+ dprint(L"efi_status:%llu\n", efi_status);
|
|
|
547a08 |
return EFI_SUCCESS;
|
|
|
547a08 |
+ }
|
|
|
547a08 |
|
|
|
547a08 |
Data = AllocatePool(DataSize);
|
|
|
547a08 |
if (Data == NULL)
|
|
|
547a08 |
@@ -1291,11 +1303,15 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
|
|
|
547a08 |
}
|
|
|
547a08 |
|
|
|
547a08 |
if (auth_size == PASSWORD_CRYPT_SIZE) {
|
|
|
547a08 |
+ dprint(L"matching password with CRYPT");
|
|
|
547a08 |
efi_status = match_password((PASSWORD_CRYPT *) auth, NULL, 0,
|
|
|
547a08 |
NULL, NULL);
|
|
|
547a08 |
+ dprint(L"match_password(0x%llx, NULL, 0, NULL, NULL) = %lu\n", auth, efi_status);
|
|
|
547a08 |
} else {
|
|
|
547a08 |
+ dprint(L"matching password as sha256sum");
|
|
|
547a08 |
efi_status =
|
|
|
547a08 |
match_password(NULL, MokDel, MokDelSize, auth, NULL);
|
|
|
547a08 |
+ dprint(L"match_password(NULL, 0x%llx, %llu, 0x%llx, NULL) = %lu\n", MokDel, MokDelSize, auth, efi_status);
|
|
|
547a08 |
}
|
|
|
547a08 |
if (EFI_ERROR(efi_status))
|
|
|
547a08 |
return EFI_ACCESS_DENIED;
|
|
|
547a08 |
@@ -1365,12 +1381,17 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
|
|
|
547a08 |
}
|
|
|
547a08 |
|
|
|
547a08 |
/* Search and destroy */
|
|
|
547a08 |
+ dprint(L"deleting certs from %a\n", MokX ? "MokListX" : "MokList");
|
|
|
547a08 |
for (i = 0; i < del_num; i++) {
|
|
|
547a08 |
type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */
|
|
|
547a08 |
if (CompareGuid(&type, &X509_GUID) == 0) {
|
|
|
547a08 |
+ dprint(L"deleting key %d (total %d):\n", i, mok_num);
|
|
|
547a08 |
+ dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
|
|
|
547a08 |
delete_cert(del_key[i].Mok, del_key[i].MokSize,
|
|
|
547a08 |
mok, mok_num);
|
|
|
547a08 |
} else if (is_sha2_hash(del_key[i].Type)) {
|
|
|
547a08 |
+ dprint(L"deleting hash %d (total %d):\n", i, mok_num);
|
|
|
547a08 |
+ dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
|
|
|
547a08 |
delete_hash_list(del_key[i].Type, del_key[i].Mok,
|
|
|
547a08 |
del_key[i].MokSize, mok, mok_num);
|
|
|
547a08 |
}
|
|
|
547a08 |
@@ -2564,6 +2585,7 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE * systab)
|
|
|
547a08 |
|
|
|
547a08 |
InitializeLib(image_handle, systab);
|
|
|
547a08 |
|
|
|
547a08 |
+ setup_verbosity();
|
|
|
547a08 |
setup_rand();
|
|
|
547a08 |
|
|
|
547a08 |
console_mode_handle();
|
|
|
547a08 |
diff --git a/Makefile b/Makefile
|
|
|
547a08 |
index 49e14a26521..a17fa2bef14 100644
|
|
|
547a08 |
--- a/Makefile
|
|
|
547a08 |
+++ b/Makefile
|
|
|
547a08 |
@@ -36,7 +36,7 @@ endif
|
|
|
547a08 |
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
|
|
|
547a08 |
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
|
|
547a08 |
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
|
|
|
547a08 |
-MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
|
|
547a08 |
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o
|
|
|
547a08 |
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
|
|
|
547a08 |
FALLBACK_OBJS = fallback.o tpm.o errlog.o
|
|
|
547a08 |
ORIG_FALLBACK_SRCS = fallback.c
|
|
|
547a08 |
--
|
|
|
547a08 |
2.26.2
|
|
|
547a08 |
|