efibootmgr: add support for listing cryptographic signature types.

Since UEFI 2.2, firmware has provided a list of supported signature types for Secure Boot binaries in a global variable named "SignatureSupport". This patch adds a new command line flag to efibootmgr, "--list-signature-types" ("-s") which collects that information from the firmware and displays it to the user, either by symbolic name if libefivar knows about that signature type or by GUID if it does not. On the system in front of me, that looks something like this: random:efibootmgr/signaturesupport$ ./src/efibootmgr -s x509_sha256 x509_sha384 x509_sha512 sha256 x509_cert rsa2048 rsa2048_sha256 rsa2048_sha1 external_management random:efibootmgr/signaturesupport$ Signed-off-by: Peter Jones <pjones@redhat.com>
rhboot · Jan 19, 2024 · 8eaccfb · 8eaccfb
1 parent 4a8d9c6
commit 8eaccfb
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/src/efibootmgr.8.in b/src/efibootmgr.8.in
@@ -4,7 +4,7 @@
 efibootmgr \- change the UEFI Boot Manager configuration
 .SH SYNOPSIS
 
-\fBefibootmgr\fR [ \fB-a\fR ] [ \fB-A\fR ] [ \fB-b \fIXXXX\fB\fR ] [ \fB-B\fR ] [ \fB-c\fR ] [ \fB-d \fIDISK\fB\fR ] [ \fB-D\fR ] [ \fB-e \fI1|3|-1\fB\fR ] [ \fB-E \fINUM\fB\fR ] [ \fB--full-dev-path\fR | \fB--file-dev-path\fR ] [ \fB-f\fR ] [ \fB-F\fR ] [ \fB-g\fR ] [ \fB-i \fINAME\fB\fR ] [ \fB-l \fINAME\fB\fR ] [ \fB-L \fILABEL\fB\fR ] [ \fB-m \fIt|f\fB\fR ] [ \fB-M \fIX\fB\fR ] [ \fB-n \fIXXXX\fB\fR ] [ \fB-N\fR ] [ \fB-o \fIXXXX\fB,\fIYYYY\fB,\fIZZZZ\fB\fR\fI ...\fR ] [ \fB-O\fR ] [ \fB-p \fIPART\fB\fR ] [ \fB-q\fR ] [ \fB-r\fR | \fB-y\fR ] [ \fB-t \fIseconds\fB\fR ] [ \fB-T\fR ] [ \fB-u\fR ] [ \fB-v\fR ] [ \fB-V\fR ] [ \fB-w\fR ] [ \fB-@ \fIfile\fB\fR ]
+\fBefibootmgr\fR [ \fB-a\fR ] [ \fB-A\fR ] [ \fB-b \fIXXXX\fB\fR ] [ \fB-B\fR ] [ \fB-c\fR ] [ \fB-d \fIDISK\fB\fR ] [ \fB-D\fR ] [ \fB-e \fI1|3|-1\fB\fR ] [ \fB-E \fINUM\fB\fR ] [ \fB--full-dev-path\fR | \fB--file-dev-path\fR ] [ \fB-f\fR ] [ \fB-F\fR ] [ \fB-g\fR ] [ \fB-i \fINAME\fB\fR ] [ \fB-l \fINAME\fB\fR ] [ \fB-L \fILABEL\fB\fR ] [ \fB-m \fIt|f\fB\fR ] [ \fB-M \fIX\fB\fR ] [ \fB-n \fIXXXX\fB\fR ] [ \fB-N\fR ] [ \fB-o \fIXXXX\fB,\fIYYYY\fB,\fIZZZZ\fB\fR\fI ...\fR ] [ \fB-O\fR ] [ \fB-p \fIPART\fB\fR ] [ \fB-q\fR ] [ \fB-r\fR | \fB-y\fR ] [ \fB-s\fR ] [ \fB-t \fIseconds\fB\fR ] [ \fB-T\fR ] [ \fB-u\fR ] [ \fB-v\fR ] [ \fB-V\fR ] [ \fB-w\fR ] [ \fB-@ \fIfile\fB\fR ]
 
 .SH "DESCRIPTION"
 .PP
@@ -130,6 +130,9 @@ Quiet mode - suppresses output.
 \fB-r | --driver\fR
 Operate on Driver#### variables instead of Boot#### variables.
 .TP
+\fB-s | --list-signature-types\fR
+List cryptographic signature types supported on this machine and exit
+.TP
 \fB-t | --timeout \fIseconds\fB\fR
 Boot Manager timeout, in \fIseconds\fR\&.
 .TP

diff --git a/src/efibootmgr.c b/src/efibootmgr.c
@@ -1390,6 +1390,46 @@ show_mirror(void)
 	}
 }
 
+static int
+list_supported_signature_types(void)
+{
+	var_entry_t entry = { 0, };
+	int rc;
+	size_t n_entries;
+	unsigned int i;
+
+	rc = efi_get_variable(EFI_GLOBAL_GUID, "SignatureSupport",
+			      &entry.data, &entry.data_size, &entry.attributes);
+	if (rc == ENOENT) {
+		warning("Firmware does not support any signature types");
+		return 0;
+	}
+	if (rc < 0) {
+		efi_error("efi_get_variable failed");
+		return -1;
+	}
+	if (entry.data_size % sizeof(efi_guid_t) != 0)
+		warning("SignatureSupport variable has suspicious size %zu",
+			entry.data_size);
+
+	n_entries = entry.data_size / sizeof(efi_guid_t);
+
+	for (i = 0; i < n_entries; i++) {
+		efi_guid_t *guid = &((efi_guid_t *)entry.data)[i];
+		char *guidname = NULL;
+
+		rc = efi_guid_to_name(guid, &guidname);
+		if (rc < 0) {
+			efi_error("efi_guid_to_name failed");
+			return -1;
+		}
+		printf("%s\n", guidname);
+		free(guidname);
+	}
+
+	return 0;
+}
+
 static void
 usage()
 {
@@ -1495,6 +1535,7 @@ parse_opts(int argc, char **argv)
 			{"part",             required_argument, 0, 'p'},
 			{"quiet",                  no_argument, 0, 'q'},
 			{"driver",                 no_argument, 0, 'r'},
+			{"list-signature-types",   no_argument, 0, 's'},
 			{"timeout",          required_argument, 0, 't'},
 			{"delete-timeout",         no_argument, 0, 'T'},
 			{"unicode",                no_argument, 0, 'u'},
@@ -1509,7 +1550,7 @@ parse_opts(int argc, char **argv)
 		};
 
 		c = getopt_long(argc, argv,
-				"aAb:BcCd:De:E:fFgi:I:kl:L:m:M:n:No:Op:qrt:Tuv::Vwy@:h",
+				"aAb:BcCd:De:E:fFgi:I:kl:L:m:M:n:No:Op:qrst:Tuv::Vwy@:h",
 				long_options, &option_index);
 		if (c == -1)
 			break;
@@ -1715,6 +1756,14 @@ parse_opts(int argc, char **argv)
 		case 'r':
 			opts.driver = 1;
 			break;
+
+		case 's':
+			rc = list_supported_signature_types();
+			if (rc < 0)
+				errorx(40, "Could not read and display supported signature types\n");
+			exit(0);
+			break;
+
 		case 't':
 			rc = sscanf(optarg, "%u", &num);
 			if (rc == 1) {