From 29f231fd049f023bcf57810544b757b325fac2ce Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Mon, 3 May 2021 20:52:35 +0100 Subject: Add maintainer scripts to the template packages Manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages. Closes: #966845 --- debian/changelog | 9 +++ debian/signing-template.generate | 6 +- .../signing-template/@final_pkg_name@.postinst.in | 81 ++++++++++++++++++++++ debian/signing-template/@final_pkg_name@.postrm.in | 53 ++++++++++++++ 4 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 debian/signing-template/@final_pkg_name@.postinst.in create mode 100644 debian/signing-template/@final_pkg_name@.postrm.in (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index b8f1fe35..996e79fb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +shim (15.4-3) unstable; urgency=medium + + * Add maintainer scripts to the template packages to manage + installing and removing fbXXX.efi and mmXXX.efi when we + install/remove the shim-helpers-$arch-signed packages. + Closes: #966845 + + -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100 + shim (15.4-2) unstable; urgency=medium * Add two further patches from upstream: diff --git a/debian/signing-template.generate b/debian/signing-template.generate index 63ba0f24..19a4fbcd 100755 --- a/debian/signing-template.generate +++ b/debian/signing-template.generate @@ -6,6 +6,8 @@ urgency="$(dpkg-parsechangelog -S Urgency)" date="$(dpkg-parsechangelog -S Date)" version_binary="$(dpkg-parsechangelog -S Version)" version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')" +pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template" +final_pkg_name="${pkg_name%-template}" subst () { sed \ @@ -16,11 +18,11 @@ subst () { -e "s/@distribution@/${distribution}/g" \ -e "s/@urgency@/${urgency}/g" \ -e "s/@date@/${date}/g" \ + -e "s/@final_pkg_name@/${final_pkg_name}/g" \ "$@" } template='./debian/signing-template' -pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template" pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}" pkg_deb="${pkg_dir}/source-template/debian" @@ -31,7 +33,7 @@ find "${template}" -type f -printf '%P\n' | while read path do src="${template}/${path}" - dst="${pkg_deb}/${path}" + dst=$(echo "${pkg_deb}/${path}" | subst) install -o 0 -g 0 -m 0755 -d "${dst%/*}" subst < "${src}" > "${dst%.in}" diff --git a/debian/signing-template/@final_pkg_name@.postinst.in b/debian/signing-template/@final_pkg_name@.postinst.in new file mode 100644 index 00000000..6da2a3d8 --- /dev/null +++ b/debian/signing-template/@final_pkg_name@.postinst.in @@ -0,0 +1,81 @@ +#! /bin/sh +set -e + +# Must load the confmodule for our template to be installed correctly. +. /usr/share/debconf/confmodule + +# Select the right target architecture for grub-install +ARCH=@arch@ +case ${ARCH} in + i386|amd64) + FW_SIZE=$(cat /sys/firmware/efi/fw_platform_size) + if [ "$FW_SIZE"x = "32"x ]; then + GRUB_EFI_TARGET="i386-efi" + elif [ "$FW_SIZE"x = "64"x ]; then + GRUB_EFI_TARGET="x86_64-efi" + else + echo "Unable to read a valid value from fw_platform_size, ABORT" + exit 1 + fi + ;; + arm64) + GRUB_EFI_TARGET="arm64-efi" + ;; + *) + echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" + exit 1 + ;; +esac + +# Pull out a config value from /etc/default/grub +config_item () +{ + if [ -f /etc/default/grub ]; then + . /etc/default/grub || return + for x in /etc/default/grub.d/*.cfg; do + if [ -e "$x" ]; then + . "$x" + fi + done + fi + eval echo "\$$1" +} + +case $1 in + configure) + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ + cut -d' ' -f1)" + case $bootloader_id in + kubuntu) bootloader_id=ubuntu ;; + esac + + # Call grub-install to make sure we're added to the ESP as + # needed + if [ "$bootloader_id" ] && \ + [ -d "/boot/efi/EFI/$bootloader_id" ] && \ + [ -d /sys/firmware/efi ] && \ + which grub-install >/dev/null 2>&1 + then + # Check for some of the options that matter, so we can + # call grub-install safely without dropping them + OPTIONS="" + + db_get grub2/force_efi_extra_removable + if [ "$RET" = true ]; then + OPTIONS="$OPTIONS --force-extra-removable" + fi + + db_get grub2/update_nvram + if [ "$RET" = false ]; then + OPTIONS="$OPTIONS --no-nvram" + fi + + grub-install --target=${GRUB_EFI_TARGET} $OPTIONS + fi + ;; +esac + +#DEBHELPER# + +exit 0 + diff --git a/debian/signing-template/@final_pkg_name@.postrm.in b/debian/signing-template/@final_pkg_name@.postrm.in new file mode 100644 index 00000000..cd261b15 --- /dev/null +++ b/debian/signing-template/@final_pkg_name@.postrm.in @@ -0,0 +1,53 @@ +#! /bin/sh +set -e + +case @arch@ in + i386) + SHIM_REMOVE="mmia32.efi fbia32.efi";; + amd64) + SHIM_REMOVE="mmx64.efi fbx64.efi";; + arm64) + SHIM_REMOVE="mmaa64.efi fbaa64.efi";; + *) + echo "Unsupported dpkg architecture @arch@ in $0. ABORT" + exit 1 + ;; +esac + +# Pull out a config value from /etc/default/grub +config_item () +{ + if [ -f /etc/default/grub ]; then + . /etc/default/grub || return + for x in /etc/default/grub.d/*.cfg; do + if [ -e "$x" ]; then + . "$x" + fi + done + fi + eval echo "\$$1" +} + +case $1 in + remove|purge) + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ + cut -d' ' -f1)" + case $bootloader_id in + kubuntu) bootloader_id=ubuntu ;; + esac + + # If we're being removed, remove the copies installed in the + # ESP. grub-install doesn't clean those up for us. + if [ "$bootloader_id" ] && \ + [ -d "/boot/efi/EFI/$bootloader_id" ] && \ + [ -d /sys/firmware/efi ]; then + + cd /boot/efi/EFI/$bootloader_id + rm -f $SHIM_REMOVE + fi + ;; +esac + +#DEBHELPER# + +exit 0 -- cgit v1.2.3