diff options
| author | Steve Langasek <vorlon@debian.org> | 2017-04-14 21:44:06 +0000 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2019-03-06 21:15:15 +0000 |
| commit | bf3018eb1399f512672127987fbc134e898d3102 (patch) | |
| tree | 7d6f95ae8a61bb363e67e3001b7f8bfec86dfa60 | |
| download | shim-signed-bf3018eb1399f512672127987fbc134e898d3102.tar.gz shim-signed-bf3018eb1399f512672127987fbc134e898d3102.zip | |
Import Debian version 1.28debian/1.28
shim-signed (1.28) unstable; urgency=medium
* Initial Debian upload, based on Ubuntu package.
| -rw-r--r-- | Makefile | 14 | ||||
| -rw-r--r-- | MicCorUEFCA2011_2011-06-27.crt | 35 | ||||
| -rw-r--r-- | debian/bzr-builddeb.conf | 2 | ||||
| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/compat | 1 | ||||
| -rw-r--r-- | debian/control | 21 | ||||
| -rw-r--r-- | debian/copyright | 33 | ||||
| -rw-r--r-- | debian/lintian-overrides | 1 | ||||
| -rw-r--r-- | debian/po/POTFILES.in | 1 | ||||
| -rw-r--r-- | debian/po/templates.pot | 110 | ||||
| -rwxr-xr-x | debian/rules | 19 | ||||
| -rw-r--r-- | debian/shim-signed.install | 3 | ||||
| -rw-r--r-- | debian/shim-signed.links | 1 | ||||
| -rw-r--r-- | debian/shim-signed.postinst | 45 | ||||
| -rw-r--r-- | debian/shim-signed.triggers | 1 | ||||
| -rw-r--r-- | debian/source/format | 1 | ||||
| -rw-r--r-- | debian/source_shim-signed.py | 55 | ||||
| -rw-r--r-- | debian/templates | 56 | ||||
| -rw-r--r-- | shimx64.efi.signed | bin | 0 -> 1169528 bytes | |||
| -rwxr-xr-x | update-secureboot-policy | 151 |
20 files changed, 555 insertions, 0 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1d82b19 --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +all: + +check: + mkdir -p build + # Verifying that the image is signed with the correct key. + sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed + # Verifying that we have the correct binary. + sbattach --detach build/detached-sig shimx64.efi.signed + cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed + sbattach --attach build/detached-sig build/shimx64.efi.signed + cmp shimx64.efi.signed build/shimx64.efi.signed + +clean: + rm -rf build diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt new file mode 100644 index 0000000..d7c29ef --- /dev/null +++ b/MicCorUEFCA2011_2011-06-27.crt @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN +MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p +Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0 +aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug ++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI +rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ +E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp +XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L +71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB +AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW +BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA +QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD +4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p +Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f +MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv +b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q +aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz +Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g +Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX +i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM +sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh +aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk +BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs +deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5 +QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7 +5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu +AkXuZcK2o35pFnUHkpv1prxZg1g= +-----END CERTIFICATE----- diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf new file mode 100644 index 0000000..3a08d60 --- /dev/null +++ b/debian/bzr-builddeb.conf @@ -0,0 +1,2 @@ +[BUILDDEB] +native = True diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..315a981 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +shim-signed (1.28) unstable; urgency=medium + + * Initial Debian upload, based on Ubuntu package. + + -- Steve Langasek <vorlon@debian.org> Fri, 14 Apr 2017 21:44:06 +0000 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..dfd26bd --- /dev/null +++ b/debian/control @@ -0,0 +1,21 @@ +Source: shim-signed +Section: utils +Priority: optional +Maintainer: Steve Langasek <vorlon@debian.org> +Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf +Standards-Version: 3.9.4 + +Package: shim-signed +Architecture: amd64 +Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil +Recommends: secureboot-db +Built-Using: shim (= ${shim:Version}) +Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) + This package provides a minimalist boot loader which allows verifying + signatures of other UEFI binaries against either the Secure Boot DB/DBX or + against a built-in signature database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, while allowing + an OS distributor to revision their main bootloader independently of the CA. + . + This package contains the version of the bootloader binary signed by the + Microsoft UEFI CA. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..d9f1275 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,33 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: shim +Upstream-Contact: Matthew Garrett <mjg@redhat.com> +Source: https://github.com/mjg59/shim.git + +Files: * +Copyright: 2012 Red Hat, Inc + 2009-2012 Intel Corporation +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/debian/lintian-overrides b/debian/lintian-overrides new file mode 100644 index 0000000..5ce68fc --- /dev/null +++ b/debian/lintian-overrides @@ -0,0 +1 @@ +shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..cef83a3 --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..5cbebf0 --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,110 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the shim-signed package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: shim-signed\n" +"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n" +"POT-Creation-Date: 2016-05-04 16:57-0500\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: text +#. Description +#: ../templates:1001 +msgid "Configuring Secure Boot" +msgstr "" + +#. Type: error +#. Description +#: ../templates:2001 +msgid "Invalid password" +msgstr "" + +#. Type: error +#. Description +#: ../templates:2001 +msgid "" +"The Secure Boot key you've entered is not valid. The password used must be " +"between 8 and 16 characters." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Disable UEFI Secure Boot?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible " +"with the use of third-party drivers." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The system will assist you in disabling UEFI Secure Boot. To ensure that " +"this change is being made by you as an authorized user, and not by an " +"attacker, you must choose a password now and then use the same password " +"after reboot to confirm the change." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"If you choose to proceed but do not confirm the password upon reboot, Ubuntu " +"will still be able to boot on your system but these third-party drivers will " +"not be available for your hardware." +msgstr "" + +#. Type: password +#. Description +#: ../templates:4001 +msgid "Password:" +msgstr "" + +#. Type: password +#. Description +#: ../templates:4001 +msgid "" +"Please enter a password for disabling Secure Boot. It will be asked again " +"after a reboot." +msgstr "" + +#. Type: password +#. Description +#: ../templates:5001 +msgid "Re-enter password to verify:" +msgstr "" + +#. Type: password +#. Description +#: ../templates:5001 +msgid "" +"Please enter the same password again to verify you have typed it correctly." +msgstr "" + +#. Type: error +#. Description +#: ../templates:6001 +msgid "Password input error" +msgstr "" + +#. Type: error +#. Description +#: ../templates:6001 +msgid "The two passwords you entered were not the same. Please try again." +msgstr "" diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..418ca9c --- /dev/null +++ b/debian/rules @@ -0,0 +1,19 @@ +#! /usr/bin/make -f + +VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) +SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim) + +%: + dh $@ + +docdir := debian/shim-signed/usr/share/doc/shim-signed + +override_dh_installchangelogs: + dh_installchangelogs + # Quieten lintian, which otherwise gets confused by our odd version + # number. + ln $(docdir)/changelog $(docdir)/changelog.Debian + +override_dh_gencontrol: + dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ + -Vshim:Version=$(SHIM_VERSION) diff --git a/debian/shim-signed.install b/debian/shim-signed.install new file mode 100644 index 0000000..5082806 --- /dev/null +++ b/debian/shim-signed.install @@ -0,0 +1,3 @@ +shimx64.efi.signed /usr/lib/shim +debian/source_shim-signed.py /usr/share/apport/package-hooks/ +update-secureboot-policy /usr/sbin/ diff --git a/debian/shim-signed.links b/debian/shim-signed.links new file mode 100644 index 0000000..2e3ccf9 --- /dev/null +++ b/debian/shim-signed.links @@ -0,0 +1 @@ +usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst new file mode 100644 index 0000000..89d445d --- /dev/null +++ b/debian/shim-signed.postinst @@ -0,0 +1,45 @@ +#! /bin/sh +set -e + +# Must load the confmodule for our template to be installed correctly. +. /usr/share/debconf/confmodule + +config_item () +{ + if [ -f /etc/default/grub ]; then + . /etc/default/grub || return + for x in /etc/default/grub.d/*.cfg; do + if [ -e "$x" ]; then + . "$x" + fi + done + fi + eval echo "\$$1" +} + +case $1 in + triggered) + SHIM_NOTRIGGER=y update-secureboot-policy + ;; + configure) + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ + cut -d' ' -f1)" + case $bootloader_id in + kubuntu) bootloader_id=ubuntu ;; + esac + if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ + && which grub-install >/dev/null 2>&1 + then + grub-install --target=x86_64-efi + if dpkg --compare-versions "$2" lt-nl "1.22~"; then + rm -f /boot/efi/EFI/ubuntu/MokManager.efi + fi + fi + + SHIM_NOTRIGGER=y update-secureboot-policy + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers new file mode 100644 index 0000000..2b33128 --- /dev/null +++ b/debian/shim-signed.triggers @@ -0,0 +1 @@ +interest-noawait shim-secureboot-policy diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py new file mode 100644 index 0000000..d03504f --- /dev/null +++ b/debian/source_shim-signed.py @@ -0,0 +1,55 @@ +'''apport package hook for shim and shim-signed + +(c) 2015 Canonical Ltd. +Author: Brian Murray <brian@ubuntu.com> +''' + +import errno +import os + +from apport.hookutils import ( + command_available, + command_output, + attach_file, + attach_root_command_outputs) + +efiarch = {'amd64': 'x64', + 'i386': 'ia32', + 'arm64': 'aarch64' + } +grubarch = {'amd64': 'x86_64', + 'i386': 'i386', + 'arm64': 'arm64' + } + +def add_info(report, ui): + efiboot = '/boot/efi/EFI/ubuntu' + if command_available('efibootmgr'): + report['EFIBootMgr'] = command_output(['efibootmgr', '-v']) + else: + report['EFIBootMgr'] = 'efibootmgr not available' + commands = {} + try: + directory = os.stat(efiboot) + except OSError as e: + if e.errno == errno.ENOENT: + report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing' + return + if e.errno == errno.EACCES: + directory= True + if directory: + arch = report['Architecture'] + commands['BootEFIContents'] = 'ls %s' % efiboot + commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch]) + commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch]) + attach_root_command_outputs(report, commands) + + efivars_dir = '/sys/firmware/efi/efivars' + sb_var = os.path.join(efivars_dir, + 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c') + mok_var = os.path.join(efivars_dir, + 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23') + + attach_file(report, '/proc/sys/kernel/moksbstate_disabled') + attach_file(report, sb_var) + attach_file(report, mok_var) diff --git a/debian/templates b/debian/templates new file mode 100644 index 0000000..604cda1 --- /dev/null +++ b/debian/templates @@ -0,0 +1,56 @@ +Template: shim/title/secureboot +Type: text +_Description: Configuring Secure Boot + +Template: shim/error/bad_secureboot_key +Type: error +_Description: Invalid password + The Secure Boot key you've entered is not valid. The password used must be + between 8 and 16 characters. + +Template: shim/disable_secureboot +Type: boolean +Default: true +_Description: Disable UEFI Secure Boot? + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/enable_secureboot +Type: boolean +Default: false +_Description: Enable UEFI Secure Boot? + If Secure Boot is enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_explanation +Type: note +_Description: Your system has UEFI Secure Boot enabled. + UEFI Secure Boot is not compatible with the use of third-party drivers. + . + The system will assist you in toggling UEFI Secure Boot. To ensure that this + change is being made by you as an authorized user, and not by an attacker, + you must choose a password now and then use the same password after reboot + to confirm the change. + . + If you choose to proceed but do not confirm the password upon reboot, Ubuntu + will still be able to boot on your system but the Secure Boot state will not + be changed. + . + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_key +Type: string +_Description: Enter a password for Secure Boot. It will be asked again after a reboot. + +Template: shim/secureboot_key_again +Type: string +_Description: Enter the same password again to verify you have typed it correctly. + +Template: shim/error/secureboot_key_mismatch +Type: error +_Description: Password input error + The two passwords you entered were not the same. Please try again. diff --git a/shimx64.efi.signed b/shimx64.efi.signed Binary files differnew file mode 100644 index 0000000..c6b4450 --- /dev/null +++ b/shimx64.efi.signed diff --git a/update-secureboot-policy b/update-secureboot-policy new file mode 100755 index 0000000..5e7b4a8 --- /dev/null +++ b/update-secureboot-policy @@ -0,0 +1,151 @@ +#!/bin/sh +set -e + +if test $# = 0 \ + && test x"$SHIM_NOTRIGGER" = x \ + && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \ + && dpkg-trigger --check-supported 2>/dev/null +then + if dpkg-trigger --no-await shim-secureboot-policy; then + if test x"$SHIM_TRIGGER_DEBUG" != x; then + echo "shim: wrapper deferring policy update (trigger activated)" + fi + exit 0 + fi +fi + +. /usr/share/debconf/confmodule + +setup_mok_validation() +{ + local moksbstatert + local efivars secureboot_var moksb_var moksbstatert_var + local enable_sb action + enable_sb=$1 + efivars=/sys/firmware/efi/efivars + secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c + moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23 + moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 + action=disable + + if [ $enable_sb -eq 1 ]; then + action=enable + fi + + if ! [ -f $efivars/$secureboot_var ] \ + || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] + then + echo "Secure Boot not enabled on this system." >&2 + return 0 + fi + moksbstatert=0 + if [ -f $efivars/$moksb_var ]; then + # if MokSB exists we've likely already run mokutil since last boot + echo "The Secure Boot policy was already changed since last reboot; nothing to do." >&2 + return 0 + fi + if [ -f /proc/sys/kernel/moksbstate_disabled ]; then + moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) + elif [ -f $efivars/$moksbstatert_var ]; then + # MokSBStateRT set to 1 means validation is disabled + moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ + awk '{ print $NF; }') + fi + # poor man's xor + if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then + STATE=1 + db_settitle shim/title/secureboot + while true; do + case "$STATE" in + 1) + db_capb + db_fset shim/secureboot_explanation seen false + db_input critical shim/secureboot_explanation || true + db_go + + # Allow the user to skip disabling Secure Boot. + db_fset shim/${action}_secureboot seen false + db_input critical shim/${action}_secureboot || true + ;; + 2) + db_get shim/${action}_secureboot + if [ "$RET" = "false" ]; then + break + fi + + db_input critical shim/secureboot_key || true + seen_key=$RET + db_input critical shim/secureboot_key_again || true + ;; + 3) + db_get shim/secureboot_key + key="$RET" + db_get shim/secureboot_key_again + again="$RET" + + if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then + echo "Running in non-interactive mode, doing nothing." >&2 + exit 1 + fi + + db_capb + if [ "$key" != "$again" ]; then + db_fset shim/error/secureboot_key_mismatch seen false + db_input critical shim/error/secureboot_key_mismatch || true + STATE=$(($STATE - 2)) + else + length=$((`echo "$key" | wc -c` - 1)) + if [ $length -lt 8 ] || [ $length -gt 16 ]; then + db_fset shim/error/bad_secureboot_key seen false + db_input critical shim/error/bad_secureboot_key || true + STATE=$(($STATE - 2)) + elif [ $length -ne 0 ]; then + printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true + fi + fi + + # Always clear secureboot key. + db_set shim/secureboot_key '' + db_fset shim/secureboot_key seen false + db_set shim/secureboot_key_again '' + db_fset shim/secureboot_key_again seen false + ;; + *) + break + ;; + esac + + if db_go; then + STATE=$(($STATE + 1)) + else + STATE=$(($STATE - 1)) + fi + db_capb backup + done + db_capb + fi +} + +args=$@ +enable_secureboot=0 + +if echo "$args" | grep -qc -- '--enable'; then + enable_secureboot=1 +elif echo "$args" | grep -qc -- '--disable'; then + enable_secureboot=0 +elif echo "$args" | grep -qc -- '--help'; then + echo "update-secureboot-policy: toggle UEFI Secure Boot in shim" + echo + echo "\t--enable\tPrompt to enable Secure Boot validation." + echo "\t--disable\tPrompt to disable Secure Boot validation (default)." + echo "\t--help\t\tThis help text." + exit 0 +fi + +if [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then + setup_mok_validation $enable_secureboot +else + echo "No DKMS packages installed: not changing Secure Boot validation state." +fi + +exit 0 |
