summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2017-04-14 21:44:06 +0000
committerSteve McIntyre <steve@einval.com>2019-03-06 21:15:15 +0000
commitbf3018eb1399f512672127987fbc134e898d3102 (patch)
tree7d6f95ae8a61bb363e67e3001b7f8bfec86dfa60
downloadshim-signed-bf3018eb1399f512672127987fbc134e898d3102.tar.gz
shim-signed-bf3018eb1399f512672127987fbc134e898d3102.zip
Import Debian version 1.28debian/1.28
shim-signed (1.28) unstable; urgency=medium * Initial Debian upload, based on Ubuntu package.
-rw-r--r--Makefile14
-rw-r--r--MicCorUEFCA2011_2011-06-27.crt35
-rw-r--r--debian/bzr-builddeb.conf2
-rw-r--r--debian/changelog5
-rw-r--r--debian/compat1
-rw-r--r--debian/control21
-rw-r--r--debian/copyright33
-rw-r--r--debian/lintian-overrides1
-rw-r--r--debian/po/POTFILES.in1
-rw-r--r--debian/po/templates.pot110
-rwxr-xr-xdebian/rules19
-rw-r--r--debian/shim-signed.install3
-rw-r--r--debian/shim-signed.links1
-rw-r--r--debian/shim-signed.postinst45
-rw-r--r--debian/shim-signed.triggers1
-rw-r--r--debian/source/format1
-rw-r--r--debian/source_shim-signed.py55
-rw-r--r--debian/templates56
-rw-r--r--shimx64.efi.signedbin0 -> 1169528 bytes
-rwxr-xr-xupdate-secureboot-policy151
20 files changed, 555 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1d82b19
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,14 @@
+all:
+
+check:
+ mkdir -p build
+ # Verifying that the image is signed with the correct key.
+ sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed
+ # Verifying that we have the correct binary.
+ sbattach --detach build/detached-sig shimx64.efi.signed
+ cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
+ sbattach --attach build/detached-sig build/shimx64.efi.signed
+ cmp shimx64.efi.signed build/shimx64.efi.signed
+
+clean:
+ rm -rf build
diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt
new file mode 100644
index 0000000..d7c29ef
--- /dev/null
+++ b/MicCorUEFCA2011_2011-06-27.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG
+A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
+HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z
+b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN
+MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
+Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0
+aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug
++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI
+rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ
+E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp
+XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L
+71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB
+AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW
+BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA
+QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD
+4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p
+Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f
+MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw
+Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv
+b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q
+aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz
+Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g
+Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX
+i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM
+sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh
+aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk
+BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs
+deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5
+QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7
+5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu
+AkXuZcK2o35pFnUHkpv1prxZg1g=
+-----END CERTIFICATE-----
diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf
new file mode 100644
index 0000000..3a08d60
--- /dev/null
+++ b/debian/bzr-builddeb.conf
@@ -0,0 +1,2 @@
+[BUILDDEB]
+native = True
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..315a981
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+shim-signed (1.28) unstable; urgency=medium
+
+ * Initial Debian upload, based on Ubuntu package.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 14 Apr 2017 21:44:06 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..dfd26bd
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,21 @@
+Source: shim-signed
+Section: utils
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Standards-Version: 3.9.4
+
+Package: shim-signed
+Architecture: amd64
+Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Recommends: secureboot-db
+Built-Using: shim (= ${shim:Version})
+Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the version of the bootloader binary signed by the
+ Microsoft UEFI CA.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d9f1275
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,33 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012 Red Hat, Inc
+ 2009-2012 Intel Corporation
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..5ce68fc
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1 @@
+shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 0000000..cef83a3
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 0000000..5cbebf0
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,110 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the shim-signed package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: shim-signed\n"
+"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n"
+"POT-Creation-Date: 2016-05-04 16:57-0500\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: text
+#. Description
+#: ../templates:1001
+msgid "Configuring Secure Boot"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid "Invalid password"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid ""
+"The Secure Boot key you've entered is not valid. The password used must be "
+"between 8 and 16 characters."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Disable UEFI Secure Boot?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible "
+"with the use of third-party drivers."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"The system will assist you in disabling UEFI Secure Boot. To ensure that "
+"this change is being made by you as an authorized user, and not by an "
+"attacker, you must choose a password now and then use the same password "
+"after reboot to confirm the change."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"If you choose to proceed but do not confirm the password upon reboot, Ubuntu "
+"will still be able to boot on your system but these third-party drivers will "
+"not be available for your hardware."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid "Password:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid ""
+"Please enter a password for disabling Secure Boot. It will be asked again "
+"after a reboot."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid "Re-enter password to verify:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid ""
+"Please enter the same password again to verify you have typed it correctly."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "Password input error"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "The two passwords you entered were not the same. Please try again."
+msgstr ""
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..418ca9c
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,19 @@
+#! /usr/bin/make -f
+
+VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
+SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
+
+%:
+ dh $@
+
+docdir := debian/shim-signed/usr/share/doc/shim-signed
+
+override_dh_installchangelogs:
+ dh_installchangelogs
+ # Quieten lintian, which otherwise gets confused by our odd version
+ # number.
+ ln $(docdir)/changelog $(docdir)/changelog.Debian
+
+override_dh_gencontrol:
+ dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
+ -Vshim:Version=$(SHIM_VERSION)
diff --git a/debian/shim-signed.install b/debian/shim-signed.install
new file mode 100644
index 0000000..5082806
--- /dev/null
+++ b/debian/shim-signed.install
@@ -0,0 +1,3 @@
+shimx64.efi.signed /usr/lib/shim
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/
diff --git a/debian/shim-signed.links b/debian/shim-signed.links
new file mode 100644
index 0000000..2e3ccf9
--- /dev/null
+++ b/debian/shim-signed.links
@@ -0,0 +1 @@
+usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py
diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
new file mode 100644
index 0000000..89d445d
--- /dev/null
+++ b/debian/shim-signed.postinst
@@ -0,0 +1,45 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+config_item ()
+{
+ if [ -f /etc/default/grub ]; then
+ . /etc/default/grub || return
+ for x in /etc/default/grub.d/*.cfg; do
+ if [ -e "$x" ]; then
+ . "$x"
+ fi
+ done
+ fi
+ eval echo "\$$1"
+}
+
+case $1 in
+ triggered)
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+ configure)
+ bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+ cut -d' ' -f1)"
+ case $bootloader_id in
+ kubuntu) bootloader_id=ubuntu ;;
+ esac
+ if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
+ && which grub-install >/dev/null 2>&1
+ then
+ grub-install --target=x86_64-efi
+ if dpkg --compare-versions "$2" lt-nl "1.22~"; then
+ rm -f /boot/efi/EFI/ubuntu/MokManager.efi
+ fi
+ fi
+
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers
new file mode 100644
index 0000000..2b33128
--- /dev/null
+++ b/debian/shim-signed.triggers
@@ -0,0 +1 @@
+interest-noawait shim-secureboot-policy
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py
new file mode 100644
index 0000000..d03504f
--- /dev/null
+++ b/debian/source_shim-signed.py
@@ -0,0 +1,55 @@
+'''apport package hook for shim and shim-signed
+
+(c) 2015 Canonical Ltd.
+Author: Brian Murray <brian@ubuntu.com>
+'''
+
+import errno
+import os
+
+from apport.hookutils import (
+ command_available,
+ command_output,
+ attach_file,
+ attach_root_command_outputs)
+
+efiarch = {'amd64': 'x64',
+ 'i386': 'ia32',
+ 'arm64': 'aarch64'
+ }
+grubarch = {'amd64': 'x86_64',
+ 'i386': 'i386',
+ 'arm64': 'arm64'
+ }
+
+def add_info(report, ui):
+ efiboot = '/boot/efi/EFI/ubuntu'
+ if command_available('efibootmgr'):
+ report['EFIBootMgr'] = command_output(['efibootmgr', '-v'])
+ else:
+ report['EFIBootMgr'] = 'efibootmgr not available'
+ commands = {}
+ try:
+ directory = os.stat(efiboot)
+ except OSError as e:
+ if e.errno == errno.ENOENT:
+ report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing'
+ return
+ if e.errno == errno.EACCES:
+ directory= True
+ if directory:
+ arch = report['Architecture']
+ commands['BootEFIContents'] = 'ls %s' % efiboot
+ commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch])
+ commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch])
+ attach_root_command_outputs(report, commands)
+
+ efivars_dir = '/sys/firmware/efi/efivars'
+ sb_var = os.path.join(efivars_dir,
+ 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c')
+ mok_var = os.path.join(efivars_dir,
+ 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23')
+
+ attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
+ attach_file(report, sb_var)
+ attach_file(report, mok_var)
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 0000000..604cda1
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,56 @@
+Template: shim/title/secureboot
+Type: text
+_Description: Configuring Secure Boot
+
+Template: shim/error/bad_secureboot_key
+Type: error
+_Description: Invalid password
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: shim/disable_secureboot
+Type: boolean
+Default: true
+_Description: Disable UEFI Secure Boot?
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/enable_secureboot
+Type: boolean
+Default: false
+_Description: Enable UEFI Secure Boot?
+ If Secure Boot is enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_explanation
+Type: note
+_Description: Your system has UEFI Secure Boot enabled.
+ UEFI Secure Boot is not compatible with the use of third-party drivers.
+ .
+ The system will assist you in toggling UEFI Secure Boot. To ensure that this
+ change is being made by you as an authorized user, and not by an attacker,
+ you must choose a password now and then use the same password after reboot
+ to confirm the change.
+ .
+ If you choose to proceed but do not confirm the password upon reboot, Ubuntu
+ will still be able to boot on your system but the Secure Boot state will not
+ be changed.
+ .
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_key
+Type: string
+_Description: Enter a password for Secure Boot. It will be asked again after a reboot.
+
+Template: shim/secureboot_key_again
+Type: string
+_Description: Enter the same password again to verify you have typed it correctly.
+
+Template: shim/error/secureboot_key_mismatch
+Type: error
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.
diff --git a/shimx64.efi.signed b/shimx64.efi.signed
new file mode 100644
index 0000000..c6b4450
--- /dev/null
+++ b/shimx64.efi.signed
Binary files differ
diff --git a/update-secureboot-policy b/update-secureboot-policy
new file mode 100755
index 0000000..5e7b4a8
--- /dev/null
+++ b/update-secureboot-policy
@@ -0,0 +1,151 @@
+#!/bin/sh
+set -e
+
+if test $# = 0 \
+ && test x"$SHIM_NOTRIGGER" = x \
+ && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \
+ && dpkg-trigger --check-supported 2>/dev/null
+then
+ if dpkg-trigger --no-await shim-secureboot-policy; then
+ if test x"$SHIM_TRIGGER_DEBUG" != x; then
+ echo "shim: wrapper deferring policy update (trigger activated)"
+ fi
+ exit 0
+ fi
+fi
+
+. /usr/share/debconf/confmodule
+
+setup_mok_validation()
+{
+ local moksbstatert
+ local efivars secureboot_var moksb_var moksbstatert_var
+ local enable_sb action
+ enable_sb=$1
+ efivars=/sys/firmware/efi/efivars
+ secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+ moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
+ moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+ action=disable
+
+ if [ $enable_sb -eq 1 ]; then
+ action=enable
+ fi
+
+ if ! [ -f $efivars/$secureboot_var ] \
+ || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
+ then
+ echo "Secure Boot not enabled on this system." >&2
+ return 0
+ fi
+ moksbstatert=0
+ if [ -f $efivars/$moksb_var ]; then
+ # if MokSB exists we've likely already run mokutil since last boot
+ echo "The Secure Boot policy was already changed since last reboot; nothing to do." >&2
+ return 0
+ fi
+ if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
+ moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
+ elif [ -f $efivars/$moksbstatert_var ]; then
+ # MokSBStateRT set to 1 means validation is disabled
+ moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
+ awk '{ print $NF; }')
+ fi
+ # poor man's xor
+ if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
+ STATE=1
+ db_settitle shim/title/secureboot
+ while true; do
+ case "$STATE" in
+ 1)
+ db_capb
+ db_fset shim/secureboot_explanation seen false
+ db_input critical shim/secureboot_explanation || true
+ db_go
+
+ # Allow the user to skip disabling Secure Boot.
+ db_fset shim/${action}_secureboot seen false
+ db_input critical shim/${action}_secureboot || true
+ ;;
+ 2)
+ db_get shim/${action}_secureboot
+ if [ "$RET" = "false" ]; then
+ break
+ fi
+
+ db_input critical shim/secureboot_key || true
+ seen_key=$RET
+ db_input critical shim/secureboot_key_again || true
+ ;;
+ 3)
+ db_get shim/secureboot_key
+ key="$RET"
+ db_get shim/secureboot_key_again
+ again="$RET"
+
+ if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
+ echo "Running in non-interactive mode, doing nothing." >&2
+ exit 1
+ fi
+
+ db_capb
+ if [ "$key" != "$again" ]; then
+ db_fset shim/error/secureboot_key_mismatch seen false
+ db_input critical shim/error/secureboot_key_mismatch || true
+ STATE=$(($STATE - 2))
+ else
+ length=$((`echo "$key" | wc -c` - 1))
+ if [ $length -lt 8 ] || [ $length -gt 16 ]; then
+ db_fset shim/error/bad_secureboot_key seen false
+ db_input critical shim/error/bad_secureboot_key || true
+ STATE=$(($STATE - 2))
+ elif [ $length -ne 0 ]; then
+ printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true
+ fi
+ fi
+
+ # Always clear secureboot key.
+ db_set shim/secureboot_key ''
+ db_fset shim/secureboot_key seen false
+ db_set shim/secureboot_key_again ''
+ db_fset shim/secureboot_key_again seen false
+ ;;
+ *)
+ break
+ ;;
+ esac
+
+ if db_go; then
+ STATE=$(($STATE + 1))
+ else
+ STATE=$(($STATE - 1))
+ fi
+ db_capb backup
+ done
+ db_capb
+ fi
+}
+
+args=$@
+enable_secureboot=0
+
+if echo "$args" | grep -qc -- '--enable'; then
+ enable_secureboot=1
+elif echo "$args" | grep -qc -- '--disable'; then
+ enable_secureboot=0
+elif echo "$args" | grep -qc -- '--help'; then
+ echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
+ echo
+ echo "\t--enable\tPrompt to enable Secure Boot validation."
+ echo "\t--disable\tPrompt to disable Secure Boot validation (default)."
+ echo "\t--help\t\tThis help text."
+ exit 0
+fi
+
+if [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
+ setup_mok_validation $enable_secureboot
+else
+ echo "No DKMS packages installed: not changing Secure Boot validation state."
+fi
+
+exit 0