diff options
| author | Steve McIntyre <steve@einval.com> | 2026-05-18 00:52:29 +0100 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2026-05-18 00:56:13 +0100 |
| commit | 04a3449adcd413433c45774ac7b150ededaa1c4e (patch) | |
| tree | 70e63e1554fead69373ec5ce943801c70bee1a9b /debian | |
| parent | 1f2132eaedee079ebcf6d135ac63161fb7c79729 (diff) | |
| download | shim-signed-04a3449adcd413433c45774ac7b150ededaa1c4e.tar.gz shim-signed-04a3449adcd413433c45774ac7b150ededaa1c4e.zip | |
Switch to using debconf to display signature errors
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/control | 4 | ||||
| -rwxr-xr-x | debian/rules | 3 | ||||
| -rw-r--r-- | debian/shim-signed.preinst.in | 157 | ||||
| -rw-r--r-- | debian/shim-signed.templates | 29 |
4 files changed, 116 insertions, 77 deletions
diff --git a/debian/control b/debian/control index dbf5481..9003419 100644 --- a/debian/control +++ b/debian/control @@ -16,10 +16,12 @@ Build-Depends: debhelper (>= 13), Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/efi-team/shim-signed Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git +Rules-Requires-Root: no Package: shim-signed Architecture: amd64 arm64 Multi-Arch: same +Pre-Depends: debconf Depends: ${misc:Depends}, mokutil, shim-signed-common (>= ${source:Version}), @@ -37,7 +39,7 @@ Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) an OS distributor to revision their main bootloader independently of the CA. . This package contains the version of the bootloader binary signed by the - Microsoft UEFI CA. + Microsoft UEFI CA(s). Package: shim-signed-common Multi-Arch: foreign diff --git a/debian/rules b/debian/rules index 6649988..ee6cc9f 100755 --- a/debian/rules +++ b/debian/rules @@ -22,9 +22,6 @@ endif docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common -override_dh_installdebconf: - dh_installdebconf -p shim-signed-common - override_dh_installdeb: ifeq ($(VENDOR),Debian) # Remove apport files from Debian builds, they're not useful diff --git a/debian/shim-signed.preinst.in b/debian/shim-signed.preinst.in index bc66b0f..6f3e13c 100644 --- a/debian/shim-signed.preinst.in +++ b/debian/shim-signed.preinst.in @@ -2,19 +2,27 @@ set -e +type=$1 + +. /usr/share/debconf/confmodule + +# Only change LC_ALL after loading debconf to ensure any debconf templates +# are properly localized. +export LC_ALL=C + # Select the right target architecture for grub-install ARCH=$(dpkg --print-architecture) case ${ARCH} in amd64) - EFI_ARCH="x64";; + EFI_ARCH="x64";; i386) - EFI_ARCH="ia32";; + EFI_ARCH="ia32";; arm64) - EFI_ARCH="aa64";; + EFI_ARCH="aa64";; *) - echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" - exit 1 - ;; + echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" + exit 1 + ;; esac SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed" @@ -24,79 +32,82 @@ if [ ! -f "$SHIM" ]; then fi SHIM_SIGS="@@SHIM_SIGNATURES@@" -# Set the default error message -SB_BOOT_ERROR="Secure Boot is enabled and we don't have a valid signature on $SHIM" +# Known error possibilities +ERR_NONE=0 +ERR_NO_VALID_SIG=1 +ERR_REVOKED=2 -case "$1" in +# Set the default error - no sigs found yet +SB_BOOT_ERROR=$ERR_NO_VALID_SIG + +case "$type" in install|upgrade) - echo "shim-signed: checking if we can safely install $SHIM" - - if ! type mokutil > /dev/null 2>&1; then - echo " Mokutil is not installed, assuming things will be OK." - SB_BOOT_ERROR="" - else - # Check that we can safely boot this shim. - SB_STATE=$(mokutil --sb-state 2>&1 || true) - # If SB is not enabled (etc.) then this shim is fine - case $SB_STATE in - "SecureBoot disabled"|"This system doesn't support Secure Boot") - echo " $SB_STATE; shim installation is safe." - SB_BOOT_ERROR="" - ;; - "EFI variables are not supported on this system") - echo " $SB_STATE; assuming shim installation is safe." - SB_BOOT_ERROR="" - ;; - esac - fi + echo "shim-signed: checking if we can safely install $SHIM" - if [ "$SB_BOOT_ERROR"x != ""x ]; then - echo "Checking shim signatures on $SHIM:" - - # Secure Boot is enabled - we need to check that our shim - # is signed by a key in the DB list. - - # Check against all the keys in the DB list - for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do - for sig in ${SHIM_SIGS}; do - if [ "$dbkey" = "$sig" ]; then - echo "- signed by DB key $dbkey, should boot OK" - SB_BOOT_ERROR="" - fi - done - done - - # Also check against the blacklisted keys in DBX - any - # blacklisted sig will block boot of a shim signed with - # that sig. - for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do - for sig in ${SHIM_SIGS}; do - if [ "$dbxkey" = "$sig" ]; then - echo "- signed by DBX key $dbxkey, will be blocked from booting" - echo "SecureBoot is enabled and $SHIM is blocked due to revocation of $dbxkey," - fi - done - done - fi + if ! type mokutil > /dev/null 2>&1; then + echo " Mokutil is not installed, assuming things will be OK." + SB_BOOT_ERROR=$ERR_NONE + else + # Check that we can safely boot this shim. + SB_STATE=$(mokutil --sb-state 2>&1 || true) + # If SB is not enabled (etc.) then this shim is fine + case $SB_STATE in + "SecureBoot disabled"|"This system doesn't support Secure Boot") + echo " $SB_STATE; shim installation is safe." + SB_BOOT_ERROR=$ERR_NONE + ;; + "EFI variables are not supported on this system") + echo " $SB_STATE; assuming shim installation is safe." + SB_BOOT_ERROR=$ERR_NONE + ;; + esac + fi - if [ "$SB_BOOT_ERROR"x != ""x ]; then - # SB is enabled but we can't boot this shim - echo "***********************************************************" - echo "$SB_BOOT_ERROR" - echo - echo "You probably need to update the trusted certificates list (DB). See" - echo - echo " https://wiki.debian.org/SecureBoot/UpdateCA" - echo - echo "for more information." - echo - echo "ABORT - this system will not currently boot with this shim installed." - echo "***********************************************************" - exit 1 - fi + if [ $SB_BOOT_ERROR != $ERR_NONE ]; then + echo "Checking shim signatures on $SHIM:" + + # Secure Boot is enabled - we need to check that our shim + # is signed by a key in the DB list. + + # Check against all the keys in the DB list + for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do + for sig in ${SHIM_SIGS}; do + if [ "$dbkey" = "$sig" ]; then + echo "- signed by DB key $dbkey, should boot OK" + SB_BOOT_ERROR=$ERR_NONE + fi + done + done - ;; + # Next, check against the blacklisted keys in DBX - any + # blacklisted sig will block boot of a shim signed with + # that sig. + for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do + for sig in ${SHIM_SIGS}; do + if [ "$dbxkey" = "$sig" ]; then + echo "- signed by DBX key $dbxkey, will be blocked from booting" + SB_BOOT_ERROR=$ERR_REVOKED + fi + done + done + fi + + if [ $SB_BOOT_ERROR != $ERR_NONE ]; then + if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then + TEMPLATENAME=shim-signed/no-valid-sigs + elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then + TEMPLATENAME=shim-signed/revoked-sig + fi + + db_version 2.0 + db_fset "$TEMPLATENAME" seen false + db_reset "$TEMPLATENAME" + db_input critical "$TEMPLATENAME" || true + db_go + db_stop + exit 1 + fi esac #DEBHELPER# diff --git a/debian/shim-signed.templates b/debian/shim-signed.templates new file mode 100644 index 0000000..16c65d1 --- /dev/null +++ b/debian/shim-signed.templates @@ -0,0 +1,29 @@ +Template: shim-signed/no-valid-sigs +Type: error +_Description: No valid UEFI Secure Boot signatures found + UEFI Secure Boot is enabled on your system, but the signed shim + binary in this package is not signed with a key that your system + trusts. This is a FATAL ERROR - your system will not currently + boot with this signed shim installed. + . + To fix this error, you probably need to update the trusted + certificates list (DB) on your system. See + . + https://wiki.debian.org/SecureBoot/UpdateCA + . + for more information about how to do this. + +Template: shim-signed/revoked-sig +Type: error +_Description: Shim signed with a revoked key + UEFI Secure Boot is enabled on your system, but the signed shim + binary in this package is signed by a key that has been revoked on + your system. This is a FATAL ERROR - your system will not currently + boot with this shim installed. + . + To fix this error, you probably need to update the trusted + certificates revocation list (DBX) on your system. See + . + https://wiki.debian.org/SecureBoot/UpdateCA + . + for more information about how to do this. |
