summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2017-04-14 21:44:06 +0000
committerSteve McIntyre <steve@einval.com>2019-03-06 21:15:15 +0000
commitbf3018eb1399f512672127987fbc134e898d3102 (patch)
tree7d6f95ae8a61bb363e67e3001b7f8bfec86dfa60 /debian
downloadshim-signed-bf3018eb1399f512672127987fbc134e898d3102.tar.gz
shim-signed-bf3018eb1399f512672127987fbc134e898d3102.zip
Import Debian version 1.28debian/1.28
shim-signed (1.28) unstable; urgency=medium * Initial Debian upload, based on Ubuntu package.
Diffstat (limited to 'debian')
-rw-r--r--debian/bzr-builddeb.conf2
-rw-r--r--debian/changelog5
-rw-r--r--debian/compat1
-rw-r--r--debian/control21
-rw-r--r--debian/copyright33
-rw-r--r--debian/lintian-overrides1
-rw-r--r--debian/po/POTFILES.in1
-rw-r--r--debian/po/templates.pot110
-rwxr-xr-xdebian/rules19
-rw-r--r--debian/shim-signed.install3
-rw-r--r--debian/shim-signed.links1
-rw-r--r--debian/shim-signed.postinst45
-rw-r--r--debian/shim-signed.triggers1
-rw-r--r--debian/source/format1
-rw-r--r--debian/source_shim-signed.py55
-rw-r--r--debian/templates56
16 files changed, 355 insertions, 0 deletions
diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf
new file mode 100644
index 0000000..3a08d60
--- /dev/null
+++ b/debian/bzr-builddeb.conf
@@ -0,0 +1,2 @@
+[BUILDDEB]
+native = True
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..315a981
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+shim-signed (1.28) unstable; urgency=medium
+
+ * Initial Debian upload, based on Ubuntu package.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 14 Apr 2017 21:44:06 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..dfd26bd
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,21 @@
+Source: shim-signed
+Section: utils
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Standards-Version: 3.9.4
+
+Package: shim-signed
+Architecture: amd64
+Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Recommends: secureboot-db
+Built-Using: shim (= ${shim:Version})
+Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the version of the bootloader binary signed by the
+ Microsoft UEFI CA.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d9f1275
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,33 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012 Red Hat, Inc
+ 2009-2012 Intel Corporation
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..5ce68fc
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1 @@
+shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 0000000..cef83a3
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 0000000..5cbebf0
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,110 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the shim-signed package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: shim-signed\n"
+"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n"
+"POT-Creation-Date: 2016-05-04 16:57-0500\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: text
+#. Description
+#: ../templates:1001
+msgid "Configuring Secure Boot"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid "Invalid password"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid ""
+"The Secure Boot key you've entered is not valid. The password used must be "
+"between 8 and 16 characters."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Disable UEFI Secure Boot?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible "
+"with the use of third-party drivers."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"The system will assist you in disabling UEFI Secure Boot. To ensure that "
+"this change is being made by you as an authorized user, and not by an "
+"attacker, you must choose a password now and then use the same password "
+"after reboot to confirm the change."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"If you choose to proceed but do not confirm the password upon reboot, Ubuntu "
+"will still be able to boot on your system but these third-party drivers will "
+"not be available for your hardware."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid "Password:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid ""
+"Please enter a password for disabling Secure Boot. It will be asked again "
+"after a reboot."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid "Re-enter password to verify:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid ""
+"Please enter the same password again to verify you have typed it correctly."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "Password input error"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "The two passwords you entered were not the same. Please try again."
+msgstr ""
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..418ca9c
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,19 @@
+#! /usr/bin/make -f
+
+VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
+SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
+
+%:
+ dh $@
+
+docdir := debian/shim-signed/usr/share/doc/shim-signed
+
+override_dh_installchangelogs:
+ dh_installchangelogs
+ # Quieten lintian, which otherwise gets confused by our odd version
+ # number.
+ ln $(docdir)/changelog $(docdir)/changelog.Debian
+
+override_dh_gencontrol:
+ dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
+ -Vshim:Version=$(SHIM_VERSION)
diff --git a/debian/shim-signed.install b/debian/shim-signed.install
new file mode 100644
index 0000000..5082806
--- /dev/null
+++ b/debian/shim-signed.install
@@ -0,0 +1,3 @@
+shimx64.efi.signed /usr/lib/shim
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/
diff --git a/debian/shim-signed.links b/debian/shim-signed.links
new file mode 100644
index 0000000..2e3ccf9
--- /dev/null
+++ b/debian/shim-signed.links
@@ -0,0 +1 @@
+usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py
diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
new file mode 100644
index 0000000..89d445d
--- /dev/null
+++ b/debian/shim-signed.postinst
@@ -0,0 +1,45 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+config_item ()
+{
+ if [ -f /etc/default/grub ]; then
+ . /etc/default/grub || return
+ for x in /etc/default/grub.d/*.cfg; do
+ if [ -e "$x" ]; then
+ . "$x"
+ fi
+ done
+ fi
+ eval echo "\$$1"
+}
+
+case $1 in
+ triggered)
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+ configure)
+ bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+ cut -d' ' -f1)"
+ case $bootloader_id in
+ kubuntu) bootloader_id=ubuntu ;;
+ esac
+ if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
+ && which grub-install >/dev/null 2>&1
+ then
+ grub-install --target=x86_64-efi
+ if dpkg --compare-versions "$2" lt-nl "1.22~"; then
+ rm -f /boot/efi/EFI/ubuntu/MokManager.efi
+ fi
+ fi
+
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers
new file mode 100644
index 0000000..2b33128
--- /dev/null
+++ b/debian/shim-signed.triggers
@@ -0,0 +1 @@
+interest-noawait shim-secureboot-policy
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py
new file mode 100644
index 0000000..d03504f
--- /dev/null
+++ b/debian/source_shim-signed.py
@@ -0,0 +1,55 @@
+'''apport package hook for shim and shim-signed
+
+(c) 2015 Canonical Ltd.
+Author: Brian Murray <brian@ubuntu.com>
+'''
+
+import errno
+import os
+
+from apport.hookutils import (
+ command_available,
+ command_output,
+ attach_file,
+ attach_root_command_outputs)
+
+efiarch = {'amd64': 'x64',
+ 'i386': 'ia32',
+ 'arm64': 'aarch64'
+ }
+grubarch = {'amd64': 'x86_64',
+ 'i386': 'i386',
+ 'arm64': 'arm64'
+ }
+
+def add_info(report, ui):
+ efiboot = '/boot/efi/EFI/ubuntu'
+ if command_available('efibootmgr'):
+ report['EFIBootMgr'] = command_output(['efibootmgr', '-v'])
+ else:
+ report['EFIBootMgr'] = 'efibootmgr not available'
+ commands = {}
+ try:
+ directory = os.stat(efiboot)
+ except OSError as e:
+ if e.errno == errno.ENOENT:
+ report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing'
+ return
+ if e.errno == errno.EACCES:
+ directory= True
+ if directory:
+ arch = report['Architecture']
+ commands['BootEFIContents'] = 'ls %s' % efiboot
+ commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch])
+ commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch])
+ attach_root_command_outputs(report, commands)
+
+ efivars_dir = '/sys/firmware/efi/efivars'
+ sb_var = os.path.join(efivars_dir,
+ 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c')
+ mok_var = os.path.join(efivars_dir,
+ 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23')
+
+ attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
+ attach_file(report, sb_var)
+ attach_file(report, mok_var)
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 0000000..604cda1
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,56 @@
+Template: shim/title/secureboot
+Type: text
+_Description: Configuring Secure Boot
+
+Template: shim/error/bad_secureboot_key
+Type: error
+_Description: Invalid password
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: shim/disable_secureboot
+Type: boolean
+Default: true
+_Description: Disable UEFI Secure Boot?
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/enable_secureboot
+Type: boolean
+Default: false
+_Description: Enable UEFI Secure Boot?
+ If Secure Boot is enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_explanation
+Type: note
+_Description: Your system has UEFI Secure Boot enabled.
+ UEFI Secure Boot is not compatible with the use of third-party drivers.
+ .
+ The system will assist you in toggling UEFI Secure Boot. To ensure that this
+ change is being made by you as an authorized user, and not by an attacker,
+ you must choose a password now and then use the same password after reboot
+ to confirm the change.
+ .
+ If you choose to proceed but do not confirm the password upon reboot, Ubuntu
+ will still be able to boot on your system but the Secure Boot state will not
+ be changed.
+ .
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_key
+Type: string
+_Description: Enter a password for Secure Boot. It will be asked again after a reboot.
+
+Template: shim/secureboot_key_again
+Type: string
+_Description: Enter the same password again to verify you have typed it correctly.
+
+Template: shim/error/secureboot_key_mismatch
+Type: error
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.