diff options
| author | Steve Langasek <vorlon@debian.org> | 2017-04-14 21:44:06 +0000 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2019-03-06 21:15:15 +0000 |
| commit | bf3018eb1399f512672127987fbc134e898d3102 (patch) | |
| tree | 7d6f95ae8a61bb363e67e3001b7f8bfec86dfa60 /debian | |
| download | shim-signed-bf3018eb1399f512672127987fbc134e898d3102.tar.gz shim-signed-bf3018eb1399f512672127987fbc134e898d3102.zip | |
Import Debian version 1.28debian/1.28
shim-signed (1.28) unstable; urgency=medium
* Initial Debian upload, based on Ubuntu package.
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/bzr-builddeb.conf | 2 | ||||
| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/compat | 1 | ||||
| -rw-r--r-- | debian/control | 21 | ||||
| -rw-r--r-- | debian/copyright | 33 | ||||
| -rw-r--r-- | debian/lintian-overrides | 1 | ||||
| -rw-r--r-- | debian/po/POTFILES.in | 1 | ||||
| -rw-r--r-- | debian/po/templates.pot | 110 | ||||
| -rwxr-xr-x | debian/rules | 19 | ||||
| -rw-r--r-- | debian/shim-signed.install | 3 | ||||
| -rw-r--r-- | debian/shim-signed.links | 1 | ||||
| -rw-r--r-- | debian/shim-signed.postinst | 45 | ||||
| -rw-r--r-- | debian/shim-signed.triggers | 1 | ||||
| -rw-r--r-- | debian/source/format | 1 | ||||
| -rw-r--r-- | debian/source_shim-signed.py | 55 | ||||
| -rw-r--r-- | debian/templates | 56 |
16 files changed, 355 insertions, 0 deletions
diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf new file mode 100644 index 0000000..3a08d60 --- /dev/null +++ b/debian/bzr-builddeb.conf @@ -0,0 +1,2 @@ +[BUILDDEB] +native = True diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..315a981 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +shim-signed (1.28) unstable; urgency=medium + + * Initial Debian upload, based on Ubuntu package. + + -- Steve Langasek <vorlon@debian.org> Fri, 14 Apr 2017 21:44:06 +0000 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..dfd26bd --- /dev/null +++ b/debian/control @@ -0,0 +1,21 @@ +Source: shim-signed +Section: utils +Priority: optional +Maintainer: Steve Langasek <vorlon@debian.org> +Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf +Standards-Version: 3.9.4 + +Package: shim-signed +Architecture: amd64 +Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil +Recommends: secureboot-db +Built-Using: shim (= ${shim:Version}) +Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) + This package provides a minimalist boot loader which allows verifying + signatures of other UEFI binaries against either the Secure Boot DB/DBX or + against a built-in signature database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, while allowing + an OS distributor to revision their main bootloader independently of the CA. + . + This package contains the version of the bootloader binary signed by the + Microsoft UEFI CA. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..d9f1275 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,33 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: shim +Upstream-Contact: Matthew Garrett <mjg@redhat.com> +Source: https://github.com/mjg59/shim.git + +Files: * +Copyright: 2012 Red Hat, Inc + 2009-2012 Intel Corporation +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/debian/lintian-overrides b/debian/lintian-overrides new file mode 100644 index 0000000..5ce68fc --- /dev/null +++ b/debian/lintian-overrides @@ -0,0 +1 @@ +shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..cef83a3 --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..5cbebf0 --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,110 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the shim-signed package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: shim-signed\n" +"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n" +"POT-Creation-Date: 2016-05-04 16:57-0500\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: text +#. Description +#: ../templates:1001 +msgid "Configuring Secure Boot" +msgstr "" + +#. Type: error +#. Description +#: ../templates:2001 +msgid "Invalid password" +msgstr "" + +#. Type: error +#. Description +#: ../templates:2001 +msgid "" +"The Secure Boot key you've entered is not valid. The password used must be " +"between 8 and 16 characters." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Disable UEFI Secure Boot?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible " +"with the use of third-party drivers." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The system will assist you in disabling UEFI Secure Boot. To ensure that " +"this change is being made by you as an authorized user, and not by an " +"attacker, you must choose a password now and then use the same password " +"after reboot to confirm the change." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"If you choose to proceed but do not confirm the password upon reboot, Ubuntu " +"will still be able to boot on your system but these third-party drivers will " +"not be available for your hardware." +msgstr "" + +#. Type: password +#. Description +#: ../templates:4001 +msgid "Password:" +msgstr "" + +#. Type: password +#. Description +#: ../templates:4001 +msgid "" +"Please enter a password for disabling Secure Boot. It will be asked again " +"after a reboot." +msgstr "" + +#. Type: password +#. Description +#: ../templates:5001 +msgid "Re-enter password to verify:" +msgstr "" + +#. Type: password +#. Description +#: ../templates:5001 +msgid "" +"Please enter the same password again to verify you have typed it correctly." +msgstr "" + +#. Type: error +#. Description +#: ../templates:6001 +msgid "Password input error" +msgstr "" + +#. Type: error +#. Description +#: ../templates:6001 +msgid "The two passwords you entered were not the same. Please try again." +msgstr "" diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..418ca9c --- /dev/null +++ b/debian/rules @@ -0,0 +1,19 @@ +#! /usr/bin/make -f + +VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) +SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim) + +%: + dh $@ + +docdir := debian/shim-signed/usr/share/doc/shim-signed + +override_dh_installchangelogs: + dh_installchangelogs + # Quieten lintian, which otherwise gets confused by our odd version + # number. + ln $(docdir)/changelog $(docdir)/changelog.Debian + +override_dh_gencontrol: + dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ + -Vshim:Version=$(SHIM_VERSION) diff --git a/debian/shim-signed.install b/debian/shim-signed.install new file mode 100644 index 0000000..5082806 --- /dev/null +++ b/debian/shim-signed.install @@ -0,0 +1,3 @@ +shimx64.efi.signed /usr/lib/shim +debian/source_shim-signed.py /usr/share/apport/package-hooks/ +update-secureboot-policy /usr/sbin/ diff --git a/debian/shim-signed.links b/debian/shim-signed.links new file mode 100644 index 0000000..2e3ccf9 --- /dev/null +++ b/debian/shim-signed.links @@ -0,0 +1 @@ +usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst new file mode 100644 index 0000000..89d445d --- /dev/null +++ b/debian/shim-signed.postinst @@ -0,0 +1,45 @@ +#! /bin/sh +set -e + +# Must load the confmodule for our template to be installed correctly. +. /usr/share/debconf/confmodule + +config_item () +{ + if [ -f /etc/default/grub ]; then + . /etc/default/grub || return + for x in /etc/default/grub.d/*.cfg; do + if [ -e "$x" ]; then + . "$x" + fi + done + fi + eval echo "\$$1" +} + +case $1 in + triggered) + SHIM_NOTRIGGER=y update-secureboot-policy + ;; + configure) + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ + cut -d' ' -f1)" + case $bootloader_id in + kubuntu) bootloader_id=ubuntu ;; + esac + if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ + && which grub-install >/dev/null 2>&1 + then + grub-install --target=x86_64-efi + if dpkg --compare-versions "$2" lt-nl "1.22~"; then + rm -f /boot/efi/EFI/ubuntu/MokManager.efi + fi + fi + + SHIM_NOTRIGGER=y update-secureboot-policy + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers new file mode 100644 index 0000000..2b33128 --- /dev/null +++ b/debian/shim-signed.triggers @@ -0,0 +1 @@ +interest-noawait shim-secureboot-policy diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py new file mode 100644 index 0000000..d03504f --- /dev/null +++ b/debian/source_shim-signed.py @@ -0,0 +1,55 @@ +'''apport package hook for shim and shim-signed + +(c) 2015 Canonical Ltd. +Author: Brian Murray <brian@ubuntu.com> +''' + +import errno +import os + +from apport.hookutils import ( + command_available, + command_output, + attach_file, + attach_root_command_outputs) + +efiarch = {'amd64': 'x64', + 'i386': 'ia32', + 'arm64': 'aarch64' + } +grubarch = {'amd64': 'x86_64', + 'i386': 'i386', + 'arm64': 'arm64' + } + +def add_info(report, ui): + efiboot = '/boot/efi/EFI/ubuntu' + if command_available('efibootmgr'): + report['EFIBootMgr'] = command_output(['efibootmgr', '-v']) + else: + report['EFIBootMgr'] = 'efibootmgr not available' + commands = {} + try: + directory = os.stat(efiboot) + except OSError as e: + if e.errno == errno.ENOENT: + report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing' + return + if e.errno == errno.EACCES: + directory= True + if directory: + arch = report['Architecture'] + commands['BootEFIContents'] = 'ls %s' % efiboot + commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch]) + commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch]) + attach_root_command_outputs(report, commands) + + efivars_dir = '/sys/firmware/efi/efivars' + sb_var = os.path.join(efivars_dir, + 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c') + mok_var = os.path.join(efivars_dir, + 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23') + + attach_file(report, '/proc/sys/kernel/moksbstate_disabled') + attach_file(report, sb_var) + attach_file(report, mok_var) diff --git a/debian/templates b/debian/templates new file mode 100644 index 0000000..604cda1 --- /dev/null +++ b/debian/templates @@ -0,0 +1,56 @@ +Template: shim/title/secureboot +Type: text +_Description: Configuring Secure Boot + +Template: shim/error/bad_secureboot_key +Type: error +_Description: Invalid password + The Secure Boot key you've entered is not valid. The password used must be + between 8 and 16 characters. + +Template: shim/disable_secureboot +Type: boolean +Default: true +_Description: Disable UEFI Secure Boot? + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/enable_secureboot +Type: boolean +Default: false +_Description: Enable UEFI Secure Boot? + If Secure Boot is enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_explanation +Type: note +_Description: Your system has UEFI Secure Boot enabled. + UEFI Secure Boot is not compatible with the use of third-party drivers. + . + The system will assist you in toggling UEFI Secure Boot. To ensure that this + change is being made by you as an authorized user, and not by an attacker, + you must choose a password now and then use the same password after reboot + to confirm the change. + . + If you choose to proceed but do not confirm the password upon reboot, Ubuntu + will still be able to boot on your system but the Secure Boot state will not + be changed. + . + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_key +Type: string +_Description: Enter a password for Secure Boot. It will be asked again after a reboot. + +Template: shim/secureboot_key_again +Type: string +_Description: Enter the same password again to verify you have typed it correctly. + +Template: shim/error/secureboot_key_mismatch +Type: error +_Description: Password input error + The two passwords you entered were not the same. Please try again. |
