summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/control4
-rwxr-xr-xdebian/rules3
-rw-r--r--debian/shim-signed.preinst.in157
-rw-r--r--debian/shim-signed.templates29
4 files changed, 116 insertions, 77 deletions
diff --git a/debian/control b/debian/control
index dbf5481..9003419 100644
--- a/debian/control
+++ b/debian/control
@@ -16,10 +16,12 @@ Build-Depends: debhelper (>= 13),
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/efi-team/shim-signed
Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git
+Rules-Requires-Root: no
Package: shim-signed
Architecture: amd64 arm64
Multi-Arch: same
+Pre-Depends: debconf
Depends: ${misc:Depends},
mokutil,
shim-signed-common (>= ${source:Version}),
@@ -37,7 +39,7 @@ Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
an OS distributor to revision their main bootloader independently of the CA.
.
This package contains the version of the bootloader binary signed by the
- Microsoft UEFI CA.
+ Microsoft UEFI CA(s).
Package: shim-signed-common
Multi-Arch: foreign
diff --git a/debian/rules b/debian/rules
index 6649988..ee6cc9f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,9 +22,6 @@ endif
docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common
-override_dh_installdebconf:
- dh_installdebconf -p shim-signed-common
-
override_dh_installdeb:
ifeq ($(VENDOR),Debian)
# Remove apport files from Debian builds, they're not useful
diff --git a/debian/shim-signed.preinst.in b/debian/shim-signed.preinst.in
index bc66b0f..6f3e13c 100644
--- a/debian/shim-signed.preinst.in
+++ b/debian/shim-signed.preinst.in
@@ -2,19 +2,27 @@
set -e
+type=$1
+
+. /usr/share/debconf/confmodule
+
+# Only change LC_ALL after loading debconf to ensure any debconf templates
+# are properly localized.
+export LC_ALL=C
+
# Select the right target architecture for grub-install
ARCH=$(dpkg --print-architecture)
case ${ARCH} in
amd64)
- EFI_ARCH="x64";;
+ EFI_ARCH="x64";;
i386)
- EFI_ARCH="ia32";;
+ EFI_ARCH="ia32";;
arm64)
- EFI_ARCH="aa64";;
+ EFI_ARCH="aa64";;
*)
- echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
- exit 1
- ;;
+ echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
+ exit 1
+ ;;
esac
SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed"
@@ -24,79 +32,82 @@ if [ ! -f "$SHIM" ]; then
fi
SHIM_SIGS="@@SHIM_SIGNATURES@@"
-# Set the default error message
-SB_BOOT_ERROR="Secure Boot is enabled and we don't have a valid signature on $SHIM"
+# Known error possibilities
+ERR_NONE=0
+ERR_NO_VALID_SIG=1
+ERR_REVOKED=2
-case "$1" in
+# Set the default error - no sigs found yet
+SB_BOOT_ERROR=$ERR_NO_VALID_SIG
+
+case "$type" in
install|upgrade)
- echo "shim-signed: checking if we can safely install $SHIM"
-
- if ! type mokutil > /dev/null 2>&1; then
- echo " Mokutil is not installed, assuming things will be OK."
- SB_BOOT_ERROR=""
- else
- # Check that we can safely boot this shim.
- SB_STATE=$(mokutil --sb-state 2>&1 || true)
- # If SB is not enabled (etc.) then this shim is fine
- case $SB_STATE in
- "SecureBoot disabled"|"This system doesn't support Secure Boot")
- echo " $SB_STATE; shim installation is safe."
- SB_BOOT_ERROR=""
- ;;
- "EFI variables are not supported on this system")
- echo " $SB_STATE; assuming shim installation is safe."
- SB_BOOT_ERROR=""
- ;;
- esac
- fi
+ echo "shim-signed: checking if we can safely install $SHIM"
- if [ "$SB_BOOT_ERROR"x != ""x ]; then
- echo "Checking shim signatures on $SHIM:"
-
- # Secure Boot is enabled - we need to check that our shim
- # is signed by a key in the DB list.
-
- # Check against all the keys in the DB list
- for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do
- for sig in ${SHIM_SIGS}; do
- if [ "$dbkey" = "$sig" ]; then
- echo "- signed by DB key $dbkey, should boot OK"
- SB_BOOT_ERROR=""
- fi
- done
- done
-
- # Also check against the blacklisted keys in DBX - any
- # blacklisted sig will block boot of a shim signed with
- # that sig.
- for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do
- for sig in ${SHIM_SIGS}; do
- if [ "$dbxkey" = "$sig" ]; then
- echo "- signed by DBX key $dbxkey, will be blocked from booting"
- echo "SecureBoot is enabled and $SHIM is blocked due to revocation of $dbxkey,"
- fi
- done
- done
- fi
+ if ! type mokutil > /dev/null 2>&1; then
+ echo " Mokutil is not installed, assuming things will be OK."
+ SB_BOOT_ERROR=$ERR_NONE
+ else
+ # Check that we can safely boot this shim.
+ SB_STATE=$(mokutil --sb-state 2>&1 || true)
+ # If SB is not enabled (etc.) then this shim is fine
+ case $SB_STATE in
+ "SecureBoot disabled"|"This system doesn't support Secure Boot")
+ echo " $SB_STATE; shim installation is safe."
+ SB_BOOT_ERROR=$ERR_NONE
+ ;;
+ "EFI variables are not supported on this system")
+ echo " $SB_STATE; assuming shim installation is safe."
+ SB_BOOT_ERROR=$ERR_NONE
+ ;;
+ esac
+ fi
- if [ "$SB_BOOT_ERROR"x != ""x ]; then
- # SB is enabled but we can't boot this shim
- echo "***********************************************************"
- echo "$SB_BOOT_ERROR"
- echo
- echo "You probably need to update the trusted certificates list (DB). See"
- echo
- echo " https://wiki.debian.org/SecureBoot/UpdateCA"
- echo
- echo "for more information."
- echo
- echo "ABORT - this system will not currently boot with this shim installed."
- echo "***********************************************************"
- exit 1
- fi
+ if [ $SB_BOOT_ERROR != $ERR_NONE ]; then
+ echo "Checking shim signatures on $SHIM:"
+
+ # Secure Boot is enabled - we need to check that our shim
+ # is signed by a key in the DB list.
+
+ # Check against all the keys in the DB list
+ for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do
+ for sig in ${SHIM_SIGS}; do
+ if [ "$dbkey" = "$sig" ]; then
+ echo "- signed by DB key $dbkey, should boot OK"
+ SB_BOOT_ERROR=$ERR_NONE
+ fi
+ done
+ done
- ;;
+ # Next, check against the blacklisted keys in DBX - any
+ # blacklisted sig will block boot of a shim signed with
+ # that sig.
+ for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do
+ for sig in ${SHIM_SIGS}; do
+ if [ "$dbxkey" = "$sig" ]; then
+ echo "- signed by DBX key $dbxkey, will be blocked from booting"
+ SB_BOOT_ERROR=$ERR_REVOKED
+ fi
+ done
+ done
+ fi
+
+ if [ $SB_BOOT_ERROR != $ERR_NONE ]; then
+ if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then
+ TEMPLATENAME=shim-signed/no-valid-sigs
+ elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then
+ TEMPLATENAME=shim-signed/revoked-sig
+ fi
+
+ db_version 2.0
+ db_fset "$TEMPLATENAME" seen false
+ db_reset "$TEMPLATENAME"
+ db_input critical "$TEMPLATENAME" || true
+ db_go
+ db_stop
+ exit 1
+ fi
esac
#DEBHELPER#
diff --git a/debian/shim-signed.templates b/debian/shim-signed.templates
new file mode 100644
index 0000000..16c65d1
--- /dev/null
+++ b/debian/shim-signed.templates
@@ -0,0 +1,29 @@
+Template: shim-signed/no-valid-sigs
+Type: error
+_Description: No valid UEFI Secure Boot signatures found
+ UEFI Secure Boot is enabled on your system, but the signed shim
+ binary in this package is not signed with a key that your system
+ trusts. This is a FATAL ERROR - your system will not currently
+ boot with this signed shim installed.
+ .
+ To fix this error, you probably need to update the trusted
+ certificates list (DB) on your system. See
+ .
+ https://wiki.debian.org/SecureBoot/UpdateCA
+ .
+ for more information about how to do this.
+
+Template: shim-signed/revoked-sig
+Type: error
+_Description: Shim signed with a revoked key
+ UEFI Secure Boot is enabled on your system, but the signed shim
+ binary in this package is signed by a key that has been revoked on
+ your system. This is a FATAL ERROR - your system will not currently
+ boot with this shim installed.
+ .
+ To fix this error, you probably need to update the trusted
+ certificates revocation list (DBX) on your system. See
+ .
+ https://wiki.debian.org/SecureBoot/UpdateCA
+ .
+ for more information about how to do this.