#! /bin/sh set -e type=$1 . /usr/share/debconf/confmodule # Only change LC_ALL after loading debconf to ensure any debconf templates # are properly localized. export LC_ALL=C # Select the right target architecture for grub-install ARCH=$(dpkg --print-architecture) case ${ARCH} in amd64) EFI_ARCH="x64";; i386) EFI_ARCH="ia32";; arm64) EFI_ARCH="aa64";; *) echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" exit 1 ;; esac SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed" if [ ! -f "$SHIM" ]; then echo "No signed shim ($SHIM) included for arch $ARCH. Exit." exit 0 fi SHIM_SIGS="@@SHIM_SIGNATURES@@" # Known error possibilities ERR_NONE=0 ERR_NO_VALID_SIG=1 ERR_REVOKED=2 # Set the default error - no sigs found yet SB_BOOT_ERROR=$ERR_NO_VALID_SIG case "$type" in install|upgrade) echo "shim-signed: checking if we can safely install $SHIM" if ! type mokutil > /dev/null 2>&1; then echo " Mokutil is not installed, assuming things will be OK." SB_BOOT_ERROR=$ERR_NONE else # Check that we can safely boot this shim. # We don't care if the platform is in setup mode. SB_STATE=$(mokutil --sb-state 2>&1 | grep -v \ -e "Platform is in Setup Mode" \ -e "SecureBoot validation is disabled in shim") # If SB is not enabled (etc.) then this shim is fine case "${SB_STATE}" in "SecureBoot disabled"|"This system doesn't support Secure Boot") echo " ${SB_STATE}; shim installation is safe." SB_BOOT_ERROR=$ERR_NONE ;; "EFI variables are not supported on this system"|"Cannot determine secure boot state") echo " ${SB_STATE}; assuming shim installation is safe." SB_BOOT_ERROR=$ERR_NONE ;; "SecureBoot enabled") echo " ${SB_STATE}; need to check for signatures." SB_BOOT_ERROR=$ERR_NO_VALID_SIG ;; *) echo "Unexpected output from mokutil:" echo '"""' echo "${SB_STATE}" echo '"""' echo "Please report this as a bug agsinst shim-signed, including the above information." exit 1 ;; esac fi if [ $SB_BOOT_ERROR != $ERR_NONE ]; then echo "Checking shim signatures on $SHIM:" # Secure Boot is enabled - we need to check that our shim # is signed by a key in the DB list. # Check against all the keys in the DB list for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do for sig in ${SHIM_SIGS}; do if [ "$dbkey" = "$sig" ]; then echo "- signed by DB key $dbkey, should boot OK" SB_BOOT_ERROR=$ERR_NONE fi done done # Next, check against the blacklisted keys in DBX - any # blacklisted sig will block boot of a shim signed with # that sig. for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do for sig in ${SHIM_SIGS}; do if [ "$dbxkey" = "$sig" ]; then echo "- signed by DBX key $dbxkey, will be blocked from booting" SB_BOOT_ERROR=$ERR_REVOKED fi done done fi if [ $SB_BOOT_ERROR != $ERR_NONE ]; then if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then TEMPLATENAME=shim-signed/no-valid-sigs elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then TEMPLATENAME=shim-signed/revoked-sig fi db_version 2.0 db_fset "$TEMPLATENAME" seen false db_reset "$TEMPLATENAME" db_input critical "$TEMPLATENAME" || true db_go db_stop exit 1 fi esac #DEBHELPER# exit 0