Merge ~dannf/shim/+git/shim-signed:arm64-fixes into ~ubuntu-core-dev/shim/+git/shim-signed:master

Proposed by dann frazier
Status: Merged
Approved by: Julian Andres Klode
Approved revision: 811a3db2224e28e5e409132c79e9474a823ea21f
Merged at revision: 874a699147ee7e8b8a8f232c673ef96490ce0109
Proposed branch: ~dannf/shim/+git/shim-signed:arm64-fixes
Merge into: ~ubuntu-core-dev/shim/+git/shim-signed:master
Diff against target: 130 lines (+53/-15)
4 files modified
debian/changelog (+9/-0)
debian/kernel-postinst.d/zz-shim (+9/-4)
debian/shim-signed.postinst (+12/-8)
is-not-revoked (+23/-3)
Revision history for this message
Julian Andres Klode (juliank) :
review: Approve

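diff --git a/debian/changelog b/debian/changelog
index 538baed..1de6e4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+shim-signed (1.53) UNRELEASED; urgency=medium
+
+ * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
+ (LP: #2004208)
+ * is-not-revoked: Support vmlinux.gz files as used on arm64.
+ (LP: #2004201)
+
+ -- dann frazier <dannf@ubuntu.com> Mon, 30 Jan 2023 15:55:05 -0700
+
 shim-signed (1.52) kinetic; urgency=medium
 
 * New upstream version 15.7 (LP: #1996503)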
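diff --git a/debian/kernel-postinst.d/zz-shim b/debian/kernel-postinst.d/zz-shim
index 93a41e6..4a02c2e 100755
--- a/debian/kernel-postinst.d/zz-shim
+++ b/debian/kernel-postinst.d/zz-shim
@@ -1,6 +1,11 @@
 #!/bin/sh
-# Try to update shim alternative if pointing to previous shim
-if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
- dpkg-trigger shim-kernel-check
-fi
 
+efi_archs="x64 aa64"
+
+# Try to update shim alternative if pointing to previous shim
+for efi_arch in ${efi_archs}; do
+ test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
+ if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
+ dpkg-trigger shim-kernel-check
+ fi
+done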
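Review bot: The grep on the `if` line inside the new loop is an unanchored regular expression even though it matches a fixed path, so every `.` in it matches any character; `grep -qF -- "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous"` states the intent and cannot drift if the path ever gains regex metacharacters. Because the loop continues after a hit, a host that ships both `.latest` files would run `dpkg-trigger shim-kernel-check` once per architecture; a `break` after the `dpkg-trigger` line keeps it to a single trigger. Both are minor, and the trigger is presumably harmless to repeat.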
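diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
index 497ba66..b957ba9 100755
--- a/debian/shim-signed.postinst
+++ b/debian/shim-signed.postinst
@@ -7,6 +7,7 @@ set -e
 efivars=/sys/firmware/efi/efivars
 secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
 moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+efi_archs="x64 aa64"
 
 on_secure_boot() {
 # Validate any queued actions before we go try to do them.
@@ -61,14 +62,14 @@ find_revoked() {
 }
 
 setup_alternatives() {
- for efi_arch in x64 aa64; do
+ for efi_arch in ${efi_archs}; do
 test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
 if ! on_secure_boot || ! find_revoked; then
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
+ update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
+ update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
 else
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
+ update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
+ update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
 fi
 done
 }
@@ -132,9 +133,12 @@ case "$1:$2" in
 triggered:shim-kernel-check)
 setup_alternatives
 # If we did not switch to the latest shim, do not reinstall shim and grub.
- if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
- exit 0
- fi
+ for efi_arch in ${efi_archs}; do
+ test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
+ if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
+ exit 0
+ fi
+ done
 bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
 cut -d' ' -f1)"
 case $bootloader_id in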
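Review bot: The renamed alternative in setup_alternatives is right for fresh installs, but nothing in the hunk migrates an arm64 system where the previous version already registered the aa64 link under the name `shimx64.efi.signed` (the name the removed lines used); the new `--install` of `shimaa64.efi.signed` targets a link path that the stale group still claims, and how update-alternatives resolves that collision is not visible here. Worth verifying with an upgrade from 1.52 on arm64 and, if the stale group survives, removing it in the postinst's configure handling before setup_alternatives runs, guarded so it only fires when that group's link is `/usr/lib/shim/shimaa64.efi.signed` (on amd64 the same name is the legitimate group). The early `exit 0` in the `triggered:` hunk now fires when any installed architecture is still on `.previous`, which matches the old behaviour on single-architecture hosts; the enclosing `case` starts outside the hunk.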
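diff --git a/is-not-revoked b/is-not-revoked
index 1ed1423..923f8b7 100755
--- a/is-not-revoked
+++ b/is-not-revoked
@@ -11,6 +11,19 @@ if [ "$1" = "-q" ]; then
 shift
 fi
 
+compress_type() {
+ local file="$1"
+ magic="$(od -x -N2 "$file" | head -1 | cut -d' ' -f2)"
+ case $magic in
+ 8b1f)
+ echo "gzip"
+ ;;
+ *)
+ echo "none"
+ ;;
+ esac
+}
+
 for signed_binary in "$@"; do
 if [ ! -e "$signed_binary" ]; then
 echo "E: $signed_binary: file not found">&2
@@ -18,10 +31,17 @@ for signed_binary in "$@"; do
 continue
 fi
 
- sbverify --list "$signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
+ if [ "$(compress_type "$signed_binary")" = "gzip" ]; then
+ _signed_binary="$(mktemp)"
+ trap 'rm -f "$_signed_binary"' EXIT
+ gunzip < "$signed_binary" > "$_signed_binary"
+ else
+ _signed_binary="$signed_binary"
+ fi
+ sbverify --list "$_signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
 if [ -z "$signers" ]; then
- echo "E: $signed_binary: Could not finder signing subject, sbverify output follows:">&2
- sbverify --list "$signed_binary" >&2
+ echo "E: $signed_binary: Could not find signing subject, sbverify output follows:">&2
+ sbverify --list "$_signed_binary" >&2
 exit=1
 continue
 fi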
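Review bot: The `trap 'rm -f "$_signed_binary"' EXIT` set inside the loop is expanded only when the script exits, because of the single quotes, so it removes whatever `_signed_binary` holds at that moment; once a gzip argument has armed the trap, a later uncompressed argument sets `_signed_binary` to the real file path, so `is-not-revoked vmlinux.gz vmlinuz` deletes `vmlinuz` on exit, and with several gzip arguments only the last temp file is cleaned up while the earlier ones leak. Creating one temp file and the trap once before the `for` loop (which begins in the first hunk) and decompressing into it on each iteration fixes both, and the `gunzip` status should be checked before sbverify runs so a truncated archive is reported rather than verified as a partial file. Separately, `magic` in compress_type is not `local` although `file` is, and `od -x` prints two-byte words in host byte order, so the `8b1f` match assumes a little-endian host; `od -An -tx1 -N2 "$file" | tr -d ' \n'` compared with `1f8b` removes that dependence.
```shell
tmpfile="$(mktemp)"
trap 'rm -f "$tmpfile"' EXIT
for signed_binary in "$@"; do
  # … unchanged: existence check …
  if [ "$(compress_type "$signed_binary")" = "gzip" ]; then
    if ! gunzip < "$signed_binary" > "$tmpfile"; then
      echo "E: $signed_binary: could not decompress">&2
      exit=1
      continue
    fi
    _signed_binary="$tmpfile"
  else
    _signed_binary="$signed_binary"
  fi
  # … unchanged: sbverify pipeline and signer check …
```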
