Merge ~dannf/shim/+git/shim-signed:arm64-fixes into ~ubuntu-core-dev/shim/+git/shim-signed:master

Proposed by dann frazier
Status: Merged
Approved by: Julian Andres Klode
Approved revision: 811a3db2224e28e5e409132c79e9474a823ea21f
Merged at revision: 874a699147ee7e8b8a8f232c673ef96490ce0109
Proposed branch: ~dannf/shim/+git/shim-signed:arm64-fixes
Merge into: ~ubuntu-core-dev/shim/+git/shim-signed:master
Diff against target: 130 lines (+53/-15)
4 files modified
debian/changelog (+9/-0)
debian/kernel-postinst.d/zz-shim (+9/-4)
debian/shim-signed.postinst (+12/-8)
is-not-revoked (+23/-3)
Reviewer Review Type Date Requested Status
Julian Andres Klode Approve
Review via email: mp+436567@code.launchpad.net
Revision history for this message
Julian Andres Klode (juliank) :
review: Approve

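--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+shim-signed (1.53) UNRELEASED; urgency=medium
+
+ * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
+ (LP: #2004208)
+ * is-not-revoked: Support vmlinux.gz files as used on arm64.
+ (LP: #2004201)
+
+ -- dann frazier <dannf@ubuntu.com> Mon, 30 Jan 2023 15:55:05 -0700
+
 shim-signed (1.52) kinetic; urgency=medium
 
  * New upstream version 15.7 (LP: #1996503)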
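--- a/debian/kernel-postinst.d/zz-shim
+++ b/debian/kernel-postinst.d/zz-shim
@@ -1,6 +1,11 @@
 #!/bin/sh
-# Try to update shim alternative if pointing to previous shim
-if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
- dpkg-trigger shim-kernel-check
-fi
 
+efi_archs="x64 aa64"
+
+# Try to update shim alternative if pointing to previous shim
+for efi_arch in ${efi_archs}; do
+ test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
+ if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
+ dpkg-trigger shim-kernel-check
+ fi
+done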
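Review bot: The grep on the `Best:` line treats the alternative path as a regular expression, so every dot in `shim${efi_arch}.efi.signed.previous` matches any character; the string is a literal, so `grep -qF -- "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous"` is the exact test and also puts `-q` before the pattern. The same pattern is used in the new loop in debian/shim-signed.postinst (the `triggered:shim-kernel-check` arm). A short comment above the `test -e` line would help the next reader: `# Only probe the EFI architecture(s) whose signed shim is installed on this host`.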
diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
index 497ba66..b957ba9 100755
--- a/debian/shim-signed.postinst
+++ b/debian/shim-signed.postinst
@@ -7,6 +7,7 @@ set -e
7efivars=/sys/firmware/efi/efivars7efivars=/sys/firmware/efi/efivars
8secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c8secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
9moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b239moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
10efi_archs="x64 aa64"
1011
11on_secure_boot() {12on_secure_boot() {
12 # Validate any queued actions before we go try to do them.13 # Validate any queued actions before we go try to do them.
@@ -61,14 +62,14 @@ find_revoked() {
61}62}
6263
63setup_alternatives() {64setup_alternatives() {
64 for efi_arch in x64 aa64; do65 for efi_arch in ${efi_archs}; do
65 test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue66 test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
66 if ! on_secure_boot || ! find_revoked; then67 if ! on_secure_boot || ! find_revoked; then
67 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 10068 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
68 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 5069 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
69 else70 else
70 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 5071 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
71 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 10072 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
72 fi73 fi
73 done74 done
74}75}
@@ -132,9 +133,12 @@ case "$1:$2" in
132 triggered:shim-kernel-check)133 triggered:shim-kernel-check)
133 setup_alternatives134 setup_alternatives
134 # If we did not switch to the latest shim, do not reinstall shim and grub.135 # If we did not switch to the latest shim, do not reinstall shim and grub.
135 if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then136 for efi_arch in ${efi_archs}; do
136 exit 0137 test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
137 fi138 if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
139 exit 0
140 fi
141 done
138 bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \142 bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
139 cut -d' ' -f1)"143 cut -d' ' -f1)"
140 case $bootloader_id in144 case $bootloader_id in
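Review bot: The `for efi_arch ... test -e ... || continue ... update-alternatives --query | grep` block in the `triggered:shim-kernel-check` arm is now the third copy of the same probe (the other two are the `setup_alternatives` loop header above and debian/kernel-postinst.d/zz-shim), which invites drift the next time the path or alternative name changes. Extracting it into a `shim_on_previous()` helper beside `setup_alternatives`, returning 0 when any installed architecture's alternative resolves to `.previous`, would reduce the arm to `if shim_on_previous; then exit 0; fi`. The early `exit 0` also deserves a comment saying it deliberately skips the grub/shim reinstall that follows, since the enclosing case arm continues outside the hunk.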
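--- a/is-not-revoked
+++ b/is-not-revoked
@@ -11,6 +11,19 @@ if [ "$1" = "-q" ]; then
  shift
 fi
 
+compress_type() {
+ local file="$1"
+ magic="$(od -x -N2 "$file" | head -1 | cut -d' ' -f2)"
+ case $magic in
+ 8b1f)
+ echo "gzip"
+ ;;
+ *)
+ echo "none"
+ ;;
+ esac
+}
+
 for signed_binary in "$@"; do
  if [ ! -e "$signed_binary" ]; then
  echo "E: $signed_binary: file not found">&2
@@ -18,10 +31,17 @@ for signed_binary in "$@"; do
  continue
  fi
 
- sbverify --list "$signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
+ if [ "$(compress_type "$signed_binary")" = "gzip" ]; then
+ _signed_binary="$(mktemp)"
+ trap 'rm -f "$_signed_binary"' EXIT
+ gunzip < "$signed_binary" > "$_signed_binary"
+ else
+ _signed_binary="$signed_binary"
+ fi
+ sbverify --list "$_signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
  if [ -z "$signers" ]; then
- echo "E: $signed_binary: Could not finder signing subject, sbverify output follows:">&2
- sbverify --list "$signed_binary" >&2
+ echo "E: $signed_binary: Could not find signing subject, sbverify output follows:">&2
+ sbverify --list "$_signed_binary" >&2
  exit=1
  continue
  fi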
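Review bot: The `trap 'rm -f "$_signed_binary"' EXIT` is re-armed on every gzip iteration, so when several compressed images are passed only the last temp file is removed at exit and the earlier ones leak in the temp directory; remove each temp file at the end of its iteration (the loop body continues past the hunk) or collect the names in a list that the trap removes. The `gunzip` exit status is also unchecked: a truncated or corrupt image leaves an empty or partial temp file, and the failure then surfaces as the misleading "Could not find signing subject" message rather than as a decompression error. `od -x` prints native-endian 16-bit words, so the `8b1f` arm in `compress_type` only matches on little-endian hosts; fine for the x64/aa64 targets this package serves, but worth a comment on that case arm. `magic` in `compress_type` is not declared `local`, unlike `file`.
```shell
		_signed_binary="$(mktemp)"
		trap 'rm -f "$_signed_binary"' EXIT
		if ! gunzip < "$signed_binary" > "$_signed_binary"; then
			echo "E: $signed_binary: failed to decompress">&2
			rm -f "$_signed_binary"
			exit=1
			continue
		fi
	# … unchanged: else branch, sbverify pipeline, signer check …
```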
