Merge ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed into ~ubuntu-core-dev/shim/+git/shim:master
- Git
- lp:~ubuntu-core-dev/shim/+git/shim-signed
- xnox/dual-signed
- Merge into master
Status: | Superseded | ||||
---|---|---|---|---|---|
Proposed branch: | ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed | ||||
Merge into: | ~ubuntu-core-dev/shim/+git/shim:master | ||||
Diff against target: |
1637 lines (+1444/-0) (has conflicts) 24 files modified
CanonicalMasterCA.crt (+25/-0) Makefile (+39/-0) MicCorUEFCA2011_2011-06-27.crt (+35/-0) debian/bzr-builddeb.conf (+2/-0) debian/changelog (+424/-0) debian/control (+24/-0) debian/copyright (+9/-0) debian/lintian-overrides (+1/-0) debian/po (+1/-0) debian/real-po/POTFILES.in (+1/-0) debian/real-po/templates.pot (+110/-0) debian/rules (+30/-0) debian/shim-signed.dirs (+2/-0) debian/shim-signed.install (+7/-0) debian/shim-signed.links (+1/-0) debian/shim-signed.postinst (+100/-0) debian/shim-signed.postrm (+10/-0) debian/shim-signed.triggers (+1/-0) debian/source/format (+4/-0) debian/source_shim-signed.py (+58/-0) debian/templates (+53/-0) download-signed (+183/-0) openssl.cnf (+27/-0) update-secureboot-policy (+297/-0) Conflict in Makefile Conflict in debian/changelog Conflict in debian/control Conflict in debian/copyright Conflict in debian/rules Conflict in debian/source/format |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu Core Development Team | Pending | ||
Review via email: mp+388660@code.launchpad.net |
This proposal has been superseded by a proposal from 2020-08-04.
Commit message
Construct and ship dual-signed shim.
Currently using shim-canonical provided signed artefacts.
Description of the change
Unmerged commits
- 8ba0dc3... by Dimitri John Ledkov
-
Construct and ship dual-signed shim.
- b384346... by Dimitri John Ledkov
-
Construct and ship dual-signed shim.
- 2786832... by Dimitri John Ledkov
-
Add download-signed script from linux-signed package
- 972530c... by Julian Andres Klode
-
releasing package shim-signed version 1.42
- 19b9216... by Julian Andres Klode
-
Update to the signed 15+1552672080.
a4a1fbe- 0ubuntu2 binary from Microsoft. - 68eae8b... by Steve Langasek
-
releasing package shim-signed version 1.41
- de258c9... by Steve Langasek
-
releasing package shim-signed version 1.40
- 716983a... by Steve Langasek
-
Add a versioned dependency on the mokutil that introduces --timeout.
- fba9ff6... by Steve Langasek
-
Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422.
- 54a591e... by dann frazier
-
releasing package shim-signed version 1.39
Preview Diff
1 | diff --git a/CanonicalMasterCA.crt b/CanonicalMasterCA.crt |
2 | new file mode 100644 |
3 | index 0000000..55c06d5 |
4 | --- /dev/null |
5 | +++ b/CanonicalMasterCA.crt |
6 | @@ -0,0 +1,25 @@ |
7 | +-----BEGIN CERTIFICATE----- |
8 | +MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD |
9 | +VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx |
10 | +FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk |
11 | +LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX |
12 | +DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m |
13 | +IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x |
14 | +NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo |
15 | +b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h |
16 | +7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7 |
17 | +v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO |
18 | ++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr |
19 | +yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk |
20 | +YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO |
21 | +BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj |
22 | +MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB |
23 | +Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu |
24 | +b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB |
25 | +CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd |
26 | +B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH |
27 | +WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx |
28 | +U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd |
29 | +7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p |
30 | +9JkU284DDgtmxBxtvbgnd8FClL38agq8 |
31 | +-----END CERTIFICATE----- |
32 | diff --git a/Makefile b/Makefile |
33 | index 49e14a2..80f7885 100644 |
34 | --- a/Makefile |
35 | +++ b/Makefile |
36 | @@ -1,3 +1,4 @@ |
37 | +<<<<<<< Makefile |
38 | default : all |
39 | |
40 | NAME = shim |
41 | @@ -263,3 +264,41 @@ archive: tag |
42 | .PHONY : install-deps shim.key |
43 | |
44 | export ARCH CC LD OBJCOPY EFI_INCLUDE |
45 | +======= |
46 | +SHIM_CANONICAL_VERSION=$(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned) |
47 | + |
48 | +check: |
49 | + mkdir -p build |
50 | + # Verifying that the image is signed with the correct key. |
51 | + #sbverify --cert cyphermox.crt shimx64.efi.signed |
52 | + sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_BASE).signed |
53 | + # Verifying that we have the correct binary. |
54 | + sbattach --detach build/detached-sig $(SHIM_BASE).signed |
55 | + cp /usr/lib/shim/$(SHIM_BASE) build/$(SHIM_BASE).signed |
56 | + sbattach --attach build/detached-sig build/$(SHIM_BASE).signed |
57 | + cmp $(SHIM_BASE).signed build/$(SHIM_BASE).signed |
58 | + #### |
59 | + # Construct dual-signed shim |
60 | + ./download-signed shim-canonical-unsigned $(SHIM_CANONICAL_VERSION) shim-canonical signed |
61 | + # Verify that the downloaded binary has signatures chained to Canonical Master CA |
62 | + sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed |
63 | + # Detach Canonical signature |
64 | + sbattach --detach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed |
65 | + rm $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed |
66 | + # Compare that shims are all the same now |
67 | + cmp /usr/lib/shim/$(SHIM_BASE) $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
68 | + # Reattach Canonical signature |
69 | + sbattach --attach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
70 | + # Verify that attachment worked |
71 | + sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
72 | + # Attach Microsoft signature |
73 | + sbattach --attach build/detached-sig $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
74 | + # Validate that this shim is now dualsigned |
75 | + sbverify --list $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
76 | + sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
77 | + sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) |
78 | + cp $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).dualsigned |
79 | + |
80 | +clean: |
81 | + rm -rf build $(SHIM_CANONICAL_VERSION) $shim_boot.csv BOOT$(EFI_ARCH).CSV |
82 | +>>>>>>> Makefile |
83 | diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt |
84 | new file mode 100644 |
85 | index 0000000..d7c29ef |
86 | --- /dev/null |
87 | +++ b/MicCorUEFCA2011_2011-06-27.crt |
88 | @@ -0,0 +1,35 @@ |
89 | +-----BEGIN CERTIFICATE----- |
90 | +MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG |
91 | +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx |
92 | +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z |
93 | +b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN |
94 | +MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR |
95 | +BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p |
96 | +Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0 |
97 | +aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB |
98 | +AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug |
99 | ++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI |
100 | +rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ |
101 | +E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp |
102 | +XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L |
103 | +71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB |
104 | +AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW |
105 | +BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA |
106 | +QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD |
107 | +4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p |
108 | +Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f |
109 | +MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw |
110 | +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv |
111 | +b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q |
112 | +aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz |
113 | +Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g |
114 | +Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX |
115 | +i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM |
116 | +sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh |
117 | +aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk |
118 | +BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs |
119 | +deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5 |
120 | +QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7 |
121 | +5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu |
122 | +AkXuZcK2o35pFnUHkpv1prxZg1g= |
123 | +-----END CERTIFICATE----- |
124 | diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf |
125 | new file mode 100644 |
126 | index 0000000..3a08d60 |
127 | --- /dev/null |
128 | +++ b/debian/bzr-builddeb.conf |
129 | @@ -0,0 +1,2 @@ |
130 | +[BUILDDEB] |
131 | +native = True |
132 | diff --git a/debian/changelog b/debian/changelog |
133 | index 1e18261..6f2af53 100644 |
134 | --- a/debian/changelog |
135 | +++ b/debian/changelog |
136 | @@ -1,3 +1,4 @@ |
137 | +<<<<<<< debian/changelog |
138 | shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium |
139 | |
140 | * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression |
141 | @@ -303,3 +304,426 @@ shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low |
142 | * Include the Canonical Secure Boot master CA. |
143 | |
144 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |
145 | +======= |
146 | +shim-signed (1.43) UNRELEASED; urgency=medium |
147 | + |
148 | + * Add download-signed script from linux-signed package |
149 | + * Construct and ship dual-signed shim. |
150 | + |
151 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Aug 2020 14:23:29 +0100 |
152 | + |
153 | +shim-signed (1.42) groovy; urgency=medium |
154 | + |
155 | + * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft. |
156 | + |
157 | + -- Julian Andres Klode <juliank@ubuntu.com> Mon, 03 Aug 2020 12:36:10 +0200 |
158 | + |
159 | +shim-signed (1.41) focal; urgency=medium |
160 | + |
161 | + * Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft. |
162 | + |
163 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Feb 2020 13:04:08 -0800 |
164 | + |
165 | +shim-signed (1.40) focal; urgency=medium |
166 | + |
167 | + * Pass --timeout -1 to mokutil so that users don't end up with broken |
168 | + systems by missing MokManager on reboot after install. LP: #1856422. |
169 | + * Add a versioned dependency on the mokutil that introduces --timeout. |
170 | + |
171 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 14 Dec 2019 20:26:42 -0800 |
172 | + |
173 | +shim-signed (1.39) disco; urgency=medium |
174 | + |
175 | + * debian/source_shim-signed.py: Correct EFI architecture name for arm64. |
176 | + * Parameterize code to remove hardcoded x86-isms. |
177 | + * Add arm64 support. |
178 | + |
179 | + -- dann frazier <dannf@ubuntu.com> Wed, 14 Nov 2018 11:13:42 -0700 |
180 | + |
181 | +shim-signed (1.38) cosmic; urgency=medium |
182 | + |
183 | + * Don't fail non-interactive upgrade of nvidia module and module removals |
184 | + (LP: #1726803) |
185 | + |
186 | + -- Balint Reczey <rbalint@ubuntu.com> Thu, 11 Oct 2018 18:12:37 +0200 |
187 | + |
188 | +shim-signed (1.37) cosmic; urgency=medium |
189 | + |
190 | + * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft. |
191 | + * debian/real-po: replace debian/po to make sure things are translatable |
192 | + via Launchpad. |
193 | + |
194 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 29 Aug 2018 15:43:41 -0400 |
195 | + |
196 | +shim-signed (1.36) cosmic; urgency=medium |
197 | + |
198 | + * debian/shim-signed.postinst: use --auto-nvram with grub-install in case |
199 | + we're installing on a NVRAM-unavailable platform. |
200 | + * debian/control: bump the dependency for grub2-common to make sure |
201 | + grub-install supports --auto-nvram. |
202 | + * debian/control: switch the grub-efi-amd64-bin dependency to |
203 | + grub-efi-amd64-signed. |
204 | + |
205 | + -- Ćukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com> Wed, 06 Jun 2018 20:25:57 +0200 |
206 | + |
207 | +shim-signed (1.35) cosmic; urgency=medium |
208 | + |
209 | + * update-secureboot-policy: fix quoting for key/again password handling to |
210 | + mokutil. (LP: #1770579) |
211 | + * update-secureboot-policy: don't allow backtracking at the "main" question |
212 | + for whether to enroll a new MOK. (LP: #1767091) |
213 | + |
214 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 31 May 2018 17:46:46 -0400 |
215 | + |
216 | +shim-signed (1.34.9) bionic; urgency=medium |
217 | + |
218 | + * debian/shim-signed.postinst: check for MOK existence rather than ignoring |
219 | + failures in the trigger. (LP: #1766627) |
220 | + |
221 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 13:24:24 -0400 |
222 | + |
223 | +shim-signed (1.34.8) bionic; urgency=medium |
224 | + |
225 | + * debian/shim-signed.postinst: shim-signed's trigger to enroll a new MOK |
226 | + should not fail the upgrade if there was no MOK to enroll. (LP: #1766627) |
227 | + |
228 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 12:31:25 -0400 |
229 | + |
230 | +shim-signed (1.34.7) bionic; urgency=medium |
231 | + |
232 | + * debian/shim-signed.postinst: it's not guaranteed that all linux-image |
233 | + packages currently installed have dkms modules built for them. |
234 | + Gracefully handle any failures in the path for signing existing dkms |
235 | + modules on upgrade due to absent modules. LP: #1766391. |
236 | + * Add a dependency on sbsigntool for kmodsign, which we use directly. |
237 | + |
238 | + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Apr 2018 21:47:50 -0700 |
239 | + |
240 | +shim-signed (1.34.6) bionic; urgency=medium |
241 | + |
242 | + * debian/shim-signed.postinst: bump lower version for batch-signing module |
243 | + to 1.34.6, to make sure everything is properly signed if people got one |
244 | + of the previous shim-signed packages. |
245 | + |
246 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 19:52:19 -0400 |
247 | + |
248 | +shim-signed (1.34.5) bionic; urgency=medium |
249 | + |
250 | + * Don't try to save new dkms list if we're still dealing with password |
251 | + validation for enrollment. (LP: #1766312) |
252 | + * Specify kernel version when installing/uninstalling modules while doing |
253 | + batch signing on upgrade. |
254 | + * Do a better job at finding kernel modules from DKMS if they are in sub- |
255 | + directories. |
256 | + * Don't prompt if DKMS is installed but there are no DKMS-built modules |
257 | + installed. (LP: #1766261) |
258 | + |
259 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 15:29:44 -0400 |
260 | + |
261 | +shim-signed (1.34.4) bionic; urgency=medium |
262 | + |
263 | + * Handle the case that there are no kernel modules available for a given |
264 | + dkms package. This probably indicates there is a problem with the dkms |
265 | + module's installation, but that should not cause this package's |
266 | + installation to fail. LP: #1765954. |
267 | + |
268 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 10:13:41 -0700 |
269 | + |
270 | +shim-signed (1.34.3) bionic; urgency=medium |
271 | + |
272 | + * Only take the first 31 bytes of the hostname. LP: #1765905. |
273 | + |
274 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:14:12 -0700 |
275 | + |
276 | +shim-signed (1.34.2) bionic; urgency=medium |
277 | + |
278 | + * Handle the case of multiple .kos per dkms module and .kos whose name |
279 | + does not match the dkms package name. LP: #1765647. |
280 | + |
281 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:01:56 -0700 |
282 | + |
283 | +shim-signed (1.34.1) bionic; urgency=medium |
284 | + |
285 | + * update-secureboot-policy: don't skip creating a MOK if Secure Boot is not |
286 | + enabled in firmware, but do guard against prompting users on a system that |
287 | + doesn't have efivars mounted or where SB is disabled. (LP: #1765515) |
288 | + |
289 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 19 Apr 2018 17:56:50 -0400 |
290 | + |
291 | +shim-signed (1.34) bionic; urgency=medium |
292 | + |
293 | + * update-secureboot-policy: (LP: #1748983) |
294 | + - Factor out validate_password() and clear_passwords() for reuse. |
295 | + - Add --new-key option to generate a self-signed MOK. |
296 | + - Add --enroll-key option to allow enrolling a new MOK in shim. |
297 | + - Drop --enable and --disable options; users should call mokutil directly |
298 | + instead. |
299 | + * debian/shim-signed.postinst: |
300 | + - When triggered, explicitly try to enroll the available MOK. |
301 | + * debian/shim-signed.install, openssl.cnf: Install some default configuration |
302 | + for creating our self-signed key. |
303 | + * debian/shim-signed.dirs: make sure we have a directory where to put a MOK. |
304 | + * debian/templates: update templates for update-secureboot-policy changes. |
305 | + * debian/control: add versioned Breaks: for dkms. |
306 | + |
307 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 18 Apr 2018 22:35:46 -0400 |
308 | + |
309 | +shim-signed (1.33.1) bionic; urgency=medium |
310 | + |
311 | + * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245) |
312 | + * Stop generating and install BOOT.CSV, shim will do that by itself now. |
313 | + * Add Vcs-* fields. |
314 | + |
315 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 21 Dec 2017 14:33:37 -0500 |
316 | + |
317 | +shim-signed (1.32) artful; urgency=medium |
318 | + |
319 | + * Handle cleanup of /var/lib/shim-signed on package purge. |
320 | + |
321 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:30:42 -0700 |
322 | + |
323 | +shim-signed (1.31) artful; urgency=medium |
324 | + |
325 | + * Fix regression in postinst when /var/lib/dkms does not exist. |
326 | + LP: #1700195. |
327 | + * Sort the list of dkms modules when recording. |
328 | + |
329 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:13:40 -0700 |
330 | + |
331 | +shim-signed (1.30) artful; urgency=medium |
332 | + |
333 | + * update-secureboot-policy: track the installed DKMS modules so we can skip |
334 | + failing unattended upgrades if they hasn't changed (ie. if no new DKMS |
335 | + modules have been installed, just honour the user's previous decision to |
336 | + not disable shim validation). (LP: #1695578) |
337 | + * update-secureboot-policy: allow re-enabling shim validation when no DKMS |
338 | + packages are installed. (LP: #1673904) |
339 | + * debian/source_shim-signed.py: add the textual representation of SecureBoot |
340 | + and MokSBStateRT EFI variables rather than just adding the files directly; |
341 | + also, make sure we include the relevant EFI bits from kernel log. |
342 | + (LP: #1680279) |
343 | + |
344 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 23 Jun 2017 14:37:21 -0400 |
345 | + |
346 | +shim-signed (1.29) artful; urgency=medium |
347 | + |
348 | + * Makefile: Generate BOOT$arch.CSV, for use with fallback. |
349 | + * debian/rules: make sure we can do per-arch EFI files. |
350 | + |
351 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 26 Apr 2017 21:36:57 -0400 |
352 | + |
353 | +shim-signed (1.28) zesty; urgency=medium |
354 | + |
355 | + * Adjust apport hook to include key files that tell us about the system's |
356 | + current SB state. |
357 | + |
358 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Apr 2017 15:14:49 -0700 |
359 | + |
360 | +shim-signed (1.27) zesty; urgency=medium |
361 | + |
362 | + [ Steve Langasek ] |
363 | + * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from |
364 | + Microsoft. |
365 | + * update-secureboot-policy: |
366 | + - detect when we have no debconf prompting and error out instead of ending |
367 | + up in an infinite loop. LP: #1673817. |
368 | + - refactor to make the code easier to follow. |
369 | + - remove a confusing boolean that would always re-prompt on a request to |
370 | + --enable, but not on a request to --disable. |
371 | + |
372 | + [ Mathieu Trudel-Lapierre ] |
373 | + * update-secureboot-policy: |
374 | + - some more fixes to properly handle non-interactive mode. (LP: #1673817) |
375 | + |
376 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 21 Mar 2017 14:28:46 -0400 |
377 | + |
378 | +shim-signed (1.23) zesty; urgency=medium |
379 | + |
380 | + * debian/control: bump the Depends on grub2-common since that's needed to |
381 | + install with the new updated EFI binaries filenames. |
382 | + |
383 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 21 Oct 2016 13:31:05 -0400 |
384 | + |
385 | +shim-signed (1.22) yakkety; urgency=medium |
386 | + |
387 | + * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft. |
388 | + * Update paths now that the shim binary has been renamed to include the |
389 | + target architecture. |
390 | + * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu; |
391 | + since it's being replaced by mm$arch.efi. |
392 | + |
393 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 13 Oct 2016 13:49:17 -0400 |
394 | + |
395 | +shim-signed (1.21.3) vivid; urgency=medium |
396 | + |
397 | + * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3. |
398 | + |
399 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 06 Oct 2016 19:20:36 -0400 |
400 | + |
401 | +shim-signed (1.21.2) vivid; urgency=medium |
402 | + |
403 | + * Revert to signed shim from 0.8-0ubuntu2. (LP: #1624096) |
404 | + - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily. |
405 | + |
406 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 03 Oct 2016 17:17:54 -0400 |
407 | + |
408 | +shim-signed (1.20) yakkety; urgency=medium |
409 | + |
410 | + * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft. |
411 | + (LP: #1581299) |
412 | + |
413 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 08 Aug 2016 11:14:21 -0400 |
414 | + |
415 | +shim-signed (1.19) yakkety; urgency=medium |
416 | + |
417 | + * update-secureboot-policy: |
418 | + - Add a --help option, document other options. (LP: #1604936) |
419 | + - Rework prompting to display our Secure Boot warning and explanation |
420 | + text more prominently, rather than forcing graphical users to hit |
421 | + "Help" to see the full explanation for why we ask about disabling |
422 | + Secure Boot. (LP: #1595611) |
423 | + |
424 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 02 Aug 2016 11:01:50 -0400 |
425 | + |
426 | +shim-signed (1.18) yakkety; urgency=medium |
427 | + |
428 | + * update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is |
429 | + present, prefer this unconditionally over MokSBStateRT. LP: #1604873. |
430 | + |
431 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Jul 2016 08:31:17 -0700 |
432 | + |
433 | +shim-signed (1.17) yakkety; urgency=medium |
434 | + |
435 | + * update-secureboot-policy: rework setting capabilities to stop having |
436 | + the backup capability while showing an error message; which won't affect |
437 | + the Dialog debconf frontend but otherwise made the GTK frontend confusing. |
438 | + * update-secureboot-policy: all debconf prompts should be at priority |
439 | + critical: there is no good default to pick, we must prompt the user. |
440 | + * debian/templates: make the password inputs be standard inputs; this is an |
441 | + unfortunate workaround to aptdaemon not having access to the debconf |
442 | + password database on desktop; since the frontend runs as an unprivileged |
443 | + user. See bug LP#1599981 (LP: #1599051) |
444 | + |
445 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 07 Jul 2016 16:58:45 -0400 |
446 | + |
447 | +shim-signed (1.16) yakkety; urgency=medium |
448 | + |
449 | + * debian/shim-signed.postinst: call for the trigger on update of shim-signed. |
450 | + |
451 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 28 Jun 2016 17:34:23 -0400 |
452 | + |
453 | +shim-signed (1.15) yakkety; urgency=medium |
454 | + |
455 | + * update-secureboot-policy: validate the state of MokSBStateRT against what |
456 | + the kernel believes it to be via /proc/sys/kernel/moksbstate_disabled, |
457 | + in case we have the kernel which knows about shim's validation policy but |
458 | + an old shim that doesn't export MokSBStateRT. |
459 | + |
460 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 17 Jun 2016 16:47:40 +0300 |
461 | + |
462 | +shim-signed (1.14) yakkety; urgency=medium |
463 | + |
464 | + * update-secureboot-policy: |
465 | + - Make it easier for users to really re-enable Secure Boot via an --enable |
466 | + option. |
467 | + - Don't prompt for action if there are no DKMS packages installed, as per |
468 | + checking if there are any subdirectories in /var/lib/dkms. |
469 | + |
470 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 07 Jun 2016 16:09:53 -0400 |
471 | + |
472 | +shim-signed (1.13) yakkety; urgency=medium |
473 | + |
474 | + * update-secureboot-policy: have a trigger-ready script available to deal |
475 | + with the necessity to change Secure Boot policy on a system. |
476 | + * debian/shim-signed.templates: ship the necessary templates for secureboot. |
477 | + * debian/shim-signed.postinst: Run our trigger script to update Secure Boot |
478 | + policy when necessary at the end of installs, without calling dpkg-trigger |
479 | + again. |
480 | + |
481 | + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 16 May 2016 15:29:27 -0400 |
482 | + |
483 | +shim-signed (1.12) xenial; urgency=medium |
484 | + |
485 | + * debian/control: add Depends on mokutil, to ship a way for users to |
486 | + control shim features, such as enrolling new keys. |
487 | + |
488 | + -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Wed, 16 Dec 2015 10:19:23 -0500 |
489 | + |
490 | +shim-signed (1.11) wily; urgency=medium |
491 | + |
492 | + * Add in an apport package hook for shim-signed and shim. (LP: #1490030) |
493 | + |
494 | + -- Brian Murray <brian@ubuntu.com> Fri, 11 Sep 2015 15:04:31 -0700 |
495 | + |
496 | +shim-signed (1.10) wily; urgency=medium |
497 | + |
498 | + * Add a versioned dependency on grub2-common, so that partial upgrades from |
499 | + Ubuntu 12.04 don't break due to a lack of --target option to grub-install. |
500 | + LP: #1474203. |
501 | + |
502 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 14 Jul 2015 10:46:41 -0700 |
503 | + |
504 | +shim-signed (1.9) wily; urgency=medium |
505 | + |
506 | + * Update to the signed 0.8-0ubuntu2 binary from Microsoft. |
507 | + |
508 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Jun 2015 19:27:35 +0000 |
509 | + |
510 | +shim-signed (1.8) utopic; urgency=medium |
511 | + |
512 | + * Update to the signed 0.7-0ubuntu4 binary from Microsoft. |
513 | + |
514 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 21 Oct 2014 18:23:15 -0400 |
515 | + |
516 | +shim-signed (1.6) trusty; urgency=low |
517 | + |
518 | + * Also add a build-dependency on grub2-common, to ensure that our |
519 | + grub-install is the correct one - since grub-efi-amd64-bin is |
520 | + coinstallable with grub1. LP: #1259558. |
521 | + |
522 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 10 Dec 2013 09:10:23 -0800 |
523 | + |
524 | +shim-signed (1.5) trusty; urgency=low |
525 | + |
526 | + * Pass --target=x86_64-efi to grub-install from the postinst and depend on |
527 | + grub-efi-amd64-bin, so that package upgrades will do the right thing |
528 | + even if the system has been rebooted under BIOS. LP: #1246910. |
529 | + * Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match |
530 | + the path under /boot/efi; fix this up so shim-signed upgrades properly |
531 | + on Kubuntu systems. LP: #1242417. |
532 | + |
533 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2013 17:06:21 -0700 |
534 | + |
535 | +shim-signed (1.4) trusty; urgency=low |
536 | + |
537 | + * Add a dependency on shim, so that we can pull in MokManager for use. |
538 | + * Update to the signed 0.4-0ubuntu4 binary from Microsoft. |
539 | + |
540 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 30 Oct 2013 15:04:23 -0700 |
541 | + |
542 | +shim-signed (1.3) saucy; urgency=low |
543 | + |
544 | + * Build-depend on sbsigntool (>= 0.6-0ubuntu4) and check the integrity of |
545 | + our signed binary at build time. |
546 | + * Update to the signed 0.4-0ubuntu3 binary from Microsoft. |
547 | + |
548 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 07 Sep 2013 22:09:22 +0000 |
549 | + |
550 | +shim-signed (1.2) raring; urgency=low |
551 | + |
552 | + * Recommend secureboot-db (LP: #1087843). |
553 | + |
554 | + -- Colin Watson <cjwatson@ubuntu.com> Sat, 16 Feb 2013 00:02:00 +0000 |
555 | + |
556 | +shim-signed (1.1) quantal-proposed; urgency=low |
557 | + |
558 | + * Rev shim-signed for updated shim. |
559 | + |
560 | + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 12 Oct 2012 01:42:07 +0000 |
561 | + |
562 | +shim-signed (1.0) quantal; urgency=low |
563 | + |
564 | + * Initial release, based on grub2-signed package. |
565 | + |
566 | + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 09 Oct 2012 15:48:37 -0700 |
567 | +>>>>>>> debian/changelog |
568 | diff --git a/debian/control b/debian/control |
569 | index c8b8ffa..d30cce8 100644 |
570 | --- a/debian/control |
571 | +++ b/debian/control |
572 | @@ -1,3 +1,4 @@ |
573 | +<<<<<<< debian/control |
574 | Source: shim |
575 | Section: admin |
576 | Priority: optional |
577 | @@ -12,8 +13,31 @@ Architecture: amd64 arm64 |
578 | Depends: ${shlibs:Depends}, ${misc:Depends} |
579 | Breaks: shim-signed (<< 1.33~) |
580 | Description: boot loader to chain-load signed boot loaders under Secure Boot |
581 | +======= |
582 | +Source: shim-signed |
583 | +Section: utils |
584 | +Priority: optional |
585 | +Maintainer: Steve Langasek <steve.langasek@ubuntu.com> |
586 | +Build-Depends: debhelper (>= 9), dh-exec, shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf |
587 | +Standards-Version: 3.9.4 |
588 | +Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed |
589 | +Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed |
590 | + |
591 | +Package: shim-signed |
592 | +Architecture: amd64 arm64 |
593 | +Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-signed | grub-efi-arm64-signed, grub2-common (>= 2.02-2ubuntu9), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool |
594 | +Recommends: secureboot-db |
595 | +Built-Using: shim (= ${shim:Version}) |
596 | +Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) |
597 | +>>>>>>> debian/control |
598 | This package provides a minimalist boot loader which allows verifying |
599 | signatures of other UEFI binaries against either the Secure Boot DB/DBX or |
600 | against a built-in signature database. Its purpose is to allow a small, |
601 | infrequently-changing binary to be signed by the UEFI CA, while allowing |
602 | an OS distributor to revision their main bootloader independently of the CA. |
603 | +<<<<<<< debian/control |
604 | +======= |
605 | + . |
606 | + This package contains the version of the bootloader binary signed by the |
607 | + Microsoft UEFI CA. |
608 | +>>>>>>> debian/control |
609 | diff --git a/debian/copyright b/debian/copyright |
610 | index 64b3f57..1debf7d 100644 |
611 | --- a/debian/copyright |
612 | +++ b/debian/copyright |
613 | @@ -1,5 +1,6 @@ |
614 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ |
615 | Upstream-Name: shim |
616 | +<<<<<<< debian/copyright |
617 | Upstream-Contact: Matthew Garrett <mjg59@coreos.com> |
618 | Source: https://github.com/rhboot/shim |
619 | |
620 | @@ -227,6 +228,14 @@ License: BSD-3-Clause-Intel |
621 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
622 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
623 | |
624 | +======= |
625 | +Upstream-Contact: Matthew Garrett <mjg@redhat.com> |
626 | +Source: https://github.com/mjg59/shim.git |
627 | + |
628 | +Files: * |
629 | +Copyright: 2012 Red Hat, Inc |
630 | + 2009-2012 Intel Corporation |
631 | +>>>>>>> debian/copyright |
632 | License: BSD-2-Clause |
633 | Redistribution and use in source and binary forms, with or without |
634 | modification, are permitted provided that the following conditions |
635 | diff --git a/debian/lintian-overrides b/debian/lintian-overrides |
636 | new file mode 100644 |
637 | index 0000000..5ce68fc |
638 | --- /dev/null |
639 | +++ b/debian/lintian-overrides |
640 | @@ -0,0 +1 @@ |
641 | +shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy |
642 | diff --git a/debian/po b/debian/po |
643 | new file mode 120000 |
644 | index 0000000..081d461 |
645 | --- /dev/null |
646 | +++ b/debian/po |
647 | @@ -0,0 +1 @@ |
648 | +real-po |
649 | \ No newline at end of file |
650 | diff --git a/debian/real-po/POTFILES.in b/debian/real-po/POTFILES.in |
651 | new file mode 100644 |
652 | index 0000000..cef83a3 |
653 | --- /dev/null |
654 | +++ b/debian/real-po/POTFILES.in |
655 | @@ -0,0 +1 @@ |
656 | +[type: gettext/rfc822deb] templates |
657 | diff --git a/debian/real-po/templates.pot b/debian/real-po/templates.pot |
658 | new file mode 100644 |
659 | index 0000000..5cbebf0 |
660 | --- /dev/null |
661 | +++ b/debian/real-po/templates.pot |
662 | @@ -0,0 +1,110 @@ |
663 | +# SOME DESCRIPTIVE TITLE. |
664 | +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER |
665 | +# This file is distributed under the same license as the shim-signed package. |
666 | +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. |
667 | +# |
668 | +#, fuzzy |
669 | +msgid "" |
670 | +msgstr "" |
671 | +"Project-Id-Version: shim-signed\n" |
672 | +"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n" |
673 | +"POT-Creation-Date: 2016-05-04 16:57-0500\n" |
674 | +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" |
675 | +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" |
676 | +"Language-Team: LANGUAGE <LL@li.org>\n" |
677 | +"Language: \n" |
678 | +"MIME-Version: 1.0\n" |
679 | +"Content-Type: text/plain; charset=CHARSET\n" |
680 | +"Content-Transfer-Encoding: 8bit\n" |
681 | + |
682 | +#. Type: text |
683 | +#. Description |
684 | +#: ../templates:1001 |
685 | +msgid "Configuring Secure Boot" |
686 | +msgstr "" |
687 | + |
688 | +#. Type: error |
689 | +#. Description |
690 | +#: ../templates:2001 |
691 | +msgid "Invalid password" |
692 | +msgstr "" |
693 | + |
694 | +#. Type: error |
695 | +#. Description |
696 | +#: ../templates:2001 |
697 | +msgid "" |
698 | +"The Secure Boot key you've entered is not valid. The password used must be " |
699 | +"between 8 and 16 characters." |
700 | +msgstr "" |
701 | + |
702 | +#. Type: boolean |
703 | +#. Description |
704 | +#: ../templates:3001 |
705 | +msgid "Disable UEFI Secure Boot?" |
706 | +msgstr "" |
707 | + |
708 | +#. Type: boolean |
709 | +#. Description |
710 | +#: ../templates:3001 |
711 | +msgid "" |
712 | +"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible " |
713 | +"with the use of third-party drivers." |
714 | +msgstr "" |
715 | + |
716 | +#. Type: boolean |
717 | +#. Description |
718 | +#: ../templates:3001 |
719 | +msgid "" |
720 | +"The system will assist you in disabling UEFI Secure Boot. To ensure that " |
721 | +"this change is being made by you as an authorized user, and not by an " |
722 | +"attacker, you must choose a password now and then use the same password " |
723 | +"after reboot to confirm the change." |
724 | +msgstr "" |
725 | + |
726 | +#. Type: boolean |
727 | +#. Description |
728 | +#: ../templates:3001 |
729 | +msgid "" |
730 | +"If you choose to proceed but do not confirm the password upon reboot, Ubuntu " |
731 | +"will still be able to boot on your system but these third-party drivers will " |
732 | +"not be available for your hardware." |
733 | +msgstr "" |
734 | + |
735 | +#. Type: password |
736 | +#. Description |
737 | +#: ../templates:4001 |
738 | +msgid "Password:" |
739 | +msgstr "" |
740 | + |
741 | +#. Type: password |
742 | +#. Description |
743 | +#: ../templates:4001 |
744 | +msgid "" |
745 | +"Please enter a password for disabling Secure Boot. It will be asked again " |
746 | +"after a reboot." |
747 | +msgstr "" |
748 | + |
749 | +#. Type: password |
750 | +#. Description |
751 | +#: ../templates:5001 |
752 | +msgid "Re-enter password to verify:" |
753 | +msgstr "" |
754 | + |
755 | +#. Type: password |
756 | +#. Description |
757 | +#: ../templates:5001 |
758 | +msgid "" |
759 | +"Please enter the same password again to verify you have typed it correctly." |
760 | +msgstr "" |
761 | + |
762 | +#. Type: error |
763 | +#. Description |
764 | +#: ../templates:6001 |
765 | +msgid "Password input error" |
766 | +msgstr "" |
767 | + |
768 | +#. Type: error |
769 | +#. Description |
770 | +#: ../templates:6001 |
771 | +msgid "The two passwords you entered were not the same. Please try again." |
772 | +msgstr "" |
773 | diff --git a/debian/rules b/debian/rules |
774 | index aa94e7c..c8a6f99 100755 |
775 | --- a/debian/rules |
776 | +++ b/debian/rules |
777 | @@ -1,3 +1,4 @@ |
778 | +<<<<<<< debian/rules |
779 | #!/usr/bin/make -f |
780 | |
781 | # Other vendors, add your certs here. No sense in using |
782 | @@ -46,3 +47,32 @@ override_dh_auto_install: |
783 | override_dh_fixperms: |
784 | dh_fixperms |
785 | chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi |
786 | +======= |
787 | +#! /usr/bin/make -f |
788 | + |
789 | +VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) |
790 | +SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim) |
791 | + |
792 | +ifeq ($(DEB_TARGET_ARCH),amd64) |
793 | +export EFI_ARCH := X64 |
794 | +endif |
795 | +ifeq ($(DEB_TARGET_ARCH),arm64) |
796 | +export EFI_ARCH := AA64 |
797 | +endif |
798 | +export SHIM_BASE = shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi |
799 | + |
800 | +%: |
801 | + dh $@ |
802 | + |
803 | +docdir := debian/shim-signed/usr/share/doc/shim-signed |
804 | + |
805 | +override_dh_installchangelogs: |
806 | + dh_installchangelogs |
807 | + # Quieten lintian, which otherwise gets confused by our odd version |
808 | + # number. |
809 | + ln $(docdir)/changelog $(docdir)/changelog.Debian |
810 | + |
811 | +override_dh_gencontrol: |
812 | + dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ |
813 | + -Vshim:Version=$(SHIM_VERSION) |
814 | +>>>>>>> debian/rules |
815 | diff --git a/debian/shim-signed.dirs b/debian/shim-signed.dirs |
816 | new file mode 100644 |
817 | index 0000000..7e25a1f |
818 | --- /dev/null |
819 | +++ b/debian/shim-signed.dirs |
820 | @@ -0,0 +1,2 @@ |
821 | +var/lib/shim-signed |
822 | +var/lib/shim-signed/mok |
823 | diff --git a/debian/shim-signed.install b/debian/shim-signed.install |
824 | new file mode 100755 |
825 | index 0000000..93d4e26 |
826 | --- /dev/null |
827 | +++ b/debian/shim-signed.install |
828 | @@ -0,0 +1,7 @@ |
829 | +#! /usr/bin/dh-exec |
830 | + |
831 | +${SHIM_BASE}.signed /usr/lib/shim |
832 | +build/${SHIM_BASE}.dualsigned /usr/lib/shim |
833 | +openssl.cnf /usr/lib/shim/mok |
834 | +debian/source_shim-signed.py /usr/share/apport/package-hooks/ |
835 | +update-secureboot-policy /usr/sbin/ |
836 | diff --git a/debian/shim-signed.links b/debian/shim-signed.links |
837 | new file mode 100644 |
838 | index 0000000..2e3ccf9 |
839 | --- /dev/null |
840 | +++ b/debian/shim-signed.links |
841 | @@ -0,0 +1 @@ |
842 | +usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py |
843 | diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst |
844 | new file mode 100644 |
845 | index 0000000..d554f89 |
846 | --- /dev/null |
847 | +++ b/debian/shim-signed.postinst |
848 | @@ -0,0 +1,100 @@ |
849 | +#! /bin/sh |
850 | +set -e |
851 | + |
852 | +# Must load the confmodule for our template to be installed correctly. |
853 | +. /usr/share/debconf/confmodule |
854 | + |
855 | +config_item () |
856 | +{ |
857 | + if [ -f /etc/default/grub ]; then |
858 | + . /etc/default/grub || return |
859 | + for x in /etc/default/grub.d/*.cfg; do |
860 | + if [ -e "$x" ]; then |
861 | + . "$x" |
862 | + fi |
863 | + done |
864 | + fi |
865 | + eval echo "\$$1" |
866 | +} |
867 | + |
868 | +sign_dkms_modules() |
869 | +{ |
870 | + for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`; |
871 | + do |
872 | + for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\ '{print $1"/"$2}'`; |
873 | + do |
874 | + dkms uninstall -k "$kern" "$dkms" || : |
875 | + if ! dkms status -k "$kern" "$dkms" | grep -q 'built$' |
876 | + then |
877 | + cat <<EOF |
878 | + |
879 | +shim-signed: failed to prepare dkms module for signing; ignoring. |
880 | + module: $dkms |
881 | + kernel: $kern |
882 | +EOF |
883 | + continue |
884 | + fi |
885 | + mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko") |
886 | + for mod in $mods; do |
887 | + kmodsign sha512 \ |
888 | + /var/lib/shim-signed/mok/MOK.priv \ |
889 | + /var/lib/shim-signed/mok/MOK.der \ |
890 | + $mod |
891 | + done |
892 | + dkms install -k "$kern" "${dkms}" |
893 | + done |
894 | + done |
895 | +} |
896 | + |
897 | +case $(dpkg --print-architecture) in |
898 | + amd64) |
899 | + grubarch=x86_64-efi |
900 | + ;; |
901 | + arm64) |
902 | + grubarch=arm64-efi |
903 | + ;; |
904 | +esac |
905 | +case $1 in |
906 | + triggered) |
907 | + if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then |
908 | + SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key |
909 | + fi |
910 | + ;; |
911 | + configure) |
912 | + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ |
913 | + cut -d' ' -f1)" |
914 | + case $bootloader_id in |
915 | + kubuntu) bootloader_id=ubuntu ;; |
916 | + esac |
917 | + if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ |
918 | + && which grub-install >/dev/null 2>&1 |
919 | + then |
920 | + grub-install --target=${grubarch} --auto-nvram |
921 | + if dpkg --compare-versions "$2" lt-nl "1.22~"; then |
922 | + rm -f /boot/efi/EFI/ubuntu/MokManager.efi |
923 | + fi |
924 | + fi |
925 | + |
926 | + # Upgrade case, capture pre-existing DKMS packages. |
927 | + if dpkg --compare-versions "$2" lt-nl "1.30" \ |
928 | + && [ -d /var/lib/dkms ] |
929 | + then |
930 | + find /var/lib/dkms -maxdepth 1 -type d -print \ |
931 | + | LC_ALL=C sort > /var/lib/shim-signed/dkms-list |
932 | + fi |
933 | + |
934 | + # Upgrade case, migrate all existing kernels/dkms module combinations |
935 | + # to self-signed modules. |
936 | + if dpkg --compare-versions "$2" lt "1.34.7" \ |
937 | + && [ -d /var/lib/dkms ] |
938 | + then |
939 | + SHIM_NOTRIGGER=y update-secureboot-policy --new-key |
940 | + sign_dkms_modules |
941 | + SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key |
942 | + fi |
943 | + ;; |
944 | +esac |
945 | + |
946 | +#DEBHELPER# |
947 | + |
948 | +exit 0 |
949 | diff --git a/debian/shim-signed.postrm b/debian/shim-signed.postrm |
950 | new file mode 100644 |
951 | index 0000000..4933982 |
952 | --- /dev/null |
953 | +++ b/debian/shim-signed.postrm |
954 | @@ -0,0 +1,10 @@ |
955 | +#!/bin/sh |
956 | +set -e |
957 | + |
958 | +case $1 in |
959 | + purge) |
960 | + rm -rf /var/lib/shim-signed |
961 | + ;; |
962 | +esac |
963 | + |
964 | +#DEBHELPER# |
965 | diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers |
966 | new file mode 100644 |
967 | index 0000000..2b33128 |
968 | --- /dev/null |
969 | +++ b/debian/shim-signed.triggers |
970 | @@ -0,0 +1 @@ |
971 | +interest-noawait shim-secureboot-policy |
972 | diff --git a/debian/source/format b/debian/source/format |
973 | index 163aaf8..74559ab 100644 |
974 | --- a/debian/source/format |
975 | +++ b/debian/source/format |
976 | @@ -1 +1,5 @@ |
977 | +<<<<<<< debian/source/format |
978 | 3.0 (quilt) |
979 | +======= |
980 | +3.0 (native) |
981 | +>>>>>>> debian/source/format |
982 | diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py |
983 | new file mode 100644 |
984 | index 0000000..6df7f28 |
985 | --- /dev/null |
986 | +++ b/debian/source_shim-signed.py |
987 | @@ -0,0 +1,58 @@ |
988 | +'''apport package hook for shim and shim-signed |
989 | + |
990 | +(c) 2015 Canonical Ltd. |
991 | +Author: Brian Murray <brian@ubuntu.com> |
992 | +''' |
993 | + |
994 | +import errno |
995 | +import os |
996 | +import re |
997 | + |
998 | +from apport.hookutils import ( |
999 | + command_available, |
1000 | + command_output, |
1001 | + recent_syslog, |
1002 | + attach_file, |
1003 | + attach_root_command_outputs) |
1004 | + |
1005 | +efiarch = {'amd64': 'x64', |
1006 | + 'i386': 'ia32', |
1007 | + 'arm64': 'aa64' |
1008 | + } |
1009 | +grubarch = {'amd64': 'x86_64', |
1010 | + 'i386': 'i386', |
1011 | + 'arm64': 'arm64' |
1012 | + } |
1013 | + |
1014 | +def add_info(report, ui): |
1015 | + efiboot = '/boot/efi/EFI/ubuntu' |
1016 | + if command_available('efibootmgr'): |
1017 | + report['EFIBootMgr'] = command_output(['efibootmgr', '-v']) |
1018 | + else: |
1019 | + report['EFIBootMgr'] = 'efibootmgr not available' |
1020 | + commands = {} |
1021 | + try: |
1022 | + directory = os.stat(efiboot) |
1023 | + except OSError as e: |
1024 | + if e.errno == errno.ENOENT: |
1025 | + report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing' |
1026 | + return |
1027 | + if e.errno == errno.EACCES: |
1028 | + directory= True |
1029 | + if directory: |
1030 | + arch = report['Architecture'] |
1031 | + commands['BootEFIContents'] = 'ls %s' % efiboot |
1032 | + commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch]) |
1033 | + commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch]) |
1034 | + |
1035 | + efivars_dir = '/sys/firmware/efi/efivars' |
1036 | + sb_var = os.path.join(efivars_dir, |
1037 | + 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c') |
1038 | + mok_var = os.path.join(efivars_dir, |
1039 | + 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23') |
1040 | + |
1041 | + attach_file(report, '/proc/sys/kernel/moksbstate_disabled') |
1042 | + commands['SecureBoot'] = 'od -An -t u1 %s' % sb_var |
1043 | + commands['MokSBStateRT'] = 'od -An -t u1 %s' % mok_var |
1044 | + attach_root_command_outputs(report, commands) |
1045 | + report['EFITables'] = recent_syslog(re.compile(r'(efi|esrt):|Secure boot')) |
1046 | diff --git a/debian/templates b/debian/templates |
1047 | new file mode 100644 |
1048 | index 0000000..0d2d968 |
1049 | --- /dev/null |
1050 | +++ b/debian/templates |
1051 | @@ -0,0 +1,53 @@ |
1052 | +Template: shim/title/secureboot |
1053 | +Type: text |
1054 | +_Description: Configuring Secure Boot |
1055 | + |
1056 | +Template: shim/error/bad_secureboot_key |
1057 | +Type: error |
1058 | +_Description: Invalid password |
1059 | + The Secure Boot key you've entered is not valid. The password used must be |
1060 | + between 8 and 16 characters. |
1061 | + |
1062 | +Template: shim/enable_secureboot |
1063 | +Type: boolean |
1064 | +Default: false |
1065 | +_Description: Enroll a new Machine-Owner Key? |
1066 | + A new Machine-Owner key has been generated for this system to use when |
1067 | + signing third-party drivers. This key now needs to be enrolled in your |
1068 | + firmware, which will be done at the next reboot. |
1069 | + . |
1070 | + If Secure Boot validation was previously disabled on your system, validation |
1071 | + will also be re-enabled as part of this key enrollment process. |
1072 | + |
1073 | +Template: shim/secureboot_explanation |
1074 | +Type: note |
1075 | +_Description: Your system has UEFI Secure Boot enabled. |
1076 | + UEFI Secure Boot requires additional configuration to work with third-party |
1077 | + drivers. |
1078 | + . |
1079 | + The system will assist you in configuring UEFI Secure Boot. To permit the |
1080 | + use of third-party drivers, a new Machine-Owner Key (MOK) has been generated. |
1081 | + This key now needs to be enrolled in your system's firmware. |
1082 | + . |
1083 | + To ensure that this change is being made by you as an authorized user, and |
1084 | + not by an attacker, you must choose a password now and then confirm the |
1085 | + change after reboot using the same password, in both the "Enroll MOK" and |
1086 | + "Change Secure Boot state" menus that will be presented to you when this |
1087 | + system reboots. |
1088 | + . |
1089 | + If you proceed but do not confirm the password upon reboot, Ubuntu |
1090 | + will still be able to boot on your system but any hardware that requires |
1091 | + third-party drivers to work correctly may not be usable. |
1092 | + |
1093 | +Template: shim/secureboot_key |
1094 | +Type: string |
1095 | +_Description: Enter a password for Secure Boot. It will be asked again after a reboot. |
1096 | + |
1097 | +Template: shim/secureboot_key_again |
1098 | +Type: string |
1099 | +_Description: Enter the same password again to verify you have typed it correctly. |
1100 | + |
1101 | +Template: shim/error/secureboot_key_mismatch |
1102 | +Type: error |
1103 | +_Description: Password input error |
1104 | + The two passwords you entered were not the same. Please try again. |
1105 | diff --git a/download-signed b/download-signed |
1106 | new file mode 100755 |
1107 | index 0000000..0793696 |
1108 | --- /dev/null |
1109 | +++ b/download-signed |
1110 | @@ -0,0 +1,183 @@ |
1111 | +#! /usr/bin/python3 |
1112 | + |
1113 | +import hashlib |
1114 | +import argparse |
1115 | +import os |
1116 | +import re |
1117 | +import sys |
1118 | +import tarfile |
1119 | +from urllib import request |
1120 | +from urllib.error import HTTPError |
1121 | +from urllib.parse import ( |
1122 | + urlparse, |
1123 | + urlunparse, |
1124 | + ) |
1125 | + |
1126 | +import apt |
1127 | + |
1128 | +# package_name: package containing the objects we signed |
1129 | +# package_version: package version containing the objects we signed |
1130 | +# src_package: source package name in dists |
1131 | +# signed_type: 'signed' or 'uefi' schema in the url |
1132 | + |
1133 | +parser = argparse.ArgumentParser() |
1134 | +parser.add_argument( |
1135 | + "package_name", |
1136 | + help="package containining the objects we signed") |
1137 | +parser.add_argument( |
1138 | + "package_version", |
1139 | + help="package version containing the objects we signed, or 'current'") |
1140 | +parser.add_argument( |
1141 | + "src_package", |
1142 | + help="source package name in dists") |
1143 | +parser.add_argument( |
1144 | + "signed_type", |
1145 | + nargs='?', |
1146 | + default='signed', |
1147 | + help="subdirectory type in the url, 'signed' or 'uefi'") |
1148 | +args = parser.parse_args() |
1149 | + |
1150 | + |
1151 | +class SignedDownloader: |
1152 | + """Download a block of signed information from dists. |
1153 | + |
1154 | + Find a block of signed information as published in dists/*/signed |
1155 | + and download the contents. Use the contained checksum files to |
1156 | + identify the members and to validate them once downloaded. |
1157 | + """ |
1158 | + |
1159 | + def __init__(self, package_name, package_version, src_package, signed_type='signed'): |
1160 | + self.package_name = package_name |
1161 | + self.package_version = package_version |
1162 | + self.src_package = src_package |
1163 | + |
1164 | + # Find the package in the available archive repositories. Use a _binary_ |
1165 | + # package name and version to locate the appropriate archive. Then use the |
1166 | + # URI there to look for and find the appropriate binary. |
1167 | + cache = apt.Cache() |
1168 | + |
1169 | + self.package = None |
1170 | + if self.package_version == "current": |
1171 | + self.package = cache[package_name].candidate |
1172 | + else: |
1173 | + for version in cache[package_name].versions: |
1174 | + if version.version == self.package_version: |
1175 | + self.package = version |
1176 | + break |
1177 | + |
1178 | + if not self.package: |
1179 | + raise KeyError("{0}: package version not found".format(self.package_name)) |
1180 | + |
1181 | + origin = self.package.origins[0] |
1182 | + pool_parsed = urlparse(self.package.uri) |
1183 | + self.package_dir = "%s/%s/%s/%s-%s/%s/" % ( |
1184 | + origin.archive, 'main', signed_type, |
1185 | + self.src_package, self.package.architecture, self.package_version) |
1186 | + |
1187 | + # Prepare the master url stem and pull out any username/password. If present |
1188 | + # replace the default opener with one which offers that password. |
1189 | + dists_parsed_master = list(pool_parsed) |
1190 | + if '@' in dists_parsed_master[1]: |
1191 | + (username_password, host) = pool_parsed[1].split('@', 1) |
1192 | + (username, password) = username_password.split(':', 1) |
1193 | + |
1194 | + dists_parsed_master[1] = host |
1195 | + |
1196 | + # Work out the authentication domain. |
1197 | + domain_parsed = [ dists_parsed_master[0], dists_parsed_master[1], '/', None, None, None ] |
1198 | + auth_uri = urlunparse(domain_parsed) |
1199 | + |
1200 | + # create a password manager |
1201 | + password_mgr = request.HTTPPasswordMgrWithDefaultRealm() |
1202 | + |
1203 | + # Add the username and password. |
1204 | + # If we knew the realm, we could use it instead of None. |
1205 | + password_mgr.add_password(None, auth_uri, username, password) |
1206 | + |
1207 | + handler = request.HTTPBasicAuthHandler(password_mgr) |
1208 | + |
1209 | + # create "opener" (OpenerDirector instance) |
1210 | + opener = request.build_opener(handler) |
1211 | + |
1212 | + # Now all calls to urllib.request.urlopen use our opener. |
1213 | + request.install_opener(opener) |
1214 | + |
1215 | + self.dists_parsed = dists_parsed_master |
1216 | + |
1217 | + def download_one(self, member, filename, hash_factory=None): |
1218 | + directory = os.path.dirname(filename) |
1219 | + if not os.path.exists(directory): |
1220 | + os.makedirs(directory) |
1221 | + |
1222 | + dists_parsed = list(self.dists_parsed) |
1223 | + dists_parsed[2] = re.sub(r"/pool/.*", "/dists/" + self.package_dir + \ |
1224 | + member, dists_parsed[2]) |
1225 | + dists_uri = urlunparse(dists_parsed) |
1226 | + |
1227 | + print("Downloading %s ... " % dists_uri, end='') |
1228 | + sys.stdout.flush() |
1229 | + try: |
1230 | + with request.urlopen(dists_uri) as dists, open(filename, "wb") as out: |
1231 | + hashobj = None |
1232 | + if hash_factory: |
1233 | + hashobj = hash_factory() |
1234 | + for chunk in iter(lambda: dists.read(256 * 1024), b''): |
1235 | + if hashobj: |
1236 | + hashobj.update(chunk) |
1237 | + out.write(chunk) |
1238 | + checksum = True |
1239 | + if hashobj: |
1240 | + checksum = hashobj.hexdigest() |
1241 | + except HTTPError as e: |
1242 | + if e.code == 404: |
1243 | + print("not found") |
1244 | + else: |
1245 | + raise |
1246 | + else: |
1247 | + print("found") |
1248 | + return checksum |
1249 | + return None |
1250 | + |
1251 | + def download(self, base): |
1252 | + """Download an entire signed result from dists.""" |
1253 | + |
1254 | + # Download the checksums and use that to download the contents. |
1255 | + sums = 'SHA256SUMS' |
1256 | + sums_local = os.path.join(base, self.package_version, sums) |
1257 | + if not self.download_one(sums, sums_local): |
1258 | + print('download-signed: {0}: not found'.format(sums)) |
1259 | + sys.exit(1) |
1260 | + |
1261 | + # Read the checksum file and download the files it mentions. |
1262 | + here = os.path.abspath(base) |
1263 | + with open(sums_local) as sfd: |
1264 | + for line in sfd: |
1265 | + line = line.strip() |
1266 | + (checksum_expected, member) = (line[0:64], line[66:]) |
1267 | + filename = os.path.abspath(os.path.join(base, self.package_version, member)) |
1268 | + if not filename.startswith(here): |
1269 | + print('download-signed: {0}: member outside output directory'.format(member)) |
1270 | + sys.exit(1) |
1271 | + |
1272 | + # Download and checksum this member. |
1273 | + checksum_actual = self.download_one(member, filename, hashlib.sha256) |
1274 | + if checksum_expected != checksum_actual: |
1275 | + print('download-signed: {0}: member checksum invalid'.format(member)) |
1276 | + sys.exit(1) |
1277 | + |
1278 | + # If this is a tarball result then extract it. |
1279 | + here = os.path.abspath(os.path.join(base, self.package_version)) |
1280 | + tarball_filename = os.path.join(base, self.package_version, 'signed.tar.gz') |
1281 | + if os.path.exists(tarball_filename): |
1282 | + with tarfile.open(tarball_filename) as tarball: |
1283 | + for tarinfo in tarball: |
1284 | + if not filename.startswith(here): |
1285 | + print('download-signed: {0}: tarball member outside output directory'.format(member)) |
1286 | + sys.exit(1) |
1287 | + for tarinfo in tarball: |
1288 | + print('Extracting {0} ...'.format(tarinfo.name)) |
1289 | + tarball.extract(tarinfo, base) |
1290 | + |
1291 | + |
1292 | +downloader = SignedDownloader(**vars(args)) |
1293 | +downloader.download('.') |
1294 | diff --git a/openssl.cnf b/openssl.cnf |
1295 | new file mode 100644 |
1296 | index 0000000..5a4f734 |
1297 | --- /dev/null |
1298 | +++ b/openssl.cnf |
1299 | @@ -0,0 +1,27 @@ |
1300 | +HOME = /var/lib/shim-signed/mok |
1301 | +RANDFILE = /var/lib/shim-signed/mok/.rnd |
1302 | + |
1303 | +[ req ] |
1304 | +distinguished_name = req_distinguished_name |
1305 | +x509_extensions = v3_ca |
1306 | +string_mask = utf8only |
1307 | + |
1308 | +[ req_distinguished_name ] |
1309 | + |
1310 | +[ v3_ca ] |
1311 | +subjectKeyIdentifier = hash |
1312 | +authorityKeyIdentifier = keyid:always,issuer |
1313 | +basicConstraints = critical,CA:FALSE |
1314 | + |
1315 | +# We use extended key usage information to limit what this auto-generated |
1316 | +# key can be used for. |
1317 | +# |
1318 | +# codeSigning: specifies that this key is used to sign code. |
1319 | +# |
1320 | +# 1.3.6.1.4.1.2312.16.1.2: defines this key as used for module signing |
1321 | +# only. See https://lkml.org/lkml/2015/8/26/741. |
1322 | +# |
1323 | +extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2 |
1324 | + |
1325 | +nsComment = "OpenSSL Generated Certificate" |
1326 | + |
1327 | diff --git a/shimaa64.efi.signed b/shimaa64.efi.signed |
1328 | new file mode 100644 |
1329 | index 0000000..f14323e |
1330 | Binary files /dev/null and b/shimaa64.efi.signed differ |
1331 | diff --git a/shimx64.efi.signed b/shimx64.efi.signed |
1332 | new file mode 100644 |
1333 | index 0000000..0ac0d6f |
1334 | Binary files /dev/null and b/shimx64.efi.signed differ |
1335 | diff --git a/update-secureboot-policy b/update-secureboot-policy |
1336 | new file mode 100755 |
1337 | index 0000000..7ec61a7 |
1338 | --- /dev/null |
1339 | +++ b/update-secureboot-policy |
1340 | @@ -0,0 +1,297 @@ |
1341 | +#!/bin/sh |
1342 | +set -e |
1343 | + |
1344 | +if test $# = 0 \ |
1345 | + && test x"$SHIM_NOTRIGGER" = x \ |
1346 | + && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \ |
1347 | + && dpkg-trigger --check-supported 2>/dev/null |
1348 | +then |
1349 | + if dpkg-trigger --no-await shim-secureboot-policy; then |
1350 | + if test x"$SHIM_TRIGGER_DEBUG" != x; then |
1351 | + echo "shim: wrapper deferring policy update (trigger activated)" |
1352 | + fi |
1353 | + exit 0 |
1354 | + fi |
1355 | +fi |
1356 | + |
1357 | +if [ "$(id -u)" -ne 0 ]; then |
1358 | + echo "$0: Permission denied" |
1359 | + exit 1 |
1360 | +fi |
1361 | + |
1362 | +do_enroll=0 |
1363 | +do_toggle=0 |
1364 | + |
1365 | +efivars=/sys/firmware/efi/efivars |
1366 | +secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c |
1367 | +moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 |
1368 | + |
1369 | +SB_KEY="/var/lib/shim-signed/mok/MOK.der" |
1370 | +SB_PRIV="/var/lib/shim-signed/mok/MOK.priv" |
1371 | + |
1372 | +OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list" |
1373 | +NEW_DKMS_LIST="${OLD_DKMS_LIST}.new" |
1374 | + |
1375 | +touch $OLD_DKMS_LIST |
1376 | + |
1377 | +dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \ |
1378 | + | LC_ALL=C sort) |
1379 | +dkms_modules=$(echo "$dkms_list" | wc -l) |
1380 | + |
1381 | +. /usr/share/debconf/confmodule |
1382 | + |
1383 | +update_dkms_list() |
1384 | +{ |
1385 | + echo "$dkms_list" > $NEW_DKMS_LIST |
1386 | +} |
1387 | + |
1388 | +save_dkms_list() |
1389 | +{ |
1390 | + mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST" |
1391 | +} |
1392 | + |
1393 | +clear_new_dkms_list() |
1394 | +{ |
1395 | + rm "$NEW_DKMS_LIST" |
1396 | +} |
1397 | + |
1398 | +new_dkms_module() |
1399 | +{ |
1400 | + # handle nvidia module specially because it changed path |
1401 | + if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then |
1402 | + # nvidia module is newly added |
1403 | + return 0 |
1404 | + fi |
1405 | + |
1406 | + # return 0 if there is any other new module |
1407 | + env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia" |
1408 | +} |
1409 | + |
1410 | +show_dkms_list_changes() |
1411 | +{ |
1412 | + diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2 |
1413 | +} |
1414 | + |
1415 | +validate_password() |
1416 | +{ |
1417 | + db_capb |
1418 | + if [ "$key" != "$again" ]; then |
1419 | + db_fset shim/error/secureboot_key_mismatch seen false |
1420 | + db_input critical shim/error/secureboot_key_mismatch || true |
1421 | + STATE=$(($STATE - 2)) |
1422 | + else |
1423 | + length=$((`echo "$key" | wc -c` - 1)) |
1424 | + if [ $length -lt 8 ] || [ $length -gt 16 ]; then |
1425 | + db_fset shim/error/bad_secureboot_key seen false |
1426 | + db_input critical shim/error/bad_secureboot_key || true |
1427 | + STATE=$(($STATE - 2)) |
1428 | + elif [ $length -ne 0 ]; then |
1429 | + return 0 |
1430 | + fi |
1431 | + fi |
1432 | + |
1433 | + return 1 |
1434 | +} |
1435 | + |
1436 | +clear_passwords() |
1437 | +{ |
1438 | + # Always clear secureboot key. |
1439 | + db_set shim/secureboot_key '' |
1440 | + db_fset shim/secureboot_key seen false |
1441 | + db_set shim/secureboot_key_again '' |
1442 | + db_fset shim/secureboot_key_again seen false |
1443 | +} |
1444 | + |
1445 | +toggle_validation() |
1446 | +{ |
1447 | + local key="$1" |
1448 | + local again="$2" |
1449 | + |
1450 | + echo "Enabling shim validation." |
1451 | + printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --enable-validation >/dev/null || true |
1452 | +} |
1453 | + |
1454 | +enroll_mok() |
1455 | +{ |
1456 | + local key="$1" |
1457 | + local again="$2" |
1458 | + |
1459 | + echo "Adding '$SB_KEY' to shim:" |
1460 | + printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true |
1461 | +} |
1462 | + |
1463 | +do_it() |
1464 | +{ |
1465 | + STATE=1 |
1466 | + db_settitle shim/title/secureboot |
1467 | + while true; do |
1468 | + case "$STATE" in |
1469 | + 1) |
1470 | + db_capb |
1471 | + db_fset shim/secureboot_explanation seen false |
1472 | + db_input critical shim/secureboot_explanation || true |
1473 | + ;; |
1474 | + 2) |
1475 | + if [ "$do_toggle" -eq 1 ]; then |
1476 | + # Force no backtracking here; otherwise the GNOME backend |
1477 | + # might allow it due to displaying the explanation just before. |
1478 | + # Fixes LP: #1767091 |
1479 | + db_capb |
1480 | + # Allow the user to skip toggling Secure Boot. |
1481 | + db_fset shim/enable_secureboot seen false |
1482 | + db_input critical shim/enable_secureboot || true |
1483 | + db_go |
1484 | + |
1485 | + db_get shim/enable_secureboot |
1486 | + if [ "$RET" = "false" ]; then |
1487 | + break |
1488 | + fi |
1489 | + fi |
1490 | + ;; |
1491 | + 3) |
1492 | + |
1493 | + db_input critical shim/secureboot_key || true |
1494 | + seen_key=$RET |
1495 | + db_input critical shim/secureboot_key_again || true |
1496 | + ;; |
1497 | + 4) |
1498 | + db_get shim/secureboot_key |
1499 | + key="$RET" |
1500 | + db_get shim/secureboot_key_again |
1501 | + again="$RET" |
1502 | + |
1503 | + if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then |
1504 | + echo "Running in non-interactive mode, doing nothing." >&2 |
1505 | + |
1506 | + if new_dkms_module; then |
1507 | + show_dkms_list_changes |
1508 | + clear_new_dkms_list |
1509 | + exit 1 |
1510 | + else |
1511 | + exit 0 |
1512 | + fi |
1513 | + fi |
1514 | + |
1515 | + if validate_password; then |
1516 | + if [ $do_toggle -eq 1 ]; then |
1517 | + toggle_validation "$key" "$again" |
1518 | + fi |
1519 | + if [ $do_enroll -eq 1 ]; then |
1520 | + enroll_mok "$key" "$again" |
1521 | + fi |
1522 | + save_dkms_list |
1523 | + fi |
1524 | + |
1525 | + clear_passwords |
1526 | + ;; |
1527 | + *) |
1528 | + break |
1529 | + ;; |
1530 | + esac |
1531 | + |
1532 | + if db_go; then |
1533 | + STATE=$(($STATE + 1)) |
1534 | + else |
1535 | + STATE=$(($STATE - 1)) |
1536 | + fi |
1537 | + db_capb backup |
1538 | + done |
1539 | + db_capb |
1540 | +} |
1541 | + |
1542 | +validate_actions() { |
1543 | + # Validate any queued actions before we go try to do them. |
1544 | + local moksbstatert=0 |
1545 | + |
1546 | + if ! [ -d $efivars ]; then |
1547 | + echo "$efivars not found, aborting." >&2 |
1548 | + exit 0 |
1549 | + fi |
1550 | + |
1551 | + if ! [ -f $efivars/$secureboot_var ] \ |
1552 | + || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] |
1553 | + then |
1554 | + echo "Secure Boot not enabled on this system." >&2 |
1555 | + exit 0 |
1556 | + fi |
1557 | + |
1558 | + if [ $dkms_modules -lt 2 ]; then |
1559 | + echo "No DKMS modules installed." >&2 |
1560 | + exit 0 |
1561 | + fi |
1562 | + |
1563 | + if [ -f /proc/sys/kernel/moksbstate_disabled ]; then |
1564 | + moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) |
1565 | + elif [ -f $efivars/$moksbstatert_var ]; then |
1566 | + # MokSBStateRT set to 1 means validation is disabled |
1567 | + moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ |
1568 | + awk '{ print $NF; }') |
1569 | + fi |
1570 | + |
1571 | + # We were asked to enroll a key. This only makes sense if validation |
1572 | + # is enabled. |
1573 | + if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then |
1574 | + do_toggle=1 |
1575 | + fi |
1576 | +} |
1577 | + |
1578 | +create_mok() |
1579 | +{ |
1580 | + if [ -e "$SB_KEY" ]; then |
1581 | + return |
1582 | + fi |
1583 | + |
1584 | + echo "Generating a new Secure Boot signing key:" |
1585 | + openssl req -config /usr/lib/shim/mok/openssl.cnf \ |
1586 | + -subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \ |
1587 | + -new -x509 -newkey rsa:2048 \ |
1588 | + -nodes -days 36500 -outform DER \ |
1589 | + -keyout "$SB_PRIV" \ |
1590 | + -out "$SB_KEY" |
1591 | +} |
1592 | + |
1593 | +update_dkms_list |
1594 | + |
1595 | +case "$1" in |
1596 | +'--enable'|'--disable') |
1597 | + echo "Please run mokutil directly to change shim validation behavior." |
1598 | + exit 0 |
1599 | + ;; |
1600 | + |
1601 | +'--new-key') |
1602 | + create_mok |
1603 | + exit 0 |
1604 | + ;; |
1605 | + |
1606 | +'--enroll-key') |
1607 | + if [ -e "$SB_KEY" ]; then |
1608 | + if mokutil --test-key "$SB_KEY" | \ |
1609 | + grep -qc 'is not'; then |
1610 | + do_enroll=1 |
1611 | + fi |
1612 | + else |
1613 | + echo "No MOK found." |
1614 | + exit 1 |
1615 | + fi |
1616 | + ;; |
1617 | + |
1618 | +*) |
1619 | + echo "update-secureboot-policy: toggle UEFI Secure Boot in shim" |
1620 | + echo |
1621 | + echo "\t--new-key\tCreate a new MOK." |
1622 | + echo "\t--enroll-key\tEnroll the new MOK for this system in shim." |
1623 | + echo "\t--help\t\tThis help text." |
1624 | + exit 0 |
1625 | + |
1626 | +esac |
1627 | + |
1628 | +validate_actions |
1629 | + |
1630 | +if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then |
1631 | + echo "Nothing to do." |
1632 | + exit 0 |
1633 | +fi |
1634 | + |
1635 | +do_it |
1636 | + |
1637 | +exit 0 |