shim

Merge ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed into ~ubuntu-core-dev/shim/+git/shim:master

Git
lp:~ubuntu-core-dev/shim/+git/shim-signed
xnox/dual-signed
Merge into master

Proposed by Dimitri John Ledkov on 2020-08-04

Status:

Superseded

Proposed branch:

~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed

Merge into:

~ubuntu-core-dev/shim/+git/shim:master

Diff against target:

1637 lines (+1444/-0) (has conflicts)

24 files modified

CanonicalMasterCA.crt (+25/-0)
Makefile (+39/-0)
MicCorUEFCA2011_2011-06-27.crt (+35/-0)
debian/bzr-builddeb.conf (+2/-0)
debian/changelog (+424/-0)
debian/control (+24/-0)
debian/copyright (+9/-0)
debian/lintian-overrides (+1/-0)
debian/po (+1/-0)
debian/real-po/POTFILES.in (+1/-0)
debian/real-po/templates.pot (+110/-0)
debian/rules (+30/-0)
debian/shim-signed.dirs (+2/-0)
debian/shim-signed.install (+7/-0)
debian/shim-signed.links (+1/-0)
debian/shim-signed.postinst (+100/-0)
debian/shim-signed.postrm (+10/-0)
debian/shim-signed.triggers (+1/-0)
debian/source/format (+4/-0)
debian/source_shim-signed.py (+58/-0)
debian/templates (+53/-0)
download-signed (+183/-0)
openssl.cnf (+27/-0)
update-secureboot-policy (+297/-0)

Conflict in Makefile
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/copyright
Conflict in debian/rules
Conflict in debian/source/format

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Core Development Team		2020-08-04	Pending
Review via email: mp+388660@code.launchpad.net

This proposal has been superseded by a proposal from 2020-08-04.

Commit message

Construct and ship dual-signed shim.

Currently using shim-canonical provided signed artefacts.

Unmerged commits

8ba0dc3... by Dimitri John Ledkov on 2020-08-04: Construct and ship dual-signed shim.
b384346... by Dimitri John Ledkov on 2020-06-22: Construct and ship dual-signed shim.
2786832... by Dimitri John Ledkov on 2020-06-22: Add download-signed script from linux-signed package
972530c... by Julian Andres Klode on 2020-08-03: releasing package shim-signed version 1.42
19b9216... by Julian Andres Klode on 2020-08-03: Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
68eae8b... by Steve Langasek on 2020-02-05: releasing package shim-signed version 1.41
de258c9... by Steve Langasek on 2019-12-15: releasing package shim-signed version 1.40
716983a... by Steve Langasek on 2019-12-15: Add a versioned dependency on the mokutil that introduces --timeout.
fba9ff6... by Steve Langasek on 2019-12-15: Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422.
54a591e... by dann frazier on 2018-11-14: releasing package shim-signed version 1.39

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Ubuntu Core Development Team

 diff --git a/CanonicalMasterCA.crt b/CanonicalMasterCA.crt
 new file mode 100644
 index 0000000..55c06d5
 --- /dev/null
 +++ b/CanonicalMasterCA.crt
@@ -0,0 +1,25 @@
++-----BEGIN CERTIFICATE-----
++MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
++VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
++FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
++LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
++DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
++IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
++NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
++b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
++7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
++v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
+++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
++yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
++YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
++BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
++MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
++Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
++b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
++CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
++B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
++WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
++U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
++7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
++9JkU284DDgtmxBxtvbgnd8FClL38agq8
++-----END CERTIFICATE-----
 diff --git a/Makefile b/Makefile
 index 49e14a2..80f7885 100644
 --- a/Makefile
 +++ b/Makefile
@@ -1,3 +1,4 @@
++<<<<<<< Makefile
  default : all
  NAME		= shim
@@ -263,3 +264,41 @@ archive: tag
  .PHONY : install-deps shim.key
  export ARCH CC LD OBJCOPY EFI_INCLUDE
++=======
++SHIM_CANONICAL_VERSION=$(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned)
++
++check:
++	mkdir -p build
++	# Verifying that the image is signed with the correct key.
++	#sbverify --cert cyphermox.crt shimx64.efi.signed
++	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_BASE).signed
++	# Verifying that we have the correct binary.
++	sbattach --detach build/detached-sig $(SHIM_BASE).signed
++	cp /usr/lib/shim/$(SHIM_BASE) build/$(SHIM_BASE).signed
++	sbattach --attach build/detached-sig build/$(SHIM_BASE).signed
++	cmp $(SHIM_BASE).signed build/$(SHIM_BASE).signed
++	####
++	# Construct dual-signed shim
++	./download-signed shim-canonical-unsigned $(SHIM_CANONICAL_VERSION) shim-canonical signed
++	# Verify that the downloaded binary has signatures chained to Canonical Master CA
++	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
++	# Detach Canonical signature
++	sbattach --detach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
++	rm $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
++	# Compare that shims are all the same now
++	cmp /usr/lib/shim/$(SHIM_BASE) $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	# Reattach Canonical signature
++	sbattach --attach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	# Verify that attachment worked
++	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	# Attach Microsoft signature
++	sbattach --attach build/detached-sig $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	# Validate that this shim is now dualsigned
++	sbverify --list $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
++	cp $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).dualsigned
++
++clean:
++	rm -rf build $(SHIM_CANONICAL_VERSION) $shim_boot.csv BOOT$(EFI_ARCH).CSV
++>>>>>>> Makefile
 diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt
 new file mode 100644
 index 0000000..d7c29ef
 --- /dev/null
 +++ b/MicCorUEFCA2011_2011-06-27.crt
@@ -0,0 +1,35 @@
++-----BEGIN CERTIFICATE-----
++MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG
++A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
++HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z
++b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN
++MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR
++BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
++Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0
++aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
++AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug
+++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI
++rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ
++E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp
++XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L
++71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB
++AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW
++BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA
++QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD
++4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p
++Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f
++MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw
++Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv
++b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q
++aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz
++Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g
++Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX
++i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM
++sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh
++aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk
++BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs
++deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5
++QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7
++5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu
++AkXuZcK2o35pFnUHkpv1prxZg1g=
++-----END CERTIFICATE-----
 diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf
 new file mode 100644
 index 0000000..3a08d60
 --- /dev/null
 +++ b/debian/bzr-builddeb.conf
@@ -0,0 +1,2 @@
++[BUILDDEB]
++native = True
 diff --git a/debian/changelog b/debian/changelog
 index 1e18261..6f2af53 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,4 @@
++<<<<<<< debian/changelog
  shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium
    * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression
@@ -303,3 +304,426 @@ shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
    * Include the Canonical Secure Boot master CA.
   -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700
++=======
++shim-signed (1.43) UNRELEASED; urgency=medium
++
++  * Add download-signed script from linux-signed package
++  * Construct and ship dual-signed shim.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 04 Aug 2020 14:23:29 +0100
++
++shim-signed (1.42) groovy; urgency=medium
++
++  * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 03 Aug 2020 12:36:10 +0200
++
++shim-signed (1.41) focal; urgency=medium
++
++  * Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 05 Feb 2020 13:04:08 -0800
++
++shim-signed (1.40) focal; urgency=medium
++
++  * Pass --timeout -1 to mokutil so that users don't end up with broken
++    systems by missing MokManager on reboot after install.  LP: #1856422.
++  * Add a versioned dependency on the mokutil that introduces --timeout.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 14 Dec 2019 20:26:42 -0800
++
++shim-signed (1.39) disco; urgency=medium
++
++  * debian/source_shim-signed.py: Correct EFI architecture name for arm64.
++  * Parameterize code to remove hardcoded x86-isms.
++  * Add arm64 support.
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 14 Nov 2018 11:13:42 -0700
++
++shim-signed (1.38) cosmic; urgency=medium
++
++  * Don't fail non-interactive upgrade of nvidia module and module removals
++    (LP: #1726803)
++
++ -- Balint Reczey <rbalint@ubuntu.com>  Thu, 11 Oct 2018 18:12:37 +0200
++
++shim-signed (1.37) cosmic; urgency=medium
++
++  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
++  * debian/real-po: replace debian/po to make sure things are translatable
++    via Launchpad.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 29 Aug 2018 15:43:41 -0400
++
++shim-signed (1.36) cosmic; urgency=medium
++
++  * debian/shim-signed.postinst: use --auto-nvram with grub-install in case
++    we're installing on a NVRAM-unavailable platform.
++  * debian/control: bump the dependency for grub2-common to make sure
++    grub-install supports --auto-nvram.
++  * debian/control: switch the grub-efi-amd64-bin dependency to
++    grub-efi-amd64-signed.
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Wed, 06 Jun 2018 20:25:57 +0200
++
++shim-signed (1.35) cosmic; urgency=medium
++
++  * update-secureboot-policy: fix quoting for key/again password handling to
++    mokutil. (LP: #1770579)
++  * update-secureboot-policy: don't allow backtracking at the "main" question
++    for whether to enroll a new MOK. (LP: #1767091)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 31 May 2018 17:46:46 -0400
++
++shim-signed (1.34.9) bionic; urgency=medium
++
++  * debian/shim-signed.postinst: check for MOK existence rather than ignoring
++    failures in the trigger. (LP: #1766627)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 24 Apr 2018 13:24:24 -0400
++
++shim-signed (1.34.8) bionic; urgency=medium
++
++  * debian/shim-signed.postinst: shim-signed's trigger to enroll a new MOK
++    should not fail the upgrade if there was no MOK to enroll. (LP: #1766627)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 24 Apr 2018 12:31:25 -0400
++
++shim-signed (1.34.7) bionic; urgency=medium
++
++  * debian/shim-signed.postinst: it's not guaranteed that all linux-image
++    packages currently installed have dkms modules built for them.
++    Gracefully handle any failures in the path for signing existing dkms
++    modules on upgrade due to absent modules.  LP: #1766391.
++  * Add a dependency on sbsigntool for kmodsign, which we use directly.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Apr 2018 21:47:50 -0700
++
++shim-signed (1.34.6) bionic; urgency=medium
++
++  * debian/shim-signed.postinst: bump lower version for batch-signing module
++    to 1.34.6, to make sure everything is properly signed if people got one
++    of the previous shim-signed packages.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 23 Apr 2018 19:52:19 -0400
++
++shim-signed (1.34.5) bionic; urgency=medium
++
++  * Don't try to save new dkms list if we're still dealing with password
++    validation for enrollment. (LP: #1766312)
++  * Specify kernel version when installing/uninstalling modules while doing
++    batch signing on upgrade.
++  * Do a better job at finding kernel modules from DKMS if they are in sub-
++    directories.
++  * Don't prompt if DKMS is installed but there are no DKMS-built modules
++    installed. (LP: #1766261)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 23 Apr 2018 15:29:44 -0400
++
++shim-signed (1.34.4) bionic; urgency=medium
++
++  * Handle the case that there are no kernel modules available for a given
++    dkms package.  This probably indicates there is a problem with the dkms
++    module's installation, but that should not cause this package's
++    installation to fail.  LP: #1765954.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 21 Apr 2018 10:13:41 -0700
++
++shim-signed (1.34.3) bionic; urgency=medium
++
++  * Only take the first 31 bytes of the hostname.  LP: #1765905.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 21 Apr 2018 01:14:12 -0700
++
++shim-signed (1.34.2) bionic; urgency=medium
++
++  * Handle the case of multiple .kos per dkms module and .kos whose name
++    does not match the dkms package name.  LP: #1765647.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 21 Apr 2018 01:01:56 -0700
++
++shim-signed (1.34.1) bionic; urgency=medium
++
++  * update-secureboot-policy: don't skip creating a MOK if Secure Boot is not
++    enabled in firmware, but do guard against prompting users on a system that
++    doesn't have efivars mounted or where SB is disabled. (LP: #1765515)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 19 Apr 2018 17:56:50 -0400
++
++shim-signed (1.34) bionic; urgency=medium
++
++  * update-secureboot-policy: (LP: #1748983)
++    - Factor out validate_password() and clear_passwords() for reuse.
++    - Add --new-key option to generate a self-signed MOK.
++    - Add --enroll-key option to allow enrolling a new MOK in shim.
++    - Drop --enable and --disable options; users should call mokutil directly
++      instead.
++  * debian/shim-signed.postinst:
++    - When triggered, explicitly try to enroll the available MOK.
++  * debian/shim-signed.install, openssl.cnf: Install some default configuration
++    for creating our self-signed key.
++  * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
++  * debian/templates: update templates for update-secureboot-policy changes.
++  * debian/control: add versioned Breaks: for dkms.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 18 Apr 2018 22:35:46 -0400
++
++shim-signed (1.33.1) bionic; urgency=medium
++
++  * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245)
++  * Stop generating and install BOOT.CSV, shim will do that by itself now.
++  * Add Vcs-* fields.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 21 Dec 2017 14:33:37 -0500
++
++shim-signed (1.32) artful; urgency=medium
++
++  * Handle cleanup of /var/lib/shim-signed on package purge.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 23 Jun 2017 22:30:42 -0700
++
++shim-signed (1.31) artful; urgency=medium
++
++  * Fix regression in postinst when /var/lib/dkms does not exist.
++    LP: #1700195.
++  * Sort the list of dkms modules when recording.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 23 Jun 2017 22:13:40 -0700
++
++shim-signed (1.30) artful; urgency=medium
++
++  * update-secureboot-policy: track the installed DKMS modules so we can skip
++    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
++    modules have been installed, just honour the user's previous decision to
++    not disable shim validation). (LP: #1695578)
++  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
++    packages are installed. (LP: #1673904)
++  * debian/source_shim-signed.py: add the textual representation of SecureBoot
++    and MokSBStateRT EFI variables rather than just adding the files directly;
++    also, make sure we include the relevant EFI bits from kernel log.
++    (LP: #1680279)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 23 Jun 2017 14:37:21 -0400
++
++shim-signed (1.29) artful; urgency=medium
++
++  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
++  * debian/rules: make sure we can do per-arch EFI files.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 26 Apr 2017 21:36:57 -0400
++
++shim-signed (1.28) zesty; urgency=medium
++
++  * Adjust apport hook to include key files that tell us about the system's
++    current SB state.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 05 Apr 2017 15:14:49 -0700
++
++shim-signed (1.27) zesty; urgency=medium
++
++  [ Steve Langasek ]
++  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
++    Microsoft.
++  * update-secureboot-policy:
++    - detect when we have no debconf prompting and error out instead of ending
++      up in an infinite loop.  LP: #1673817.
++    - refactor to make the code easier to follow.
++    - remove a confusing boolean that would always re-prompt on a request to
++      --enable, but not on a request to --disable.
++
++  [ Mathieu Trudel-Lapierre ]
++  * update-secureboot-policy:
++    - some more fixes to properly handle non-interactive mode. (LP: #1673817)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 21 Mar 2017 14:28:46 -0400
++
++shim-signed (1.23) zesty; urgency=medium
++
++  * debian/control: bump the Depends on grub2-common since that's needed to
++    install with the new updated EFI binaries filenames.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 21 Oct 2016 13:31:05 -0400
++
++shim-signed (1.22) yakkety; urgency=medium
++
++  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
++  * Update paths now that the shim binary has been renamed to include the
++    target architecture.
++  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
++    since it's being replaced by mm$arch.efi.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 13 Oct 2016 13:49:17 -0400
++
++shim-signed (1.21.3) vivid; urgency=medium
++
++  * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 06 Oct 2016 19:20:36 -0400
++
++shim-signed (1.21.2) vivid; urgency=medium
++
++  * Revert to signed shim from 0.8-0ubuntu2. (LP: #1624096)
++    - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 03 Oct 2016 17:17:54 -0400
++
++shim-signed (1.20) yakkety; urgency=medium
++
++  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
++    (LP: #1581299)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 08 Aug 2016 11:14:21 -0400
++
++shim-signed (1.19) yakkety; urgency=medium
++
++  * update-secureboot-policy:
++    - Add a --help option, document other options. (LP: #1604936)
++    - Rework prompting to display our Secure Boot warning and explanation
++      text more prominently, rather than forcing graphical users to hit
++      "Help" to see the full explanation for why we ask about disabling
++      Secure Boot. (LP: #1595611)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 02 Aug 2016 11:01:50 -0400
++
++shim-signed (1.18) yakkety; urgency=medium
++
++  * update-secureboot-policy:  If /proc/sys/kernel/moksbstate_disabled is
++    present, prefer this unconditionally over MokSBStateRT.  LP: #1604873.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 20 Jul 2016 08:31:17 -0700
++
++shim-signed (1.17) yakkety; urgency=medium
++
++  * update-secureboot-policy: rework setting capabilities to stop having
++    the backup capability while showing an error message; which won't affect
++    the Dialog debconf frontend but otherwise made the GTK frontend confusing.
++  * update-secureboot-policy: all debconf prompts should be at priority
++    critical: there is no good default to pick, we must prompt the user.
++  * debian/templates: make the password inputs be standard inputs; this is an
++    unfortunate workaround to aptdaemon not having access to the debconf
++    password database on desktop; since the frontend runs as an unprivileged
++    user. See bug LP#1599981 (LP: #1599051)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 07 Jul 2016 16:58:45 -0400
++
++shim-signed (1.16) yakkety; urgency=medium
++
++  * debian/shim-signed.postinst: call for the trigger on update of shim-signed.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 28 Jun 2016 17:34:23 -0400
++
++shim-signed (1.15) yakkety; urgency=medium
++
++  * update-secureboot-policy: validate the state of MokSBStateRT against what
++    the kernel believes it to be via /proc/sys/kernel/moksbstate_disabled,
++    in case we have the kernel which knows about shim's validation policy but
++    an old shim that doesn't export MokSBStateRT.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 17 Jun 2016 16:47:40 +0300
++
++shim-signed (1.14) yakkety; urgency=medium
++
++  * update-secureboot-policy:
++    - Make it easier for users to really re-enable Secure Boot via an --enable
++      option.
++    - Don't prompt for action if there are no DKMS packages installed, as per
++      checking if there are any subdirectories in /var/lib/dkms.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 07 Jun 2016 16:09:53 -0400
++
++shim-signed (1.13) yakkety; urgency=medium
++
++  * update-secureboot-policy: have a trigger-ready script available to deal
++    with the necessity to change Secure Boot policy on a system.
++  * debian/shim-signed.templates: ship the necessary templates for secureboot.
++  * debian/shim-signed.postinst: Run our trigger script to update Secure Boot
++    policy when necessary at the end of installs, without calling dpkg-trigger
++    again.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 16 May 2016 15:29:27 -0400
++
++shim-signed (1.12) xenial; urgency=medium
++
++  * debian/control: add Depends on mokutil, to ship a way for users to
++    control shim features, such as enrolling new keys.
++
++ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Wed, 16 Dec 2015 10:19:23 -0500
++
++shim-signed (1.11) wily; urgency=medium
++
++  * Add in an apport package hook for shim-signed and shim. (LP: #1490030)
++
++ -- Brian Murray <brian@ubuntu.com>  Fri, 11 Sep 2015 15:04:31 -0700
++
++shim-signed (1.10) wily; urgency=medium
++
++  * Add a versioned dependency on grub2-common, so that partial upgrades from
++    Ubuntu 12.04 don't break due to a lack of --target option to grub-install.
++    LP: #1474203.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 14 Jul 2015 10:46:41 -0700
++
++shim-signed (1.9) wily; urgency=medium
++
++  * Update to the signed 0.8-0ubuntu2 binary from Microsoft.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 07 Jun 2015 19:27:35 +0000
++
++shim-signed (1.8) utopic; urgency=medium
++
++  * Update to the signed 0.7-0ubuntu4 binary from Microsoft.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 21 Oct 2014 18:23:15 -0400
++
++shim-signed (1.6) trusty; urgency=low
++
++  * Also add a build-dependency on grub2-common, to ensure that our
++    grub-install is the correct one - since grub-efi-amd64-bin is
++    coinstallable with grub1.  LP: #1259558.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 10 Dec 2013 09:10:23 -0800
++
++shim-signed (1.5) trusty; urgency=low
++
++  * Pass --target=x86_64-efi to grub-install from the postinst and depend on
++    grub-efi-amd64-bin, so that package upgrades will do the right thing
++    even if the system has been rebooted under BIOS.  LP: #1246910.
++  * Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
++    the path under /boot/efi; fix this up so shim-signed upgrades properly
++    on Kubuntu systems.  LP: #1242417.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Oct 2013 17:06:21 -0700
++
++shim-signed (1.4) trusty; urgency=low
++
++  * Add a dependency on shim, so that we can pull in MokManager for use.
++  * Update to the signed 0.4-0ubuntu4 binary from Microsoft.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 30 Oct 2013 15:04:23 -0700
++
++shim-signed (1.3) saucy; urgency=low
++
++  * Build-depend on sbsigntool (>= 0.6-0ubuntu4) and check the integrity of
++    our signed binary at build time.
++  * Update to the signed 0.4-0ubuntu3 binary from Microsoft.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 07 Sep 2013 22:09:22 +0000
++
++shim-signed (1.2) raring; urgency=low
++
++  * Recommend secureboot-db (LP: #1087843).
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Sat, 16 Feb 2013 00:02:00 +0000
++
++shim-signed (1.1) quantal-proposed; urgency=low
++
++  * Rev shim-signed for updated shim.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 12 Oct 2012 01:42:07 +0000
++
++shim-signed (1.0) quantal; urgency=low
++
++  * Initial release, based on grub2-signed package.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 09 Oct 2012 15:48:37 -0700
++>>>>>>> debian/changelog
 diff --git a/debian/control b/debian/control
 index c8b8ffa..d30cce8 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,3 +1,4 @@
++<<<<<<< debian/control
  Source: shim
  Section: admin
  Priority: optional
@@ -12,8 +13,31 @@ Architecture: amd64 arm64
  Depends: ${shlibs:Depends}, ${misc:Depends}
  Breaks: shim-signed (<< 1.33~)
  Description: boot loader to chain-load signed boot loaders under Secure Boot
++=======
++Source: shim-signed
++Section: utils
++Priority: optional
++Maintainer: Steve Langasek <steve.langasek@ubuntu.com>
++Build-Depends: debhelper (>= 9), dh-exec, shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
++Standards-Version: 3.9.4
++Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed
++Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed
++
++Package: shim-signed
++Architecture: amd64 arm64
++Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-signed | grub-efi-arm64-signed, grub2-common (>= 2.02-2ubuntu9), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool
++Recommends: secureboot-db
++Built-Using: shim (= ${shim:Version})
++Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
++>>>>>>> debian/control
   This package provides a minimalist boot loader which allows verifying
   signatures of other UEFI binaries against either the Secure Boot DB/DBX or
   against a built-in signature database.  Its purpose is to allow a small,
   infrequently-changing binary to be signed by the UEFI CA, while allowing
   an OS distributor to revision their main bootloader independently of the CA.
++<<<<<<< debian/control
++=======
++ .
++ This package contains the version of the bootloader binary signed by the
++ Microsoft UEFI CA.
++>>>>>>> debian/control
 diff --git a/debian/copyright b/debian/copyright
 index 64b3f57..1debf7d 100644
 --- a/debian/copyright
 +++ b/debian/copyright
@@ -1,5 +1,6 @@
  Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
  Upstream-Name: shim
++<<<<<<< debian/copyright
  Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
  Source: https://github.com/rhboot/shim
@@ -227,6 +228,14 @@ License: BSD-3-Clause-Intel
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++=======
++Upstream-Contact: Matthew Garrett <mjg@redhat.com>
++Source: https://github.com/mjg59/shim.git
++
++Files: *
++Copyright: 2012 Red Hat, Inc
++	2009-2012 Intel Corporation
++>>>>>>> debian/copyright
  License: BSD-2-Clause
   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
 diff --git a/debian/lintian-overrides b/debian/lintian-overrides
 new file mode 100644
 index 0000000..5ce68fc
 --- /dev/null
 +++ b/debian/lintian-overrides
@@ -0,0 +1 @@
++shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
 diff --git a/debian/po b/debian/po
 new file mode 120000
 index 0000000..081d461
 --- /dev/null
 +++ b/debian/po
@@ -0,0 +1 @@
++real-po
 \ No newline at end of file
 diff --git a/debian/real-po/POTFILES.in b/debian/real-po/POTFILES.in
 new file mode 100644
 index 0000000..cef83a3
 --- /dev/null
 +++ b/debian/real-po/POTFILES.in
@@ -0,0 +1 @@
++[type: gettext/rfc822deb] templates
 diff --git a/debian/real-po/templates.pot b/debian/real-po/templates.pot
 new file mode 100644
 index 0000000..5cbebf0
 --- /dev/null
 +++ b/debian/real-po/templates.pot
@@ -0,0 +1,110 @@
++# SOME DESCRIPTIVE TITLE.
++# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
++# This file is distributed under the same license as the shim-signed package.
++# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
++#
++#, fuzzy
++msgid ""
++msgstr ""
++"Project-Id-Version: shim-signed\n"
++"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n"
++"POT-Creation-Date: 2016-05-04 16:57-0500\n"
++"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
++"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
++"Language-Team: LANGUAGE <LL@li.org>\n"
++"Language: \n"
++"MIME-Version: 1.0\n"
++"Content-Type: text/plain; charset=CHARSET\n"
++"Content-Transfer-Encoding: 8bit\n"
++
++#. Type: text
++#. Description
++#: ../templates:1001
++msgid "Configuring Secure Boot"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../templates:2001
++msgid "Invalid password"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../templates:2001
++msgid ""
++"The Secure Boot key you've entered is not valid. The password used must be "
++"between 8 and 16 characters."
++msgstr ""
++
++#. Type: boolean
++#. Description
++#: ../templates:3001
++msgid "Disable UEFI Secure Boot?"
++msgstr ""
++
++#. Type: boolean
++#. Description
++#: ../templates:3001
++msgid ""
++"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible "
++"with the use of third-party drivers."
++msgstr ""
++
++#. Type: boolean
++#. Description
++#: ../templates:3001
++msgid ""
++"The system will assist you in disabling UEFI Secure Boot. To ensure that "
++"this change is being made by you as an authorized user, and not by an "
++"attacker, you must choose a password now and then use the same password "
++"after reboot to confirm the change."
++msgstr ""
++
++#. Type: boolean
++#. Description
++#: ../templates:3001
++msgid ""
++"If you choose to proceed but do not confirm the password upon reboot, Ubuntu "
++"will still be able to boot on your system but these third-party drivers will "
++"not be available for your hardware."
++msgstr ""
++
++#. Type: password
++#. Description
++#: ../templates:4001
++msgid "Password:"
++msgstr ""
++
++#. Type: password
++#. Description
++#: ../templates:4001
++msgid ""
++"Please enter a password for disabling Secure Boot. It will be asked again "
++"after a reboot."
++msgstr ""
++
++#. Type: password
++#. Description
++#: ../templates:5001
++msgid "Re-enter password to verify:"
++msgstr ""
++
++#. Type: password
++#. Description
++#: ../templates:5001
++msgid ""
++"Please enter the same password again to verify you have typed it correctly."
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../templates:6001
++msgid "Password input error"
++msgstr ""
++
++#. Type: error
++#. Description
++#: ../templates:6001
++msgid "The two passwords you entered were not the same. Please try again."
++msgstr ""
 diff --git a/debian/rules b/debian/rules
 index aa94e7c..c8a6f99 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -1,3 +1,4 @@
++<<<<<<< debian/rules
  #!/usr/bin/make -f
  # Other vendors, add your certs here.  No sense in using
@@ -46,3 +47,32 @@ override_dh_auto_install:
  override_dh_fixperms:
  	dh_fixperms
  	chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
++=======
++#! /usr/bin/make -f
++
++VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
++SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
++
++ifeq ($(DEB_TARGET_ARCH),amd64)
++export EFI_ARCH := X64
++endif
++ifeq ($(DEB_TARGET_ARCH),arm64)
++export EFI_ARCH := AA64
++endif
++export SHIM_BASE = shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi
++
++%:
++	dh $@
++
++docdir := debian/shim-signed/usr/share/doc/shim-signed
++
++override_dh_installchangelogs:
++	dh_installchangelogs
++	# Quieten lintian, which otherwise gets confused by our odd version
++	# number.
++	ln $(docdir)/changelog $(docdir)/changelog.Debian
++
++override_dh_gencontrol:
++	dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
++		-Vshim:Version=$(SHIM_VERSION)
++>>>>>>> debian/rules
 diff --git a/debian/shim-signed.dirs b/debian/shim-signed.dirs
 new file mode 100644
 index 0000000..7e25a1f
 --- /dev/null
 +++ b/debian/shim-signed.dirs
@@ -0,0 +1,2 @@
++var/lib/shim-signed
++var/lib/shim-signed/mok
 diff --git a/debian/shim-signed.install b/debian/shim-signed.install
 new file mode 100755
 index 0000000..93d4e26
 --- /dev/null
 +++ b/debian/shim-signed.install
@@ -0,0 +1,7 @@
++#! /usr/bin/dh-exec
++
++${SHIM_BASE}.signed /usr/lib/shim
++build/${SHIM_BASE}.dualsigned /usr/lib/shim
++openssl.cnf /usr/lib/shim/mok
++debian/source_shim-signed.py /usr/share/apport/package-hooks/
++update-secureboot-policy /usr/sbin/
 diff --git a/debian/shim-signed.links b/debian/shim-signed.links
 new file mode 100644
 index 0000000..2e3ccf9
 --- /dev/null
 +++ b/debian/shim-signed.links
@@ -0,0 +1 @@
++usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py
 diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
 new file mode 100644
 index 0000000..d554f89
 --- /dev/null
 +++ b/debian/shim-signed.postinst
@@ -0,0 +1,100 @@
++#! /bin/sh
++set -e
++
++# Must load the confmodule for our template to be installed correctly.
++. /usr/share/debconf/confmodule
++
++config_item ()
++{
++    if [ -f /etc/default/grub ]; then
++	. /etc/default/grub || return
++	for x in /etc/default/grub.d/*.cfg; do
++	    if [ -e "$x" ]; then
++		. "$x"
++	    fi
++	done
++    fi
++    eval echo "\$$1"
++}
++
++sign_dkms_modules()
++{
++	for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`;
++	do
++		for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\  '{print $1"/"$2}'`;
++		do
++			dkms uninstall -k "$kern" "$dkms" || :
++			if ! dkms status -k "$kern" "$dkms" | grep -q 'built$'
++			then
++				cat <<EOF
++
++shim-signed: failed to prepare dkms module for signing; ignoring.
++  module: $dkms
++  kernel: $kern
++EOF
++				continue
++			fi
++			mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko")
++			for mod in $mods; do
++				kmodsign sha512 \
++					/var/lib/shim-signed/mok/MOK.priv \
++					/var/lib/shim-signed/mok/MOK.der \
++					$mod
++			done
++			dkms install -k "$kern" "${dkms}"
++		done
++	done
++}
++
++case $(dpkg --print-architecture) in
++    amd64)
++	grubarch=x86_64-efi
++	;;
++    arm64)
++	grubarch=arm64-efi
++	;;
++esac
++case $1 in
++    triggered)
++	if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
++	    SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
++	fi
++	;;
++    configure)
++	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
++			 cut -d' ' -f1)"
++	case $bootloader_id in
++	    kubuntu) bootloader_id=ubuntu ;;
++	esac
++	if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
++	   && which grub-install >/dev/null 2>&1
++	then
++	    grub-install --target=${grubarch} --auto-nvram
++            if dpkg --compare-versions "$2" lt-nl "1.22~"; then
++                rm -f /boot/efi/EFI/ubuntu/MokManager.efi
++            fi
++	fi
++
++	# Upgrade case, capture pre-existing DKMS packages.
++	if dpkg --compare-versions "$2" lt-nl "1.30" \
++	   && [ -d /var/lib/dkms ]
++	then
++		find /var/lib/dkms -maxdepth 1 -type d -print \
++		| LC_ALL=C sort	> /var/lib/shim-signed/dkms-list
++	fi
++
++	# Upgrade case, migrate all existing kernels/dkms module combinations
++	# to self-signed modules.
++	if dpkg --compare-versions "$2" lt "1.34.7" \
++	   && [ -d /var/lib/dkms ]
++	then
++		SHIM_NOTRIGGER=y update-secureboot-policy --new-key
++		sign_dkms_modules
++		SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
++	fi
++	;;
++esac
++
++#DEBHELPER#
++
++exit 0
 diff --git a/debian/shim-signed.postrm b/debian/shim-signed.postrm
 new file mode 100644
 index 0000000..4933982
 --- /dev/null
 +++ b/debian/shim-signed.postrm
@@ -0,0 +1,10 @@
++#!/bin/sh
++set -e
++
++case $1 in
++	purge)
++		rm -rf /var/lib/shim-signed
++		;;
++esac
++
++#DEBHELPER#
 diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers
 new file mode 100644
 index 0000000..2b33128
 --- /dev/null
 +++ b/debian/shim-signed.triggers
@@ -0,0 +1 @@
++interest-noawait shim-secureboot-policy
 diff --git a/debian/source/format b/debian/source/format
 index 163aaf8..74559ab 100644
 --- a/debian/source/format
 +++ b/debian/source/format
@@ -1 +1,5 @@
++<<<<<<< debian/source/format
 .0 (quilt)
++=======
++3.0 (native)
++>>>>>>> debian/source/format
 diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py
 new file mode 100644
 index 0000000..6df7f28
 --- /dev/null
 +++ b/debian/source_shim-signed.py
@@ -0,0 +1,58 @@
++'''apport package hook for shim and shim-signed
++
++(c) 2015 Canonical Ltd.
++Author: Brian Murray <brian@ubuntu.com>
++'''
++
++import errno
++import os
++import re
++
++from apport.hookutils import (
++    command_available,
++    command_output,
++    recent_syslog,
++    attach_file,
++    attach_root_command_outputs)
++
++efiarch = {'amd64': 'x64',
++           'i386': 'ia32',
++           'arm64': 'aa64'
++          }
++grubarch = {'amd64': 'x86_64',
++            'i386': 'i386',
++            'arm64': 'arm64'
++           }
++
++def add_info(report, ui):
++    efiboot = '/boot/efi/EFI/ubuntu'
++    if command_available('efibootmgr'):
++        report['EFIBootMgr'] = command_output(['efibootmgr', '-v'])
++    else:
++        report['EFIBootMgr'] = 'efibootmgr not available'
++    commands = {}
++    try:
++        directory = os.stat(efiboot)
++    except OSError as e:
++        if e.errno == errno.ENOENT:
++            report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing'
++            return
++        if e.errno == errno.EACCES:
++            directory= True
++    if directory:
++        arch = report['Architecture']
++        commands['BootEFIContents'] = 'ls %s' % efiboot
++        commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch])
++        commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch])
++
++    efivars_dir = '/sys/firmware/efi/efivars'
++    sb_var = os.path.join(efivars_dir,
++                          'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c')
++    mok_var = os.path.join(efivars_dir,
++                           'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23')
++
++    attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
++    commands['SecureBoot'] = 'od -An -t u1 %s' % sb_var
++    commands['MokSBStateRT'] = 'od -An -t u1 %s' % mok_var
++    attach_root_command_outputs(report, commands)
++    report['EFITables'] = recent_syslog(re.compile(r'(efi|esrt):|Secure boot'))
 diff --git a/debian/templates b/debian/templates
 new file mode 100644
 index 0000000..0d2d968
 --- /dev/null
 +++ b/debian/templates
@@ -0,0 +1,53 @@
++Template: shim/title/secureboot
++Type: text
++_Description: Configuring Secure Boot
++
++Template: shim/error/bad_secureboot_key
++Type: error
++_Description: Invalid password
++ The Secure Boot key you've entered is not valid. The password used must be
++ between 8 and 16 characters.
++
++Template: shim/enable_secureboot
++Type: boolean
++Default: false
++_Description: Enroll a new Machine-Owner Key?
++ A new Machine-Owner key has been generated for this system to use when
++ signing third-party drivers. This key now needs to be enrolled in your
++ firmware, which will be done at the next reboot.
++ .
++ If Secure Boot validation was previously disabled on your system, validation
++ will also be re-enabled as part of this key enrollment process.
++
++Template: shim/secureboot_explanation
++Type: note
++_Description: Your system has UEFI Secure Boot enabled.
++ UEFI Secure Boot requires additional configuration to work with third-party
++ drivers.
++ .
++ The system will assist you in configuring UEFI Secure Boot. To permit the
++ use of third-party drivers, a new Machine-Owner Key (MOK) has been generated.
++ This key now needs to be enrolled in your system's firmware.
++ .
++ To ensure that this change is being made by you as an authorized user, and
++ not by an attacker, you must choose a password now and then confirm the
++ change after reboot using the same password, in both the "Enroll MOK" and
++ "Change Secure Boot state" menus that will be presented to you when this
++ system reboots.
++ .
++ If you proceed but do not confirm the password upon reboot, Ubuntu
++ will still be able to boot on your system but any hardware that requires
++ third-party drivers to work correctly may not be usable.
++
++Template: shim/secureboot_key
++Type: string
++_Description: Enter a password for Secure Boot. It will be asked again after a reboot.
++
++Template: shim/secureboot_key_again
++Type: string
++_Description: Enter the same password again to verify you have typed it correctly.
++
++Template: shim/error/secureboot_key_mismatch
++Type: error
++_Description: Password input error
++ The two passwords you entered were not the same. Please try again.
 diff --git a/download-signed b/download-signed
 new file mode 100755
 index 0000000..0793696
 --- /dev/null
 +++ b/download-signed
@@ -0,0 +1,183 @@
++#! /usr/bin/python3
++
++import hashlib
++import argparse
++import os
++import re
++import sys
++import tarfile
++from urllib import request
++from urllib.error import HTTPError
++from urllib.parse import (
++    urlparse,
++    urlunparse,
++    )
++
++import apt
++
++# package_name: package containing the objects we signed
++# package_version: package version containing the objects we signed
++# src_package: source package name in dists
++# signed_type: 'signed' or 'uefi' schema in the url
++
++parser = argparse.ArgumentParser()
++parser.add_argument(
++    "package_name",
++    help="package containining the objects we signed")
++parser.add_argument(
++    "package_version",
++    help="package version containing the objects we signed, or 'current'")
++parser.add_argument(
++    "src_package",
++    help="source package name in dists")
++parser.add_argument(
++    "signed_type",
++    nargs='?',
++    default='signed',
++    help="subdirectory type in the url, 'signed' or 'uefi'")
++args = parser.parse_args()
++
++
++class SignedDownloader:
++    """Download a block of signed information from dists.
++
++    Find a block of signed information as published in dists/*/signed
++    and download the contents.  Use the contained checksum files to
++    identify the members and to validate them once downloaded.
++    """
++
++    def __init__(self, package_name, package_version, src_package, signed_type='signed'):
++        self.package_name = package_name
++        self.package_version = package_version
++        self.src_package = src_package
++
++        # Find the package in the available archive repositories.  Use a _binary_
++        # package name and version to locate the appropriate archive.  Then use the
++        # URI there to look for and find the appropriate binary.
++        cache = apt.Cache()
++
++        self.package = None
++        if self.package_version == "current":
++            self.package = cache[package_name].candidate
++        else:
++            for version in cache[package_name].versions:
++                if version.version == self.package_version:
++                    self.package = version
++                    break
++
++        if not self.package:
++            raise KeyError("{0}: package version not found".format(self.package_name))
++
++        origin = self.package.origins[0]
++        pool_parsed = urlparse(self.package.uri)
++        self.package_dir = "%s/%s/%s/%s-%s/%s/" % (
++            origin.archive, 'main', signed_type,
++            self.src_package, self.package.architecture, self.package_version)
++
++        # Prepare the master url stem and pull out any username/password.  If present
++        # replace the default opener with one which offers that password.
++        dists_parsed_master = list(pool_parsed)
++        if '@' in dists_parsed_master[1]:
++            (username_password, host) = pool_parsed[1].split('@', 1)
++            (username, password) = username_password.split(':', 1)
++
++            dists_parsed_master[1] = host
++
++            # Work out the authentication domain.
++            domain_parsed = [ dists_parsed_master[0], dists_parsed_master[1], '/', None, None, None ]
++            auth_uri = urlunparse(domain_parsed)
++
++            # create a password manager
++            password_mgr = request.HTTPPasswordMgrWithDefaultRealm()
++
++            # Add the username and password.
++            # If we knew the realm, we could use it instead of None.
++            password_mgr.add_password(None, auth_uri, username, password)
++
++            handler = request.HTTPBasicAuthHandler(password_mgr)
++
++            # create "opener" (OpenerDirector instance)
++            opener = request.build_opener(handler)
++
++            # Now all calls to urllib.request.urlopen use our opener.
++            request.install_opener(opener)
++
++        self.dists_parsed = dists_parsed_master
++
++    def download_one(self, member, filename, hash_factory=None):
++        directory = os.path.dirname(filename)
++        if not os.path.exists(directory):
++            os.makedirs(directory)
++
++        dists_parsed = list(self.dists_parsed)
++        dists_parsed[2] = re.sub(r"/pool/.*", "/dists/" + self.package_dir + \
++            member, dists_parsed[2])
++        dists_uri = urlunparse(dists_parsed)
++
++        print("Downloading %s ... " % dists_uri, end='')
++        sys.stdout.flush()
++        try:
++            with request.urlopen(dists_uri) as dists, open(filename, "wb") as out:
++                hashobj = None
++                if hash_factory:
++                    hashobj = hash_factory()
++                for chunk in iter(lambda: dists.read(256 * 1024), b''):
++                    if hashobj:
++                        hashobj.update(chunk)
++                    out.write(chunk)
++                checksum = True
++                if hashobj:
++                    checksum = hashobj.hexdigest()
++        except HTTPError as e:
++            if e.code == 404:
++                print("not found")
++            else:
++                raise
++        else:
++            print("found")
++            return checksum
++        return None
++
++    def download(self, base):
++        """Download an entire signed result from dists."""
++
++        # Download the checksums and use that to download the contents.
++        sums = 'SHA256SUMS'
++        sums_local = os.path.join(base, self.package_version, sums)
++        if not self.download_one(sums, sums_local):
++            print('download-signed: {0}: not found'.format(sums))
++            sys.exit(1)
++
++        # Read the checksum file and download the files it mentions.
++        here = os.path.abspath(base)
++        with open(sums_local) as sfd:
++            for line in sfd:
++                line = line.strip()
++                (checksum_expected, member) = (line[0:64], line[66:])
++                filename = os.path.abspath(os.path.join(base, self.package_version, member))
++                if not filename.startswith(here):
++                    print('download-signed: {0}: member outside output directory'.format(member))
++                    sys.exit(1)
++
++                # Download and checksum this member.
++                checksum_actual = self.download_one(member, filename, hashlib.sha256)
++                if checksum_expected != checksum_actual:
++                    print('download-signed: {0}: member checksum invalid'.format(member))
++                    sys.exit(1)
++
++        # If this is a tarball result then extract it.
++        here = os.path.abspath(os.path.join(base, self.package_version))
++        tarball_filename = os.path.join(base, self.package_version, 'signed.tar.gz')
++        if os.path.exists(tarball_filename):
++            with tarfile.open(tarball_filename) as tarball:
++                for tarinfo in tarball:
++                    if not filename.startswith(here):
++                        print('download-signed: {0}: tarball member outside output directory'.format(member))
++                        sys.exit(1)
++                for tarinfo in tarball:
++                    print('Extracting {0} ...'.format(tarinfo.name))
++                    tarball.extract(tarinfo, base)
++
++
++downloader = SignedDownloader(**vars(args))
++downloader.download('.')
 diff --git a/openssl.cnf b/openssl.cnf
 new file mode 100644
 index 0000000..5a4f734
 --- /dev/null
 +++ b/openssl.cnf
@@ -0,0 +1,27 @@
++HOME                    = /var/lib/shim-signed/mok
++RANDFILE                = /var/lib/shim-signed/mok/.rnd
++
++[ req ]
++distinguished_name      = req_distinguished_name
++x509_extensions         = v3_ca
++string_mask             = utf8only
++
++[ req_distinguished_name ]
++
++[ v3_ca ]
++subjectKeyIdentifier    = hash
++authorityKeyIdentifier  = keyid:always,issuer
++basicConstraints        = critical,CA:FALSE
++
++# We use extended key usage information to limit what this auto-generated
++# key can be used for.
++#
++# codeSigning:  specifies that this key is used to sign code.
++#
++# 1.3.6.1.4.1.2312.16.1.2:  defines this key as used for module signing
++#                           only. See https://lkml.org/lkml/2015/8/26/741.
++#
++extendedKeyUsage        = codeSigning,1.3.6.1.4.1.2312.16.1.2
++
++nsComment               = "OpenSSL Generated Certificate"
++
 diff --git a/shimaa64.efi.signed b/shimaa64.efi.signed
 new file mode 100644
 index 0000000..f14323e
 Binary files /dev/null and b/shimaa64.efi.signed differ
 diff --git a/shimx64.efi.signed b/shimx64.efi.signed
 new file mode 100644
 index 0000000..0ac0d6f
 Binary files /dev/null and b/shimx64.efi.signed differ
 diff --git a/update-secureboot-policy b/update-secureboot-policy
 new file mode 100755
 index 0000000..7ec61a7
 --- /dev/null
 +++ b/update-secureboot-policy
@@ -0,0 +1,297 @@
++#!/bin/sh
++set -e
++
++if  test $# = 0                                                 \
++    && test x"$SHIM_NOTRIGGER" = x                              \
++ && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x                      \
++ && dpkg-trigger --check-supported 2>/dev/null
++then
++        if dpkg-trigger --no-await shim-secureboot-policy; then
++                if test x"$SHIM_TRIGGER_DEBUG" != x; then
++                        echo "shim: wrapper deferring policy update (trigger activated)"
++                fi
++                exit 0
++        fi
++fi
++
++if [ "$(id -u)" -ne 0 ]; then
++	echo "$0: Permission denied"
++	exit 1
++fi
++
++do_enroll=0
++do_toggle=0
++
++efivars=/sys/firmware/efi/efivars
++secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
++moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
++
++SB_KEY="/var/lib/shim-signed/mok/MOK.der"
++SB_PRIV="/var/lib/shim-signed/mok/MOK.priv"
++
++OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list"
++NEW_DKMS_LIST="${OLD_DKMS_LIST}.new"
++
++touch $OLD_DKMS_LIST
++
++dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \
++            | LC_ALL=C sort)
++dkms_modules=$(echo "$dkms_list" | wc -l)
++
++. /usr/share/debconf/confmodule
++
++update_dkms_list()
++{
++    echo "$dkms_list" > $NEW_DKMS_LIST
++}
++
++save_dkms_list()
++{
++    mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST"
++}
++
++clear_new_dkms_list()
++{
++    rm "$NEW_DKMS_LIST"
++}
++
++new_dkms_module()
++{
++    # handle nvidia module specially because it changed path
++    if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then
++        # nvidia module is newly added
++        return 0
++    fi
++
++    # return 0 if there is any other new module
++    env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia"
++}
++
++show_dkms_list_changes()
++{
++    diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2
++}
++
++validate_password()
++{
++    db_capb
++    if [ "$key" != "$again" ]; then
++        db_fset shim/error/secureboot_key_mismatch seen false
++        db_input critical shim/error/secureboot_key_mismatch || true
++        STATE=$(($STATE - 2))
++    else
++        length=$((`echo "$key" | wc -c` - 1))
++        if [ $length -lt 8 ] || [ $length -gt 16 ]; then
++            db_fset shim/error/bad_secureboot_key seen false
++            db_input critical shim/error/bad_secureboot_key || true
++            STATE=$(($STATE - 2))
++        elif [ $length -ne 0 ]; then
++            return 0
++        fi
++    fi
++
++    return 1
++}
++
++clear_passwords()
++{
++    # Always clear secureboot key.
++    db_set shim/secureboot_key ''
++    db_fset shim/secureboot_key seen false
++    db_set shim/secureboot_key_again ''
++    db_fset shim/secureboot_key_again seen false
++}
++
++toggle_validation()
++{
++    local key="$1"
++    local again="$2"
++
++    echo "Enabling shim validation."
++    printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --enable-validation >/dev/null || true
++}
++
++enroll_mok()
++{
++    local key="$1"
++    local again="$2"
++
++    echo "Adding '$SB_KEY' to shim:"
++    printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
++}
++
++do_it()
++{
++    STATE=1
++    db_settitle shim/title/secureboot
++    while true; do
++        case "$STATE" in
++        1)
++            db_capb
++            db_fset shim/secureboot_explanation seen false
++            db_input critical shim/secureboot_explanation || true
++            ;;
++        2)
++            if [ "$do_toggle" -eq 1 ]; then
++                # Force no backtracking here; otherwise the GNOME backend
++                # might allow it due to displaying the explanation just before.
++                # Fixes LP: #1767091
++                db_capb
++                # Allow the user to skip toggling Secure Boot.
++                db_fset shim/enable_secureboot seen false
++                db_input critical shim/enable_secureboot || true
++                db_go
++
++                db_get shim/enable_secureboot
++                if [ "$RET" = "false" ]; then
++                    break
++                fi
++            fi
++            ;;
++        3)
++
++            db_input critical shim/secureboot_key || true
++            seen_key=$RET
++            db_input critical shim/secureboot_key_again || true
++            ;;
++        4)
++            db_get shim/secureboot_key
++            key="$RET"
++            db_get shim/secureboot_key_again
++            again="$RET"
++
++            if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
++                echo "Running in non-interactive mode, doing nothing." >&2
++
++                if new_dkms_module; then
++                    show_dkms_list_changes
++                    clear_new_dkms_list
++                    exit 1
++                else
++                    exit 0
++                fi
++            fi
++
++            if validate_password; then
++                if [ $do_toggle -eq 1 ]; then
++                    toggle_validation "$key" "$again"
++                fi
++                if [ $do_enroll -eq 1 ]; then
++                    enroll_mok "$key" "$again"
++                fi
++                save_dkms_list
++            fi
++
++            clear_passwords
++            ;;
++        *)
++            break
++            ;;
++        esac
++
++        if db_go; then
++            STATE=$(($STATE + 1))
++        else
++            STATE=$(($STATE - 1))
++        fi
++        db_capb backup
++    done
++    db_capb
++}
++
++validate_actions() {
++    # Validate any queued actions before we go try to do them.
++    local moksbstatert=0
++
++    if ! [ -d $efivars ]; then
++        echo "$efivars not found, aborting." >&2
++        exit 0
++    fi
++
++    if ! [ -f $efivars/$secureboot_var ] \
++        || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
++    then
++        echo "Secure Boot not enabled on this system." >&2
++        exit 0
++    fi
++
++    if [ $dkms_modules -lt 2 ]; then
++        echo "No DKMS modules installed." >&2
++        exit 0
++    fi
++
++    if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
++        moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
++    elif [ -f $efivars/$moksbstatert_var ]; then
++        # MokSBStateRT set to 1 means validation is disabled
++        moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
++                       awk '{ print $NF; }')
++    fi
++
++    # We were asked to enroll a key. This only makes sense if validation
++    # is enabled.
++    if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then
++        do_toggle=1
++    fi
++}
++
++create_mok()
++{
++    if [ -e "$SB_KEY" ]; then
++        return
++    fi
++
++    echo "Generating a new Secure Boot signing key:"
++    openssl req -config /usr/lib/shim/mok/openssl.cnf \
++        -subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \
++        -new -x509 -newkey rsa:2048 \
++        -nodes -days 36500 -outform DER \
++        -keyout "$SB_PRIV" \
++        -out "$SB_KEY"
++}
++
++update_dkms_list
++
++case "$1" in
++'--enable'|'--disable')
++    echo "Please run mokutil directly to change shim validation behavior."
++    exit 0
++    ;;
++
++'--new-key')
++    create_mok
++    exit 0
++    ;;
++
++'--enroll-key')
++    if [ -e "$SB_KEY" ]; then
++        if mokutil --test-key "$SB_KEY" | \
++                grep -qc 'is not'; then
++            do_enroll=1
++        fi
++    else
++        echo "No MOK found."
++        exit 1
++    fi
++    ;;
++
++*)
++    echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
++    echo
++    echo "\t--new-key\tCreate a new MOK."
++    echo "\t--enroll-key\tEnroll the new MOK for this system in shim."
++    echo "\t--help\t\tThis help text."
++    exit 0
++
++esac
++
++validate_actions
++
++if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then
++    echo "Nothing to do."
++    exit 0
++fi
++
++do_it
++
++exit 0