Merge ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed into ~ubuntu-core-dev/shim/+git/shim:master
- Git
- lp:~ubuntu-core-dev/shim/+git/shim-signed
- xnox/dual-signed
- Merge into master
Status: | Superseded | ||||
---|---|---|---|---|---|
Proposed branch: | ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed | ||||
Merge into: | ~ubuntu-core-dev/shim/+git/shim:master | ||||
Diff against target: |
1637 lines (+1444/-0) (has conflicts) 24 files modified
CanonicalMasterCA.crt (+25/-0) Makefile (+39/-0) MicCorUEFCA2011_2011-06-27.crt (+35/-0) debian/bzr-builddeb.conf (+2/-0) debian/changelog (+424/-0) debian/control (+24/-0) debian/copyright (+9/-0) debian/lintian-overrides (+1/-0) debian/po (+1/-0) debian/real-po/POTFILES.in (+1/-0) debian/real-po/templates.pot (+110/-0) debian/rules (+30/-0) debian/shim-signed.dirs (+2/-0) debian/shim-signed.install (+7/-0) debian/shim-signed.links (+1/-0) debian/shim-signed.postinst (+100/-0) debian/shim-signed.postrm (+10/-0) debian/shim-signed.triggers (+1/-0) debian/source/format (+4/-0) debian/source_shim-signed.py (+58/-0) debian/templates (+53/-0) download-signed (+183/-0) openssl.cnf (+27/-0) update-secureboot-policy (+297/-0) Conflict in Makefile Conflict in debian/changelog Conflict in debian/control Conflict in debian/copyright Conflict in debian/rules Conflict in debian/source/format |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu Core Development Team | Pending | ||
Review via email: mp+388660@code.launchpad.net |
This proposal has been superseded by a proposal from 2020-08-04.
Commit message
Construct and ship dual-signed shim.
Currently using shim-canonical provided signed artefacts.
Description of the change
Unmerged commits
- 8ba0dc3... by Dimitri John Ledkov
-
Construct and ship dual-signed shim.
- b384346... by Dimitri John Ledkov
-
Construct and ship dual-signed shim.
- 2786832... by Dimitri John Ledkov
-
Add download-signed script from linux-signed package
- 972530c... by Julian Andres Klode
-
releasing package shim-signed version 1.42
- 19b9216... by Julian Andres Klode
-
Update to the signed 15+1552672080.
a4a1fbe- 0ubuntu2 binary from Microsoft. - 68eae8b... by Steve Langasek
-
releasing package shim-signed version 1.41
- de258c9... by Steve Langasek
-
releasing package shim-signed version 1.40
- 716983a... by Steve Langasek
-
Add a versioned dependency on the mokutil that introduces --timeout.
- fba9ff6... by Steve Langasek
-
Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422.
- 54a591e... by dann frazier
-
releasing package shim-signed version 1.39
Preview Diff
1 | diff --git a/CanonicalMasterCA.crt b/CanonicalMasterCA.crt | |||
2 | 0 | new file mode 100644 | 0 | new file mode 100644 |
3 | index 0000000..55c06d5 | |||
4 | --- /dev/null | |||
5 | +++ b/CanonicalMasterCA.crt | |||
6 | @@ -0,0 +1,25 @@ | |||
7 | 1 | -----BEGIN CERTIFICATE----- | ||
8 | 2 | MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD | ||
9 | 3 | VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx | ||
10 | 4 | FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk | ||
11 | 5 | LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX | ||
12 | 6 | DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m | ||
13 | 7 | IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x | ||
14 | 8 | NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo | ||
15 | 9 | b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h | ||
16 | 10 | 7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7 | ||
17 | 11 | v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO | ||
18 | 12 | +ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr | ||
19 | 13 | yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk | ||
20 | 14 | YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO | ||
21 | 15 | BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj | ||
22 | 16 | MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB | ||
23 | 17 | Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu | ||
24 | 18 | b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB | ||
25 | 19 | CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd | ||
26 | 20 | B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH | ||
27 | 21 | WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx | ||
28 | 22 | U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd | ||
29 | 23 | 7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p | ||
30 | 24 | 9JkU284DDgtmxBxtvbgnd8FClL38agq8 | ||
31 | 25 | -----END CERTIFICATE----- | ||
32 | diff --git a/Makefile b/Makefile | |||
33 | index 49e14a2..80f7885 100644 | |||
34 | --- a/Makefile | |||
35 | +++ b/Makefile | |||
36 | @@ -1,3 +1,4 @@ | |||
37 | 1 | <<<<<<< Makefile | ||
38 | 1 | default : all | 2 | default : all |
39 | 2 | 3 | ||
40 | 3 | NAME = shim | 4 | NAME = shim |
41 | @@ -263,3 +264,41 @@ archive: tag | |||
42 | 263 | .PHONY : install-deps shim.key | 264 | .PHONY : install-deps shim.key |
43 | 264 | 265 | ||
44 | 265 | export ARCH CC LD OBJCOPY EFI_INCLUDE | 266 | export ARCH CC LD OBJCOPY EFI_INCLUDE |
45 | 267 | ======= | ||
46 | 268 | SHIM_CANONICAL_VERSION=$(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned) | ||
47 | 269 | |||
48 | 270 | check: | ||
49 | 271 | mkdir -p build | ||
50 | 272 | # Verifying that the image is signed with the correct key. | ||
51 | 273 | #sbverify --cert cyphermox.crt shimx64.efi.signed | ||
52 | 274 | sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_BASE).signed | ||
53 | 275 | # Verifying that we have the correct binary. | ||
54 | 276 | sbattach --detach build/detached-sig $(SHIM_BASE).signed | ||
55 | 277 | cp /usr/lib/shim/$(SHIM_BASE) build/$(SHIM_BASE).signed | ||
56 | 278 | sbattach --attach build/detached-sig build/$(SHIM_BASE).signed | ||
57 | 279 | cmp $(SHIM_BASE).signed build/$(SHIM_BASE).signed | ||
58 | 280 | #### | ||
59 | 281 | # Construct dual-signed shim | ||
60 | 282 | ./download-signed shim-canonical-unsigned $(SHIM_CANONICAL_VERSION) shim-canonical signed | ||
61 | 283 | # Verify that the downloaded binary has signatures chained to Canonical Master CA | ||
62 | 284 | sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed | ||
63 | 285 | # Detach Canonical signature | ||
64 | 286 | sbattach --detach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed | ||
65 | 287 | rm $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed | ||
66 | 288 | # Compare that shims are all the same now | ||
67 | 289 | cmp /usr/lib/shim/$(SHIM_BASE) $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
68 | 290 | # Reattach Canonical signature | ||
69 | 291 | sbattach --attach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
70 | 292 | # Verify that attachment worked | ||
71 | 293 | sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
72 | 294 | # Attach Microsoft signature | ||
73 | 295 | sbattach --attach build/detached-sig $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
74 | 296 | # Validate that this shim is now dualsigned | ||
75 | 297 | sbverify --list $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
76 | 298 | sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
77 | 299 | sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) | ||
78 | 300 | cp $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).dualsigned | ||
79 | 301 | |||
80 | 302 | clean: | ||
81 | 303 | rm -rf build $(SHIM_CANONICAL_VERSION) $shim_boot.csv BOOT$(EFI_ARCH).CSV | ||
82 | 304 | >>>>>>> Makefile | ||
83 | diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt | |||
84 | 266 | new file mode 100644 | 305 | new file mode 100644 |
85 | index 0000000..d7c29ef | |||
86 | --- /dev/null | |||
87 | +++ b/MicCorUEFCA2011_2011-06-27.crt | |||
88 | @@ -0,0 +1,35 @@ | |||
89 | 1 | -----BEGIN CERTIFICATE----- | ||
90 | 2 | MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG | ||
91 | 3 | A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx | ||
92 | 4 | HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z | ||
93 | 5 | b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN | ||
94 | 6 | MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR | ||
95 | 7 | BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p | ||
96 | 8 | Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0 | ||
97 | 9 | aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB | ||
98 | 10 | AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug | ||
99 | 11 | +01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI | ||
100 | 12 | rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ | ||
101 | 13 | E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp | ||
102 | 14 | XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L | ||
103 | 15 | 71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB | ||
104 | 16 | AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW | ||
105 | 17 | BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA | ||
106 | 18 | QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD | ||
107 | 19 | 4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p | ||
108 | 20 | Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f | ||
109 | 21 | MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw | ||
110 | 22 | Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv | ||
111 | 23 | b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q | ||
112 | 24 | aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz | ||
113 | 25 | Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g | ||
114 | 26 | Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX | ||
115 | 27 | i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM | ||
116 | 28 | sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh | ||
117 | 29 | aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk | ||
118 | 30 | BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs | ||
119 | 31 | deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5 | ||
120 | 32 | QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7 | ||
121 | 33 | 5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu | ||
122 | 34 | AkXuZcK2o35pFnUHkpv1prxZg1g= | ||
123 | 35 | -----END CERTIFICATE----- | ||
124 | diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf | |||
125 | 0 | new file mode 100644 | 36 | new file mode 100644 |
126 | index 0000000..3a08d60 | |||
127 | --- /dev/null | |||
128 | +++ b/debian/bzr-builddeb.conf | |||
129 | @@ -0,0 +1,2 @@ | |||
130 | 1 | [BUILDDEB] | ||
131 | 2 | native = True | ||
132 | diff --git a/debian/changelog b/debian/changelog | |||
133 | index 1e18261..6f2af53 100644 | |||
134 | --- a/debian/changelog | |||
135 | +++ b/debian/changelog | |||
136 | @@ -1,3 +1,4 @@ | |||
137 | 1 | <<<<<<< debian/changelog | ||
138 | 1 | shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium | 2 | shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium |
139 | 2 | 3 | ||
140 | 3 | * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression | 4 | * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression |
141 | @@ -303,3 +304,426 @@ shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low | |||
142 | 303 | * Include the Canonical Secure Boot master CA. | 304 | * Include the Canonical Secure Boot master CA. |
143 | 304 | 305 | ||
144 | 305 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 | 306 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |
145 | 307 | ======= | ||
146 | 308 | shim-signed (1.43) UNRELEASED; urgency=medium | ||
147 | 309 | |||
148 | 310 | * Add download-signed script from linux-signed package | ||
149 | 311 | * Construct and ship dual-signed shim. | ||
150 | 312 | |||
151 | 313 | -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Aug 2020 14:23:29 +0100 | ||
152 | 314 | |||
153 | 315 | shim-signed (1.42) groovy; urgency=medium | ||
154 | 316 | |||
155 | 317 | * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft. | ||
156 | 318 | |||
157 | 319 | -- Julian Andres Klode <juliank@ubuntu.com> Mon, 03 Aug 2020 12:36:10 +0200 | ||
158 | 320 | |||
159 | 321 | shim-signed (1.41) focal; urgency=medium | ||
160 | 322 | |||
161 | 323 | * Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft. | ||
162 | 324 | |||
163 | 325 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Feb 2020 13:04:08 -0800 | ||
164 | 326 | |||
165 | 327 | shim-signed (1.40) focal; urgency=medium | ||
166 | 328 | |||
167 | 329 | * Pass --timeout -1 to mokutil so that users don't end up with broken | ||
168 | 330 | systems by missing MokManager on reboot after install. LP: #1856422. | ||
169 | 331 | * Add a versioned dependency on the mokutil that introduces --timeout. | ||
170 | 332 | |||
171 | 333 | -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 14 Dec 2019 20:26:42 -0800 | ||
172 | 334 | |||
173 | 335 | shim-signed (1.39) disco; urgency=medium | ||
174 | 336 | |||
175 | 337 | * debian/source_shim-signed.py: Correct EFI architecture name for arm64. | ||
176 | 338 | * Parameterize code to remove hardcoded x86-isms. | ||
177 | 339 | * Add arm64 support. | ||
178 | 340 | |||
179 | 341 | -- dann frazier <dannf@ubuntu.com> Wed, 14 Nov 2018 11:13:42 -0700 | ||
180 | 342 | |||
181 | 343 | shim-signed (1.38) cosmic; urgency=medium | ||
182 | 344 | |||
183 | 345 | * Don't fail non-interactive upgrade of nvidia module and module removals | ||
184 | 346 | (LP: #1726803) | ||
185 | 347 | |||
186 | 348 | -- Balint Reczey <rbalint@ubuntu.com> Thu, 11 Oct 2018 18:12:37 +0200 | ||
187 | 349 | |||
188 | 350 | shim-signed (1.37) cosmic; urgency=medium | ||
189 | 351 | |||
190 | 352 | * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft. | ||
191 | 353 | * debian/real-po: replace debian/po to make sure things are translatable | ||
192 | 354 | via Launchpad. | ||
193 | 355 | |||
194 | 356 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 29 Aug 2018 15:43:41 -0400 | ||
195 | 357 | |||
196 | 358 | shim-signed (1.36) cosmic; urgency=medium | ||
197 | 359 | |||
198 | 360 | * debian/shim-signed.postinst: use --auto-nvram with grub-install in case | ||
199 | 361 | we're installing on a NVRAM-unavailable platform. | ||
200 | 362 | * debian/control: bump the dependency for grub2-common to make sure | ||
201 | 363 | grub-install supports --auto-nvram. | ||
202 | 364 | * debian/control: switch the grub-efi-amd64-bin dependency to | ||
203 | 365 | grub-efi-amd64-signed. | ||
204 | 366 | |||
205 | 367 | -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com> Wed, 06 Jun 2018 20:25:57 +0200 | ||
206 | 368 | |||
207 | 369 | shim-signed (1.35) cosmic; urgency=medium | ||
208 | 370 | |||
209 | 371 | * update-secureboot-policy: fix quoting for key/again password handling to | ||
210 | 372 | mokutil. (LP: #1770579) | ||
211 | 373 | * update-secureboot-policy: don't allow backtracking at the "main" question | ||
212 | 374 | for whether to enroll a new MOK. (LP: #1767091) | ||
213 | 375 | |||
214 | 376 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 31 May 2018 17:46:46 -0400 | ||
215 | 377 | |||
216 | 378 | shim-signed (1.34.9) bionic; urgency=medium | ||
217 | 379 | |||
218 | 380 | * debian/shim-signed.postinst: check for MOK existence rather than ignoring | ||
219 | 381 | failures in the trigger. (LP: #1766627) | ||
220 | 382 | |||
221 | 383 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 13:24:24 -0400 | ||
222 | 384 | |||
223 | 385 | shim-signed (1.34.8) bionic; urgency=medium | ||
224 | 386 | |||
225 | 387 | * debian/shim-signed.postinst: shim-signed's trigger to enroll a new MOK | ||
226 | 388 | should not fail the upgrade if there was no MOK to enroll. (LP: #1766627) | ||
227 | 389 | |||
228 | 390 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 12:31:25 -0400 | ||
229 | 391 | |||
230 | 392 | shim-signed (1.34.7) bionic; urgency=medium | ||
231 | 393 | |||
232 | 394 | * debian/shim-signed.postinst: it's not guaranteed that all linux-image | ||
233 | 395 | packages currently installed have dkms modules built for them. | ||
234 | 396 | Gracefully handle any failures in the path for signing existing dkms | ||
235 | 397 | modules on upgrade due to absent modules. LP: #1766391. | ||
236 | 398 | * Add a dependency on sbsigntool for kmodsign, which we use directly. | ||
237 | 399 | |||
238 | 400 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Apr 2018 21:47:50 -0700 | ||
239 | 401 | |||
240 | 402 | shim-signed (1.34.6) bionic; urgency=medium | ||
241 | 403 | |||
242 | 404 | * debian/shim-signed.postinst: bump lower version for batch-signing module | ||
243 | 405 | to 1.34.6, to make sure everything is properly signed if people got one | ||
244 | 406 | of the previous shim-signed packages. | ||
245 | 407 | |||
246 | 408 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 19:52:19 -0400 | ||
247 | 409 | |||
248 | 410 | shim-signed (1.34.5) bionic; urgency=medium | ||
249 | 411 | |||
250 | 412 | * Don't try to save new dkms list if we're still dealing with password | ||
251 | 413 | validation for enrollment. (LP: #1766312) | ||
252 | 414 | * Specify kernel version when installing/uninstalling modules while doing | ||
253 | 415 | batch signing on upgrade. | ||
254 | 416 | * Do a better job at finding kernel modules from DKMS if they are in sub- | ||
255 | 417 | directories. | ||
256 | 418 | * Don't prompt if DKMS is installed but there are no DKMS-built modules | ||
257 | 419 | installed. (LP: #1766261) | ||
258 | 420 | |||
259 | 421 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 15:29:44 -0400 | ||
260 | 422 | |||
261 | 423 | shim-signed (1.34.4) bionic; urgency=medium | ||
262 | 424 | |||
263 | 425 | * Handle the case that there are no kernel modules available for a given | ||
264 | 426 | dkms package. This probably indicates there is a problem with the dkms | ||
265 | 427 | module's installation, but that should not cause this package's | ||
266 | 428 | installation to fail. LP: #1765954. | ||
267 | 429 | |||
268 | 430 | -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 10:13:41 -0700 | ||
269 | 431 | |||
270 | 432 | shim-signed (1.34.3) bionic; urgency=medium | ||
271 | 433 | |||
272 | 434 | * Only take the first 31 bytes of the hostname. LP: #1765905. | ||
273 | 435 | |||
274 | 436 | -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:14:12 -0700 | ||
275 | 437 | |||
276 | 438 | shim-signed (1.34.2) bionic; urgency=medium | ||
277 | 439 | |||
278 | 440 | * Handle the case of multiple .kos per dkms module and .kos whose name | ||
279 | 441 | does not match the dkms package name. LP: #1765647. | ||
280 | 442 | |||
281 | 443 | -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:01:56 -0700 | ||
282 | 444 | |||
283 | 445 | shim-signed (1.34.1) bionic; urgency=medium | ||
284 | 446 | |||
285 | 447 | * update-secureboot-policy: don't skip creating a MOK if Secure Boot is not | ||
286 | 448 | enabled in firmware, but do guard against prompting users on a system that | ||
287 | 449 | doesn't have efivars mounted or where SB is disabled. (LP: #1765515) | ||
288 | 450 | |||
289 | 451 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 19 Apr 2018 17:56:50 -0400 | ||
290 | 452 | |||
291 | 453 | shim-signed (1.34) bionic; urgency=medium | ||
292 | 454 | |||
293 | 455 | * update-secureboot-policy: (LP: #1748983) | ||
294 | 456 | - Factor out validate_password() and clear_passwords() for reuse. | ||
295 | 457 | - Add --new-key option to generate a self-signed MOK. | ||
296 | 458 | - Add --enroll-key option to allow enrolling a new MOK in shim. | ||
297 | 459 | - Drop --enable and --disable options; users should call mokutil directly | ||
298 | 460 | instead. | ||
299 | 461 | * debian/shim-signed.postinst: | ||
300 | 462 | - When triggered, explicitly try to enroll the available MOK. | ||
301 | 463 | * debian/shim-signed.install, openssl.cnf: Install some default configuration | ||
302 | 464 | for creating our self-signed key. | ||
303 | 465 | * debian/shim-signed.dirs: make sure we have a directory where to put a MOK. | ||
304 | 466 | * debian/templates: update templates for update-secureboot-policy changes. | ||
305 | 467 | * debian/control: add versioned Breaks: for dkms. | ||
306 | 468 | |||
307 | 469 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 18 Apr 2018 22:35:46 -0400 | ||
308 | 470 | |||
309 | 471 | shim-signed (1.33.1) bionic; urgency=medium | ||
310 | 472 | |||
311 | 473 | * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245) | ||
312 | 474 | * Stop generating and install BOOT.CSV, shim will do that by itself now. | ||
313 | 475 | * Add Vcs-* fields. | ||
314 | 476 | |||
315 | 477 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 21 Dec 2017 14:33:37 -0500 | ||
316 | 478 | |||
317 | 479 | shim-signed (1.32) artful; urgency=medium | ||
318 | 480 | |||
319 | 481 | * Handle cleanup of /var/lib/shim-signed on package purge. | ||
320 | 482 | |||
321 | 483 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:30:42 -0700 | ||
322 | 484 | |||
323 | 485 | shim-signed (1.31) artful; urgency=medium | ||
324 | 486 | |||
325 | 487 | * Fix regression in postinst when /var/lib/dkms does not exist. | ||
326 | 488 | LP: #1700195. | ||
327 | 489 | * Sort the list of dkms modules when recording. | ||
328 | 490 | |||
329 | 491 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:13:40 -0700 | ||
330 | 492 | |||
331 | 493 | shim-signed (1.30) artful; urgency=medium | ||
332 | 494 | |||
333 | 495 | * update-secureboot-policy: track the installed DKMS modules so we can skip | ||
334 | 496 | failing unattended upgrades if they hasn't changed (ie. if no new DKMS | ||
335 | 497 | modules have been installed, just honour the user's previous decision to | ||
336 | 498 | not disable shim validation). (LP: #1695578) | ||
337 | 499 | * update-secureboot-policy: allow re-enabling shim validation when no DKMS | ||
338 | 500 | packages are installed. (LP: #1673904) | ||
339 | 501 | * debian/source_shim-signed.py: add the textual representation of SecureBoot | ||
340 | 502 | and MokSBStateRT EFI variables rather than just adding the files directly; | ||
341 | 503 | also, make sure we include the relevant EFI bits from kernel log. | ||
342 | 504 | (LP: #1680279) | ||
343 | 505 | |||
344 | 506 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 23 Jun 2017 14:37:21 -0400 | ||
345 | 507 | |||
346 | 508 | shim-signed (1.29) artful; urgency=medium | ||
347 | 509 | |||
348 | 510 | * Makefile: Generate BOOT$arch.CSV, for use with fallback. | ||
349 | 511 | * debian/rules: make sure we can do per-arch EFI files. | ||
350 | 512 | |||
351 | 513 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 26 Apr 2017 21:36:57 -0400 | ||
352 | 514 | |||
353 | 515 | shim-signed (1.28) zesty; urgency=medium | ||
354 | 516 | |||
355 | 517 | * Adjust apport hook to include key files that tell us about the system's | ||
356 | 518 | current SB state. | ||
357 | 519 | |||
358 | 520 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Apr 2017 15:14:49 -0700 | ||
359 | 521 | |||
360 | 522 | shim-signed (1.27) zesty; urgency=medium | ||
361 | 523 | |||
362 | 524 | [ Steve Langasek ] | ||
363 | 525 | * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from | ||
364 | 526 | Microsoft. | ||
365 | 527 | * update-secureboot-policy: | ||
366 | 528 | - detect when we have no debconf prompting and error out instead of ending | ||
367 | 529 | up in an infinite loop. LP: #1673817. | ||
368 | 530 | - refactor to make the code easier to follow. | ||
369 | 531 | - remove a confusing boolean that would always re-prompt on a request to | ||
370 | 532 | --enable, but not on a request to --disable. | ||
371 | 533 | |||
372 | 534 | [ Mathieu Trudel-Lapierre ] | ||
373 | 535 | * update-secureboot-policy: | ||
374 | 536 | - some more fixes to properly handle non-interactive mode. (LP: #1673817) | ||
375 | 537 | |||
376 | 538 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 21 Mar 2017 14:28:46 -0400 | ||
377 | 539 | |||
378 | 540 | shim-signed (1.23) zesty; urgency=medium | ||
379 | 541 | |||
380 | 542 | * debian/control: bump the Depends on grub2-common since that's needed to | ||
381 | 543 | install with the new updated EFI binaries filenames. | ||
382 | 544 | |||
383 | 545 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 21 Oct 2016 13:31:05 -0400 | ||
384 | 546 | |||
385 | 547 | shim-signed (1.22) yakkety; urgency=medium | ||
386 | 548 | |||
387 | 549 | * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft. | ||
388 | 550 | * Update paths now that the shim binary has been renamed to include the | ||
389 | 551 | target architecture. | ||
390 | 552 | * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu; | ||
391 | 553 | since it's being replaced by mm$arch.efi. | ||
392 | 554 | |||
393 | 555 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 13 Oct 2016 13:49:17 -0400 | ||
394 | 556 | |||
395 | 557 | shim-signed (1.21.3) vivid; urgency=medium | ||
396 | 558 | |||
397 | 559 | * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3. | ||
398 | 560 | |||
399 | 561 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 06 Oct 2016 19:20:36 -0400 | ||
400 | 562 | |||
401 | 563 | shim-signed (1.21.2) vivid; urgency=medium | ||
402 | 564 | |||
403 | 565 | * Revert to signed shim from 0.8-0ubuntu2. (LP: #1624096) | ||
404 | 566 | - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily. | ||
405 | 567 | |||
406 | 568 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 03 Oct 2016 17:17:54 -0400 | ||
407 | 569 | |||
408 | 570 | shim-signed (1.20) yakkety; urgency=medium | ||
409 | 571 | |||
410 | 572 | * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft. | ||
411 | 573 | (LP: #1581299) | ||
412 | 574 | |||
413 | 575 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 08 Aug 2016 11:14:21 -0400 | ||
414 | 576 | |||
415 | 577 | shim-signed (1.19) yakkety; urgency=medium | ||
416 | 578 | |||
417 | 579 | * update-secureboot-policy: | ||
418 | 580 | - Add a --help option, document other options. (LP: #1604936) | ||
419 | 581 | - Rework prompting to display our Secure Boot warning and explanation | ||
420 | 582 | text more prominently, rather than forcing graphical users to hit | ||
421 | 583 | "Help" to see the full explanation for why we ask about disabling | ||
422 | 584 | Secure Boot. (LP: #1595611) | ||
423 | 585 | |||
424 | 586 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 02 Aug 2016 11:01:50 -0400 | ||
425 | 587 | |||
426 | 588 | shim-signed (1.18) yakkety; urgency=medium | ||
427 | 589 | |||
428 | 590 | * update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is | ||
429 | 591 | present, prefer this unconditionally over MokSBStateRT. LP: #1604873. | ||
430 | 592 | |||
431 | 593 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Jul 2016 08:31:17 -0700 | ||
432 | 594 | |||
433 | 595 | shim-signed (1.17) yakkety; urgency=medium | ||
434 | 596 | |||
435 | 597 | * update-secureboot-policy: rework setting capabilities to stop having | ||
436 | 598 | the backup capability while showing an error message; which won't affect | ||
437 | 599 | the Dialog debconf frontend but otherwise made the GTK frontend confusing. | ||
438 | 600 | * update-secureboot-policy: all debconf prompts should be at priority | ||
439 | 601 | critical: there is no good default to pick, we must prompt the user. | ||
440 | 602 | * debian/templates: make the password inputs be standard inputs; this is an | ||
441 | 603 | unfortunate workaround to aptdaemon not having access to the debconf | ||
442 | 604 | password database on desktop; since the frontend runs as an unprivileged | ||
443 | 605 | user. See bug LP#1599981 (LP: #1599051) | ||
444 | 606 | |||
445 | 607 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 07 Jul 2016 16:58:45 -0400 | ||
446 | 608 | |||
447 | 609 | shim-signed (1.16) yakkety; urgency=medium | ||
448 | 610 | |||
449 | 611 | * debian/shim-signed.postinst: call for the trigger on update of shim-signed. | ||
450 | 612 | |||
451 | 613 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 28 Jun 2016 17:34:23 -0400 | ||
452 | 614 | |||
453 | 615 | shim-signed (1.15) yakkety; urgency=medium | ||
454 | 616 | |||
455 | 617 | * update-secureboot-policy: validate the state of MokSBStateRT against what | ||
456 | 618 | the kernel believes it to be via /proc/sys/kernel/moksbstate_disabled, | ||
457 | 619 | in case we have the kernel which knows about shim's validation policy but | ||
458 | 620 | an old shim that doesn't export MokSBStateRT. | ||
459 | 621 | |||
460 | 622 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 17 Jun 2016 16:47:40 +0300 | ||
461 | 623 | |||
462 | 624 | shim-signed (1.14) yakkety; urgency=medium | ||
463 | 625 | |||
464 | 626 | * update-secureboot-policy: | ||
465 | 627 | - Make it easier for users to really re-enable Secure Boot via an --enable | ||
466 | 628 | option. | ||
467 | 629 | - Don't prompt for action if there are no DKMS packages installed, as per | ||
468 | 630 | checking if there are any subdirectories in /var/lib/dkms. | ||
469 | 631 | |||
470 | 632 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 07 Jun 2016 16:09:53 -0400 | ||
471 | 633 | |||
472 | 634 | shim-signed (1.13) yakkety; urgency=medium | ||
473 | 635 | |||
474 | 636 | * update-secureboot-policy: have a trigger-ready script available to deal | ||
475 | 637 | with the necessity to change Secure Boot policy on a system. | ||
476 | 638 | * debian/shim-signed.templates: ship the necessary templates for secureboot. | ||
477 | 639 | * debian/shim-signed.postinst: Run our trigger script to update Secure Boot | ||
478 | 640 | policy when necessary at the end of installs, without calling dpkg-trigger | ||
479 | 641 | again. | ||
480 | 642 | |||
481 | 643 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 16 May 2016 15:29:27 -0400 | ||
482 | 644 | |||
483 | 645 | shim-signed (1.12) xenial; urgency=medium | ||
484 | 646 | |||
485 | 647 | * debian/control: add Depends on mokutil, to ship a way for users to | ||
486 | 648 | control shim features, such as enrolling new keys. | ||
487 | 649 | |||
488 | 650 | -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Wed, 16 Dec 2015 10:19:23 -0500 | ||
489 | 651 | |||
490 | 652 | shim-signed (1.11) wily; urgency=medium | ||
491 | 653 | |||
492 | 654 | * Add in an apport package hook for shim-signed and shim. (LP: #1490030) | ||
493 | 655 | |||
494 | 656 | -- Brian Murray <brian@ubuntu.com> Fri, 11 Sep 2015 15:04:31 -0700 | ||
495 | 657 | |||
496 | 658 | shim-signed (1.10) wily; urgency=medium | ||
497 | 659 | |||
498 | 660 | * Add a versioned dependency on grub2-common, so that partial upgrades from | ||
499 | 661 | Ubuntu 12.04 don't break due to a lack of --target option to grub-install. | ||
500 | 662 | LP: #1474203. | ||
501 | 663 | |||
502 | 664 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 14 Jul 2015 10:46:41 -0700 | ||
503 | 665 | |||
504 | 666 | shim-signed (1.9) wily; urgency=medium | ||
505 | 667 | |||
506 | 668 | * Update to the signed 0.8-0ubuntu2 binary from Microsoft. | ||
507 | 669 | |||
508 | 670 | -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Jun 2015 19:27:35 +0000 | ||
509 | 671 | |||
510 | 672 | shim-signed (1.8) utopic; urgency=medium | ||
511 | 673 | |||
512 | 674 | * Update to the signed 0.7-0ubuntu4 binary from Microsoft. | ||
513 | 675 | |||
514 | 676 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 21 Oct 2014 18:23:15 -0400 | ||
515 | 677 | |||
516 | 678 | shim-signed (1.6) trusty; urgency=low | ||
517 | 679 | |||
518 | 680 | * Also add a build-dependency on grub2-common, to ensure that our | ||
519 | 681 | grub-install is the correct one - since grub-efi-amd64-bin is | ||
520 | 682 | coinstallable with grub1. LP: #1259558. | ||
521 | 683 | |||
522 | 684 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 10 Dec 2013 09:10:23 -0800 | ||
523 | 685 | |||
524 | 686 | shim-signed (1.5) trusty; urgency=low | ||
525 | 687 | |||
526 | 688 | * Pass --target=x86_64-efi to grub-install from the postinst and depend on | ||
527 | 689 | grub-efi-amd64-bin, so that package upgrades will do the right thing | ||
528 | 690 | even if the system has been rebooted under BIOS. LP: #1246910. | ||
529 | 691 | * Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match | ||
530 | 692 | the path under /boot/efi; fix this up so shim-signed upgrades properly | ||
531 | 693 | on Kubuntu systems. LP: #1242417. | ||
532 | 694 | |||
533 | 695 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2013 17:06:21 -0700 | ||
534 | 696 | |||
535 | 697 | shim-signed (1.4) trusty; urgency=low | ||
536 | 698 | |||
537 | 699 | * Add a dependency on shim, so that we can pull in MokManager for use. | ||
538 | 700 | * Update to the signed 0.4-0ubuntu4 binary from Microsoft. | ||
539 | 701 | |||
540 | 702 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 30 Oct 2013 15:04:23 -0700 | ||
541 | 703 | |||
542 | 704 | shim-signed (1.3) saucy; urgency=low | ||
543 | 705 | |||
544 | 706 | * Build-depend on sbsigntool (>= 0.6-0ubuntu4) and check the integrity of | ||
545 | 707 | our signed binary at build time. | ||
546 | 708 | * Update to the signed 0.4-0ubuntu3 binary from Microsoft. | ||
547 | 709 | |||
548 | 710 | -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 07 Sep 2013 22:09:22 +0000 | ||
549 | 711 | |||
550 | 712 | shim-signed (1.2) raring; urgency=low | ||
551 | 713 | |||
552 | 714 | * Recommend secureboot-db (LP: #1087843). | ||
553 | 715 | |||
554 | 716 | -- Colin Watson <cjwatson@ubuntu.com> Sat, 16 Feb 2013 00:02:00 +0000 | ||
555 | 717 | |||
556 | 718 | shim-signed (1.1) quantal-proposed; urgency=low | ||
557 | 719 | |||
558 | 720 | * Rev shim-signed for updated shim. | ||
559 | 721 | |||
560 | 722 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 12 Oct 2012 01:42:07 +0000 | ||
561 | 723 | |||
562 | 724 | shim-signed (1.0) quantal; urgency=low | ||
563 | 725 | |||
564 | 726 | * Initial release, based on grub2-signed package. | ||
565 | 727 | |||
566 | 728 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 09 Oct 2012 15:48:37 -0700 | ||
567 | 729 | >>>>>>> debian/changelog | ||
568 | diff --git a/debian/control b/debian/control | |||
569 | index c8b8ffa..d30cce8 100644 | |||
570 | --- a/debian/control | |||
571 | +++ b/debian/control | |||
572 | @@ -1,3 +1,4 @@ | |||
573 | 1 | <<<<<<< debian/control | ||
574 | 1 | Source: shim | 2 | Source: shim |
575 | 2 | Section: admin | 3 | Section: admin |
576 | 3 | Priority: optional | 4 | Priority: optional |
577 | @@ -12,8 +13,31 @@ Architecture: amd64 arm64 | |||
578 | 12 | Depends: ${shlibs:Depends}, ${misc:Depends} | 13 | Depends: ${shlibs:Depends}, ${misc:Depends} |
579 | 13 | Breaks: shim-signed (<< 1.33~) | 14 | Breaks: shim-signed (<< 1.33~) |
580 | 14 | Description: boot loader to chain-load signed boot loaders under Secure Boot | 15 | Description: boot loader to chain-load signed boot loaders under Secure Boot |
581 | 16 | ======= | ||
582 | 17 | Source: shim-signed | ||
583 | 18 | Section: utils | ||
584 | 19 | Priority: optional | ||
585 | 20 | Maintainer: Steve Langasek <steve.langasek@ubuntu.com> | ||
586 | 21 | Build-Depends: debhelper (>= 9), dh-exec, shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf | ||
587 | 22 | Standards-Version: 3.9.4 | ||
588 | 23 | Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed | ||
589 | 24 | Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed | ||
590 | 25 | |||
591 | 26 | Package: shim-signed | ||
592 | 27 | Architecture: amd64 arm64 | ||
593 | 28 | Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-signed | grub-efi-arm64-signed, grub2-common (>= 2.02-2ubuntu9), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool | ||
594 | 29 | Recommends: secureboot-db | ||
595 | 30 | Built-Using: shim (= ${shim:Version}) | ||
596 | 31 | Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) | ||
597 | 32 | >>>>>>> debian/control | ||
598 | 15 | This package provides a minimalist boot loader which allows verifying | 33 | This package provides a minimalist boot loader which allows verifying |
599 | 16 | signatures of other UEFI binaries against either the Secure Boot DB/DBX or | 34 | signatures of other UEFI binaries against either the Secure Boot DB/DBX or |
600 | 17 | against a built-in signature database. Its purpose is to allow a small, | 35 | against a built-in signature database. Its purpose is to allow a small, |
601 | 18 | infrequently-changing binary to be signed by the UEFI CA, while allowing | 36 | infrequently-changing binary to be signed by the UEFI CA, while allowing |
602 | 19 | an OS distributor to revision their main bootloader independently of the CA. | 37 | an OS distributor to revision their main bootloader independently of the CA. |
603 | 38 | <<<<<<< debian/control | ||
604 | 39 | ======= | ||
605 | 40 | . | ||
606 | 41 | This package contains the version of the bootloader binary signed by the | ||
607 | 42 | Microsoft UEFI CA. | ||
608 | 43 | >>>>>>> debian/control | ||
609 | diff --git a/debian/copyright b/debian/copyright | |||
610 | index 64b3f57..1debf7d 100644 | |||
611 | --- a/debian/copyright | |||
612 | +++ b/debian/copyright | |||
613 | @@ -1,5 +1,6 @@ | |||
614 | 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ | 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ |
615 | 2 | Upstream-Name: shim | 2 | Upstream-Name: shim |
616 | 3 | <<<<<<< debian/copyright | ||
617 | 3 | Upstream-Contact: Matthew Garrett <mjg59@coreos.com> | 4 | Upstream-Contact: Matthew Garrett <mjg59@coreos.com> |
618 | 4 | Source: https://github.com/rhboot/shim | 5 | Source: https://github.com/rhboot/shim |
619 | 5 | 6 | ||
620 | @@ -227,6 +228,14 @@ License: BSD-3-Clause-Intel | |||
621 | 227 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | 228 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
622 | 228 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 229 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
623 | 229 | 230 | ||
624 | 231 | ======= | ||
625 | 232 | Upstream-Contact: Matthew Garrett <mjg@redhat.com> | ||
626 | 233 | Source: https://github.com/mjg59/shim.git | ||
627 | 234 | |||
628 | 235 | Files: * | ||
629 | 236 | Copyright: 2012 Red Hat, Inc | ||
630 | 237 | 2009-2012 Intel Corporation | ||
631 | 238 | >>>>>>> debian/copyright | ||
632 | 230 | License: BSD-2-Clause | 239 | License: BSD-2-Clause |
633 | 231 | Redistribution and use in source and binary forms, with or without | 240 | Redistribution and use in source and binary forms, with or without |
634 | 232 | modification, are permitted provided that the following conditions | 241 | modification, are permitted provided that the following conditions |
635 | diff --git a/debian/lintian-overrides b/debian/lintian-overrides | |||
636 | 233 | new file mode 100644 | 242 | new file mode 100644 |
637 | index 0000000..5ce68fc | |||
638 | --- /dev/null | |||
639 | +++ b/debian/lintian-overrides | |||
640 | @@ -0,0 +1 @@ | |||
641 | 1 | shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy | ||
642 | diff --git a/debian/po b/debian/po | |||
643 | 0 | new file mode 120000 | 2 | new file mode 120000 |
644 | index 0000000..081d461 | |||
645 | --- /dev/null | |||
646 | +++ b/debian/po | |||
647 | @@ -0,0 +1 @@ | |||
648 | 1 | real-po | ||
649 | 0 | \ No newline at end of file | 2 | \ No newline at end of file |
650 | diff --git a/debian/real-po/POTFILES.in b/debian/real-po/POTFILES.in | |||
651 | 1 | new file mode 100644 | 3 | new file mode 100644 |
652 | index 0000000..cef83a3 | |||
653 | --- /dev/null | |||
654 | +++ b/debian/real-po/POTFILES.in | |||
655 | @@ -0,0 +1 @@ | |||
656 | 1 | [type: gettext/rfc822deb] templates | ||
657 | diff --git a/debian/real-po/templates.pot b/debian/real-po/templates.pot | |||
658 | 0 | new file mode 100644 | 2 | new file mode 100644 |
659 | index 0000000..5cbebf0 | |||
660 | --- /dev/null | |||
661 | +++ b/debian/real-po/templates.pot | |||
662 | @@ -0,0 +1,110 @@ | |||
663 | 1 | # SOME DESCRIPTIVE TITLE. | ||
664 | 2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
665 | 3 | # This file is distributed under the same license as the shim-signed package. | ||
666 | 4 | # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. | ||
667 | 5 | # | ||
668 | 6 | #, fuzzy | ||
669 | 7 | msgid "" | ||
670 | 8 | msgstr "" | ||
671 | 9 | "Project-Id-Version: shim-signed\n" | ||
672 | 10 | "Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n" | ||
673 | 11 | "POT-Creation-Date: 2016-05-04 16:57-0500\n" | ||
674 | 12 | "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" | ||
675 | 13 | "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" | ||
676 | 14 | "Language-Team: LANGUAGE <LL@li.org>\n" | ||
677 | 15 | "Language: \n" | ||
678 | 16 | "MIME-Version: 1.0\n" | ||
679 | 17 | "Content-Type: text/plain; charset=CHARSET\n" | ||
680 | 18 | "Content-Transfer-Encoding: 8bit\n" | ||
681 | 19 | |||
682 | 20 | #. Type: text | ||
683 | 21 | #. Description | ||
684 | 22 | #: ../templates:1001 | ||
685 | 23 | msgid "Configuring Secure Boot" | ||
686 | 24 | msgstr "" | ||
687 | 25 | |||
688 | 26 | #. Type: error | ||
689 | 27 | #. Description | ||
690 | 28 | #: ../templates:2001 | ||
691 | 29 | msgid "Invalid password" | ||
692 | 30 | msgstr "" | ||
693 | 31 | |||
694 | 32 | #. Type: error | ||
695 | 33 | #. Description | ||
696 | 34 | #: ../templates:2001 | ||
697 | 35 | msgid "" | ||
698 | 36 | "The Secure Boot key you've entered is not valid. The password used must be " | ||
699 | 37 | "between 8 and 16 characters." | ||
700 | 38 | msgstr "" | ||
701 | 39 | |||
702 | 40 | #. Type: boolean | ||
703 | 41 | #. Description | ||
704 | 42 | #: ../templates:3001 | ||
705 | 43 | msgid "Disable UEFI Secure Boot?" | ||
706 | 44 | msgstr "" | ||
707 | 45 | |||
708 | 46 | #. Type: boolean | ||
709 | 47 | #. Description | ||
710 | 48 | #: ../templates:3001 | ||
711 | 49 | msgid "" | ||
712 | 50 | "Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible " | ||
713 | 51 | "with the use of third-party drivers." | ||
714 | 52 | msgstr "" | ||
715 | 53 | |||
716 | 54 | #. Type: boolean | ||
717 | 55 | #. Description | ||
718 | 56 | #: ../templates:3001 | ||
719 | 57 | msgid "" | ||
720 | 58 | "The system will assist you in disabling UEFI Secure Boot. To ensure that " | ||
721 | 59 | "this change is being made by you as an authorized user, and not by an " | ||
722 | 60 | "attacker, you must choose a password now and then use the same password " | ||
723 | 61 | "after reboot to confirm the change." | ||
724 | 62 | msgstr "" | ||
725 | 63 | |||
726 | 64 | #. Type: boolean | ||
727 | 65 | #. Description | ||
728 | 66 | #: ../templates:3001 | ||
729 | 67 | msgid "" | ||
730 | 68 | "If you choose to proceed but do not confirm the password upon reboot, Ubuntu " | ||
731 | 69 | "will still be able to boot on your system but these third-party drivers will " | ||
732 | 70 | "not be available for your hardware." | ||
733 | 71 | msgstr "" | ||
734 | 72 | |||
735 | 73 | #. Type: password | ||
736 | 74 | #. Description | ||
737 | 75 | #: ../templates:4001 | ||
738 | 76 | msgid "Password:" | ||
739 | 77 | msgstr "" | ||
740 | 78 | |||
741 | 79 | #. Type: password | ||
742 | 80 | #. Description | ||
743 | 81 | #: ../templates:4001 | ||
744 | 82 | msgid "" | ||
745 | 83 | "Please enter a password for disabling Secure Boot. It will be asked again " | ||
746 | 84 | "after a reboot." | ||
747 | 85 | msgstr "" | ||
748 | 86 | |||
749 | 87 | #. Type: password | ||
750 | 88 | #. Description | ||
751 | 89 | #: ../templates:5001 | ||
752 | 90 | msgid "Re-enter password to verify:" | ||
753 | 91 | msgstr "" | ||
754 | 92 | |||
755 | 93 | #. Type: password | ||
756 | 94 | #. Description | ||
757 | 95 | #: ../templates:5001 | ||
758 | 96 | msgid "" | ||
759 | 97 | "Please enter the same password again to verify you have typed it correctly." | ||
760 | 98 | msgstr "" | ||
761 | 99 | |||
762 | 100 | #. Type: error | ||
763 | 101 | #. Description | ||
764 | 102 | #: ../templates:6001 | ||
765 | 103 | msgid "Password input error" | ||
766 | 104 | msgstr "" | ||
767 | 105 | |||
768 | 106 | #. Type: error | ||
769 | 107 | #. Description | ||
770 | 108 | #: ../templates:6001 | ||
771 | 109 | msgid "The two passwords you entered were not the same. Please try again." | ||
772 | 110 | msgstr "" | ||
773 | diff --git a/debian/rules b/debian/rules | |||
774 | index aa94e7c..c8a6f99 100755 | |||
775 | --- a/debian/rules | |||
776 | +++ b/debian/rules | |||
777 | @@ -1,3 +1,4 @@ | |||
778 | 1 | <<<<<<< debian/rules | ||
779 | 1 | #!/usr/bin/make -f | 2 | #!/usr/bin/make -f |
780 | 2 | 3 | ||
781 | 3 | # Other vendors, add your certs here. No sense in using | 4 | # Other vendors, add your certs here. No sense in using |
782 | @@ -46,3 +47,32 @@ override_dh_auto_install: | |||
783 | 46 | override_dh_fixperms: | 47 | override_dh_fixperms: |
784 | 47 | dh_fixperms | 48 | dh_fixperms |
785 | 48 | chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi | 49 | chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi |
786 | 50 | ======= | ||
787 | 51 | #! /usr/bin/make -f | ||
788 | 52 | |||
789 | 53 | VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) | ||
790 | 54 | SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim) | ||
791 | 55 | |||
792 | 56 | ifeq ($(DEB_TARGET_ARCH),amd64) | ||
793 | 57 | export EFI_ARCH := X64 | ||
794 | 58 | endif | ||
795 | 59 | ifeq ($(DEB_TARGET_ARCH),arm64) | ||
796 | 60 | export EFI_ARCH := AA64 | ||
797 | 61 | endif | ||
798 | 62 | export SHIM_BASE = shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi | ||
799 | 63 | |||
800 | 64 | %: | ||
801 | 65 | dh $@ | ||
802 | 66 | |||
803 | 67 | docdir := debian/shim-signed/usr/share/doc/shim-signed | ||
804 | 68 | |||
805 | 69 | override_dh_installchangelogs: | ||
806 | 70 | dh_installchangelogs | ||
807 | 71 | # Quieten lintian, which otherwise gets confused by our odd version | ||
808 | 72 | # number. | ||
809 | 73 | ln $(docdir)/changelog $(docdir)/changelog.Debian | ||
810 | 74 | |||
811 | 75 | override_dh_gencontrol: | ||
812 | 76 | dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ | ||
813 | 77 | -Vshim:Version=$(SHIM_VERSION) | ||
814 | 78 | >>>>>>> debian/rules | ||
815 | diff --git a/debian/shim-signed.dirs b/debian/shim-signed.dirs | |||
816 | 49 | new file mode 100644 | 79 | new file mode 100644 |
817 | index 0000000..7e25a1f | |||
818 | --- /dev/null | |||
819 | +++ b/debian/shim-signed.dirs | |||
820 | @@ -0,0 +1,2 @@ | |||
821 | 1 | var/lib/shim-signed | ||
822 | 2 | var/lib/shim-signed/mok | ||
823 | diff --git a/debian/shim-signed.install b/debian/shim-signed.install | |||
824 | 0 | new file mode 100755 | 3 | new file mode 100755 |
825 | index 0000000..93d4e26 | |||
826 | --- /dev/null | |||
827 | +++ b/debian/shim-signed.install | |||
828 | @@ -0,0 +1,7 @@ | |||
829 | 1 | #! /usr/bin/dh-exec | ||
830 | 2 | |||
831 | 3 | ${SHIM_BASE}.signed /usr/lib/shim | ||
832 | 4 | build/${SHIM_BASE}.dualsigned /usr/lib/shim | ||
833 | 5 | openssl.cnf /usr/lib/shim/mok | ||
834 | 6 | debian/source_shim-signed.py /usr/share/apport/package-hooks/ | ||
835 | 7 | update-secureboot-policy /usr/sbin/ | ||
836 | diff --git a/debian/shim-signed.links b/debian/shim-signed.links | |||
837 | 0 | new file mode 100644 | 8 | new file mode 100644 |
838 | index 0000000..2e3ccf9 | |||
839 | --- /dev/null | |||
840 | +++ b/debian/shim-signed.links | |||
841 | @@ -0,0 +1 @@ | |||
842 | 1 | usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py | ||
843 | diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst | |||
844 | 0 | new file mode 100644 | 2 | new file mode 100644 |
845 | index 0000000..d554f89 | |||
846 | --- /dev/null | |||
847 | +++ b/debian/shim-signed.postinst | |||
848 | @@ -0,0 +1,100 @@ | |||
849 | 1 | #! /bin/sh | ||
850 | 2 | set -e | ||
851 | 3 | |||
852 | 4 | # Must load the confmodule for our template to be installed correctly. | ||
853 | 5 | . /usr/share/debconf/confmodule | ||
854 | 6 | |||
855 | 7 | config_item () | ||
856 | 8 | { | ||
857 | 9 | if [ -f /etc/default/grub ]; then | ||
858 | 10 | . /etc/default/grub || return | ||
859 | 11 | for x in /etc/default/grub.d/*.cfg; do | ||
860 | 12 | if [ -e "$x" ]; then | ||
861 | 13 | . "$x" | ||
862 | 14 | fi | ||
863 | 15 | done | ||
864 | 16 | fi | ||
865 | 17 | eval echo "\$$1" | ||
866 | 18 | } | ||
867 | 19 | |||
868 | 20 | sign_dkms_modules() | ||
869 | 21 | { | ||
870 | 22 | for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`; | ||
871 | 23 | do | ||
872 | 24 | for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\ '{print $1"/"$2}'`; | ||
873 | 25 | do | ||
874 | 26 | dkms uninstall -k "$kern" "$dkms" || : | ||
875 | 27 | if ! dkms status -k "$kern" "$dkms" | grep -q 'built$' | ||
876 | 28 | then | ||
877 | 29 | cat <<EOF | ||
878 | 30 | |||
879 | 31 | shim-signed: failed to prepare dkms module for signing; ignoring. | ||
880 | 32 | module: $dkms | ||
881 | 33 | kernel: $kern | ||
882 | 34 | EOF | ||
883 | 35 | continue | ||
884 | 36 | fi | ||
885 | 37 | mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko") | ||
886 | 38 | for mod in $mods; do | ||
887 | 39 | kmodsign sha512 \ | ||
888 | 40 | /var/lib/shim-signed/mok/MOK.priv \ | ||
889 | 41 | /var/lib/shim-signed/mok/MOK.der \ | ||
890 | 42 | $mod | ||
891 | 43 | done | ||
892 | 44 | dkms install -k "$kern" "${dkms}" | ||
893 | 45 | done | ||
894 | 46 | done | ||
895 | 47 | } | ||
896 | 48 | |||
897 | 49 | case $(dpkg --print-architecture) in | ||
898 | 50 | amd64) | ||
899 | 51 | grubarch=x86_64-efi | ||
900 | 52 | ;; | ||
901 | 53 | arm64) | ||
902 | 54 | grubarch=arm64-efi | ||
903 | 55 | ;; | ||
904 | 56 | esac | ||
905 | 57 | case $1 in | ||
906 | 58 | triggered) | ||
907 | 59 | if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then | ||
908 | 60 | SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key | ||
909 | 61 | fi | ||
910 | 62 | ;; | ||
911 | 63 | configure) | ||
912 | 64 | bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ | ||
913 | 65 | cut -d' ' -f1)" | ||
914 | 66 | case $bootloader_id in | ||
915 | 67 | kubuntu) bootloader_id=ubuntu ;; | ||
916 | 68 | esac | ||
917 | 69 | if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ | ||
918 | 70 | && which grub-install >/dev/null 2>&1 | ||
919 | 71 | then | ||
920 | 72 | grub-install --target=${grubarch} --auto-nvram | ||
921 | 73 | if dpkg --compare-versions "$2" lt-nl "1.22~"; then | ||
922 | 74 | rm -f /boot/efi/EFI/ubuntu/MokManager.efi | ||
923 | 75 | fi | ||
924 | 76 | fi | ||
925 | 77 | |||
926 | 78 | # Upgrade case, capture pre-existing DKMS packages. | ||
927 | 79 | if dpkg --compare-versions "$2" lt-nl "1.30" \ | ||
928 | 80 | && [ -d /var/lib/dkms ] | ||
929 | 81 | then | ||
930 | 82 | find /var/lib/dkms -maxdepth 1 -type d -print \ | ||
931 | 83 | | LC_ALL=C sort > /var/lib/shim-signed/dkms-list | ||
932 | 84 | fi | ||
933 | 85 | |||
934 | 86 | # Upgrade case, migrate all existing kernels/dkms module combinations | ||
935 | 87 | # to self-signed modules. | ||
936 | 88 | if dpkg --compare-versions "$2" lt "1.34.7" \ | ||
937 | 89 | && [ -d /var/lib/dkms ] | ||
938 | 90 | then | ||
939 | 91 | SHIM_NOTRIGGER=y update-secureboot-policy --new-key | ||
940 | 92 | sign_dkms_modules | ||
941 | 93 | SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key | ||
942 | 94 | fi | ||
943 | 95 | ;; | ||
944 | 96 | esac | ||
945 | 97 | |||
946 | 98 | #DEBHELPER# | ||
947 | 99 | |||
948 | 100 | exit 0 | ||
949 | diff --git a/debian/shim-signed.postrm b/debian/shim-signed.postrm | |||
950 | 0 | new file mode 100644 | 101 | new file mode 100644 |
951 | index 0000000..4933982 | |||
952 | --- /dev/null | |||
953 | +++ b/debian/shim-signed.postrm | |||
954 | @@ -0,0 +1,10 @@ | |||
955 | 1 | #!/bin/sh | ||
956 | 2 | set -e | ||
957 | 3 | |||
958 | 4 | case $1 in | ||
959 | 5 | purge) | ||
960 | 6 | rm -rf /var/lib/shim-signed | ||
961 | 7 | ;; | ||
962 | 8 | esac | ||
963 | 9 | |||
964 | 10 | #DEBHELPER# | ||
965 | diff --git a/debian/shim-signed.triggers b/debian/shim-signed.triggers | |||
966 | 0 | new file mode 100644 | 11 | new file mode 100644 |
967 | index 0000000..2b33128 | |||
968 | --- /dev/null | |||
969 | +++ b/debian/shim-signed.triggers | |||
970 | @@ -0,0 +1 @@ | |||
971 | 1 | interest-noawait shim-secureboot-policy | ||
972 | diff --git a/debian/source/format b/debian/source/format | |||
973 | index 163aaf8..74559ab 100644 | |||
974 | --- a/debian/source/format | |||
975 | +++ b/debian/source/format | |||
976 | @@ -1 +1,5 @@ | |||
977 | 1 | <<<<<<< debian/source/format | ||
978 | 1 | 3.0 (quilt) | 2 | 3.0 (quilt) |
979 | 3 | ======= | ||
980 | 4 | 3.0 (native) | ||
981 | 5 | >>>>>>> debian/source/format | ||
982 | diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py | |||
983 | 2 | new file mode 100644 | 6 | new file mode 100644 |
984 | index 0000000..6df7f28 | |||
985 | --- /dev/null | |||
986 | +++ b/debian/source_shim-signed.py | |||
987 | @@ -0,0 +1,58 @@ | |||
988 | 1 | '''apport package hook for shim and shim-signed | ||
989 | 2 | |||
990 | 3 | (c) 2015 Canonical Ltd. | ||
991 | 4 | Author: Brian Murray <brian@ubuntu.com> | ||
992 | 5 | ''' | ||
993 | 6 | |||
994 | 7 | import errno | ||
995 | 8 | import os | ||
996 | 9 | import re | ||
997 | 10 | |||
998 | 11 | from apport.hookutils import ( | ||
999 | 12 | command_available, | ||
1000 | 13 | command_output, | ||
1001 | 14 | recent_syslog, | ||
1002 | 15 | attach_file, | ||
1003 | 16 | attach_root_command_outputs) | ||
1004 | 17 | |||
1005 | 18 | efiarch = {'amd64': 'x64', | ||
1006 | 19 | 'i386': 'ia32', | ||
1007 | 20 | 'arm64': 'aa64' | ||
1008 | 21 | } | ||
1009 | 22 | grubarch = {'amd64': 'x86_64', | ||
1010 | 23 | 'i386': 'i386', | ||
1011 | 24 | 'arm64': 'arm64' | ||
1012 | 25 | } | ||
1013 | 26 | |||
1014 | 27 | def add_info(report, ui): | ||
1015 | 28 | efiboot = '/boot/efi/EFI/ubuntu' | ||
1016 | 29 | if command_available('efibootmgr'): | ||
1017 | 30 | report['EFIBootMgr'] = command_output(['efibootmgr', '-v']) | ||
1018 | 31 | else: | ||
1019 | 32 | report['EFIBootMgr'] = 'efibootmgr not available' | ||
1020 | 33 | commands = {} | ||
1021 | 34 | try: | ||
1022 | 35 | directory = os.stat(efiboot) | ||
1023 | 36 | except OSError as e: | ||
1024 | 37 | if e.errno == errno.ENOENT: | ||
1025 | 38 | report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing' | ||
1026 | 39 | return | ||
1027 | 40 | if e.errno == errno.EACCES: | ||
1028 | 41 | directory= True | ||
1029 | 42 | if directory: | ||
1030 | 43 | arch = report['Architecture'] | ||
1031 | 44 | commands['BootEFIContents'] = 'ls %s' % efiboot | ||
1032 | 45 | commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch]) | ||
1033 | 46 | commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch]) | ||
1034 | 47 | |||
1035 | 48 | efivars_dir = '/sys/firmware/efi/efivars' | ||
1036 | 49 | sb_var = os.path.join(efivars_dir, | ||
1037 | 50 | 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c') | ||
1038 | 51 | mok_var = os.path.join(efivars_dir, | ||
1039 | 52 | 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23') | ||
1040 | 53 | |||
1041 | 54 | attach_file(report, '/proc/sys/kernel/moksbstate_disabled') | ||
1042 | 55 | commands['SecureBoot'] = 'od -An -t u1 %s' % sb_var | ||
1043 | 56 | commands['MokSBStateRT'] = 'od -An -t u1 %s' % mok_var | ||
1044 | 57 | attach_root_command_outputs(report, commands) | ||
1045 | 58 | report['EFITables'] = recent_syslog(re.compile(r'(efi|esrt):|Secure boot')) | ||
1046 | diff --git a/debian/templates b/debian/templates | |||
1047 | 0 | new file mode 100644 | 59 | new file mode 100644 |
1048 | index 0000000..0d2d968 | |||
1049 | --- /dev/null | |||
1050 | +++ b/debian/templates | |||
1051 | @@ -0,0 +1,53 @@ | |||
1052 | 1 | Template: shim/title/secureboot | ||
1053 | 2 | Type: text | ||
1054 | 3 | _Description: Configuring Secure Boot | ||
1055 | 4 | |||
1056 | 5 | Template: shim/error/bad_secureboot_key | ||
1057 | 6 | Type: error | ||
1058 | 7 | _Description: Invalid password | ||
1059 | 8 | The Secure Boot key you've entered is not valid. The password used must be | ||
1060 | 9 | between 8 and 16 characters. | ||
1061 | 10 | |||
1062 | 11 | Template: shim/enable_secureboot | ||
1063 | 12 | Type: boolean | ||
1064 | 13 | Default: false | ||
1065 | 14 | _Description: Enroll a new Machine-Owner Key? | ||
1066 | 15 | A new Machine-Owner key has been generated for this system to use when | ||
1067 | 16 | signing third-party drivers. This key now needs to be enrolled in your | ||
1068 | 17 | firmware, which will be done at the next reboot. | ||
1069 | 18 | . | ||
1070 | 19 | If Secure Boot validation was previously disabled on your system, validation | ||
1071 | 20 | will also be re-enabled as part of this key enrollment process. | ||
1072 | 21 | |||
1073 | 22 | Template: shim/secureboot_explanation | ||
1074 | 23 | Type: note | ||
1075 | 24 | _Description: Your system has UEFI Secure Boot enabled. | ||
1076 | 25 | UEFI Secure Boot requires additional configuration to work with third-party | ||
1077 | 26 | drivers. | ||
1078 | 27 | . | ||
1079 | 28 | The system will assist you in configuring UEFI Secure Boot. To permit the | ||
1080 | 29 | use of third-party drivers, a new Machine-Owner Key (MOK) has been generated. | ||
1081 | 30 | This key now needs to be enrolled in your system's firmware. | ||
1082 | 31 | . | ||
1083 | 32 | To ensure that this change is being made by you as an authorized user, and | ||
1084 | 33 | not by an attacker, you must choose a password now and then confirm the | ||
1085 | 34 | change after reboot using the same password, in both the "Enroll MOK" and | ||
1086 | 35 | "Change Secure Boot state" menus that will be presented to you when this | ||
1087 | 36 | system reboots. | ||
1088 | 37 | . | ||
1089 | 38 | If you proceed but do not confirm the password upon reboot, Ubuntu | ||
1090 | 39 | will still be able to boot on your system but any hardware that requires | ||
1091 | 40 | third-party drivers to work correctly may not be usable. | ||
1092 | 41 | |||
1093 | 42 | Template: shim/secureboot_key | ||
1094 | 43 | Type: string | ||
1095 | 44 | _Description: Enter a password for Secure Boot. It will be asked again after a reboot. | ||
1096 | 45 | |||
1097 | 46 | Template: shim/secureboot_key_again | ||
1098 | 47 | Type: string | ||
1099 | 48 | _Description: Enter the same password again to verify you have typed it correctly. | ||
1100 | 49 | |||
1101 | 50 | Template: shim/error/secureboot_key_mismatch | ||
1102 | 51 | Type: error | ||
1103 | 52 | _Description: Password input error | ||
1104 | 53 | The two passwords you entered were not the same. Please try again. | ||
1105 | diff --git a/download-signed b/download-signed | |||
1106 | 0 | new file mode 100755 | 54 | new file mode 100755 |
1107 | index 0000000..0793696 | |||
1108 | --- /dev/null | |||
1109 | +++ b/download-signed | |||
1110 | @@ -0,0 +1,183 @@ | |||
1111 | 1 | #! /usr/bin/python3 | ||
1112 | 2 | |||
1113 | 3 | import hashlib | ||
1114 | 4 | import argparse | ||
1115 | 5 | import os | ||
1116 | 6 | import re | ||
1117 | 7 | import sys | ||
1118 | 8 | import tarfile | ||
1119 | 9 | from urllib import request | ||
1120 | 10 | from urllib.error import HTTPError | ||
1121 | 11 | from urllib.parse import ( | ||
1122 | 12 | urlparse, | ||
1123 | 13 | urlunparse, | ||
1124 | 14 | ) | ||
1125 | 15 | |||
1126 | 16 | import apt | ||
1127 | 17 | |||
1128 | 18 | # package_name: package containing the objects we signed | ||
1129 | 19 | # package_version: package version containing the objects we signed | ||
1130 | 20 | # src_package: source package name in dists | ||
1131 | 21 | # signed_type: 'signed' or 'uefi' schema in the url | ||
1132 | 22 | |||
1133 | 23 | parser = argparse.ArgumentParser() | ||
1134 | 24 | parser.add_argument( | ||
1135 | 25 | "package_name", | ||
1136 | 26 | help="package containining the objects we signed") | ||
1137 | 27 | parser.add_argument( | ||
1138 | 28 | "package_version", | ||
1139 | 29 | help="package version containing the objects we signed, or 'current'") | ||
1140 | 30 | parser.add_argument( | ||
1141 | 31 | "src_package", | ||
1142 | 32 | help="source package name in dists") | ||
1143 | 33 | parser.add_argument( | ||
1144 | 34 | "signed_type", | ||
1145 | 35 | nargs='?', | ||
1146 | 36 | default='signed', | ||
1147 | 37 | help="subdirectory type in the url, 'signed' or 'uefi'") | ||
1148 | 38 | args = parser.parse_args() | ||
1149 | 39 | |||
1150 | 40 | |||
1151 | 41 | class SignedDownloader: | ||
1152 | 42 | """Download a block of signed information from dists. | ||
1153 | 43 | |||
1154 | 44 | Find a block of signed information as published in dists/*/signed | ||
1155 | 45 | and download the contents. Use the contained checksum files to | ||
1156 | 46 | identify the members and to validate them once downloaded. | ||
1157 | 47 | """ | ||
1158 | 48 | |||
1159 | 49 | def __init__(self, package_name, package_version, src_package, signed_type='signed'): | ||
1160 | 50 | self.package_name = package_name | ||
1161 | 51 | self.package_version = package_version | ||
1162 | 52 | self.src_package = src_package | ||
1163 | 53 | |||
1164 | 54 | # Find the package in the available archive repositories. Use a _binary_ | ||
1165 | 55 | # package name and version to locate the appropriate archive. Then use the | ||
1166 | 56 | # URI there to look for and find the appropriate binary. | ||
1167 | 57 | cache = apt.Cache() | ||
1168 | 58 | |||
1169 | 59 | self.package = None | ||
1170 | 60 | if self.package_version == "current": | ||
1171 | 61 | self.package = cache[package_name].candidate | ||
1172 | 62 | else: | ||
1173 | 63 | for version in cache[package_name].versions: | ||
1174 | 64 | if version.version == self.package_version: | ||
1175 | 65 | self.package = version | ||
1176 | 66 | break | ||
1177 | 67 | |||
1178 | 68 | if not self.package: | ||
1179 | 69 | raise KeyError("{0}: package version not found".format(self.package_name)) | ||
1180 | 70 | |||
1181 | 71 | origin = self.package.origins[0] | ||
1182 | 72 | pool_parsed = urlparse(self.package.uri) | ||
1183 | 73 | self.package_dir = "%s/%s/%s/%s-%s/%s/" % ( | ||
1184 | 74 | origin.archive, 'main', signed_type, | ||
1185 | 75 | self.src_package, self.package.architecture, self.package_version) | ||
1186 | 76 | |||
1187 | 77 | # Prepare the master url stem and pull out any username/password. If present | ||
1188 | 78 | # replace the default opener with one which offers that password. | ||
1189 | 79 | dists_parsed_master = list(pool_parsed) | ||
1190 | 80 | if '@' in dists_parsed_master[1]: | ||
1191 | 81 | (username_password, host) = pool_parsed[1].split('@', 1) | ||
1192 | 82 | (username, password) = username_password.split(':', 1) | ||
1193 | 83 | |||
1194 | 84 | dists_parsed_master[1] = host | ||
1195 | 85 | |||
1196 | 86 | # Work out the authentication domain. | ||
1197 | 87 | domain_parsed = [ dists_parsed_master[0], dists_parsed_master[1], '/', None, None, None ] | ||
1198 | 88 | auth_uri = urlunparse(domain_parsed) | ||
1199 | 89 | |||
1200 | 90 | # create a password manager | ||
1201 | 91 | password_mgr = request.HTTPPasswordMgrWithDefaultRealm() | ||
1202 | 92 | |||
1203 | 93 | # Add the username and password. | ||
1204 | 94 | # If we knew the realm, we could use it instead of None. | ||
1205 | 95 | password_mgr.add_password(None, auth_uri, username, password) | ||
1206 | 96 | |||
1207 | 97 | handler = request.HTTPBasicAuthHandler(password_mgr) | ||
1208 | 98 | |||
1209 | 99 | # create "opener" (OpenerDirector instance) | ||
1210 | 100 | opener = request.build_opener(handler) | ||
1211 | 101 | |||
1212 | 102 | # Now all calls to urllib.request.urlopen use our opener. | ||
1213 | 103 | request.install_opener(opener) | ||
1214 | 104 | |||
1215 | 105 | self.dists_parsed = dists_parsed_master | ||
1216 | 106 | |||
1217 | 107 | def download_one(self, member, filename, hash_factory=None): | ||
1218 | 108 | directory = os.path.dirname(filename) | ||
1219 | 109 | if not os.path.exists(directory): | ||
1220 | 110 | os.makedirs(directory) | ||
1221 | 111 | |||
1222 | 112 | dists_parsed = list(self.dists_parsed) | ||
1223 | 113 | dists_parsed[2] = re.sub(r"/pool/.*", "/dists/" + self.package_dir + \ | ||
1224 | 114 | member, dists_parsed[2]) | ||
1225 | 115 | dists_uri = urlunparse(dists_parsed) | ||
1226 | 116 | |||
1227 | 117 | print("Downloading %s ... " % dists_uri, end='') | ||
1228 | 118 | sys.stdout.flush() | ||
1229 | 119 | try: | ||
1230 | 120 | with request.urlopen(dists_uri) as dists, open(filename, "wb") as out: | ||
1231 | 121 | hashobj = None | ||
1232 | 122 | if hash_factory: | ||
1233 | 123 | hashobj = hash_factory() | ||
1234 | 124 | for chunk in iter(lambda: dists.read(256 * 1024), b''): | ||
1235 | 125 | if hashobj: | ||
1236 | 126 | hashobj.update(chunk) | ||
1237 | 127 | out.write(chunk) | ||
1238 | 128 | checksum = True | ||
1239 | 129 | if hashobj: | ||
1240 | 130 | checksum = hashobj.hexdigest() | ||
1241 | 131 | except HTTPError as e: | ||
1242 | 132 | if e.code == 404: | ||
1243 | 133 | print("not found") | ||
1244 | 134 | else: | ||
1245 | 135 | raise | ||
1246 | 136 | else: | ||
1247 | 137 | print("found") | ||
1248 | 138 | return checksum | ||
1249 | 139 | return None | ||
1250 | 140 | |||
1251 | 141 | def download(self, base): | ||
1252 | 142 | """Download an entire signed result from dists.""" | ||
1253 | 143 | |||
1254 | 144 | # Download the checksums and use that to download the contents. | ||
1255 | 145 | sums = 'SHA256SUMS' | ||
1256 | 146 | sums_local = os.path.join(base, self.package_version, sums) | ||
1257 | 147 | if not self.download_one(sums, sums_local): | ||
1258 | 148 | print('download-signed: {0}: not found'.format(sums)) | ||
1259 | 149 | sys.exit(1) | ||
1260 | 150 | |||
1261 | 151 | # Read the checksum file and download the files it mentions. | ||
1262 | 152 | here = os.path.abspath(base) | ||
1263 | 153 | with open(sums_local) as sfd: | ||
1264 | 154 | for line in sfd: | ||
1265 | 155 | line = line.strip() | ||
1266 | 156 | (checksum_expected, member) = (line[0:64], line[66:]) | ||
1267 | 157 | filename = os.path.abspath(os.path.join(base, self.package_version, member)) | ||
1268 | 158 | if not filename.startswith(here): | ||
1269 | 159 | print('download-signed: {0}: member outside output directory'.format(member)) | ||
1270 | 160 | sys.exit(1) | ||
1271 | 161 | |||
1272 | 162 | # Download and checksum this member. | ||
1273 | 163 | checksum_actual = self.download_one(member, filename, hashlib.sha256) | ||
1274 | 164 | if checksum_expected != checksum_actual: | ||
1275 | 165 | print('download-signed: {0}: member checksum invalid'.format(member)) | ||
1276 | 166 | sys.exit(1) | ||
1277 | 167 | |||
1278 | 168 | # If this is a tarball result then extract it. | ||
1279 | 169 | here = os.path.abspath(os.path.join(base, self.package_version)) | ||
1280 | 170 | tarball_filename = os.path.join(base, self.package_version, 'signed.tar.gz') | ||
1281 | 171 | if os.path.exists(tarball_filename): | ||
1282 | 172 | with tarfile.open(tarball_filename) as tarball: | ||
1283 | 173 | for tarinfo in tarball: | ||
1284 | 174 | if not filename.startswith(here): | ||
1285 | 175 | print('download-signed: {0}: tarball member outside output directory'.format(member)) | ||
1286 | 176 | sys.exit(1) | ||
1287 | 177 | for tarinfo in tarball: | ||
1288 | 178 | print('Extracting {0} ...'.format(tarinfo.name)) | ||
1289 | 179 | tarball.extract(tarinfo, base) | ||
1290 | 180 | |||
1291 | 181 | |||
1292 | 182 | downloader = SignedDownloader(**vars(args)) | ||
1293 | 183 | downloader.download('.') | ||
1294 | diff --git a/openssl.cnf b/openssl.cnf | |||
1295 | 0 | new file mode 100644 | 184 | new file mode 100644 |
1296 | index 0000000..5a4f734 | |||
1297 | --- /dev/null | |||
1298 | +++ b/openssl.cnf | |||
1299 | @@ -0,0 +1,27 @@ | |||
1300 | 1 | HOME = /var/lib/shim-signed/mok | ||
1301 | 2 | RANDFILE = /var/lib/shim-signed/mok/.rnd | ||
1302 | 3 | |||
1303 | 4 | [ req ] | ||
1304 | 5 | distinguished_name = req_distinguished_name | ||
1305 | 6 | x509_extensions = v3_ca | ||
1306 | 7 | string_mask = utf8only | ||
1307 | 8 | |||
1308 | 9 | [ req_distinguished_name ] | ||
1309 | 10 | |||
1310 | 11 | [ v3_ca ] | ||
1311 | 12 | subjectKeyIdentifier = hash | ||
1312 | 13 | authorityKeyIdentifier = keyid:always,issuer | ||
1313 | 14 | basicConstraints = critical,CA:FALSE | ||
1314 | 15 | |||
1315 | 16 | # We use extended key usage information to limit what this auto-generated | ||
1316 | 17 | # key can be used for. | ||
1317 | 18 | # | ||
1318 | 19 | # codeSigning: specifies that this key is used to sign code. | ||
1319 | 20 | # | ||
1320 | 21 | # 1.3.6.1.4.1.2312.16.1.2: defines this key as used for module signing | ||
1321 | 22 | # only. See https://lkml.org/lkml/2015/8/26/741. | ||
1322 | 23 | # | ||
1323 | 24 | extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2 | ||
1324 | 25 | |||
1325 | 26 | nsComment = "OpenSSL Generated Certificate" | ||
1326 | 27 | |||
1327 | diff --git a/shimaa64.efi.signed b/shimaa64.efi.signed | |||
1328 | 0 | new file mode 100644 | 28 | new file mode 100644 |
1329 | index 0000000..f14323e | |||
1330 | 1 | Binary files /dev/null and b/shimaa64.efi.signed differ | 29 | Binary files /dev/null and b/shimaa64.efi.signed differ |
1331 | diff --git a/shimx64.efi.signed b/shimx64.efi.signed | |||
1332 | 2 | new file mode 100644 | 30 | new file mode 100644 |
1333 | index 0000000..0ac0d6f | |||
1334 | 3 | Binary files /dev/null and b/shimx64.efi.signed differ | 31 | Binary files /dev/null and b/shimx64.efi.signed differ |
1335 | diff --git a/update-secureboot-policy b/update-secureboot-policy | |||
1336 | 4 | new file mode 100755 | 32 | new file mode 100755 |
1337 | index 0000000..7ec61a7 | |||
1338 | --- /dev/null | |||
1339 | +++ b/update-secureboot-policy | |||
1340 | @@ -0,0 +1,297 @@ | |||
1341 | 1 | #!/bin/sh | ||
1342 | 2 | set -e | ||
1343 | 3 | |||
1344 | 4 | if test $# = 0 \ | ||
1345 | 5 | && test x"$SHIM_NOTRIGGER" = x \ | ||
1346 | 6 | && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \ | ||
1347 | 7 | && dpkg-trigger --check-supported 2>/dev/null | ||
1348 | 8 | then | ||
1349 | 9 | if dpkg-trigger --no-await shim-secureboot-policy; then | ||
1350 | 10 | if test x"$SHIM_TRIGGER_DEBUG" != x; then | ||
1351 | 11 | echo "shim: wrapper deferring policy update (trigger activated)" | ||
1352 | 12 | fi | ||
1353 | 13 | exit 0 | ||
1354 | 14 | fi | ||
1355 | 15 | fi | ||
1356 | 16 | |||
1357 | 17 | if [ "$(id -u)" -ne 0 ]; then | ||
1358 | 18 | echo "$0: Permission denied" | ||
1359 | 19 | exit 1 | ||
1360 | 20 | fi | ||
1361 | 21 | |||
1362 | 22 | do_enroll=0 | ||
1363 | 23 | do_toggle=0 | ||
1364 | 24 | |||
1365 | 25 | efivars=/sys/firmware/efi/efivars | ||
1366 | 26 | secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | ||
1367 | 27 | moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 | ||
1368 | 28 | |||
1369 | 29 | SB_KEY="/var/lib/shim-signed/mok/MOK.der" | ||
1370 | 30 | SB_PRIV="/var/lib/shim-signed/mok/MOK.priv" | ||
1371 | 31 | |||
1372 | 32 | OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list" | ||
1373 | 33 | NEW_DKMS_LIST="${OLD_DKMS_LIST}.new" | ||
1374 | 34 | |||
1375 | 35 | touch $OLD_DKMS_LIST | ||
1376 | 36 | |||
1377 | 37 | dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \ | ||
1378 | 38 | | LC_ALL=C sort) | ||
1379 | 39 | dkms_modules=$(echo "$dkms_list" | wc -l) | ||
1380 | 40 | |||
1381 | 41 | . /usr/share/debconf/confmodule | ||
1382 | 42 | |||
1383 | 43 | update_dkms_list() | ||
1384 | 44 | { | ||
1385 | 45 | echo "$dkms_list" > $NEW_DKMS_LIST | ||
1386 | 46 | } | ||
1387 | 47 | |||
1388 | 48 | save_dkms_list() | ||
1389 | 49 | { | ||
1390 | 50 | mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST" | ||
1391 | 51 | } | ||
1392 | 52 | |||
1393 | 53 | clear_new_dkms_list() | ||
1394 | 54 | { | ||
1395 | 55 | rm "$NEW_DKMS_LIST" | ||
1396 | 56 | } | ||
1397 | 57 | |||
1398 | 58 | new_dkms_module() | ||
1399 | 59 | { | ||
1400 | 60 | # handle nvidia module specially because it changed path | ||
1401 | 61 | if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then | ||
1402 | 62 | # nvidia module is newly added | ||
1403 | 63 | return 0 | ||
1404 | 64 | fi | ||
1405 | 65 | |||
1406 | 66 | # return 0 if there is any other new module | ||
1407 | 67 | env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia" | ||
1408 | 68 | } | ||
1409 | 69 | |||
1410 | 70 | show_dkms_list_changes() | ||
1411 | 71 | { | ||
1412 | 72 | diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2 | ||
1413 | 73 | } | ||
1414 | 74 | |||
1415 | 75 | validate_password() | ||
1416 | 76 | { | ||
1417 | 77 | db_capb | ||
1418 | 78 | if [ "$key" != "$again" ]; then | ||
1419 | 79 | db_fset shim/error/secureboot_key_mismatch seen false | ||
1420 | 80 | db_input critical shim/error/secureboot_key_mismatch || true | ||
1421 | 81 | STATE=$(($STATE - 2)) | ||
1422 | 82 | else | ||
1423 | 83 | length=$((`echo "$key" | wc -c` - 1)) | ||
1424 | 84 | if [ $length -lt 8 ] || [ $length -gt 16 ]; then | ||
1425 | 85 | db_fset shim/error/bad_secureboot_key seen false | ||
1426 | 86 | db_input critical shim/error/bad_secureboot_key || true | ||
1427 | 87 | STATE=$(($STATE - 2)) | ||
1428 | 88 | elif [ $length -ne 0 ]; then | ||
1429 | 89 | return 0 | ||
1430 | 90 | fi | ||
1431 | 91 | fi | ||
1432 | 92 | |||
1433 | 93 | return 1 | ||
1434 | 94 | } | ||
1435 | 95 | |||
1436 | 96 | clear_passwords() | ||
1437 | 97 | { | ||
1438 | 98 | # Always clear secureboot key. | ||
1439 | 99 | db_set shim/secureboot_key '' | ||
1440 | 100 | db_fset shim/secureboot_key seen false | ||
1441 | 101 | db_set shim/secureboot_key_again '' | ||
1442 | 102 | db_fset shim/secureboot_key_again seen false | ||
1443 | 103 | } | ||
1444 | 104 | |||
1445 | 105 | toggle_validation() | ||
1446 | 106 | { | ||
1447 | 107 | local key="$1" | ||
1448 | 108 | local again="$2" | ||
1449 | 109 | |||
1450 | 110 | echo "Enabling shim validation." | ||
1451 | 111 | printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --enable-validation >/dev/null || true | ||
1452 | 112 | } | ||
1453 | 113 | |||
1454 | 114 | enroll_mok() | ||
1455 | 115 | { | ||
1456 | 116 | local key="$1" | ||
1457 | 117 | local again="$2" | ||
1458 | 118 | |||
1459 | 119 | echo "Adding '$SB_KEY' to shim:" | ||
1460 | 120 | printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true | ||
1461 | 121 | } | ||
1462 | 122 | |||
1463 | 123 | do_it() | ||
1464 | 124 | { | ||
1465 | 125 | STATE=1 | ||
1466 | 126 | db_settitle shim/title/secureboot | ||
1467 | 127 | while true; do | ||
1468 | 128 | case "$STATE" in | ||
1469 | 129 | 1) | ||
1470 | 130 | db_capb | ||
1471 | 131 | db_fset shim/secureboot_explanation seen false | ||
1472 | 132 | db_input critical shim/secureboot_explanation || true | ||
1473 | 133 | ;; | ||
1474 | 134 | 2) | ||
1475 | 135 | if [ "$do_toggle" -eq 1 ]; then | ||
1476 | 136 | # Force no backtracking here; otherwise the GNOME backend | ||
1477 | 137 | # might allow it due to displaying the explanation just before. | ||
1478 | 138 | # Fixes LP: #1767091 | ||
1479 | 139 | db_capb | ||
1480 | 140 | # Allow the user to skip toggling Secure Boot. | ||
1481 | 141 | db_fset shim/enable_secureboot seen false | ||
1482 | 142 | db_input critical shim/enable_secureboot || true | ||
1483 | 143 | db_go | ||
1484 | 144 | |||
1485 | 145 | db_get shim/enable_secureboot | ||
1486 | 146 | if [ "$RET" = "false" ]; then | ||
1487 | 147 | break | ||
1488 | 148 | fi | ||
1489 | 149 | fi | ||
1490 | 150 | ;; | ||
1491 | 151 | 3) | ||
1492 | 152 | |||
1493 | 153 | db_input critical shim/secureboot_key || true | ||
1494 | 154 | seen_key=$RET | ||
1495 | 155 | db_input critical shim/secureboot_key_again || true | ||
1496 | 156 | ;; | ||
1497 | 157 | 4) | ||
1498 | 158 | db_get shim/secureboot_key | ||
1499 | 159 | key="$RET" | ||
1500 | 160 | db_get shim/secureboot_key_again | ||
1501 | 161 | again="$RET" | ||
1502 | 162 | |||
1503 | 163 | if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then | ||
1504 | 164 | echo "Running in non-interactive mode, doing nothing." >&2 | ||
1505 | 165 | |||
1506 | 166 | if new_dkms_module; then | ||
1507 | 167 | show_dkms_list_changes | ||
1508 | 168 | clear_new_dkms_list | ||
1509 | 169 | exit 1 | ||
1510 | 170 | else | ||
1511 | 171 | exit 0 | ||
1512 | 172 | fi | ||
1513 | 173 | fi | ||
1514 | 174 | |||
1515 | 175 | if validate_password; then | ||
1516 | 176 | if [ $do_toggle -eq 1 ]; then | ||
1517 | 177 | toggle_validation "$key" "$again" | ||
1518 | 178 | fi | ||
1519 | 179 | if [ $do_enroll -eq 1 ]; then | ||
1520 | 180 | enroll_mok "$key" "$again" | ||
1521 | 181 | fi | ||
1522 | 182 | save_dkms_list | ||
1523 | 183 | fi | ||
1524 | 184 | |||
1525 | 185 | clear_passwords | ||
1526 | 186 | ;; | ||
1527 | 187 | *) | ||
1528 | 188 | break | ||
1529 | 189 | ;; | ||
1530 | 190 | esac | ||
1531 | 191 | |||
1532 | 192 | if db_go; then | ||
1533 | 193 | STATE=$(($STATE + 1)) | ||
1534 | 194 | else | ||
1535 | 195 | STATE=$(($STATE - 1)) | ||
1536 | 196 | fi | ||
1537 | 197 | db_capb backup | ||
1538 | 198 | done | ||
1539 | 199 | db_capb | ||
1540 | 200 | } | ||
1541 | 201 | |||
1542 | 202 | validate_actions() { | ||
1543 | 203 | # Validate any queued actions before we go try to do them. | ||
1544 | 204 | local moksbstatert=0 | ||
1545 | 205 | |||
1546 | 206 | if ! [ -d $efivars ]; then | ||
1547 | 207 | echo "$efivars not found, aborting." >&2 | ||
1548 | 208 | exit 0 | ||
1549 | 209 | fi | ||
1550 | 210 | |||
1551 | 211 | if ! [ -f $efivars/$secureboot_var ] \ | ||
1552 | 212 | || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] | ||
1553 | 213 | then | ||
1554 | 214 | echo "Secure Boot not enabled on this system." >&2 | ||
1555 | 215 | exit 0 | ||
1556 | 216 | fi | ||
1557 | 217 | |||
1558 | 218 | if [ $dkms_modules -lt 2 ]; then | ||
1559 | 219 | echo "No DKMS modules installed." >&2 | ||
1560 | 220 | exit 0 | ||
1561 | 221 | fi | ||
1562 | 222 | |||
1563 | 223 | if [ -f /proc/sys/kernel/moksbstate_disabled ]; then | ||
1564 | 224 | moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) | ||
1565 | 225 | elif [ -f $efivars/$moksbstatert_var ]; then | ||
1566 | 226 | # MokSBStateRT set to 1 means validation is disabled | ||
1567 | 227 | moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ | ||
1568 | 228 | awk '{ print $NF; }') | ||
1569 | 229 | fi | ||
1570 | 230 | |||
1571 | 231 | # We were asked to enroll a key. This only makes sense if validation | ||
1572 | 232 | # is enabled. | ||
1573 | 233 | if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then | ||
1574 | 234 | do_toggle=1 | ||
1575 | 235 | fi | ||
1576 | 236 | } | ||
1577 | 237 | |||
1578 | 238 | create_mok() | ||
1579 | 239 | { | ||
1580 | 240 | if [ -e "$SB_KEY" ]; then | ||
1581 | 241 | return | ||
1582 | 242 | fi | ||
1583 | 243 | |||
1584 | 244 | echo "Generating a new Secure Boot signing key:" | ||
1585 | 245 | openssl req -config /usr/lib/shim/mok/openssl.cnf \ | ||
1586 | 246 | -subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \ | ||
1587 | 247 | -new -x509 -newkey rsa:2048 \ | ||
1588 | 248 | -nodes -days 36500 -outform DER \ | ||
1589 | 249 | -keyout "$SB_PRIV" \ | ||
1590 | 250 | -out "$SB_KEY" | ||
1591 | 251 | } | ||
1592 | 252 | |||
1593 | 253 | update_dkms_list | ||
1594 | 254 | |||
1595 | 255 | case "$1" in | ||
1596 | 256 | '--enable'|'--disable') | ||
1597 | 257 | echo "Please run mokutil directly to change shim validation behavior." | ||
1598 | 258 | exit 0 | ||
1599 | 259 | ;; | ||
1600 | 260 | |||
1601 | 261 | '--new-key') | ||
1602 | 262 | create_mok | ||
1603 | 263 | exit 0 | ||
1604 | 264 | ;; | ||
1605 | 265 | |||
1606 | 266 | '--enroll-key') | ||
1607 | 267 | if [ -e "$SB_KEY" ]; then | ||
1608 | 268 | if mokutil --test-key "$SB_KEY" | \ | ||
1609 | 269 | grep -qc 'is not'; then | ||
1610 | 270 | do_enroll=1 | ||
1611 | 271 | fi | ||
1612 | 272 | else | ||
1613 | 273 | echo "No MOK found." | ||
1614 | 274 | exit 1 | ||
1615 | 275 | fi | ||
1616 | 276 | ;; | ||
1617 | 277 | |||
1618 | 278 | *) | ||
1619 | 279 | echo "update-secureboot-policy: toggle UEFI Secure Boot in shim" | ||
1620 | 280 | echo | ||
1621 | 281 | echo "\t--new-key\tCreate a new MOK." | ||
1622 | 282 | echo "\t--enroll-key\tEnroll the new MOK for this system in shim." | ||
1623 | 283 | echo "\t--help\t\tThis help text." | ||
1624 | 284 | exit 0 | ||
1625 | 285 | |||
1626 | 286 | esac | ||
1627 | 287 | |||
1628 | 288 | validate_actions | ||
1629 | 289 | |||
1630 | 290 | if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then | ||
1631 | 291 | echo "Nothing to do." | ||
1632 | 292 | exit 0 | ||
1633 | 293 | fi | ||
1634 | 294 | |||
1635 | 295 | do_it | ||
1636 | 296 | |||
1637 | 297 | exit 0 |