Merge ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed into ~ubuntu-core-dev/shim/+git/shim:master

Proposed by Dimitri John Ledkov
Status: Superseded
Proposed branch: ~ubuntu-core-dev/shim/+git/shim-signed:xnox/dual-signed
Merge into: ~ubuntu-core-dev/shim/+git/shim:master
Diff against target: 1637 lines (+1444/-0) (has conflicts)
24 files modified
CanonicalMasterCA.crt (+25/-0)
Makefile (+39/-0)
MicCorUEFCA2011_2011-06-27.crt (+35/-0)
debian/bzr-builddeb.conf (+2/-0)
debian/changelog (+424/-0)
debian/control (+24/-0)
debian/copyright (+9/-0)
debian/lintian-overrides (+1/-0)
debian/po (+1/-0)
debian/real-po/POTFILES.in (+1/-0)
debian/real-po/templates.pot (+110/-0)
debian/rules (+30/-0)
debian/shim-signed.dirs (+2/-0)
debian/shim-signed.install (+7/-0)
debian/shim-signed.links (+1/-0)
debian/shim-signed.postinst (+100/-0)
debian/shim-signed.postrm (+10/-0)
debian/shim-signed.triggers (+1/-0)
debian/source/format (+4/-0)
debian/source_shim-signed.py (+58/-0)
debian/templates (+53/-0)
download-signed (+183/-0)
openssl.cnf (+27/-0)
update-secureboot-policy (+297/-0)
Conflict in Makefile
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/copyright
Conflict in debian/rules
Conflict in debian/source/format
Reviewer Review Type Date Requested Status
Ubuntu Core Development Team Pending
Review via email: mp+388660@code.launchpad.net

This proposal has been superseded by a proposal from 2020-08-04.

Commit message

Construct and ship dual-signed shim.

Currently using shim-canonical provided signed artefacts.


Unmerged commits

8ba0dc3... by Dimitri John Ledkov

Construct and ship dual-signed shim.

b384346... by Dimitri John Ledkov

Construct and ship dual-signed shim.

2786832... by Dimitri John Ledkov

Add download-signed script from linux-signed package

972530c... by Julian Andres Klode

releasing package shim-signed version 1.42

19b9216... by Julian Andres Klode

Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.

68eae8b... by Steve Langasek

releasing package shim-signed version 1.41

de258c9... by Steve Langasek

releasing package shim-signed version 1.40

716983a... by Steve Langasek

Add a versioned dependency on the mokutil that introduces --timeout.

fba9ff6... by Steve Langasek

Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422.

54a591e... by dann frazier

releasing package shim-signed version 1.39

Preview Diff

diff --git a/CanonicalMasterCA.crt b/CanonicalMasterCA.crt
0new file mode 1006440new file mode 100644
index 0000000..55c06d5
--- /dev/null
+++ b/CanonicalMasterCA.crt
@@ -0,0 +1,25 @@
1-----BEGIN CERTIFICATE-----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25-----END CERTIFICATE-----
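diff --git a/Makefile b/Makefile
index 49e14a2..80f7885 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+<<<<<<< Makefile
 default : all
 
 NAME = shim
@@ -263,3 +264,41 @@ archive: tag
 .PHONY : install-deps shim.key
 
 export ARCH CC LD OBJCOPY EFI_INCLUDE
+=======
+SHIM_CANONICAL_VERSION=$(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned)
+
+check:
+	mkdir -p build
+	# Verifying that the image is signed with the correct key.
+	#sbverify --cert cyphermox.crt shimx64.efi.signed
+	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_BASE).signed
+	# Verifying that we have the correct binary.
+	sbattach --detach build/detached-sig $(SHIM_BASE).signed
+	cp /usr/lib/shim/$(SHIM_BASE) build/$(SHIM_BASE).signed
+	sbattach --attach build/detached-sig build/$(SHIM_BASE).signed
+	cmp $(SHIM_BASE).signed build/$(SHIM_BASE).signed
+	####
+	# Construct dual-signed shim
+	./download-signed shim-canonical-unsigned $(SHIM_CANONICAL_VERSION) shim-canonical signed
+	# Verify that the downloaded binary has signatures chained to Canonical Master CA
+	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
+	# Detach Canonical signature
+	sbattach --detach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
+	rm $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
+	# Compare that shims are all the same now
+	cmp /usr/lib/shim/$(SHIM_BASE) $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	# Reattach Canonical signature
+	sbattach --attach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	# Verify that attachment worked
+	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	# Attach Microsoft signature
+	sbattach --attach build/detached-sig $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	# Validate that this shim is now dualsigned
+	sbverify --list $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
+	cp $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).dualsigned
+
+clean:
+	rm -rf build $(SHIM_CANONICAL_VERSION) $shim_boot.csv BOOT$(EFI_ARCH).CSV
+>>>>>>> Makefile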
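Review bot: `SHIM_CANONICAL_VERSION` is assigned with `=`, so `dpkg-query` is re-run for every one of the ten references in the `check` recipe, and when `shim-canonical-unsigned` is not installed it expands to empty, so `./download-signed` is invoked with a blank version and nothing in the recipe notices. Use simple assignment and fail at parse time: `SHIM_CANONICAL_VERSION := $(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned)` followed by `$(if $(strip $(SHIM_CANONICAL_VERSION)),,$(error shim-canonical-unsigned is not installed))`. On the `clean` line make reads `$shim_boot.csv` as the single-letter variable `$s` (empty) followed by `him_boot.csv`, so the intended file is never removed; write `shim_boot.csv` or `$(shim_boot).csv`, whichever was meant. `check` and `clean` are command targets and belong in a `.PHONY:` line, and the whole hunk sits inside an unresolved `<<<<<<<`/`>>>>>>>` conflict block that must be resolved before this Makefile parses at all. The `cmp` against the locally installed `/usr/lib/shim/$(SHIM_BASE)` together with the `sbverify` after reattachment is what ties the network-fetched signature to a known payload, so those two lines should stay mandatory and never be made best-effort.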
diff --git a/MicCorUEFCA2011_2011-06-27.crt b/MicCorUEFCA2011_2011-06-27.crt
266new file mode 100644305new file mode 100644
index 0000000..d7c29ef
--- /dev/null
+++ b/MicCorUEFCA2011_2011-06-27.crt
@@ -0,0 +1,35 @@
1-----BEGIN CERTIFICATE-----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35-----END CERTIFICATE-----
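diff --git a/debian/bzr-builddeb.conf b/debian/bzr-builddeb.conf
new file mode 100644
index 0000000..3a08d60
--- /dev/null
+++ b/debian/bzr-builddeb.conf
@@ -0,0 +1,2 @@
+[BUILDDEB]
+native = True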
diff --git a/debian/changelog b/debian/changelog
index 1e18261..6f2af53 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,4 @@
1<<<<<<< debian/changelog
1shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium2shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium
23
3 * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression4 * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression
@@ -303,3 +304,426 @@ shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
303 * Include the Canonical Secure Boot master CA.304 * Include the Canonical Secure Boot master CA.
304305
305 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700306 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
307=======
308shim-signed (1.43) UNRELEASED; urgency=medium
309
310 * Add download-signed script from linux-signed package
311 * Construct and ship dual-signed shim.
312
313 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Aug 2020 14:23:29 +0100
314
315shim-signed (1.42) groovy; urgency=medium
316
317 * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
318
319 -- Julian Andres Klode <juliank@ubuntu.com> Mon, 03 Aug 2020 12:36:10 +0200
320
321shim-signed (1.41) focal; urgency=medium
322
323 * Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft.
324
325 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Feb 2020 13:04:08 -0800
326
327shim-signed (1.40) focal; urgency=medium
328
329 * Pass --timeout -1 to mokutil so that users don't end up with broken
330 systems by missing MokManager on reboot after install. LP: #1856422.
331 * Add a versioned dependency on the mokutil that introduces --timeout.
332
333 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 14 Dec 2019 20:26:42 -0800
334
335shim-signed (1.39) disco; urgency=medium
336
337 * debian/source_shim-signed.py: Correct EFI architecture name for arm64.
338 * Parameterize code to remove hardcoded x86-isms.
339 * Add arm64 support.
340
341 -- dann frazier <dannf@ubuntu.com> Wed, 14 Nov 2018 11:13:42 -0700
342
343shim-signed (1.38) cosmic; urgency=medium
344
345 * Don't fail non-interactive upgrade of nvidia module and module removals
346 (LP: #1726803)
347
348 -- Balint Reczey <rbalint@ubuntu.com> Thu, 11 Oct 2018 18:12:37 +0200
349
350shim-signed (1.37) cosmic; urgency=medium
351
352 * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
353 * debian/real-po: replace debian/po to make sure things are translatable
354 via Launchpad.
355
356 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 29 Aug 2018 15:43:41 -0400
357
358shim-signed (1.36) cosmic; urgency=medium
359
360 * debian/shim-signed.postinst: use --auto-nvram with grub-install in case
361 we're installing on a NVRAM-unavailable platform.
362 * debian/control: bump the dependency for grub2-common to make sure
363 grub-install supports --auto-nvram.
364 * debian/control: switch the grub-efi-amd64-bin dependency to
365 grub-efi-amd64-signed.
366
367 -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com> Wed, 06 Jun 2018 20:25:57 +0200
368
369shim-signed (1.35) cosmic; urgency=medium
370
371 * update-secureboot-policy: fix quoting for key/again password handling to
372 mokutil. (LP: #1770579)
373 * update-secureboot-policy: don't allow backtracking at the "main" question
374 for whether to enroll a new MOK. (LP: #1767091)
375
376 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 31 May 2018 17:46:46 -0400
377
378shim-signed (1.34.9) bionic; urgency=medium
379
380 * debian/shim-signed.postinst: check for MOK existence rather than ignoring
381 failures in the trigger. (LP: #1766627)
382
383 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 13:24:24 -0400
384
385shim-signed (1.34.8) bionic; urgency=medium
386
387 * debian/shim-signed.postinst: shim-signed's trigger to enroll a new MOK
388 should not fail the upgrade if there was no MOK to enroll. (LP: #1766627)
389
390 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 24 Apr 2018 12:31:25 -0400
391
392shim-signed (1.34.7) bionic; urgency=medium
393
394 * debian/shim-signed.postinst: it's not guaranteed that all linux-image
395 packages currently installed have dkms modules built for them.
396 Gracefully handle any failures in the path for signing existing dkms
397 modules on upgrade due to absent modules. LP: #1766391.
398 * Add a dependency on sbsigntool for kmodsign, which we use directly.
399
400 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Apr 2018 21:47:50 -0700
401
402shim-signed (1.34.6) bionic; urgency=medium
403
404 * debian/shim-signed.postinst: bump lower version for batch-signing module
405 to 1.34.6, to make sure everything is properly signed if people got one
406 of the previous shim-signed packages.
407
408 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 19:52:19 -0400
409
410shim-signed (1.34.5) bionic; urgency=medium
411
412 * Don't try to save new dkms list if we're still dealing with password
413 validation for enrollment. (LP: #1766312)
414 * Specify kernel version when installing/uninstalling modules while doing
415 batch signing on upgrade.
416 * Do a better job at finding kernel modules from DKMS if they are in sub-
417 directories.
418 * Don't prompt if DKMS is installed but there are no DKMS-built modules
419 installed. (LP: #1766261)
420
421 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 23 Apr 2018 15:29:44 -0400
422
423shim-signed (1.34.4) bionic; urgency=medium
424
425 * Handle the case that there are no kernel modules available for a given
426 dkms package. This probably indicates there is a problem with the dkms
427 module's installation, but that should not cause this package's
428 installation to fail. LP: #1765954.
429
430 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 10:13:41 -0700
431
432shim-signed (1.34.3) bionic; urgency=medium
433
434 * Only take the first 31 bytes of the hostname. LP: #1765905.
435
436 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:14:12 -0700
437
438shim-signed (1.34.2) bionic; urgency=medium
439
440 * Handle the case of multiple .kos per dkms module and .kos whose name
441 does not match the dkms package name. LP: #1765647.
442
443 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 21 Apr 2018 01:01:56 -0700
444
445shim-signed (1.34.1) bionic; urgency=medium
446
447 * update-secureboot-policy: don't skip creating a MOK if Secure Boot is not
448 enabled in firmware, but do guard against prompting users on a system that
449 doesn't have efivars mounted or where SB is disabled. (LP: #1765515)
450
451 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 19 Apr 2018 17:56:50 -0400
452
453shim-signed (1.34) bionic; urgency=medium
454
455 * update-secureboot-policy: (LP: #1748983)
456 - Factor out validate_password() and clear_passwords() for reuse.
457 - Add --new-key option to generate a self-signed MOK.
458 - Add --enroll-key option to allow enrolling a new MOK in shim.
459 - Drop --enable and --disable options; users should call mokutil directly
460 instead.
461 * debian/shim-signed.postinst:
462 - When triggered, explicitly try to enroll the available MOK.
463 * debian/shim-signed.install, openssl.cnf: Install some default configuration
464 for creating our self-signed key.
465 * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
466 * debian/templates: update templates for update-secureboot-policy changes.
467 * debian/control: add versioned Breaks: for dkms.
468
469 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 18 Apr 2018 22:35:46 -0400
470
471shim-signed (1.33.1) bionic; urgency=medium
472
473 * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245)
474 * Stop generating and install BOOT.CSV, shim will do that by itself now.
475 * Add Vcs-* fields.
476
477 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 21 Dec 2017 14:33:37 -0500
478
479shim-signed (1.32) artful; urgency=medium
480
481 * Handle cleanup of /var/lib/shim-signed on package purge.
482
483 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:30:42 -0700
484
485shim-signed (1.31) artful; urgency=medium
486
487 * Fix regression in postinst when /var/lib/dkms does not exist.
488 LP: #1700195.
489 * Sort the list of dkms modules when recording.
490
491 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 23 Jun 2017 22:13:40 -0700
492
493shim-signed (1.30) artful; urgency=medium
494
495 * update-secureboot-policy: track the installed DKMS modules so we can skip
496 failing unattended upgrades if they hasn't changed (ie. if no new DKMS
497 modules have been installed, just honour the user's previous decision to
498 not disable shim validation). (LP: #1695578)
499 * update-secureboot-policy: allow re-enabling shim validation when no DKMS
500 packages are installed. (LP: #1673904)
501 * debian/source_shim-signed.py: add the textual representation of SecureBoot
502 and MokSBStateRT EFI variables rather than just adding the files directly;
503 also, make sure we include the relevant EFI bits from kernel log.
504 (LP: #1680279)
505
506 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 23 Jun 2017 14:37:21 -0400
507
508shim-signed (1.29) artful; urgency=medium
509
510 * Makefile: Generate BOOT$arch.CSV, for use with fallback.
511 * debian/rules: make sure we can do per-arch EFI files.
512
513 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 26 Apr 2017 21:36:57 -0400
514
515shim-signed (1.28) zesty; urgency=medium
516
517 * Adjust apport hook to include key files that tell us about the system's
518 current SB state.
519
520 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Apr 2017 15:14:49 -0700
521
522shim-signed (1.27) zesty; urgency=medium
523
524 [ Steve Langasek ]
525 * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
526 Microsoft.
527 * update-secureboot-policy:
528 - detect when we have no debconf prompting and error out instead of ending
529 up in an infinite loop. LP: #1673817.
530 - refactor to make the code easier to follow.
531 - remove a confusing boolean that would always re-prompt on a request to
532 --enable, but not on a request to --disable.
533
534 [ Mathieu Trudel-Lapierre ]
535 * update-secureboot-policy:
536 - some more fixes to properly handle non-interactive mode. (LP: #1673817)
537
538 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 21 Mar 2017 14:28:46 -0400
539
540shim-signed (1.23) zesty; urgency=medium
541
542 * debian/control: bump the Depends on grub2-common since that's needed to
543 install with the new updated EFI binaries filenames.
544
545 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 21 Oct 2016 13:31:05 -0400
546
547shim-signed (1.22) yakkety; urgency=medium
548
549 * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
550 * Update paths now that the shim binary has been renamed to include the
551 target architecture.
552 * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
553 since it's being replaced by mm$arch.efi.
554
555 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 13 Oct 2016 13:49:17 -0400
556
557shim-signed (1.21.3) vivid; urgency=medium
558
559 * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.
560
561 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 06 Oct 2016 19:20:36 -0400
562
563shim-signed (1.21.2) vivid; urgency=medium
564
565 * Revert to signed shim from 0.8-0ubuntu2. (LP: #1624096)
566 - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.
567
568 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 03 Oct 2016 17:17:54 -0400
569
570shim-signed (1.20) yakkety; urgency=medium
571
572 * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
573 (LP: #1581299)
574
575 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 08 Aug 2016 11:14:21 -0400
576
577shim-signed (1.19) yakkety; urgency=medium
578
579 * update-secureboot-policy:
580 - Add a --help option, document other options. (LP: #1604936)
581 - Rework prompting to display our Secure Boot warning and explanation
582 text more prominently, rather than forcing graphical users to hit
583 "Help" to see the full explanation for why we ask about disabling
584 Secure Boot. (LP: #1595611)
585
586 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 02 Aug 2016 11:01:50 -0400
587
588shim-signed (1.18) yakkety; urgency=medium
589
590 * update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is
591 present, prefer this unconditionally over MokSBStateRT. LP: #1604873.
592
593 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 Jul 2016 08:31:17 -0700
594
595shim-signed (1.17) yakkety; urgency=medium
596
597 * update-secureboot-policy: rework setting capabilities to stop having
598 the backup capability while showing an error message; which won't affect
599 the Dialog debconf frontend but otherwise made the GTK frontend confusing.
600 * update-secureboot-policy: all debconf prompts should be at priority
601 critical: there is no good default to pick, we must prompt the user.
602 * debian/templates: make the password inputs be standard inputs; this is an
603 unfortunate workaround to aptdaemon not having access to the debconf
604 password database on desktop; since the frontend runs as an unprivileged
605 user. See bug LP#1599981 (LP: #1599051)
606
607 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 07 Jul 2016 16:58:45 -0400
608
609shim-signed (1.16) yakkety; urgency=medium
610
611 * debian/shim-signed.postinst: call for the trigger on update of shim-signed.
612
613 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 28 Jun 2016 17:34:23 -0400
614
615shim-signed (1.15) yakkety; urgency=medium
616
617 * update-secureboot-policy: validate the state of MokSBStateRT against what
618 the kernel believes it to be via /proc/sys/kernel/moksbstate_disabled,
619 in case we have the kernel which knows about shim's validation policy but
620 an old shim that doesn't export MokSBStateRT.
621
622 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 17 Jun 2016 16:47:40 +0300
623
624shim-signed (1.14) yakkety; urgency=medium
625
626 * update-secureboot-policy:
627 - Make it easier for users to really re-enable Secure Boot via an --enable
628 option.
629 - Don't prompt for action if there are no DKMS packages installed, as per
630 checking if there are any subdirectories in /var/lib/dkms.
631
632 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 07 Jun 2016 16:09:53 -0400
633
634shim-signed (1.13) yakkety; urgency=medium
635
636 * update-secureboot-policy: have a trigger-ready script available to deal
637 with the necessity to change Secure Boot policy on a system.
638 * debian/shim-signed.templates: ship the necessary templates for secureboot.
639 * debian/shim-signed.postinst: Run our trigger script to update Secure Boot
640 policy when necessary at the end of installs, without calling dpkg-trigger
641 again.
642
643 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Mon, 16 May 2016 15:29:27 -0400
644
645shim-signed (1.12) xenial; urgency=medium
646
647 * debian/control: add Depends on mokutil, to ship a way for users to
648 control shim features, such as enrolling new keys.
649
650 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Wed, 16 Dec 2015 10:19:23 -0500
651
652shim-signed (1.11) wily; urgency=medium
653
654 * Add in an apport package hook for shim-signed and shim. (LP: #1490030)
655
656 -- Brian Murray <brian@ubuntu.com> Fri, 11 Sep 2015 15:04:31 -0700
657
658shim-signed (1.10) wily; urgency=medium
659
660 * Add a versioned dependency on grub2-common, so that partial upgrades from
661 Ubuntu 12.04 don't break due to a lack of --target option to grub-install.
662 LP: #1474203.
663
664 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 14 Jul 2015 10:46:41 -0700
665
666shim-signed (1.9) wily; urgency=medium
667
668 * Update to the signed 0.8-0ubuntu2 binary from Microsoft.
669
670 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 07 Jun 2015 19:27:35 +0000
671
672shim-signed (1.8) utopic; urgency=medium
673
674 * Update to the signed 0.7-0ubuntu4 binary from Microsoft.
675
676 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 21 Oct 2014 18:23:15 -0400
677
678shim-signed (1.6) trusty; urgency=low
679
680 * Also add a build-dependency on grub2-common, to ensure that our
681 grub-install is the correct one - since grub-efi-amd64-bin is
682 coinstallable with grub1. LP: #1259558.
683
684 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 10 Dec 2013 09:10:23 -0800
685
686shim-signed (1.5) trusty; urgency=low
687
688 * Pass --target=x86_64-efi to grub-install from the postinst and depend on
689 grub-efi-amd64-bin, so that package upgrades will do the right thing
690 even if the system has been rebooted under BIOS. LP: #1246910.
691 * Kubuntu sets GRUB_DISTRIBUTOR to a different value which doesn't match
692 the path under /boot/efi; fix this up so shim-signed upgrades properly
693 on Kubuntu systems. LP: #1242417.
694
695 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 31 Oct 2013 17:06:21 -0700
696
697shim-signed (1.4) trusty; urgency=low
698
699 * Add a dependency on shim, so that we can pull in MokManager for use.
700 * Update to the signed 0.4-0ubuntu4 binary from Microsoft.
701
702 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 30 Oct 2013 15:04:23 -0700
703
704shim-signed (1.3) saucy; urgency=low
705
706 * Build-depend on sbsigntool (>= 0.6-0ubuntu4) and check the integrity of
707 our signed binary at build time.
708 * Update to the signed 0.4-0ubuntu3 binary from Microsoft.
709
710 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 07 Sep 2013 22:09:22 +0000
711
712shim-signed (1.2) raring; urgency=low
713
714 * Recommend secureboot-db (LP: #1087843).
715
716 -- Colin Watson <cjwatson@ubuntu.com> Sat, 16 Feb 2013 00:02:00 +0000
717
718shim-signed (1.1) quantal-proposed; urgency=low
719
720 * Rev shim-signed for updated shim.
721
722 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 12 Oct 2012 01:42:07 +0000
723
724shim-signed (1.0) quantal; urgency=low
725
726 * Initial release, based on grub2-signed package.
727
728 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 09 Oct 2012 15:48:37 -0700
729>>>>>>> debian/changelog
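diff --git a/debian/control b/debian/control
index c8b8ffa..d30cce8 100644
--- a/debian/control
+++ b/debian/control
@@ -1,3 +1,4 @@
+<<<<<<< debian/control
 Source: shim
 Section: admin
 Priority: optional
@@ -12,8 +13,31 @@ Architecture: amd64 arm64
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Breaks: shim-signed (<< 1.33~)
 Description: boot loader to chain-load signed boot loaders under Secure Boot
+=======
+Source: shim-signed
+Section: utils
+Priority: optional
+Maintainer: Steve Langasek <steve.langasek@ubuntu.com>
+Build-Depends: debhelper (>= 9), dh-exec, shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Standards-Version: 3.9.4
+Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed
+Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed
+
+Package: shim-signed
+Architecture: amd64 arm64
+Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-signed | grub-efi-arm64-signed, grub2-common (>= 2.02-2ubuntu9), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool
+Recommends: secureboot-db
+Built-Using: shim (= ${shim:Version})
+Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
+>>>>>>> debian/control
  This package provides a minimalist boot loader which allows verifying
  signatures of other UEFI binaries against either the Secure Boot DB/DBX or
  against a built-in signature database. Its purpose is to allow a small,
  infrequently-changing binary to be signed by the UEFI CA, while allowing
  an OS distributor to revision their main bootloader independently of the CA.
+<<<<<<< debian/control
+=======
+ .
+ This package contains the version of the bootloader binary signed by the
+ Microsoft UEFI CA.
+>>>>>>> debian/control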
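Review bot: `Build-Depends` on the new side does not list `shim-canonical-unsigned`, yet the Makefile in this same proposal derives `SHIM_CANONICAL_VERSION` from `dpkg-query -W shim-canonical-unsigned` and the dual-signing step depends on that value, so in a clean build chroot the variable expands empty. Add it to the line: `Build-Depends: debhelper (>= 9), dh-exec, shim, shim-canonical-unsigned, sbsigntool (>= 0.6-0ubuntu4), po-debconf`. The `download-signed` step performs a network fetch during the build, which archive builders do not generally allow; confirm how `linux-signed`, where the script comes from, gets its artefacts before relying on it here. The short `Description:` still says `(Microsoft-signed binary)` although the package now also ships a dual-signed shim; say so in the long description so users know which file carries which signatures.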
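diff --git a/debian/copyright b/debian/copyright
index 64b3f57..1debf7d 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,5 +1,6 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: shim
+<<<<<<< debian/copyright
 Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
 Source: https://github.com/rhboot/shim
 
@@ -227,6 +228,14 @@ License: BSD-3-Clause-Intel
  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+=======
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012 Red Hat, Inc
+ 2009-2012 Intel Corporation
+>>>>>>> debian/copyright
 License: BSD-2-Clause
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions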
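diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..5ce68fc
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1 @@
+shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy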
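diff --git a/debian/po b/debian/po
new file mode 120000
index 0000000..081d461
--- /dev/null
+++ b/debian/po
@@ -0,0 +1 @@
+real-po
\ No newline at end of file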
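diff --git a/debian/real-po/POTFILES.in b/debian/real-po/POTFILES.in
new file mode 100644
index 0000000..cef83a3
--- /dev/null
+++ b/debian/real-po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates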
diff --git a/debian/real-po/templates.pot b/debian/real-po/templates.pot
0new file mode 1006442new file mode 100644
index 0000000..5cbebf0
--- /dev/null
+++ b/debian/real-po/templates.pot
@@ -0,0 +1,110 @@
1# SOME DESCRIPTIVE TITLE.
2# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
3# This file is distributed under the same license as the shim-signed package.
4# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
5#
6#, fuzzy
7msgid ""
8msgstr ""
9"Project-Id-Version: shim-signed\n"
10"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n"
11"POT-Creation-Date: 2016-05-04 16:57-0500\n"
12"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
13"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
14"Language-Team: LANGUAGE <LL@li.org>\n"
15"Language: \n"
16"MIME-Version: 1.0\n"
17"Content-Type: text/plain; charset=CHARSET\n"
18"Content-Transfer-Encoding: 8bit\n"
19
20#. Type: text
21#. Description
22#: ../templates:1001
23msgid "Configuring Secure Boot"
24msgstr ""
25
26#. Type: error
27#. Description
28#: ../templates:2001
29msgid "Invalid password"
30msgstr ""
31
32#. Type: error
33#. Description
34#: ../templates:2001
35msgid ""
36"The Secure Boot key you've entered is not valid. The password used must be "
37"between 8 and 16 characters."
38msgstr ""
39
40#. Type: boolean
41#. Description
42#: ../templates:3001
43msgid "Disable UEFI Secure Boot?"
44msgstr ""
45
46#. Type: boolean
47#. Description
48#: ../templates:3001
49msgid ""
50"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible "
51"with the use of third-party drivers."
52msgstr ""
53
54#. Type: boolean
55#. Description
56#: ../templates:3001
57msgid ""
58"The system will assist you in disabling UEFI Secure Boot. To ensure that "
59"this change is being made by you as an authorized user, and not by an "
60"attacker, you must choose a password now and then use the same password "
61"after reboot to confirm the change."
62msgstr ""
63
64#. Type: boolean
65#. Description
66#: ../templates:3001
67msgid ""
68"If you choose to proceed but do not confirm the password upon reboot, Ubuntu "
69"will still be able to boot on your system but these third-party drivers will "
70"not be available for your hardware."
71msgstr ""
72
73#. Type: password
74#. Description
75#: ../templates:4001
76msgid "Password:"
77msgstr ""
78
79#. Type: password
80#. Description
81#: ../templates:4001
82msgid ""
83"Please enter a password for disabling Secure Boot. It will be asked again "
84"after a reboot."
85msgstr ""
86
87#. Type: password
88#. Description
89#: ../templates:5001
90msgid "Re-enter password to verify:"
91msgstr ""
92
93#. Type: password
94#. Description
95#: ../templates:5001
96msgid ""
97"Please enter the same password again to verify you have typed it correctly."
98msgstr ""
99
100#. Type: error
101#. Description
102#: ../templates:6001
103msgid "Password input error"
104msgstr ""
105
106#. Type: error
107#. Description
108#: ../templates:6001
109msgid "The two passwords you entered were not the same. Please try again."
110msgstr ""
diff --git a/debian/rules b/debian/rules
index aa94e7c..c8a6f99 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,3 +1,4 @@
1<<<<<<< debian/rules
1#!/usr/bin/make -f2#!/usr/bin/make -f
23
3# Other vendors, add your certs here. No sense in using4# Other vendors, add your certs here. No sense in using
@@ -46,3 +47,32 @@ override_dh_auto_install:
46override_dh_fixperms:47override_dh_fixperms:
47 dh_fixperms48 dh_fixperms
48 chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi49 chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
50=======
51#! /usr/bin/make -f
52
53VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
54SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
55
56ifeq ($(DEB_TARGET_ARCH),amd64)
57export EFI_ARCH := X64
58endif
59ifeq ($(DEB_TARGET_ARCH),arm64)
60export EFI_ARCH := AA64
61endif
62export SHIM_BASE = shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi
63
64%:
65 dh $@
66
67docdir := debian/shim-signed/usr/share/doc/shim-signed
68
69override_dh_installchangelogs:
70 dh_installchangelogs
71 # Quieten lintian, which otherwise gets confused by our odd version
72 # number.
73 ln $(docdir)/changelog $(docdir)/changelog.Debian
74
75override_dh_gencontrol:
76 dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
77 -Vshim:Version=$(SHIM_VERSION)
78>>>>>>> debian/rules
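Review bot: `export SHIM_BASE = shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi` (new line 62) is a recursive assignment, so the `$(shell …)` fork re-runs on every expansion of SHIM_BASE, and because EFI_ARCH is only set for amd64 and arm64 it silently expands to `shim.efi` on any other architecture; `export SHIM_BASE := shim$(shell echo $(EFI_ARCH) | tr A-Z a-z).efi` plus an `else` branch `$(error unsupported DEB_TARGET_ARCH: $(DEB_TARGET_ARCH))` on the second ifeq would make both explicit. The section still carries the merge markers at new lines 1, 50 and 78, so as proposed debian/rules keeps both `#!/usr/bin/make -f` preambles and does not parse. The `VERSION :=` pipeline on line 53 can be reduced to `dpkg-parsechangelog -SVersion`.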
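--- /dev/null
+++ b/debian/shim-signed.dirs
@@ -0,0 +1,2 @@
+var/lib/shim-signed
+var/lib/shim-signed/mok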
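--- /dev/null
+++ b/debian/shim-signed.install
@@ -0,0 +1,7 @@
+#! /usr/bin/dh-exec
+
+${SHIM_BASE}.signed /usr/lib/shim
+build/${SHIM_BASE}.dualsigned /usr/lib/shim
+openssl.cnf /usr/lib/shim/mok
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/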
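Review bot: Line 4 ships `build/${SHIM_BASE}.dualsigned` next to `${SHIM_BASE}.signed` in /usr/lib/shim, but nothing in this file says which consumer is expected to pick up which artefact; grub-install, called from the postinst, chooses the shim file by its own configuration rather than by anything here. A comment above line 3 along the lines of `# .signed: as received from the external signer; .dualsigned: the same binary with the second signature added by the Makefile` (wording to be confirmed against the Makefile) would document the relationship. The Makefile rule producing build/…dualsigned is outside this section, so whether the signatures are verified before packaging cannot be confirmed from here.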
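--- /dev/null
+++ b/debian/shim-signed.links
@@ -0,0 +1 @@
+usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py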
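--- /dev/null
+++ b/debian/shim-signed.postinst
@@ -0,0 +1,100 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+config_item ()
+{
+ if [ -f /etc/default/grub ]; then
+ . /etc/default/grub || return
+ for x in /etc/default/grub.d/*.cfg; do
+ if [ -e "$x" ]; then
+ . "$x"
+ fi
+ done
+ fi
+ eval echo "\$$1"
+}
+
+sign_dkms_modules()
+{
+ for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`;
+ do
+ for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\ '{print $1"/"$2}'`;
+ do
+ dkms uninstall -k "$kern" "$dkms" || :
+ if ! dkms status -k "$kern" "$dkms" | grep -q 'built$'
+ then
+ cat <<EOF
+
+shim-signed: failed to prepare dkms module for signing; ignoring.
+ module: $dkms
+ kernel: $kern
+EOF
+ continue
+ fi
+ mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko")
+ for mod in $mods; do
+ kmodsign sha512 \
+ /var/lib/shim-signed/mok/MOK.priv \
+ /var/lib/shim-signed/mok/MOK.der \
+ $mod
+ done
+ dkms install -k "$kern" "${dkms}"
+ done
+ done
+}
+
+case $(dpkg --print-architecture) in
+ amd64)
+ grubarch=x86_64-efi
+ ;;
+ arm64)
+ grubarch=arm64-efi
+ ;;
+esac
+case $1 in
+ triggered)
+ if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
+ SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
+ fi
+ ;;
+ configure)
+ bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+ cut -d' ' -f1)"
+ case $bootloader_id in
+ kubuntu) bootloader_id=ubuntu ;;
+ esac
+ if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
+ && which grub-install >/dev/null 2>&1
+ then
+ grub-install --target=${grubarch} --auto-nvram
+ if dpkg --compare-versions "$2" lt-nl "1.22~"; then
+ rm -f /boot/efi/EFI/ubuntu/MokManager.efi
+ fi
+ fi
+
+ # Upgrade case, capture pre-existing DKMS packages.
+ if dpkg --compare-versions "$2" lt-nl "1.30" \
+ && [ -d /var/lib/dkms ]
+ then
+ find /var/lib/dkms -maxdepth 1 -type d -print \
+ | LC_ALL=C sort > /var/lib/shim-signed/dkms-list
+ fi
+
+ # Upgrade case, migrate all existing kernels/dkms module combinations
+ # to self-signed modules.
+ if dpkg --compare-versions "$2" lt "1.34.7" \
+ && [ -d /var/lib/dkms ]
+ then
+ SHIM_NOTRIGGER=y update-secureboot-policy --new-key
+ sign_dkms_modules
+ SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0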
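Review bot: In `sign_dkms_modules` the inner loop (new line 24) lists modules with `dkms status -k $(uname -r)` and the find on line 37 uses `$(uname -m)`, while the uninstall/install on lines 26 and 44 act on `$kern`; for every installed kernel other than the running one the module set therefore comes from the wrong kernel, and `dkms status -k "$kern"` looks like what was intended. The exit status of `kmodsign` (lines 39-42) is not examined, so under `set -e` one failing signature aborts the whole configure step and leaves the remaining kernels unsigned; treating it like the `dkms uninstall` on line 26, or printing the module and continuing, keeps the migration going. `$mods` and `$mod` are unquoted and would split on whitespace in paths, although DKMS module paths normally contain none.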
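--- /dev/null
+++ b/debian/shim-signed.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+case $1 in
+ purge)
+ rm -rf /var/lib/shim-signed
+ ;;
+esac
+
+#DEBHELPER#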
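Review bot: `rm -rf /var/lib/shim-signed` on purge (line 6) deletes MOK.priv and MOK.der while the public key stays enrolled in the firmware MokList, so modules already signed with it keep loading but no new ones can be signed until a fresh key is generated and enrolled. A comment such as `# Purge removes the local MOK key pair only; the copy enrolled in the firmware MokList is left in place.` would make that asymmetry deliberate rather than surprising. The dkms-list state file removed here is recreated by `touch $OLD_DKMS_LIST` in update-secureboot-policy on its next run, so nothing else depends on it surviving.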
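--- /dev/null
+++ b/debian/shim-signed.triggers
@@ -0,0 +1 @@
+interest-noawait shim-secureboot-policy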
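--- a/debian/source/format
+++ b/debian/source/format
@@ -1 +1,5 @@
+<<<<<<< debian/source/format
 3.0 (quilt)
+=======
+3.0 (native)
+>>>>>>> debian/source/format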
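Review bot: The merge markers at new lines 1, 3 and 5 leave two source formats in the file, which dpkg-source rejects outright, so one of them has to be chosen before this can build. `3.0 (native)` presumably comes from the shim-signed packaging being merged in, while the target shim branch is `3.0 (quilt)` with an upstream tarball; the choice also decides whether the `-v$(VERSION)+$(SHIM_VERSION)` versioning in debian/rules (section above) still fits.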
diff --git a/debian/source_shim-signed.py b/debian/source_shim-signed.py
2new file mode 1006446new file mode 100644
index 0000000..6df7f28
--- /dev/null
+++ b/debian/source_shim-signed.py
@@ -0,0 +1,58 @@
1'''apport package hook for shim and shim-signed
2
3(c) 2015 Canonical Ltd.
4Author: Brian Murray <brian@ubuntu.com>
5'''
6
7import errno
8import os
9import re
10
11from apport.hookutils import (
12 command_available,
13 command_output,
14 recent_syslog,
15 attach_file,
16 attach_root_command_outputs)
17
18efiarch = {'amd64': 'x64',
19 'i386': 'ia32',
20 'arm64': 'aa64'
21 }
22grubarch = {'amd64': 'x86_64',
23 'i386': 'i386',
24 'arm64': 'arm64'
25 }
26
27def add_info(report, ui):
28 efiboot = '/boot/efi/EFI/ubuntu'
29 if command_available('efibootmgr'):
30 report['EFIBootMgr'] = command_output(['efibootmgr', '-v'])
31 else:
32 report['EFIBootMgr'] = 'efibootmgr not available'
33 commands = {}
34 try:
35 directory = os.stat(efiboot)
36 except OSError as e:
37 if e.errno == errno.ENOENT:
38 report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing'
39 return
40 if e.errno == errno.EACCES:
41 directory= True
42 if directory:
43 arch = report['Architecture']
44 commands['BootEFIContents'] = 'ls %s' % efiboot
45 commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch])
46 commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch])
47
48 efivars_dir = '/sys/firmware/efi/efivars'
49 sb_var = os.path.join(efivars_dir,
50 'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c')
51 mok_var = os.path.join(efivars_dir,
52 'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23')
53
54 attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
55 commands['SecureBoot'] = 'od -An -t u1 %s' % sb_var
56 commands['MokSBStateRT'] = 'od -An -t u1 %s' % mok_var
57 attach_root_command_outputs(report, commands)
58 report['EFITables'] = recent_syslog(re.compile(r'(efi|esrt):|Secure boot'))
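Review bot: `directory` (new lines 35-42) is only bound when `os.stat` succeeds or fails with EACCES; any other OSError (EPERM, ENOTDIR, EIO) falls through to `if directory:` and raises NameError inside the hook instead of being reported. Initialising `directory = None` before the `try` and adding `else: raise` after the EACCES branch closes that gap. `efiarch[arch]` on lines 45-46 also raises KeyError on an architecture outside the two dicts, and `ShimDiff` only compares against `shim%s.efi.signed`, while this proposal additionally installs a `.dualsigned` variant that the hook never examines.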
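--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,53 @@
+Template: shim/title/secureboot
+Type: text
+_Description: Configuring Secure Boot
+
+Template: shim/error/bad_secureboot_key
+Type: error
+_Description: Invalid password
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: shim/enable_secureboot
+Type: boolean
+Default: false
+_Description: Enroll a new Machine-Owner Key?
+ A new Machine-Owner key has been generated for this system to use when
+ signing third-party drivers. This key now needs to be enrolled in your
+ firmware, which will be done at the next reboot.
+ .
+ If Secure Boot validation was previously disabled on your system, validation
+ will also be re-enabled as part of this key enrollment process.
+
+Template: shim/secureboot_explanation
+Type: note
+_Description: Your system has UEFI Secure Boot enabled.
+ UEFI Secure Boot requires additional configuration to work with third-party
+ drivers.
+ .
+ The system will assist you in configuring UEFI Secure Boot. To permit the
+ use of third-party drivers, a new Machine-Owner Key (MOK) has been generated.
+ This key now needs to be enrolled in your system's firmware.
+ .
+ To ensure that this change is being made by you as an authorized user, and
+ not by an attacker, you must choose a password now and then confirm the
+ change after reboot using the same password, in both the "Enroll MOK" and
+ "Change Secure Boot state" menus that will be presented to you when this
+ system reboots.
+ .
+ If you proceed but do not confirm the password upon reboot, Ubuntu
+ will still be able to boot on your system but any hardware that requires
+ third-party drivers to work correctly may not be usable.
+
+Template: shim/secureboot_key
+Type: string
+_Description: Enter a password for Secure Boot. It will be asked again after a reboot.
+
+Template: shim/secureboot_key_again
+Type: string
+_Description: Enter the same password again to verify you have typed it correctly.
+
+Template: shim/error/secureboot_key_mismatch
+Type: error
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.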
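Review bot: `shim/secureboot_key` and `shim/secureboot_key_again` (new lines 42-48) are declared `Type: string`, so debconf frontends echo the Secure Boot password as it is typed and do not give it the handling reserved for the password type; the translations template in debian/real-po/templates.pot earlier in this diff declares its password prompts (`../templates:4001` and `5001`) as `Type: password` with different wording, so the .pot also appears stale relative to this file. Switching these two templates to `Type: password` and regenerating the .pot would bring them into line, with `clear_passwords` in update-secureboot-policy still wiping the values afterwards. The 8-16 character bound stated on line 9 matches the `validate_password` check in update-secureboot-policy.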
diff --git a/download-signed b/download-signed
0new file mode 10075554new file mode 100755
index 0000000..0793696
--- /dev/null
+++ b/download-signed
@@ -0,0 +1,183 @@
1#! /usr/bin/python3
2
3import hashlib
4import argparse
5import os
6import re
7import sys
8import tarfile
9from urllib import request
10from urllib.error import HTTPError
11from urllib.parse import (
12 urlparse,
13 urlunparse,
14 )
15
16import apt
17
18# package_name: package containing the objects we signed
19# package_version: package version containing the objects we signed
20# src_package: source package name in dists
21# signed_type: 'signed' or 'uefi' schema in the url
22
23parser = argparse.ArgumentParser()
24parser.add_argument(
25 "package_name",
26 help="package containining the objects we signed")
27parser.add_argument(
28 "package_version",
29 help="package version containing the objects we signed, or 'current'")
30parser.add_argument(
31 "src_package",
32 help="source package name in dists")
33parser.add_argument(
34 "signed_type",
35 nargs='?',
36 default='signed',
37 help="subdirectory type in the url, 'signed' or 'uefi'")
38args = parser.parse_args()
39
40
41class SignedDownloader:
42 """Download a block of signed information from dists.
43
44 Find a block of signed information as published in dists/*/signed
45 and download the contents. Use the contained checksum files to
46 identify the members and to validate them once downloaded.
47 """
48
49 def __init__(self, package_name, package_version, src_package, signed_type='signed'):
50 self.package_name = package_name
51 self.package_version = package_version
52 self.src_package = src_package
53
54 # Find the package in the available archive repositories. Use a _binary_
55 # package name and version to locate the appropriate archive. Then use the
56 # URI there to look for and find the appropriate binary.
57 cache = apt.Cache()
58
59 self.package = None
60 if self.package_version == "current":
61 self.package = cache[package_name].candidate
62 else:
63 for version in cache[package_name].versions:
64 if version.version == self.package_version:
65 self.package = version
66 break
67
68 if not self.package:
69 raise KeyError("{0}: package version not found".format(self.package_name))
70
71 origin = self.package.origins[0]
72 pool_parsed = urlparse(self.package.uri)
73 self.package_dir = "%s/%s/%s/%s-%s/%s/" % (
74 origin.archive, 'main', signed_type,
75 self.src_package, self.package.architecture, self.package_version)
76
77 # Prepare the master url stem and pull out any username/password. If present
78 # replace the default opener with one which offers that password.
79 dists_parsed_master = list(pool_parsed)
80 if '@' in dists_parsed_master[1]:
81 (username_password, host) = pool_parsed[1].split('@', 1)
82 (username, password) = username_password.split(':', 1)
83
84 dists_parsed_master[1] = host
85
86 # Work out the authentication domain.
87 domain_parsed = [ dists_parsed_master[0], dists_parsed_master[1], '/', None, None, None ]
88 auth_uri = urlunparse(domain_parsed)
89
90 # create a password manager
91 password_mgr = request.HTTPPasswordMgrWithDefaultRealm()
92
93 # Add the username and password.
94 # If we knew the realm, we could use it instead of None.
95 password_mgr.add_password(None, auth_uri, username, password)
96
97 handler = request.HTTPBasicAuthHandler(password_mgr)
98
99 # create "opener" (OpenerDirector instance)
100 opener = request.build_opener(handler)
101
102 # Now all calls to urllib.request.urlopen use our opener.
103 request.install_opener(opener)
104
105 self.dists_parsed = dists_parsed_master
106
107 def download_one(self, member, filename, hash_factory=None):
108 directory = os.path.dirname(filename)
109 if not os.path.exists(directory):
110 os.makedirs(directory)
111
112 dists_parsed = list(self.dists_parsed)
113 dists_parsed[2] = re.sub(r"/pool/.*", "/dists/" + self.package_dir + \
114 member, dists_parsed[2])
115 dists_uri = urlunparse(dists_parsed)
116
117 print("Downloading %s ... " % dists_uri, end='')
118 sys.stdout.flush()
119 try:
120 with request.urlopen(dists_uri) as dists, open(filename, "wb") as out:
121 hashobj = None
122 if hash_factory:
123 hashobj = hash_factory()
124 for chunk in iter(lambda: dists.read(256 * 1024), b''):
125 if hashobj:
126 hashobj.update(chunk)
127 out.write(chunk)
128 checksum = True
129 if hashobj:
130 checksum = hashobj.hexdigest()
131 except HTTPError as e:
132 if e.code == 404:
133 print("not found")
134 else:
135 raise
136 else:
137 print("found")
138 return checksum
139 return None
140
141 def download(self, base):
142 """Download an entire signed result from dists."""
143
144 # Download the checksums and use that to download the contents.
145 sums = 'SHA256SUMS'
146 sums_local = os.path.join(base, self.package_version, sums)
147 if not self.download_one(sums, sums_local):
148 print('download-signed: {0}: not found'.format(sums))
149 sys.exit(1)
150
151 # Read the checksum file and download the files it mentions.
152 here = os.path.abspath(base)
153 with open(sums_local) as sfd:
154 for line in sfd:
155 line = line.strip()
156 (checksum_expected, member) = (line[0:64], line[66:])
157 filename = os.path.abspath(os.path.join(base, self.package_version, member))
158 if not filename.startswith(here):
159 print('download-signed: {0}: member outside output directory'.format(member))
160 sys.exit(1)
161
162 # Download and checksum this member.
163 checksum_actual = self.download_one(member, filename, hashlib.sha256)
164 if checksum_expected != checksum_actual:
165 print('download-signed: {0}: member checksum invalid'.format(member))
166 sys.exit(1)
167
168 # If this is a tarball result then extract it.
169 here = os.path.abspath(os.path.join(base, self.package_version))
170 tarball_filename = os.path.join(base, self.package_version, 'signed.tar.gz')
171 if os.path.exists(tarball_filename):
172 with tarfile.open(tarball_filename) as tarball:
173 for tarinfo in tarball:
174 if not filename.startswith(here):
175 print('download-signed: {0}: tarball member outside output directory'.format(member))
176 sys.exit(1)
177 for tarinfo in tarball:
178 print('Extracting {0} ...'.format(tarinfo.name))
179 tarball.extract(tarinfo, base)
180
181
182downloader = SignedDownloader(**vars(args))
183downloader.download('.')
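Review bot: The traversal check in the tarball branch (new lines 173-176) tests `filename`, the leftover variable from the checksum loop, instead of each `tarinfo.name`, and compares against `base/<version>` while `tarball.extract(tarinfo, base)` writes under `base`; as written the loop rejects nothing and a member with `..` or an absolute name is extracted wherever it points. Resolving every member's path against `base` (with a trailing separator so a sibling directory does not pass the prefix test) and refusing symlink or hardlink members fixes both, as below. Separately, when `package_version` is `current` the `package_dir` URL (lines 73-75) ends in the literal `current` rather than the resolved `self.package.version`, which looks unintended; and SHA256SUMS is fetched over the same path as the members, so the checksums detect corruption but only authenticate the payload if that dists path is covered by a signed Release, which this script does not verify.
```python
    # If this is a tarball result then extract it.
    tarball_filename = os.path.join(base, self.package_version, 'signed.tar.gz')
    if os.path.exists(tarball_filename):
        # Members are extracted relative to base, so that is the boundary to enforce.
        outdir = os.path.abspath(base)
        with tarfile.open(tarball_filename) as tarball:
            for tarinfo in tarball:
                target = os.path.abspath(os.path.join(outdir, tarinfo.name))
                if (not target.startswith(outdir + os.sep)
                        or tarinfo.issym() or tarinfo.islnk()):
                    print('download-signed: {0}: tarball member outside output directory'.format(tarinfo.name))
                    sys.exit(1)
            # … unchanged: second pass printing and extracting each member …
```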
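--- /dev/null
+++ b/openssl.cnf
@@ -0,0 +1,27 @@
+HOME = /var/lib/shim-signed/mok
+RANDFILE = /var/lib/shim-signed/mok/.rnd
+
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+string_mask = utf8only
+
+[ req_distinguished_name ]
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:FALSE
+
+# We use extended key usage information to limit what this auto-generated
+# key can be used for.
+#
+# codeSigning: specifies that this key is used to sign code.
+#
+# 1.3.6.1.4.1.2312.16.1.2: defines this key as used for module signing
+# only. See https://lkml.org/lkml/2015/8/26/741.
+#
+extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
+
+nsComment = "OpenSSL Generated Certificate"
+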
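Review bot: `[ req_distinguished_name ]` (new line 9) is empty with no explanation; since the subject is supplied by `-subj` in update-secureboot-policy's `create_mok`, a comment such as `# Intentionally empty: the subject is passed with -subj by update-secureboot-policy.` saves the next reader from assuming the section was lost. `basicConstraints = critical,CA:FALSE` together with the codeSigning/module-signing EKU is the right shape for a leaf MOK; a `keyUsage = critical,digitalSignature` line would additionally state the only operation the key is meant for, though whether the kernel's verifier checks it I have not confirmed.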
diff --git a/shimaa64.efi.signed b/shimaa64.efi.signed
0new file mode 10064428new file mode 100644
index 0000000..f14323e
1Binary files /dev/null and b/shimaa64.efi.signed differ29Binary files /dev/null and b/shimaa64.efi.signed differ
diff --git a/shimx64.efi.signed b/shimx64.efi.signed
2new file mode 10064430new file mode 100644
index 0000000..0ac0d6f
3Binary files /dev/null and b/shimx64.efi.signed differ31Binary files /dev/null and b/shimx64.efi.signed differ
diff --git a/update-secureboot-policy b/update-secureboot-policy
4new file mode 10075532new file mode 100755
index 0000000..7ec61a7
--- /dev/null
+++ b/update-secureboot-policy
@@ -0,0 +1,297 @@
1#!/bin/sh
2set -e
3
4if test $# = 0 \
5 && test x"$SHIM_NOTRIGGER" = x \
6 && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \
7 && dpkg-trigger --check-supported 2>/dev/null
8then
9 if dpkg-trigger --no-await shim-secureboot-policy; then
10 if test x"$SHIM_TRIGGER_DEBUG" != x; then
11 echo "shim: wrapper deferring policy update (trigger activated)"
12 fi
13 exit 0
14 fi
15fi
16
17if [ "$(id -u)" -ne 0 ]; then
18 echo "$0: Permission denied"
19 exit 1
20fi
21
22do_enroll=0
23do_toggle=0
24
25efivars=/sys/firmware/efi/efivars
26secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
27moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
28
29SB_KEY="/var/lib/shim-signed/mok/MOK.der"
30SB_PRIV="/var/lib/shim-signed/mok/MOK.priv"
31
32OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list"
33NEW_DKMS_LIST="${OLD_DKMS_LIST}.new"
34
35touch $OLD_DKMS_LIST
36
37dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \
38 | LC_ALL=C sort)
39dkms_modules=$(echo "$dkms_list" | wc -l)
40
41. /usr/share/debconf/confmodule
42
43update_dkms_list()
44{
45 echo "$dkms_list" > $NEW_DKMS_LIST
46}
47
48save_dkms_list()
49{
50 mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST"
51}
52
53clear_new_dkms_list()
54{
55 rm "$NEW_DKMS_LIST"
56}
57
58new_dkms_module()
59{
60 # handle nvidia module specially because it changed path
61 if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then
62 # nvidia module is newly added
63 return 0
64 fi
65
66 # return 0 if there is any other new module
67 env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia"
68}
69
70show_dkms_list_changes()
71{
72 diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2
73}
74
75validate_password()
76{
77 db_capb
78 if [ "$key" != "$again" ]; then
79 db_fset shim/error/secureboot_key_mismatch seen false
80 db_input critical shim/error/secureboot_key_mismatch || true
81 STATE=$(($STATE - 2))
82 else
83 length=$((`echo "$key" | wc -c` - 1))
84 if [ $length -lt 8 ] || [ $length -gt 16 ]; then
85 db_fset shim/error/bad_secureboot_key seen false
86 db_input critical shim/error/bad_secureboot_key || true
87 STATE=$(($STATE - 2))
88 elif [ $length -ne 0 ]; then
89 return 0
90 fi
91 fi
92
93 return 1
94}
95
96clear_passwords()
97{
98 # Always clear secureboot key.
99 db_set shim/secureboot_key ''
100 db_fset shim/secureboot_key seen false
101 db_set shim/secureboot_key_again ''
102 db_fset shim/secureboot_key_again seen false
103}
104
105toggle_validation()
106{
107 local key="$1"
108 local again="$2"
109
110 echo "Enabling shim validation."
111 printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --enable-validation >/dev/null || true
112}
113
114enroll_mok()
115{
116 local key="$1"
117 local again="$2"
118
119 echo "Adding '$SB_KEY' to shim:"
120 printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
121}
122
123do_it()
124{
125 STATE=1
126 db_settitle shim/title/secureboot
127 while true; do
128 case "$STATE" in
129 1)
130 db_capb
131 db_fset shim/secureboot_explanation seen false
132 db_input critical shim/secureboot_explanation || true
133 ;;
134 2)
135 if [ "$do_toggle" -eq 1 ]; then
136 # Force no backtracking here; otherwise the GNOME backend
137 # might allow it due to displaying the explanation just before.
138 # Fixes LP: #1767091
139 db_capb
140 # Allow the user to skip toggling Secure Boot.
141 db_fset shim/enable_secureboot seen false
142 db_input critical shim/enable_secureboot || true
143 db_go
144
145 db_get shim/enable_secureboot
146 if [ "$RET" = "false" ]; then
147 break
148 fi
149 fi
150 ;;
151 3)
152
153 db_input critical shim/secureboot_key || true
154 seen_key=$RET
155 db_input critical shim/secureboot_key_again || true
156 ;;
157 4)
158 db_get shim/secureboot_key
159 key="$RET"
160 db_get shim/secureboot_key_again
161 again="$RET"
162
163 if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
164 echo "Running in non-interactive mode, doing nothing." >&2
165
166 if new_dkms_module; then
167 show_dkms_list_changes
168 clear_new_dkms_list
169 exit 1
170 else
171 exit 0
172 fi
173 fi
174
175 if validate_password; then
176 if [ $do_toggle -eq 1 ]; then
177 toggle_validation "$key" "$again"
178 fi
179 if [ $do_enroll -eq 1 ]; then
180 enroll_mok "$key" "$again"
181 fi
182 save_dkms_list
183 fi
184
185 clear_passwords
186 ;;
187 *)
188 break
189 ;;
190 esac
191
192 if db_go; then
193 STATE=$(($STATE + 1))
194 else
195 STATE=$(($STATE - 1))
196 fi
197 db_capb backup
198 done
199 db_capb
200}
201
202validate_actions() {
203 # Validate any queued actions before we go try to do them.
204 local moksbstatert=0
205
206 if ! [ -d $efivars ]; then
207 echo "$efivars not found, aborting." >&2
208 exit 0
209 fi
210
211 if ! [ -f $efivars/$secureboot_var ] \
212 || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
213 then
214 echo "Secure Boot not enabled on this system." >&2
215 exit 0
216 fi
217
218 if [ $dkms_modules -lt 2 ]; then
219 echo "No DKMS modules installed." >&2
220 exit 0
221 fi
222
223 if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
224 moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
225 elif [ -f $efivars/$moksbstatert_var ]; then
226 # MokSBStateRT set to 1 means validation is disabled
227 moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
228 awk '{ print $NF; }')
229 fi
230
231 # We were asked to enroll a key. This only makes sense if validation
232 # is enabled.
233 if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then
234 do_toggle=1
235 fi
236}
237
238create_mok()
239{
240 if [ -e "$SB_KEY" ]; then
241 return
242 fi
243
244 echo "Generating a new Secure Boot signing key:"
245 openssl req -config /usr/lib/shim/mok/openssl.cnf \
246 -subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \
247 -new -x509 -newkey rsa:2048 \
248 -nodes -days 36500 -outform DER \
249 -keyout "$SB_PRIV" \
250 -out "$SB_KEY"
251}
252
253update_dkms_list
254
255case "$1" in
256'--enable'|'--disable')
257 echo "Please run mokutil directly to change shim validation behavior."
258 exit 0
259 ;;
260
261'--new-key')
262 create_mok
263 exit 0
264 ;;
265
266'--enroll-key')
267 if [ -e "$SB_KEY" ]; then
268 if mokutil --test-key "$SB_KEY" | \
269 grep -qc 'is not'; then
270 do_enroll=1
271 fi
272 else
273 echo "No MOK found."
274 exit 1
275 fi
276 ;;
277
278*)
279 echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
280 echo
281 echo "\t--new-key\tCreate a new MOK."
282 echo "\t--enroll-key\tEnroll the new MOK for this system in shim."
283 echo "\t--help\t\tThis help text."
284 exit 0
285
286esac
287
288validate_actions
289
290if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then
291 echo "Nothing to do."
292 exit 0
293fi
294
295do_it
296
297exit 0
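Review bot: `toggle_validation` and `enroll_mok` (new lines 111 and 120) end their mokutil pipelines with `|| true`, so a failed `--enable-validation` or `--import` (wrong password format, full MokList, mokutil missing) is invisible: `do_it` then runs `save_dkms_list` and the script exits 0, recording the DKMS list as handled although nothing was queued for MokManager. Returning mokutil's status from those two functions and only calling `save_dkms_list` when both succeeded would let the caller and the postinst trigger notice. `create_mok` relies on openssl's default mode for the `-keyout` file; an explicit `umask 077` before the openssl call makes the private key's permissions independent of the invoking umask and openssl version. The `--help` option advertised on line 283 has no case of its own and only works because it falls into `*`.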
