#!/bin/sh
# update-secureboot-policy: drive the debconf dialog that enables or disables
# shim's Secure Boot validation through mokutil.  Runs from inside a dpkg
# maintainer script (DPKG_MAINTSCRIPT_PACKAGE set) or by hand (see --help).
set -e
# NOTE: leave xtrace off in production.  The MOK passphrase read from debconf
# is handed to mokutil through printf, and `set -x` would print that command
# with its expansions to stderr.
#set -x

# Called without arguments from a maintainer script on a dpkg that supports
# triggers: activate the shim-secureboot-policy trigger and let it run the
# (interactive) update later instead of doing it inline.  Any non-empty
# SHIM_NOTRIGGER forces the inline path.
if [ "$#" -eq 0 ] \
  && [ -z "$SHIM_NOTRIGGER" ] \
  && [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ] \
  && dpkg-trigger --check-supported 2>/dev/null
then
  if dpkg-trigger --no-await shim-secureboot-policy; then
    [ -z "$SHIM_TRIGGER_DEBUG" ] \
      || echo "shim: wrapper deferring policy update (trigger activated)"
    exit 0
  fi
fi

# debconf client library; after this, stdout is the script's own output and
# the db_* functions talk to the frontend.
. /usr/share/debconf/confmodule
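# setup_mok_validation ENABLE
#
# Walk the debconf dialog that asks the user for a one-time MOK passphrase
# and hand it to `mokutil --enable-validation` / `mokutil --disable-validation`.
# ENABLE is 1 to (re-)enable shim's Secure Boot validation; anything else
# (default 0 when the argument is missing) disables it.
#
# The dialog is only shown when the firmware reports Secure Boot enabled
# (last byte of the SecureBoot EFI variable == 1).  When disabling, it is
# additionally skipped if a MokSB request is already queued (MokSB variable
# present) or validation already reads as disabled (moksbstate_disabled /
# MokSBStateRT == 1).  When enabling, the prompt is always shown.
#
# Security notes: the passphrase only ever reaches mokutil on stdin, never on
# argv; the debconf password fields are cleared on every way out of the
# dialog, not only after a successful submission.
setup_mok_validation()
{
  local sb_enabled moksb moksbstatert
  local efivars secureboot_var moksb_var moksbstatert_var
  local enable_sb action key again length STATE

  enable_sb=${1:-0}
  efivars=/sys/firmware/efi/efivars
  secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
  moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23

  action=disable
  if [ "$enable_sb" -eq 1 ]; then
    action=enable
  fi

  # No efivarfs or no SecureBoot variable: nothing to do on this machine.
  if [ ! -d "$efivars" ] || [ ! -f "$efivars/$secureboot_var" ]; then
    return 0
  fi

  # The value is the last byte od prints; default to 0 if od produced nothing
  # so the numeric tests below cannot fail with a syntax error under set -e.
  sb_enabled=$(od -An -t u1 "$efivars/$secureboot_var" | awk '{ print $NF; }')
  sb_enabled=${sb_enabled:-0}

  moksb=0
  moksbstatert=0
  if [ -f "$efivars/$moksb_var" ]; then
    # MokSB exists: mokutil has most likely already been run since last boot.
    moksb=1
  fi
  if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
    moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
  elif [ -f "$efivars/$moksbstatert_var" ]; then
    # MokSBStateRT set to 1 means validation is currently disabled.
    moksbstatert=$(od -An -t u1 "$efivars/$moksbstatert_var" | awk '{ print $NF; }')
  fi
  moksbstatert=${moksbstatert:-0}

  if [ "$sb_enabled" -ne 1 ]; then
    return 0
  fi
  # Prompt when nothing has been toggled yet, or unconditionally when enabling.
  if [ "$moksb" -ne 0 ] || [ "$moksbstatert" -ne 0 ]; then
    if [ "$enable_sb" -ne 1 ]; then
      return 0
    fi
  fi

  # States: 1 explanation + yes/no, 2 passphrase entry, 3 validate and apply,
  # anything else leaves the loop.  db_go deciding "back" moves one state up.
  STATE=1
  db_settitle shim/title/secureboot
  while true; do
    case "$STATE" in
      1)
        db_capb
        db_fset shim/secureboot_explanation seen false
        db_input critical shim/secureboot_explanation || true
        db_go
        # Let the user decline to change the validation state at all.
        db_fset "shim/${action}_secureboot" seen false
        db_input critical "shim/${action}_secureboot" || true
        ;;
      2)
        db_get "shim/${action}_secureboot"
        if [ "$RET" = "false" ]; then
          break
        fi
        db_input critical shim/secureboot_key || true
        db_input critical shim/secureboot_key_again || true
        ;;
      3)
        db_get shim/secureboot_key
        key="$RET"
        db_get shim/secureboot_key_again
        again="$RET"
        db_capb
        if [ "$key" != "$again" ]; then
          db_fset shim/error/secureboot_key_mismatch seen false
          db_input critical shim/error/secureboot_key_mismatch || true
          STATE=$((STATE - 2))
        else
          # Byte length measured with printf '%s', not echo: sh's echo may
          # interpret a leading -n or backslash escapes, so the length checked
          # here is the one mokutil will actually receive below.
          length=$(( $(printf '%s' "$key" | wc -c) ))
          if [ "$length" -lt 8 ] || [ "$length" -gt 16 ]; then
            db_fset shim/error/bad_secureboot_key seen false
            db_input critical shim/error/bad_secureboot_key || true
            STATE=$((STATE - 2))
          else
            # Passphrase goes to mokutil on stdin only (never argv, so not
            # visible in ps).  A failure must not abort the maintainer script,
            # but it must not be silent either: the policy was not changed.
            if ! printf '%s\n%s\n' "$key" "$again" | mokutil "--${action}-validation" >/dev/null; then
              printf '%s\n' "update-secureboot-policy: mokutil --${action}-validation failed; Secure Boot validation state was not changed." >&2
            fi
          fi
        fi
        # Always clear the passphrase fields once they have been consumed.
        db_set shim/secureboot_key ''
        db_fset shim/secureboot_key seen false
        db_set shim/secureboot_key_again ''
        db_fset shim/secureboot_key_again seen false
        ;;
      *)
        break
        ;;
    esac
    if db_go; then
      STATE=$((STATE + 1))
    else
      STATE=$((STATE - 1))
    fi
    db_capb backup
  done

  # The loop can also end at state 2 (user answered "false") after a
  # passphrase was typed on an earlier pass and the user pressed Back; state
  # 3's clearing never ran in that case.  Clear on every exit path, in the
  # debconf db and in this shell.
  db_set shim/secureboot_key ''
  db_fset shim/secureboot_key seen false
  db_set shim/secureboot_key_again ''
  db_fset shim/secureboot_key_again seen false
  key=
  again=
  db_capb
}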
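# Argument handling.  Flags are matched as whole arguments: the former
# `echo "$@" | grep -- '--enable'` was a substring test that also accepted
# e.g. "--enabled" or "x--enable".  Precedence is unchanged: --enable beats
# --disable beats --help, and anything unrecognised is ignored (the default
# is --disable).
want_enable=0
want_disable=0
want_help=0
for arg in "$@"; do
  case "$arg" in
    --enable)  want_enable=1 ;;
    --disable) want_disable=1 ;;
    --help)    want_help=1 ;;
  esac
done

enable_secureboot=0
if [ "$want_enable" -eq 1 ]; then
  enable_secureboot=1
elif [ "$want_disable" -eq 1 ]; then
  enable_secureboot=0
elif [ "$want_help" -eq 1 ]; then
  # printf, not echo: bash's echo leaves \t literal while dash's expands it,
  # so the help text looked different depending on what /bin/sh is.
  printf 'update-secureboot-policy: toggle UEFI Secure Boot in shim\n'
  printf '\n'
  printf '\t--enable\tPrompt to enable Secure Boot validation.\n'
  printf '\t--disable\tPrompt to disable Secure Boot validation (default).\n'
  printf '\t--help\t\tThis help text.\n'
  exit 0
fi

# Only offer to change the validation state when a DKMS module tree exists:
# /var/lib/dkms itself counts as one directory, so more than one means
# something is installed there.  Guard the find so a missing /var/lib/dkms
# does not spew an error before the "No DKMS packages" message.
dkms_dirs=0
if [ -d /var/lib/dkms ]; then
  dkms_dirs=$(find /var/lib/dkms -type d -print | wc -l)
fi
if [ "$dkms_dirs" -gt 1 ]; then
  setup_mok_validation "$enable_secureboot"
else
  echo "No DKMS packages installed: not changing Secure Boot validation state."
fi
exit 0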