cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2adfbd9ea73fc04955d459a3e37101263067ebdb
server/var/lib/dpkg/info/shim-signed.postinst
cutemeli 2adfbd9ea7 .gitignore angepasst
2026-01-07 20:52:11 +01:00

194 lines
5.5 KiB
Bash
Executable File
Raw Blame History

#! /bin/sh
set -e
# Must load the confmodule for our template to be installed correctly.
. /usr/share/debconf/confmodule
efivars=/sys/firmware/efi/efivars
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
efi_archs="x64 aa64"
on_secure_boot() {
# Validate any queued actions before we go try to do them.
local moksbstatert=0
if ! [ -d $efivars ]; then
return 1
fi
if ! [ -f $efivars/$secureboot_var ] \
|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
then
return 1
fi
if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
elif [ -f $efivars/$moksbstatert_var ]; then
# MokSBStateRT set to 1 means validation is disabled
moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
awk '{ print $NF; }')
fi
if [ $moksbstatert -eq 1 ]; then
return 1
fi
return 0
}
# Check that our current kernel and every newer one has not been revoked
find_revoked() {
uname_r="$(uname -r)"
exit=1
for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
# no kernels :(
if [ "$kernel" = "/boot/vmlinuz-*" ]; then
break
fi
this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
continue
fi
if [ -e "$kernel.efi.signed" ]; then
continue
fi
if ! /usr/lib/shim/is-not-revoked "$kernel"; then
exit=0
fi
done
return $exit
}
setup_alternatives() {
for efi_arch in ${efi_archs}; do
test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
if ! on_secure_boot || ! find_revoked; then
update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
else
update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
fi
done
}
config_item ()
{
if [ -f /etc/default/grub ]; then
. /etc/default/grub || return
for x in /etc/default/grub.d/*.cfg; do
if [ -e "$x" ]; then
. "$x"
fi
done
fi
eval echo "\$$1"
}
sign_dkms_modules()
{
for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`;
do
for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\ '{print $1"/"$2}'`;
do
dkms uninstall -k "$kern" "$dkms" || :
if ! dkms status -k "$kern" "$dkms" | grep -q 'built$'
then
cat <<EOF
shim-signed: failed to prepare dkms module for signing; ignoring.
module: $dkms
kernel: $kern
EOF
continue
fi
mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko")
for mod in $mods; do
kmodsign sha512 \
/var/lib/shim-signed/mok/MOK.priv \
/var/lib/shim-signed/mok/MOK.der \
$mod
done
dkms install -k "$kern" "${dkms}"
done
done
}
case $(dpkg --print-architecture) in
amd64)
grubarch=x86_64-efi
;;
arm64)
grubarch=arm64-efi
;;
esac
case "$1:$2" in
triggered:shim-secureboot-policy)
if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
fi
;;
triggered:shim-kernel-check)
setup_alternatives
# If we did not switch to the latest shim, do not reinstall shim and grub.
for efi_arch in ${efi_archs}; do
test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
exit 0
fi
done
bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
cut -d' ' -f1)"
case $bootloader_id in
kubuntu) bootloader_id=ubuntu ;;
esac
# Check /boot/grub to see if we previously installed to an ESP. We don't
# want to trigger the install code just by installing the package,
# normally the installer installs grub itself first.
if [ -e /boot/grub/${grubarch}/core.efi ]; then
/usr/lib/grub/grub-multi-install --target=${grubarch}
fi
;;
configure:*)
setup_alternatives
bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
cut -d' ' -f1)"
case $bootloader_id in
kubuntu) bootloader_id=ubuntu ;;
esac
# Check /boot/grub to see if we previously installed to an ESP. We don't
# want to trigger the install code just by installing the package,
# normally the installer installs grub itself first.
if [ -e /boot/grub/${grubarch}/core.efi ]; then
/usr/lib/grub/grub-multi-install --target=${grubarch}
if dpkg --compare-versions "$2" lt-nl "1.22~"; then
rm -f /boot/efi/EFI/ubuntu/MokManager.efi
fi
fi
# Upgrade case, capture pre-existing DKMS packages.
if dpkg --compare-versions "$2" lt-nl "1.30" \
&& [ -d /var/lib/dkms ]
then
find /var/lib/dkms -maxdepth 1 -type d -print \
| LC_ALL=C sort > /var/lib/shim-signed/dkms-list
fi
# Upgrade case, migrate all existing kernels/dkms module combinations
# to self-signed modules.
if dpkg --compare-versions "$2" lt "1.34.7" \
&& [ -d /var/lib/dkms ]
then
SHIM_NOTRIGGER=y update-secureboot-policy --new-key
sign_dkms_modules
SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
fi
;;
esac
exit 0
Reference in New Issue View Git Blame Copy Permalink