%PDF-
%PDF-
Mini Shell
Mini Shell
| Direktori : /usr/sbin/ |
|
|
|
| Current File : //usr/sbin/update-secureboot-policy |
#!/bin/sh
set -e
if test $# = 0 \
&& test x"$SHIM_NOTRIGGER" = x \
&& test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \
&& dpkg-trigger --check-supported 2>/dev/null
then
if dpkg-trigger --no-await shim-secureboot-policy; then
if test x"$SHIM_TRIGGER_DEBUG" != x; then
echo "shim: wrapper deferring policy update (trigger activated)"
fi
exit 0
fi
fi
if [ "$(id -u)" -ne 0 ]; then
echo "$0: Permission denied"
exit 1
fi
do_enroll=0
do_toggle=0
efivars=/sys/firmware/efi/efivars
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
SB_KEY="/var/lib/shim-signed/mok/MOK.der"
SB_PRIV="/var/lib/shim-signed/mok/MOK.priv"
OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list"
NEW_DKMS_LIST="${OLD_DKMS_LIST}.new"
touch $OLD_DKMS_LIST
dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \
| LC_ALL=C sort)
dkms_modules=$(echo "$dkms_list" | wc -l)
. /usr/share/debconf/confmodule
update_dkms_list()
{
echo "$dkms_list" > $NEW_DKMS_LIST
}
save_dkms_list()
{
mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST"
}
clear_new_dkms_list()
{
rm "$NEW_DKMS_LIST"
}
new_dkms_module()
{
# handle nvidia module specially because it changed path
if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then
# nvidia module is newly added
return 0
fi
# return 0 if there is any other new module
env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia"
}
show_dkms_list_changes()
{
diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2
}
validate_password()
{
db_capb
if [ "$key" != "$again" ]; then
db_fset shim/error/secureboot_key_mismatch seen false
db_input critical shim/error/secureboot_key_mismatch || true
STATE=$(($STATE - 2))
else
length=$((`echo "$key" | wc -c` - 1))
if [ $length -lt 8 ] || [ $length -gt 16 ]; then
db_fset shim/error/bad_secureboot_key seen false
db_input critical shim/error/bad_secureboot_key || true
STATE=$(($STATE - 2))
elif [ $length -ne 0 ]; then
return 0
fi
fi
return 1
}
clear_passwords()
{
# Always clear secureboot key.
db_set shim/secureboot_key ''
db_fset shim/secureboot_key seen false
db_set shim/secureboot_key_again ''
db_fset shim/secureboot_key_again seen false
}
toggle_validation()
{
local key="$1"
local again="$2"
echo "Enabling shim validation."
printf '%s\n%s\n' "$key" "$again" | mokutil --enable-validation >/dev/null || true
mokutil --timeout -1 >/dev/null || true
}
enroll_mok()
{
local key="$1"
local again="$2"
echo "Adding '$SB_KEY' to shim:"
printf '%s\n%s\n' "$key" "$again" | mokutil --import "$SB_KEY" >/dev/null || true
mokutil --timeout -1 >/dev/null || true
}
do_it()
{
STATE=1
db_settitle shim/title/secureboot
while true; do
case "$STATE" in
1)
db_capb
db_fset shim/secureboot_explanation seen false
db_input critical shim/secureboot_explanation || true
;;
2)
if [ "$do_toggle" -eq 1 ]; then
# Force no backtracking here; otherwise the GNOME backend
# might allow it due to displaying the explanation just before.
# Fixes LP: #1767091
db_capb
# Allow the user to skip toggling Secure Boot.
db_fset shim/enable_secureboot seen false
db_input critical shim/enable_secureboot || true
db_go
db_get shim/enable_secureboot
if [ "$RET" = "false" ]; then
break
fi
fi
;;
3)
db_input critical shim/secureboot_key || true
seen_key=$RET
db_input critical shim/secureboot_key_again || true
;;
4)
db_get shim/secureboot_key
key="$RET"
db_get shim/secureboot_key_again
again="$RET"
if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
echo "Running in non-interactive mode, doing nothing." >&2
if new_dkms_module; then
show_dkms_list_changes
clear_new_dkms_list
exit 1
else
exit 0
fi
fi
if validate_password; then
if [ $do_toggle -eq 1 ]; then
toggle_validation "$key" "$again"
fi
if [ $do_enroll -eq 1 ]; then
enroll_mok "$key" "$again"
fi
save_dkms_list
fi
clear_passwords
;;
*)
break
;;
esac
if db_go; then
STATE=$(($STATE + 1))
else
STATE=$(($STATE - 1))
fi
db_capb backup
done
db_capb
}
validate_actions() {
# Validate any queued actions before we go try to do them.
local moksbstatert=0
if ! [ -d $efivars ]; then
echo "$efivars not found, aborting." >&2
exit 0
fi
if ! [ -f $efivars/$secureboot_var ] \
|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
then
echo "Secure Boot not enabled on this system." >&2
exit 0
fi
if [ $dkms_modules -lt 2 ]; then
echo "No DKMS modules installed." >&2
exit 0
fi
if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
elif [ -f $efivars/$moksbstatert_var ]; then
# MokSBStateRT set to 1 means validation is disabled
moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
awk '{ print $NF; }')
fi
# We were asked to enroll a key. This only makes sense if validation
# is enabled.
if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then
do_toggle=1
fi
}
create_mok()
{
if [ -e "$SB_KEY" ]; then
return
fi
echo "Generating a new Secure Boot signing key:"
openssl req -config /usr/lib/shim/mok/openssl.cnf \
-subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \
-new -x509 -newkey rsa:2048 \
-nodes -days 36500 -outform DER \
-keyout "$SB_PRIV" \
-out "$SB_KEY"
}
update_dkms_list
case "$1" in
'--enable'|'--disable')
echo "Please run mokutil directly to change shim validation behavior."
exit 0
;;
'--new-key')
create_mok
exit 0
;;
'--enroll-key')
if [ -e "$SB_KEY" ]; then
if mokutil --test-key "$SB_KEY" | \
grep -qc 'is not'; then
do_enroll=1
fi
else
echo "No MOK found."
exit 1
fi
;;
*)
echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
echo
echo "\t--new-key\tCreate a new MOK."
echo "\t--enroll-key\tEnroll the new MOK for this system in shim."
echo "\t--help\t\tThis help text."
exit 0
esac
validate_actions
if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then
echo "Nothing to do."
exit 0
fi
do_it
exit 0
Zerion Mini Shell 1.0