File: update-secureboot-policy

package info (click to toggle)
shim-signed 1.33
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 3,404 kB
  • sloc: sh: 180; python: 48; makefile: 36
file content (152 lines) | stat: -rwxr-xr-x 5,256 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
#!/bin/sh
set -e

if  test $# = 0                                                 \
    && test x"$SHIM_NOTRIGGER" = x                              \
 && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x                      \
 && dpkg-trigger --check-supported 2>/dev/null
then
        if dpkg-trigger --no-await shim-secureboot-policy; then
                if test x"$SHIM_TRIGGER_DEBUG" != x; then
                        echo "shim: wrapper deferring policy update (trigger activated)"
                fi
                exit 0
        fi
fi

. /usr/share/debconf/confmodule

setup_mok_validation()
{
    local moksbstatert
    local efivars secureboot_var moksb_var moksbstatert_var
    local enable_sb action
    enable_sb=$1
    efivars=/sys/firmware/efi/efivars
    secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
    moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
    action=disable

    if [ $enable_sb -eq 1 ]; then
        action=enable
    fi

    if ! [ -f $efivars/$secureboot_var ] \
       || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
    then
        echo "Secure Boot not enabled on this system." >&2
        return 0
    fi
    moksbstatert=0
    if [ -f $efivars/$moksb_var ]; then
        # if MokSB exists we've likely already run mokutil since last boot
        echo "The Secure Boot policy was already changed since last reboot; nothing to do." >&2
        return 0
    fi
    if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
        moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
    elif [ -f $efivars/$moksbstatert_var ]; then
        # MokSBStateRT set to 1 means validation is disabled
        moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
                       awk '{ print $NF; }')
    fi
    # poor man's xor
    if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
        STATE=1
        db_settitle shim/title/secureboot
        while true; do
            case "$STATE" in
            1)
                db_capb
                db_fset shim/secureboot_explanation seen false
                db_input critical shim/secureboot_explanation || true
                db_go

                # Allow the user to skip disabling Secure Boot.
                db_fset shim/${action}_secureboot seen false
                db_input critical shim/${action}_secureboot || true
                ;;
            2)
                db_get shim/${action}_secureboot
                if [ "$RET" = "false" ]; then
                    break
                fi

                db_input critical shim/secureboot_key || true
                seen_key=$RET
                db_input critical shim/secureboot_key_again || true
                ;;
            3)
                db_get shim/secureboot_key
                key="$RET"
                db_get shim/secureboot_key_again
                again="$RET"

                if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
                    echo "Running in non-interactive mode, doing nothing." >&2
                    exit 1
                fi

                db_capb
                if [ "$key" != "$again" ]; then
                    db_fset shim/error/secureboot_key_mismatch seen false
                    db_input critical shim/error/secureboot_key_mismatch || true
                    STATE=$(($STATE - 2))
                else
                    length=$((`echo "$key" | wc -c` - 1))
                    if [ $length -lt 8 ] || [ $length -gt 16 ]; then
                        db_fset shim/error/bad_secureboot_key seen false
                        db_input critical shim/error/bad_secureboot_key || true
                        STATE=$(($STATE - 2))
                    elif [ $length -ne 0 ]; then
                        printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true
                    fi
                fi

                # Always clear secureboot key.
                db_set shim/secureboot_key ''
                db_fset shim/secureboot_key seen false
                db_set shim/secureboot_key_again ''
                db_fset shim/secureboot_key_again seen false
                ;;
            *)
                break
                ;;
            esac

            if db_go; then
                STATE=$(($STATE + 1))
            else
                STATE=$(($STATE - 1))
            fi
            db_capb backup
        done
        db_capb
    fi
}

args=$@
enable_secureboot=0

if echo "$args" | grep -qc -- '--enable'; then
	enable_secureboot=1
elif echo "$args" | grep -qc -- '--disable'; then
	enable_secureboot=0
elif echo "$args" | grep -qc -- '--help'; then
	echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
	echo
	echo "\t--enable\tPrompt to enable Secure Boot validation."
	echo "\t--disable\tPrompt to disable Secure Boot validation (default)."
	echo "\t--help\t\tThis help text."
	exit 0
fi

if [ -d /var/lib/dkms ] &&
       [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
    setup_mok_validation $enable_secureboot
else
	echo "No DKMS packages installed: not changing Secure Boot validation state."
fi

exit 0