1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
#!/bin/sh
set -e
if test $# = 0 \
&& test x"$SHIM_NOTRIGGER" = x \
&& test x"$DPKG_MAINTSCRIPT_PACKAGE" != x \
&& dpkg-trigger --check-supported 2>/dev/null
then
if dpkg-trigger --no-await shim-secureboot-policy; then
if test x"$SHIM_TRIGGER_DEBUG" != x; then
echo "shim: wrapper deferring policy update (trigger activated)"
fi
exit 0
fi
fi
. /usr/share/debconf/confmodule
setup_mok_validation()
{
local moksbstatert
local efivars secureboot_var moksb_var moksbstatert_var
local enable_sb action
enable_sb=$1
efivars=/sys/firmware/efi/efivars
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
dkms_mok_pubkey=/var/lib/dkms/mok.pub
action=disable
if [ $enable_sb -eq 1 ]; then
action=enable
fi
if ! [ -f $efivars/$secureboot_var ] \
|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
then
echo "Secure Boot not enabled on this system." >&2
return 0
fi
moksbstatert=0
if [ -f $efivars/$moksb_var ]; then
# if MokSB exists we've likely already run mokutil since last boot
echo "The Secure Boot policy was already changed since last reboot; nothing to do." >&2
return 0
fi
if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
elif [ -f $efivars/$moksbstatert_var ]; then
# MokSBStateRT set to 1 means validation is disabled
moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
awk '{ print $NF; }')
fi
# poor man's xor
if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
echo "$0: Checking status of DKMS module signing:" >&2
# We have DKMS and secure boot is enabled. Check to see if we
# have a DKMS key and if it's enrolled in MOK. If it is, we
# should be fine.
if [ -f $dkms_mok_pubkey ]; then
echo " [ OK ] System DKMS key found in $dkms_mok_pubkey" >&2
registered_ok=0
# Gran the serial number of the DKMS key
dkms_key=$(openssl x509 -in $dkms_mok_pubkey -text | \
awk '/Serial Number/ {getline;print tolower($1)}')
# And compare it to all the keys that MOK knows about -
# any match is good enough.
for mok_key in $(mokutil --list-enrolled | \
awk '/Serial Number/ {getline;print tolower($1)}'); do
if [ "$dkms_key"x = "$mok_key"x ]; then
echo " [ OK ] System DKMS key is registered via MOK" >&2
registered_ok=1
fi
done
if [ $registered_ok != 1 ]; then
echo " E: System's DKMS key is NOT installed in MOK." >&2
else
signed_ok=1
# Now check all the DKMS modules we can find are
# signed with this key.
for mod in $(find /var/lib/dkms/ -name '*.ko'); do
mod_key=$(modinfo $mod | awk '/sig_key:/ {print tolower($2)}')
if [ "$mod_key"x != "$dkms_key"x ]; then
echo " E: $mod is not signed with the DKMS key" >&2
signed_ok=0
fi
done
if [ $signed_ok = 1 ]; then
echo " [ OK ] All DKMS modules signed with the DKMS key" >&2
echo "All OK, nothing to do." >&2
return 0
else
echo " Some modules not signed with the DKMS key. Rebuild?." >&2
fi
fi
fi
STATE=1
db_settitle shim/title/secureboot
while true; do
case "$STATE" in
1)
db_capb
db_fset shim/secureboot_explanation seen false
db_input critical shim/secureboot_explanation || true
db_go
# Allow the user to skip disabling Secure Boot.
db_fset shim/${action}_secureboot seen false
db_input critical shim/${action}_secureboot || true
;;
2)
db_get shim/${action}_secureboot
if [ "$RET" = "false" ]; then
break
fi
db_input critical shim/secureboot_key || true
seen_key=$RET
db_input critical shim/secureboot_key_again || true
;;
3)
db_get shim/secureboot_key
key="$RET"
db_get shim/secureboot_key_again
again="$RET"
if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
echo "Running in non-interactive mode, doing nothing." >&2
exit 1
fi
db_capb
if [ "$key" != "$again" ]; then
db_fset shim/error/secureboot_key_mismatch seen false
db_input critical shim/error/secureboot_key_mismatch || true
STATE=$(($STATE - 2))
else
length=$((`echo "$key" | wc -c` - 1))
if [ $length -lt 8 ] || [ $length -gt 16 ]; then
db_fset shim/error/bad_secureboot_key seen false
db_input critical shim/error/bad_secureboot_key || true
STATE=$(($STATE - 2))
elif [ $length -ne 0 ]; then
printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true
fi
fi
# Always clear secureboot key.
db_set shim/secureboot_key ''
db_fset shim/secureboot_key seen false
db_set shim/secureboot_key_again ''
db_fset shim/secureboot_key_again seen false
;;
*)
break
;;
esac
if db_go; then
STATE=$(($STATE + 1))
else
STATE=$(($STATE - 1))
fi
db_capb backup
done
db_capb
fi
}
args=$@
enable_secureboot=0
if echo "$args" | grep -qc -- '--enable'; then
enable_secureboot=1
elif echo "$args" | grep -qc -- '--disable'; then
enable_secureboot=0
elif echo "$args" | grep -qc -- '--help'; then
echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
echo
echo "\t--enable\tPrompt to enable Secure Boot validation."
echo "\t--disable\tPrompt to disable Secure Boot validation (default)."
echo "\t--help\t\tThis help text."
exit 0
fi
if [ -d /var/lib/dkms ] &&
[ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
setup_mok_validation $enable_secureboot
else
echo "No DKMS packages installed: not changing Secure Boot validation state."
fi
exit 0
|
