AlaK4X
Linux lhjmq-records 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64



Your IP : 18.191.171.86


Current Path : /var/lib/dpkg/info/
Upload File :
Current File : /var/lib/dpkg/info/shim-signed.postinst

#! /bin/sh
set -e

# Must load the confmodule for our template to be installed correctly.
. /usr/share/debconf/confmodule

efivars=/sys/firmware/efi/efivars
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
efi_archs="x64 aa64"

on_secure_boot() {
	# Validate any queued actions before we go try to do them.
	local moksbstatert=0

	if ! [ -d $efivars ]; then
		return 1
	fi

	if ! [ -f $efivars/$secureboot_var ] \
		|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
	then
		return 1
	fi

	if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
		moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
	elif [ -f $efivars/$moksbstatert_var ]; then
		# MokSBStateRT set to 1 means validation is disabled
		moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
					   awk '{ print $NF; }')
	fi

	if [ $moksbstatert -eq 1 ]; then
		return 1
	fi

	return 0
}

# Check that our current kernel and every newer one has not been revoked
find_revoked() {
	uname_r="$(uname -r)"
	exit=1
	for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
		# no kernels :(
		if [ "$kernel" = "/boot/vmlinuz-*" ]; then
			break
		fi
		this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
		if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
			continue
		fi
		if [ -e "$kernel.efi.signed" ]; then
			continue
		fi
		if ! /usr/lib/shim/is-not-revoked "$kernel"; then
			exit=0
		fi
	done
	return $exit
}

setup_alternatives() {
	for efi_arch in ${efi_archs}; do
		test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
		if ! on_secure_boot || ! find_revoked; then
			update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
			update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
		else
			update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
			update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
		fi
	done
}

config_item ()
{
    if [ -f /etc/default/grub ]; then
	. /etc/default/grub || return
	for x in /etc/default/grub.d/*.cfg; do
	    if [ -e "$x" ]; then
		. "$x"
	    fi
	done
    fi
    eval echo "\$$1"
}

sign_dkms_modules()
{
	for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`;
	do
		for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\  '{print $1"/"$2}'`;
		do
			dkms uninstall -k "$kern" "$dkms" || :
			if ! dkms status -k "$kern" "$dkms" | grep -q 'built$'
			then
				cat <<EOF

shim-signed: failed to prepare dkms module for signing; ignoring.
  module: $dkms
  kernel: $kern
EOF
				continue
			fi
			mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko")
			for mod in $mods; do
				kmodsign sha512 \
					/var/lib/shim-signed/mok/MOK.priv \
					/var/lib/shim-signed/mok/MOK.der \
					$mod
			done
			dkms install -k "$kern" "${dkms}"
		done
	done
}

case $(dpkg --print-architecture) in
    amd64)
	grubarch=x86_64-efi
	;;
    arm64)
	grubarch=arm64-efi
	;;
esac
case "$1:$2" in
    triggered:shim-secureboot-policy)
	if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
	    SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
	fi
	;;
    triggered:shim-kernel-check)
	setup_alternatives
	# If we did not switch to the latest shim, do not reinstall shim and grub.
	for efi_arch in ${efi_archs}; do
		test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
		if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
			exit 0
		fi
	done
	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
			 cut -d' ' -f1)"
	case $bootloader_id in
	    kubuntu) bootloader_id=ubuntu ;;
	esac
	# Check /boot/grub to see if we previously installed to an ESP. We don't
	# want to trigger the install code just by installing the package,
	# normally the installer installs grub itself first.
	if [ -e /boot/grub/${grubarch}/core.efi ]; then
	    /usr/lib/grub/grub-multi-install --target=${grubarch} --auto-nvram
	fi
    ;;
    configure:*)
	setup_alternatives
	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
			 cut -d' ' -f1)"
	case $bootloader_id in
	    kubuntu) bootloader_id=ubuntu ;;
	esac
	# Check /boot/grub to see if we previously installed to an ESP. We don't
	# want to trigger the install code just by installing the package,
	# normally the installer installs grub itself first.
	if [ -e /boot/grub/${grubarch}/core.efi ]; then
	    /usr/lib/grub/grub-multi-install --target=${grubarch} --auto-nvram
            if dpkg --compare-versions "$2" lt-nl "1.22~"; then
                rm -f /boot/efi/EFI/ubuntu/MokManager.efi
            fi
	fi

	# Upgrade case, capture pre-existing DKMS packages.
	if dpkg --compare-versions "$2" lt-nl "1.30" \
	   && [ -d /var/lib/dkms ]
	then
		find /var/lib/dkms -maxdepth 1 -type d -print \
		| LC_ALL=C sort	> /var/lib/shim-signed/dkms-list
	fi

	# Upgrade case, migrate all existing kernels/dkms module combinations
	# to self-signed modules.
	if dpkg --compare-versions "$2" lt "1.34.7" \
	   && [ -d /var/lib/dkms ]
	then
		SHIM_NOTRIGGER=y update-secureboot-policy --new-key
		sign_dkms_modules
		SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
	fi
	;;
esac



exit 0