diff -Nru shim-signed-1.21.4/debian/changelog shim-signed-1.27~16.10.1/debian/changelog
--- shim-signed-1.21.4/debian/changelog 2016-10-13 17:49:17.000000000 +0000
+++ shim-signed-1.27~16.10.1/debian/changelog 2017-03-23 20:58:44.000000000 +0000
@@ -1,13 +1,42 @@ -shim-signed (1.21.4) yakkety; urgency=medium +shim-signed (1.27~16.10.1) yakkety; urgency=medium + + * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.10. (LP: #1637290) + + -- Mathieu Trudel-Lapierre Thu, 23 Mar 2017 16:58:44 -0400 + +shim-signed (1.27) zesty; urgency=medium + + [ Steve Langasek ] + * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from + Microsoft. + * update-secureboot-policy: + - detect when we have no debconf prompting and error out instead of ending + up in an infinite loop. LP: #1673817. + - refactor to make the code easier to follow. + - remove a confusing boolean that would always re-prompt on a request to + --enable, but not on a request to --disable. + + [ Mathieu Trudel-Lapierre ] + * update-secureboot-policy: + - some more fixes to properly handle non-interactive mode. (LP: #1673817) + + -- Mathieu Trudel-Lapierre Tue, 21 Mar 2017 14:28:46 -0400 + +shim-signed (1.23) zesty; urgency=medium + + * debian/control: bump the Depends on grub2-common since that's needed to + install with the new updated EFI binaries filenames. + + -- Mathieu Trudel-Lapierre Fri, 21 Oct 2016 13:31:05 -0400 + +shim-signed (1.22) yakkety; urgency=medium * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft. - (LP: #1637290, #1581299) + (LP: #1581299) * Update paths now that the shim binary has been renamed to include the target architecture. * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu; since it's being replaced by mm$arch.efi. - * debian/control: bump the Depends on grub2-common since that's needed to - install with the new updated EFI binaries filenames. 
-- Mathieu Trudel-Lapierre Thu, 13 Oct 2016 13:49:17 -0400 diff -Nru shim-signed-1.21.4/debian/shim-signed.postinst shim-signed-1.27~16.10.1/debian/shim-signed.postinst --- shim-signed-1.21.4/debian/shim-signed.postinst 2016-10-13 17:49:17.000000000 +0000 +++ shim-signed-1.27~16.10.1/debian/shim-signed.postinst 2016-10-21 02:51:04.000000000 +0000 @@ -31,7 +31,7 @@ && which grub-install >/dev/null 2>&1 then grub-install --target=x86_64-efi - if dpkg --compare-versions "$2" lt-nl "1.21.4~"; then + if dpkg --compare-versions "$2" lt-nl "1.22~"; then rm -f /boot/efi/EFI/ubuntu/MokManager.efi fi fi Binary files /tmp/tmpH6oPT7/ogANynjQl3/shim-signed-1.21.4/shimx64.efi.signed and /tmp/tmpH6oPT7/kkXUz3B2Xp/shim-signed-1.27~16.10.1/shimx64.efi.signed differ diff -Nru shim-signed-1.21.4/update-secureboot-policy shim-signed-1.27~16.10.1/update-secureboot-policy --- shim-signed-1.21.4/update-secureboot-policy 2016-08-02 18:47:13.000000000 +0000 +++ shim-signed-1.27~16.10.1/update-secureboot-policy 2017-03-21 18:28:05.000000000 +0000 @@ -1,6 +1,5 @@ #!/bin/sh set -e -#set -x if test $# = 0 \ && test x"$SHIM_NOTRIGGER" = x \ @@ -19,7 +18,7 @@ setup_mok_validation() { - local sb_enabled moksb moksbstatert + local moksbstatert local efivars secureboot_var moksb_var moksbstatert_var local enable_sb action enable_sb=$1 
@@ -33,89 +32,97 @@ action=enable fi - if [ -d $efivars ] && [ -f $efivars/$secureboot_var ]; then - sb_enabled=$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF; }') - moksb=0 - moksbstatert=0 - if [ -f $efivars/$moksb_var ]; then - # if MokSB exists we've likely already run mokutil since last boot - moksb=1 - fi - if [ -f /proc/sys/kernel/moksbstate_disabled ]; then - moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) - elif [ -f $efivars/$moksbstatert_var ]; then - # MokSBStateRT set to 1 means validation is disabled - moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ - awk '{ print $NF; }') - fi - if [ $sb_enabled -eq 1 ]; then - if [ $moksb -eq 0 ] && [ $moksbstatert -eq 0 ] || [ $enable_sb -eq 1 ]; then - STATE=1 - db_settitle shim/title/secureboot - while true; do - case "$STATE" in - 1) - db_capb - db_fset shim/secureboot_explanation seen false - db_input critical shim/secureboot_explanation || true - db_go - - # Allow the user to skip disabling Secure Boot. 
- db_fset shim/${action}_secureboot seen false - db_input critical shim/${action}_secureboot || true - ;; - 2) - db_get shim/${action}_secureboot - if [ "$RET" = "false" ]; then - break - fi - - db_input critical shim/secureboot_key || true - db_input critical shim/secureboot_key_again || true - ;; - 3) - db_get shim/secureboot_key - key="$RET" - db_get shim/secureboot_key_again - again="$RET" - - db_capb - if [ "$key" != "$again" ]; then - db_fset shim/error/secureboot_key_mismatch seen false - db_input critical shim/error/secureboot_key_mismatch || true - STATE=$(($STATE - 2)) - else - length=$((`echo "$key" | wc -c` - 1)) - if [ $length -lt 8 ] || [ $length -gt 16 ]; then - db_fset shim/error/bad_secureboot_key seen false - db_input critical shim/error/bad_secureboot_key || true - STATE=$(($STATE - 2)) - elif [ $length -ne 0 ]; then - printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true - fi - fi - - # Always clear secureboot key. - db_set shim/secureboot_key '' - db_fset shim/secureboot_key seen false - db_set shim/secureboot_key_again '' - db_fset shim/secureboot_key_again seen false - ;; - *) - break - ;; - esac; - - if db_go; then - STATE=$(($STATE + 1)) - else - STATE=$(($STATE - 1)) - fi - db_capb backup - done + if ! [ -f $efivars/$secureboot_var ] \ + || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] + then + echo "Secure Boot not enabled on this system." >&2 + return 0 + fi + moksbstatert=0 + if [ -f $efivars/$moksb_var ]; then + # if MokSB exists we've likely already run mokutil since last boot + echo "The Secure Boot policy was already changed since last reboot; nothing to do." 
>&2 + return 0 + fi + if [ -f /proc/sys/kernel/moksbstate_disabled ]; then + moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) + elif [ -f $efivars/$moksbstatert_var ]; then + # MokSBStateRT set to 1 means validation is disabled + moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ + awk '{ print $NF; }') + fi + # poor man's xor + if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then + STATE=1 + db_settitle shim/title/secureboot + while true; do + case "$STATE" in + 1) db_capb + db_fset shim/secureboot_explanation seen false + db_input critical shim/secureboot_explanation || true + db_go + + # Allow the user to skip disabling Secure Boot. + db_fset shim/${action}_secureboot seen false + db_input critical shim/${action}_secureboot || true + ;; + 2) + db_get shim/${action}_secureboot + if [ "$RET" = "false" ]; then + break + fi + + db_input critical shim/secureboot_key || true + seen_key=$RET + db_input critical shim/secureboot_key_again || true + ;; + 3) + db_get shim/secureboot_key + key="$RET" + db_get shim/secureboot_key_again + again="$RET" + + if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then + echo "Running in non-interactive mode, doing nothing." >&2 + exit 1 + fi + + db_capb + if [ "$key" != "$again" ]; then + db_fset shim/error/secureboot_key_mismatch seen false + db_input critical shim/error/secureboot_key_mismatch || true + STATE=$(($STATE - 2)) + else + length=$((`echo "$key" | wc -c` - 1)) + if [ $length -lt 8 ] || [ $length -gt 16 ]; then + db_fset shim/error/bad_secureboot_key seen false + db_input critical shim/error/bad_secureboot_key || true + STATE=$(($STATE - 2)) + elif [ $length -ne 0 ]; then + printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true + fi + fi + + # Always clear secureboot key. 
+ db_set shim/secureboot_key '' + db_fset shim/secureboot_key seen false + db_set shim/secureboot_key_again '' + db_fset shim/secureboot_key_again seen false + ;; + *) + break + ;; + esac + + if db_go; then + STATE=$(($STATE + 1)) + else + STATE=$(($STATE - 1)) fi - fi + db_capb backup + done + db_capb fi }
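Review bot: The non-interactive guard in state 3, `echo "$seen_key" | grep -q ^30`, tests the text of `$RET` captured after `db_input critical shim/secureboot_key || true`, but debconf signals "30 question skipped" through db_input's exit status, which the `|| true` throws away; as far as I can tell confmodule strips the numeric code from RET, so this test may never match and an empty key pair would fall through to the bad_secureboot_key re-prompt the commit set out to break — confirm against debconf's confmodule before relying on it. Capturing the status is more robust and keeps the `set -e` behaviour: in state 2 use `key_rc=0; db_input critical shim/secureboot_key || key_rc=$?` and in state 3 `if [ -z "$key$again" ] && [ "$key_rc" -eq 30 ]; then`. The `exit 1` on that path deserves a one-line comment such as `# non-interactive frontend: refuse to change the policy without a MOK key` since every other failure in this loop re-prompts rather than exits. setup_mok_validation itself opens in the preceding hunk, outside this one.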