From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Subject: Add support for UEFI Secure Boot validation toggling through shim
Last-Update: 2016-01-11
This allows one to install third-party drivers and still have their system
work (albeit without full Secure Boot validation), automating the step
of disabling validation in shim.
Users still have the possibility to notice this and skip the step, thus
not disabling Secure Boot (but then, they will not be able to load the
dkms drivers that were added).
---
dkms_common.postinst | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
Index: b/dkms_common.postinst
===================================================================
--- a/dkms_common.postinst
+++ b/dkms_common.postinst
@@ -6,6 +6,8 @@
set -e
+. /usr/share/debconf/confmodule
+
uname_s=$(uname -s)
_get_kernel_dir() {
@@ -293,3 +295,63 @@ for KERNEL in $KERNELS; do
fi
done
+efivars=/sys/firmware/efi/efivars
+secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+if [ -d $efivars ] && [ -f $efivars/$secureboot_var ]; then
+ sb_enabled=$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF; }')
+ if [ $sb_enabled -eq 1 ]; then
+ db_fset dkms/text/efi_secureboot seen false
+ db_fset dkms/disable_validation seen false
+
+ db_capb backup
+ STATE=1
+ while true; do
+ case "$STATE" in
+ 1)
+ # Show UEFI Secure Boot description/info
+ db_input high dkms/text/efi_secureboot || true
+ ;;
+ 2)
+ # Allow the user to skip disabling Secure Boot.
+ db_input high dkms/disable_validation || true
+ ;;
+ 3)
+ db_get dkms/disable_validation
+ if [ "$RET" = "false" ]; then
+ break
+ fi
+
+ # Always reset seen for the Secure Boot key so the user is
+ # forced to enter it
+ db_fset dkms/secureboot_key seen false
+ db_input high dkms/secureboot_key || true
+ ;;
+ 4)
+ db_get dkms/secureboot_key
+ length=`echo $RET | wc -c`
+ if [ $length -lt 8 ] || [ $length -gt 16 ]; then
+ db_fset dkms/text/bad_secureboot_key seen false
+ db_input critical dkms/text/bad_secureboot_key
+ STATE=$(($STATE - 2))
+ elif [ $length -ne 0 ]; then
+ echo "${RET}\n${RET}" | mokutil --disable-validation
+ fi
+
+ # Always clear secureboot key.
+ db_set dkms/secureboot_key ''
+ ;;
+ *)
+ break
+ ;;
+ esac;
+
+ if db_go; then
+ STATE=$(($STATE + 1))
+ else
+ STATE=$(($STATE - 1))
+ fi
+ done
+ db_capb
+ fi
+fi
+
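Review bot: The key-length check in state 4 is off by one because `echo $RET | wc -c` counts the trailing newline, so a 7-character key passes the script but is then rejected by mokutil's 8–16 limit while a valid 16-character key is refused; the unquoted `$RET` also word-splits and glob-expands the key before it is measured, and the following `elif [ $length -ne 0 ]` can never be false since wc never prints 0 here. Measure it with `length=$(printf '%s' "$RET" | wc -c)` and quote `"$length"` in the tests. The hand-off `echo "${RET}\n${RET}" | mokutil --disable-validation` relies on the shell's echo expanding `\n` (dash does, bash does not) and lets a key containing backslashes be mangled before it reaches mokutil; `printf '%s\n%s\n' "$RET" "$RET" | mokutil --disable-validation` feeds both lines regardless of shell. With `set -e` in force, a non-zero exit from that mokutil pipeline, or from the `db_input critical dkms/text/bad_secureboot_key` call that lacks the `|| true` every other db_input here carries, aborts the postinst mid-dialog rather than reporting the failure, so handle both explicitly. The enclosing script starts before this hunk, so the shebang that decides which echo is in play is not visible here.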