
Paste from cyphermox at Mon, 11 Jan 2016 17:26:48 +0000

diff -Nru dkms-2.2.0.3/debian/changelog dkms-2.2.0.3/debian/changelog
--- dkms-2.2.0.3/debian/changelog	2015-11-30 02:07:44.000000000 -0500
+++ dkms-2.2.0.3/debian/changelog	2016-01-11 10:00:57.000000000 -0500
@@ -1,3 +1,11 @@
+dkms (2.2.0.3-2ubuntu9) UNRELEASED; urgency=medium
+
+  * debian/patches/shim_secureboot_support.patch: add support for disabling
+    shim's validation for Secure Boot, so as to allow third-party drivers use
+    in the context of Secure Boot.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 Jan 2016 09:44:38 -0500
+
 dkms (2.2.0.3-2ubuntu8) xenial; urgency=medium
 
   * apport_python3.patch: Force unicode conversion for attaching DKMSBuildLog.
diff -Nru dkms-2.2.0.3/debian/patches/series dkms-2.2.0.3/debian/patches/series
--- dkms-2.2.0.3/debian/patches/series	2015-11-11 09:42:52.000000000 -0500
+++ dkms-2.2.0.3/debian/patches/series	2016-01-11 09:45:14.000000000 -0500
@@ -11,3 +11,4 @@
 new_apport_utils.patch
 1491729-0001-Add-POST_BUILD-to-the-dkms_conf_variables-list.patch
 1491729-0002-Add_BUILD_DEPENDS_configuration_option.patch
+shim_secureboot_support.patch
diff -Nru dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch
--- dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch	1969-12-31 19:00:00.000000000 -0500
+++ dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch	2016-01-11 12:22:26.000000000 -0500
@@ -0,0 +1,93 @@
+From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+Subject: Add support for UEFI Secure Boot validation toggling through shim
+Last-Update: 2016-01-11
+
+This allows one to install third-party drivers and still have their system
+work (albeit without full Secure Boot validation), automatizing the step
+of disabling validation in shim.
+
+Users still have the possibility to notice this and skip the step, thus
+not disabling Secure Boot (but then, they will not be able to load the
+dkms drivers that were added).
+
+---
+ dkms_common.postinst |   62 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 62 insertions(+)
+
+Index: b/dkms_common.postinst
+===================================================================
+--- a/dkms_common.postinst
++++ b/dkms_common.postinst
+@@ -6,6 +6,8 @@
+ 
+ set -e
+ 
++. /usr/share/debconf/confmodule
++
+ uname_s=$(uname -s)
+ 
+ _get_kernel_dir() {
+@@ -293,3 +295,63 @@ for KERNEL in $KERNELS; do
+     fi
+ done
+ 
++efivars=/sys/firmware/efi/efivars
++secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
++if [ -d $efivars ] && [ -f $efivars/$secureboot_var ]; then
++    sb_enabled=$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF; }')
++    if [ $sb_enabled -eq 1 ]; then
++        db_fset dkms/text/efi_secureboot seen false
++        db_fset dkms/disable_validation seen false
++
++        db_capb backup
++        STATE=1
++        while true; do
++            case "$STATE" in
++                1)
++                    # Show UEFI Secure Boot description/info
++                    db_input high dkms/text/efi_secureboot || true
++                    ;;
++                2)
++                    # Allow the user to skip disabling Secure Boot.
++                    db_input high dkms/disable_validation || true
++                    ;;
++                3)
++                    db_get dkms/disable_validation
++                    if [ "$RET" = "false" ]; then
++                        break
++                    fi
++
++                    # Always reset seen for the Secure Boot key so the user is
++                    # forced to enter it
++                    db_fset dkms/secureboot_key seen false
++                    db_input high dkms/secureboot_key || true
++                    ;;
++                4)
++                    db_get dkms/secureboot_key
++                    length=`echo $RET | wc -c`
++                    if [ $length -lt 8 ] || [ $length -gt 16 ]; then
++                        db_fset dkms/text/bad_secureboot_key seen false
++                        db_input critical dkms/text/bad_secureboot_key
++                        STATE=$(($STATE - 2))
++                    elif [ $length -ne 0 ]; then
++                        echo "${RET}\n${RET}" | mokutil --disable-validation
++                    fi
++
++                    # Always clear secureboot key.
++                    db_set dkms/secureboot_key ''
++                    ;;
++                *)
++                    break
++                    ;;
++            esac;
++
++            if db_go; then
++                STATE=$(($STATE + 1))
++            else
++                STATE=$(($STATE - 1))
++            fi
++        done
++        db_capb
++    fi
++fi
++
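Review bot: In state 4 of the added postinst loop, ``length=`echo $RET | wc -c` `` counts the trailing newline and expands `$RET` unquoted, so the check accepts 7 to 15 characters rather than the 8 to 16 that the dkms/text/bad_secureboot_key template promises, and a password containing runs of whitespace or glob characters is measured wrongly. `echo "${RET}\n${RET}"` only works if the shell's echo interprets `\n`, and such an echo also interprets backslashes inside the password, so `printf '%s\n%s\n'` is the safer way to feed mokutil. Because the script runs under `set -e` (visible in the context lines), a failing or missing mokutil, or the one `db_input critical` call that lacks `|| true`, exits before `db_set dkms/secureboot_key ''` runs and leaves the password in the debconf database; the rewrite below clears it first. The `elif [ $length -ne 0 ]` test is always true once the range check has passed and can be a plain `else`. The rest of dkms_common.postinst lies outside the hunk, so its shebang and any package dependency on mokutil are not visible here.

```shell
                4)
                    db_get dkms/secureboot_key
                    key="$RET"
                    # Clear the stored password before anything below can fail under set -e.
                    db_set dkms/secureboot_key ''
                    length=${#key}
                    if [ "$length" -lt 8 ] || [ "$length" -gt 16 ]; then
                        db_fset dkms/text/bad_secureboot_key seen false
                        db_input critical dkms/text/bad_secureboot_key || true
                        STATE=$(($STATE - 2))
                    else
                        printf '%s\n%s\n' "$key" "$key" | mokutil --disable-validation
                    fi
                    ;;
```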
diff -Nru dkms-2.2.0.3/debian/templates dkms-2.2.0.3/debian/templates
--- dkms-2.2.0.3/debian/templates	1969-12-31 19:00:00.000000000 -0500
+++ dkms-2.2.0.3/debian/templates	2016-01-11 11:16:00.000000000 -0500
@@ -0,0 +1,30 @@
+Template: dkms/text/efi_secureboot
+Type: text
+Description:
+ Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible
+ with the use of third-party drivers.
+ .
+ After installation completes, Ubuntu will assist you in disabling UEFI
+ Secure Boot. To ensure that this change is being made by you as an authorized
+ user, and not by an attacker, you must choose a password now and then use
+ the same password after reboot to confirm the change.
+ .
+ If you choose to proceed but do not confirm the password upon reboot, Ubuntu
+ will still be able to boot on your system but these third-party drivers will
+ not be available for your hardware.
+
+Template: dkms/text/bad_secureboot_key
+Type: text
+Description:
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: dkms/disable_validation
+Type: boolean
+Default: false
+Description: Disable UEFI Secure Boot?
+
+Template: dkms/secureboot_key
+Type: password
+Description: Please enter a password for disabling Secure Boot:
+
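Review bot: The `dkms/disable_validation` question carries only the short description `Disable UEFI Secure Boot?` and no extended description, so the prompt that actually gates the change does not say what is being turned off. The changelog entry in this debdiff describes the feature as "disabling shim's validation for Secure Boot", and the postinst implements it with `mokutil --disable-validation`. An extended description stating that, and that declining only leaves the DKMS-built drivers unloadable, would let the user make an informed choice. Separately, `dkms/text/bad_secureboot_key` calls the value a "Secure Boot key" in one sentence and a "password" in the next; using "password" throughout avoids suggesting that a signing key is expected.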