⚝
One Hat Cyber Team
⚝
Your IP:
216.73.216.144
Server IP:
157.245.143.252
Server:
Linux www 6.11.0-9-generic #9-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 14 13:19:59 UTC 2024 x86_64
Server Software:
nginx/1.26.0
PHP Version:
8.3.11
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
proc
/
self
/
root
/
var
/
lib
/
dpkg
/
info
/
View File Name :
shim-signed.postinst
#! /bin/sh set -e # Must load the confmodule for our template to be installed correctly. . /usr/share/debconf/confmodule efivars=/sys/firmware/efi/efivars secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 efi_archs="x64 aa64" on_secure_boot() { # Validate any queued actions before we go try to do them. local moksbstatert=0 if ! [ -d $efivars ]; then return 1 fi if ! [ -f $efivars/$secureboot_var ] \ || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ] then return 1 fi if [ -f /proc/sys/kernel/moksbstate_disabled ]; then moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0) elif [ -f $efivars/$moksbstatert_var ]; then # MokSBStateRT set to 1 means validation is disabled moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \ awk '{ print $NF; }') fi if [ $moksbstatert -eq 1 ]; then return 1 fi return 0 } # Check that our current kernel and every newer one has not been revoked find_revoked() { uname_r="$(uname -r)" exit=1 for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do # no kernels :( if [ "$kernel" = "/boot/vmlinuz-*" ]; then break fi this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')" if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then continue fi if [ -e "$kernel.efi.signed" ]; then continue fi if ! /usr/lib/shim/is-not-revoked "$kernel"; then exit=0 fi done return $exit } setup_alternatives() { for efi_arch in ${efi_archs}; do test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue if ! on_secure_boot || ! find_revoked; then update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50 else update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50 update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100 fi done } config_item () { if [ -f /etc/default/grub ]; then . /etc/default/grub || return for x in /etc/default/grub.d/*.cfg; do if [ -e "$x" ]; then . "$x" fi done fi eval echo "\$$1" } sign_dkms_modules() { for kern in `dpkg -l linux-image-[0-9]\* | awk '/^ii/ { sub("linux-image-","",$2); print $2 }'`; do for dkms in `dkms status -k $(uname -r) | grep 'installed' | awk -F,\ '{print $1"/"$2}'`; do dkms uninstall -k "$kern" "$dkms" || : if ! dkms status -k "$kern" "$dkms" | grep -q 'built$' then cat <<EOF shim-signed: failed to prepare dkms module for signing; ignoring. module: $dkms kernel: $kern EOF continue fi mods=$(find /var/lib/dkms/${dkms}/${kern}/$(uname -m)/module/ -name "*.ko") for mod in $mods; do kmodsign sha512 \ /var/lib/shim-signed/mok/MOK.priv \ /var/lib/shim-signed/mok/MOK.der \ $mod done dkms install -k "$kern" "${dkms}" done done } case $(dpkg --print-architecture) in amd64) grubarch=x86_64-efi ;; arm64) grubarch=arm64-efi ;; esac case "$1:$2" in triggered:shim-secureboot-policy) if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key fi ;; triggered:shim-kernel-check) setup_alternatives # If we did not switch to the latest shim, do not reinstall shim and grub. for efi_arch in ${efi_archs}; do test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then exit 0 fi done bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ cut -d' ' -f1)" case $bootloader_id in kubuntu) bootloader_id=ubuntu ;; esac # Check /boot/grub to see if we previously installed to an ESP. We don't # want to trigger the install code just by installing the package, # normally the installer installs grub itself first. if [ -e /boot/grub/${grubarch}/core.efi ]; then /usr/lib/grub/grub-multi-install --target=${grubarch} fi ;; configure:*) for efi_arch in ${efi_archs}; do test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue # If NX alternative is not already present, install it at low priority, # otherwise keep the existing priority to allow manually enabling NX # FIXME: we would like to install NX shim on new installs (non-upgrades) by default # but Windows 10 chainloading is currently blocking this if ! update-alternatives --list shim${efi_arch}.efi.signed | grep nx.efi -q; then update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.nx.efi.signed.latest 25 fi done setup_alternatives bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ cut -d' ' -f1)" case $bootloader_id in kubuntu) bootloader_id=ubuntu ;; esac # Check /boot/grub to see if we previously installed to an ESP. We don't # want to trigger the install code just by installing the package, # normally the installer installs grub itself first. if [ -e /boot/grub/${grubarch}/core.efi ]; then /usr/lib/grub/grub-multi-install --target=${grubarch} if dpkg --compare-versions "$2" lt-nl "1.22~"; then rm -f /boot/efi/EFI/ubuntu/MokManager.efi fi fi # Upgrade case, capture pre-existing DKMS packages. if dpkg --compare-versions "$2" lt-nl "1.30" \ && [ -d /var/lib/dkms ] then find /var/lib/dkms -maxdepth 1 -type d -print \ | LC_ALL=C sort > /var/lib/shim-signed/dkms-list fi # Upgrade case, migrate all existing kernels/dkms module combinations # to self-signed modules. if dpkg --compare-versions "$2" lt "1.34.7" \ && [ -d /var/lib/dkms ] then SHIM_NOTRIGGER=y update-secureboot-policy --new-key sign_dkms_modules SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key fi ;; esac exit 0