diff --git a/grub-update b/grub-update
index fbac7ef..66ce91c 100644
--- a/grub-update
+++ b/grub-update
@@ -1,6 +1,6 @@
 #!/bin/bash
 echo "[+] Updating Grub...";
-update-grub;
+/usr/sbin/update-grub;
 /usr/share/ubuntu-system-adjustments/systemd/start;
-sign-boot;
+/usr/local/sbin/sign-boot;
 echo "[*] Grub Update Complete!";
diff --git a/initramfs-tools-hooks/zzz-sign-grub.sh b/initramfs-tools-hooks/zzz-sign-grub.sh
new file mode 100755
index 0000000..e084bb9
--- /dev/null
+++ b/initramfs-tools-hooks/zzz-sign-grub.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+REREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+error_exit()
+{
+ echo "[ERROR] $1"
+ exit 1
+}
+
+case $1 in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+echo "> Grub File Signing...";
+/usr/share/ubuntu-system-adjustments/systemd/start;
+/usr/local/sbin/sign-boot;
+echo "> Completed Signing.";
+exit 0;
diff --git a/kernel-hooks/postinst.d/zzz-sign-grub b/kernel-hooks/postinst.d/zzz-sign-grub
new file mode 100755
index 0000000..b4003f2
--- /dev/null
+++ b/kernel-hooks/postinst.d/zzz-sign-grub
@@ -0,0 +1,26 @@
+#! /bin/sh
+set -e
+
+which update-grub >/dev/null 2>&1 || exit 0
+
+if type systemd-detect-virt >/dev/null 2>&1 &&
+ systemd-detect-virt --quiet --container; then
+ exit 0
+fi
+
+set -- $DEB_MAINT_PARAMS
+mode="${1#\'}"
+mode="${mode%\'}"
+case $0:$mode in
+ # Only run on postinst configure and postrm remove, to avoid wasting
+ # time by calling update-grub multiple times on upgrade and removal.
+ # Also run if we have no DEB_MAINT_PARAMS, in order to work with old
+ # kernel packages.
+ */postinst.d/*:|*/postinst.d/*:configure|*/postrm.d/*:|*/postrm.d/*:remove)
+ if [ -e /boot/grub/grub.cfg ]; then
+ exec /usr/local/sbin/grub-update
+ fi
+ ;;
+esac
+
+exit 0
diff --git a/kernel-hooks/postrm.d/zzz-sign-grub b/kernel-hooks/postrm.d/zzz-sign-grub
new file mode 100755
index 0000000..b4003f2
--- /dev/null
+++ b/kernel-hooks/postrm.d/zzz-sign-grub
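Review bot: The exit status of `/usr/sbin/update-grub` is never checked, so when it fails the script still runs `/usr/local/sbin/sign-boot` over whatever grub.cfg is on disk and then prints `[*] Grub Update Complete!`. With the calls now on absolute paths this is the remaining gap: add `set -e` directly after the shebang, or chain the three commands with `&&` so the signing step only runs after a successful regeneration. The same applies to `/usr/share/ubuntu-system-adjustments/systemd/start`, whose role in this sequence is not visible from the diff and deserves a one-line comment.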
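Review bot: `REREQ=""` on the second line is a typo for `PREREQ`, the variable that `prereqs()` echoes, so the hook declares its prerequisites from an unset variable; change it to `PREREQ=""`. `error_exit` is defined but never called: `/usr/local/sbin/sign-boot` and the `start` helper run unchecked and the hook always ends with `exit 0;`, so a failed signing is reported to update-initramfs as success — `/usr/local/sbin/sign-boot || error_exit "sign-boot failed"` would put the helper to use. Also worth confirming the timing: an initramfs-tools hook runs while mkinitramfs is assembling the image, which is presumably before update-initramfs writes the new initrd into /boot, in which case the signatures produced here cover the previous image; if so, the kernel postinst hook added in this commit is the better place to sign.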
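Review bot: `which update-grub >/dev/null 2>&1 || exit 0` still resolves the binary through PATH while every other call in this commit was moved to an absolute path; since the hook then `exec`s `/usr/local/sbin/grub-update`, which itself calls `/usr/sbin/update-grub`, the guard could be `[ -x /usr/sbin/update-grub ] || exit 0`. The identical file is added under kernel-hooks/postrm.d in the next hunk and needs the same change. If the stock `zz-update-grub` hook is also installed, the `zzz-` name sorts after it and update-grub presumably runs twice per kernel install; that may be intended, since the second run is the one that gets signed, but a comment saying so would help the next reader.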
@@ -0,0 +1,26 @@
+#! /bin/sh
+set -e
+
+which update-grub >/dev/null 2>&1 || exit 0
+
+if type systemd-detect-virt >/dev/null 2>&1 &&
+ systemd-detect-virt --quiet --container; then
+ exit 0
+fi
+
+set -- $DEB_MAINT_PARAMS
+mode="${1#\'}"
+mode="${mode%\'}"
+case $0:$mode in
+ # Only run on postinst configure and postrm remove, to avoid wasting
+ # time by calling update-grub multiple times on upgrade and removal.
+ # Also run if we have no DEB_MAINT_PARAMS, in order to work with old
+ # kernel packages.
+ */postinst.d/*:|*/postinst.d/*:configure|*/postrm.d/*:|*/postrm.d/*:remove)
+ if [ -e /boot/grub/grub.cfg ]; then
+ exec /usr/local/sbin/grub-update
+ fi
+ ;;
+esac
+
+exit 0
diff --git a/lib-systemd-system-sleep/grub-vs b/lib-systemd-system-sleep/grub-vs
new file mode 100755
index 0000000..493b094
--- /dev/null
+++ b/lib-systemd-system-sleep/grub-vs
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+case $1 in
+ pre)
+ /usr/local/sbin/boot-verify-sign
+ ;;
+esac
diff --git a/linux-version b/linux-version
new file mode 100755
index 0000000..89bf5ad
--- /dev/null
+++ b/linux-version
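Review bot: The result of `/usr/local/sbin/boot-verify-sign` is not acted on: as far as I know systemd-sleep only logs a non-zero exit from a system-sleep hook and suspends anyway, so a failed verification leaves no trace beyond that. At minimum record it where an operator will look, e.g. `/usr/local/sbin/boot-verify-sign || logger -p auth.err "grub-vs: boot verification failed before $2"`, and quote the positional parameter, `case "$1" in`. system-sleep hooks receive pre/post in `$1` and the sleep type in `$2`, so the message can say which transition was being checked.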
@@ -0,0 +1,121 @@
+#!/usr/bin/perl
+
+# Copyright 2011 Ben Hutchings
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+use strict;
+use warnings;
+
+use DebianLinux qw(version_cmp image_list);
+
+sub usage {
+ my $fh = shift;
+ print $fh (<< "EOT");
+Usage: $0 compare VERSION1 OP VERSION2
+ $0 sort [--reverse] [VERSION1 VERSION2 ...]
+ $0 list [--paths]
+
+The version arguments should be kernel version strings as shown by
+'uname -r' and used in filenames.
+
+The valid comparison operators are: lt le eq ge gt
+EOT
+}
+
+sub usage_error {
+ usage(*STDERR{IO});
+ exit 2;
+}
+
+sub compare_versions {
+ my %op_map = qw(lt < le <= eq == ge >= gt >);
+
+ # Check arguments
+ if (@_ != 3) {
+ usage_error();
+ }
+ my ($left, $op, $right) = @_;
+ if (!exists($op_map{$op})) {
+ usage_error();
+ }
+
+ my $sign = version_cmp($left, $right);
+ exit !eval("$sign ${op_map{$op}} 0");
+}
+
+sub sort_versions {
+ # Check for --reverse option
+ my $sign = 1;
+ if (@_ >= 1 and $_[0] eq '--reverse') {
+ $sign = -1;
+ shift;
+ }
+
+ # Collect versions from argv or stdin (with optional suffix after a space)
+ my @versions;
+ if (@_) {
+ @versions = map({[$_, "\n"]} @_);
+ } else {
+ while () {
+ /^([^ \n]*)(.*\n?)$/ or die;
+ push @versions, [$1, $2];
+ }
+ }
+
+ for (sort({version_cmp($a->[0], $b->[0]) * $sign} @versions)) {
+ print @$_;
+ }
+ exit 0;
+}
+
+sub list_versions {
+ my $show_paths;
+
+ if (@_ == 1 and $_[0] eq '--paths') {
+ $show_paths = 1;
+ } elsif (@_ != 0) {
+ usage_error();
+ }
+ my $sig = '.sig';
+ for (image_list()) {
+ my ($version, $path) = @$_;
+ unless ($path =~ /\Q$sig\E$/) {
+ if ($show_paths) {
+ print "$version $path\n";
+ } else {
+ print "$version\n";
+ }
+ }
+ }
+ exit 0;
+}
+
+if (@ARGV == 0) {
+ usage_error();
+}
+
+my $command = shift;
+if ($command eq 'help' or grep({$_ eq '--help'} $command, @ARGV)) {
+ usage(*STDOUT{IO});
+ exit 0;
+} elsif ($command eq 'compare') {
+ compare_versions(@ARGV);
+} elsif ($command eq 'sort') {
+ sort_versions(@ARGV);
+} elsif ($command eq 'list') {
+ list_versions(@ARGV);
+}
+usage_error();
diff --git a/sign-boot b/sign-boot
index 771fb04..9b7efce 100644
--- a/sign-boot
+++ b/sign-boot
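Review bot: `while () {` in sort_versions has no readline expression, which Perl treats as an endless loop; this looks like a `<STDIN>` stripped by the page rendering (the stock linux-base script reads `while (<STDIN>) {` at this point), but it is worth confirming against the committed file. The `exit !eval("$sign ${op_map{$op}} 0")` in compare_versions is a string eval that a dispatch hash of code refs (`lt => sub { $_[0] < 0 }`, and so on) would replace with no loss, even though `$op` has already been validated against `%op_map`. In list_versions, the new `.sig` filter should anchor with `\z` rather than `$`, `unless ($path =~ /\Q$sig\E\z/)`, since `$` also matches before a trailing newline; a comment saying the filter hides the detached signatures written by sign-boot would explain why this copy diverges from the packaged linux-version.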
@@ -7,28 +7,28 @@ echo "[*] Preparing to sign!";
 #read -s pwd;
 #echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
 echo "[-] BMOK Un-Signing...";
-for i in $(find /boot/grub -iname "*.efi" -type f -print)
+for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
 do
 echo $i;
- sbattach --remove $i;
+ /usr/bin/sbattach --remove $i;
 done;
 echo "[+] BMOK Signing...";
-for i in $(find /boot/grub -iname "*.efi" -type f -print)
+for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
 do
 echo $i;
- sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
+ /usr/bin/sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
 done;
 echo "[-] Un-Signing...";
 #-iname "efi" -prune -o
-for i in $(find /boot -iname "*.sig" -type f -print)
+for i in $(/usr/bin/find /boot -iname "*.sig" -type f -print)
 do
 rm "$i";
 done;
 echo "[+] Signing...";
-for i in $(find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+for i in $(/usr/bin/find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
 do
 echo $i;
- gpg --batch --detach-sign $i;
+ /usr/bin/gpg --batch --detach-sign $i;
 #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
 # /dev/shm/sb-passpwd.txt;
 done;
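Review bot: All four loops still iterate over unquoted `$(/usr/bin/find ...)` output and pass `$i` unquoted to sbattach, sbsign and gpg, so a path containing whitespace is split into several arguments and the wrong file is signed or skipped; the absolute paths do not change that. Letting find run the tool avoids the split entirely, e.g. `/usr/bin/find /boot/grub -iname "*.efi" -type f -exec /usr/bin/sbattach --remove {} \;` and `... -exec /usr/bin/sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem --output {} {} \;`, and likewise for the gpg loop. `--output $i` writes the signed image over its own input, so a failure part-way presumably leaves a truncated loader; signing to a temporary file and renaming it into place is safer. None of sbattach, sbsign or gpg has its exit status checked, so a failed signature goes unreported — the script's remaining lines, including any completion message, are outside the hunk. The signing keys are read from `/cert` on the same host, so the detached signatures defend against offline tampering rather than against a compromised root; that scope is worth stating in the script's header comment.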