11post_install() {
2+ local original="/usr/share/linux-surface-secureboot/surface.cer"
3+ local hashfile
4+
25 echo ""
36 echo "The secure-boot certificate has been installed to"
47 echo ""
5- echo " /usr/share/linux-surface-secureboot/surface.cer "
8+ echo " ${original} "
69 echo ""
10+
11+ # check if efivarfs has been mounted
12+ if ! mount -l | grep --quiet "efivarfs"; then
13+ echo "The 'efivarfs' filesystem has not been mounted. Please add the key to the"
14+ echo "UEFI key store manually."
15+ echo ""
16+ echo "You can do this by, e.g., mounting efivarfs via"
17+ echo ""
18+ echo " mount -t efivarfs none /sys/firmware/efi/efivars"
19+ echo ""
20+ echo "and running mokutil via"
21+ echo ""
22+ echo " mokutil --import ${original}"
23+ echo ""
24+ echo "To finish the enrollment process you then need to reboot, where you will be"
25+ echo "asked to enroll the certificate. During the import, you will be prompted for"
26+ echo "the (temporary) password you chose when asked in the commands above. Please"
27+ echo "make sure that you are indeed adding the right key and confirm by entering"
28+ echo "your chosen password."
29+ echo ""
30+ return
31+ fi
32+
733 echo "It will now be automatically enrolled for you and guarded with the password"
834 echo ""
935 echo " surface"
1036 echo ""
1137
12- local hashfile=$(mktemp)
13- mokutil --generate-hash=surface > ${hashfile}
14- mokutil --hash-file ${hashfile} --import /usr/share/linux-surface-secureboot/surface.cer
38+ hashfile=$(mktemp)
39+ mokutil --generate-hash=surface > " ${hashfile}"
40+ mokutil --hash-file " ${hashfile}" --import ${original}
1541
1642 echo "To finish the enrollment process you need to reboot, where you will then be"
1743 echo "asked to enroll the certificate. During the import, you will be prompted for"
@@ -24,23 +50,56 @@ post_install() {
2450}
2551
2652pre_remove() {
53+ local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
54+ local original="/usr/share/linux-surface-secureboot/surface.cer"
55+ local hashfile
56+
57+ # check if efivarfs has been mounted
58+ if ! mount -l | grep --quiet "efivarfs"; then
59+ cp "${original}" "${backup}"
60+
61+ echo ""
62+ echo "The 'efivarfs' filesystem has not been mounted. Please remove the key from"
63+ echo "the UEFI key store manually."
64+ echo ""
65+ echo "You can do this by, e.g., mounting efivarfs via"
66+ echo ""
67+ echo " mount -t efivarfs none /sys/firmware/efi/efivars"
68+ echo ""
69+ echo "and running mokutil via"
70+ echo ""
71+ echo " mokutil --delete ${backup}"
72+ echo ""
73+ echo "The key will be revoked on the next start of your system. You will then"
74+ echo "be asked to confirm the key and enter the (temporary) password you chose"
75+ echo "when running the command above."
76+ echo ""
77+ echo "Note: The key has been backed up to temporary storage at"
78+ echo ""
79+ echo " ${backup}"
80+ echo ""
81+ echo "It may be gone after the next reboot."
82+ echo ""
83+ return
84+ fi
85+
2786 echo ""
2887 echo "The following secure-boot certificate will be uninstalled and revoked from"
2988 echo "your system"
3089 echo ""
31- echo " /usr/share/linux-surface-secureboot/surface.cer "
90+ echo " ${original} "
3291 echo ""
3392
34- local hashfile=$(mktemp)
35- mokutil --generate-hash=surface > ${hashfile}
36- mokutil --hash-file ${hashfile} --delete /usr/share/linux-surface-secureboot/surface.cer
93+ hashfile=$(mktemp)
94+ mokutil --generate-hash=surface > " ${hashfile}"
95+ mokutil --hash-file " ${hashfile}" --delete "${original}"
3796
3897 echo "The key will be revoked on the next start of your system. You will then"
39- echo "again asked for the password. Enter 'surface' to confirm."
98+ echo "be asked again for the password. Enter 'surface' to confirm."
4099 echo ""
41- echo "Kernels signed with the corresponding private key will still not be allowed"
42- echo "to boot after this. Note that you can always manage your secure-boot keys"
43- echo "via the 'mokutil' tool. Please refer to 'man mokutil' for more information."
100+ echo "Kernels signed with the corresponding private key will not be allowed to "
101+ echo "boot after this. Note that you can always manage your secure-boot keys via "
102+ echo "the 'mokutil' tool. Please refer to 'man mokutil' for more information."
44103 echo ""
45104}
46105
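Review bot: The temp-file path in pre_remove's two mokutil lines is quoted with a leading space (`> " ${hashfile}"` and `--hash-file " ${hashfile}"`), so as rendered the hash is written to, and read back from, a relative file whose name starts with a space in the current directory rather than the mktemp path; unless this is a display artifact of the page, they should read `mokutil --generate-hash=surface > "${hashfile}"` and `mokutil --hash-file "${hashfile}" --delete "${original}"`. The same pattern appears in the post_install hunk and in the post_upgrade hunk, where `${original}` and `${backup}` are additionally left unquoted on the mokutil lines even though pre_remove quotes `"${original}"`. The file created by `mktemp` is never removed in any of the three functions, so each run leaves a stray file behind; an `rm -f -- "${hashfile}"` after the mokutil calls (or an EXIT trap) would clean it up. The new `cp "${original}" "${backup}"` in pre_remove writes as root to a fixed name under /tmp, a world-writable directory; the path predates this change, but a package-private directory (or a mktemp-created one recorded for post_upgrade) would avoid a pre-created file or symlink at that name being followed.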
@@ -54,20 +113,42 @@ pre_upgrade() {
54113post_upgrade() {
55114 local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
56115 local original="/usr/share/linux-surface-secureboot/surface.cer"
116+ local hashfile
117+
118+ if ! cmp --silent "${original}" "${backup}"; then
119+ # check if efivarfs has been mounted
120+ if ! mount -l | grep --quiet "efivarfs"; then
121+ echo "The 'efivarfs' filesystem has not been mounted. Please update the key in"
122+ echo "UEFI key store manually."
123+ echo ""
124+ echo "You can do this by, e.g., mounting efivarfs via"
125+ echo ""
126+ echo " mount -t efivarfs none /sys/firmware/efi/efivars"
127+ echo ""
128+ echo "and running mokutil via"
129+ echo ""
130+ echo " mokutil --delete ${backup}"
131+ echo " mokutil --import ${original}"
132+ echo ""
133+ echo "The key will be updated on the next start of your system. You will then"
134+ echo "be asked to confirm the key and enter the (temporary) password you chose"
135+ echo "when running the commands above."
136+ echo ""
137+ return
138+ fi
57139
58- if ! cmp --silent "${original}" "${backup}"
59- then
140+ # certificate has changed and needs re-enrollment
60141 echo ""
61142 echo "Updating secure boot certificate. The old key will be revoked and a new key"
62143 echo "will be installed. You will need to reboot your system, where you will then"
63144 echo "be asked to delete the old and import the new key. In both cases, make sure"
64145 echo "this is the right key and confirm with the password 'surface'."
65146 echo ""
66147
67- local hashfile=$(mktemp)
68- mokutil --generate-hash=surface > ${hashfile}
69- mokutil --hash-file ${hashfile} --delete ${backup}
70- mokutil --hash-file ${hashfile} --import ${original}
148+ hashfile=$(mktemp)
149+ mokutil --generate-hash=surface > " ${hashfile}"
150+ mokutil --hash-file " ${hashfile}" --delete ${backup}
151+ mokutil --hash-file " ${hashfile}" --import ${original}
71152 fi
72153
73154 rm -f "${backup}"