From: srs5694 Date: Fri, 13 Feb 2015 01:18:30 +0000 (-0500) Subject: install.sh & related: Improved Secure Boot detection & removed error X-Git-Url: https://code.delx.au/refind/commitdiff_plain/e86087ab76430dd4acf8c992aa0d9bad1c1c494b install.sh & related: Improved Secure Boot detection & removed error messages when copying Shim & MokManager files over themselves. --- diff --git a/debian/postinst b/debian/postinst index 76df587..e78bd9d 100755 --- a/debian/postinst +++ b/debian/postinst @@ -12,7 +12,11 @@ fi cd /usr/share/refind -declare VarFile=`ls -d /sys/firmware/efi/vars/SecureBoot* 2> /dev/null` +if [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then + IsSecureBoot=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[[:space:]]'` +else + IsSecureBoot="0" +fi # Note: Two find operations for ShimFile favors shim over PreLoader -- if both are # present, the script uses shim rather than PreLoader. declare ShimFile=`find /boot -name shim\.efi -o -name shimx64\.efi -o -name PreLoader\.efi 2> /dev/null | head -n 1` @@ -31,7 +35,7 @@ declare OpenSSL=`which openssl 2> /dev/null` # enroll an extra MOK. I'm including it here because I'm NOT a # distribution maintainer, and I want to encourage users to use # their own local keys. -if [[ -n $VarFile && -n $ShimFile ]] ; then +if [[ $IsSecureBoot == "1" && -n $ShimFile ]] ; then if [[ -n $SBSign && -n $OpenSSL ]] ; then ./install.sh --shim $ShimFile --localkeys --yes else diff --git a/install.sh b/install.sh index 4306c3f..ccf7d81 100755 --- a/install.sh +++ b/install.sh @@ -35,6 +35,8 @@ # # Revision history: # +# 0.8.7 -- Better detection of Secure Boot mode & fixed errors when copying +# Shim & MokManager files over themselves. # 0.8.6 -- Fixed bugs that caused misidentification of ESP on disks with # partition numbers over 10 on OS X and misidentification of mount # point if already-mounted ESP had space in path. 
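Review bot: The new detection in debian/postinst fails open: the `else` branch sets `IsSecureBoot="0"` whenever `/sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data` is absent, so a system that exposes EFI variables only through efivarfs (`/sys/firmware/efi/efivars`) is treated as Secure Boot off and the `./install.sh --shim ...` branch gated on `$IsSecureBoot == "1"` is never taken. An empty result from `od` (for example when the file cannot be read) ends up on the same non-shim path. I would add a fallback before the `else`: `elif [[ -f /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c ]] ; then` followed by `IsSecureBoot=$(od -An -t u1 -j 4 -N 1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | tr -d '[[:space:]]')`, since efivarfs files begin with four attribute bytes. The same block is repeated in `CheckSecureBoot()` in install.sh and in the refind.spec scriptlet, so the change applies there as well.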
@@ -223,15 +225,24 @@ CheckForFiles() { # Helper for CopyRefindFiles; copies shim files (including MokManager, if it's # available) to target. CopyShimFiles() { - cp -fb "$ShimSource" "$InstallDir/$TargetDir/$TargetShim" - if [[ $? != 0 ]] ; then - Problems=1 - fi - if [[ -f "$MokManagerSource" ]] ; then - cp -fb "$MokManagerSource" "$InstallDir/$TargetDir/" + local inode1=`ls -i "$ShimSource" | cut -f 1 -d " "` + local inode2=`ls -i "$InstallDir/$TargetDir/$TargetShim" | cut -f 1 -d " "` + if [[ $inode1 != $inode2 ]] ; then + cp -fb "$ShimSource" "$InstallDir/$TargetDir/$TargetShim" + if [[ $? != 0 ]] ; then + Problems=1 + fi fi - if [[ $? != 0 ]] ; then - Problems=1 + inode1 = `ls -i "$MokManagerSource" | cut -f 1 -d " "` + local TargetMMName=`basename $MokManagerSource` + inode2 = `ls -i "$InstallDir/$TargetDir/$TargetShim/$TargetMMName" | cut -f 1 -d " "` + if [[ $inode1 != $inode2 ]] ; then + if [[ -f "$MokManagerSource" ]] ; then + cp -fb "$MokManagerSource" "$InstallDir/$TargetDir/" + fi + if [[ $? != 0 ]] ; then + Problems=1 + fi fi } # CopyShimFiles() 
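Review bot: The MokManager half of the new `CopyShimFiles()` cannot work as written: `inode1 = ...` and `inode2 = ...` have spaces around `=`, so bash tries to run commands named `inode1` and `inode2` instead of assigning, and the comparison then reuses the shim's inode values. The target path `$InstallDir/$TargetDir/$TargetShim/$TargetMMName` also treats the shim file as a directory, although `cp` writes MokManager to `$InstallDir/$TargetDir/`. In addition, `ls -i` prints an error whenever the target does not exist yet, and a bare inode number can coincide between two different filesystems, which would silently skip the copy and could leave a stale shim in the target directory. Bash's `-ef` test compares device and inode together and needs no `ls`; a sketch of the body follows.

```shell
CopyShimFiles() {
   local ShimTarget="$InstallDir/$TargetDir/$TargetShim"
   # -ef is true only when both paths resolve to the same device and inode.
   if [[ ! "$ShimSource" -ef "$ShimTarget" ]] ; then
      cp -fb "$ShimSource" "$ShimTarget" || Problems=1
   fi
   if [[ -f "$MokManagerSource" ]] ; then
      local MokTarget="$InstallDir/$TargetDir/$(basename "$MokManagerSource")"
      if [[ ! "$MokManagerSource" -ef "$MokTarget" ]] ; then
         cp -fb "$MokManagerSource" "$MokTarget" || Problems=1
      fi
   fi
} # CopyShimFiles()
```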
@@ -702,20 +713,18 @@ InstallOnOSX() { # appropriate options haven't been set, warn the user and offer to abort. # If we're NOT in Secure Boot mode but the user HAS specified the --shim # or --localkeys option, warn the user and offer to abort. -# -# FIXME: Although I checked the presence (and lack thereof) of the -# /sys/firmware/efi/vars/SecureBoot* files on my Secure Boot test system -# before releasing this script, I've since found that they are at least -# sometimes present when Secure Boot is absent. This means that the first -# test can produce false alarms. A better test is highly desirable. CheckSecureBoot() { - VarFile=`ls -d /sys/firmware/efi/vars/SecureBoot* 2> /dev/null` - if [[ -n "$VarFile" && "$TargetDir" != '/EFI/BOOT' && "$ShimSource" == "none" ]] ; then + local IsSecureBoot + if [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then + IsSecureBoot=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[[:space:]]'` + else + IsSecureBoot="0" + fi + if [[ $IsSecureBoot == "1" && "$TargetDir" != '/EFI/BOOT' && "$ShimSource" == "none" ]] ; then echo "" - echo "CAUTION: Your computer appears to support Secure Boot, but you haven't" - echo "specified a valid shim.efi file source. If you've disabled Secure Boot and" - echo "intend to leave it disabled, this is fine; but if Secure Boot is active, the" - echo "resulting installation won't boot. You can read more about this topic at" + echo "CAUTION: Your computer appears to be booted with Secure Boot, but you haven't" + echo "specified a valid shim.efi file source. Chances are you should re-run with" + echo "the --shim option. You can read more about this topic at" echo "http://www.rodsbooks.com/refind/secureboot.html." echo "" echo -n "Do you want to proceed with installation (Y/N)? " 
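Review bot: `CheckSecureBoot()` now depends on a hard-coded sysfs path that is spelled out twice and has no comment saying what it reads, while the FIXME that explained the old test is removed. I would hold the path in one local, e.g. `local SBVar="/sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data"`, and add above it `# SecureBoot is a one-byte EFI global variable; od prints it as a decimal, 1 = Secure Boot active.` The function continues past the end of this hunk.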
@@ -727,7 +736,7 @@ CheckSecureBoot() { fi fi - if [[ "$ShimSource" != "none" && ! -n "$VarFile" ]] ; then + if [[ "$ShimSource" != "none" && ! $IsSecureBoot == "1" ]] ; then echo "" echo "You've specified installing using a shim.efi file, but your computer does not" echo "appear to be running in Secure Boot mode. Although installing in this way" @@ -745,7 +754,7 @@ CheckSecureBoot() { fi fi - if [[ $LocalKeys != 0 && ! -n "$VarFile" ]] ; then + if [[ $LocalKeys != 0 && ! $IsSecureBoot == "1" ]] ; then echo "" echo "You've specified re-signing your rEFInd binaries with locally-generated keys," echo "but your computer does not appear to be running in Secure Boot mode. The" diff --git a/refind.spec b/refind.spec index 057cb53..76d9533 100644 --- a/refind.spec +++ b/refind.spec @@ -1,6 +1,6 @@ Summary: EFI boot manager software Name: refind -Version: 0.8.6 +Version: 0.8.6.1 Release: 1%{?dist} Summary: EFI boot manager software License: GPLv3 @@ -125,7 +125,11 @@ fi cd /usr/share/refind-%{version} -declare VarFile=`ls -d /sys/firmware/efi/vars/SecureBoot* 2> /dev/null` +if [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then + IsSecureBoot=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[[:space:]]'` +else + IsSecureBoot="0" +fi # Note: Two find operations for ShimFile favors shim over PreLoader -- if both are # present, the script uses shim rather than PreLoader. declare ShimFile=`find /boot -name shim\.efi -o -name shimx64\.efi -o -name PreLoader\.efi 2> /dev/null | head -n 1` @@ -144,7 +148,7 @@ declare OpenSSL=`which openssl 2> /dev/null` # enroll an extra MOK. I'm including it here because I'm NOT a # distribution maintainer, and I want to encourage users to use # their own local keys. -if [[ -n $VarFile && -n $ShimFile ]] ; then +if [[ $IsSecureBoot == "1" && -n $ShimFile ]] ; then if [[ -n $SBSign && -n $OpenSSL ]] ; then ./install.sh --shim $ShimFile --localkeys --yes else 
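Review bot: The two negated tests in `CheckSecureBoot()`, `! $IsSecureBoot == "1"` in this hunk and in the `$LocalKeys` check in the next one, read more clearly as `"$IsSecureBoot" != "1"`, matching the `!=` already used on `$ShimSource` in the same condition. Both also treat an empty `IsSecureBoot` (which `od` would leave if the data file could not be read) as Secure Boot off, so a short comment stating that this is intended would help. Both conditions sit in the middle of the function, whose start and end are outside these hunks.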
diff --git a/refind/main.c b/refind/main.c index 8e39000..8c27da2 100644 --- a/refind/main.c +++ b/refind/main.c @@ -166,7 +166,7 @@ static VOID AboutrEFInd(VOID) if (AboutMenu.EntryCount == 0) { AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT); - AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.8.6"); + AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.8.6.1"); AddMenuInfoLine(&AboutMenu, L""); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer"); AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012-2015 Roderick W. Smith");