secureboot-db-1.1/
secureboot-db-1.1/debian/
secureboot-db-1.1/debian/compat

9

secureboot-db-1.1/debian/README.source

WARNING: updating this package has the potential to break boot for all Secure
Boot enabled systems. Any updates to this package should be verified to work
with (at least) the following Ubuntu packages:
 * grub2-signed
 * shim-signed
 * linux-signed

If an update to DBX is added to blacklist an Ubuntu binary, then this package
should declare Breaks on a version less than or equal to the version of the
package that ships the blacklisted binary.

New signed updates should be added to /data/updates/db for DB and
/data/updates/dbx for DBX and use a naming scheme like '__.signed'. Eg:

$ ls data/updates/db   # for an update to DB
canonical_20121126_9963142d-83ed-4585-bc56-3c7a3b095877.signed
$ ls data/updates/dbx  # for an update to DBX
microsoft_20121010_21d2a52c-2940-44b0-8ffa-752671d5abbd.signed

The name of the file is not important to sbkeysync but using this naming scheme
helps with maintenance.
On installation and upgrade, sbkeysync will examine the signed updates in
/usr/share/secureboot/updates and add only the missing ones, like so:

$ sudo sbkeysync --no-default-keystores \
                 --keystore /usr/share/secureboot/updates \
                 --verbose

secureboot-db-1.1/debian/secureboot-db.install

data/* /usr/share/secureboot

secureboot-db-1.1/debian/source/
secureboot-db-1.1/debian/source/format

3.0 (native)

secureboot-db-1.1/debian/secureboot-db.postinst

#!/bin/sh
# postinst script for secureboot-db
#
set -e

keystore="/usr/share/secureboot/updates"

case "$1" in
    configure)
        # Add any updates missing from firmware. A failing sbkeysync is
        # ignored (|| true), so it never fails package configuration.
        sbkeysync --no-default-keystores --keystore "$keystore" --verbose || true
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

#DEBHELPER#

exit 0

secureboot-db-1.1/debian/control

Source: secureboot-db
Section: utils
Priority: optional
Maintainer: Jamie Strandboge
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.3

Package: secureboot-db
Architecture: any-amd64 any-i386
Depends: ${misc:Depends}, sbsigntool
Description: Secure Boot updates for DB and DBX
 Systems with Secure Boot enabled have portions of the system signed by entries
 in the Secure Boot DB. This package provides a mechanism for delivering updates
 to DB and the corresponding blacklist database, DBX.
secureboot-db-1.1/debian/changelog

secureboot-db (1.1) raring-proposed; urgency=low

  * debian/control: use 'Architecture: any-amd64 any-i386' since armhf can't
    install sbsigntool and this package Depends on sbsigntool

 -- Jamie Strandboge  Mon, 04 Feb 2013 15:04:58 -0600

secureboot-db (1.0) raring-proposed; urgency=low

  * Initial release (LP: #1081700)

 -- Jamie Strandboge  Mon, 03 Dec 2012 16:55:00 -0600

secureboot-db-1.1/debian/rules

#!/usr/bin/make -f
# -*- makefile -*-

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

%:
	dh $@

secureboot-db-1.1/debian/copyright

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: secureboot-db
Upstream-Contact: Jamie Strandboge
Source: https://launchpad.net/ubuntu/+source/secureboot-db

Files: *
Copyright: 2012 Canonical Ltd.
License: GPL-3+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 .
 On Debian systems the full text of the GNU General Public License
 can be found in the `/usr/share/common-licenses/GPL-3' file.

secureboot-db-1.1/debian/README.Debian

secureboot-db for Ubuntu
------------------------

When Secure Boot is enabled, the bootloader must be signed by an entry in the
Secure Boot DB.
If the signature verifies and the entry does not appear in the DBX blacklist,
the boot process is allowed to continue. Each stage of the boot process may
also be verified against DB and DBX.

DB and DBX will need to be updated for certificate updates and additions to the
blacklist, and this package provides the mechanism to do so. It works by adding
signed updates to /usr/share/secureboot/updates and then running sbkeysync on
them. Eg:

$ sudo sbkeysync --no-default-keystores \
                 --keystore /usr/share/secureboot/updates

Note that this package tries to add all keys from the keystore that are not
found in the key databases in firmware. When secure boot is enabled, updates to
DB and DBX can only be performed if they are signed by an entry in the KEK
database.

 -- Jamie Strandboge  Tue, 04 Dec 2012 13:22:03 -0600

secureboot-db-1.1/Makefile

all:

check:

clean:

secureboot-db-1.1/data/
secureboot-db-1.1/data/updates/
secureboot-db-1.1/data/updates/dbx/
secureboot-db-1.1/data/updates/db/
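
A lint for the data/updates tree that README.source describes, to run before the package is built. It is an added example, not part of secureboot-db: lint_keystore is a name introduced here, and the name pattern is an assumption inferred from the two example file names in README.source.

```shell
#!/bin/sh
# Added example, not part of secureboot-db: lint a keystore tree before packaging.
# Assumption: names look like <vendor>_<YYYYMMDD>_<GUID>.signed, inferred from the
# two example file names in README.source; sbkeysync itself ignores the name.
NAME_RE='^[a-z0-9]+_[0-9]{8}_[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.signed$'

# lint_keystore DIR: print one line per problem; return 1 if any were found.
lint_keystore() {
    rc=0
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        case "${path##*/}" in
            db|dbx) ;;                           # the only subtrees this package ships
            *) echo "unexpected entry: ${path##*/}"; rc=1; continue ;;
        esac
        for f in "$path"/*; do
            # An unmatched glob (empty db/ or dbx/) is fine; keep dangling symlinks.
            [ -e "$f" ] || [ -L "$f" ] || continue
            rel="${path##*/}/${f##*/}"
            if [ -L "$f" ] || [ ! -f "$f" ]; then
                echo "not a regular file: $rel"; rc=1
            elif [ ! -s "$f" ]; then
                echo "empty update: $rel"; rc=1
            elif ! printf '%s\n' "${f##*/}" | grep -Eq "$NAME_RE"; then
                echo "bad name: $rel"; rc=1
            fi
        done
    done
    return "$rc"
}

# Demo on a constructed tree; file contents are dummy bytes, not real updates.
demo=$(mktemp -d)
mkdir -p "$demo/db" "$demo/dbx"
printf 'x' > "$demo/db/canonical_20121126_9963142d-83ed-4585-bc56-3c7a3b095877.signed"
printf 'x' > "$demo/dbx/microsoft_20121010.signed"       # GUID missing
: > "$demo/dbx/microsoft_20121010_21d2a52c-2940-44b0-8ffa-752671d5abbd.signed"
lint_keystore "$demo" || echo "keystore tree needs attention"
rm -rf "$demo"
```

The lint checks layout and naming only; whether an update is accepted still depends on it being signed by an entry in the KEK database, as README.Debian states.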