Add maintainer scripts to the template packages

Manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages. Closes: #966845
2025-10-04 16:05:00 +00:00 · 2021-05-03 20:52:35 +01:00 · 2021-05-03 20:52:35 +01:00 · 29f231fd04
commit 29f231fd04
parent 11e0f1dafd
4 changed files with 147 additions and 2 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,12 @@
+shim (15.4-3) unstable; urgency=medium
+
+  * Add maintainer scripts to the template packages to manage
+    installing and removing fbXXX.efi and mmXXX.efi when we
+    install/remove the shim-helpers-$arch-signed packages.
+    Closes: #966845
+
+ -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:48:49 +0100
+
 shim (15.4-2) unstable; urgency=medium

  * Add two further patches from upstream:
--- a/debian/signing-template.generate
+++ b/debian/signing-template.generate
@ -6,6 +6,8 @@ urgency="$(dpkg-parsechangelog -S Urgency)"
 date="$(dpkg-parsechangelog -S Date)"
 version_binary="$(dpkg-parsechangelog -S Version)"
 version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template"
+final_pkg_name="${pkg_name%-template}"

 subst () {
 	sed \
@ -16,11 +18,11 @@ subst () {
 		-e "s/@distribution@/${distribution}/g" \
 		-e "s/@urgency@/${urgency}/g" \
 		-e "s/@date@/${date}/g" \
+		-e "s/@final_pkg_name@/${final_pkg_name}/g" \
 		"$@"
 }

 template='./debian/signing-template'
-pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template"
 pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
 pkg_deb="${pkg_dir}/source-template/debian"

@ -31,7 +33,7 @@ find "${template}" -type f -printf '%P\n' |
 while read path
 do
 	src="${template}/${path}"
-	dst="${pkg_deb}/${path}"
+	dst=$(echo "${pkg_deb}/${path}" | subst)

 	install -o 0 -g 0 -m 0755 -d "${dst%/*}"
 	subst < "${src}" > "${dst%.in}"
--- a/debian/signing-template/@final_pkg_name@.postinst.in
+++ b/debian/signing-template/@final_pkg_name@.postinst.in
@ -0,0 +1,81 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+# Select the right target architecture for grub-install
+ARCH=@arch@
+case ${ARCH} in
+    i386|amd64)
+	FW_SIZE=$(cat /sys/firmware/efi/fw_platform_size)
+	if [ "$FW_SIZE"x = "32"x ]; then
+	    GRUB_EFI_TARGET="i386-efi"
+	elif [ "$FW_SIZE"x = "64"x ]; then
+	    GRUB_EFI_TARGET="x86_64-efi"
+	else
+	    echo "Unable to read a valid value from fw_platform_size, ABORT"
+	    exit 1
+	fi
+	;;
+    arm64)
+	GRUB_EFI_TARGET="arm64-efi"
+	;;
+    *)
+	echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
+	exit 1
+	;;
+esac
+
+# Pull out a config value from /etc/default/grub
+config_item ()
+{
+    if [ -f /etc/default/grub ]; then
+	. /etc/default/grub || return
+	for x in /etc/default/grub.d/*.cfg; do
+	    if [ -e "$x" ]; then
+		. "$x"
+	    fi
+	done
+    fi
+    eval echo "\$$1"
+}
+
+case $1 in
+    configure)
+	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+			 cut -d' ' -f1)"
+	case $bootloader_id in
+	    kubuntu) bootloader_id=ubuntu ;;
+	esac
+
+	# Call grub-install to make sure we're added to the ESP as
+	# needed
+	if [ "$bootloader_id" ] && \
+	   [ -d "/boot/efi/EFI/$bootloader_id" ] && \
+	   [ -d /sys/firmware/efi ] && \
+	   which grub-install >/dev/null 2>&1
+	then
+	    # Check for some of the options that matter, so we can
+	    # call grub-install safely without dropping them
+	    OPTIONS=""
+
+	    db_get grub2/force_efi_extra_removable
+	    if [ "$RET" = true ]; then
+		OPTIONS="$OPTIONS --force-extra-removable"
+	    fi
+
+	    db_get grub2/update_nvram
+	    if [ "$RET" = false ]; then
+		OPTIONS="$OPTIONS --no-nvram"
+	    fi
+
+	    grub-install --target=${GRUB_EFI_TARGET} $OPTIONS
+	fi
+	;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
--- a/debian/signing-template/@final_pkg_name@.postrm.in
+++ b/debian/signing-template/@final_pkg_name@.postrm.in
@ -0,0 +1,53 @@
+#! /bin/sh
+set -e
+
+case @arch@ in
+    i386)
+	SHIM_REMOVE="mmia32.efi fbia32.efi";;
+    amd64)
+	SHIM_REMOVE="mmx64.efi fbx64.efi";;
+    arm64)
+	SHIM_REMOVE="mmaa64.efi fbaa64.efi";;
+    *)
+	echo "Unsupported dpkg architecture @arch@ in $0. ABORT"
+	exit 1
+	;;
+esac
+
+# Pull out a config value from /etc/default/grub
+config_item ()
+{
+    if [ -f /etc/default/grub ]; then
+	. /etc/default/grub || return
+	for x in /etc/default/grub.d/*.cfg; do
+	    if [ -e "$x" ]; then
+		. "$x"
+	    fi
+	done
+    fi
+    eval echo "\$$1"
+}
+
+case $1 in
+    remove|purge)
+	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+			 cut -d' ' -f1)"
+	case $bootloader_id in
+	    kubuntu) bootloader_id=ubuntu ;;
+	esac
+
+	# If we're being removed, remove the copies installed in the
+	# ESP. grub-install doesn't clean those up for us.
+	if [ "$bootloader_id" ] && \
+	   [ -d "/boot/efi/EFI/$bootloader_id" ] && \
+	   [ -d /sys/firmware/efi ]; then
+
+	    cd /boot/efi/EFI/$bootloader_id
+	    rm -f $SHIM_REMOVE
+	fi
+	;;
+esac
+
+#DEBHELPER#
+
+exit 0