Import Debian version 1.28

shim-signed (1.28) unstable; urgency=medium

  * Initial Debian upload, based on Ubuntu package.

Makefile

@@ -0,0 +1,14 @@
+all:
+
+check:
+	mkdir -p build
+	# Verifying that the image is signed with the correct key.
+	sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed
+	# Verifying that we have the correct binary.
+	sbattach --detach build/detached-sig shimx64.efi.signed 
+	cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
+	sbattach --attach build/detached-sig build/shimx64.efi.signed
+	cmp shimx64.efi.signed build/shimx64.efi.signed
+
+clean:
+	rm -rf build

MicCorUEFCA2011_2011-06-27.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG
+A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
+HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z
+b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN
+MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
+Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0
+aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug
++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI
+rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ
+E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp
+XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L
+71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB
+AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW
+BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA
+QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD
+4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p
+Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f
+MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw
+Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv
+b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q
+aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz
+Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g
+Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX
+i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM
+sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh
+aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk
+BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs
+deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5
+QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7
+5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu
+AkXuZcK2o35pFnUHkpv1prxZg1g=
+-----END CERTIFICATE-----

debian/bzr-builddeb.conf

@@ -0,0 +1,2 @@
+[BUILDDEB]
+native = True

debian/changelog

@@ -0,0 +1,5 @@
+shim-signed (1.28) unstable; urgency=medium
+
+  * Initial Debian upload, based on Ubuntu package.
+
+ -- Steve Langasek <vorlon@debian.org>  Fri, 14 Apr 2017 21:44:06 +0000

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,21 @@
+Source: shim-signed
+Section: utils
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Standards-Version: 3.9.4
+
+Package: shim-signed
+Architecture: amd64
+Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Recommends: secureboot-db
+Built-Using: shim (= ${shim:Version})
+Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the version of the bootloader binary signed by the
+ Microsoft UEFI CA.

debian/copyright

@@ -0,0 +1,33 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012 Red Hat, Inc
+	2009-2012 Intel Corporation
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.

debian/lintian-overrides

@@ -0,0 +1 @@
+shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy

debian/po/POTFILES.in

@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates

debian/po/templates.pot

@@ -0,0 +1,110 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the shim-signed package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: shim-signed\n"
+"Report-Msgid-Bugs-To: shim-signed@packages.debian.org\n"
+"POT-Creation-Date: 2016-05-04 16:57-0500\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: text
+#. Description
+#: ../templates:1001
+msgid "Configuring Secure Boot"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid "Invalid password"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:2001
+msgid ""
+"The Secure Boot key you've entered is not valid. The password used must be "
+"between 8 and 16 characters."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Disable UEFI Secure Boot?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible "
+"with the use of third-party drivers."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"The system will assist you in disabling UEFI Secure Boot. To ensure that "
+"this change is being made by you as an authorized user, and not by an "
+"attacker, you must choose a password now and then use the same password "
+"after reboot to confirm the change."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid ""
+"If you choose to proceed but do not confirm the password upon reboot, Ubuntu "
+"will still be able to boot on your system but these third-party drivers will "
+"not be available for your hardware."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid "Password:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:4001
+msgid ""
+"Please enter a password for disabling Secure Boot. It will be asked again "
+"after a reboot."
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid "Re-enter password to verify:"
+msgstr ""
+
+#. Type: password
+#. Description
+#: ../templates:5001
+msgid ""
+"Please enter the same password again to verify you have typed it correctly."
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "Password input error"
+msgstr ""
+
+#. Type: error
+#. Description
+#: ../templates:6001
+msgid "The two passwords you entered were not the same. Please try again."
+msgstr ""

debian/rules

@@ -0,0 +1,19 @@
+#! /usr/bin/make -f
+
+VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
+SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
+
+%:
+	dh $@
+
+docdir := debian/shim-signed/usr/share/doc/shim-signed
+
+override_dh_installchangelogs:
+	dh_installchangelogs
+	# Quieten lintian, which otherwise gets confused by our odd version
+	# number.
+	ln $(docdir)/changelog $(docdir)/changelog.Debian
+
+override_dh_gencontrol:
+	dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
+		-Vshim:Version=$(SHIM_VERSION)

debian/shim-signed.install

@@ -0,0 +1,3 @@
+shimx64.efi.signed /usr/lib/shim
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/

debian/shim-signed.links

@@ -0,0 +1 @@
+usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py

debian/shim-signed.postinst

@@ -0,0 +1,45 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+config_item ()
+{
+    if [ -f /etc/default/grub ]; then
+	. /etc/default/grub || return
+	for x in /etc/default/grub.d/*.cfg; do
+	    if [ -e "$x" ]; then
+		. "$x"
+	    fi
+	done
+    fi
+    eval echo "\$$1"
+}
+
+case $1 in
+    triggered)
+	SHIM_NOTRIGGER=y update-secureboot-policy
+	;;
+    configure)
+	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+			 cut -d' ' -f1)"
+	case $bootloader_id in
+	    kubuntu) bootloader_id=ubuntu ;;
+	esac
+	if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
+	   && which grub-install >/dev/null 2>&1
+	then
+	    grub-install --target=x86_64-efi
+            if dpkg --compare-versions "$2" lt-nl "1.22~"; then
+                rm -f /boot/efi/EFI/ubuntu/MokManager.efi
+            fi
+	fi
+
+	SHIM_NOTRIGGER=y update-secureboot-policy
+	;;
+esac
+
+#DEBHELPER#
+
+exit 0

debian/shim-signed.triggers

@@ -0,0 +1 @@
+interest-noawait shim-secureboot-policy

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/source_shim-signed.py

@@ -0,0 +1,55 @@
+'''apport package hook for shim and shim-signed
+
+(c) 2015 Canonical Ltd.
+Author: Brian Murray <brian@ubuntu.com>
+'''
+
+import errno
+import os
+
+from apport.hookutils import (
+    command_available,
+    command_output,
+    attach_file,
+    attach_root_command_outputs)
+
+efiarch = {'amd64': 'x64',
+           'i386': 'ia32',
+           'arm64': 'aarch64'
+          }
+grubarch = {'amd64': 'x86_64',
+            'i386': 'i386',
+            'arm64': 'arm64'
+           }
+
+def add_info(report, ui):
+    efiboot = '/boot/efi/EFI/ubuntu'
+    if command_available('efibootmgr'):
+        report['EFIBootMgr'] = command_output(['efibootmgr', '-v'])
+    else:
+        report['EFIBootMgr'] = 'efibootmgr not available'
+    commands = {}
+    try:
+        directory = os.stat(efiboot)
+    except OSError as e:
+        if e.errno == errno.ENOENT:
+            report['Missing'] = '/boot/efi/EFI/ubuntu directory is missing'
+            return
+        if e.errno == errno.EACCES:
+            directory= True
+    if directory:
+        arch = report['Architecture']
+        commands['BootEFIContents'] = 'ls %s' % efiboot
+        commands['ShimDiff'] = 'diff %s/shim%s.efi /usr/lib/shim/shim%s.efi.signed' % (efiboot, efiarch[arch], efiarch[arch])
+        commands['GrubDiff'] = 'diff %s/grub%s.efi /usr/lib/grub/%s-efi-signed/grub%s.efi.signed' %(efiboot, efiarch[arch], grubarch[arch], efiarch[arch])
+        attach_root_command_outputs(report, commands)
+
+    efivars_dir = '/sys/firmware/efi/efivars'
+    sb_var = os.path.join(efivars_dir,
+                          'SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c')
+    mok_var = os.path.join(efivars_dir,
+                           'MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23')
+
+    attach_file(report, '/proc/sys/kernel/moksbstate_disabled')
+    attach_file(report, sb_var)
+    attach_file(report, mok_var)

debian/templates

@@ -0,0 +1,56 @@
+Template: shim/title/secureboot
+Type: text
+_Description: Configuring Secure Boot
+
+Template: shim/error/bad_secureboot_key
+Type: error
+_Description: Invalid password
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: shim/disable_secureboot
+Type: boolean
+Default: true
+_Description: Disable UEFI Secure Boot?
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/enable_secureboot
+Type: boolean
+Default: false
+_Description: Enable UEFI Secure Boot?
+ If Secure Boot is enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_explanation
+Type: note
+_Description: Your system has UEFI Secure Boot enabled.
+ UEFI Secure Boot is not compatible with the use of third-party drivers.
+ .
+ The system will assist you in toggling UEFI Secure Boot. To ensure that this
+ change is being made by you as an authorized user, and not by an attacker,
+ you must choose a password now and then use the same password after reboot
+ to confirm the change.
+ .
+ If you choose to proceed but do not confirm the password upon reboot, Ubuntu
+ will still be able to boot on your system but the Secure Boot state will not
+ be changed.
+ .
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_key
+Type: string
+_Description: Enter a password for Secure Boot. It will be asked again after a reboot.
+
+Template: shim/secureboot_key_again
+Type: string
+_Description: Enter the same password again to verify you have typed it correctly.
+
+Template: shim/error/secureboot_key_mismatch
+Type: error
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.

update-secureboot-policy

@@ -0,0 +1,151 @@
+#!/bin/sh
+set -e
+
+if  test $# = 0                                                 \
+    && test x"$SHIM_NOTRIGGER" = x                              \
+ && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x                      \
+ && dpkg-trigger --check-supported 2>/dev/null
+then
+        if dpkg-trigger --no-await shim-secureboot-policy; then
+                if test x"$SHIM_TRIGGER_DEBUG" != x; then
+                        echo "shim: wrapper deferring policy update (trigger activated)"
+                fi
+                exit 0
+        fi
+fi
+
+. /usr/share/debconf/confmodule
+
+setup_mok_validation()
+{
+    local moksbstatert
+    local efivars secureboot_var moksb_var moksbstatert_var
+    local enable_sb action
+    enable_sb=$1
+    efivars=/sys/firmware/efi/efivars
+    secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+    moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
+    moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+    action=disable
+
+    if [ $enable_sb -eq 1 ]; then
+        action=enable
+    fi
+
+    if ! [ -f $efivars/$secureboot_var ] \
+       || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
+    then
+        echo "Secure Boot not enabled on this system." >&2
+        return 0
+    fi
+    moksbstatert=0
+    if [ -f $efivars/$moksb_var ]; then
+        # if MokSB exists we've likely already run mokutil since last boot
+        echo "The Secure Boot policy was already changed since last reboot; nothing to do." >&2
+        return 0
+    fi
+    if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
+        moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
+    elif [ -f $efivars/$moksbstatert_var ]; then
+        # MokSBStateRT set to 1 means validation is disabled
+        moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
+                       awk '{ print $NF; }')
+    fi
+    # poor man's xor
+    if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
+        STATE=1
+        db_settitle shim/title/secureboot
+        while true; do
+            case "$STATE" in
+            1)
+                db_capb
+                db_fset shim/secureboot_explanation seen false
+                db_input critical shim/secureboot_explanation || true
+                db_go
+
+                # Allow the user to skip disabling Secure Boot.
+                db_fset shim/${action}_secureboot seen false
+                db_input critical shim/${action}_secureboot || true
+                ;;
+            2)
+                db_get shim/${action}_secureboot
+                if [ "$RET" = "false" ]; then
+                    break
+                fi
+
+                db_input critical shim/secureboot_key || true
+                seen_key=$RET
+                db_input critical shim/secureboot_key_again || true
+                ;;
+            3)
+                db_get shim/secureboot_key
+                key="$RET"
+                db_get shim/secureboot_key_again
+                again="$RET"
+
+                if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
+                    echo "Running in non-interactive mode, doing nothing." >&2
+                    exit 1
+                fi
+
+                db_capb
+                if [ "$key" != "$again" ]; then
+                    db_fset shim/error/secureboot_key_mismatch seen false
+                    db_input critical shim/error/secureboot_key_mismatch || true
+                    STATE=$(($STATE - 2))
+                else
+                    length=$((`echo "$key" | wc -c` - 1))
+                    if [ $length -lt 8 ] || [ $length -gt 16 ]; then
+                        db_fset shim/error/bad_secureboot_key seen false
+                        db_input critical shim/error/bad_secureboot_key || true
+                        STATE=$(($STATE - 2))
+                    elif [ $length -ne 0 ]; then
+                        printf '%s\n%s\n' "$key" "$again" | mokutil --${action}-validation >/dev/null || true
+                    fi
+                fi
+
+                # Always clear secureboot key.
+                db_set shim/secureboot_key ''
+                db_fset shim/secureboot_key seen false
+                db_set shim/secureboot_key_again ''
+                db_fset shim/secureboot_key_again seen false
+                ;;
+            *)
+                break
+                ;;
+            esac
+
+            if db_go; then
+                STATE=$(($STATE + 1))
+            else
+                STATE=$(($STATE - 1))
+            fi
+            db_capb backup
+        done
+        db_capb
+    fi
+}
+
+args=$@
+enable_secureboot=0
+
+if echo "$args" | grep -qc -- '--enable'; then
+	enable_secureboot=1
+elif echo "$args" | grep -qc -- '--disable'; then
+	enable_secureboot=0
+elif echo "$args" | grep -qc -- '--help'; then
+	echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
+	echo
+	echo "\t--enable\tPrompt to enable Secure Boot validation."
+	echo "\t--disable\tPrompt to disable Secure Boot validation (default)."
+	echo "\t--help\t\tThis help text."
+	exit 0
+fi
+
+if [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
+	setup_mok_validation $enable_secureboot
+else
+	echo "No DKMS packages installed: not changing Secure Boot validation state."
+fi
+
+exit 0