Check for efivarfs before running mokutil

arch/PKGBUILD

@@ -7,7 +7,7 @@ pkgdesc='Secure-boot machine owner key for linux-surface kernels'
 url='https://github.com/linux-surface/linux-surface'
 license=('MIT')
 arch=('any')
-depends=('mokutil')
+depends=('mokutil' 'grep')
 install="${pkgname}.install"
 
 _commit="d8887bc8ce14a47d5b9d45f6697f05d53e43fe9a"

arch/linux-surface-secureboot-mok.install

@@ -1,17 +1,43 @@
 post_install() {
+    local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
+
     echo ""
     echo "The secure-boot certificate has been installed to"
     echo ""
-    echo "    /usr/share/linux-surface-secureboot/surface.cer"
+    echo "    ${original}"
     echo ""
+
+    # check if efivarfs has been mounted
+    if ! mount -l | grep --quiet "efivarfs"; then
+        echo "The 'efivarfs' filesystem has not been mounted. Please add the key to the"
+        echo "UEFI key store manually."
+        echo ""
+        echo "You can do this by, e.g., mounting efivarfs via"
+        echo ""
+        echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+        echo ""
+        echo "and running mokutil via"
+        echo ""
+        echo "    mokutil --import ${original}"
+        echo ""
+        echo "To finish the enrollment process you then need to reboot, where you will be"
+        echo "asked to enroll the certificate. During the import, you will be prompted for"
+        echo "the (temporary) password you chose when asked in the commands above. Please"
+        echo "make sure that you are indeed adding the right key and confirm by entering"
+        echo "your chosen password."
+        echo ""
+        return
+    fi
+
     echo "It will now be automatically enrolled for you and guarded with the password"
     echo ""
     echo "    surface"
     echo ""
 
-    local hashfile=$(mktemp)
-    mokutil --generate-hash=surface > ${hashfile}
-    mokutil --hash-file ${hashfile} --import /usr/share/linux-surface-secureboot/surface.cer
+    hashfile=$(mktemp)
+    mokutil --generate-hash=surface > "${hashfile}"
+    mokutil --hash-file "${hashfile}" --import ${original}
 
     echo "To finish the enrollment process you need to reboot, where you will then be"
     echo "asked to enroll the certificate. During the import, you will be prompted for"
@@ -24,23 +50,56 @@ post_install() {
 }
 
 pre_remove() {
+    local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
+    local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
+
+    # check if efivarfs has been mounted
+    if ! mount -l | grep --quiet "efivarfs"; then
+        cp "${original}" "${backup}"
+
+        echo ""
+        echo "The 'efivarfs' filesystem has not been mounted. Please remove the key from"
+        echo "the UEFI key store manually."
+        echo ""
+        echo "You can do this by, e.g., mounting efivarfs via"
+        echo ""
+        echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+        echo ""
+        echo "and running mokutil via"
+        echo ""
+        echo "    mokutil --delete ${backup}"
+        echo ""
+        echo "The key will be revoked on the next start of your system. You will then"
+        echo "be asked to confirm the key and enter the (temporary) password you chose"
+        echo "when running the command above."
+        echo ""
+        echo "Note: The key has been backed up to temporary storage at"
+        echo ""
+        echo "    ${backup}"
+        echo ""
+        echo "It may be gone after the next reboot."
+        echo ""
+        return
+    fi
+
     echo ""
     echo "The following secure-boot certificate will be uninstalled and revoked from"
     echo "your system"
     echo ""
-    echo "    /usr/share/linux-surface-secureboot/surface.cer"
+    echo "    ${original}"
     echo ""
 
-    local hashfile=$(mktemp)
-    mokutil --generate-hash=surface > ${hashfile}
-    mokutil --hash-file ${hashfile} --delete /usr/share/linux-surface-secureboot/surface.cer
+    hashfile=$(mktemp)
+    mokutil --generate-hash=surface > "${hashfile}"
+    mokutil --hash-file "${hashfile}" --delete "${original}"
 
     echo "The key will be revoked on the next start of your system. You will then"
-    echo "again asked for the password. Enter 'surface' to confirm."
+    echo "be asked again for the password. Enter 'surface' to confirm."
     echo ""
-    echo "Kernels signed with the corresponding private key will still not be allowed"
-    echo "to boot after this. Note that you can always manage your secure-boot keys"
-    echo "via the 'mokutil' tool. Please refer to 'man mokutil' for more information."
+    echo "Kernels signed with the corresponding private key will not be allowed to"
+    echo "boot after this. Note that you can always manage your secure-boot keys via"
+    echo "the 'mokutil' tool. Please refer to 'man mokutil' for more information."
     echo ""
 }
 
@@ -54,20 +113,42 @@ pre_upgrade() {
 post_upgrade() {
     local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
     local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
+
+    if ! cmp --silent "${original}" "${backup}"; then
+        # check if efivarfs has been mounted
+        if ! mount -l | grep --quiet "efivarfs"; then
+            echo "The 'efivarfs' filesystem has not been mounted. Please update the key in"
+            echo "UEFI key store manually."
+            echo ""
+            echo "You can do this by, e.g., mounting efivarfs via"
+            echo ""
+            echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+            echo ""
+            echo "and running mokutil via"
+            echo ""
+            echo "    mokutil --delete ${backup}"
+            echo "    mokutil --import ${original}"
+            echo ""
+            echo "The key will be updated on the next start of your system. You will then"
+            echo "be asked to confirm the key and enter the (temporary) password you chose"
+            echo "when running the commands above."
+            echo ""
+            return
+        fi
 
-    if ! cmp --silent "${original}" "${backup}"
-    then
+        # certificate has changed and needs re-enrollment
         echo ""
         echo "Updating secure boot certificate. The old key will be revoked and a new key"
         echo "will be installed. You will need to reboot your system, where you will then"
         echo "be asked to delete the old and import the new key. In both cases, make sure"
         echo "this is the right key and confirm with the password 'surface'."
         echo ""
 
-        local hashfile=$(mktemp)
-        mokutil --generate-hash=surface > ${hashfile}
-        mokutil --hash-file ${hashfile} --delete ${backup}
-        mokutil --hash-file ${hashfile} --import ${original}
+        hashfile=$(mktemp)
+        mokutil --generate-hash=surface > "${hashfile}"
+        mokutil --hash-file "${hashfile}" --delete ${backup}
+        mokutil --hash-file "${hashfile}" --import ${original}
     fi
 
     rm -f "${backup}"

debian/debian/control

@@ -6,5 +6,5 @@ Build-Depends: build-essential, debhelper (>= 10)
 
 Package: linux-surface-secureboot-mok
 Architecture: amd64
-Depends: mokutil
+Depends: mokutil, grep
 Description: Secure-boot machine owner key for linux-surface kernels

debian/debian/postinst

@@ -4,8 +4,30 @@ set -e
 post_upgrade() {
     local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
     local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
 
     if ! cmp --silent "${original}" "${backup}"; then
+        # check if efivarfs has been mounted
+        if ! mount -l | grep --quiet "efivarfs"; then
+            echo "The 'efivarfs' filesystem has not been mounted. Please update the key in"
+            echo "UEFI key store manually."
+            echo ""
+            echo "You can do this by, e.g., mounting efivarfs via"
+            echo ""
+            echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+            echo ""
+            echo "and running mokutil via"
+            echo ""
+            echo "    mokutil --delete ${backup}"
+            echo "    mokutil --import ${original}"
+            echo ""
+            echo "The key will be updated on the next start of your system. You will then"
+            echo "be asked to confirm the key and enter the (temporary) password you chose"
+            echo "when running the commands above."
+            echo ""
+            return
+        fi
+
         # certificate has changed and needs re-enrollment
         echo ""
         echo "Updating secure boot certificate. The old key will be revoked and a new key"
@@ -14,31 +36,55 @@ post_upgrade() {
         echo "this is the right key and confirm with the password 'surface'."
         echo ""
 
-        local hashfile=$(mktemp)
-        mokutil --generate-hash=surface > ${hashfile}
-        mokutil --hash-file ${hashfile} --delete ${backup}
-        mokutil --hash-file ${hashfile} --import ${original}
+        hashfile=$(mktemp)
+        mokutil --generate-hash=surface > "${hashfile}"
+        mokutil --hash-file "${hashfile}" --delete ${backup}
+        mokutil --hash-file "${hashfile}" --import ${original}
     fi
 
     rm -f "${backup}"
 }
 
 post_install() {
     local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
 
     echo ""
     echo "The secure-boot certificate has been installed to"
     echo ""
     echo "    ${original}"
     echo ""
+
+    # check if efivarfs has been mounted
+    if ! mount -l | grep --quiet "efivarfs"; then
+        echo "The 'efivarfs' filesystem has not been mounted. Please add the key to the"
+        echo "UEFI key store manually."
+        echo ""
+        echo "You can do this by, e.g., mounting efivarfs via"
+        echo ""
+        echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+        echo ""
+        echo "and running mokutil via"
+        echo ""
+        echo "    mokutil --import ${original}"
+        echo ""
+        echo "To finish the enrollment process you then need to reboot, where you will be"
+        echo "asked to enroll the certificate. During the import, you will be prompted for"
+        echo "the (temporary) password you chose when asked in the commands above. Please"
+        echo "make sure that you are indeed adding the right key and confirm by entering"
+        echo "your chosen password."
+        echo ""
+        return
+    fi
+
     echo "It will now be automatically enrolled for you and guarded with the password"
     echo ""
     echo "    surface"
     echo ""
 
-    local hashfile=$(mktemp)
-    mokutil --generate-hash=surface > ${hashfile}
-    mokutil --hash-file ${hashfile} --import ${original}
+    hashfile=$(mktemp)
+    mokutil --generate-hash=surface > "${hashfile}"
+    mokutil --hash-file "${hashfile}" --import ${original}
 
     echo "To finish the enrollment process you need to reboot, where you will then be"
     echo "asked to enroll the certificate. During the import, you will be prompted for"

debian/debian/prerm

@@ -2,23 +2,56 @@
 set -e
 
 pre_remove() {
+    local backup="/tmp/linux-surface-secureboot.surface.cer.backup"
+    local original="/usr/share/linux-surface-secureboot/surface.cer"
+    local hashfile
+
+    # check if efivarfs has been mounted
+    if ! mount -l | grep --quiet "efivarfs"; then
+        cp "${original}" "${backup}"
+
+        echo ""
+        echo "The 'efivarfs' filesystem has not been mounted. Please remove the key from"
+        echo "the UEFI key store manually."
+        echo ""
+        echo "You can do this by, e.g., mounting efivarfs via"
+        echo ""
+        echo "    mount -t efivarfs none /sys/firmware/efi/efivars"
+        echo ""
+        echo "and running mokutil via"
+        echo ""
+        echo "    mokutil --delete ${backup}"
+        echo ""
+        echo "The key will be revoked on the next start of your system. You will then"
+        echo "be asked to confirm the key and enter the (temporary) password you chose"
+        echo "when running the command above."
+        echo ""
+        echo "Note: The key has been backed up to temporary storage at"
+        echo ""
+        echo "    ${backup}"
+        echo ""
+        echo "It may be gone after the next reboot."
+        echo ""
+        return
+    fi
+
     echo ""
     echo "The following secure-boot certificate will be uninstalled and revoked from"
     echo "your system"
     echo ""
-    echo "    /usr/share/linux-surface-secureboot/surface.cer"
+    echo "    ${original}"
     echo ""
 
-    local hashfile=$(mktemp)
-    mokutil --generate-hash=surface > ${hashfile}
-    mokutil --hash-file ${hashfile} --delete /usr/share/linux-surface-secureboot/surface.cer
+    hashfile=$(mktemp)
+    mokutil --generate-hash=surface > "${hashfile}"
+    mokutil --hash-file "${hashfile}" --delete "${original}"
 
     echo "The key will be revoked on the next start of your system. You will then"
-    echo "again asked for the password. Enter 'surface' to confirm."
+    echo "be asked again for the password. Enter 'surface' to confirm."
     echo ""
-    echo "Kernels signed with the corresponding private key will still not be allowed"
-    echo "to boot after this. Note that you can always manage your secure-boot keys"
-    echo "via the 'mokutil' tool. Please refer to 'man mokutil' for more information."
+    echo "Kernels signed with the corresponding private key will not be allowed to"
+    echo "boot after this. Note that you can always manage your secure-boot keys via"
+    echo "the 'mokutil' tool. Please refer to 'man mokutil' for more information."
     echo ""
 }