OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	10/21/2019 03:48:12 PM	rwxr-xr-x
📄 a2disconf	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2dismod	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2dissite	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2enconf	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2enmod	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2ensite	15.89 KB	02/23/2021 04:35:16 PM	rwxr-xr-x
📄 a2query	9.64 KB	03/08/2023 05:34:33 PM	rwxr-xr-x
📄 aa-remove-unknown	2.85 KB	06/20/2023 11:51:13 PM	rwxr-xr-x
📄 aa-status	8.41 KB	06/20/2023 11:51:13 PM	rwxr-xr-x
📄 accessdb	10.23 KB	08/04/2018 07:16:12 PM	rwxr-xr-x
📄 acpid	50.84 KB	04/28/2017 04:28:10 AM	rwxr-xr-x
📄 add-shell	860 bytes	12/30/2017 06:15:02 PM	rwxr-xr-x
📄 addgnupghome	3.01 KB	07/04/2022 04:20:59 PM	rwxr-xr-x
📄 addgroup	36.45 KB	12/05/2017 04:57:20 PM	rwxr-xr-x
📄 adduser	36.45 KB	12/05/2017 04:57:20 PM	rwxr-xr-x
📄 apache2	659.69 KB	03/08/2023 05:34:33 PM	rwxr-xr-x
📄 apache2ctl	7.06 KB	03/04/2022 10:48:50 AM	rwxr-xr-x
📄 apachectl	7.06 KB	03/04/2022 10:48:50 AM	rwxr-xr-x
📄 apparmor_status	8.41 KB	06/20/2023 11:51:13 PM	rwxr-xr-x
📄 applygnupgdefaults	2.17 KB	07/04/2022 04:20:59 PM	rwxr-xr-x
📄 arp	61.3 KB	01/10/2017 04:25:08 AM	rwxr-xr-x
📄 arpd	54.03 KB	01/26/2021 01:33:08 PM	rwxr-xr-x
📄 atd	26.01 KB	02/20/2018 06:59:43 AM	rwxr-xr-x
📄 bcache-super-show	13.99 KB	08/05/2020 08:44:05 PM	rwxr-xr-x
📄 biosdecode	18.87 KB	01/27/2020 06:09:10 PM	rwxr-xr-x
📄 check_forensic	952 bytes	04/26/2011 03:10:00 PM	rwxr-xr-x
📄 chgpasswd	57.83 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 chmem	42.08 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 chpasswd	53.86 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 chroot	38.18 KB	01/18/2018 09:43:49 AM	rwxr-xr-x
📄 cpgr	55.96 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 cppw	55.96 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 cron	46.3 KB	05/10/2022 08:59:19 PM	rwxr-xr-x
📄 cryptdisks_start	1.11 KB	08/03/2020 09:28:48 PM	rwxr-xr-x
📄 cryptdisks_stop	1.16 KB	08/03/2020 09:28:48 PM	rwxr-xr-x
📄 delgroup	16.11 KB	12/05/2017 04:57:20 PM	rwxr-xr-x
📄 deluser	16.11 KB	12/05/2017 04:57:20 PM	rwxr-xr-x
📄 dmidecode	106.54 KB	01/27/2020 06:09:10 PM	rwxr-xr-x
📄 dnsmasq	379.6 KB	04/18/2023 08:21:55 AM	rwxr-xr-x
📄 dpkg-preconfigure	3.58 KB	05/06/2019 04:30:30 PM	rwxr-xr-x
📄 dpkg-reconfigure	4.34 KB	05/06/2019 04:30:30 PM	rwxr-xr-x
📄 e2freefrag	14.07 KB	06/02/2022 02:37:00 PM	rwxr-xr-x
📄 e4crypt	22.07 KB	06/02/2022 02:37:00 PM	rwxr-xr-x
📄 e4defrag	25.99 KB	06/02/2022 02:37:00 PM	rwxr-xr-x
📄 escapesrc	22.16 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 faillock	13.99 KB	02/02/2023 09:24:07 AM	rwxr-xr-x
📄 fdformat	30.08 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 filefrag	14.02 KB	06/02/2022 02:37:00 PM	rwxr-xr-x
📄 genccode	10.36 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 gencmn	10.44 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 genl	58.05 KB	01/26/2021 01:33:08 PM	rwxr-xr-x
📄 gennorm2	54.59 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 gensprep	18.5 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 groupadd	61.92 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 groupdel	70.37 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 groupmems	57.87 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 groupmod	68.18 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 grpck	53.8 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 grpconv	49.68 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 grpunconv	49.68 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 grub-install	1003.51 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-macbless	780.84 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-mkconfig	8.03 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-mkdevicemap	207.62 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-probe	793.09 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-reboot	4.73 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 grub-set-default	832 bytes	03/24/2018 12:56:45 AM	rwxr-xr-x
📄 grub-set-default-legacy-ec2	3.13 KB	03/24/2018 12:56:45 AM	rwxr-xr-x
📄 grub-set-default.real	3.47 KB	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 httxt2dbm	9.99 KB	03/08/2023 05:34:33 PM	rwxr-xr-x
📄 iconvconfig	30.25 KB	05/03/2022 10:19:39 AM	rwxr-xr-x
📄 icupkg	18.77 KB	10/19/2021 07:44:28 PM	rwxr-xr-x
📄 init.lxc	38.5 KB	05/05/2023 12:06:12 PM	rwxr-xr-x
📄 init.lxc.static	1005.91 KB	05/05/2023 12:06:12 PM	rwxr-xr-x
📄 invoke-rc.d	15.66 KB	10/25/2017 03:38:42 PM	rwxr-xr-x
📄 ip6tables-apply	6.85 KB	05/09/2023 06:42:18 PM	rwxr-xr-x
📄 iptables-apply	6.85 KB	05/09/2023 06:42:18 PM	rwxr-xr-x
📄 irqbalance	62.68 KB	01/09/2019 10:38:44 AM	rwxr-xr-x
📄 irqbalance-ui	34.06 KB	01/09/2019 10:38:44 AM	rwxr-xr-x
📄 iscsi-iname	9.99 KB	04/06/2022 07:19:56 PM	rwxr-xr-x
📄 iscsi_discovery	5.16 KB	09/29/2016 06:33:24 PM	rwxr-xr-x
📄 iscsid	398.15 KB	04/06/2022 07:19:56 PM	rwxr-xr-x
📄 iscsistart	358.13 KB	04/06/2022 07:19:56 PM	rwxr-xr-x
📄 ldattach	30.08 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 locale-gen	4.3 KB	12/07/2020 04:38:09 PM	rwxr-xr-x
📄 logrotate	74.09 KB	08/21/2017 11:01:27 PM	rwxr-xr-x
📄 luksformat	3.32 KB	08/03/2020 09:28:48 PM	rwxr-xr-x
📄 maidag	69.88 KB	11/07/2017 09:06:00 PM	rwxr-xr-x
📄 make-bcache	18.07 KB	08/05/2020 08:44:05 PM	rwxr-xr-x
📄 make-ssl-cert	3.78 KB	04/28/2017 07:58:22 PM	rwxr-xr-x
📄 mkinitramfs	10.89 KB	07/01/2021 01:11:48 PM	rwxr-xr-x
📄 mklost+found	9.99 KB	06/02/2022 02:37:00 PM	rwxr-xr-x
📄 mysqld	23.16 MB	04/23/2023 02:08:47 PM	rwxr-xr-x
📄 netplan	798 bytes	09/07/2021 03:19:37 PM	rwxr-xr-x
📄 newusers	82.39 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 nfnl_osf	13.99 KB	05/09/2023 06:42:18 PM	rwxr-xr-x
📄 nologin	5.99 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 overlayroot-chroot	2.45 KB	09/20/2018 01:29:41 PM	rwxr-xr-x
📄 ownership	10.13 KB	01/27/2020 06:09:10 PM	rwxr-xr-x
📄 pam-auth-update	19.38 KB	07/21/2020 11:40:59 PM	rwxr-xr-x
📄 pam_getenv	2.82 KB	08/23/2018 11:37:53 PM	rwxr-xr-x
📄 pam_timestamp_check	9.99 KB	02/02/2023 09:24:07 AM	rwxr-xr-x
📄 paperconfig	4.07 KB	04/28/2017 05:17:56 AM	rwxr-xr-x
📄 php-fpm7.2	4.65 MB	02/23/2023 01:29:25 PM	rwxr-xr-x
📄 phpdismod	7.11 KB	01/17/2018 11:50:00 PM	rwxr-xr-x
📄 phpenmod	7.11 KB	01/17/2018 11:50:00 PM	rwxr-xr-x
📄 phpquery	6.24 KB	01/17/2018 11:50:00 PM	rwxr-xr-x
📄 popcon-largest-unused	543 bytes	02/22/2018 05:15:22 AM	rwxr-xr-x
📄 popularity-contest	4.92 KB	02/22/2018 05:15:22 AM	rwxr-xr-x
📄 postalias	17.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postcat	18.06 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postconf	179.47 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postdrop	14.12 KB	08/12/2021 12:43:19 PM	r-xr-xr-x
📄 postfix	14.07 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postfix-add-filter	4.9 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postfix-add-policy	3.83 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postkick	9.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postlock	9.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postlog	10.15 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postmap	17.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postmulti	26.38 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 postqueue	22.07 KB	08/12/2021 12:43:19 PM	r-xr-xr-x
📄 postsuper	22.32 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 posttls-finger	34.09 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 pwck	49.8 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 pwconv	45.7 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 pwunconv	45.68 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 qmqp-sink	13.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 qmqp-source	18.01 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 qshape	12.55 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 readprofile	18.11 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 remove-shell	904 bytes	12/30/2017 06:15:02 PM	rwxr-xr-x
📄 rmail	13.99 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 rmt	58.39 KB	02/15/2023 02:55:10 PM	rwxr-xr-x
📄 rmt-tar	58.39 KB	02/15/2023 02:55:10 PM	rwxr-xr-x
📄 rsyslogd	668.54 KB	05/03/2022 09:20:37 AM	rwxr-xr-x
📄 rtcwake	42.08 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 sendmail	26.15 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 service	9.04 KB	10/25/2017 03:38:42 PM	rwxr-xr-x
📄 setvesablank	14.07 KB	01/22/2018 01:49:48 PM	rwxr-xr-x
📄 slapacl	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapadd	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapauth	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapcat	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapd	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapdn	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapindex	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slappasswd	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slapschema	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 slaptest	1.2 MB	05/12/2022 01:52:38 PM	rwxr-xr-x
📄 smtp-sink	30.93 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 smtp-source	22.02 KB	08/12/2021 12:43:19 PM	rwxr-xr-x
📄 split-logfile	2.36 KB	03/08/2023 05:34:33 PM	rwxr-xr-x
📄 sshd	772.41 KB	03/30/2022 01:17:14 PM	rwxr-xr-x
📄 tarcat	936 bytes	02/15/2023 02:55:10 PM	rwxr-xr-x
📄 tcpdump	999.6 KB	02/10/2023 06:11:16 PM	rwxr-xr-x
📄 tzconfig	106 bytes	04/03/2023 11:03:22 AM	rwxr-xr-x
📄 ufw	4.82 KB	10/25/2021 05:30:24 PM	rwxr-xr-x
📄 update-ca-certificates	5.27 KB	05/18/2023 01:09:37 PM	rwxr-xr-x
📄 update-grub	64 bytes	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 update-grub-legacy-ec2	43.96 KB	03/24/2018 12:56:45 AM	rwxr-xr-x
📄 update-grub2	64 bytes	02/01/2023 05:49:01 PM	rwxr-xr-x
📄 update-gsfontmap	450 bytes	04/13/2023 01:09:22 PM	rwxr-xr-x
📄 update-icon-caches	596 bytes	04/02/2019 03:46:36 PM	rwxr-xr-x
📄 update-info-dir	1.66 KB	02/05/2018 02:48:18 PM	rwxr-xr-x
📄 update-initramfs	8.04 KB	03/18/2021 06:48:17 PM	rwxr-xr-x
📄 update-java-alternatives	3.09 KB	01/06/2017 12:03:20 PM	rwxr-xr-x
📄 update-locale	2.99 KB	05/03/2022 04:27:41 AM	rwxr-xr-x
📄 update-mime	8.84 KB	07/15/2016 12:06:12 PM	rwxr-xr-x
📄 update-passwd	30.41 KB	09/12/2017 09:48:16 PM	rwxr-xr-x
📄 update-pciids	2.84 KB	02/10/2019 06:25:12 PM	rwxr-xr-x
📄 update-rc.d	16.12 KB	10/25/2017 03:38:42 PM	rwxr-xr-x
📄 update-secureboot-policy	7.43 KB	01/31/2023 11:57:37 AM	rwxr-xr-x
📄 update-usbids	1.05 KB	04/21/2017 08:59:17 PM	rwxr-xr-x
📄 useradd	123.28 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 userdel	82.48 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 usermod	123.06 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 uuidd	34.16 KB	09/16/2020 06:43:15 PM	rwxr-xr-x
📄 validlocale	1.73 KB	12/07/2020 04:38:09 PM	rwxr-xr-x
📄 vcstime	9.99 KB	01/22/2018 01:49:48 PM	rwxr-xr-x
📄 vigr	60.18 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 vipw	60.18 KB	11/29/2022 12:25:19 PM	rwxr-xr-x
📄 visudo	208.8 KB	04/04/2023 12:44:58 PM	rwxr-xr-x
📄 vpddecode	14.27 KB	01/27/2020 06:09:10 PM	rwxr-xr-x
📄 xfs_admin	1.35 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_bmap	638 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_copy	394.31 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_db	667.63 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_estimate	10.01 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_freeze	767 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_fsr	30.02 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_growfs	382.27 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_info	472 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_io	130.93 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_logprint	414.27 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_mdrestore	370.28 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_metadump	747 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_mkfile	1007 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_ncheck	650 bytes	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_quota	86.01 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 xfs_rtcp	13.99 KB	04/18/2018 06:44:31 AM	rwxr-xr-x
📄 zerofree	9.99 KB	11/14/2016 02:44:00 PM	rwxr-xr-x
📄 zic	54.14 KB	05/03/2022 10:19:39 AM	rwxr-xr-x

Editing: update-secureboot-policy

#!/bin/sh
set -e

if  test $# = 0                                                 \
    && test x"$SHIM_NOTRIGGER" = x                              \
 && test x"$DPKG_MAINTSCRIPT_PACKAGE" != x                      \
 && dpkg-trigger --check-supported 2>/dev/null
then
        if dpkg-trigger --no-await shim-secureboot-policy; then
                if test x"$SHIM_TRIGGER_DEBUG" != x; then
                        echo "shim: wrapper deferring policy update (trigger activated)"
                fi
                exit 0
        fi
fi

if [ "$(id -u)" -ne 0 ]; then
	echo "$0: Permission denied"
	exit 1
fi

do_enroll=0
do_toggle=0

efivars=/sys/firmware/efi/efivars
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23

SB_KEY="/var/lib/shim-signed/mok/MOK.der"
SB_PRIV="/var/lib/shim-signed/mok/MOK.priv"

OLD_DKMS_LIST="/var/lib/shim-signed/dkms-list"
NEW_DKMS_LIST="${OLD_DKMS_LIST}.new"

touch $OLD_DKMS_LIST

dkms_list=$(find /var/lib/dkms -maxdepth 1 -type d -print 2>/dev/null \
            | LC_ALL=C sort)
dkms_modules=$(echo "$dkms_list" | wc -l)

. /usr/share/debconf/confmodule

update_dkms_list()
{
    echo "$dkms_list" > $NEW_DKMS_LIST
}

save_dkms_list()
{
    mv "$NEW_DKMS_LIST" "$OLD_DKMS_LIST"
}

clear_new_dkms_list()
{
    rm "$NEW_DKMS_LIST"
}

new_dkms_module()
{
    # handle nvidia module specially because it changed path
    if ! grep -q "/var/lib/dkms/nvidia" "$OLD_DKMS_LIST" && grep -q "/var/lib/dkms/nvidia" "$NEW_DKMS_LIST" ; then
        # nvidia module is newly added
        return 0
    fi

# return 0 if there is any other new module
    env LC_ALL=C comm -1 -3 $OLD_DKMS_LIST $NEW_DKMS_LIST | grep -q -v "/var/lib/dkms/nvidia"
}

show_dkms_list_changes()
{
    diff -u $OLD_DKMS_LIST $NEW_DKMS_LIST >&2
}

validate_password()
{
    db_capb
    if [ "$key" != "$again" ]; then
        db_fset shim/error/secureboot_key_mismatch seen false
        db_input critical shim/error/secureboot_key_mismatch || true
        STATE=$(($STATE - 2))
    else
        length=$((`echo "$key" | wc -c` - 1))
        if [ $length -lt 8 ] || [ $length -gt 16 ]; then
            db_fset shim/error/bad_secureboot_key seen false
            db_input critical shim/error/bad_secureboot_key || true
            STATE=$(($STATE - 2))
        elif [ $length -ne 0 ]; then
            return 0
        fi
    fi

return 1
}

clear_passwords()
{
    # Always clear secureboot key.
    db_set shim/secureboot_key ''
    db_fset shim/secureboot_key seen false
    db_set shim/secureboot_key_again ''
    db_fset shim/secureboot_key_again seen false
}

toggle_validation()
{
    local key="$1"
    local again="$2"

echo "Enabling shim validation."
    printf '%s\n%s\n' "$key" "$again" | mokutil --enable-validation >/dev/null || true
    mokutil --timeout -1 >/dev/null || true
}

enroll_mok()
{
    local key="$1"
    local again="$2"

echo "Adding '$SB_KEY' to shim:"
    printf '%s\n%s\n' "$key" "$again" | mokutil --import "$SB_KEY" >/dev/null || true
    mokutil --timeout -1 >/dev/null || true
}

do_it()
{
    STATE=1
    db_settitle shim/title/secureboot
    while true; do
        case "$STATE" in
        1)
            db_capb
            db_fset shim/secureboot_explanation seen false
            db_input critical shim/secureboot_explanation || true
            ;;
        2)
            if [ "$do_toggle" -eq 1 ]; then
                # Force no backtracking here; otherwise the GNOME backend
                # might allow it due to displaying the explanation just before.
                # Fixes LP: #1767091
                db_capb
                # Allow the user to skip toggling Secure Boot.
                db_fset shim/enable_secureboot seen false
                db_input critical shim/enable_secureboot || true
                db_go

db_get shim/enable_secureboot
                if [ "$RET" = "false" ]; then
                    break
                fi
            fi
            ;;
        3)

db_input critical shim/secureboot_key || true
            seen_key=$RET
            db_input critical shim/secureboot_key_again || true
            ;;
        4)
            db_get shim/secureboot_key
            key="$RET"
            db_get shim/secureboot_key_again
            again="$RET"

if [ -z "$key$again" ] && echo "$seen_key" | grep -q ^30; then
                echo "Running in non-interactive mode, doing nothing." >&2

if new_dkms_module; then
                    show_dkms_list_changes
                    clear_new_dkms_list
                    exit 1
                else
                    exit 0
                fi
            fi

if validate_password; then
                if [ $do_toggle -eq 1 ]; then
                    toggle_validation "$key" "$again"
                fi
                if [ $do_enroll -eq 1 ]; then
                    enroll_mok "$key" "$again"
                fi
                save_dkms_list
            fi

clear_passwords
            ;;
        *)
            break
            ;;
        esac

if db_go; then
            STATE=$(($STATE + 1))
        else
            STATE=$(($STATE - 1))
        fi
        db_capb backup
    done
    db_capb
}

validate_actions() {
    # Validate any queued actions before we go try to do them.
    local moksbstatert=0

if ! [ -d $efivars ]; then
        echo "$efivars not found, aborting." >&2
        exit 0
    fi

if ! [ -f $efivars/$secureboot_var ] \
        || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
    then
        echo "Secure Boot not enabled on this system." >&2
        exit 0
    fi

if [ $dkms_modules -lt 2 ]; then
        echo "No DKMS modules installed." >&2
        exit 0
    fi

if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
        moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
    elif [ -f $efivars/$moksbstatert_var ]; then
        # MokSBStateRT set to 1 means validation is disabled
        moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
                       awk '{ print $NF; }')
    fi

# We were asked to enroll a key. This only makes sense if validation
    # is enabled.
    if [ $do_enroll -eq 1 ] && [ $moksbstatert -eq 1 ]; then
        do_toggle=1
    fi
}

create_mok()
{
    if [ -e "$SB_KEY" ]; then
        return
    fi

echo "Generating a new Secure Boot signing key:"
    openssl req -config /usr/lib/shim/mok/openssl.cnf \
        -subj "/CN=`hostname -s | cut -b1-31` Secure Boot Module Signature key" \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "$SB_PRIV" \
        -out "$SB_KEY"
}

update_dkms_list

case "$1" in
'--enable'|'--disable')
    echo "Please run mokutil directly to change shim validation behavior."
    exit 0
    ;;

'--new-key')
    create_mok
    exit 0
    ;;

'--enroll-key')
    if [ -e "$SB_KEY" ]; then
        if mokutil --test-key "$SB_KEY" | \
                grep -qc 'is not'; then
            do_enroll=1
        fi
    else
        echo "No MOK found."
        exit 1
    fi
    ;;

*)
    echo "update-secureboot-policy: toggle UEFI Secure Boot in shim"
    echo
    echo "\t--new-key\tCreate a new MOK."
    echo "\t--enroll-key\tEnroll the new MOK for this system in shim."
    echo "\t--help\t\tThis help text."
    exit 0

esac

validate_actions

if [ $(($do_toggle + $do_enroll)) -lt 1 ]; then
    echo "Nothing to do."
    exit 0
fi

do_it

exit 0