authorSteve McIntyre <93sam@debian.org>2019-05-04 18:52:08 +0100
committerSteve McIntyre <93sam@debian.org>2019-05-04 18:56:30 +0100
commit6cf246a5c9bb035467fafedfd18408bc4ae78f6c (patch)
tree2e26ccc15a35390eeb40a9e40582b92e2faeda2c
parente17b0af4664eff964d36090143fd6f91e07416c5 (diff)
downloadefi-boot-shim-6cf246a5c9bb035467fafedfd18408bc4ae78f6c.tar.gz
efi-boot-shim-6cf246a5c9bb035467fafedfd18408bc4ae78f6c.zip
Generate a vendor dbx file at build time
This allows us to block executing binaries with specific checksums. Generate the dbx list at build time from a simple list of sha256 hashes, so we can update it easily. If we later also need to blacklist a cert, we'll need to update this code to add that option too. Add a build-dep on pesign to get the needed efisiglist program.
-rw-r--r--debian/control2
-rwxr-xr-xdebian/rules16
2 files changed, 16 insertions, 2 deletions
diff --git a/debian/control b/debian/control
index dfad5e2f..db164bb9 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign
Vcs-Browser: https://salsa.debian.org/efi-team/shim
Vcs-Git: https://salsa.debian.org/efi-team/shim.git
diff --git a/debian/rules b/debian/rules
index 0f125340..2a37327e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,6 +15,9 @@ else
distributor=debian
endif
+export DBX_LIST = dbx.esl
+export DBX_HASHES = debian/$(distributor)-dbx.hashes
+
include /usr/share/dpkg/architecture.mk
ifeq ($(DEB_HOST_ARCH),amd64)
@@ -34,18 +37,29 @@ COMMON_OPTIONS += \
EFI_PATH=/usr/lib \
ENABLE_HTTPBOOT=true \
VENDOR_CERT_FILE=$(cert) \
+ VENDOR_DBX_FILE=$(DBX_LIST) \
EFIDIR=$(distributor) \
CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
CC=$(DEB_HOST_GNU_TYPE)-gcc-7 \
$(NULL)
+$(DBX_LIST):
+ if [ -f ${DBX_HASHES} ]; then \
+ for HASH in $$(grep -E [[:xdigit:]]{32} ${DBX_HASHES}); do \
+ efisiglist -o ${DBX_LIST} -a -h $$HASH; \
+ done; \
+ else \
+ touch ${DBX_LIST}; \
+ fi
+
%:
dh $@ --parallel
override_dh_auto_clean:
dh_auto_clean -- MAKELEVEL=0
+ rm -f $(DBX_LIST)
-override_dh_auto_build:
+override_dh_auto_build: $(DBX_LIST)
dh_auto_build -- $(COMMON_OPTIONS)
override_dh_auto_install:
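Review bot: The `$(DBX_LIST)` recipe can produce an incomplete dbx without failing the build: the `efisiglist` call inside the `for` loop runs without any error check, and make only sees the exit status of the final `if`, so a tool failure on one hash leaves a short `dbx.esl` that is then linked into shim as if it were complete, silently dropping a revocation. The selection of hashes is also looser than the description implies — `grep -E [[:xdigit:]]{32}` is unquoted, matches any line merely containing 32 consecutive hex digits rather than a full 64-digit sha256, and passes the whole matching line (including anything after the hash) to the loop. The rule has no prerequisite on `$(DBX_HASHES)` either, so an existing `dbx.esl` (including one left by a failed run) is treated as up to date when the hash list changes; `override_dh_auto_clean` mitigates this only when a clean precedes the build. I would anchor and quote the pattern, fail the recipe on the first `efisiglist` error, and declare the hash list as a prerequisite, as below.
```make
$(DBX_LIST): $(wildcard $(DBX_HASHES))
	rm -f $@
	if [ -f $(DBX_HASHES) ]; then \
	    for HASH in $$(grep -oE '^[[:xdigit:]]{64}$$' $(DBX_HASHES)); do \
	        efisiglist -o $@ -a -h $$HASH || exit 1; \
	    done; \
	else \
	    touch $@; \
	fi
# … unchanged: dh pattern rule, clean/build overrides …
```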