Log if the build is nx-compatible or not

Add a new simple script to do this: check_nx

3 files changed, 38 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 84f0fee5..768c5540 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ shim (15.8-1) UNRELEASED; urgency=medium
   * NOTE: Stop building for i386
     + Debian kernels are no longer signed for i386, it's time to stop
       supporting i386 SB.
+  * Log if the build is nx-compatible or not
 
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
diff --git a/debian/check_nx b/debian/check_nx
new file mode 100755
index 00000000..061064d0
--- /dev/null
+++ b/debian/check_nx
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# Helper script - check if a binary is tagged as NX-compatible or not.
+
+set -e
+
+for FILE in "$@"; do
+
+    if [ ! -f "${FILE}" ]; then
+	echo "${FILE} does not exist. ABORT."
+	exit 1
+    fi
+
+    echo "Checking NX bit on ${FILE}:"
+    DLL_CHARACTERISTICS=$(objdump -x "${FILE}" | awk '/DllCharacteristics/ {print $2}')
+
+    echo "  DllCharacteristics $DLL_CHARACTERISTICS"
+    case $DLL_CHARACTERISTICS in
+	00000000)
+	    echo "  NOT tagged as NX-compatible"
+	    ;;
+	00000100)
+	    echo "  tagged as NX-compatible"
+	    ;;
+	*)
+	    echo "  UNRECOGNISED value, ABORT";
+	    exit 1
+	    ;;
+    esac
+
+done
+
diff --git a/debian/rules b/debian/rules
index a6e97448..39d0357e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -81,7 +81,12 @@ override_dh_auto_install:
 	# And remove the extra removable-media copy of shim too, it's
 	# not needed for our build and causes debhelper to complain
 	rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
+
+	# Generate the template packages that we'll use for SB signing later
 	./debian/signing-template.generate
+
+	# Log some useful things about the build here
+	./debian/check_nx shim*.efi
 	sha256sum *.efi
 
 generate-gnu-efi: