| author | Steve McIntyre <93sam@debian.org> | 2019-05-04 18:52:08 +0100 |
|---|---|---|
| committer | Steve McIntyre <93sam@debian.org> | 2019-05-04 18:56:30 +0100 |
| commit | 6cf246a5c9bb035467fafedfd18408bc4ae78f6c (patch) | |
| tree | 2e26ccc15a35390eeb40a9e40582b92e2faeda2c /debian/rules | |
| parent | e17b0af4664eff964d36090143fd6f91e07416c5 (diff) | |
| download | efi-boot-shim-6cf246a5c9bb035467fafedfd18408bc4ae78f6c.tar.gz efi-boot-shim-6cf246a5c9bb035467fafedfd18408bc4ae78f6c.zip | |
Generate a vendor dbx file at build time
This allows us to block executing binaries with specific
checksums. Generate the dbx list at build time from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
Diffstat (limited to 'debian/rules')
| -rwxr-xr-x | debian/rules | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/debian/rules b/debian/rules
index 0f125340..2a37327e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,6 +15,9 @@ else
 distributor=debian
 endif
 
+export DBX_LIST = dbx.esl
+export DBX_HASHES = debian/$(distributor)-dbx.hashes
+
 include /usr/share/dpkg/architecture.mk
 
 ifeq ($(DEB_HOST_ARCH),amd64)
@@ -34,18 +37,29 @@ COMMON_OPTIONS += \
 	EFI_PATH=/usr/lib \
 	ENABLE_HTTPBOOT=true \
 	VENDOR_CERT_FILE=$(cert) \
+	VENDOR_DBX_FILE=$(DBX_LIST) \
 	EFIDIR=$(distributor) \
 	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
 	CC=$(DEB_HOST_GNU_TYPE)-gcc-7 \
 	$(NULL)
 
+$(DBX_LIST):
+	if [ -f ${DBX_HASHES} ]; then \
+		for HASH in $$(grep -E [[:xdigit:]]{32} ${DBX_HASHES}); do \
+			efisiglist -o ${DBX_LIST} -a -h $$HASH; \
+		done; \
+	else \
+		touch ${DBX_LIST}; \
+	fi
+
 %:
 	dh $@ --parallel
 
 override_dh_auto_clean:
 	dh_auto_clean -- MAKELEVEL=0
+	rm -f $(DBX_LIST)
 
-override_dh_auto_build:
+override_dh_auto_build: $(DBX_LIST)
 	dh_auto_build -- $(COMMON_OPTIONS)
 
 override_dh_auto_install:
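Review bot: The hash extraction in the new `$(DBX_LIST)` recipe is looser than a blocklist should be: `grep -E [[:xdigit:]]{32}` is unquoted, matches any line that merely contains 32 consecutive hex digits (a sha256, which the commit message says this list holds, is 64), and prints the whole line, so a trailing comment or stray token on a matching line is word-split and passed to `efisiglist -h` as extra "hashes", while a failing `efisiglist` call on any hash but the last is not fatal, so an entry the maintainer meant to block can silently drop out of the dbx. Because `-a` appends to whatever `dbx.esl` already exists and the target declares no prerequisite on `$(DBX_HASHES)`, a partially written file from a failed run, or a stale one after the hash list is edited, is also treated as up to date on the next build. I would anchor the match on whole 64-hex-digit lines, stop on the first error, and regenerate the file from scratch whenever the hash list changes; whether shim accepts the empty file the `else` branch creates as `VENDOR_DBX_FILE` is not visible here and worth confirming with a comment on that branch.
```make
$(DBX_LIST): $(wildcard $(DBX_HASHES))
	rm -f $@
	if [ -f $(DBX_HASHES) ]; then \
		for HASH in $$(grep -Eox '[[:xdigit:]]{64}' $(DBX_HASHES)); do \
			efisiglist -o $@ -a -h $$HASH || exit 1; \
		done; \
	else \
		touch $@; \
	fi
# … unchanged: %, override_dh_auto_clean, override_dh_auto_build …
```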
