| -rw-r--r-- | debian/changelog | 4 |
| -rw-r--r-- | debian/control | 2 |
| -rw-r--r-- | debian/debian-dbx.hashes | 18 |

3 files changed, 23 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 396351b4..492d35e5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,10 @@ shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium * Update VCS-* fields in debian/control * Build using gcc-7 to get better control of reproducibility during the lifetime of Buster. + * Build in a dbx list to blacklist binaries that we know to not be + secure. Build-depend on a new (bug-fixed) version of pesign to + generate that list at build time, using a list of known bad hashes. + * Initial list of known bad hashes is just my personal test binary. -- Steve McIntyre <93sam@debian.org> Fri, 03 May 2019 01:39:34 +0100 diff --git a/debian/control b/debian/control index db164bb9..5f82c5c4 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian EFI team <debian-efi@lists.debian.org> Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org> Standards-Version: 4.3.0 -Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign (>= 0.112-5) Vcs-Browser: https://salsa.debian.org/efi-team/shim Vcs-Git: https://salsa.debian.org/efi-team/shim.git diff --git a/debian/debian-dbx.hashes b/debian/debian-dbx.hashes new file mode 100644 index 00000000..494f09df --- /dev/null +++ b/debian/debian-dbx.hashes 
@@ -0,0 +1,18 @@ +# debian-dbx.hashes +# +# This file contains the sha256 sums of the binaries that we want to +# blacklist directly in our signed shim. Add entries below, with comments +# to explain each entry (where possible). +# +# Format of this file: put hex-encoded sha256 checksums on lines on +# their own. I'm using shell-style comments just for clarity. +# +# The hashes are generated using: +# +# pesign --hash -in <binary> +# +# on *either* the signed or unsigned binary, pesign doesn't care +# which. + +# Sledge's test arm64 grub binary +d0555468007c31bd75c1f1c984e5b4adbb464bc68e5dedd670535ee97acc7dd9 |
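Review bot: the versioned Build-Depends bump to `pesign (>= 0.112-5)` in debian/control is justified only by the changelog's "new (bug-fixed) version of pesign", and neither hunk says which pesign bug that fix addresses; name the bug (or describe the fix in one line) in the changelog entry so the reason for the version floor is traceable and the constraint can be raised or relaxed safely later.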

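Review bot: the header comment in debian/debian-dbx.hashes describes the entries as "hex-encoded sha256 checksums", which invites a contributor to add a plain `sha256sum` of the file; the same header notes that the value is identical for the signed and unsigned binary, so it must be the PE image hash that `pesign --hash -in <binary>` computes, not a hash of the raw file bytes, and a `sha256sum` value would silently never match anything at boot. Spell that out next to the format description, e.g. "# NOTE: use the pesign-computed PE hash above, NOT sha256sum of the file". The single entry "Sledge's test arm64 grub binary" should also record where the binary came from (package/version or build origin), as the header itself asks for, so the entry can be audited or dropped later.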