From 839af42e06287aba287ac192d0e37a739e1884ae Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Fri, 3 May 2019 01:53:51 +0100
Subject: Update VCS-* fields in debian/control

---
 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'debian/control')

diff --git a/debian/control b/debian/control
index bedff821..8ee1560a 100644
--- a/debian/control
+++ b/debian/control
@@ -5,8 +5,8 @@ Maintainer: Debian EFI team
 Uploaders: Steve Langasek , Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
-Vcs-Browser: https://salsa.debian.org/vorlon/shim
-Vcs-Git: https://salsa.debian.org/vorlon/shim.git
+Vcs-Browser: https://salsa.debian.org/efi-team/shim
+Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 
 Package: shim-unsigned
 Architecture: amd64 arm64 i386
-- 
cgit v1.2.3

From e17b0af4664eff964d36090143fd6f91e07416c5 Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Fri, 3 May 2019 01:56:07 +0100
Subject: Build using gcc-7

To get better control of reproducibility during the lifetime of Buster
---
 debian/changelog | 2 ++
 debian/control | 2 +-
 debian/rules | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'debian/control')

diff --git a/debian/changelog b/debian/changelog
index d4e6dceb..396351b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
 + Fix OBJ_create() to tolerate a NULL sn and ln
 * Update VCS-* fields in debian/control
+ * Build using gcc-7 to get better control of reproducibility during the
+ lifetime of Buster.
 
 -- Steve McIntyre <93sam@debian.org> Fri, 03 May 2019 01:39:34 +0100
 
diff --git a/debian/control b/debian/control
index 8ee1560a..dfad5e2f 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian EFI team
 Uploaders: Steve Langasek , Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
 Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 
diff --git a/debian/rules b/debian/rules
index daaed62e..0f125340 100755
--- a/debian/rules
+++ b/debian/rules
@@ -36,6 +36,7 @@ COMMON_OPTIONS += \
 VENDOR_CERT_FILE=$(cert) \
 EFIDIR=$(distributor) \
 CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
+ CC=$(DEB_HOST_GNU_TYPE)-gcc-7 \
 $(NULL)
 
 %:
-- 
cgit v1.2.3

From 6cf246a5c9bb035467fafedfd18408bc4ae78f6c Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Sat, 4 May 2019 18:52:08 +0100
Subject: Generate a vendor dbx file at build time

This allow us to block executing binaries with specific checksums. Generate the dbx list at runtime from a simple list of sha256 hashes, so we can update this easily. If we need to also blacklist a cert later, we'll need to update this code to add that option too. Add a build-dep on pesign to get the needed efisiglist program.
---
 debian/control | 2 +-
 debian/rules | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
(limited to 'debian/control')

diff --git a/debian/control b/debian/control
index dfad5e2f..db164bb9 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian EFI team
 Uploaders: Steve Langasek , Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
 Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 
diff --git a/debian/rules b/debian/rules
index 0f125340..2a37327e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,6 +15,9 @@ else
 distributor=debian
 endif
 
+export DBX_LIST = dbx.esl
+export DBX_HASHES = debian/$(distributor)-dbx.hashes
+
 include /usr/share/dpkg/architecture.mk
 
 ifeq ($(DEB_HOST_ARCH),amd64)
@@ -34,18 +37,29 @@ COMMON_OPTIONS += \
 EFI_PATH=/usr/lib \
 ENABLE_HTTPBOOT=true \
 VENDOR_CERT_FILE=$(cert) \
+ VENDOR_DBX_FILE=$(DBX_LIST) \
 EFIDIR=$(distributor) \
 CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
 CC=$(DEB_HOST_GNU_TYPE)-gcc-7 \
 $(NULL)
 
+$(DBX_LIST):
+ if [ -f ${DBX_HASHES} ]; then \
+ for HASH in $$(grep -E [[:xdigit:]]{32} ${DBX_HASHES}); do \
+ efisiglist -o ${DBX_LIST} -a -h $$HASH; \
+ done; \
+ else \
+ touch ${DBX_LIST}; \
+ fi
+
 %:
 dh $@ --parallel
 
 override_dh_auto_clean:
 dh_auto_clean -- MAKELEVEL=0
+ rm -f $(DBX_LIST)
 
-override_dh_auto_build:
+override_dh_auto_build: $(DBX_LIST)
 dh_auto_build -- $(COMMON_OPTIONS)
 
 override_dh_auto_install:
-- 
cgit v1.2.3

From 88a7a6505b6c502c0180c9980081fb97a224b72f Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Sat, 4 May 2019 18:57:01 +0100
Subject: Add initial file with test checksums for the dbx list

---
 debian/changelog | 4 ++++
 debian/control | 2 +-
 debian/debian-dbx.hashes | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 debian/debian-dbx.hashes
(limited to 'debian/control')

diff --git a/debian/changelog b/debian/changelog
index 396351b4..492d35e5 100644
--- a/debian/changelog
+++ b/debian/changelog
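Review bot: The new `$(DBX_LIST)` rule in the second hunk has no prerequisite on `$(DBX_HASHES)`, so once dbx.esl exists in the tree an updated hash list is never re-read, and because `efisiglist -a` appends to an existing output a forced rebuild would accumulate stale entries instead of replacing them. The `grep -E [[:xdigit:]]{32}` pattern is unquoted, unanchored and matches 32 rather than the 64 hex digits of a sha256 digest, so a comment line containing a long hex run, or trailing text on a digest line, gets split on whitespace and handed to `efisiglist -h` as if it were a hash. A failing `efisiglist` inside the `for` loop also does not fail the recipe (only the final command's status reaches make), which silently produces an incomplete denylist that the build then ships. Suggest depending on `$(wildcard $(DBX_HASHES))` (keeps the missing-file fallback), removing `$@` first, accepting only whole-line 64-hex digests, aborting on the first failure, and creating an empty list when no digest matched.
```make
$(DBX_LIST): $(wildcard $(DBX_HASHES))
	rm -f $@
	if [ -f $(DBX_HASHES) ]; then \
		for HASH in $$(grep -Eo '^[[:xdigit:]]{64}$$' $(DBX_HASHES)); do \
			efisiglist -o $@ -a -h $$HASH || exit 1; \
		done; \
	fi
	[ -f $@ ] || touch $@
```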
@@ -7,6 +7,10 @@ shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
 * Update VCS-* fields in debian/control
 * Build using gcc-7 to get better control of reproducibility during the
 lifetime of Buster.
+ * Build in a dbx list to blacklist binaries that we know to not be
+ secure. Build-depend on a new (bug-fixed) version of pesign to
+ generate that list at build time, using a list of known bad hashes.
+ * Initial list of known bad hashes is just my personal test binary.
 
 -- Steve McIntyre <93sam@debian.org> Fri, 03 May 2019 01:39:34 +0100
 
diff --git a/debian/control b/debian/control
index db164bb9..5f82c5c4 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian EFI team
 Uploaders: Steve Langasek , Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign (>= 0.112-5)
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
 Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 
diff --git a/debian/debian-dbx.hashes b/debian/debian-dbx.hashes
new file mode 100644
index 00000000..494f09df
--- /dev/null
+++ b/debian/debian-dbx.hashes
@@ -0,0 +1,18 @@
+# debian-dbx.hashes
+#
+# This file contains the sha256 sums of the binaries that we want to
+# blacklist directly in our signed shim. Add entries below, with comments
+# to explain each entry (where possible).
+#
+# Format of this file: put hex-encoded sha256 checksums on lines on
+# their own. I'm using shell-style comments just for clarity.
+#
+# The hashes are generated using:
+#
+# pesign --hash -in
+#
+# on *either* the signed or unsigned binary, pesign doesn't care
+# which.
+ # Sledge's test arm64 grub binary
+d0555468007c31bd75c1f1c984e5b4adbb464bc68e5dedd670535ee97acc7dd9
-- 
cgit v1.2.3
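Review bot: The header of the new debian/debian-dbx.hashes file documents how to produce a digest but not the exact line format the build consumes: the `$(DBX_LIST)` recipe in debian/rules greps matching lines and splits them on whitespace before passing every word to `efisiglist -h`, so a trailing comment on a digest line would be fed in as if it were a hash. Suggest extending the "Format of this file" paragraph with `# Each entry is exactly one 64-character hex sha256 digest with nothing else on the line; put comments on their own lines.` The changelog describes the single entry as a personal test binary, so its comment should say so as well, e.g. `# Sledge's test arm64 grub binary (placeholder test entry, see changelog)`, so a later maintainer does not mistake it for a confirmed-bad build.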