summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve McIntyre <steve@einval.com>2026-05-14 16:53:15 +0100
committerSteve McIntyre <steve@einval.com>2026-05-14 16:53:15 +0100
commit0140b59d00318019177364b0a56f180052394868 (patch)
tree963b31c7407bbb9c9c7e7fad9dd636d4b4906859
parentbe5e1a1dd8e69d54bd52ff55f801028af6b83767 (diff)
downloadshim-signed-0140b59d00318019177364b0a56f180052394868.tar.gz
shim-signed-0140b59d00318019177364b0a56f180052394868.zip
Update to boot check: ignore keys listed in DBX
-rwxr-xr-xdebian/shim-signed.postinst14
1 files changed, 14 insertions, 0 deletions
diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
index 1e5e683..91920de 100755
--- a/debian/shim-signed.postinst
+++ b/debian/shim-signed.postinst
@@ -106,7 +106,19 @@ case $1 in
echo "Checking shim signatures on $SHIM"
# SB is enabled - we need to check that it is signed by a
# key in the DB list
+
+ # Grab all the keys in the DB list
for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do
+
+ # Check against the blacklisted keys in DBX
+ for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do
+ if [ "$dbkey" = "$dbxkey" ]; then
+ # If we match a dbx entry, ignore this db key
+ echo " Ignoring DB key $dbkey; it's revoked in DBX"
+ break 2
+ fi
+ done
+
if grep -q "$dbkey" $SHIM_SIGS; then
echo "- signed by DB key $dbkey, should boot OK"
SAFE=y
@@ -116,8 +128,10 @@ case $1 in
if [ $SAFE = n ]; then
# SB is enabled but we don't have a signature that will work
+ echo "***********************************************************"
echo "SecureBoot is enabled and we don't have a valid signature on $SHIM"
echo "ABORT - this system will not boot with this shim installed."
+ echo "***********************************************************"
exit 1
fi