diff options
| author | Steve McIntyre <steve@einval.com> | 2026-05-14 16:53:15 +0100 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2026-05-14 16:53:15 +0100 |
| commit | 0140b59d00318019177364b0a56f180052394868 (patch) | |
| tree | 963b31c7407bbb9c9c7e7fad9dd636d4b4906859 | |
| parent | be5e1a1dd8e69d54bd52ff55f801028af6b83767 (diff) | |
| download | shim-signed-0140b59d00318019177364b0a56f180052394868.tar.gz shim-signed-0140b59d00318019177364b0a56f180052394868.zip | |
Update to boot check: ignore keys listed in DBX
| -rwxr-xr-x | debian/shim-signed.postinst | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst index 1e5e683..91920de 100755 --- a/debian/shim-signed.postinst +++ b/debian/shim-signed.postinst @@ -106,7 +106,19 @@ case $1 in echo "Checking shim signatures on $SHIM" # SB is enabled - we need to check that it is signed by a # key in the DB list + + # Grab all the keys in the DB list for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do + + # Check against the blacklisted keys in DBX + for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do + if [ "$dbkey" = "$dbxkey" ]; then + # If we match a dbx entry, ignore this db key + echo " Ignoring DB key $dbkey; it's revoked in DBX" + break 2 + fi + done + if grep -q "$dbkey" $SHIM_SIGS; then echo "- signed by DB key $dbkey, should boot OK" SAFE=y @@ -116,8 +128,10 @@ case $1 in if [ $SAFE = n ]; then # SB is enabled but we don't have a signature that will work + echo "***********************************************************" echo "SecureBoot is enabled and we don't have a valid signature on $SHIM" echo "ABORT - this system will not boot with this shim installed." + echo "***********************************************************" exit 1 fi |
