Add initial file with test checksums for the dbx list

debian/changelog

@@ -7,6 +7,10 @@ shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
   * Update VCS-* fields in debian/control
   * Build using gcc-7 to get better control of reproducibility during the
     lifetime of Buster.
+  * Build in a dbx list to blacklist binaries that we know to not be
+    secure. Build-depend on a new (bug-fixed) version of pesign to
+    generate that list at build time, using a list of known bad hashes.
+  * Initial list of known bad hashes is just my personal test binary.
 
  -- Steve McIntyre <93sam@debian.org>  Fri, 03 May 2019 01:39:34 +0100
 

debian/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian EFI team <debian-efi@lists.debian.org>
 Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign (>= 0.112-5)
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
 Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 

debian/debian-dbx.hashes

@@ -0,0 +1,18 @@
+# debian-dbx.hashes
+#
+# This file contains the sha256 sums of the binaries that we want to
+# blacklist directly in our signed shim. Add entries below, with comments
+# to explain each entry (where possible).
+#
+# Format of this file: put hex-encoded sha256 checksums on lines on
+# their own. I'm using shell-style comments just for clarity.
+#
+# The hashes are generated using:
+#
+#     pesign --hash -in <binary>
+#
+# on *either* the signed or unsigned binary, pesign doesn't care
+# which.
+
+# Sledge's test arm64 grub binary
+d0555468007c31bd75c1f1c984e5b4adbb464bc68e5dedd670535ee97acc7dd9