From 88a7a6505b6c502c0180c9980081fb97a224b72f Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Sat, 4 May 2019 18:57:01 +0100
Subject: [PATCH] Add initial file with test checksums for the dbx list

---
 debian/changelog         |  4 ++++
 debian/control           |  2 +-
 debian/debian-dbx.hashes | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 debian/debian-dbx.hashes

diff --git a/debian/changelog b/debian/changelog
index 396351b..492d35e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,10 @@ shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
   * Update VCS-* fields in debian/control
   * Build using gcc-7 to get better control of reproducibility during the
     lifetime of Buster.
+  * Build in a dbx list to blacklist binaries that we know to not be
+    secure. Build-depend on a new (bug-fixed) version of pesign to
+    generate that list at build time, using a list of known bad hashes.
+  * Initial list of known bad hashes is just my personal test binary.
 
  -- Steve McIntyre <93sam@debian.org>  Fri, 03 May 2019 01:39:34 +0100
 
diff --git a/debian/control b/debian/control
index db164bb..5f82c5c 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian EFI team <debian-efi@lists.debian.org>
 Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
 Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev, gcc-7, pesign (>= 0.112-5)
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
 Vcs-Git: https://salsa.debian.org/efi-team/shim.git
 
diff --git a/debian/debian-dbx.hashes b/debian/debian-dbx.hashes
new file mode 100644
index 0000000..494f09d
--- /dev/null
+++ b/debian/debian-dbx.hashes
@@ -0,0 +1,18 @@
+# debian-dbx.hashes
+#
+# This file contains the sha256 sums of the binaries that we want to
+# blacklist directly in our signed shim. Add entries below, with comments
+# to explain each entry (where possible).
+#
+# Format of this file: put hex-encoded sha256 checksums on lines on
+# their own. I'm using shell-style comments just for clarity.
+#
+# The hashes are generated using:
+#
+#     pesign --hash -in <binary>
+#
+# on *either* the signed or unsigned binary, pesign doesn't care
+# which.
+
+# Sledge's test arm64 grub binary
+d0555468007c31bd75c1f1c984e5b4adbb464bc68e5dedd670535ee97acc7dd9