Commit Graph

7 Commits

Author SHA1 Message Date
Steve McIntyre
de3def7f53 Improve how the dbx hashes are handled
Only include the hashes for the architecture we're building for - no
point in adding bloat and delay here.

Add a script "block_signed_deb" to scan a set of .deb files, extract
the hashes for .efi binaries and list them in the format wanted for
the dbx hashes file.

Split out the code to use that file from the rules file into a
separate helper.
2021-03-23 23:33:04 +00:00
Steve McIntyre
58195ca37e Add dbx entries for all our existing grub binaries
They're insecure, let's break the chainloading hole
2021-03-23 23:32:38 +00:00
Steve McIntyre
c161c40d1e Typo fix
2020-07-24 01:28:51 +01:00
Steve McIntyre
3a1cdbfd4c Use --padding when calling pesign to generate hashes
for the dbx list, as recommended by Peter Jones. No actual changes
needed in our list of hashes at this point - they work out the same
either way.
2019-05-08 16:49:11 +01:00
Steve McIntyre
ea8f00b9bf Remove the hash for Sledge's test arm64 grub binary
Not needed now.
2019-05-08 02:03:37 +01:00
Steve McIntyre
549f650b3d Add more hashes that we want to blacklist
signed arm64 grub binaries that allow use of the devicetree command,
as found in

 grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
 grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
2019-05-06 13:07:00 +01:00
Steve McIntyre
88a7a6505b Add initial file with test checksums for the dbx list
2019-05-06 13:00:19 +01:00