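#!/bin/sh
#
# Helper script - generate a DBX file for inclusion into a shim build
#
# Takes an input file (e.g. debian-dbx.hashes) with data in the form
#
# <hex-encoded sha256 checksums> <arch>
#
# and generates a siglist of the hashes for just the architecture we
# want. No point including all the hashes for all the arches, it just
# bloats things and slows things down.
#
# Usage: generate_dbx <arch> <hashes-file> <output-file>
#
# Exit status: 0 on success, 1 on unreadable input or a malformed hash
# entry, 2 on bad usage. Failures of efisiglist/efisecdb abort the
# script through "set -e".

# -e: stop on the first failing command
# -u: an unset variable is an error instead of an empty string
# -f: no pathname expansion; the hash list is word-split on purpose
#     below and must never be treated as glob patterns
set -euf

usage() {
	echo "Usage: $0 <arch> <hashes-file> <output-file>" >&2
	exit 2
}

die() {
	echo "$0: $*" >&2
	exit 1
}

if [ "$#" -lt 3 ]; then
	usage
fi

ARCH=$1
IN=$2
OUT=$3

if [ -z "$ARCH" ] || [ -z "$IN" ] || [ -z "$OUT" ]; then
	usage
fi

# The output is a revocation list. An unreadable or missing hashes
# file must stop the build; before this check the read error happened
# inside a command substitution, was ignored by "set -e", and the
# script went on to write an empty DBX file.
if [ ! -r "$IN" ] || [ -d "$IN" ]; then
	die "cannot read hashes file: $IN"
fi

PROXMOX_UUID="e946353a-bc0d-4cfe-80be-3a2ef98edf93"

# This needs to be fixed (i.e. constant) to make builds reproducible,
# of course. If you're deriving from Debian, please generate your own.
UUID="$PROXMOX_UUID"

# Select the first field of every line whose second field is exactly
# $ARCH. The comparison is done on strings in awk (the appended ""
# forces a string compare), so $ARCH is never interpreted as a regular
# expression and a shorter name cannot match a longer one by prefix.
# Lines whose first field starts with '#' are skipped.
# LC_ALL=C keeps the order, and therefore the generated file,
# independent of the build locale.
HASHES=$(awk -v arch="$ARCH" \
	'$1 !~ /^#/ && ($2 "") == (arch "") { print $1 }' < "$IN" |
	LC_ALL=C sort -u)

# A SHA-256 digest is 64 hex digits. Refuse anything else rather than
# dropping the entry or handing it to the signature-list tool: a typo
# in the hashes file should fail the build, not shrink the list.
for HASH in $HASHES; do
	case $HASH in
	*[!0-9A-Fa-f]*)
		die "malformed hash for $ARCH in $IN: $HASH"
		;;
	esac
	if [ "${#HASH}" -ne 64 ]; then
		die "hash for $ARCH in $IN is not 64 hex digits: $HASH"
	fi
done

# Also remove the intermediate file: a stale "$OUT.in" left by an
# interrupted run would otherwise be moved into place as the result
# when there are no hashes for this architecture.
rm -f -- "$OUT" "$OUT.in"

if [ -x /usr/bin/efisiglist ]; then
	# Older versions of the pesign package included the efisiglist
	# utility. If we have that, use it.
	for HASH in $HASHES; do
		echo " Adding $HASH to dbx list"
		efisiglist -o "$OUT" -a -h "$HASH"
	done
else
	# It appears we don't have efisiglist, so use efisecdb
	# instead. It's a little more awkward to drive.
	PREV="" # First pass has no previous output to read
	for HASH in $HASHES; do
		echo " Adding $HASH to dbx list"
		if [ -n "$PREV" ]; then
			efisecdb -g "$UUID" -a -t sha256 -h "$HASH" -i "$PREV" -o "$OUT"
		else
			efisecdb -g "$UUID" -a -t sha256 -h "$HASH" -o "$OUT"
		fi

		# Subsequent passes need to read the previous output as input
		# each time, and won't overwrite the output.
		mv -f -- "$OUT" "$OUT.in"
		PREV="$OUT.in"
	done
	if [ -f "$OUT.in" ]; then
		mv -f -- "$OUT.in" "$OUT"
	fi
fi

# If we have an empty hashes file (or no entries for this
# architecture), create an empty DBX file
touch -- "$OUT"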