@@ -45,6 +45,8 @@ clean:: pre-clean
%:
dh $@
+override_dh_auto_build: SHELL=/bin/sh -x
+
override_dh_auto_build:
./download-signed "$(src_headers_arch)" "$(unsigned_ver)" "$(unsigned_src)"
#./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)"
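Review bot: The target-specific `SHELL=/bin/sh -x` on line 4 carries no comment saying why the whole override_dh_auto_build recipe is now traced, so it reads like a leftover debugging switch rather than an intended change. Because `-x` echoes every expanded command — the download-signed arguments on line 7 and the sed/awk pipelines later in the recipe — into the build log, the intent is worth stating, e.g. `# Trace the build recipe so each signed-EFI verification step is visible in the build log`. As a target-specific variable it also applies to any prerequisites of override_dh_auto_build, which the hunk does not show. The rule's recipe continues outside the hunk.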
@@ -54,6 +56,19 @@ override_dh_auto_build:
for s in *.efi.signed; do \
[ ! -f "$$s" ] && continue; \
base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
+ flavour=$$(echo "$$base" | sed -e "s@.*-$(abi)-@@"); \
+ verflav="$(abi)-$$flavour"; \
+ if [ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]; then \
+ awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}' < /usr/lib/linux/$$verflav/canonical-revoked-certs.pem; \
+ for cert in revoked-cert.*.pem; do \
+ echo Checking signature against $$cert; \
+ if sbverify --verbose --verbose --cert $$cert $$s; then \
+ echo Which is bad. EFI binary signed with revoked cert $$cert; \
+ exit 1; \
+ fi; \
+ done; \
+ echo All good. EFI binary not signed with a revoked key.; \
+ fi; \
( \
vars="$${base}.efi.vars"; \
[ -f "$$vars" ] && . "./$$vars"; \
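Review bot: The `if sbverify --verbose --verbose --cert $$cert $$s; then` test on line 19 treats every non-zero exit as "not signed with this cert", so a missing sbverify binary, an unreadable `revoked-cert.N.pem` or any other tool error makes the check fail open and still prints `All good.`; at minimum confirm the tool is available before the loop, e.g. `command -v sbverify >/dev/null || { echo "sbverify not found" >&2; exit 1; }; \` right after the `[ -e ... ]` test on line 15. The `revoked-cert.*.pem` files written by the awk on line 16 are never removed, so files left by an earlier flavour with more certificates survive into the next iteration of the `for s` loop and into the build tree; prefix the awk with `rm -f revoked-cert.*.pem; \`. The awk split also presumes the revoked-certs file contains `Certificate:` header lines (openssl `-text` style); if it holds only PEM blocks, everything lands in `revoked-cert.0.pem` and presumably only the first certificate is verified — worth confirming against the file actually shipped under /usr/lib/linux/. The override_dh_auto_build recipe continues outside the hunk.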
BugLink: https://bugs.launchpad.net/bugs/1996955 If built-in revocation certificate information is known, verify whether freshly signed EFI binaries are signed with a revoked certificate. This prevents accidentally publishing signed kernel packages that fail to kexec/kdump under secureboot. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- debian/rules | 15 +++++++++++++++ 1 file changed, 15 insertions(+)