Re: Please review changes for the Debian shim -7 upload
On Mon, May 06, 2019 at 02:31:51PM -0600, dann frazier wrote:
>On Mon, May 6, 2019 at 6:25 AM Steve McIntyre <steve@einval.com> wrote:
>>
>> In particular, please check my logic in the dbx file creation. I've
>> tested this using a local VM set up with secure boot enabled and test
>> keys in the firmware, and it looked to work ok.
>>
>> Please review/test as soon as you can - I don't want this to be
>> blocking the Buster release.
>
>Nice work Steve! I don't have any feedback on the overall logic, but I
>did have some take-or-leave suggestions for the packaging, mostly
>around making the dbx list generation more robust. See:
> https://salsa.debian.org/dannf/shim/tree/dbx-hash-cleanup
>
>The "set -e" thing is the only one I'd strongly push for.
Ooh, thanks for those. I was going to say "I like all of your
suggestions, except..." but I've just followed your changes through
and it all looks cool. :-) Merged!
We'd also need to add an empty (except comments) DBX_HASHES file for
the Ubuntu build, I guess. I'm doing that now too.
>One other thing - is there is a way to sanity check dbx.esl from the
>command line? If so, I'd suggest adding that test to the $(DBX_LIST)
>target, so that a misbehaving efisiglist fails the build. That should
>also avoid the need to version the build-dep on pesign.
It took me a while to find the issues in efisiglist, and I had a patch
ready to go. Then I found that Gary Lin had already fixed it upstream
in *exactly* the same way! Without writing another tool very similar
to pesign, it's difficult to validate its output. :-/ I ended up
printing a hexdump and using pencil and paper to work things out!
Thanks for the review and suggestions - for a key piece like this, I'm
much happier if other people's eyes have checked my work. :-)
I'll upload later.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.
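The command-line sanity check for dbx.esl that dann asks about, written here as an added example (not code from the shim package or from Steve's changes): it walks the EFI_SIGNATURE_LIST structures efisiglist is expected to emit and rejects anything that is not a clean list of SHA-256 entries, so a build target can fail on a misbehaving generator. The owner GUID and digests in the fixture are constructed placeholders, not real dbx entries.

```python
import hashlib
import struct
import uuid
from typing import List, Optional, Tuple

# EFI_CERT_SHA256_GUID from the UEFI spec: the SignatureType a dbx of hashes must carry.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
SHA256_SIG_SIZE = 16 + 32                 # EFI_SIGNATURE_DATA: owner GUID + digest


def parse_sha256_esl(data: bytes) -> List[Tuple[uuid.UUID, bytes]]:
    """Walk every EFI_SIGNATURE_LIST in data and return (owner, digest) pairs.
    Any structural inconsistency raises ValueError."""
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % offset)
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, data, offset)
        sig_type = uuid.UUID(bytes_le=raw_type)
        if sig_type != EFI_CERT_SHA256_GUID:
            raise ValueError("unexpected SignatureType %s at offset %d" % (sig_type, offset))
        if hdr_size != 0 or sig_size != SHA256_SIG_SIZE:
            raise ValueError("bad header/signature size %d/%d" % (hdr_size, sig_size))
        if list_size < HEADER_LEN or offset + list_size > len(data):
            raise ValueError("SignatureListSize %d overruns the file" % list_size)
        body = list_size - HEADER_LEN
        if body == 0 or body % sig_size:
            raise ValueError("list body of %d bytes is not a whole number of entries" % body)
        for pos in range(offset + HEADER_LEN, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((owner, data[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def esl_problem(data: bytes) -> Optional[str]:
    """None if data parses cleanly, else the first error (what a $(DBX_LIST) check would print)."""
    try:
        parse_sha256_esl(data)
        return None
    except ValueError as exc:
        return str(exc)


def build_sha256_esl(owner: uuid.UUID, digests: List[bytes]) -> bytes:
    """Build one well-formed SHA-256 list; used here only to construct a test fixture."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = struct.pack(HEADER_FMT, EFI_CERT_SHA256_GUID.bytes_le,
                         HEADER_LEN + len(body), 0, SHA256_SIG_SIZE)
    return header + body


# Constructed sample: placeholder (nil) owner GUID and hashes of dummy strings.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed-entry-%d" % i).digest() for i in range(2)]
SAMPLE_ESL = build_sha256_esl(SAMPLE_OWNER, SAMPLE_DIGESTS)

if __name__ == "__main__":
    print(esl_problem(SAMPLE_ESL))        # None
    print(esl_problem(SAMPLE_ESL[:-1]))   # overrun error for the truncated copy
```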