Open raddirad opened 1 year ago
raddirad
commented
1 year ago is it
hash-to-efi-sig-list ~/grubx64.efi vendor_dbx.eslto generate the vendor_dbx
and then provide
VENDOR_DBX_FILE=vendor_dbx.eslas a make variable to compile the hashes into the shim dbx?
I better want to ask than submit and then waste time from the reviewer by doing something wrong.
Regards
tSU-RooT
commented
2 months ago Hi, this is humble my opinion.
is it
hash-to-efi-sig-list ~/grubx64.efi vendor_dbx.esl
to generate the vendor_dbx
I don't recommend to use hash-to-efi-sig-list, because this utility seems has a bug.[1]
Recommend to use efisiglist or efisecdb (NOTE: efisiglist is removed after pesign version 114 2)
$ pesign --hash --padding --in <grub_binary_path>
hash: <hash>
$ efisiglist -o vendor_dbx.esl -a -h <hash>Debian's package repository is awesome helpful for reference. https://salsa.debian.org/efi-team/shim/-/blob/master/debian/generate_dbx_list https://salsa.debian.org/efi-team/shim/-/blob/master/debian/debian-dbx.hashes
and then provide
VENDOR_DBX_FILE=vendor_dbx.esl
I think so. But actual setting depends how you build your shim(rpm, deb or else)
[1]: I have reported hash-to-efi-sig-list(efitools) behavior in help-grub mailing list, but some mysteries is not resolved still now. https://lists.gnu.org/archive/html/help-grub/2024-04/msg00018.html
Hi
I am currently opening an issue in the shim-review. Going through the README I saw the following
How do I compile a shim with a vendor_dbx file? How does this file have to look? Simply the hashes (sha256?) line by line?
We'd like to reuse the cert we have.
Regards