[linux-meta][K][L][PATCH 1/2] UBUNTU: [Packaging] Check if EFI signatures are revoked at build time
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Mon Nov 21 15:03:23 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1996955
If built-in revocation certificate information is known, verify whether
freshly signed EFI binaries are revoked. This prevents accidentally
publishing signed kernel packages that fail to kexec/kdump under
secureboot.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
debian/rules | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/debian/rules b/debian/rules
index 69b5e48598..d27ab822f8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,8 @@ clean:: pre-clean
%:
dh $@
+override_dh_auto_build: SHELL=/bin/sh -x
+
override_dh_auto_build:
./download-signed "$(src_headers_arch)" "$(unsigned_ver)" "$(unsigned_src)"
#./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)"
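Review bot: `override_dh_auto_build: SHELL=/bin/sh -x` switches on shell tracing for every line of the whole build recipe, with no comment saying whether that is a permanent diagnostic or leftover debugging; since the same recipe later sources the `$${base}.efi.vars` files, their contents are echoed into the build log as well. If the tracing is meant to stay, a comment above the line such as `# Trace the signing/revocation steps so build logs show which cert each binary was checked against` would document the intent; if not, gating it on a variable (e.g. `SHELL=/bin/sh $(if $(V),-x)`, a constructed example) keeps default logs quieter. The `%:` rule and the two recipe lines shown are context only, and the `override_dh_auto_build` recipe continues past this hunk.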
@@ -54,6 +56,19 @@ override_dh_auto_build:
for s in *.efi.signed; do \
[ ! -f "$$s" ] && continue; \
base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
+ flavour=$$(echo "$$base" | sed -e "s at .*-$(abi)-@@"); \
+ verflav="$(abi)-$$flavour"; \
+ if [ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]; then \
+ awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}' < /usr/lib/linux/$$verflav/canonical-revoked-certs.pem; \
+ for cert in revoked-cert.*.pem; do \
+ echo Checking signature against $$cert; \
+ if sbverify --verbose --verbose --cert $$cert $$s; then \
+ echo Which is bad. EFI binary signed with revoked cert $$cert; \
+ exit 1; \
+ fi; \
+ done; \
+ echo All good. EFI binary not signed with a revoked key.; \
+ fi; \
( \
vars="$${base}.efi.vars"; \
[ -f "$$vars" ] && . "./$$vars"; \
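Review bot: The revocation check fails open when `sbverify` is not available: the `if sbverify ... $$cert $$s` test treats any non-zero exit, including command-not-found, as "not signed with this cert", so the loop prints `All good` and the build proceeds without having verified anything. Before the `for cert` loop I would add `command -v sbverify >/dev/null || { echo "sbverify missing, cannot check revocation"; exit 1; }; \` unless sbsigntool is already a hard build dependency, which the hunk does not show. Two smaller points: the split `revoked-cert.*.pem` files are never removed, so a later iteration of the outer `for s` loop can pick up stale files from a previous flavour's PEM — `rm -f revoked-cert.*.pem; \` before the awk fixes that — and the missing-PEM case skips silently, so an `else echo "No revoked certs for $$verflav, skipping revocation check"; \` branch would make the skip visible in the build log. The `sed` expression on the flavour line appears as `s at .*-$(abi)-@@`, which reads like the list archive's rewriting of `@` delimiters rather than the patch text itself. The `override_dh_auto_build` recipe and the `for s` loop start before this hunk, and the `( \` subshell continues past it.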
--
2.34.1