Add support for OEM dbx enrollment

Foxboron · Aug 10, 2023 · dae25b8 · dae25b8
1 parent 99e260c
commit dae25b8
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/cmd/sbctl/enroll-keys.go b/cmd/sbctl/enroll-keys.go
@@ -137,6 +137,13 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
 			}
 			sigdb.AppendDatabase(oemSigDb)
 
+			// dbx
+			oemSigDbx, err := certs.GetOEMCerts(oem, "dbx")
+			if err != nil {
+				return fmt.Errorf("could not enroll db keys: %w", err)
+			}
+			sigdbx.AppendDatabase(oemSigDbx)
+
 			// KEK
 			oemSigKEK, err := certs.GetOEMCerts(oem, "KEK")
 			if err != nil {
@@ -155,6 +162,13 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
 			}
 			sigdb.AppendDatabase(customSigDb)
 
+			// dbx
+			customSigDbx, err := certs.GetCustomCerts(keydir, "dbx")
+			if err != nil {
+				return fmt.Errorf("could not enroll custom dbx keys: %w", err)
+			}
+			sigdbx.AppendDatabase(customSigDbx)
+
 			// KEK
 			customSigKEK, err := certs.GetCustomCerts(keydir, "KEK")
 			if err != nil {
@@ -172,6 +186,8 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
 				switch cert {
 				case "db":
 					sigdb.AppendDatabase(builtinSigDb)
+				case "dbx":
+					sigdbx.AppendDatabase(builtinSigDb)
 				case "KEK":
 					sigkek.AppendDatabase(builtinSigDb)
 				case "PK":