From 1174634037dc986a2221176657407ea3447cf6a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Kope=C4=87?=
Date: Tue, 21 Nov 2023 13:08:14 +0100
Subject: [PATCH] Add CI for UEFI DBX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michał Kopeć
---
 .github/workflows/dbx.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/dbx.yml
diff --git a/.github/workflows/dbx.yml b/.github/workflows/dbx.yml
new file mode 100644
index 0000000000..cd514eb7b9
--- /dev/null
+++ b/.github/workflows/dbx.yml
@@ -0,0 +1,33 @@
+name: Check if UEFI revocation list is up-to-date
+
+on:
+ push:
+ branches:
+ - dasharo
+ pull_request:
+ branches:
+ - dasharo
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ - name: Check if DBX is up-to-date
+ run: |
+ echo 'Fetching DBX from uefi.org'
+ wget https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin -o /dev/null
+ if [ $? -ne 0 ]; then
+ echo 'Failed to fetch latest DBX.'
+ exit 1
+ fi
+ diff <(sha256sum x64_DBXUpdate.bin | awk '{ print $1 }') <(sha256sum UefiPayloadPkg/SecureBootDefaultKeys/DBXUpdate.bin | awk '{ print $1 }')
+ if [ $? -ne 0 ]; then
+ echo 'UEFI DBX is out of date.'
+ exit 1
+ else
+ echo 'UEFI DBX is up-to-date.'
+ fi
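Review bot: The two `if [ $? -ne 0 ]` tests in the `Check if DBX is up-to-date` step are unlikely ever to see a non-zero status, because GitHub runs `run:` scripts with `bash -e` by default and a failing `wget` or `diff` ends the step before the test is reached. The job still goes red, but without the 'Failed to fetch latest DBX.' or 'UEFI DBX is out of date.' message that tells a maintainer whether the download broke or the revocation list is stale. Testing the commands directly keeps both messages reachable: `if ! wget <same URL> -o /dev/null; then` and `if ! cmp -s x64_DBXUpdate.bin UefiPayloadPkg/SecureBootDefaultKeys/DBXUpdate.bin; then`. Separately, `actions/checkout@v2` is a mutable tag; pinning the action to a full commit SHA is the usual hardening for a workflow that gates Secure Boot revocation data.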