[Feature]: Remove Hashes from DBX if the Authority is not present in the DB

[Flickdm]

Feature Overview

Only add hashes to the DBX if the hash is authorized by a CA in the DB in order to conserve space

Make this an optional field that can be used if something like "--necessary-dbx-entries-only" or something else that makes sense

Solution Overview

Given that in the latest dbx json file (for example, dbx_info_msft_06_10_25.json) that the json field has an "Authority" field

            {
                "authenticodeHash": "80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A",
                "hashType": "SHA256",
                "flatHash": "",
                "filename": "shim.efi",
                "description": "",
                "companyName": "Unknown",
                "dateOfAddition": "2018-04-01",
                "signingAuthority": "CN = Microsoft Corporation UEFI CA 2011"
            }

And we can map these "signingAuthority" fields to a CA in the DB section in the toml file via its subject name

PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der:  "CN = Microsoft Corporation UEFI CA 2011"
PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der: "CN = Microsoft Windows Production PCA 2011"

update secure_boot_default_keys.py to only add hashes that are authorized by one of the DB CAs to the DBX to conserve space

Alternatives Considered

No response

Urgency

Low

Are you going to implement the feature request?

I will implement the feature

Do you need maintainer feedback?

No maintainer feedback needed

Anything else?

No response

[Flickdm]

@copilot Additionally, if a CA ends up in the DBX - do not add any of the hashes authorized by that CA. Make sure there is enough warnings that a user can know this is happening.

[mu-automation]

This issue has been automatically marked as stale because it has not had activity in 45 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.