integ/security/efitools/debian/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
Li Zhou 764d81db0a Debian: efitools: add initial version
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Add efitools 1.9.2-1 for debian.
The patches for code and changes for debian build are ported from
layers (meta-lat and meta-secure-core) of yocto upstream.

Test Plan:
 The tests are done with all the changes for this porting,
 which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
 they are in a chain for secure boot verification.
 - PASS: secure boot OK on qemu.
 - PASS: secure boot OK on PowerEdge R430 lab.
 - PASS: secure boot NG on qemu/hardware when shim/grub-efi images
         are without the right signatures.

Story: 2009221
Task: 46400

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I672f0c0182bf894d10c508b83b959eec47971ceb
2022-09-29 23:46:49 -04:00

From f97a150fbf94be75381d90396ac7be5b2edf95d2 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Tue, 23 Aug 2022 14:51:09 +0800
Subject: [PATCH 2/2] efitools: append Microsoft KEK/DB to built-in certs
While the BIOS of a Dell PowerEdge host has the EFI secure feature enabled,
it uses the Microsoft KEK and DB to verify NICs and disks. If one removes
the existing Microsoft certs and uses LockDown.efi to insert self-defined
certs, the NICs and disks are missing. So append one Microsoft KEK and one
Microsoft DB to the built-in certs for LockDown.efi.
Reference:
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#multiple
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
[lz: Porting the patch from yocto to debian rules]
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/rules | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/rules b/debian/rules
index c20cd9a..78bca19 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,6 +8,13 @@ override_dh_auto_build:
cp uefi_sb_keys/* ./
mv tis-boot.crt DB.crt
dh_auto_build
+ cp -f DB.esl DB-orig.esl
+ cat DB-orig.esl ms-uefi.esl > DB.esl
+ cp -f KEK.esl KEK-orig.esl
+ cat KEK-orig.esl ms-kek.esl > KEK.esl
+ rm DB-orig.esl KEK-orig.esl
+ rm LockDown*efi LockDown.so LockDown.o
+ dh_auto_build
override_dh_auto_install:
dh_auto_install -- EFIDIR="debian/efitools/usr/lib/efitools/${DEB_TARGET_MULTIARCH}"
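Review bot: the added lines append ms-uefi.esl and ms-kek.esl to DB.esl and KEK.esl, but nothing in the hunk or in debian/rules records where those two signature lists come from or which Microsoft certificates they hold; since they become trust anchors compiled into LockDown.efi, add a comment next to these lines (or in the commit message) naming the source of each file and its SHA-256 so a reviewer can check them against Microsoft's published certificates before the image ships. The copy/cat/rm sequence can be reduced to `cat ms-uefi.esl >> DB.esl` and `cat ms-kek.esl >> KEK.esl`, which removes the -orig temporaries and the trailing `rm DB-orig.esl KEK-orig.esl`. Running the full `dh_auto_build` a second time only to relink LockDown.efi is costly; if the upstream Makefile exposes DB.esl and KEK.esl as targets, building just those first and then the full tree once would avoid the double build.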
--
2.17.1
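The `cat DB-orig.esl ms-uefi.esl > DB.esl` step in this patch works because an EFI signature list (EFI_SIGNATURE_LIST) is self-delimiting: each record carries its own size, so concatenating two .esl files yields one file with two lists. The following Python example, added here and not part of efitools or this patch, parses such a file and reports the owner GUID and SHA-256 of every certificate entry, which is the check a maintainer would run on the rebuilt DB.esl to confirm both the site cert and the Microsoft cert are present. The certificate bytes and owner GUID below are constructed placeholders, not real certificates.

```python
"""Parse an EFI signature list (.esl) and list every certificate entry."""
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType used for DER-encoded X.509 certificates
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")


def parse_esl(data: bytes) -> list:
    """Walk the self-delimiting EFI_SIGNATURE_LIST records in `data`.

    Returns one dict per signature entry: index of the list it came from,
    type GUID, owner GUID and SHA-256 of the signature data (the DER cert).
    """
    entries, off, idx = [], 0, 0
    while off < len(data):
        if off + HDR.size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + HDR.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            sig = body[i + 16:i + sig_size]  # skip the 16-byte SignatureOwner GUID
            entries.append({"list": idx, "type": uuid.UUID(bytes_le=sig_type),
                            "owner": uuid.UUID(bytes_le=body[i:i + 16]),
                            "sha256": hashlib.sha256(sig).hexdigest()})
        off += list_size
        idx += 1
    return entries


def make_esl(cert: bytes, owner: uuid.UUID) -> bytes:
    """Build a one-certificate X.509 signature list (constructed test data)."""
    sig_size = 16 + len(cert)
    hdr = HDR.pack(EFI_CERT_X509_GUID.bytes_le, HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert


# Constructed stand-ins for DB.esl (site cert) and ms-uefi.esl; real files hold
# DER certificates. Byte concatenation is exactly what the patch's `cat` does.
SITE_CERT, MS_CERT = b"site-cert-placeholder", b"ms-uefi-ca-placeholder"
OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")  # constructed owner
DB_ESL = make_esl(SITE_CERT, OWNER) + make_esl(MS_CERT, OWNER)
for e in parse_esl(DB_ESL):
    print(e["list"], e["type"], e["owner"], e["sha256"][:16])
```

Run it against the real DB.esl produced by the build (`parse_esl(open("DB.esl", "rb").read())`) and compare the reported SHA-256 values with the fingerprints of the certificates you intended to enrol.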