integ/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch

From e8566efa702a88c1efe15daaf52b3a00446f1d8c Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Thu, 6 May 2021 13:42:27 -0400
Subject: [PATCH] Support pxeboot secure boot

In order to support secure boot with pxeboot, we need to package the
shim.efi file in /pxeboot/EFI, accessible to tftp for the UEFI
install. As well, please note that while /boot/efi/EFI/centos/shim.efi
and other files provided by the shim-x64 package are only accessible
to root, the file under /pxeboot must have broader permissions so that
the dnsmasq-tftp daemon is able to serve it to the requesting host.
Therefore, its file permissions are set to be readable to all.

Signed-off-by: Don Penney <don.penney@windriver.com>
---
 SPECS/shim-signed.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 20cdc80..978818a 100755
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -227,6 +227,9 @@ install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.C
 
 install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
 install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+
+# pxeboot support
+install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi
 %endif
 
 cd mokutil-%{mokutil_version}
@@ -243,6 +246,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
 /boot/efi/EFI/BOOT/fallback.efi
 /boot/efi/EFI/%{efidir}/shim.efi
+%attr(755,root,root) /pxeboot/EFI/shim.efi
 
 %ifarch x86_64
 /boot/efi/EFI/%{efidir}/BOOT.CSV
-- 
2.29.2