This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use shim version: 15+1533136590.3beb971.
Although there was a debian package for shim here, it wasn't
effective because LAT didn't use it (the shim version in use is
12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper
version for this porting.
I choose this version because it should be matched with the grub image.
shim 15.3 introduced and now mandates SBAT.
This means that shim 15.3+ will not launch any EFI binaries
without a .sbat section.
Use tis-shim.der (another format for tis-shim.crt) to verify grub
image's signature.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46401
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
0535f5b0ae