Debian: tools: install efitools

Install efitools' package into iso and configure LAT to use
the LockDown.efi in it to replace the one from target sysroots
in lat sdk.

Test Plan:
 The tests are done with all the changes for this porting,
 which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
 they are in a chain for secure boot verification.
 - PASS: secure boot OK on qemu.
 - PASS: secure boot OK on PowerEdge R430 lab.
 - PASS: secure boot NG on qemu/hardware when shim/grub-efi images
         are without the right signatures.

Story: 2009221
Task: 46400

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I1d06a019086aa88371fc3892e7eff112fa1c7f2b

debian-mirror-tools/config/debian/common/base-bullseye.lst

@@ -968,6 +968,7 @@ ruby-test-unit  3.3.9-1
 ruby-xmlrpc  0.3.0-2
 runit-helper  2.10.3
 samba-libs  2:4.13.13+dfsg-1~deb11u3
+sbsigntool 0.9.2-2
 sed  4.7-1
 sensible-utils  0.0.14
 sg3-utils  1.45-1

debian-mirror-tools/config/debian/common/base-bullseye.yaml

@@ -27,7 +27,7 @@ gpg:
     BOOT_SINGED_SHIM: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64.efi
     BOOT_SINGED_SHIMTOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/mmx64.efi
     BOOT_SINGED_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grubx64.efi
-    BOOT_EFITOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/LockDown.efi
+    BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
     BOOT_GRUB_CFG: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grub.cfg
     BOOT_NOSIG_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi
     EFI_SECURE_BOOT: enable

debian-mirror-tools/config/debian/distro/stx-std.lst

@@ -183,6 +183,10 @@ docker-registry
 #drbd-tools
 drbd-utils
 
+#efitools
+#efitools-dbgsym  # not used
+efitools
+
 #enable-dev-patch (not used in deployment)
 enable-dev-patch