From ecd435f6e94d707dc4bc731387ef7a6d461382c9 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Fri, 19 Aug 2022 22:14:25 +0800
Subject: [PATCH] Debian: tools: install efitools
Install the efitools package into the ISO and configure LAT to use
the LockDown.efi from it, replacing the one from the target sysroots
in the LAT SDK.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46400
Signed-off-by: Li Zhou
Change-Id: I1d06a019086aa88371fc3892e7eff112fa1c7f2b
---
debian-mirror-tools/config/debian/common/base-bullseye.lst | 1 +
debian-mirror-tools/config/debian/common/base-bullseye.yaml | 2 +-
debian-mirror-tools/config/debian/distro/stx-std.lst | 4 ++++
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/debian-mirror-tools/config/debian/common/base-bullseye.lst b/debian-mirror-tools/config/debian/common/base-bullseye.lst
index 5e7b14382..e90042583 100644
--- a/debian-mirror-tools/config/debian/common/base-bullseye.lst
+++ b/debian-mirror-tools/config/debian/common/base-bullseye.lst
@@ -968,6 +968,7 @@ ruby-test-unit 3.3.9-1
ruby-xmlrpc 0.3.0-2
runit-helper 2.10.3
samba-libs 2:4.13.13+dfsg-1~deb11u3
+sbsigntool 0.9.2-2
sed 4.7-1
sensible-utils 0.0.14
sg3-utils 1.45-1
diff --git a/debian-mirror-tools/config/debian/common/base-bullseye.yaml b/debian-mirror-tools/config/debian/common/base-bullseye.yaml
index 6b1e75340..52dedb6e4 100644
--- a/debian-mirror-tools/config/debian/common/base-bullseye.yaml
+++ b/debian-mirror-tools/config/debian/common/base-bullseye.yaml
@@ -27,7 +27,7 @@ gpg:
BOOT_SINGED_SHIM: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64.efi
BOOT_SINGED_SHIMTOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/mmx64.efi
BOOT_SINGED_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grubx64.efi
- BOOT_EFITOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/LockDown.efi
+ BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
BOOT_GRUB_CFG: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grub.cfg
BOOT_NOSIG_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi
EFI_SECURE_BOOT: enable
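Review bot: The new `BOOT_EFITOOL` value hard-codes the `x86_64-linux-gnu` multiarch directory and takes the binary from `$IMAGE_ROOTFS`, so which LockDown.efi enters the boot chain now depends on whichever efitools package was installed into the image, and nothing here records that. As far as I know, efitools builds LockDown.efi with the PK/KEK/db enrollment data embedded at package build time, so a stock or rebuilt package would presumably carry different keys from the ones the signed shim and grub images expect. That should be confirmed against the ported efitools package, which is not part of this diff. I would add a comment above the line, e.g. `# LockDown.efi comes from the efitools package built for this distro; it must embed the same keys used to sign shim/grub`, and make sure the consuming LAT script stops with an error when the file is missing. The `gpg:` block starts above the hunk.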
diff --git a/debian-mirror-tools/config/debian/distro/stx-std.lst b/debian-mirror-tools/config/debian/distro/stx-std.lst
index 8563deb99..f6266e4c8 100644
--- a/debian-mirror-tools/config/debian/distro/stx-std.lst
+++ b/debian-mirror-tools/config/debian/distro/stx-std.lst
@@ -183,6 +183,10 @@ docker-registry
#drbd-tools
drbd-utils
+#efitools
+#efitools-dbgsym # not used
+efitools
+
#enable-dev-patch (not used in deployment)
enable-dev-patch
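Review bot: The added `efitools` entry puts the whole package on the installed image, yet the only consumer visible in this patch is the build-time `BOOT_EFITOOL` path under `$IMAGE_ROOTFS`, and the list gives no reason for the entry. Following the style of the neighbouring `#enable-dev-patch (not used in deployment)` line, the header could read `#efitools (provides LockDown.efi read by LAT via BOOT_EFITOOL)`. The package also ships the Secure Boot key and variable utilities, so if those are not needed at runtime it is worth checking whether LockDown.efi can be staged for LAT without installing them on the target.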