From f01ba705b5cb074d4836f68ee7366678cad33a04 Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Sat, 2 Apr 2022 14:25:30 +0800 Subject: [PATCH] debian: enable EFI secure boot feature as default Whether BIOS enables EFI secure boot or not, this LAT image could work: On target: 1. While BIOS enables EFI secure boot 1.1 Insert certs to BIOS - Enter BIOS, remove existed certs of EFI secure boot - Boot from ISO or PXE, insert LAT debian certs for EFI secure boot and reboot, all done automatically [log] Booting `Automatic Certificate Provision' /EndEntire file path: /ACPI(a0341d0,0)/PCI(1,1)/ATAPI(1,0,0)/File(\EFI\BOOT) /File(LockDown.efi)/EndEntire Platform is in Setup Mode Created KEK Cert Created db Cert Created dbx Cert Created PK Cert Platform is in User Mode Platform is set to boot securely Prepare to execute system warm reset after 3 seconds ... [log] 1.2 Enable EFI secure boot on BIOS - Enter BIOS again, enable EFI secure boot, save configuration and reboot - Boot from ISO/PXE to do LAT debian installation 2. While BIOS disables EFI secure boot - Enter BIOS, disable EFI secure boot, save configuration and reboot - Boot from ISO/PXE to do LAT debian installation PS: while editing grub configuration (press e) at booting time, grub prompts to enter username and password (root, root) Story: 2008846 Task: 44920 PASS: Build image with EFI secure boot feature enabled PASS: BIOS enable secure boot to do LAT debian installation PASS: BIOS disable secure boot to do LAT debian installation Signed-off-by: Hongxu Jia Change-Id: Iebbe7124bb8feb1f6d23ad9f973ba8e108955db7 --- debian-mirror-tools/config/debian/common/base-bullseye.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian-mirror-tools/config/debian/common/base-bullseye.yaml b/debian-mirror-tools/config/debian/common/base-bullseye.yaml index 8903ee4dd..5ecf15086 100644 --- a/debian-mirror-tools/config/debian/common/base-bullseye.yaml 
+++ b/debian-mirror-tools/config/debian/common/base-bullseye.yaml @@ -32,7 +32,7 @@ gpg: BOOT_EFITOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/LockDown.efi BOOT_GRUB_CFG: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grub.cfg BOOT_NOSIG_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi - EFI_SECURE_BOOT: disable + EFI_SECURE_BOOT: enable packages: [] external-packages: [] include-default-packages: '0'
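Review bot: With `EFI_SECURE_BOOT: enable` now the default under `gpg:` in base-bullseye.yaml, the GRUB edit credentials the commit message gives as (root, root) become the default for every image built from this file, and nothing in the YAML or the message says how a builder replaces them. Please add a comment next to the key, or a pointer to documentation, covering how to override the GRUB username and password and which keys LockDown.efi enrolls as PK, KEK, db and dbx, so that a deployment does not ship with the defaults unchanged. The three PASS entries cover building and installing with secure boot on and off; a negative test, showing that with secure boot enabled the platform refuses an unsigned loader such as the bootx64-nosig.efi referenced by `BOOT_NOSIG_GRUB`, would confirm that the new default actually enforces verification.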