0535f5b0ae
This is done for moving packages that are related to secure boot out of LAT and into integ.

Use shim version: 15+1533136590.3beb971.
Although there was a debian package for shim here, it wasn't effective because LAT didn't use it (the shim version in use is 12+gitAUTOINC+5202f80c32). So I abandon it and choose a proper version for this porting. I choose this version because it should be matched with the grub image.

shim 15.3 introduced and now mandates SBAT. This means that shim 15.3+ will not launch any EFI binaries without a .sbat section.

Use tis-shim.der (another format for tis-shim.crt) to verify grub image's signature.

Test Plan:
The tests are done with all the changes for this porting, which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images are without the right signatures.

Story: 2009221
Task: 46401

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2449ac9bbad7635b095a66309f77765a8a01cd1b
27 lines
689 B
Diff
From 7bf206a8899a5df0bbc361a39eb5b38a6f0b0882 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Thu, 25 Aug 2022 18:10:28 +0800
Subject: [PATCH] shim: replace the debian cert file with ours
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index 58620be..0434c4d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
- cert=debian/debian-uefi-ca.der
+ cert=tis-shim.der
distributor=debian
endif
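Review bot: `cert=tis-shim.der` in the `else` branch is a bare relative path, unlike the removed `debian/debian-uefi-ca.der`, and nothing in this patch adds the file or checks that it exists, so the build depends on something outside the patch placing it in the source root. Consider keeping the certificate under `debian/`, or making `debian/rules` fail early with a clear error when `$(cert)` is missing. The change also only touches the non-Ubuntu branch of the `dpkg-vendor --is ubuntu` test; if the package is ever built where that test succeeds, the certificate from the other branch (not shown in this hunk) would be used instead, so a comment in the rules file or the patch description stating that assumption would help.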
--
2.17.1
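
The commit message notes that shim 15.3+ will not launch an EFI binary that lacks a `.sbat` section, which can be checked on a GRUB image before it is signed or deployed. The following is an added example, not part of this commit or the project's code: a small PE section-table parser that reports whether `.sbat` is present and returns its CSV rows. The function names, `build_sample` and `SAMPLE_SBAT` are constructed for illustration.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE/COFF (EFI) image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header fields used: NumberOfSections, SizeOfOptionalHeader
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size                       # section table start
    out = {}
    for i in range(nsect):                               # 40-byte entries
        name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        size = min(vsize, rsize) if vsize else rsize
        out[name.rstrip(b"\0").decode("ascii", "replace")] = image[rptr:rptr + size]
    return out

def sbat_entries(image: bytes):
    """Parsed .sbat CSV rows, or None when the image has no .sbat section."""
    data = pe_sections(image).get(".sbat")
    if data is None:
        return None
    text = data.rstrip(b"\0").decode("utf-8", "replace")
    return [row.split(",") for row in text.splitlines() if row.strip()]

def build_sample(with_sbat: bool) -> bytes:
    """Constructed, non-bootable PE skeleton used only to exercise the parser."""
    payloads = [(b".text", b"\x90" * 16)]
    if with_sbat:
        payloads.append((b".sbat", SAMPLE_SBAT))
    image = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, 0, 0)
    offset, table, body = len(image) + 40 * len(payloads), b"", b""
    for name, data in payloads:
        table += struct.pack("<8sIIII16x", name, len(data), 0, len(data), offset)
        body += data
        offset += len(data)
    return image + table + body

# Constructed sample metadata; the vendor row is a placeholder.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"grub,1,Example Vendor,grub2,0.0-placeholder,https://example.invalid/\n")

if __name__ == "__main__":
    for flag in (True, False):
        rows = sbat_entries(build_sample(flag))
        print("no .sbat: shim 15.3+ would refuse it" if rows is None else rows)
```

To check a real image, pass the file's bytes to `sbat_entries`; a `None` result means the binary needs SBAT metadata added before it can be chained from shim 15.3 or later.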