integ/security/efitools/debian/bullseye/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
Robert Church e49374824f Move packages into compliant distro/codename hierarchy
These are a few tests of using the new distro/codename packaging hierarchy.

Changes include:
- Move base/base-passwd/debian to base/base-passwd/debian/bullseye as
  this patched package is specific to bullseye. Also add
  'revision.stx_patch: 9' to meta_data.yaml so that the .stx package
  version remains consistent.
- Move base/systemd-presets/debian to base/systemd-presets/debian/all as
  this package should be the same for all flavors of debian.
- Move security/efitools/debian to security/efitools/debian/bullseye as
  this patched package is specific to bullseye. This also tests a
  package with src_files in the meta_data.yaml and requires an update
  once the package is relocated.

Test Plan:
 - PASS: stx-init-env --rebuild, downloader, build-pkgs -a, build-image

Prototype: Concurrent Builds in master

Change-Id: Id64f3619f2d52fb4ab4d1a9238ffe80808807d13
Depends-On: https://review.opendev.org/c/starlingx/root/+/946812
Story: NNNNNNN
Task: NNNNN
Signed-off-by: Robert Church <robert.church@windriver.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
2025-07-09 14:57:56 -04:00

42 lines
1.4 KiB
Diff

From f97a150fbf94be75381d90396ac7be5b2edf95d2 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Tue, 23 Aug 2022 14:51:09 +0800
Subject: [PATCH 2/2] efitools: append Microsoft KEK/DB to built-in certs
While BIOS of Dell PowerEdge host enables EFI secure feature,
it uses Microsoft KEK and DB to verify NICs and disks. If one removes
the existing Microsoft certs and uses LockDown.efi to insert self
defined certs, the NICs and disks are missing. So append one Microsoft
KEK and one Microsoft DB to built-in certs for LockDown.efi.
Reference:
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#multiple
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
[lz: Porting the patch from yocto to debian rules]
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/rules | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/rules b/debian/rules
index c20cd9a..78bca19 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,6 +8,13 @@ override_dh_auto_build:
cp uefi_sb_keys/* ./
mv tis-boot.crt DB.crt
dh_auto_build
+ cp -f DB.esl DB-orig.esl
+ cat DB-orig.esl ms-uefi.esl > DB.esl
+ cp -f KEK.esl KEK-orig.esl
+ cat KEK-orig.esl ms-kek.esl > KEK.esl
+ rm DB-orig.esl KEK-orig.esl
+ rm LockDown*efi LockDown.so LockDown.o
+ dh_auto_build
override_dh_auto_install:
dh_auto_install -- EFIDIR="debian/efitools/usr/lib/efitools/${DEB_TARGET_MULTIARCH}"
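Review bot: ms-uefi.esl and ms-kek.esl are concatenated into DB.esl and KEK.esl (the two `cat` lines) with no check of their contents, and the result is rebuilt into LockDown.efi as built-in certs. Suggest verifying each file against a checksum pinned in the packaging before the `cat`, so that a changed or unexpected signature list fails the build instead of silently widening the trusted set. Separately, `rm LockDown*efi LockDown.so LockDown.o` has no `-f`, so the build aborts if any of those names is not produced by the first `dh_auto_build`; `rm -f` plus a short comment explaining why `dh_auto_build` runs a second time would make the rule more robust and easier to maintain.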
--
2.17.1