From d67c39545674832431804d63575c21fb8d6e69e4 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 4 Oct 2024 17:39:14 +0100 Subject: [PATCH 1/6] ci-automation: Include --qemu-ovmf-vars in qemu_update test for arm64 Kola's logic for choosing BIOS vs EFI isn't too smart, and not specifying --qemu-ovmf-vars leads to it passing -bios to QEMU. This doesn't make sense for arm64, but it did work anyway with the old firmware in raw format. The new firmware in QCOW2 format doesn't work this way. Signed-off-by: James Le Cuirot --- ci-automation/vendor-testing/qemu_update.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ci-automation/vendor-testing/qemu_update.sh b/ci-automation/vendor-testing/qemu_update.sh index d05ee2a9e2..68d7d565c9 100755 --- a/ci-automation/vendor-testing/qemu_update.sh +++ b/ci-automation/vendor-testing/qemu_update.sh @@ -71,12 +71,19 @@ fi bios="${QEMU_FIRMWARE}" if [ "${CIA_ARCH}" = "arm64" ]; then bios="${QEMU_UEFI_FIRMWARE}" + ovmf_vars="${QEMU_UEFI_OVMF_VARS}" if [ -f "${bios}" ] ; then echo "++++ qemu_update.sh: Using existing ./${bios} ++++" else echo "++++ qemu_update.sh: downloading ${bios} for ${CIA_VERNUM} (${CIA_ARCH}) ++++" copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${bios}" . fi + if [ -f "${ovmf_vars}" ] ; then + echo "++++ ${CIA_TESTSCRIPT}: Using existing ${ovmf_vars} ++++" + else + echo "++++ ${CIA_TESTSCRIPT}: downloading ${ovmf_vars} for ${CIA_VERNUM} (${CIA_ARCH}) ++++" + copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${ovmf_vars}" . + fi fi query_kola_tests() { @@ -118,6 +125,7 @@ run_kola_tests() { --qemu-image="${image}" \ --tapfile="${instance_tapfile}" \ --update-payload="${QEMU_UPDATE_PAYLOAD}" \ + "${ovmf_vars:+--qemu-ovmf-vars=${ovmf_vars}}" \ ${QEMU_KOLA_SKIP_MANGLE:+--qemu-skip-mangle} \ "${tests[@]}" } From d1ba9b19fba58172e293459e69453bcaa39a90a7 Mon Sep 17 00:00:00 2001 
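Review bot: The two new echo lines in the arm64 block use `${CIA_TESTSCRIPT}:` as their prefix while the `bios` block directly above them hard-codes `qemu_update.sh:`, so one arm64 run logs the same script under two different names; pick one form for both blocks. Unlike the code image, the OVMF vars file is the writable EFI variable store, so reusing an existing `./${ovmf_vars}` across runs can carry state written by an earlier test into the next one if kola works on the file in place rather than on a copy, which this diff does not show. If a copy is made, a comment such as `# NOTE: the vars image is writable; kola is expected to work on a copy` above the new `if [ -f "${ovmf_vars}" ]` check would make that explicit.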
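Review bot: In run_kola_tests the added argument `"${ovmf_vars:+--qemu-ovmf-vars=${ovmf_vars}}" \` is double-quoted as a whole, so when `ovmf_vars` is empty (every non-arm64 run, since it is only assigned inside the arm64 branch) the expansion still yields one empty-string argument to kola instead of disappearing the way the unquoted `${QEMU_KOLA_SKIP_MANGLE:+--qemu-skip-mangle}` on the next line does. Move the quotes inside the alternate word so the argument vanishes when unset but a path containing spaces stays one word: `${ovmf_vars:+"--qemu-ovmf-vars=${ovmf_vars}"} \`. The `:+` form does not trip `set -u`, so no `${ovmf_vars:-}` default is needed for that. run_kola_tests starts before the hunk.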
From: James Le Cuirot Date: Wed, 2 Oct 2024 11:15:57 +0100 Subject: [PATCH 2/6] Switch from raw (.fd) EDK2 firmware images to QCOW2, plus 4MB on amd64 The new arm64 firmware supporting Secure Boot (see next commit) is in QCOW2 format only, avoiding the extra space taken up by the 64MB padding. Supporting both raw and QCOW2 images would be messy, so switch entirely to QCOW2. Only the 4MB images are in QCOW2 format on amd64, so also switch away from the 2MB images. 4MB images are now the default for most distributions as they are needed to apply certain Windows updates. Signed-off-by: James Le Cuirot --- .github/workflows/ci.yaml | 4 ++-- .github/workflows/run-kola-tests.yaml | 6 +++--- build_library/qemu_template.sh | 4 ++-- build_library/vm_image_util.sh | 20 +++++++++---------- changelog/changes/2024-11-08-uefi-firmware.md | 1 + ci-automation/ci-config.env | 8 ++++---- jenkins/kola/qemu_common.sh | 2 +- run_local_tests.sh | 4 ++-- 8 files changed, 24 insertions(+), 25 deletions(-) create mode 100644 changelog/changes/2024-11-08-uefi-firmware.md diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0e506f97a9..1997901f6b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -278,7 +278,7 @@ jobs: scripts/artifacts/images/flatcar_production_image*.txt scripts/artifacts/images/flatcar_production_image*.json scripts/artifacts/images/flatcar_production_image_pcr_policy.zip - scripts/artifacts/images/flatcar_production_*_efi_*.fd + scripts/artifacts/images/flatcar_production_*_efi_*.qcow2 scripts/artifacts/images/flatcar_production_qemu.sh - name: Upload developer container @@ -317,7 +317,7 @@ jobs: path: | scripts/artifacts/images/*.img scripts/artifacts/images/*.bin - scripts/artifacts/images/flatcar_production_*_efi_*.fd + scripts/artifacts/images/flatcar_production_*_efi_*.qcow2 scripts/artifacts/images/*.txt scripts/artifacts/images/flatcar-*.raw scripts/artifacts/images/flatcar_production_*.sh 
diff --git a/.github/workflows/run-kola-tests.yaml b/.github/workflows/run-kola-tests.yaml index 7e3ea8b039..a5e7ebf548 100644 --- a/.github/workflows/run-kola-tests.yaml +++ b/.github/workflows/run-kola-tests.yaml @@ -162,7 +162,7 @@ jobs: # Extract the generic image we'll use for qemu tests. # Note that the qemu[_uefi] tests use the generic image instead of the # qemu vendor VM image ("Astronaut: [...] Always have been."). - mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.fd flatcar_production_qemu_uefi_efi_vars.fd scripts/ + mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.qcow2 flatcar_production_qemu_uefi_efi_vars.qcow2 scripts/ mv flatcar_test_update.gz scripts/ @@ -197,8 +197,8 @@ jobs: cat > sdk_container/.env < sdk_container/.env < Date: Wed, 2 Oct 2024 11:40:17 +0100 Subject: [PATCH 3/6] sys-firmware/edk2-aarch64: Drop in favour of edk2-bin edk2-bin now supports multiple platforms, including QEMU on arm64, so we no longer need to use Fedora's build. Note that the Secure Boot implementation is currently insecure as it lacks SMM, which is needed to protect the EFI variable store. Signed-off-by: James Le Cuirot --- build_library/vm_image_util.sh | 20 +++++++++++----- changelog/changes/2024-11-08-uefi-firmware.md | 1 + .../profiles/coreos/base/make.defaults | 3 +-- .../sys-firmware/edk2-aarch64/Manifest | 1 - .../edk2-aarch64/edk2-aarch64-20220221.ebuild | 23 ------------------- 5 files changed, 16 insertions(+), 32 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 568b1c6cb0..28e88099ed 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh 
@@ -837,11 +837,8 @@ _write_qemu_uefi_conf() { cp "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2" "$(_dst_dir)/${flash_rw}" ;; arm64-usr) - # Get edk2 files into local build workspace. - info "Updating edk2 in /build/${BOARD}" - emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64 - cp "${BOARD_ROOT}/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2" "$(_dst_dir)/${flash_ro}" - cp "${BOARD_ROOT}/usr/share/edk2/aarch64/vars-template-pflash.qcow2" "$(_dst_dir)/${flash_rw}" + cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.qcow2" "$(_dst_dir)/${flash_ro}" + cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2" "$(_dst_dir)/${flash_rw}" ;; esac @@ -870,7 +867,18 @@ _write_qemu_uefi_secure_conf() { local owner="00000000-0000-0000-0000-000000000000" _write_qemu_uefi_conf - cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}" + + case $BOARD in + amd64-usr) + cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}" + ;; + arm64-usr) + # This firmware is not considered secure due to the lack of an SMM + # implementation, which is needed to protect the variable store, but + # it's only supposed to be used for testing anyway. + cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}" + ;; + esac virt-fw-vars \ --inplace "$(_dst_dir)/${flash_rw}" \ diff --git a/changelog/changes/2024-11-08-uefi-firmware.md b/changelog/changes/2024-11-08-uefi-firmware.md index 31c8b408bd..83a518bad2 100644 --- a/changelog/changes/2024-11-08-uefi-firmware.md +++ b/changelog/changes/2024-11-08-uefi-firmware.md 
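Review bot: The new `case $BOARD in` in _write_qemu_uefi_secure_conf has no `*)` arm, so for any board other than amd64-usr or arm64-usr the function silently keeps the non-Secure-Boot code image that _write_qemu_uefi_conf has just copied into `${flash_ro}` while the trailing sed still sets `SECURE_BOOT=1` in the script, mislabelling the resulting VM config as Secure Boot enabled. Add a failing default arm, e.g. `*) die "unsupported board for Secure Boot: ${BOARD}" ;;` (or whatever error helper this file uses), and quote the selector as `case "${BOARD}" in` for consistency with the other expansions in the function. The same missing default matters again in the later patch that assigns `flash_in` inside this case, where an unmatched board leaves it empty and `virt-fw-vars --input ""` fails with an unhelpful error. The function starts before and ends after the hunk.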
@@ -1 +1,2 @@ - The UEFI firmware has changed from raw (.fd) format to QCOW2 format. In addition, the amd64 firmware variables are now held in a 4MB image rather than a 2MB image. Note that this firmware is only intended for testing with QEMU. Do not use it in production. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434)) +- The arm64 UEFI firmware now supports Secure Boot. Be aware that this is not considered secure due to the lack of an SMM implementation, which is needed to protect the variable store. As above, this firmware should not be used in production anyway. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434)) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults index 8cbfe510c7..d339b275f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults @@ -56,10 +56,9 @@ USE="${USE} bindist" # no-source-code - license for sys-kernel/coreos-firmware # linux-fw-redistributable - license for sys-kernel/coreos-firmware # freedist - license for sys-kernel/coreos-kernel -# BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64 # intel-ucode - license for sys-firmware/intel-microcode ACCEPT_LICENSE="${ACCEPT_LICENSE} no-source-code - linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode" + linux-fw-redistributable freedist intel-ucode" # Favor our own mirrors over Gentoo's GENTOO_MIRRORS=" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest deleted file mode 100644 index 22b3138c39..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest +++ /dev/null 
@@ -1 +0,0 @@ -DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild deleted file mode 100644 index d1fead7ff0..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright (c) 2024 The Flatcar Maintainers. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit rpm - -DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware" -HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/" -SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm" - -LICENSE="BSD-2-Clause-Patent openssl" -SLOT="0" -KEYWORDS="amd64 arm64" - -S="${WORKDIR}" - -src_install() { - # Avoid collision with qemu installed config file - mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json - insinto / - doins -r * -} From c0b58cf56b06e5762d9ebbc7ca99b048a6f8fad9 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Wed, 2 Oct 2024 17:59:29 +0100 Subject: [PATCH 4/6] Reuse Secure Boot EFI variables image prepared by Gentoo Rather than starting with a blank image, reuse the image that already has the Microsoft certificates and the latest DBX revocation list applied. Gentoo also applies the Red Hat certificates, which we don't need, but this is okay. Signed-off-by: James Le Cuirot --- build_library/vm_image_util.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 28e88099ed..1791108d0b 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -865,27 +865,30 @@ _write_qemu_uefi_secure_conf() { local flash_ro="$(_dst_name "_efi_code.qcow2")" local script="$(_dst_dir)/$(_dst_name ".sh")" local owner="00000000-0000-0000-0000-000000000000" + local flash_in _write_qemu_uefi_conf case $BOARD in amd64-usr) cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}" + flash_in="/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2" ;; arm64-usr) # This firmware is not considered secure due to the lack of an SMM # implementation, which is needed to protect the variable store, but # it's only supposed to be used for testing anyway. cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}" + flash_in="/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2" ;; esac virt-fw-vars \ - --inplace "$(_dst_dir)/${flash_rw}" \ + --input "${flash_in}" \ + --output "$(_dst_dir)/${flash_rw}" \ --set-pk "${owner}" /usr/share/sb_keys/PK.crt \ --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \ - --add-db "${owner}" /usr/share/sb_keys/DB.crt \ - --secure-boot --no-microsoft + --add-db "${owner}" /usr/share/sb_keys/DB.crt sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}" } From 5125317506818637b6adaad73461e859c78e9814 Mon Sep 17 00:00:00 2001 
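Review bot: After this hunk the variable store written to `${flash_rw}` is derived from the distro-shipped `*VARS*.secboot*.qcow2` templates, so its PK/KEK/db/dbx contents are whatever those templates carry plus DB.crt, and the explicit `--secure-boot` enable flag is gone; a reader of vm_image_util.sh cannot see either fact from the code, so it should be stated in a comment above the `virt-fw-vars` call, e.g. `# Start from the distro-prepared Secure Boot vars template (vendor certificates and DBX already applied) and add our test DB cert.`. Whether those templates already have Secure Boot enabled cannot be confirmed from this diff; if they do not, dropping `--secure-boot` turns the "secure" config into one that boots unsigned binaries, so a boot test with an unsigned image is worth keeping in the pipeline. The `cp` of `OVMF_VARS_4M.qcow2` into `${flash_rw}` performed by _write_qemu_uefi_conf is now immediately overwritten by `--output`, which is harmless but could be noted next to the call. The function starts before the hunk.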
From: James Le Cuirot Date: Thu, 24 Oct 2024 18:14:55 +0100 Subject: [PATCH 5/6] coreos-base/coreos-sb-keys: Drop unnecessary PK and KEK certificates These are only needed when you are going to ship DB updates to existing systems, which we are not going to do. Our EFI variables are only for testing. End users are expected to use EFI variables provided by their hosts or hardware vendors. We presumably provided these before because some PK and KEK does need to be provided, but we can now use the Microsoft and Red Hat ones provided via Gentoo's edk2 package. Signed-off-by: James Le Cuirot --- build_library/vm_image_util.sh | 2 -- .../coreos-base/coreos-sb-keys/README.md | 2 -- ...0.3.ebuild => coreos-sb-keys-1.0.0.ebuild} | 4 --- .../coreos-base/coreos-sb-keys/files/KEK.crt | 19 ------------- .../coreos-base/coreos-sb-keys/files/KEK.key | 28 ------------------- .../coreos-base/coreos-sb-keys/files/PK.crt | 19 ------------- .../coreos-base/coreos-sb-keys/files/PK.key | 28 ------------------- 7 files changed, 102 deletions(-) rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/{coreos-sb-keys-0.0.3.ebuild => coreos-sb-keys-1.0.0.ebuild} (78%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 1791108d0b..dde1f533f4 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh 
@@ -886,8 +886,6 @@ _write_qemu_uefi_secure_conf() { virt-fw-vars \ --input "${flash_in}" \ --output "$(_dst_dir)/${flash_rw}" \ - --set-pk "${owner}" /usr/share/sb_keys/PK.crt \ - --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \ --add-db "${owner}" /usr/share/sb_keys/DB.crt sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}" diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md index 0231aa542e..f50820c945 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md @@ -1,7 +1,5 @@ ## Keys & Certificates -- PK (Platform Key): The Platform Key is the key to the platform. -- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database. - DB (Signature Database): The signature database is used to validate signed EFI binaries. - Shim Certificates: Our set of certificates diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild index 9562a134a1..5080f9ec8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild 
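Review bot: With `--set-pk` and `--add-kek` removed, the PK and KEK of the test variable store are now entirely those baked into `${flash_in}` by the template, and only the `--add-db "${owner}" /usr/share/sb_keys/DB.crt` entry is ours; nothing in _write_qemu_uefi_secure_conf says so, and `owner` is now used for a single option, so a short comment above the call would help the next reader, e.g. `# PK/KEK come from the vendor-prepared template; we only enrol our test DB certificate.`. Since the matching KEK private key no longer exists in the tree, nobody can produce signed db/dbx updates for this store, which matches the commit's stated intent but is worth saying in the same comment so that mokutil-style enrolment is not expected to work against it. The function starts before and ends after the hunk.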
@@ -16,10 +16,6 @@ S="${WORKDIR}" src_install() { insinto /usr/share/sb_keys - newins "${FILESDIR}/PK.key" PK.key - newins "${FILESDIR}/PK.crt" PK.crt - newins "${FILESDIR}/KEK.key" KEK.key - newins "${FILESDIR}/KEK.crt" KEK.crt newins "${FILESDIR}/DB.key" DB.key newins "${FILESDIR}/DB.crt" DB.crt diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt deleted file mode 100644 index 54646e2aae..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBzCCAe+gAwIBAgIJAN/ga2oSNhyiMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV -BAMMD0NvcmVPUyB0ZXN0IEtFSzAeFw0xNTA0MTMxODMzMzRaFw0xNTA1MTMxODMz -MzRaMBoxGDAWBgNVBAMMD0NvcmVPUyB0ZXN0IEtFSzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAL/DE8ss0bgdKgLmyQ6CQsAUpeWwLlxMNca+LROR5+UH -VAa/Xph30xdfmpydWxUO0Ga1ZnyTfZp+UfOWya9kYkzzmmuKAzC0HLzolSWxQ3sL -EDsXEbpfl7KsjDvPuXdVoJukdN8EppqP6DLGjHbY5lk5AfXj7xCP3wHlLzMsPoxu -hkfDfZSB0qJ5r+L6egz50Vufvxn1oiolMWh7zorkQaM5i4cP6BEQtan7WNhKDJAZ -3fbApmcJyOP7TvWLHcAyuI2FM13J89bc7vrclb2PrtAoijNyDnNImLb187/gC8Ab -kHVFIm8KyZ8ZByNoU5hy4bA1U/EEZ+slyIqqKcnWbukCAwEAAaNQME4wHQYDVR0O -BBYEFC1uWlFmCG6L18813V9Xy12dQ/MJMB8GA1UdIwQYMBaAFC1uWlFmCG6L1881 -3V9Xy12dQ/MJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEOKN7AS -2szIJ4ejcxRJhih5rBFwVkim80rwBX8Ga3sStAAKEpdZC7fjrxXm8UWYbEa8Qisz -+O74T7QqXaCRoxh3ij4fgg4clULOfjGGWWEghl4rtpUIsarCk3HWtEzqLWbAQOA0 -co3B08KbwYhOYfx1MkRE1K6kFKojJ1tod/w9jxY1/w/qmJKFP/vM6//H9dhVPr14 -4ySqz/NYhb0FZRVGJkeLbXWy4sLZy2Of+ojCRjjAgmY9RAT6ZxovgyXqVBDWfboX -4Yp9bAboktfNtX6+9wMIW5bTuZ5yZjK+I+MnHSqbRVh/6T/kh5j5+jdPXnKgZGXy -PWAnhbRJTjUAVTY= ------END CERTIFICATE----- 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key deleted file mode 100644 index 0536b49f82..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC/wxPLLNG4HSoC -5skOgkLAFKXlsC5cTDXGvi0TkeflB1QGv16Yd9MXX5qcnVsVDtBmtWZ8k32aflHz -lsmvZGJM85prigMwtBy86JUlsUN7CxA7FxG6X5eyrIw7z7l3VaCbpHTfBKaaj+gy -xox22OZZOQH14+8Qj98B5S8zLD6MboZHw32UgdKiea/i+noM+dFbn78Z9aIqJTFo -e86K5EGjOYuHD+gRELWp+1jYSgyQGd32wKZnCcjj+071ix3AMriNhTNdyfPW3O76 -3JW9j67QKIozcg5zSJi29fO/4AvAG5B1RSJvCsmfGQcjaFOYcuGwNVPxBGfrJciK -qinJ1m7pAgMBAAECggEAL5jxMc4nJAcBJYU5RIOqo9i8MN3hNAGqm3Ea6S+fGqcO -ATrA9SFQ4Q1W6Cbas8hgjA3cqXFGjPFr0AWOfB1zlNwmaSjxj8Y1F+K3Gor8T+84 -ESKxwMv3cF8J09LEm01Ctz9DzxNtcxHjNa84sEs4Kc9PoEP6U+cSGHtVkuMZh2t9 -hNad8DfdM2oZi5IPcVcBXr/+QmyjereKlTij5BPSdeKw2JKprv0NWgzuZkDlhtAF -aSNLkODk3NT9+zMSqvuSkNkWuvcl8kFG32strHzsEKneugEbLQPLwEA2hRz6gDo2 -alPUo9shg4o54r47pascVJjbiFPevIvF0GTgmv/VAQKBgQDodWPClJZiyifJ6M65 -V4p+N4evhr6xBTxYMTfXoXIT6IwqyiDyhDnjUApM9wwr9YTxixJukAdcdDnWOMJb -qR2JquGXeChPAArH69FzsuybVXURpBiIOBBNFmWf/T97Aw55l6OXxzA/aAuQMFyF -H8zEQddC57yEMIpToTuNkNq8CQKBgQDTLpvNtsqKBxIpnybv2gRo2MDgJtk+PGu/ -UN3f1GDP1C9nhEVWb1n4v7n9bhYs5zra3vYkgvr317QVAbKF+PUmIPLmid5gN8J5 -46+qdVvK88UPJye2cuIrHO/XScWiC95SzQo6KfVNqawLJhioZ3OlK69pOcLoXWsO -/nJC5i6T4QKBgQCM6hx/Z/OCD2nvS+GFGTwrJx5pmRUf2jyqeauQW53704yko8M1 -QFKXKX4VCe2m+D6O7e9OdqD/urUU13N6fRoayivW1lAZE711U860hFJKF5PQDdmR -Oesnz9vrEGna+A9eRj41U9o7labs0WREjvJiRkdnl3L/7yzrZWHkf1sZgQKBgQDJ -X49oKR6XYci68a0yV8WOqOm6lLDhPMJNy3HXBvBOHXoajrGDi2jS3xgehoQUy2V+ -4c763/8qqIBq65RtVgmGEzMsDFmFjIYgrrGKrKAcNjk5is++lWv/SneV5h3TuNeG -Q0i2T94+8UVB2FD4/LT00mRQxaiK5NG6mX0hN9dAYQKBgEC8GarO5+lPEXNhkqcM -rWBtZTszTP9WGs0nB6+ZGZ+23uMwNA/6YZvyvAssfJ9yr4pyI/r2WH0rHa9146s0 -rJx+Xs/TSbGRYDq7BcwjN3DuSvoCg/0arVeoptrmoDIrFOzhlgQWdrIOMqVKTNKi -s/B7OsUuIhJ7HAJSatt2uzam ------END PRIVATE KEY----- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt deleted file mode 100644 index 9fcb2a2e17..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBTCCAe2gAwIBAgIJAPrtEex/4ln3MA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV -BAMMDkNvcmVPUyB0ZXN0IFBLMB4XDTE1MDQxMzE4MzMyMloXDTE1MDUxMzE4MzMy -MlowGTEXMBUGA1UEAwwOQ29yZU9TIHRlc3QgUEswggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCrAWnfZoNaw4FVFbdkQo+aBTjMnaEs643EdqoXRn8ohmJu -gCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcydAt53F0hFLsWEi/Riw59AImOuyOXxcrK5 -CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp7d/2up0zJoXltMaZLs3748AyI29aL2jr -PEW8+FZRqp/z9/EWpifcPZXFzqc7QYTwamfznwqUIFXMLqW5bREroFpZ9MMTmc86 -WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6jZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn -0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6pRd8IIfDzAgMBAAGjUDBOMB0GA1UdDgQW -BBRHBFY7ba7b2aOujtUZB1dHVQUqFDAfBgNVHSMEGDAWgBRHBFY7ba7b2aOujtUZ -B1dHVQUqFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCT3Xs/My5E -ST//7SrupTakH+QRd7/qIFj2/coXuWE0Qp9cWiWIy9GDyd0oyQsKQklVbuLArju4 -N8oekgtJnNoYbJnLs0JPfAIC5Np3wYTNCyjVi8kSyKSWdXM2vKkycG023sFiFdSk -0pgmwCO1E8fGxe9YDjCdtRTp8+j6m5GrRkl3YYfqYtUFfXy+BhcKs1H6AlfaKAZH -m1fYDGmGGuOTij/5yEyY38NJybjL8Aak89nwuVrHm76whldsA3LfPYenjLk5qTd8 -yEYgvoajAZDIXkT05F9E9SdSaob2ZK1nDp98kG+rnv7dN/xQVfaKywuM3cdy5TKk -VqV0ENF7w+O5 ------END CERTIFICATE----- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key deleted file mode 100644 index 589fef190e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrAWnfZoNaw4FV -FbdkQo+aBTjMnaEs643EdqoXRn8ohmJugCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcyd -At53F0hFLsWEi/Riw59AImOuyOXxcrK5CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp -7d/2up0zJoXltMaZLs3748AyI29aL2jrPEW8+FZRqp/z9/EWpifcPZXFzqc7QYTw -amfznwqUIFXMLqW5bREroFpZ9MMTmc86WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6j -ZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6p -Rd8IIfDzAgMBAAECggEAZI/0Ptf+LwYBrJOUwXUTFbQ0br/T5KKxP/O4mu9uH9rH -T8w2yOPGU/4beyBMvpgicZ+XYGqIlbnQFhV11frvGSAkL4pOMTZxFDok/MhP0Olu -iLlfNYZ/iiBCAj1SbYs9L/zv3Eik8ePuGKk2p9WeVFI3M5pXoAWSRKruf42vEg0Q -mAvjpabEFi41RavmO6EuDt5m6VOO3wgGXBZw/+skTtCtlhABK08aggV4a1jrrAJX -FVH8+XmYG7xknxMLxQYSuG1H0n86iext1+jtL74qd51PeaVzfXfE00xjnM08naV+ -XivpwhxsSo0aSMsuOipvMefvQDDwbYVN1RVlEIDuoQKBgQDhRy7j2Dz1zN+C0Bg3 -X2xInQGHq3MineGa/DCzN17rGT0jYB/9FMZTSfk60RNzFacHgLhfSxk0sPfBdi+J -WGWjm48nVz/vsx6V8DNOYiHoi2DxdpHoohUzdxKccySnv1vMDcVRQg3gb47UNp0p -FRqi/g47Ts+JSLS29X6vqB/iBwKBgQDCU31L4ipLXOWbiJDQVGq5A0N0zAo2j+Jx -Kr3G+R72XRHTBLCvverayCwrI+fvUyvAeUs/trswQ/PmXdkmg40EEJDCJ87ktfEW -MfgRJhloPJkyTf+JKaLlUQwgV7YVtV932EWC8V9Rdcf8rNZ9gt9TiiwGOTCrNDH4 -tL1d1T9OtQKBgAXgw5pyU/Td6Z8SKu+W785dOmL92D04/V/74JFsim978xpvMaZ6 -2knmDji4p9dC417Qvv7NiNTVIUHNAaSFx/Ei5/NQ1Xw9ojirUctjyBq3OEpUm64E -PKVhH/0xC+3MkmqamWFrZc1LW+CxpBwkTtOd6WUmw0eDvCNh+HJA4sQVAoGBAKFN -rDPRCEqGUhFIyuwjJnNswhGxTMj9pnlJgT4ojAr0NldzDTbT7p6sif1FUMDXyPl7 -tXqts7PctBgEzrupduRo28BOSu6OGBDUaZXSikR8CK45EGRKq2yuWeJ+7CYY56YT -X5/Ru81idx7GWUTV3Yr6ppCD6GI0cUaAwK+i02oBAoGAcCho+7uZ0+I2BkR9Fxz/ -gdHgL3Cw5o3x7i1erXXCoxN9YLHwidOtj9w+8IS9dSY9ii08w8LE4BXpgoFe+TGU -yXgEnl8qOUAcXKMu4jRj4LqNaJWXnAZ7J+1WJZ4h7ygGEJh0aYByiUdL5aShs/YJ -CevUdCQxnWbrAySfMEMIXg0= ------END PRIVATE KEY----- From 010afcd35dfa55247c59b0a386e66768a0c7f1aa Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Wed, 2 Oct 2024 12:29:35 +0100 Subject: [PATCH 6/6] sys-boot/mokutil: Install on arm64 now that it supports Secure Boot 
Signed-off-by: James Le Cuirot --- .../coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild | 2 +- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index 21b35197a6..4816ab1db3 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -76,7 +76,6 @@ RDEPEND="${RDEPEND} amd64? ( app-emulation/xenserver-pv-version app-emulation/xenstore - sys-boot/mokutil )" # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating. @@ -185,6 +184,7 @@ RDEPEND="${RDEPEND} sys-block/open-iscsi sys-block/parted sys-boot/efibootmgr + sys-boot/mokutil sys-cluster/ipvsadm sys-devel/gettext sys-fs/btrfs-progs diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index cfbe026846..835744e513 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -107,7 +107,7 @@ =sys-apps/zram-generator-1.1.2 ~arm64 # Upgrade to latest version for secureboot -=sys-boot/mokutil-0.6.0 ~amd64 +=sys-boot/mokutil-0.6.0 ~amd64 ~arm64 # Enable ipvsadm for arm64. =sys-cluster/ipvsadm-1.31-r1 ~arm64