Merge pull request #2434 from flatcar/chewi/new-firmware

Switch from raw to QCOW2 and 2MB to 4MB firmware, adjust firmware variables creation

.github/workflows/ci.yaml

@@ -278,7 +278,7 @@ jobs:
             scripts/artifacts/images/flatcar_production_image*.txt
             scripts/artifacts/images/flatcar_production_image*.json
             scripts/artifacts/images/flatcar_production_image_pcr_policy.zip
-            scripts/artifacts/images/flatcar_production_*_efi_*.fd
+            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
             scripts/artifacts/images/flatcar_production_qemu.sh
 
       - name: Upload developer container
@@ -317,7 +317,7 @@ jobs:
           path: |
             scripts/artifacts/images/*.img
             scripts/artifacts/images/*.bin
-            scripts/artifacts/images/flatcar_production_*_efi_*.fd
+            scripts/artifacts/images/flatcar_production_*_efi_*.qcow2
             scripts/artifacts/images/*.txt
             scripts/artifacts/images/flatcar-*.raw
             scripts/artifacts/images/flatcar_production_*.sh

.github/workflows/run-kola-tests.yaml

@@ -162,7 +162,7 @@ jobs:
           # Extract the generic image we'll use for qemu tests.
           # Note that the qemu[_uefi] tests use the generic image instead of the
           #  qemu vendor VM image ("Astronaut: [...] Always have been.").
-          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.fd flatcar_production_qemu_uefi_efi_vars.fd scripts/
+          mv flatcar_production_image.bin flatcar_production_qemu_uefi_efi_code.qcow2 flatcar_production_qemu_uefi_efi_vars.qcow2 scripts/
 
           mv flatcar_test_update.gz scripts/
 
@@ -197,8 +197,8 @@ jobs:
           cat > sdk_container/.env <<EOF
           # export the QEMU_IMAGE_NAME to avoid to download it.
           export QEMU_IMAGE_NAME="/work/flatcar_production_image.bin"
-          export QEMU_UEFI_FIRMWARE="/work/flatcar_production_qemu_uefi_efi_code.fd"
+          export QEMU_UEFI_FIRMWARE="/work/flatcar_production_qemu_uefi_efi_code.qcow2"
-          export QEMU_UEFI_OVMF_VARS="/work/flatcar_production_qemu_uefi_efi_vars.fd"
+          export QEMU_UEFI_OVMF_VARS="/work/flatcar_production_qemu_uefi_efi_vars.qcow2"
           export QEMU_UPDATE_PAYLOAD="/work/flatcar_test_update.gz"
           export QEMU_DEVCONTAINER_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"
           export QEMU_DEVCONTAINER_BINHOST_URL="http://${TESTS_WEBSERVER_IP}:${TESTS_WEBSERVER_PORT}"

build_library/qemu_template.sh

@@ -274,8 +274,8 @@ fi
 
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=qcow2,readonly=on \
-        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=qcow2 "$@"
 fi
 
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then

build_library/vm_image_util.sh

@@ -825,25 +825,20 @@ _write_qemu_conf() {
 }
 
 _write_qemu_uefi_conf() {
-    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local flash_ro="$(_dst_name "_efi_code.qcow2")"
-    local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_rw="$(_dst_name "_efi_vars.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
 
     _write_qemu_conf
 
     case $BOARD in
         amd64-usr)
-            cp "/usr/share/edk2-ovmf/OVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
+            cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.qcow2" "$(_dst_dir)/${flash_ro}"
-            cp "/usr/share/edk2-ovmf/OVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
+            cp "/usr/share/edk2/OvmfX64/OVMF_VARS_4M.qcow2" "$(_dst_dir)/${flash_rw}"
             ;;
         arm64-usr)
-            # Get edk2 files into local build workspace.
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.qcow2" "$(_dst_dir)/${flash_ro}"
-            info "Updating edk2 in /build/${BOARD}"
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.qcow2" "$(_dst_dir)/${flash_rw}"
-            emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
-            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
-            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
-            truncate -s 64M "$(_dst_dir)/${flash_ro}"
-            truncate -s 64M "$(_dst_dir)/${flash_rw}"
             ;;
     esac
 
@@ -866,20 +861,32 @@ _write_qemu_uefi_conf() {
 }
 
 _write_qemu_uefi_secure_conf() {
-    local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_rw="$(_dst_name "_efi_vars.qcow2")"
-    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local flash_ro="$(_dst_name "_efi_code.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
     local owner="00000000-0000-0000-0000-000000000000"
+    local flash_in
 
     _write_qemu_uefi_conf
-    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
+
+    case $BOARD in
+        amd64-usr)
+            cp "/usr/share/edk2/OvmfX64/OVMF_CODE_4M.secboot.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/OvmfX64/OVMF_VARS_4M.secboot.qcow2"
+            ;;
+        arm64-usr)
+            # This firmware is not considered secure due to the lack of an SMM
+            # implementation, which is needed to protect the variable store, but
+            # it's only supposed to be used for testing anyway.
+            cp "/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_EFI.secboot_INSECURE.qcow2" "$(_dst_dir)/${flash_ro}"
+            flash_in="/usr/share/edk2/ArmVirtQemu-AARCH64/QEMU_VARS.secboot_INSECURE.qcow2"
+            ;;
+    esac
 
     virt-fw-vars \
-        --inplace "$(_dst_dir)/${flash_rw}" \
+        --input "${flash_in}" \
-        --set-pk  "${owner}" /usr/share/sb_keys/PK.crt \
+        --output "$(_dst_dir)/${flash_rw}" \
-        --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
+        --add-db  "${owner}" /usr/share/sb_keys/DB.crt
-        --add-db  "${owner}" /usr/share/sb_keys/DB.crt \
-        --secure-boot --no-microsoft
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

changelog/changes/2024-11-08-uefi-firmware.md

@@ -0,0 +1,2 @@
+- The UEFI firmware has changed from raw (.fd) format to QCOW2 format. In addition, the amd64 firmware variables are now held in a 4MB image rather than a 2MB image. Note that this firmware is only intended for testing with QEMU. Do not use it in production. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))
+- The arm64 UEFI firmware now supports Secure Boot. Be aware that this is not considered secure due to the lack of an SMM implementation, which is needed to protect the variable store. As above, this firmware should not be used in production anyway. ([scripts#2434](https://github.com/flatcar/scripts/pull/2434))

ci-automation/ci-config.env

@@ -65,10 +65,10 @@ QEMU_FIRMWARE="/usr/share/qemu/bios-256k.bin"
 
 # UEFI firmware filename on build cache.
 # Published by vms.sh as part of the qemu vendor build.
-QEMU_UEFI_FIRMWARE="${QEMU_UEFI_FIRMWARE:-flatcar_production_qemu_uefi_efi_code.fd}"
+QEMU_UEFI_FIRMWARE="${QEMU_UEFI_FIRMWARE:-flatcar_production_qemu_uefi_efi_code.qcow2}"
-QEMU_UEFI_SECURE_FIRMWARE="${QEMU_UEFI_SECURE_FIRMWARE:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
+QEMU_UEFI_SECURE_FIRMWARE="${QEMU_UEFI_SECURE_FIRMWARE:-flatcar_production_qemu_uefi_secure_efi_code.qcow2}"
-QEMU_UEFI_OVMF_VARS="${QEMU_UEFI_OVMF_VARS:-flatcar_production_qemu_uefi_efi_vars.fd}"
+QEMU_UEFI_OVMF_VARS="${QEMU_UEFI_OVMF_VARS:-flatcar_production_qemu_uefi_efi_vars.qcow2}"
-QEMU_UEFI_SECURE_OVMF_VARS="${QEMU_UEFI_SECURE_OVMF_VARS:-flatcar_production_qemu_uefi_secure_efi_vars.fd}"
+QEMU_UEFI_SECURE_OVMF_VARS="${QEMU_UEFI_SECURE_OVMF_VARS:-flatcar_production_qemu_uefi_secure_efi_vars.qcow2}"
 
 # Update payload for the qemu_update.sh test.
 # The default path set below is relative to TEST_WORK_DIR

ci-automation/vendor-testing/qemu_update.sh

@@ -71,12 +71,19 @@ fi
 bios="${QEMU_FIRMWARE}"
 if [ "${CIA_ARCH}" = "arm64" ]; then
     bios="${QEMU_UEFI_FIRMWARE}"
+    ovmf_vars="${QEMU_UEFI_OVMF_VARS}"
     if [ -f "${bios}" ] ; then
         echo "++++ qemu_update.sh: Using existing ./${bios} ++++"
     else
         echo "++++ qemu_update.sh: downloading ${bios} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
         copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${bios}" .
     fi
+    if [ -f "${ovmf_vars}" ] ; then
+        echo "++++ ${CIA_TESTSCRIPT}: Using existing ${ovmf_vars} ++++"
+    else
+        echo "++++ ${CIA_TESTSCRIPT}: downloading ${ovmf_vars} for ${CIA_VERNUM} (${CIA_ARCH}) ++++"
+        copy_from_buildcache "images/${CIA_ARCH}/${CIA_VERNUM}/${ovmf_vars}" .
+    fi
 fi
 
 query_kola_tests() {
@@ -118,6 +125,7 @@ run_kola_tests() {
       --qemu-image="${image}" \
       --tapfile="${instance_tapfile}" \
       --update-payload="${QEMU_UPDATE_PAYLOAD}" \
+      "${ovmf_vars:+--qemu-ovmf-vars=${ovmf_vars}}" \
       ${QEMU_KOLA_SKIP_MANGLE:+--qemu-skip-mangle} \
       "${tests[@]}"
 }

jenkins/kola/qemu_common.sh

@@ -7,7 +7,7 @@ if [ "${PLATFORM}" = qemu ]; then
   BIOS="bios-256k.bin"
 elif [ "${PLATFORM}" = qemu_uefi ]; then
   TIMEOUT="14h"
-  BIOS="/mnt/host/source/tmp/flatcar_production_qemu_uefi_efi_code.fd"
+  BIOS="/mnt/host/source/tmp/flatcar_production_qemu_uefi_efi_code.qcow2"
 else
   echo "Unknown platform: \"${PLATFORM}\""
 fi

run_local_tests.sh

@@ -52,8 +52,8 @@ function set_vars() {
   # The local directory ("pwd") will be mounted to /work/ in the container.
   cat > sdk_container/.env <<EOF
 export QEMU_IMAGE_NAME=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_image.bin
-export QEMU_UEFI_FIRMWARE=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_code.fd
+export QEMU_UEFI_FIRMWARE=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_code.qcow2
-export QEMU_UEFI_OVMF_VARS=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_vars.fd
+export QEMU_UEFI_OVMF_VARS=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_production_qemu_uefi_efi_vars.qcow2
 export QEMU_UPDATE_PAYLOAD=/work/__build__/images/images/${arch@Q}-usr/latest/flatcar_test_update.gz
 export PARALLEL_TESTS=${parallel@Q}
 EOF

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md

@@ -1,7 +1,5 @@
 ## Keys & Certificates
 
-- PK (Platform Key): The Platform Key is the key to the platform.
-- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
 - DB (Signature Database): The signature database is used to validate signed EFI binaries.
 - Shim Certificates: Our set of certificates
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild

@@ -16,10 +16,6 @@ S="${WORKDIR}"
 
 src_install() {
   insinto /usr/share/sb_keys
-  newins "${FILESDIR}/PK.key" PK.key
-  newins "${FILESDIR}/PK.crt" PK.crt
-  newins "${FILESDIR}/KEK.key" KEK.key
-  newins "${FILESDIR}/KEK.crt" KEK.crt
   newins "${FILESDIR}/DB.key" DB.key
   newins "${FILESDIR}/DB.crt" DB.crt
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIJAN/ga2oSNhyiMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
-BAMMD0NvcmVPUyB0ZXN0IEtFSzAeFw0xNTA0MTMxODMzMzRaFw0xNTA1MTMxODMz
-MzRaMBoxGDAWBgNVBAMMD0NvcmVPUyB0ZXN0IEtFSzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAL/DE8ss0bgdKgLmyQ6CQsAUpeWwLlxMNca+LROR5+UH
-VAa/Xph30xdfmpydWxUO0Ga1ZnyTfZp+UfOWya9kYkzzmmuKAzC0HLzolSWxQ3sL
-EDsXEbpfl7KsjDvPuXdVoJukdN8EppqP6DLGjHbY5lk5AfXj7xCP3wHlLzMsPoxu
-hkfDfZSB0qJ5r+L6egz50Vufvxn1oiolMWh7zorkQaM5i4cP6BEQtan7WNhKDJAZ
-3fbApmcJyOP7TvWLHcAyuI2FM13J89bc7vrclb2PrtAoijNyDnNImLb187/gC8Ab
-kHVFIm8KyZ8ZByNoU5hy4bA1U/EEZ+slyIqqKcnWbukCAwEAAaNQME4wHQYDVR0O
-BBYEFC1uWlFmCG6L18813V9Xy12dQ/MJMB8GA1UdIwQYMBaAFC1uWlFmCG6L1881
-3V9Xy12dQ/MJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEOKN7AS
-2szIJ4ejcxRJhih5rBFwVkim80rwBX8Ga3sStAAKEpdZC7fjrxXm8UWYbEa8Qisz
-+O74T7QqXaCRoxh3ij4fgg4clULOfjGGWWEghl4rtpUIsarCk3HWtEzqLWbAQOA0
-co3B08KbwYhOYfx1MkRE1K6kFKojJ1tod/w9jxY1/w/qmJKFP/vM6//H9dhVPr14
-4ySqz/NYhb0FZRVGJkeLbXWy4sLZy2Of+ojCRjjAgmY9RAT6ZxovgyXqVBDWfboX
-4Yp9bAboktfNtX6+9wMIW5bTuZ5yZjK+I+MnHSqbRVh/6T/kh5j5+jdPXnKgZGXy
-PWAnhbRJTjUAVTY=
------END CERTIFICATE-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC/wxPLLNG4HSoC
-5skOgkLAFKXlsC5cTDXGvi0TkeflB1QGv16Yd9MXX5qcnVsVDtBmtWZ8k32aflHz
-lsmvZGJM85prigMwtBy86JUlsUN7CxA7FxG6X5eyrIw7z7l3VaCbpHTfBKaaj+gy
-xox22OZZOQH14+8Qj98B5S8zLD6MboZHw32UgdKiea/i+noM+dFbn78Z9aIqJTFo
-e86K5EGjOYuHD+gRELWp+1jYSgyQGd32wKZnCcjj+071ix3AMriNhTNdyfPW3O76
-3JW9j67QKIozcg5zSJi29fO/4AvAG5B1RSJvCsmfGQcjaFOYcuGwNVPxBGfrJciK
-qinJ1m7pAgMBAAECggEAL5jxMc4nJAcBJYU5RIOqo9i8MN3hNAGqm3Ea6S+fGqcO
-ATrA9SFQ4Q1W6Cbas8hgjA3cqXFGjPFr0AWOfB1zlNwmaSjxj8Y1F+K3Gor8T+84
-ESKxwMv3cF8J09LEm01Ctz9DzxNtcxHjNa84sEs4Kc9PoEP6U+cSGHtVkuMZh2t9
-hNad8DfdM2oZi5IPcVcBXr/+QmyjereKlTij5BPSdeKw2JKprv0NWgzuZkDlhtAF
-aSNLkODk3NT9+zMSqvuSkNkWuvcl8kFG32strHzsEKneugEbLQPLwEA2hRz6gDo2
-alPUo9shg4o54r47pascVJjbiFPevIvF0GTgmv/VAQKBgQDodWPClJZiyifJ6M65
-V4p+N4evhr6xBTxYMTfXoXIT6IwqyiDyhDnjUApM9wwr9YTxixJukAdcdDnWOMJb
-qR2JquGXeChPAArH69FzsuybVXURpBiIOBBNFmWf/T97Aw55l6OXxzA/aAuQMFyF
-H8zEQddC57yEMIpToTuNkNq8CQKBgQDTLpvNtsqKBxIpnybv2gRo2MDgJtk+PGu/
-UN3f1GDP1C9nhEVWb1n4v7n9bhYs5zra3vYkgvr317QVAbKF+PUmIPLmid5gN8J5
-46+qdVvK88UPJye2cuIrHO/XScWiC95SzQo6KfVNqawLJhioZ3OlK69pOcLoXWsO
-/nJC5i6T4QKBgQCM6hx/Z/OCD2nvS+GFGTwrJx5pmRUf2jyqeauQW53704yko8M1
-QFKXKX4VCe2m+D6O7e9OdqD/urUU13N6fRoayivW1lAZE711U860hFJKF5PQDdmR
-Oesnz9vrEGna+A9eRj41U9o7labs0WREjvJiRkdnl3L/7yzrZWHkf1sZgQKBgQDJ
-X49oKR6XYci68a0yV8WOqOm6lLDhPMJNy3HXBvBOHXoajrGDi2jS3xgehoQUy2V+
-4c763/8qqIBq65RtVgmGEzMsDFmFjIYgrrGKrKAcNjk5is++lWv/SneV5h3TuNeG
-Q0i2T94+8UVB2FD4/LT00mRQxaiK5NG6mX0hN9dAYQKBgEC8GarO5+lPEXNhkqcM
-rWBtZTszTP9WGs0nB6+ZGZ+23uMwNA/6YZvyvAssfJ9yr4pyI/r2WH0rHa9146s0
-rJx+Xs/TSbGRYDq7BcwjN3DuSvoCg/0arVeoptrmoDIrFOzhlgQWdrIOMqVKTNKi
-s/B7OsUuIhJ7HAJSatt2uzam
------END PRIVATE KEY-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBTCCAe2gAwIBAgIJAPrtEex/4ln3MA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
-BAMMDkNvcmVPUyB0ZXN0IFBLMB4XDTE1MDQxMzE4MzMyMloXDTE1MDUxMzE4MzMy
-MlowGTEXMBUGA1UEAwwOQ29yZU9TIHRlc3QgUEswggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCrAWnfZoNaw4FVFbdkQo+aBTjMnaEs643EdqoXRn8ohmJu
-gCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcydAt53F0hFLsWEi/Riw59AImOuyOXxcrK5
-CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp7d/2up0zJoXltMaZLs3748AyI29aL2jr
-PEW8+FZRqp/z9/EWpifcPZXFzqc7QYTwamfznwqUIFXMLqW5bREroFpZ9MMTmc86
-WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6jZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn
-0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6pRd8IIfDzAgMBAAGjUDBOMB0GA1UdDgQW
-BBRHBFY7ba7b2aOujtUZB1dHVQUqFDAfBgNVHSMEGDAWgBRHBFY7ba7b2aOujtUZ
-B1dHVQUqFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCT3Xs/My5E
-ST//7SrupTakH+QRd7/qIFj2/coXuWE0Qp9cWiWIy9GDyd0oyQsKQklVbuLArju4
-N8oekgtJnNoYbJnLs0JPfAIC5Np3wYTNCyjVi8kSyKSWdXM2vKkycG023sFiFdSk
-0pgmwCO1E8fGxe9YDjCdtRTp8+j6m5GrRkl3YYfqYtUFfXy+BhcKs1H6AlfaKAZH
-m1fYDGmGGuOTij/5yEyY38NJybjL8Aak89nwuVrHm76whldsA3LfPYenjLk5qTd8
-yEYgvoajAZDIXkT05F9E9SdSaob2ZK1nDp98kG+rnv7dN/xQVfaKywuM3cdy5TKk
-VqV0ENF7w+O5
------END CERTIFICATE-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrAWnfZoNaw4FV
-FbdkQo+aBTjMnaEs643EdqoXRn8ohmJugCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcyd
-At53F0hFLsWEi/Riw59AImOuyOXxcrK5CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp
-7d/2up0zJoXltMaZLs3748AyI29aL2jrPEW8+FZRqp/z9/EWpifcPZXFzqc7QYTw
-amfznwqUIFXMLqW5bREroFpZ9MMTmc86WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6j
-ZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6p
-Rd8IIfDzAgMBAAECggEAZI/0Ptf+LwYBrJOUwXUTFbQ0br/T5KKxP/O4mu9uH9rH
-T8w2yOPGU/4beyBMvpgicZ+XYGqIlbnQFhV11frvGSAkL4pOMTZxFDok/MhP0Olu
-iLlfNYZ/iiBCAj1SbYs9L/zv3Eik8ePuGKk2p9WeVFI3M5pXoAWSRKruf42vEg0Q
-mAvjpabEFi41RavmO6EuDt5m6VOO3wgGXBZw/+skTtCtlhABK08aggV4a1jrrAJX
-FVH8+XmYG7xknxMLxQYSuG1H0n86iext1+jtL74qd51PeaVzfXfE00xjnM08naV+
-XivpwhxsSo0aSMsuOipvMefvQDDwbYVN1RVlEIDuoQKBgQDhRy7j2Dz1zN+C0Bg3
-X2xInQGHq3MineGa/DCzN17rGT0jYB/9FMZTSfk60RNzFacHgLhfSxk0sPfBdi+J
-WGWjm48nVz/vsx6V8DNOYiHoi2DxdpHoohUzdxKccySnv1vMDcVRQg3gb47UNp0p
-FRqi/g47Ts+JSLS29X6vqB/iBwKBgQDCU31L4ipLXOWbiJDQVGq5A0N0zAo2j+Jx
-Kr3G+R72XRHTBLCvverayCwrI+fvUyvAeUs/trswQ/PmXdkmg40EEJDCJ87ktfEW
-MfgRJhloPJkyTf+JKaLlUQwgV7YVtV932EWC8V9Rdcf8rNZ9gt9TiiwGOTCrNDH4
-tL1d1T9OtQKBgAXgw5pyU/Td6Z8SKu+W785dOmL92D04/V/74JFsim978xpvMaZ6
-2knmDji4p9dC417Qvv7NiNTVIUHNAaSFx/Ei5/NQ1Xw9ojirUctjyBq3OEpUm64E
-PKVhH/0xC+3MkmqamWFrZc1LW+CxpBwkTtOd6WUmw0eDvCNh+HJA4sQVAoGBAKFN
-rDPRCEqGUhFIyuwjJnNswhGxTMj9pnlJgT4ojAr0NldzDTbT7p6sif1FUMDXyPl7
-tXqts7PctBgEzrupduRo28BOSu6OGBDUaZXSikR8CK45EGRKq2yuWeJ+7CYY56YT
-X5/Ru81idx7GWUTV3Yr6ppCD6GI0cUaAwK+i02oBAoGAcCho+7uZ0+I2BkR9Fxz/
-gdHgL3Cw5o3x7i1erXXCoxN9YLHwidOtj9w+8IS9dSY9ii08w8LE4BXpgoFe+TGU
-yXgEnl8qOUAcXKMu4jRj4LqNaJWXnAZ7J+1WJZ4h7ygGEJh0aYByiUdL5aShs/YJ
-CevUdCQxnWbrAySfMEMIXg0=
------END PRIVATE KEY-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -76,7 +76,6 @@ RDEPEND="${RDEPEND}
 	amd64? (
 		app-emulation/xenserver-pv-version
 		app-emulation/xenstore
-		sys-boot/mokutil
 	)"
 
 # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating.
@@ -185,6 +184,7 @@ RDEPEND="${RDEPEND}
 	sys-block/open-iscsi
 	sys-block/parted
 	sys-boot/efibootmgr
+	sys-boot/mokutil
 	sys-cluster/ipvsadm
 	sys-devel/gettext
 	sys-fs/btrfs-progs

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -56,10 +56,9 @@ USE="${USE} bindist"
 # no-source-code - license for sys-kernel/coreos-firmware
 # linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
-# BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64
 # intel-ucode - license for sys-firmware/intel-microcode
 ACCEPT_LICENSE="${ACCEPT_LICENSE} no-source-code
-    linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode"
+    linux-fw-redistributable freedist intel-ucode"
 
 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -107,7 +107,7 @@
 =sys-apps/zram-generator-1.1.2 ~arm64
 
 # Upgrade to latest version for secureboot
-=sys-boot/mokutil-0.6.0 ~amd64
+=sys-boot/mokutil-0.6.0 ~amd64 ~arm64
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64

sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest

@@ -1 +0,0 @@
-DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b

sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild

@@ -1,23 +0,0 @@
-# Copyright (c) 2024 The Flatcar Maintainers.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit rpm
-
-DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware"
-HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/"
-SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm"
-
-LICENSE="BSD-2-Clause-Patent openssl"
-SLOT="0"
-KEYWORDS="amd64 arm64"
-
-S="${WORKDIR}"
-
-src_install() {
-	# Avoid collision with qemu installed config file
-	mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json
-	insinto /
-	doins -r *
-}