From 20167758b0ab39fe8eda1bb1c6854fff68643e1c Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury <schowdhury@microsoft.com>
Date: Fri, 24 Nov 2023 04:41:17 +0530
Subject: [PATCH] fix

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
 .../sys-boot/shim/files/shim.der              | Bin 0 -> 771 bytes
 .../sys-boot/shim/files/shim.pem              |  19 ++++++++++++
 .../sys-boot/shim/files/shim.rsa              |  28 ++++++++++++++++++
 .../sys-boot/shim/shim-9999.ebuild            |   6 ++++
 4 files changed, 53 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.der
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.pem
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.rsa

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.der b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.der
new file mode 100644
index 0000000000000000000000000000000000000000..2194987d0f968ada08aa84664acd7b8a8b4c6714
GIT binary patch
literal 771
zcmXqLV)}2;#Q1yxGZP~dlSppH>M7+_6-r4rX8Yfr%O;RIInvmGmyJ`a&7<u*FC!y2
zD}w>QA+G^98*?ZNGY?B~MrN*ooH(zMv7w=nv5~QXp{YTXIIjtiYiI%GVrpn&R6;hC
zk(GhDiIJZH=ngKXCPqevmo^#VGDbGqR~~Yk2AllpN?Yo%kCiLMf7-d9@A?<yG)d3>
z|F_y8R7R)c^_rLEi(f<p8|^9G9xy%G;N04TB_H1W+$eYX0qbI=D_3@%PmQ{HR3yAr
z>cEDK<r5ySVVZGfnx>F|)V+PHZ-;n>ToUd*Wv8}RZR)~*4J(6Zt81$!zWSIN#WQge
z$LtyM8?v`N7f2|Lwk#?WNt$A4mi$R)t;cM}(AX&pF3ySF;3TVKb}fT3^oZoVbN_b-
zZ<Wl**jf{o|0<vRsItD)9e;6+GGp1ZF+r2sxc)myH!zy>m>m;i)X;o(MQ+Oj$EouT
zOrM{Qx-_{=m|1*s(&uBZm%Yp}WZqvk#gmDdk%4h>utA`KEHIp9`B=nQL>j{7Wsa+K
z#-8rXUi_^`hVRIfvr7!*LDI@B5(Z)o*cI@D6bLgi{%2t|U<Oji!48Z|V6ZbX%<8ZE
z^TabJ_=}2-?7`b}qPT6hyXRVe)B2*ks`l!%zYgb@Km6Ri$0Kp=Ufs^M;jhISWu)CE
zM{05${;z6cmU4B+o$9H2>WiGJ>J};=3!PUcSM+1zt6aBz%=_}^zFF7Id-9L&DgB49
zo4Jk_Hwd)|vMVbIC~ID~o4d*K>X8*07P&bxz8m6O)*W5+`l-hWu~J5Bz87qlQZFqM
z&a%Iw@V+bVl!7DYhCK6J^SG+Vrsbc#t=f{AO0U@IoWCI0xy8{!D&oe3d*|i$-Z|s)
z#-+uid{RhN>-PN22+RML^S$2v{IIUfm)BF(NWAGt^eXQeYED}eq;Di#cxFCzMqo8d
JW2*7NG5~RCG3o#S

literal 0
HcmV?d00001

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.pem b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.pem
new file mode 100644
index 0000000000..de044d7959
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUbWirlHd6eCJi2JtP3Z0GEGWTWTMwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEc2hpbTAeFw0yMzExMjMyMzAxNTBaFw00MzExMTgyMzAx
+NTBaMA8xDTALBgNVBAMMBHNoaW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDpPGgXHDI8K9ThCzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjr
+rOl3o+hYUzK8dbdQl2Mwzq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOs
+ApjMlikSEBrevqvbVElU0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu0
+5xBgdVs5cnYUYpQxNmPyLK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1
+fFZv6m8LxSMvGtxPFyh2Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefL
+WtKTdhMDF5Ni88brpulsMQO/dpRJAgMBAAGjUzBRMB0GA1UdDgQWBBSAVx8cxySJ
+XcuJa6P2jBwOxJTNpDAfBgNVHSMEGDAWgBSAVx8cxySJXcuJa6P2jBwOxJTNpDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaj3785ElsU/QkPB3B
+25xaCz23R2079ir0I6p91Zb9QM+n4fOLvEhhrb0tia1X6xaBHBtGk1kpCMP/JTQ2
+ZNW43HuVLieiQnp+oSPGVZ52HnL4keptRr4Dvm+d7K6DDcn8Lcov4euDCsVzgBKE
+EQcjIhAjKdc+nbI51cSoaDhtbBxNsF+ErsWi6+VIyBZ1ATsO6AbSZdKiE2o/3CDv
+il7KIEEJsG43bTdeeuM1d/NLOoZjAnXUPizP0BGJtEE4GljYkN7PHr3czETsRIQ0
+d5JUeoW3b2lYOf85n0ru+fCudk0NSSUyF4LEW6pLmCZCtCAb2GDQ5jeVmFF7BIFl
+M8F2
+-----END CERTIFICATE-----
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.rsa b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.rsa
new file mode 100644
index 0000000000..52f9fe1e7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/files/shim.rsa
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpPGgXHDI8K9Th
+CzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjrrOl3o+hYUzK8dbdQl2Mw
+zq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOsApjMlikSEBrevqvbVElU
+0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu05xBgdVs5cnYUYpQxNmPy
+LK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1fFZv6m8LxSMvGtxPFyh2
+Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefLWtKTdhMDF5Ni88brpuls
+MQO/dpRJAgMBAAECggEAIbJpBYG83kWk5XillSZwIBzRXke12bkBaLPxlx5oGpU3
+oT21ZSFoAoCKraYXOwJS1MP8bg8B06Jzob8SfIaICmzOwrnwwU++/gnYDZPCqvjW
+xghEg7dY/3Cm/BiJ8/Dz8RijkS/yC2ejip4pVhB0p0snsnGrn/IW0rE3ghiiBYsM
+971GSgbGp6o25rhA8/yx5+OOFvGoDX2nIymfFASSPmxiAbXcb4DmdMlrRZ6P4z51
+8WJ8gXiTYvALFVWMNtv8GJZCQFi2fHcat/mWiVzg28J4Mzz9n79E0MrZ+4pxXLFT
+lbtI6OvcjRgvsyxPwkExCsBTKnOeAdgKXKwiczBdMwKBgQD4u5NSEpx98GxiWVZX
+DtT7WuCN257S0KztWzAYpTI5SZIRv4jylZPo+JnSrCvNt4hVs0Jz/aQQXhRIzVSj
+4VrkhlxXGnJpZz1DkICIoFQLi9maazgj1aB9Y6lZeGxAlzCnDHP7pR7dxUj4FF2p
+G6udyGhb3qfsevbSdykZ7DsHMwKBgQDwDOvheT71dNlcNuKrHi89sT5SoD4A2yTv
+pyzBCvh2a+UFxveFa6l+/VgxR8AkX9z37hQxi++QFrBHnTD/NZcLijLnPI1V0pIQ
+uNym6dx1PfuCtulZ24i2Fn5zrNUiNnTLBR31Fa1RJcyJv50IoTMK6F+0Bz4Qxan1
+0Um+xgDGkwKBgAb32ky2UMQGdELdFdoihDz2cswGlxB44B9WKqbGGf4Y3Yq5vvBs
+2FPygvyv7ho5RgyAlSACvxHmUNMpTXG54n38daHLD+F8Du9RoQgy1aftJw94aX43
+geOBY0Eqan30vlwvsSAfpBm6aSzqBSWzrL8i2imYt0OcvkVvKSucvpqZAoGAWoXk
+5dAdJ976oMWp0LG/StpuECaRey0ozp8SR3HlpHKnmPghG1UwQ80x1tOh55Wm9G/5
+eX21x3Zm33qtoXAKF7Xz4DN7cOPJZTjxLJiAJE5NbEuhz9rzwQbWhLSmYxJ6FJ1H
+YMbd5v4EFeYGR9zSLMjYXkFk7Fo9748O6jwsyrUCgYEApBlTWbna9BoxiVElEmvT
+u/NgdKZIEBbeX/NWJz8BJWiBVRg5WaAeuriga/1tMhiX8dgo7z7uGm3moEsXGlVD
+IhZiJeAgMmamr1yqII1q9RTBcA7iPqKmAgto+7zwcVxRmXCMRM/daJ04uqGine+K
+dM/o7gBtadQHJ1KPftM8SqQ=
+-----END PRIVATE KEY-----
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
index 81f69f36cd..6c29fa7e6f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@@ -42,11 +42,15 @@ src_compile() {
 	# itself with the compiler -dumpmachine flag. But also it
 	# expects a different format of the values. It wants x86_64
 	# instead of amd64, and aarch64 instead of arm64.
+	insinto /usr/share/sb_keys
+	newins "${FILESDIR}/shim.der" shim.der
 	if use amd64; then
 		emake_args+=( ARCH=x86_64 )
 	elif use arm64; then
 		emake_args+=( ARCH=aarch64 )
 	fi
+  emake_args+= ( ENABLE_SBSIGN=1 )
+  emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
 	emake "${emake_args[@]}" || die
 }
 
@@ -60,4 +64,6 @@ src_install() {
 	fi
 	insinto /usr/lib/shim
 	newins "shim${suffix}.efi" 'shim.efi'
+  newins "mm${suffix}.efi" "mm${suffix}.efi"
+  newins "fb${suffix}.efi" "fb${suffix}.efi"
 }