fix

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2026-03-03 12:31:10 +01:00 · 2023-12-07 16:00:39 +05:30 · 2023-12-07 16:00:39 +05:30 · 55be0f7ffc
commit 55be0f7ffc
parent a3f58f0f9d
3 changed files with 19 additions and 11 deletions
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -58,7 +58,7 @@ case "${FLAGS_target}" in
        CORE_NAME="core.img"
        ;;
    x86_64-efi)
-	CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
+        CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
        CORE_NAME="core.efi"
        ;;
    x86_64-xen)
@ -192,19 +192,25 @@ case "${FLAGS_target}" in
    x86_64-efi)
        info "Installing default x86_64 UEFI bootloader."
        sudo mkdir -p "${ESP_DIR}/EFI/boot"
-	# Use the test keys for signing unofficial builds
-	if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            sudo sbsign --key /usr/share/sb_keys/DB.key \
-                    --cert /usr/share/sb_keys/DB.crt \
+        # Use the test keys for signing unofficial builds
+        if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+                    --cert /usr/share/sb_keys/shim.pem \
                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
                "${ESP_DIR}/EFI/boot/grubx64.efi"
-            sudo cp "/usr/lib/shim/mmx64.efi" \
+            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+                    --cert /usr/share/sb_keys/shim.pem \
+                    "/usr/lib/shim/mmx64.efi"
+            sudo cp "/usr/lib/shim/mmx64.efi.signed" \
                "${ESP_DIR}/EFI/boot/mmx64.efi"
-            sudo cp "/usr/lib/shim/fbx64.efi" \
+            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+                    --cert /usr/share/sb_keys/shim.pem \
+                    "/usr/lib/shim/fbx64.efi"
+            sudo cp "/usr/lib/shim/fbx64.efi.signed" \
                "${ESP_DIR}/EFI/boot/fbx64.efi"
-            sudo sbsign --key /usr/share/sb_keys/DB.key \
-                 --cert /usr/share/sb_keys/DB.crt \
+            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+                 --cert /usr/share/sb_keys/shim.pem \
                 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
                 "/usr/lib/shim/shim.efi"
        else
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
@ -3,7 +3,7 @@

 EAPI=7

-DESCRIPTION="CoreOS Secure Boot keys"
+DESCRIPTION="Flatcar Secure Boot keys"
 HOMEPAGE=""
 SRC_URI=""
 LICENSE="BSD"
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@ -47,13 +47,15 @@ src_compile() {
 	# instead of amd64, and aarch64 instead of arm64.
 	insinto /usr/share/sb_keys
 	newins "${FILESDIR}/shim.der" shim.der
+	newins "${FILESDIR}/shim.rsa" shim.rsa
+	newins "${FILESDIR}/shim.pem" shim.pem
 	if use amd64; then
 		emake_args+=( ARCH=x86_64 )
 	elif use arm64; then
 		emake_args+=( ARCH=aarch64 )
 	fi
  emake_args+=( ENABLE_SBSIGN=1 )
-  emake_args+=( VENDOR_CERT_FILE="${SYSROOT}/usr/share/sb_keys/DB.der" )
+  emake_args+=( VENDOR_CERT_FILE="${SYSROOT}/usr/share/sb_keys/shim.der" )
 	emake "${emake_args[@]}" || die
 }