Verify netboot config fragments if there's an available gpg key

If there's a gpg public key available in a system firmware variable, trust
it and use it to verify netboot configuration fragments.

build_library/grub.cfg

@@ -27,6 +27,10 @@ if [ "$grub_platform" = "efi" ]; then
    getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
    if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
       set secure_boot="1"
+      getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
+      if [ "$gpgpubkey" != "" ]; then
+         trust_var gpgpubkey
+      fi
    fi
 fi
 
@@ -45,6 +49,9 @@ if [ "$net_default_server" != "" ]; then
    done
    if [ "$endpoint" != "" ]; then
       set url="${endpoint}?uuid=$uuid&serial=$serial&mac=$mac"
+      if [ "$gpgpubkey" != "" ]; then
+         set check_signatures="enforce"
+      fi
       configfile $url
    fi
 fi

build_library/grub_install.sh

@@ -43,7 +43,7 @@ case "${FLAGS_target}" in
         CORE_NAME="core.img"
         ;;
     x86_64-efi)
-	CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet http )
+	CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet verify http )
         CORE_NAME="core.efi"
         ;;
     x86_64-xen)