From 707803ed43e9874aa9cea4d79ea1ad33649bb1b5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Mon, 13 Apr 2015 14:15:57 -0700
Subject: [PATCH] Add support for Secure Boot images and sign unofficial builds with test keys

Add qemu_uefi_secure target for building Secure Boot images. These are identical to qemu_uefi images with the exception that the test keys have been installed into the flash image, enabling Secure Boot by default.

In addition, sign the grub binary with the test keys during build when producing unofficial images.
---
 build_library/grub_install.sh | 13 +++++++++++--
 build_library/vm_image_util.sh | 17 +++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 8b69850023..b3448508d1 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -141,8 +141,17 @@ case "${FLAGS_target}" in
 x86_64-efi)
 info "Installing default x86_64 UEFI bootloader."
 sudo mkdir -p "${ESP_DIR}/EFI/boot"
- sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
- "${ESP_DIR}/EFI/boot/bootx64.efi"
+ # Use the test keys for signing unofficial builds
+ if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+ sudo sbsign --key /usr/share/sb_keys/DB.key \
+ --cert /usr/share/sb_keys/DB.crt \
+ "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+ sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
+ "${ESP_DIR}/EFI/boot/bootx64.efi"
+ else
+ sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
+ "${ESP_DIR}/EFI/boot/bootx64.efi"
+ fi
 ;;
 x86_64-xen)
 info "Installing default x86_64 Xen bootloader."
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index ade8098880..75db149ced 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -12,6 +12,7 @@ VALID_IMG_TYPES=(
 openstack
 qemu
 qemu_uefi
+ qemu_uefi_secure
 qemu_xen
 rackspace
 rackspace_onmetal
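Review bot: The freshly signed bootloader is never verified after `sbsign`, and the intermediate `${CORE_NAME}.signed` is left behind in `${ESP_DIR}/${GRUB_DIR}` next to the unsigned core image. Signing straight to the destination drops the copy and the stray file: `sudo sbsign --key /usr/share/sb_keys/DB.key --cert /usr/share/sb_keys/DB.crt \` / `--output "${ESP_DIR}/EFI/boot/bootx64.efi" "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"`, followed by `sudo sbverify --cert /usr/share/sb_keys/DB.crt "${ESP_DIR}/EFI/boot/bootx64.efi"` so a bootloader the firmware would reject fails the build here rather than at first boot. The key directory `/usr/share/sb_keys` is hard-coded here and again in vm_image_util.sh's `_write_qemu_uefi_secure_conf`; a single `SB_KEYS_DIR` variable would keep the signing key and the enrolled db certificate from drifting apart. Whether a failed `sbsign` aborts the build depends on the script's `set -e` state, which is outside the hunk, as is the rest of the enclosing `case` statement.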
@@ -115,6 +116,10 @@
 IMG_qemu_uefi_DISK_FORMAT=qcow2
 IMG_qemu_uefi_DISK_LAYOUT=vm
 IMG_qemu_uefi_CONF_FORMAT=qemu_uefi
+IMG_qemu_uefi_secure_DISK_FORMAT=qcow2
+IMG_qemu_uefi_secure_DISK_LAYOUT=vm
+IMG_qemu_uefi_secure_CONF_FORMAT=qemu_uefi_secure
+
 IMG_qemu_xen_DISK_FORMAT=qcow2
 IMG_qemu_xen_DISK_LAYOUT=vm
 IMG_qemu_xen_CONF_FORMAT=qemu_xen
@@ -590,6 +595,18 @@ _write_qemu_uefi_conf() {
 VM_GENERATED_FILES+=( "$(_dst_dir)/${ovmf_ro}" "$(_dst_dir)/${ovmf_rw}" )
 }
 
+_write_qemu_uefi_secure_conf() {
+ local ovmf_rw="$(_dst_name "_ovmf_vars.fd")"
+
+ _write_qemu_uefi_conf
+ cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
+ cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
+ cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
+ flash-var "$(_dst_dir)/${ovmf_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
+ flash-var "$(_dst_dir)/${ovmf_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
+ flash-var "$(_dst_dir)/${ovmf_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+}
+
 _write_qemu_xen_conf() {
 local script="$(_dst_dir)/$(_dst_name ".sh")"
 local dst_name=$(basename "$VM_DST_IMG")
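Review bot: `_write_qemu_uefi_secure_conf` enrolls the keys shipped under `/usr/share/sb_keys` as PK, KEK and db without saying what that buys, and since the commit describes them as test keys the resulting image boots with Secure Boot enabled but trusts a signer that is not private to this build; a header comment should state that limit, e.g. `# Enrol the test keys into the OVMF variable store so Secure Boot is on by default.` / `# These keys are public: this exercises the Secure Boot path, it is not a production trust anchor.`. `local ovmf_rw="$(_dst_name "_ovmf_vars.fd")"` also masks `_dst_name`'s exit status (ShellCheck SC2155); declare and assign separately: `local ovmf_rw` then `ovmf_rw="$(_dst_name "_ovmf_vars.fd")"`. The three `.esl` files written to `${VM_TMP_DIR}` are not registered anywhere in the hunk, and whether that directory is removed at exit cannot be seen from here, so confirm they do not outlive the build.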