sys-boot/shim: Update shim to include signing keys, and build mm.efi

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
Sayan Chowdhury 2023-11-24 04:41:17 +05:30 committed by Kai Lueke
parent 348a26201a
commit b42e3ad58b
3 changed files with 31 additions and 6 deletions


@ -0,0 +1,18 @@
## Keys & Certificates
- PK (Platform Key): The Platform Key is the key to the platform.
- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
- DB (Signature Database): The signature database is used to validate signed EFI binaries.
- Shim Certificates: Our set of certificates
## Generation of Keys & Certificates
Generate the our shim certificates:
```
openssl genrsa -out "shim.key" 2048
openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
```


@ -1,14 +1,15 @@
# Copyright (c) 2015 CoreOS Inc. # Copyright (c) 2015 CoreOS Inc.
# Copyright (c) 2024 The Flatcar Maintainers.
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI=7 EAPI=8
DESCRIPTION="Flatcar Secure Boot keys" DESCRIPTION="Flatcar Secure Boot keys"
HOMEPAGE="" HOMEPAGE=""
SRC_URI="" SRC_URI=""
LICENSE="BSD" LICENSE="BSD"
SLOT="0" SLOT="0"
KEYWORDS="amd64 arm arm64 x86" KEYWORDS="amd64 arm64"
IUSE="" IUSE=""
S="${WORKDIR}" S="${WORKDIR}"


@ -26,7 +26,10 @@ RDEPEND=""
# currently the shim insists on using the bundled copy. This will need # currently the shim insists on using the bundled copy. This will need
# to be addressed by patching this check out after making sure that # to be addressed by patching this check out after making sure that
# our copy of gnu-efi is as usable as the bundled one. # our copy of gnu-efi is as usable as the bundled one.
DEPEND="dev-libs/openssl" DEPEND="
dev-libs/openssl
coreos-base/coreos-sb-keys
"
src_unpack() { src_unpack() {
cros-workon_src_unpack cros-workon_src_unpack
@ -47,6 +50,8 @@ src_compile() {
elif use arm64; then elif use arm64; then
emake_args+=( ARCH=aarch64 ) emake_args+=( ARCH=aarch64 )
fi fi
emake_args+=( ENABLE_SBSIGN=1 )
emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
emake "${emake_args[@]}" || die emake "${emake_args[@]}" || die
} }
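Review bot: `VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der"` is an absolute path on the build host, but the certificate is provided by `coreos-base/coreos-sb-keys`, which the `@ -26,7 +26,10 @@` hunk adds to DEPEND, so when this ebuild is built against a board sysroot the file lives under the sysroot rather than `/`; if the ebuild is EAPI 7 or later (the EAPI line is outside these hunks) this should read `VENDOR_CERT_FILE="${ESYSROOT}/usr/share/sb_keys/shim.der"`, preceded by `[[ -f "${ESYSROOT}/usr/share/sb_keys/shim.der" ]] || die "shim vendor certificate missing"` so a missing certificate fails with a clear message. Because this certificate is what shim trusts for everything it subsequently loads, a comment above the assignment would help the next maintainer, e.g. `# Embed the Flatcar shim certificate: every binary shim loads (MokManager, the bootloader) must be signed by the matching key`. `ENABLE_SBSIGN=1` appears to select sbsign over pesign in shim's Makefile, so if it actually takes effect here a build-time dependency on sbsigntools is needed and the DEPEND hunk does not add one; if it is a no-op for this shim version, a comment saying why it is set would avoid the question. In the `@ -60,4 +65,5 @@` hunk, `newins "mm${suffix}.efi" "mm${suffix}.efi"` keeps the file name unchanged and is plainer as `doins "mm${suffix}.efi"`. src_compile begins before this hunk.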
@ -60,4 +65,5 @@ src_install() {
fi fi
insinto /usr/lib/shim insinto /usr/lib/shim
newins "shim${suffix}.efi" 'shim.efi' newins "shim${suffix}.efi" 'shim.efi'
newins "mm${suffix}.efi" "mm${suffix}.efi"
} }