sys-boot/shim: Add a use flag to use a DER files for shim builds

Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2025-09-29 01:21:02 +02:00 · 2024-09-05 22:57:55 +05:30 · 2024-09-05 22:57:55 +05:30 · b8f290bae4
commit b8f290bae4
parent d18a373cb7
1 changed files with 10 additions and 2 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"

 LICENSE="BSD"
 SLOT="0"
-IUSE=""
+IUSE="official"

 RDEPEND=""
 # TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
@ -41,8 +41,16 @@ src_compile() {
  elif use arm64; then
    emake_args+=( ARCH=aarch64 )
  fi
-    emake_args+=( ENABLE_SBSIGN=1 )
+  emake_args+=( ENABLE_SBSIGN=1 )
+
+  if use official; then
+    if [ -z "${SHIM_SIGNING_CERTIFICATE}" ]; then
+      die "use production flag needs env SHIM_SIGNING_CERTIFICATE"
+    fi
+    emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
+  else
    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
+  fi
  emake "${emake_args[@]}" || die
 }