Merge pull request #1589 from flatcar/sayan/secureboot-changes

Initial implementation for Secure boot support

.github/workflows/portage-stable-packages-list

@@ -364,6 +364,7 @@ eclass/python-utils-r1.eclass
 eclass/readme.gentoo-r1.eclass
 eclass/ruby-single.eclass
 eclass/ruby-utils.eclass
+eclass/rpm.eclass
 eclass/savedconfig.eclass
 eclass/selinux-policy-2.eclass
 eclass/strip-linguas.eclass
@@ -507,6 +508,7 @@ sys-block/parted
 sys-block/thin-provisioning-tools
 
 sys-boot/efibootmgr
+sys-boot/mokutil
 # Updating to 3.0.17 breaks building of sys-boot/shim.
 #
 # sys-boot/gnu-efi

build_library/build_image_util.sh

@@ -828,8 +828,8 @@ EOF
 
   # Sign the kernel after /usr is in a consistent state and verity is calculated
   if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-      sudo sbsign --key /usr/share/sb_keys/DB.key \
-	   --cert /usr/share/sb_keys/DB.crt \
+      sudo sbsign --key /usr/share/sb_keys/shim.key \
+	   --cert /usr/share/sb_keys/shim.pem \
 	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"
       sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \
 	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"

build_library/grub.cfg

@@ -23,18 +23,6 @@ set linux_append=""
 
 set secure_boot="0"
 
-if [ "$grub_platform" = "efi" ]; then
-   getenv -e SecureBoot -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b sb
-   getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
-   if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
-      set secure_boot="1"
-      getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
-      if [ "$gpgpubkey" != "" ]; then
-         trust_var gpgpubkey
-      fi
-   fi
-fi
-
 if [ "$net_default_server" != "" ]; then
    smbios --type 1 --get-uuid 8 --set uuid
    smbios --type 1 --get-string 7 --set serial

build_library/grub_install.sh

@@ -50,7 +50,9 @@ CORE_NAME=
 
 # Whether the SDK's grub or the board root's grub is used. Once amd64 is
 # fixed up the board root's grub will always be used.
-BOARD_GRUB=0
+BOARD_GRUB=1
+
+SBAT_ARG=()
 
 case "${FLAGS_target}" in
     i386-pc)
@@ -58,8 +60,9 @@ case "${FLAGS_target}" in
         CORE_NAME="core.img"
         ;;
     x86_64-efi)
-	CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
+        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
         CORE_NAME="core.efi"
+        SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
         ;;
     x86_64-xen)
         CORE_NAME="core.elf"
@@ -68,6 +71,7 @@ case "${FLAGS_target}" in
         CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
         CORE_NAME="core.efi"
         BOARD_GRUB=1
+        SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
         ;;
     *)
         die_notrace "Unknown GRUB target ${FLAGS_target}"
@@ -164,7 +168,7 @@ if [[ ! -f "${ESP_DIR}/flatcar/grub/grub.cfg.tar" ]]; then
     fi
 
     sudo tar cf "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \
-	 -C "${GRUB_TEMP_DIR}" "grub.cfg"
+      -C "${GRUB_TEMP_DIR}" "grub.cfg"
 fi
 
 info "Generating ${GRUB_DIR}/${CORE_NAME}"
@@ -174,6 +178,7 @@ sudo grub-mkimage \
     --directory "${GRUB_SRC}" \
     --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \
     --memdisk "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \
+    "${SBAT_ARG[@]}" \
     --output "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
     "${CORE_MODULES[@]}"
 
@@ -192,26 +197,36 @@ case "${FLAGS_target}" in
     x86_64-efi)
         info "Installing default x86_64 UEFI bootloader."
         sudo mkdir -p "${ESP_DIR}/EFI/boot"
-	# Use the test keys for signing unofficial builds
-	if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            sudo sbsign --key /usr/share/sb_keys/DB.key \
-		--cert /usr/share/sb_keys/DB.crt \
-                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+        # Use the test keys for signing unofficial builds
+        if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            # Sign the GRUB with the shim-embedded key
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
+                --cert /usr/share/sb_keys/shim.pem \
+                "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
             sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
-                "${ESP_DIR}/EFI/boot/grub.efi"
+                "${ESP_DIR}/EFI/boot/grubx64.efi"
+            # Sign the mokmanager(mm) with the shim-embedded key
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
+                --cert /usr/share/sb_keys/shim.pem \
+                "/usr/lib/shim/mmx64.efi"
+            sudo cp "/usr/lib/shim/mmx64.efi.signed" \
+                "${ESP_DIR}/EFI/boot/mmx64.efi"
+
             sudo sbsign --key /usr/share/sb_keys/DB.key \
-                 --cert /usr/share/sb_keys/DB.crt \
-                 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
-                 "/usr/lib/shim/shim.efi"
+                --cert /usr/share/sb_keys/DB.crt \
+                --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                "/usr/lib/shim/shim.efi"
         else
             sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
-                "${ESP_DIR}/EFI/boot/grub.efi"
+                "${ESP_DIR}/EFI/boot/grubx64.efi"
             sudo cp "/usr/lib/shim/shim.efi" \
                 "${ESP_DIR}/EFI/boot/bootx64.efi"
-	fi
+            sudo cp "/usr/lib/shim/mmx64.efi" \
+                "${ESP_DIR}/EFI/boot/mmx64.efi"
+        fi
         # copying from vfat so ignore permissions
         if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \
                 "${FLAGS_copy_efi_grub}"
         fi
         if [[ -n "${FLAGS_copy_shim}" ]]; then

build_library/qemu_template.sh

@@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then
 else
     case "${VM_BOARD}+$(uname -m)" in
         amd64-usr+x86_64)
+            set -- -global ICH9-LPC.disable_s3=1 \
+                   -global driver=cfi.pflash01,property=secure,value=on \
+                   "$@"
             # Emulate the host CPU closely in both features and cores.
-            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+            set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@"
+            ;;
         amd64-usr+*)
-            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
         arm64-usr+aarch64)
             set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
         arm64-usr+*)
@@ -215,8 +219,8 @@ fi
 
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi
 
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then

build_library/vm_image_util.sh

@@ -807,14 +807,10 @@ _write_qemu_uefi_conf() {
             # Get edk2 files into local build workspace.
             info "Updating edk2 in /build/${BOARD}"
             emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
-            # Create 64MiB flash device image files.
-            dd if=/dev/zero bs=1M count=64 of="$(_dst_dir)/${flash_rw}" \
-                status=none
-            cp "/build/${BOARD}/usr/share/edk2-aarch64/QEMU_EFI.fd" \
-                "$(_dst_dir)/${flash_ro}.work"
-            truncate --reference="$(_dst_dir)/${flash_rw}" \
-                "$(_dst_dir)/${flash_ro}.work"
-            mv "$(_dst_dir)/${flash_ro}.work" "$(_dst_dir)/${flash_ro}"
+            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
+            cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
+            truncate -s 64M "$(_dst_dir)/${flash_ro}"
+            truncate -s 64M "$(_dst_dir)/${flash_rw}"
             ;;
     esac
 
@@ -825,14 +821,18 @@ _write_qemu_uefi_conf() {
 
 _write_qemu_uefi_secure_conf() {
     local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local script="$(_dst_dir)/$(_dst_name ".sh")"
 
     _write_qemu_uefi_conf
+    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
     cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 
 _write_pxe_conf() {

changelog/changes/2024-01-25-shim-secureboot-update.md

@@ -0,0 +1 @@
+- A new format `qemu_uefi_secure` is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into `qemu_uefi`.

changelog/updates/2024-01-25-shim-15.8.ebuild.md

@@ -0,0 +1 @@
+- shim ([15.8](https://github.com/rhboot/shim/releases/tag/15.8))

ci-automation/ci-config.env

@@ -66,6 +66,7 @@ QEMU_BIOS="/usr/share/qemu/bios-256k.bin"
 # UEFI bios filename on build cache.
 # Published by vms.sh as part of the qemu vendor build.
 QEMU_UEFI_BIOS="${QEMU_UEFI_BIOS:-flatcar_production_qemu_uefi_efi_code.fd}"
+QEMU_UEFI_SECURE_BIOS="${QEMU_UEFI_SECURE_BIOS:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
 
 # Update payload for the qemu_update.sh test.
 # The default path set below is relative to TEST_WORK_DIR

ci-automation/vendor-testing/qemu.sh

@@ -34,6 +34,13 @@ fi
 bios="${QEMU_BIOS}"
 if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] ; then
     bios="${QEMU_UEFI_BIOS}"
+fi
+
+if [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
+    bios="${QEMU_UEFI_SECURE_BIOS}"
+fi
+
+if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] || [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
     if [ -f "${bios}" ] ; then
         echo "++++ ${CIA_TESTSCRIPT}: Using existing ${bios} ++++"
     else

ci-automation/vendor-testing/qemu_uefi_secure.sh

@@ -0,0 +1 @@
+qemu.sh

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md

@@ -0,0 +1,18 @@
+## Keys & Certificates
+
+- PK (Platform Key): The Platform Key is the key to the platform.
+- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
+- DB (Signature Database): The signature database is used to validate signed EFI binaries.
+- Shim Certificates: Our set of certificates
+
+
+## Generation of Keys & Certificates
+
+
+Generate the our shim certificates:
+
+```
+openssl genrsa -out "shim.key" 2048
+openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
+openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
+```

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild

@@ -1,24 +0,0 @@
-# Copyright (c) 2015 CoreOS Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="CoreOS Secure Boot keys"
-HOMEPAGE=""
-SRC_URI=""
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
-IUSE=""
-
-S="${WORKDIR}"
-
-src_install() {
-	insinto /usr/share/sb_keys
-	newins "${FILESDIR}/PK.key" PK.key
-	newins "${FILESDIR}/PK.crt" PK.crt
-	newins "${FILESDIR}/KEK.key" KEK.key
-	newins "${FILESDIR}/KEK.crt" KEK.crt
-	newins "${FILESDIR}/DB.key" DB.key
-	newins "${FILESDIR}/DB.crt" DB.crt
-}

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild

@@ -0,0 +1,30 @@
+# Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Flatcar Secure Boot keys"
+HOMEPAGE=""
+SRC_URI=""
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+S="${WORKDIR}"
+
+src_install() {
+  insinto /usr/share/sb_keys
+  newins "${FILESDIR}/PK.key" PK.key
+  newins "${FILESDIR}/PK.crt" PK.crt
+  newins "${FILESDIR}/KEK.key" KEK.key
+  newins "${FILESDIR}/KEK.crt" KEK.crt
+  newins "${FILESDIR}/DB.key" DB.key
+  newins "${FILESDIR}/DB.crt" DB.crt
+
+  # shim keys
+  newins "${FILESDIR}/shim.key" shim.key
+  newins "${FILESDIR}/shim.der" shim.der
+  newins "${FILESDIR}/shim.pem" shim.pem
+}

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpPGgXHDI8K9Th
+CzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjrrOl3o+hYUzK8dbdQl2Mw
+zq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOsApjMlikSEBrevqvbVElU
+0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu05xBgdVs5cnYUYpQxNmPy
+LK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1fFZv6m8LxSMvGtxPFyh2
+Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefLWtKTdhMDF5Ni88brpuls
+MQO/dpRJAgMBAAECggEAIbJpBYG83kWk5XillSZwIBzRXke12bkBaLPxlx5oGpU3
+oT21ZSFoAoCKraYXOwJS1MP8bg8B06Jzob8SfIaICmzOwrnwwU++/gnYDZPCqvjW
+xghEg7dY/3Cm/BiJ8/Dz8RijkS/yC2ejip4pVhB0p0snsnGrn/IW0rE3ghiiBYsM
+971GSgbGp6o25rhA8/yx5+OOFvGoDX2nIymfFASSPmxiAbXcb4DmdMlrRZ6P4z51
+8WJ8gXiTYvALFVWMNtv8GJZCQFi2fHcat/mWiVzg28J4Mzz9n79E0MrZ+4pxXLFT
+lbtI6OvcjRgvsyxPwkExCsBTKnOeAdgKXKwiczBdMwKBgQD4u5NSEpx98GxiWVZX
+DtT7WuCN257S0KztWzAYpTI5SZIRv4jylZPo+JnSrCvNt4hVs0Jz/aQQXhRIzVSj
+4VrkhlxXGnJpZz1DkICIoFQLi9maazgj1aB9Y6lZeGxAlzCnDHP7pR7dxUj4FF2p
+G6udyGhb3qfsevbSdykZ7DsHMwKBgQDwDOvheT71dNlcNuKrHi89sT5SoD4A2yTv
+pyzBCvh2a+UFxveFa6l+/VgxR8AkX9z37hQxi++QFrBHnTD/NZcLijLnPI1V0pIQ
+uNym6dx1PfuCtulZ24i2Fn5zrNUiNnTLBR31Fa1RJcyJv50IoTMK6F+0Bz4Qxan1
+0Um+xgDGkwKBgAb32ky2UMQGdELdFdoihDz2cswGlxB44B9WKqbGGf4Y3Yq5vvBs
+2FPygvyv7ho5RgyAlSACvxHmUNMpTXG54n38daHLD+F8Du9RoQgy1aftJw94aX43
+geOBY0Eqan30vlwvsSAfpBm6aSzqBSWzrL8i2imYt0OcvkVvKSucvpqZAoGAWoXk
+5dAdJ976oMWp0LG/StpuECaRey0ozp8SR3HlpHKnmPghG1UwQ80x1tOh55Wm9G/5
+eX21x3Zm33qtoXAKF7Xz4DN7cOPJZTjxLJiAJE5NbEuhz9rzwQbWhLSmYxJ6FJ1H
+YMbd5v4EFeYGR9zSLMjYXkFk7Fo9748O6jwsyrUCgYEApBlTWbna9BoxiVElEmvT
+u/NgdKZIEBbeX/NWJz8BJWiBVRg5WaAeuriga/1tMhiX8dgo7z7uGm3moEsXGlVD
+IhZiJeAgMmamr1yqII1q9RTBcA7iPqKmAgto+7zwcVxRmXCMRM/daJ04uqGine+K
+dM/o7gBtadQHJ1KPftM8SqQ=
+-----END PRIVATE KEY-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUbWirlHd6eCJi2JtP3Z0GEGWTWTMwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEc2hpbTAeFw0yMzExMjMyMzAxNTBaFw00MzExMTgyMzAx
+NTBaMA8xDTALBgNVBAMMBHNoaW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDpPGgXHDI8K9ThCzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjr
+rOl3o+hYUzK8dbdQl2Mwzq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOs
+ApjMlikSEBrevqvbVElU0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu0
+5xBgdVs5cnYUYpQxNmPyLK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1
+fFZv6m8LxSMvGtxPFyh2Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefL
+WtKTdhMDF5Ni88brpulsMQO/dpRJAgMBAAGjUzBRMB0GA1UdDgQWBBSAVx8cxySJ
+XcuJa6P2jBwOxJTNpDAfBgNVHSMEGDAWgBSAVx8cxySJXcuJa6P2jBwOxJTNpDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaj3785ElsU/QkPB3B
+25xaCz23R2079ir0I6p91Zb9QM+n4fOLvEhhrb0tia1X6xaBHBtGk1kpCMP/JTQ2
+ZNW43HuVLieiQnp+oSPGVZ52HnL4keptRr4Dvm+d7K6DDcn8Lcov4euDCsVzgBKE
+EQcjIhAjKdc+nbI51cSoaDhtbBxNsF+ErsWi6+VIyBZ1ATsO6AbSZdKiE2o/3CDv
+il7KIEEJsG43bTdeeuM1d/NLOoZjAnXUPizP0BGJtEE4GljYkN7PHr3czETsRIQ0
+d5JUeoW3b2lYOf85n0ru+fCudk0NSSUyF4LEW6pLmCZCtCAb2GDQ5jeVmFF7BIFl
+M8F2
+-----END CERTIFICATE-----

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -76,6 +76,7 @@ RDEPEND="${RDEPEND}
 	amd64? (
 		app-emulation/xenserver-pv-version
 		app-emulation/xenstore
+		sys-boot/mokutil
 	)"
 
 # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating.

sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild

@@ -25,10 +25,7 @@ RDEPEND="
 		coreos-base/nova-agent-container
 		coreos-base/nova-agent-watcher
 	)
-	arm64? (
-		sys-boot/grub
-		sys-firmware/edk2-ovmf-bin
-	)
+	sys-boot/grub
 	app-containers/containerd
 	app-containers/docker
 	app-containers/docker-cli

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -104,3 +104,6 @@
 
 # Accept unstable host Rust compilers.
 =virtual/rust-1.76.0 ~amd64 ~arm64
+
+# Upgrade to latest version for secureboot
+=sys-boot/mokutil-0.6.0 ~amd64

sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in

@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,4,Free Software Foundation,grub,@@UPSTREAM_VERSION@@,https://www.gnu.org/software/grub/
+grub.flatcar,1,Flatcar,grub2,@@VERSION@@,https://github.com/flatcar/flatcar

sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild

@@ -321,6 +321,11 @@ src_install() {
 
 	# https://bugs.gentoo.org/231935
 	dostrip -x /usr/lib/grub
+
+	# SBAT format documentation https://github.com/rhboot/shim/blob/main/SBAT.md
+	dodir /usr/share/grub
+	sed -e "s/@@UPSTREAM_VERSION@@/${PV}/" -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${ED}/usr/share/grub/sbat.csv" || die
+
 }
 
 pkg_postinst() {

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest

@@ -0,0 +1 @@
+DIST shim-15.8.tar.bz2 2315201 BLAKE2B 24da29cf45a08bceffc15682fcdd16e34e42d3b33f2a0b2e528193d8e3455a034b6242c13cebf43db481f73a83329effd9812f0d1e04861ecf7329e54f9059b9 SHA512 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild

@@ -1 +0,0 @@
-shim-9999.ebuild

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild

@@ -0,0 +1,55 @@
+# Copyright 2015 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit multilib
+
+DESCRIPTION="UEFI Shim loader"
+HOMEPAGE="https://github.com/rhboot/shim"
+SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
+KEYWORDS="amd64 arm64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE=""
+
+RDEPEND=""
+# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
+# currently the shim insists on using the bundled copy. This will need
+# to be addressed by patching this check out after making sure that
+# our copy of gnu-efi is as usable as the bundled one.
+DEPEND="
+  dev-libs/openssl
+  coreos-base/coreos-sb-keys
+"
+src_compile() {
+  local emake_args=(
+    CROSS_COMPILE="${CHOST}-"
+  )
+  # Apparently our environment already has the ARCH variable in
+  # it, and Makefile picks it up instead of figuring it out
+  # itself with the compiler -dumpmachine flag. But also it
+  # expects a different format of the values. It wants x86_64
+  # instead of amd64, and aarch64 instead of arm64.
+  if use amd64; then
+    emake_args+=( ARCH=x86_64 )
+  elif use arm64; then
+    emake_args+=( ARCH=aarch64 )
+  fi
+    emake_args+=( ENABLE_SBSIGN=1 )
+    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
+  emake "${emake_args[@]}" || die
+}
+
+src_install() {
+  local suffix
+  suffix=''
+  if use amd64; then
+    suffix=x64
+  elif use arm64; then
+    suffix=aa64
+  fi
+  insinto /usr/lib/shim
+  newins "shim${suffix}.efi" 'shim.efi'
+  newins "mm${suffix}.efi" "mm${suffix}.efi"
+}

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild

@@ -1,43 +0,0 @@
-# Copyright 2015 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-CROS_WORKON_PROJECT="flatcar/shim"
-CROS_WORKON_REPO="https://github.com"
-
-if [[ "${PV}" == 9999 ]]; then
-	KEYWORDS="~amd64 ~arm64"
-else
-	CROS_WORKON_COMMIT="e98d00c2eb00b1cfb25212f7527ed47d8ab3bb3a"
-	KEYWORDS="amd64 arm64"
-fi
-
-inherit cros-workon multilib
-
-DESCRIPTION="UEFI Shim loader"
-HOMEPAGE="https://github.com/rhinstaller/shim"
-
-LICENSE="BSD"
-SLOT="0"
-IUSE=""
-
-RDEPEND=""
-DEPEND="sys-boot/gnu-efi dev-libs/openssl"
-
-src_unpack() {
-	cros-workon_src_unpack
-	default_src_unpack
-}
-
-src_compile() {
-	emake \
-		CROSS_COMPILE="${CHOST}-" \
-		EFI_INCLUDE="${SYSROOT%/}"/usr/include/efi \
-		EFI_PATH="${SYSROOT%/}"/usr/$(get_libdir) \
-		shim.efi || die
-}
-
-src_install() {
-	insinto /usr/lib/shim
-	doins "shim.efi"
-}

sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest

@@ -1 +1 @@
-DIST QEMU_EFI.fd 2097152 BLAKE2B 0b65476a7b7363d7ab195dddf59fc69f8c3352de0e41a33cd967629300ee0affc063056603ac5fb53e2b11933060894f74fc8384f117eee6344b518c382eb58a SHA512 ebf456fe789a52ae3a367a1f277255d3db3602af4206fc9a4f8912580312f9262d61221df8f894392dffc98a85535be86196336edc12e0df709110df4b477313
+DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b

sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild

@@ -1,22 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="Linaro edk2 ARM64 EFI firmware"
-HOMEPAGE="https://github.com/tianocore/edk2"
-SRC_URI="http://releases.linaro.org/reference-platform/enterprise/firmware/18.02/release/qemu-aarch64/QEMU_EFI.fd"
-
-LICENSE="BSD-2-Clause-Patent"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-
-src_unpack() {
-	mkdir "${S}"
-	cp ../distdir/"${A}" "${S}"/QEMU_EFI.fd
-}
-
-src_install() {
-	mkdir -p "${D}/usr/share/edk2-aarch64"
-	cp QEMU_EFI.fd "${D}/usr/share/edk2-aarch64/QEMU_EFI.fd"
-}

sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild

@@ -0,0 +1,23 @@
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit rpm
+
+DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware"
+HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/"
+SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm"
+
+LICENSE="BSD-2-Clause-Patent openssl"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+
+S="${WORKDIR}"
+
+src_install() {
+	# Avoid collision with qemu installed config file
+	mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json
+	insinto /
+	doins -r *
+}

sdk_container/src/third_party/portage-stable/eclass/rpm.eclass

@@ -0,0 +1,146 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: rpm.eclass
+# @MAINTAINER:
+# base-system@gentoo.org
+# @SUPPORTED_EAPIS: 6 7 8
+# @BLURB: convenience class for extracting RPMs
+
+case ${EAPI} in
+	6) inherit epatch eutils ;; # eutils for eqawarn
+	7|8) ;;
+	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ -z ${_RPM_ECLASS} ]] ; then
+_RPM_ECLASS=1
+
+inherit estack
+
+case ${EAPI} in
+	6) DEPEND="app-arch/rpm2targz" ;;
+	*) BDEPEND="app-arch/rpm2targz" ;;
+esac
+
+# @FUNCTION: rpm_unpack
+# @USAGE: <rpms>
+# @DESCRIPTION:
+# Unpack the contents of the specified rpms like the unpack() function.
+rpm_unpack() {
+	[[ $# -eq 0 ]] && set -- ${A}
+	local a
+	for a in "$@" ; do
+		echo ">>> Unpacking ${a} to ${PWD}"
+		if [[ ${a} == ./* ]] ; then
+			: # nothing to do -- path is local
+		elif [[ ${a} == "${DISTDIR}"/* ]] ; then
+			eqawarn 'do not use ${DISTDIR} with rpm_unpack -- it is added for you'
+		elif [[ ${a} == /* ]] ; then
+			eqawarn 'do not use full paths with rpm_unpack -- use ./ paths instead'
+		else
+			a="${DISTDIR}/${a}"
+		fi
+		rpm2tar -O "${a}" | tar xf -
+		assert "failure unpacking ${a}"
+	done
+}
+
+# @FUNCTION: srcrpm_unpack
+# @USAGE: <rpms>
+# @DESCRIPTION:
+# Unpack the contents of the specified rpms like the unpack() function as well
+# as any archives that it might contain.  Note that the secondary archive
+# unpack isn't perfect in that it simply unpacks all archives in the working
+# directory (with the assumption that there weren't any to start with).
+srcrpm_unpack() {
+	[[ $# -eq 0 ]] && set -- ${A}
+	rpm_unpack "$@"
+
+	# no .src.rpm files, then nothing to do
+	[[ "$* " != *".src.rpm " ]] && return 0
+
+	eshopts_push -s nullglob
+
+	# unpack everything
+	local a
+	for a in *.tar.{gz,bz2,xz} *.t{gz,bz2,xz} *.zip *.ZIP ; do
+		unpack "./${a}"
+		rm -f "${a}" || die
+	done
+
+	eshopts_pop
+
+	return 0
+}
+
+# @FUNCTION: rpm_src_unpack
+# @DESCRIPTION:
+# Automatically unpack all archives in ${A} including rpms.  If one of the
+# archives in a source rpm, then the sub archives will be unpacked as well.
+rpm_src_unpack() {
+	local a
+	for a in ${A} ; do
+		case ${a} in
+		*.rpm) srcrpm_unpack "${a}" ;;
+		*)     unpack "${a}" ;;
+		esac
+	done
+}
+
+# @FUNCTION: rpm_spec_epatch
+# @USAGE: [spec]
+# @DEPRECATED: none
+# @DESCRIPTION:
+# Read the specified spec (defaults to ${PN}.spec) and attempt to apply
+# all the patches listed in it.  If the spec does funky things like moving
+# files around, well this won't handle that.
+rpm_spec_epatch() {
+	# no epatch in EAPI 7 and later
+	[[ ${EAPI} == 6 ]] || die "${FUNCNAME} is banned in EAPI ${EAPI}"
+
+	local p spec=$1
+	local dir
+
+	if [[ -z ${spec} ]] ; then
+		# search likely places for the spec file
+		for spec in "${PWD}" "${S}" "${WORKDIR}" ; do
+			spec+="/${PN}.spec"
+			[[ -e ${spec} ]] && break
+		done
+	fi
+	[[ ${spec} == */* ]] \
+		&& dir=${spec%/*} \
+		|| dir=
+
+	ebegin "Applying patches from ${spec}"
+
+	grep '^%patch' "${spec}" | \
+	while read line ; do
+		# expand the %patch line
+		set -- ${line}
+		p=$1
+		shift
+
+		# process the %patch arguments
+		local arg
+		EPATCH_OPTS=
+		for arg in "$@" ; do
+			case ${arg} in
+			-b) EPATCH_OPTS+=" --suffix" ;;
+			*)  EPATCH_OPTS+=" ${arg}" ;;
+			esac
+		done
+
+		# extract the patch name from the Patch# line
+		set -- $(grep "^P${p#%p}: " "${spec}")
+		shift
+		epatch "${dir:+${dir}/}$*"
+	done
+
+	eend
+}
+
+fi
+
+EXPORT_FUNCTIONS src_unpack

sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest

@@ -0,0 +1 @@
+DIST mokutil-0.6.0.tar.gz 38047 BLAKE2B f2307807c700091f1e5a783b3ad8e7b3eaa17e05580b2c24fd0e92433c6b9bedfb51e9eb2d5d1c71448623b12b6667a573dd51ed03fc738aaf9815083e118ca0 SHA512 11a9d172dba4fbb674e58e5d82cb1dc65a80cff844c0eaebd106b4d4608b24a8207e0cfabf36fe1eedb67f68a8a18db2136c7b62aa3230ac104615e8284dbd7d

sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch

@@ -0,0 +1,38 @@
+From dd55c28236809fc30a7f079882914cde45560277 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 30 Jun 2023 10:36:54 +0800
+Subject: [PATCH] Avoid conflicting efi_char16_t type definitions
+
+It's not necessary to define 'efi_char16_t' as 'wchar_t' since we don't
+need any wchar functions. Besides, it may conflict with efivar-38. This
+commit defines 'efi_char16_t' as 'uint16_t' and adds the conditional
+check to avoid the potential conflict.
+
+Fixes: https://github.com/lcp/mokutil/issues/66
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/mokutil.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.h b/src/mokutil.h
+index d47a380..bd02608 100644
+--- a/src/mokutil.h
++++ b/src/mokutil.h
+@@ -33,13 +33,14 @@
+ #define __MOKUTIL_H__
+ 
+ #include <ctype.h>
+-#include <wchar.h>
+ 
+ #include "signature.h"
+ 
+ typedef unsigned long efi_status_t;
+ typedef uint8_t efi_bool_t;
+-typedef wchar_t efi_char16_t;		/* UNICODE character */
++#ifndef efi_char16_t
++typedef uint16_t efi_char16_t;		/* UNICODE character */
++#endif
+ 
+ typedef enum {
+ 	DELETE_MOK = 0,

sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zerochaos@gentoo.org</email>
+		<name>Rick Farina</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">lcp/mokutil</remote-id>
+	</upstream>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild

@@ -0,0 +1,28 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="The utility to manipulate machines owner keys which managed in shim"
+HOMEPAGE="https://github.com/lcp/mokutil"
+SRC_URI="https://github.com/lcp/mokutil/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="dev-libs/openssl:=
+	sys-apps/keyutils:=
+	sys-libs/efivar:=
+	virtual/libcrypt:="
+RDEPEND="${DEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=( "${FILESDIR}"/mokutil-0.6.0-conflict.patch )
+
+src_prepare() {
+	default
+	eautoreconf
+}