From 1974b3f570c0a21ec5e4cfe7d806c58a01a7dd0c Mon Sep 17 00:00:00 2001
From: Don Penney
Date: Fri, 7 May 2021 09:01:47 -0400
Subject: [PATCH] Copy shim.efi to /pxeboot for UEFI pxeboot support

Package a copy of the shim.efi file to /pxeboot to support UEFI secure boot. The recent grub2 update for CVE-2020-15705 requires the use of shim.efi in order to support kernel signature validation.

Change-Id: If87925e1697b34d7ff1a7a770d9f13619dd9dd52
Partial-Bug: 1927730
Signed-off-by: Don Penney
---
 .../0003-Support-pxeboot-secure-boot.patch | 43 +++++++++++++++++++
 .../centos/meta_patches/PATCH_ORDER | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch

diff --git a/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch b/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch
new file mode 100644
index 000000000..572c33744
--- /dev/null
+++ b/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch
@@ -0,0 +1,43 @@
+From e8566efa702a88c1efe15daaf52b3a00446f1d8c Mon Sep 17 00:00:00 2001
+From: Don Penney
+Date: Thu, 6 May 2021 13:42:27 -0400
+Subject: [PATCH] Support pxeboot secure boot
+
+In order to support secure boot with pxeboot, we need to package the
+shim.efi file in /pxeboot/EFI, accessible to tftp for the UEFI
+install. As well, please note that while /boot/efi/EFI/centos/shim.efi
+and other files provided by the shim-x64 package are only accessible
+to root, the file under /pxeboot must have broader permissions so that
+the dnsmasq-tftp daemon is able to serve it to the requesting host.
+Therefore, its file permissions are set to be readable to all.
+
+Signed-off-by: Don Penney
+---
+ SPECS/shim-signed.spec | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+index 20cdc80..978818a 100755
+--- a/SPECS/shim-signed.spec
++++ b/SPECS/shim-signed.spec
+@@ -227,6 +227,9 @@ install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.C
+ 
+ install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
+ install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
++
++# pxeboot support
++install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi
+ %endif
+ 
+ cd mokutil-%{mokutil_version}
+@@ -243,6 +246,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+ /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
+ /boot/efi/EFI/BOOT/fallback.efi
+ /boot/efi/EFI/%{efidir}/shim.efi
++%attr(755,root,root) /pxeboot/EFI/shim.efi
+ 
+ %ifarch x86_64
+ /boot/efi/EFI/%{efidir}/BOOT.CSV
+-- 
+2.29.2
+
diff --git a/security/shim-signed/centos/meta_patches/PATCH_ORDER b/security/shim-signed/centos/meta_patches/PATCH_ORDER
index 88969c0f1..6cddcd319 100644
--- a/security/shim-signed/centos/meta_patches/PATCH_ORDER
+++ b/security/shim-signed/centos/meta_patches/PATCH_ORDER
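Review bot: The new `install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi` and the matching `%attr(755,root,root) /pxeboot/EFI/shim.efi` entry grant the execute bit, while the patch description only justifies making the file readable to the dnsmasq-tftp daemon; a TFTP-served UEFI binary is never executed by the host, so `0644` is the least-privilege mode that still serves the stated purpose, i.e. `install -D -p -m 0644 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi` and `%attr(644,root,root) /pxeboot/EFI/shim.efi`. Keeping the relaxation that narrow matters because the sibling copies under /boot/efi are deliberately installed 0700. Separately, the install copies the x86_64-only `shimx64.efi` from inside a conditional block whose closing `%endif` is visible but whose opening `%if` lies outside the hunk, whereas the `%files` entry is placed before, not inside, the `%ifarch x86_64` guard that follows it; if that install block is arch-conditional, non-x86_64 builds would list a file that was never installed, so the `%attr` line presumably belongs under `%ifarch x86_64` — confirm against the rest of the spec. A short comment next to the `%files` entry, such as `# world-readable so dnsmasq-tftp can serve it for UEFI PXE; integrity is enforced by firmware signature checks, not by file mode`, would record why this copy is the one exception to 0700.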
@@ -1,2 +1,3 @@
 0001-Titanium-release-info.patch
 0002-Use-presigned-binaries.patch
+0003-Support-pxeboot-secure-boot.patch