secure boot: move pub key to git repo

New git repo cgcs-root/public-keys is available now for public keys used in secure boot process. This commit moves the keys from integ to the git repo. Keys involved: boot_pub_key tis-boot.crt tis-shim.der For grub-efi, the "src_files" in meta_data.yaml can't cause the files copied to source code dir when "dl_hook" exists. So remove the useless "src_files" settings here. Test plan: The tests are done with all the changes which involve public-keys/integ/root repos for this enhancement about pub keys. - PASS: rebuild gurb-efi/efitools/shim packages; - PASS: follow the process to build iso image for secure boot; - PASS: installation test on AIO-DX lab with secure boot enabled. Story: 2009221 Task: 47358 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c
2023-02-10 10:15:56 +08:00 · 2023-02-10 10:15:56 +08:00 · 8171154a6b
parent 813b15cf06
commit 8171154a6b
7 changed files with 3 additions and 27 deletions
--- a/grub/grub-efi/debian/dl_hook
+++ b/grub/grub-efi/debian/dl_hook
@ -39,3 +39,4 @@ then
    exit 1
 fi
 cp ../local_debian/files/* ./
+cp ${MY_REPO}/public-keys/boot_pub_key ./
--- a/grub/grub-efi/debian/files/boot_pub_key
+++ b/grub/grub-efi/debian/files/boot_pub_key
--- a/grub/grub-efi/debian/meta_data.yaml
+++ b/grub/grub-efi/debian/meta_data.yaml
@ -16,12 +16,6 @@ dl_files:
      "https://snapshot.debian.org/archive/debian/20211128T160803Z/\
       pool/main/g/grub2/grub2_2.06-1.debian.tar.xz"
    sha256sum: 16a1a89d93abf8beb148dc30738be1bda05ed3c09cfffd4a1f5e1a0328c74b26
-src_files:
-  - debian/files/boot_cfg_pw
-  - debian/files/boot_pub_key
-  - debian/files/cfg
-  - debian/files/cfg_nosecure
-  - debian/files/grub-runtime.cfg
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: true
--- a/security/efitools/debian/meta_data.yaml
+++ b/security/efitools/debian/meta_data.yaml
@ -9,6 +9,7 @@ dl_path:
  sha256sum: 69f02c5b588b666075ed4d390655cf3bfe7f7e2daae643423cd052e081e1368a
 src_files:
  - debian/uefi_sb_keys
+  - ${MY_REPO}/public-keys/tis-boot.crt
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: true
--- a/security/efitools/debian/uefi_sb_keys/tis-boot.crt
+++ b/security/efitools/debian/uefi_sb_keys/tis-boot.crt
@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD
-QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX
-aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1
-OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250
-YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl
-bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb
-qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl
-s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8
-wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX
-xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD
-d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ
-Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd
-beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG
-7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI
-0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F
-cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis
-a16FUsgrac0uAQa55IQ=
-----END CERTIFICATE-----
--- a/security/shim-unsigned/debian/meta_data.yaml
+++ b/security/shim-unsigned/debian/meta_data.yaml
@ -8,7 +8,7 @@ dl_path:
  md5sum: eb6db0c9b8b4257d77ed07a81cd3a7b8
  sha256sum: 06341378fc89836ee3355ff9ade263105a9ab445de8b065c0989eec8c55769c8
 src_files:
-  - files/tis-shim.der
+  - ${MY_REPO}/public-keys/tis-shim.der
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: true
--- a/security/shim-unsigned/files/tis-shim.der
+++ b/security/shim-unsigned/files/tis-shim.der