From 8171154a6b39ccc8002576d02318fde6e1be9ce9 Mon Sep 17 00:00:00 2001 From: Li Zhou Date: Fri, 10 Feb 2023 10:15:56 +0800 Subject: [PATCH] secure boot: move pub key to git repo New git repo cgcs-root/public-keys is available now for public keys used in secure boot process. This commit moves the keys from integ to the git repo. Keys involved: boot_pub_key tis-boot.crt tis-shim.der For grub-efi, the "src_files" in meta_data.yaml can't cause the files copied to source code dir when "dl_hook" exists. So remove the useless "src_files" settings here. Test plan: The tests are done with all the changes which involve public-keys/integ/root repos for this enhancement about pub keys. - PASS: rebuild gurb-efi/efitools/shim packages; - PASS: follow the process to build iso image for secure boot; - PASS: installation test on AIO-DX lab with secure boot enabled. Story: 2009221 Task: 47358 Signed-off-by: Li Zhou Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c --- grub/grub-efi/debian/dl_hook | 1 + grub/grub-efi/debian/files/boot_pub_key | Bin 1172 -> 0 bytes grub/grub-efi/debian/meta_data.yaml | 6 ------ security/efitools/debian/meta_data.yaml | 1 + .../efitools/debian/uefi_sb_keys/tis-boot.crt | 20 ------------------ security/shim-unsigned/debian/meta_data.yaml | 2 +- security/shim-unsigned/files/tis-shim.der | Bin 865 -> 0 bytes 7 files changed, 3 insertions(+), 27 deletions(-) delete mode 100644 grub/grub-efi/debian/files/boot_pub_key delete mode 100644 security/efitools/debian/uefi_sb_keys/tis-boot.crt delete mode 100644 security/shim-unsigned/files/tis-shim.der
diff --git a/grub/grub-efi/debian/dl_hook b/grub/grub-efi/debian/dl_hook
index 7791acde6..6f012e5b6 100755
--- a/grub/grub-efi/debian/dl_hook
+++ b/grub/grub-efi/debian/dl_hook
@@ -39,3 +39,4 @@ then
 exit 1
 fi
 cp ../local_debian/files/* ./
+cp ${MY_REPO}/public-keys/boot_pub_key ./ 
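Review bot: The new `cp ${MY_REPO}/public-keys/boot_pub_key ./` has no failure handling, while the if/then block just above it in the same script exits with 1 on its failure case; if MY_REPO is unset or the key is missing, cp only prints an error and, unless dl_hook runs under `set -e` (not visible in the hunk), the build goes on without the public key that grub is meant to trust. Quote the expansion and fail explicitly: `cp "${MY_REPO}/public-keys/boot_pub_key" ./ || { echo "boot_pub_key not found under ${MY_REPO}/public-keys" >&2; exit 1; }`. Since this file is the trust anchor for the secure-boot signature check, comparing it against a pinned digest at this point (a `sha256sum -c` against a recorded value) would also catch a stale or substituted key before it is embedded. The enclosing if/then block and the rest of dl_hook begin and continue outside the hunk.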
diff --git a/grub/grub-efi/debian/files/boot_pub_key b/grub/grub-efi/debian/files/boot_pub_key deleted file mode 100644 index f9e50a6261dac4569e146bf6ac2579ccd1171667..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1172 zcmV;F1Z(@50u2ORvKpBI5CGCae)L|SWamGk`?i_#9R0wznWdQqsRIpWI)?+))z|fn6?~5H!sQ+_FECHM_+Pd( zC{6+{%UTfROND({H|kdpJsGh#-!=CPZVOz*8i!v1mNXm@-gE43y`I+p;T3GnOTai{ zVy#a2=_%#k=&|`+nCL*cwjgz@F9xBUa>Vh(Hl+@E{>0bGl7=;FORhJ)O8b8ML|*nV zXm$$9I_2MFhh-8l_bC+yxu!$8a@#&l?7t!3-VDy53KqFdruS}RK92$O{dS)bH=4rrU?U9 zxUkaiC&&ChWT#p%rpf8U9uXP z0vj&{3ke7Z0tOWd2?z@U1Qr4V0RkQY0vCV)3JDONFoyYV?#whaSr7oNA!(IEtY=S| zfMYi$wAIz03H*b(SfY%rA^|wICE^Jn-j4C_HHAmFY-(Gvjs~t+FzEBystdgcx!@M+B>C+Q^k*A+tE8o zoQcGF-kbL)#dzKP0_7XIj96(URNeL8V#>_O61`nrw9{mdtncpHb`R?jMc?(xKDi1# z8G)i$eV#sKyXx^bk2`T_?O0h}|FD>c*&uO^-u#PLWJPgaNNztQuGyz{JU$0AskQLF z)FQUAzkr4w@+d}VMZk7VCd2U))gbus`>XRJjMReeB6j0dsagz2f=peeOEwF*=Bbq~ z1D%oP?%N3QJ_&Uqg_}pS9oMNT2a2mmcG`5^p53oN{{Wddqp|9}O38V3hBtxDmj3@T zoIZJYs|=}$_rRDEo?u`SVnP-(K6I0~zjR`%IGunrxq_3+bjpt-a@ZU>sg*@w$rWvE zZXdlIceo1=$k);ZI~)$19R0@57H|t9uPkOYt5HjDO0kV|s39x>pKb9rzT?PpjRS&~ z$d5vN`+Zz=lUQPkSNX$I*s9pu`;(vMMP+R!_BMWm%4 m_s`iFw1Pp#3Gb}qR}3Ni>D4SibV3zS&>6{Lj!&(Dse)>aE-)wn diff --git a/grub/grub-efi/debian/meta_data.yaml b/grub/grub-efi/debian/meta_data.yaml index 965e15ed4..a19b5f7e7 100644 --- a/grub/grub-efi/debian/meta_data.yaml +++ b/grub/grub-efi/debian/meta_data.yaml @@ -16,12 +16,6 @@ dl_files: "https://snapshot.debian.org/archive/debian/20211128T160803Z/\ pool/main/g/grub2/grub2_2.06-1.debian.tar.xz" sha256sum: 16a1a89d93abf8beb148dc30738be1bda05ed3c09cfffd4a1f5e1a0328c74b26 -src_files: - - debian/files/boot_cfg_pw - - debian/files/boot_pub_key - - debian/files/cfg - - debian/files/cfg_nosecure - - debian/files/grub-runtime.cfg revision: dist: $STX_DIST PKG_GITREVCOUNT: true diff --git a/security/efitools/debian/meta_data.yaml b/security/efitools/debian/meta_data.yaml index 51de784ca..d3b810744 100644 
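Review bot: With the whole `src_files:` list removed, meta_data.yaml no longer records that boot_cfg_pw, cfg, cfg_nosecure, grub-runtime.cfg and the public key reach the source tree at all; the reason (dl_hook copies them, and src_files is ignored when a dl_hook exists) lives only in the commit message. A comment after the `sha256sum:` line of the dl_files entry, e.g. `# local files and the secure-boot public key are staged by debian/dl_hook, not src_files`, would keep that visible to whoever next audits which inputs enter the signed grub build. Whether the build tool really ignores src_files when dl_hook is present cannot be confirmed from this hunk.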
--- a/security/efitools/debian/meta_data.yaml +++ b/security/efitools/debian/meta_data.yaml @@ -9,6 +9,7 @@ dl_path: sha256sum: 69f02c5b588b666075ed4d390655cf3bfe7f7e2daae643423cd052e081e1368a src_files: - debian/uefi_sb_keys + - ${MY_REPO}/public-keys/tis-boot.crt revision: dist: $STX_DIST PKG_GITREVCOUNT: true diff --git a/security/efitools/debian/uefi_sb_keys/tis-boot.crt b/security/efitools/debian/uefi_sb_keys/tis-boot.crt deleted file mode 100644 index 2bb80ca65..000000000 --- a/security/efitools/debian/uefi_sb_keys/tis-boot.crt +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD -QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX -aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1 -OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250 -YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl -bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb -qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl -s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8 -wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX -xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD -d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ -Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd -beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG -7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI -0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F -cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis -a16FUsgrac0uAQa55IQ= ------END CERTIFICATE----- diff --git a/security/shim-unsigned/debian/meta_data.yaml b/security/shim-unsigned/debian/meta_data.yaml index 03a422700..5c0616b1c 100644 --- a/security/shim-unsigned/debian/meta_data.yaml 
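Review bot: `- ${MY_REPO}/public-keys/tis-boot.crt` is the only src_files entry that depends on a shell-style variable being expanded by the build tool; the other entry is a repo-relative path, and the file's existing `$STX_DIST` reference uses the unbraced form, so whether `${MY_REPO}` is expanded here, and what happens when MY_REPO is unset (a literal path would silently miss the certificate), cannot be confirmed from the hunk. The shim-unsigned meta_data.yaml hunk has the same dependency. Separately, this commit deletes tis-boot.crt from debian/uefi_sb_keys while the `- debian/uefi_sb_keys` entry stays; if that directory is now empty it will not exist in a fresh checkout, so the entry should be dropped or its remaining contents noted in a comment. The certificate is also the only input here without a checksum next to it, unlike the tarball's sha256sum; a documented fingerprint for the expected key would make substitution detectable at build time.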
+++ b/security/shim-unsigned/debian/meta_data.yaml @@ -8,7 +8,7 @@ dl_path: md5sum: eb6db0c9b8b4257d77ed07a81cd3a7b8 sha256sum: 06341378fc89836ee3355ff9ade263105a9ab445de8b065c0989eec8c55769c8 src_files: - - files/tis-shim.der + - ${MY_REPO}/public-keys/tis-shim.der revision: dist: $STX_DIST PKG_GITREVCOUNT: true diff --git a/security/shim-unsigned/files/tis-shim.der b/security/shim-unsigned/files/tis-shim.der deleted file mode 100644 index b29ee11b6a17d85aa32f00a3507b5e31b75806fd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 865 zcmXqLVvaRvVsc%;%*4pV#L2LB?zEa&>?(W)ylk9WZ60mkc^MhGSs4sm4Y>_C*_cCF z*o2v!9SwyI1VJ1Q9R;-@XdWy*;BwAtm9dR6}p(H(~E9 z%h_k<^{0n@Fx~f3sQ0O%RpZSW+`=rO^RGLet2LhMR8*~a@U-2v-+4>@k4@hgs-yiZ z=<+9p&0U8?dx~7XCiso1zp%J?{Mc8FR^kmt^grh#?9qj%c zeUtU_`L~8`%&PpSiwm3it5oKAv-^EX6>O5$imJ?=bD_@t;{lh&i1{9 zBm0WRoWI|fsTSM_+VxH4Q;&GmI`3vFE%jyZqui^yH=N+PeeO@teU8%X6|-*d)LZr0 zXm#HAPj2`7QUm6mW&ZlQ;F;UBMGwvdocI}?w&BRJQ!GK}XU*!7iq!Mw)APD;XsxyqXXQxd@6lIZuweP!-W`06LI8|pSDF9-