From 8171154a6b39ccc8002576d02318fde6e1be9ce9 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Fri, 10 Feb 2023 10:15:56 +0800
Subject: [PATCH] secure boot: move pub key to git repo
A new git repo cgcs-root/public-keys is available now for public
keys used in the secure boot process.
This commit moves the keys from integ to the git repo.
Keys involved:
boot_pub_key
tis-boot.crt
tis-shim.der
For grub-efi, the "src_files" in meta_data.yaml can't cause
the files to be copied to the source code dir when "dl_hook" exists.
So remove the useless "src_files" settings here.
Test plan:
The tests are done with all the changes which involve
public-keys/integ/root repos for this enhancement about pub keys.
- PASS: rebuild grub-efi/efitools/shim packages;
- PASS: follow the process to build iso image for secure boot;
- PASS: installation test on AIO-DX lab with secure boot enabled.
Story: 2009221
Task: 47358
Signed-off-by: Li Zhou
Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c
---
grub/grub-efi/debian/dl_hook | 1 +
grub/grub-efi/debian/files/boot_pub_key | Bin 1172 -> 0 bytes
grub/grub-efi/debian/meta_data.yaml | 6 ------
security/efitools/debian/meta_data.yaml | 1 +
.../efitools/debian/uefi_sb_keys/tis-boot.crt | 20 ------------------
security/shim-unsigned/debian/meta_data.yaml | 2 +-
security/shim-unsigned/files/tis-shim.der | Bin 865 -> 0 bytes
7 files changed, 3 insertions(+), 27 deletions(-)
delete mode 100644 grub/grub-efi/debian/files/boot_pub_key
delete mode 100644 security/efitools/debian/uefi_sb_keys/tis-boot.crt
delete mode 100644 security/shim-unsigned/files/tis-shim.der
diff --git a/grub/grub-efi/debian/dl_hook b/grub/grub-efi/debian/dl_hook
index 7791acde6..6f012e5b6 100755
--- a/grub/grub-efi/debian/dl_hook
+++ b/grub/grub-efi/debian/dl_hook
@@ -39,3 +39,4 @@ then
exit 1
fi
cp ../local_debian/files/* ./
+cp ${MY_REPO}/public-keys/boot_pub_key ./
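Review bot: the added `cp ${MY_REPO}/public-keys/boot_pub_key ./` on the last line of dl_hook expands `${MY_REPO}` unquoted and has no visible failure handling, unlike the `exit 1` branch a few lines above it. If `MY_REPO` is empty or unset, the source path becomes `/public-keys/boot_pub_key`, and unless the script runs under `set -e` (not shown in these lines) a failed copy lets the grub-efi build continue without the key it is meant to embed. Suggest quoting the path and failing closed, for example `cp "${MY_REPO}/public-keys/boot_pub_key" ./ || exit 1`. Since the secure boot public key now comes from a repo outside this package's directory, it would also help to have the hook or the commit message state which revision of public-keys is expected, so that a stale or swapped key is caught at build time rather than at boot.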
diff --git a/grub/grub-efi/debian/files/boot_pub_key b/grub/grub-efi/debian/files/boot_pub_key
deleted file mode 100644
index f9e50a6261dac4569e146bf6ac2579ccd1171667..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 1172
zcmV;F1Z(@50u2ORvKpBI5CGCae)L|SWamGk`?i_#9R0wznWdQqsRIpWI)?+))z|fn6?~5H!sQ+_FECHM_+Pd(
zC{6+{%UTfROND({H|kdpJsGh#-!=CPZVOz*8i!v1mNXm@-gE43y`I+p;T3GnOTai{
zVy#a2=_%#k=&|`+nCL*cwjgz@F9xBUa>Vh(Hl+@E{>0bGl7=;FORhJ)O8b8ML|*nV
zXm$$9I_2MFhh-8l_bC+yxu!$8a@#&l?7t!3-VDy53KqFdruS}RK92$O{dS)bH=4rrU?U9
zxUk