42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From f97a150fbf94be75381d90396ac7be5b2edf95d2 Mon Sep 17 00:00:00 2001
|
|
From: Li Zhou <li.zhou@windriver.com>
|
|
Date: Tue, 23 Aug 2022 14:51:09 +0800
|
|
Subject: [PATCH 2/2] efitools: append Microsoft KEK/DB to built-in certs
|
|
|
|
While BIOS of Dell PowerEdge host enables EFI secure feature,
|
|
it uses Microsoft KEK and DB to verify NICs and disks. If one removes
|
|
the existing Microsoft certs and uses LockDown.efi to insert self
|
|
defined certs, the NICs and disks are missing. So append one Microsoft
|
|
KEK and one Microsoft DB to built-in certs for LockDown.efi.
|
|
Reference:
|
|
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#multiple
|
|
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
[lz: Porting the patch from yocto to debian rules]
|
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
|
---
|
|
debian/rules | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/debian/rules b/debian/rules
|
|
index c20cd9a..78bca19 100755
|
|
--- a/debian/rules
|
|
+++ b/debian/rules
|
|
@@ -8,6 +8,13 @@ override_dh_auto_build:
|
|
cp uefi_sb_keys/* ./
|
|
mv tis-boot.crt DB.crt
|
|
dh_auto_build
|
|
+ cp -f DB.esl DB-orig.esl
|
|
+ cat DB-orig.esl ms-uefi.esl > DB.esl
|
|
+ cp -f KEK.esl KEK-orig.esl
|
|
+ cat KEK-orig.esl ms-kek.esl > KEK.esl
|
|
+ rm DB-orig.esl KEK-orig.esl
|
|
+ rm LockDown*efi LockDown.so LockDown.o
|
|
+ dh_auto_build
|
|
|
|
override_dh_auto_install:
|
|
dh_auto_install -- EFIDIR="debian/efitools/usr/lib/efitools/${DEB_TARGET_MULTIARCH}"
|
|
--
|
|
2.17.1
|
|
|