From 6e497dbd0de89197a510d7654b41f881bfcecc3b Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 6 Sep 2023 23:13:24 +0530 Subject: [PATCH 01/25] sys-boot/mokutil: Add from Gentoo It's from Gentoo commit cf90a21600e8d81c12b7e1143f43cd28f58dd70d. --- .../portage-stable/sys-boot/mokutil/Manifest | 1 + .../files/mokutil-0.6.0-conflict.patch | 38 +++++++++++++++++++ .../sys-boot/mokutil/metadata.xml | 11 ++++++ .../sys-boot/mokutil/mokutil-0.6.0.ebuild | 28 ++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest new file mode 100644 index 00000000000..24fa911ab2e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest @@ -0,0 +1 @@ +DIST mokutil-0.6.0.tar.gz 38047 BLAKE2B f2307807c700091f1e5a783b3ad8e7b3eaa17e05580b2c24fd0e92433c6b9bedfb51e9eb2d5d1c71448623b12b6667a573dd51ed03fc738aaf9815083e118ca0 SHA512 11a9d172dba4fbb674e58e5d82cb1dc65a80cff844c0eaebd106b4d4608b24a8207e0cfabf36fe1eedb67f68a8a18db2136c7b62aa3230ac104615e8284dbd7d diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch new file mode 100644 index 00000000000..6283fa33163 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch 
@@ -0,0 +1,38 @@ +From dd55c28236809fc30a7f079882914cde45560277 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 30 Jun 2023 10:36:54 +0800 +Subject: [PATCH] Avoid conflicting efi_char16_t type definitions + +It's not necessary to define 'efi_char16_t' as 'wchar_t' since we don't +need any wchar functions. Besides, it may conflict with efivar-38. This +commit defines 'efi_char16_t' as 'uint16_t' and adds the conditional +check to avoid the potential conflict. + +Fixes: https://github.com/lcp/mokutil/issues/66 + +Signed-off-by: Gary Lin +--- + src/mokutil.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.h b/src/mokutil.h +index d47a380..bd02608 100644 +--- a/src/mokutil.h ++++ b/src/mokutil.h +@@ -33,13 +33,14 @@ + #define __MOKUTIL_H__ + + #include +-#include + + #include "signature.h" + + typedef unsigned long efi_status_t; + typedef uint8_t efi_bool_t; +-typedef wchar_t efi_char16_t; /* UNICODE character */ ++#ifndef efi_char16_t ++typedef uint16_t efi_char16_t; /* UNICODE character */ ++#endif + + typedef enum { + DELETE_MOK = 0, diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml new file mode 100644 index 00000000000..cc8c212f86d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml @@ -0,0 +1,11 @@ + + + + + zerochaos@gentoo.org + Rick Farina + + + lcp/mokutil + + diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild new file mode 100644 index 00000000000..b57693258f1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild 
@@ -0,0 +1,28 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools + +DESCRIPTION="The utility to manipulate machines owner keys which managed in shim" +HOMEPAGE="https://github.com/lcp/mokutil" +SRC_URI="https://github.com/lcp/mokutil/archive/${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64 ~x86" + +DEPEND="dev-libs/openssl:= + sys-apps/keyutils:= + sys-libs/efivar:= + virtual/libcrypt:=" +RDEPEND="${DEPEND}" +BDEPEND="virtual/pkgconfig" + +PATCHES=( "${FILESDIR}"/mokutil-0.6.0-conflict.patch ) + +src_prepare() { + default + eautoreconf +} From 984233b9e8c7882c6de1abde27028760a71ee8a9 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 6 Sep 2023 23:12:36 +0530 Subject: [PATCH 02/25] coreo-base/coreos: Add mokutil to the base amd64 image Signed-off-by: Sayan Chowdhury --- .../coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild | 1 + .../profiles/coreos/base/package.accept_keywords | 3 +++ 2 files changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index 3303cdd5ee5..e8e896f7d64 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -76,6 +76,7 @@ RDEPEND="${RDEPEND} amd64? ( app-emulation/xenserver-pv-version app-emulation/xenstore + sys-boot/mokutil )" # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating. diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 182e207a404..b974f065f42 100644 
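Review bot: mokutil is added only inside the `amd64? ( ... )` block of RDEPEND, while later patches in this series build shim and MokManager for arm64 as well (the `aa64` suffix in shim-9999.ebuild); if MOK enrolment is meant to work on arm64 images, `sys-boot/mokutil` belongs outside the arch-conditional block, otherwise a one-line comment such as `# mokutil: amd64 only until the arm64 shim path is validated` would save the next reader the question. The accept_keywords entry is likewise `~amd64` only, so both would have to change together.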
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -104,3 +104,6 @@
 # Accept unstable host Rust compilers.
 =virtual/rust-1.76.0 ~amd64 ~arm64
+
+# Upgrade to latest version for secureboot
+=sys-boot/mokutil-0.6.0 ~amd64
From ceb1480e486d062b48262f769d63fdbcc955df89 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 6 Sep 2023 23:15:22 +0530
Subject: [PATCH 03/25] sys-firmware/edk2-aarch64: drop old package and replace with new
Signed-off-by: Sayan Chowdhury
---
 .../sys-firmware/edk2-aarch64/Manifest | 2 +-
 .../edk2-aarch64/edk2-aarch64-18.02.ebuild | 22 ------------------
 .../edk2-aarch64/edk2-aarch64-20220221.ebuild | 23 +++++++++++++++++++
 3 files changed, 24 insertions(+), 23 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
index 29730be8906..22b3138c398 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
@@ -1 +1 @@ -DIST QEMU_EFI.fd 2097152 BLAKE2B 0b65476a7b7363d7ab195dddf59fc69f8c3352de0e41a33cd967629300ee0affc063056603ac5fb53e2b11933060894f74fc8384f117eee6344b518c382eb58a SHA512 ebf456fe789a52ae3a367a1f277255d3db3602af4206fc9a4f8912580312f9262d61221df8f894392dffc98a85535be86196336edc12e0df709110df4b477313 +DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild deleted file mode 100644 index 0feb414c60f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -DESCRIPTION="Linaro edk2 ARM64 EFI firmware" -HOMEPAGE="https://github.com/tianocore/edk2" -SRC_URI="http://releases.linaro.org/reference-platform/enterprise/firmware/18.02/release/qemu-aarch64/QEMU_EFI.fd" - -LICENSE="BSD-2-Clause-Patent" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" - -src_unpack() { - mkdir "${S}" - cp ../distdir/"${A}" "${S}"/QEMU_EFI.fd -} - -src_install() { - mkdir -p "${D}/usr/share/edk2-aarch64" - cp QEMU_EFI.fd "${D}/usr/share/edk2-aarch64/QEMU_EFI.fd" -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild new file mode 100644 index 00000000000..d1fead7ff07 --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
@@ -0,0 +1,23 @@
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit rpm
+
+DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware"
+HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/"
+SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm"
+
+LICENSE="BSD-2-Clause-Patent openssl"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+
+S="${WORKDIR}"
+
+src_install() {
+ # Avoid collision with qemu installed config file
+ mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json
+ insinto /
+ doins -r *
+}
From af68df3d43b2042df8b6b7fa5d14b74df5b8bc32 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 6 Sep 2023 23:17:00 +0530
Subject: [PATCH 04/25] coreos-devel/board-packages: remove edk2-ovmf from arm64 dependencies
This package is not used, we use edk2-aarch64 on arm64 but and it is fetched during image_to_vm.sh because the ebuild simply wraps a binary file.
Original Author: Jeremi Piotrowski
Signed-off-by: Sayan Chowdhury
---
 .../coreos-devel/board-packages/board-packages-0.0.1.ebuild | 1 -
 1 file changed, 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index 5166713cb19..e24bee2c0a8 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -27,7 +27,6 @@ RDEPEND="
 )
 arm64? (
 sys-boot/grub
- sys-firmware/edk2-ovmf-bin
 )
 app-containers/containerd
 app-containers/docker
From 58806c5342997ff6575fdd23236744e697d7c66e Mon Sep 17 00:00:00 2001
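Review bot: The ebuild is named edk2-aarch64-20220221 but SRC_URI and the Manifest pin edk2-aarch64-20230524-3.fc38, so `${PV}` no longer identifies the firmware build that is shipped and a later bump can swap the binary behind an unchanged version; name the ebuild after the RPM and derive the URL from it, e.g. `SRC_URI="https://kojipkgs.fedoraproject.org/packages/edk2/${PV}/3.fc38/noarch/edk2-aarch64-${PV}-3.fc38.noarch.rpm"`, or state the mismatch in a comment. Integrity of this firmware, which is the UEFI root of trust for arm64 VM boots, rests entirely on the Manifest BLAKE2B/SHA512 digests because the rpm eclass does not check the Fedora RPM signature; that is acceptable, but a comment saying the digest was verified against Koji would make the next bump repeat the check. `doins -r *` installs every file in the RPM under `/`, and renaming the qemu descriptor from `60-` to `61-` also moves it behind any `60-edk2-aarch64.json` qemu itself ships in the firmware auto-selection order, so confirm that is intended rather than only a collision workaround.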
From: Sayan Chowdhury Date: Wed, 6 Sep 2023 23:57:04 +0530 Subject: [PATCH 05/25] eclass/rpm: Add from Gentoo It's from Gentoo commit 78e5f99cb41eaa50da930e7ab2dc7993fa243e1f. --- .../portage-stable/eclass/rpm.eclass | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/eclass/rpm.eclass diff --git a/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass b/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass new file mode 100644 index 00000000000..d8bb0ad2814 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass 
@@ -0,0 +1,146 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: rpm.eclass +# @MAINTAINER: +# base-system@gentoo.org +# @SUPPORTED_EAPIS: 6 7 8 +# @BLURB: convenience class for extracting RPMs + +case ${EAPI} in + 6) inherit epatch eutils ;; # eutils for eqawarn + 7|8) ;; + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; +esac + +if [[ -z ${_RPM_ECLASS} ]] ; then +_RPM_ECLASS=1 + +inherit estack + +case ${EAPI} in + 6) DEPEND="app-arch/rpm2targz" ;; + *) BDEPEND="app-arch/rpm2targz" ;; +esac + +# @FUNCTION: rpm_unpack +# @USAGE: +# @DESCRIPTION: +# Unpack the contents of the specified rpms like the unpack() function. +rpm_unpack() { + [[ $# -eq 0 ]] && set -- ${A} + local a + for a in "$@" ; do + echo ">>> Unpacking ${a} to ${PWD}" + if [[ ${a} == ./* ]] ; then + : # nothing to do -- path is local + elif [[ ${a} == "${DISTDIR}"/* ]] ; then + eqawarn 'do not use ${DISTDIR} with rpm_unpack -- it is added for you' + elif [[ ${a} == /* ]] ; then + eqawarn 'do not use full paths with rpm_unpack -- use ./ paths instead' + else + a="${DISTDIR}/${a}" + fi + rpm2tar -O "${a}" | tar xf - + assert "failure unpacking ${a}" + done +} + +# @FUNCTION: srcrpm_unpack +# @USAGE: +# @DESCRIPTION: +# Unpack the contents of the specified rpms like the unpack() function as well +# as any archives that it might contain. Note that the secondary archive +# unpack isn't perfect in that it simply unpacks all archives in the working +# directory (with the assumption that there weren't any to start with). 
+srcrpm_unpack() { + [[ $# -eq 0 ]] && set -- ${A} + rpm_unpack "$@" + + # no .src.rpm files, then nothing to do + [[ "$* " != *".src.rpm " ]] && return 0 + + eshopts_push -s nullglob + + # unpack everything + local a + for a in *.tar.{gz,bz2,xz} *.t{gz,bz2,xz} *.zip *.ZIP ; do + unpack "./${a}" + rm -f "${a}" || die + done + + eshopts_pop + + return 0 +} + +# @FUNCTION: rpm_src_unpack +# @DESCRIPTION: +# Automatically unpack all archives in ${A} including rpms. If one of the +# archives in a source rpm, then the sub archives will be unpacked as well. +rpm_src_unpack() { + local a + for a in ${A} ; do + case ${a} in + *.rpm) srcrpm_unpack "${a}" ;; + *) unpack "${a}" ;; + esac + done +} + +# @FUNCTION: rpm_spec_epatch +# @USAGE: [spec] +# @DEPRECATED: none +# @DESCRIPTION: +# Read the specified spec (defaults to ${PN}.spec) and attempt to apply +# all the patches listed in it. If the spec does funky things like moving +# files around, well this won't handle that. +rpm_spec_epatch() { + # no epatch in EAPI 7 and later + [[ ${EAPI} == 6 ]] || die "${FUNCNAME} is banned in EAPI ${EAPI}" + + local p spec=$1 + local dir + + if [[ -z ${spec} ]] ; then + # search likely places for the spec file + for spec in "${PWD}" "${S}" "${WORKDIR}" ; do + spec+="/${PN}.spec" + [[ -e ${spec} ]] && break + done + fi + [[ ${spec} == */* ]] \ + && dir=${spec%/*} \ + || dir= + + ebegin "Applying patches from ${spec}" + + grep '^%patch' "${spec}" | \ + while read line ; do + # expand the %patch line + set -- ${line} + p=$1 + shift + + # process the %patch arguments + local arg + EPATCH_OPTS= + for arg in "$@" ; do + case ${arg} in + -b) EPATCH_OPTS+=" --suffix" ;; + *) EPATCH_OPTS+=" ${arg}" ;; + esac + done + + # extract the patch name from the Patch# line + set -- $(grep "^P${p#%p}: " "${spec}") + shift + epatch "${dir:+${dir}/}$*" + done + + eend +} + +fi + +EXPORT_FUNCTIONS src_unpack From 8019f7fd9fac5d7d5c35fbcd1a40eb12d1f293f0 Mon Sep 17 00:00:00 2001 
From: Jeremi Piotrowski
Date: Thu, 28 Jul 2022 12:14:20 +0000
Subject: [PATCH 06/25] vm_image_util.sh: update path to arm64 UEFI firmware
The arm64 firmware is now called AAVMF with the updated edk2-aarch64 ebuild.
---
 build_library/vm_image_util.sh | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index e7a966b75be..3f508102435 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -807,14 +807,10 @@ _write_qemu_uefi_conf() {
 # Get edk2 files into local build workspace.
 info "Updating edk2 in /build/${BOARD}"
 emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
- # Create 64MiB flash device image files.
- dd if=/dev/zero bs=1M count=64 of="$(_dst_dir)/${flash_rw}" \
- status=none
- cp "/build/${BOARD}/usr/share/edk2-aarch64/QEMU_EFI.fd" \
- "$(_dst_dir)/${flash_ro}.work"
- truncate --reference="$(_dst_dir)/${flash_rw}" \
- "$(_dst_dir)/${flash_ro}.work"
- mv "$(_dst_dir)/${flash_ro}.work" "$(_dst_dir)/${flash_ro}"
+ cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
+ cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
+ truncate -s 64M "$(_dst_dir)/${flash_ro}"
+ truncate -s 64M "$(_dst_dir)/${flash_rw}"
 ;;
 esac
From fc4acb6b40fd26ef62e2356a6dabe17fd8dfd30c Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Thu, 12 Oct 2023 15:57:40 +0530
Subject: [PATCH 07/25] sys-boot/shim: updates to 15.7
Signed-off-by: Sayan Chowdhury
---
 .../shim/{shim-0.8_p20150423-r2.ebuild => shim-15.7.ebuild} | 0
 .../third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-boot/shim/{shim-0.8_p20150423-r2.ebuild => shim-15.7.ebuild} (100%)
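Review bot: `truncate -s 64M` shrinks as well as pads, so if either AAVMF image is ever larger than 64 MiB the firmware is silently cut, whereas the removed `dd` + `truncate --reference` pair could only grow the file; guard it with `[[ $(stat -c %s "$(_dst_dir)/${flash_ro}") -le $((64 << 20)) ]] || die "AAVMF_CODE.fd larger than the 64MiB flash"` (same for the VARS image). The copy also selects the plain `AAVMF_CODE.fd`; if the Fedora RPM ships a `AAVMF_CODE.secboot.fd` variant built with Secure Boot enforcement and this series is meant to exercise shim, that is the image to pick, which is worth confirming against the RPM contents. The switch from `/build/${BOARD}` to `${BOARD_ROOT}` assumes that variable is set in the enclosing `_write_qemu_uefi_conf`, whose beginning is outside this hunk, and the `info` line above still prints `/build/${BOARD}`.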
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild index b2e4e6bd061..50673ef721b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild @@ -8,14 +8,14 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm64" else - CROS_WORKON_COMMIT="e98d00c2eb00b1cfb25212f7527ed47d8ab3bb3a" + CROS_WORKON_COMMIT="7ba7440c49d32f911fb9e1c213307947a777085d" KEYWORDS="amd64 arm64" fi inherit cros-workon multilib DESCRIPTION="UEFI Shim loader" -HOMEPAGE="https://github.com/rhinstaller/shim" +HOMEPAGE="https://github.com/rhboot/shim" LICENSE="BSD" SLOT="0" From 65fe1f4cdb63fdda2e75caf457b72aa3516753d5 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 9 Nov 2023 15:29:51 +0530 Subject: [PATCH 08/25] sys-boot/shim: make the shim buildable Signed-off-by: Sayan Chowdhury --- .../sys-boot/shim/shim-9999.ebuild | 34 +++++++++++++++---- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild index 50673ef721b..81f69f36cdc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild 
@@ -22,7 +22,11 @@ SLOT="0"
 IUSE=""
 RDEPEND=""
-DEPEND="sys-boot/gnu-efi dev-libs/openssl"
+# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
+# currently the shim insists on using the bundled copy. This will need
+# to be addressed by patching this check out after making sure that
+# our copy of gnu-efi is as usable as the bundled one.
+DEPEND="dev-libs/openssl"
 src_unpack() {
 cros-workon_src_unpack
@@ -30,14 +34,30 @@ src_unpack() {
 }
 src_compile() {
- emake \
- CROSS_COMPILE="${CHOST}-" \
- EFI_INCLUDE="${SYSROOT%/}"/usr/include/efi \
- EFI_PATH="${SYSROOT%/}"/usr/$(get_libdir) \
- shim.efi || die
+ local emake_args=(
+ CROSS_COMPILE="${CHOST}-"
+ )
+ # Apparently our environment already has the ARCH variable in
+ # it, and Makefile picks it up instead of figuring it out
+ # itself with the compiler -dumpmachine flag. But also it
+ # expects a different format of the values. It wants x86_64
+ # instead of amd64, and aarch64 instead of arm64.
+ if use amd64; then
+ emake_args+=( ARCH=x86_64 )
+ elif use arm64; then
+ emake_args+=( ARCH=aarch64 )
+ fi
+ emake "${emake_args[@]}" || die
 }
 src_install() {
+ local suffix
+ suffix=''
+ if use amd64; then
+ suffix=x64
+ elif use arm64; then
+ suffix=aa64
+ fi
 insinto /usr/lib/shim
- doins "shim.efi"
+ newins "shim${suffix}.efi" 'shim.efi'
 }
From 348a26201aa2febb0f01aebc350980a21b35223a Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 3 Jan 2024 20:54:14 +0530
Subject: [PATCH 09/25] coreos-sb-keys: Add the shim keys
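Review bot: The ARCH mapping falls through silently for any architecture other than amd64/arm64: `emake_args` then carries only CROSS_COMPILE and the Makefile picks up Portage's own ARCH value, which is exactly the failure the comment describes, and `src_install` would then try to install a non-existent `shim.efi`; add `else die "unsupported ARCH: ${ARCH}"` after both `elif` branches. KEYWORDS already limits the ebuild to ~amd64 ~arm64, so this is a guard rather than a live bug. `emake "${emake_args[@]}" || die` can drop the `|| die`, since emake already dies in EAPI 7+. The new DEPEND comment documents that the bundled gnu-efi is used, which also means the cros-workon checkout has to carry the submodules; nothing in this hunk shows that being arranged.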
Signed-off-by: Sayan Chowdhury
---
 ...0.1.ebuild => coreos-sb-keys-0.0.2.ebuild} | 7 ++++-
 .../coreos-base/coreos-sb-keys/files/shim.der | Bin 0 -> 771 bytes
 .../coreos-base/coreos-sb-keys/files/shim.key | 28 ++++++++++++++++++
 .../coreos-base/coreos-sb-keys/files/shim.pem | 19 ++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/{coreos-sb-keys-0.0.1.ebuild => coreos-sb-keys-0.0.2.ebuild} (72%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
similarity index 72%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
index 9ff15fdf5d5..14af7b694a8 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
@@ -3,7 +3,7 @@ EAPI=7
-DESCRIPTION="CoreOS Secure Boot keys"
+DESCRIPTION="Flatcar Secure Boot keys"
 HOMEPAGE=""
 SRC_URI=""
 LICENSE="BSD"
@@ -21,4 +21,9 @@ src_install() {
 newins "${FILESDIR}/KEK.crt" KEK.crt
 newins "${FILESDIR}/DB.key" DB.key
 newins "${FILESDIR}/DB.crt" DB.crt
+
+ # shim keys
+ newins "${FILESDIR}/shim.key" shim.key
+ newins "${FILESDIR}/shim.der" shim.der
+ newins "${FILESDIR}/shim.pem" shim.pem
 }
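Review bot: `shim.key` is a private signing key and is installed with a plain `newins` next to the public DB.crt/KEK.crt (the `insinto` target is set above this hunk, and grub_install.sh reads it from /usr/share/sb_keys), so it is world-readable wherever this package lands; the pre-existing DB.key sets the precedent, but this key is what a shim built with shim.der as vendor certificate will trust for loading GRUB and MokManager, so state the intent in the ebuild: `# Development-only vendor key embedded in shim; must never reach a release image or a shim submitted for signing.` Restricting it with `fperms 0600 /usr/share/sb_keys/shim.key` costs nothing, because grub_install.sh already invokes sbsign under sudo and nothing unprivileged needs to read it.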
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der new file mode 100644 index 0000000000000000000000000000000000000000..2194987d0f968ada08aa84664acd7b8a8b4c6714 GIT binary patch literal 771 zcmXqLV)}2;#Q1yxGZP~dlSppH>M7+_6-r4rX8Yfr%O;RIInvmGmyJ`a&7QA+G^98*?ZNGY?B~MrN*ooH(zMv7w=nv5~QXp{YTXIIjtiYiI%GVrpn&R6;hC zk(GhDiIJZH=ngKXCPqevmo^#VGDbGqR~~Yk2AllpN?Yo%kCiLMf7-d9@A? z|F_y8R7R)c^_rLEi(fcEDKF|)V+PHZ-;n>ToUd*Wv8}RZR)~*4J(6Zt81$!zWSIN#WQge z$LtyM8?v`N7f2|Lwk#?WNt$A4mi$R)t;cM}(AX&pF3ySF;3TVKb}fT3^oZoVbN_b- zZm>m;i)X;o(MQ+Oj$EouT zOrM{Qx-_{=m|1*s(&uBZm%Yp}WZqvk#gmDdk%4h>utA`KEHIp9`B=nQL>j{7Wsa+K z#-8rXUi_^`hVRIfvr7!*LDI@B5(Z)o*cI@D6bLgi{%2t|UWiGJ>J};=3!PUcSM+1zt6aBz%=_}^zFF7Id-9L&DgB49 zo4Jk_Hwd)|vMVbIC~ID~o4d*K>X8*07P&bxz8m6O)*W5+`l-hWu~J5Bz87qlQZFqM z&a%Iw@V+bVl!7DYhCK6J^SG+Vrsbc#t=f{AO0U@IoWCI0xy8{!D&oe3d*|i$-Z|s) z#-+uid{RhN>-PN22+RML^S$2v{IIUfm)BF(NWAGt^eXQeYED}eq;Di#cxFCzMqo8d JW2*7NG5~RCG3o#S literal 0 HcmV?d00001 diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key new file mode 100644 index 00000000000..52f9fe1e7ac --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpPGgXHDI8K9Th +CzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjrrOl3o+hYUzK8dbdQl2Mw +zq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOsApjMlikSEBrevqvbVElU +0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu05xBgdVs5cnYUYpQxNmPy +LK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1fFZv6m8LxSMvGtxPFyh2 +Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefLWtKTdhMDF5Ni88brpuls +MQO/dpRJAgMBAAECggEAIbJpBYG83kWk5XillSZwIBzRXke12bkBaLPxlx5oGpU3 +oT21ZSFoAoCKraYXOwJS1MP8bg8B06Jzob8SfIaICmzOwrnwwU++/gnYDZPCqvjW +xghEg7dY/3Cm/BiJ8/Dz8RijkS/yC2ejip4pVhB0p0snsnGrn/IW0rE3ghiiBYsM +971GSgbGp6o25rhA8/yx5+OOFvGoDX2nIymfFASSPmxiAbXcb4DmdMlrRZ6P4z51 +8WJ8gXiTYvALFVWMNtv8GJZCQFi2fHcat/mWiVzg28J4Mzz9n79E0MrZ+4pxXLFT +lbtI6OvcjRgvsyxPwkExCsBTKnOeAdgKXKwiczBdMwKBgQD4u5NSEpx98GxiWVZX +DtT7WuCN257S0KztWzAYpTI5SZIRv4jylZPo+JnSrCvNt4hVs0Jz/aQQXhRIzVSj +4VrkhlxXGnJpZz1DkICIoFQLi9maazgj1aB9Y6lZeGxAlzCnDHP7pR7dxUj4FF2p +G6udyGhb3qfsevbSdykZ7DsHMwKBgQDwDOvheT71dNlcNuKrHi89sT5SoD4A2yTv +pyzBCvh2a+UFxveFa6l+/VgxR8AkX9z37hQxi++QFrBHnTD/NZcLijLnPI1V0pIQ +uNym6dx1PfuCtulZ24i2Fn5zrNUiNnTLBR31Fa1RJcyJv50IoTMK6F+0Bz4Qxan1 +0Um+xgDGkwKBgAb32ky2UMQGdELdFdoihDz2cswGlxB44B9WKqbGGf4Y3Yq5vvBs +2FPygvyv7ho5RgyAlSACvxHmUNMpTXG54n38daHLD+F8Du9RoQgy1aftJw94aX43 +geOBY0Eqan30vlwvsSAfpBm6aSzqBSWzrL8i2imYt0OcvkVvKSucvpqZAoGAWoXk +5dAdJ976oMWp0LG/StpuECaRey0ozp8SR3HlpHKnmPghG1UwQ80x1tOh55Wm9G/5 +eX21x3Zm33qtoXAKF7Xz4DN7cOPJZTjxLJiAJE5NbEuhz9rzwQbWhLSmYxJ6FJ1H +YMbd5v4EFeYGR9zSLMjYXkFk7Fo9748O6jwsyrUCgYEApBlTWbna9BoxiVElEmvT +u/NgdKZIEBbeX/NWJz8BJWiBVRg5WaAeuriga/1tMhiX8dgo7z7uGm3moEsXGlVD +IhZiJeAgMmamr1yqII1q9RTBcA7iPqKmAgto+7zwcVxRmXCMRM/daJ04uqGine+K +dM/o7gBtadQHJ1KPftM8SqQ= +-----END PRIVATE KEY----- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem new file mode 100644 index 00000000000..de044d7959a 
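Review bot: This commits an unencrypted RSA-2048 private key to the tree; anyone with repository access can sign binaries that a shim built with the matching shim.der as VENDOR_CERT_FILE will load, so the key is only acceptable as long as that shim is itself signed solely by the test DB key (the `COREOS_OFFICIAL` guard in grub_install.sh) and never by a production DB or a third-party signer. Nothing in the series marks it as such: name it for what it is (for example `shim-dev.key`) or add a README line stating that the key is a development artefact and that official builds must embed a certificate whose private key never lives in git. Generating the key pair at build time instead of committing it would remove the hazard entirely, if a non-deterministic vendor certificate is tolerable for development images.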
--- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUbWirlHd6eCJi2JtP3Z0GEGWTWTMwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAwwEc2hpbTAeFw0yMzExMjMyMzAxNTBaFw00MzExMTgyMzAx +NTBaMA8xDTALBgNVBAMMBHNoaW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDpPGgXHDI8K9ThCzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjr +rOl3o+hYUzK8dbdQl2Mwzq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOs +ApjMlikSEBrevqvbVElU0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu0 +5xBgdVs5cnYUYpQxNmPyLK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1 +fFZv6m8LxSMvGtxPFyh2Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefL +WtKTdhMDF5Ni88brpulsMQO/dpRJAgMBAAGjUzBRMB0GA1UdDgQWBBSAVx8cxySJ +XcuJa6P2jBwOxJTNpDAfBgNVHSMEGDAWgBSAVx8cxySJXcuJa6P2jBwOxJTNpDAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaj3785ElsU/QkPB3B +25xaCz23R2079ir0I6p91Zb9QM+n4fOLvEhhrb0tia1X6xaBHBtGk1kpCMP/JTQ2 +ZNW43HuVLieiQnp+oSPGVZ52HnL4keptRr4Dvm+d7K6DDcn8Lcov4euDCsVzgBKE +EQcjIhAjKdc+nbI51cSoaDhtbBxNsF+ErsWi6+VIyBZ1ATsO6AbSZdKiE2o/3CDv +il7KIEEJsG43bTdeeuM1d/NLOoZjAnXUPizP0BGJtEE4GljYkN7PHr3czETsRIQ0 +d5JUeoW3b2lYOf85n0ru+fCudk0NSSUyF4LEW6pLmCZCtCAb2GDQ5jeVmFF7BIFl +M8F2 +-----END CERTIFICATE----- From b42e3ad58b10ec99e06daf02254c8792e383d98c Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 24 Nov 2023 04:41:17 +0530 Subject: [PATCH 10/25] sys-boot/shim: Update shim to include signing keys, and build mm.efi Signed-off-by: Sayan Chowdhury --- .../coreos-base/coreos-sb-keys/README.md | 18 ++++++++++++++++++ ....0.2.ebuild => coreos-sb-keys-0.0.3.ebuild} | 9 +++++---- .../sys-boot/shim/shim-9999.ebuild | 10 ++++++++-- 3 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/{coreos-sb-keys-0.0.2.ebuild => coreos-sb-keys-0.0.3.ebuild} (77%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md new file mode 100644 index 00000000000..0231aa542e0 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md @@ -0,0 +1,18 @@ +## Keys & Certificates + +- PK (Platform Key): The Platform Key is the key to the platform. +- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database. +- DB (Signature Database): The signature database is used to validate signed EFI binaries. +- Shim Certificates: Our set of certificates + + +## Generation of Keys & Certificates + + +Generate the our shim certificates: + +``` +openssl genrsa -out "shim.key" 2048 +openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300 +openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER +``` diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild index 14af7b694a8..db4dc4b9741 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild 
@@ -1,14 +1,15 @@
 # Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
 # Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
 DESCRIPTION="Flatcar Secure Boot keys"
 HOMEPAGE=""
 SRC_URI=""
 LICENSE="BSD"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
+KEYWORDS="amd64 arm64"
 IUSE=""
 S="${WORKDIR}"
@@ -24,6 +25,6 @@ src_install() {
 # shim keys
 newins "${FILESDIR}/shim.key" shim.key
- newins "${FILESDIR}/shim.der" shim.der
- newins "${FILESDIR}/shim.pem" shim.pem
+ newins "${FILESDIR}/shim.der" shim.der
+ newins "${FILESDIR}/shim.pem" shim.pem
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
index 81f69f36cdc..cc18a91ffb9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@@ -26,7 +26,10 @@ RDEPEND=""
 # currently the shim insists on using the bundled copy. This will need
 # to be addressed by patching this check out after making sure that
 # our copy of gnu-efi is as usable as the bundled one.
-DEPEND="dev-libs/openssl"
+DEPEND="
+ dev-libs/openssl
+ coreos-base/coreos-sb-keys
+"
 src_unpack() {
 cros-workon_src_unpack
@@ -47,6 +50,8 @@ src_compile() {
 elif use arm64; then
 emake_args+=( ARCH=aarch64 )
 fi
+ emake_args+=( ENABLE_SBSIGN=1 )
+ emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
 emake "${emake_args[@]}" || die
 }
@@ -60,4 +65,5 @@ src_install() {
 fi
 insinto /usr/lib/shim
 newins "shim${suffix}.efi" 'shim.efi'
-}
+ newins "mm${suffix}.efi" "mm${suffix}.efi"
+}
\ No newline at end of file
From 0479480ef1696f9d86bea8dae6262ef5559f5e19 Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Wed, 3 Jan 2024 21:19:23 +0530
Subject: [PATCH 11/25] grub_install.sh: Sign the GRUB/MM with the proper keys
Add the linux.mod file back
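Review bot: `VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der"` points at the SDK host's filesystem, but coreos-base/coreos-sb-keys is declared in DEPEND, which for a cross-compiled board package is satisfied in the sysroot, so the certificate that gets embedded is whichever copy happens to be installed in the SDK rather than the one the dependency guarantees; use `VENDOR_CERT_FILE="${ESYSROOT}/usr/share/sb_keys/shim.der"` so the embedded cert and the key grub_install.sh signs with cannot drift apart. `ENABLE_SBSIGN=1` selects sbsign in upstream's Makefile for the signed targets, yet no BDEPEND for a package providing `sbsign` is added, so the build works only because the SDK happens to have it; if that is what the flag does in 15.7, declare the dependency. Minor: `newins "mm${suffix}.efi" "mm${suffix}.efi"` is just `doins "mm${suffix}.efi"`, and the file now ends without a trailing newline.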
Signed-off-by: Sayan Chowdhury
---
 build_library/grub_install.sh | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 9b4c82f8c1f..dc74a9a1607 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -58,7 +58,7 @@ case "${FLAGS_target}" in
 CORE_NAME="core.img"
 ;;
 x86_64-efi)
- CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
+ CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
 CORE_NAME="core.efi"
 ;;
 x86_64-xen)
@@ -192,17 +192,25 @@ case "${FLAGS_target}" in
 x86_64-efi)
 info "Installing default x86_64 UEFI bootloader."
 sudo mkdir -p "${ESP_DIR}/EFI/boot"
- # Use the test keys for signing unofficial builds
- if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
- sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
- "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+ # Use the test keys for signing unofficial builds
+ if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+ # Sign the GRUB with the shim-embedded key
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
+ "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
 sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
- "${ESP_DIR}/EFI/boot/grub.efi"
+ "${ESP_DIR}/EFI/boot/grubx64.efi"
+ # Sign the mokmanager(mm) with the shim-embedded key
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
+ "/usr/lib/shim/mmx64.efi"
+ sudo cp "/usr/lib/shim/mmx64.efi.signed" \
+ "${ESP_DIR}/EFI/boot/mmx64.efi"
+
 sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
- --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
- "/usr/lib/shim/shim.efi"
+ --cert /usr/share/sb_keys/DB.crt \
+ --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+ "/usr/lib/shim/shim.efi"
 else
 sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
 "${ESP_DIR}/EFI/boot/grub.efi"
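Review bot: `sbsign` without `--output` writes `mmx64.efi.signed` next to its input, i.e. into `/usr/lib/shim/` on the SDK, which leaves a root-owned artefact in a package-managed directory and is why the extra `sudo cp` is needed; sign straight into the ESP as the shim invocation below already does: `sudo sbsign --key /usr/share/sb_keys/shim.key --cert /usr/share/sb_keys/shim.pem --output "${ESP_DIR}/EFI/boot/mmx64.efi" /usr/lib/shim/mmx64.efi`. The chain itself is consistent (bootx64.efi is shim signed by the test DB key; grubx64.efi and mmx64.efi are signed by the key whose certificate the shim build embeds), but only the unofficial branch installs mmx64.efi and renames GRUB to grubx64.efi, while the `else` branch still writes `grub.efi`, which shim does not look for by default. The surrounding `case` arm continues past the end of this hunk.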
@@ -211,7 +219,7 @@ case "${FLAGS_target}" in fi # copying from vfat so ignore permissions if [[ -n "${FLAGS_copy_efi_grub}" ]]; then - cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \ + cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \ "${FLAGS_copy_efi_grub}" fi if [[ -n "${FLAGS_copy_shim}" ]]; then From 64556256db7101c5d67daa59a37efc1155ed2308 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 12 Dec 2023 17:11:59 +0000 Subject: [PATCH 12/25] grub_install: switch to BOARD_GRUB by default Signed-off-by: Jeremi Piotrowski --- build_library/grub_install.sh | 2 +- .../coreos-devel/board-packages/board-packages-0.0.1.ebuild | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index dc74a9a1607..eb070f8bb9d 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -50,7 +50,7 @@ CORE_NAME= # Whether the SDK's grub or the board root's grub is used. Once amd64 is # fixed up the board root's grub will always be used. -BOARD_GRUB=0 +BOARD_GRUB=1 case "${FLAGS_target}" in i386-pc) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild index e24bee2c0a8..9cd818a1949 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild @@ -25,9 +25,7 @@ RDEPEND=" coreos-base/nova-agent-container coreos-base/nova-agent-watcher ) - arm64? ( - sys-boot/grub - ) + sys-boot/grub app-containers/containerd app-containers/docker app-containers/docker-cli From fc28e72322a7650aaaeb604cf9d61cba3caf0644 Mon Sep 17 00:00:00 2001 
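Review bot: The comment directly above `BOARD_GRUB=1` still reads "Once amd64 is fixed up the board root's grub will always be used", which this change makes true, so the comment is now stale and describes the new default as a future plan. Suggest `# Whether the SDK's grub or the board root's grub is used; the board root's grub is the default for all targets.` in its place. The explicit `BOARD_GRUB=1` in the arm64-efi branch (visible in a later hunk of this series) becomes redundant with this default and could be dropped or commented as intentional.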
From: Sayan Chowdhury Date: Wed, 3 Jan 2024 21:22:00 +0530 Subject: [PATCH 13/25] sys-boot/grub: install file with sbat contents, add --sbat to script This is just the contents of the section, but the section itself is written by grub-mkimage. sbat.csv needs to be passed with --sbat. Signed-off-by: Jeremi Piotrowski Signed-off-by: Sayan Chowdhury --- build_library/grub_install.sh | 5 +++++ .../coreos-overlay/sys-boot/grub/files/sbat.csv.in | 3 +++ .../grub/{grub-2.06-r9.ebuild => grub-2.06-r10.ebuild} | 5 +++++ 3 files changed, 13 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in rename sdk_container/src/third_party/coreos-overlay/sys-boot/grub/{grub-2.06-r9.ebuild => grub-2.06-r10.ebuild} (97%) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index eb070f8bb9d..324be19c90d 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -52,6 +52,8 @@ CORE_NAME= # fixed up the board root's grub will always be used. BOARD_GRUB=1 +SBAT_ARG=() + case "${FLAGS_target}" in i386-pc) CORE_MODULES+=( biosdisk serial ) @@ -60,6 +62,7 @@ case "${FLAGS_target}" in x86_64-efi) CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp ) CORE_NAME="core.efi" + SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" ) ;; x86_64-xen) CORE_NAME="core.elf" @@ -68,6 +71,7 @@ case "${FLAGS_target}" in CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp ) CORE_NAME="core.efi" BOARD_GRUB=1 + SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" ) ;; *) die_notrace "Unknown GRUB target ${FLAGS_target}" @@ -174,6 +178,7 @@ sudo grub-mkimage \ --directory "${GRUB_SRC}" \ --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \ --memdisk "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \ + "${SBAT_ARG[@]}" \ --output "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ "${CORE_MODULES[@]}" 
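Review bot: `SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )` is repeated verbatim in the x86_64-efi and arm64-efi branches; since both already set `CORE_NAME="core.efi"`, a single assignment after the `case` keyed on that value would keep the two paths from drifting apart. Nothing here checks that the file exists before `grub-mkimage` is invoked, and whether grub-mkimage fails cleanly on a missing `--sbat` file is not visible in this hunk; an explicit `[[ -f "${SBAT_ARG[1]}" ]] || die_notrace "missing SBAT file ${SBAT_ARG[1]}"` (die_notrace is the helper already used in this case statement) before the grub-mkimage call would turn a GRUB image without an SBAT section — which shim would likely refuse to boot — into a clear build-time error.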
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in new file mode 100644 index 00000000000..21d760043e7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in @@ -0,0 +1,3 @@ +sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md +grub,4,Free Software Foundation,grub,@@UPSTREAM_VERSION@@,https://www.gnu.org/software/grub/ +grub.flatcar,1,Flatcar,grub2,@@VERSION@@,https://github.com/flatcar/flatcar diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild index 72140d4ab9b..a05b1f03c8b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild @@ -321,6 +321,11 @@ src_install() { # https://bugs.gentoo.org/231935 dostrip -x /usr/lib/grub + + # SBAT format documentation https://github.com/rhboot/shim/blob/main/SBAT.md + dodir /usr/share/grub + sed -e "s/@@UPSTREAM_VERSION@@/${PV}/" -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${ED}/usr/share/grub/sbat.csv" + } pkg_postinst() { From 6ff9f8b098c546dca13d28a61ca5f091d7b1beef Mon Sep 17 00:00:00 2001 
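Review bot: The `sed` in src_install writes sbat.csv with the `grub,4` generation copied verbatim from sbat.csv.in, and the comment above `dodir /usr/share/grub` only links the format documentation; nothing says that this number is what shim's SBAT revocation level compares against. If upstream grub security fixes from a later release are backported without raising the generation in lockstep, a newer shim SbatLevel would refuse the patched GRUB, and if it is raised without the fixes the binary claims a level it does not have. Suggest extending the comment to: `# SBAT format: https://github.com/rhboot/shim/blob/main/SBAT.md. The grub,N generation in sbat.csv.in must match upstream's SBAT.csv for the patch level we ship; shim revokes by generation.` The missing `|| die` on this sed is added later in the series, so it is not re-raised here.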
From: Jeremi Piotrowski Date: Thu, 28 Jul 2022 12:07:51 +0000 Subject: [PATCH 14/25] Add support for secure boot in qemu_template.sh We have an existing qemu_uefi_secure format definition, but it is necessary to update it so that it actually works. Qemu needs to be passed the correct flags to enable SMM, we need to switch to the Q35 machine, and we need to copy over the secboot variant of the OVMF firmware. --- build_library/qemu_template.sh | 12 ++++++++---- build_library/vm_image_util.sh | 4 ++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh index 3118ef96c9b..50c254fd46b 100755 --- a/build_library/qemu_template.sh +++ b/build_library/qemu_template.sh @@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then else case "${VM_BOARD}+$(uname -m)" in amd64-usr+x86_64) + set -- -global ICH9-LPC.disable_s3=1 \ + -global driver=cfi.pflash01,property=secure,value=on \ + "$@" # Emulate the host CPU closely in both features and cores. - set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;; + set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@" + ;; amd64-usr+*) - set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;; + set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;; arm64-usr+aarch64) set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;; arm64-usr+*) @@ -215,8 +219,8 @@ fi if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then set -- \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ - -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" + -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \ + -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@" fi if [ -n "${IGNITION_CONFIG_FILE}" ]; then 
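Review bot: The SMM and flash-protection flags (`-global ICH9-LPC.disable_s3=1`, `-global driver=cfi.pflash01,property=secure,value=on`, `smm=on`) are added only in the `amd64-usr+x86_64` branch; the `amd64-usr+*` branch is switched to `q35` but gets neither, so if the secure-boot template is ever run from a non-x86_64 host the OVMF variable store would be writable from the guest and the enrolled Secure Boot state would not be protected. Either add the same globals there or mark the limitation, e.g. `# TCG-only fallback: no SMM, so Secure Boot variables are not protected on this path`. These flags now also apply to every amd64 VM on x86_64 hosts, including non-UEFI ones, which is presumably harmless when no pflash drive is attached but deserves a one-line comment. The enclosing `case` statement begins and ends outside this hunk.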
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index 3f508102435..70c4564ef3c 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -821,14 +821,18 @@ _write_qemu_uefi_conf() { _write_qemu_uefi_secure_conf() { local flash_rw="$(_dst_name "_efi_vars.fd")" + local flash_ro="$(_dst_name "_efi_code.fd")" + local script="$(_dst_dir)/$(_dst_name ".sh")" _write_qemu_uefi_conf + cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}" cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl" cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl" flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl" flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl" flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl" + sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}" } _write_pxe_conf() { From c1bdbd9d90e2ccd53d5c28fcfb8691dbc0c6636a Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 3 Jan 2024 21:32:15 +0530 Subject: [PATCH 15/25] build_image_util: Sign the vmlinuz with the shim key Signed-off-by: Sayan Chowdhury --- build_library/build_image_util.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 570743c2393..64a7a89b861 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -828,8 +828,8 @@ EOF # Sign the kernel after /usr is in a consistent state and verity is calculated if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then - sudo sbsign --key /usr/share/sb_keys/DB.key \ - --cert /usr/share/sb_keys/DB.crt \ + sudo sbsign --key /usr/share/sb_keys/shim.key \ + --cert /usr/share/sb_keys/shim.pem \ "${root_fs_dir}/boot/flatcar/vmlinuz-a" sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \ "${root_fs_dir}/boot/flatcar/vmlinuz-a" 
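Review bot: `sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"` silently does nothing if the generated script has no `SECURE_BOOT=` line, and nothing in this function shows that `_write_qemu_uefi_conf` emits one, so a template change would quietly produce a non-secure-boot test image under the `qemu_uefi_secure` name. A check after the sed keeps this loud: `grep -q '^SECURE_BOOT=1$' "${script}" || <this file's failure helper> "SECURE_BOOT not set in ${script}"`. The `cp` of `OVMF_CODE.secboot.fd` also overwrites the code image written by `_write_qemu_uefi_conf`, presumably intentionally; a one-line comment stating that would help the next reader.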
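Review bot: The switch from `DB.key`/`DB.crt` to `shim.key`/`shim.pem` is not reflected in the comment above the `if`, which still only says the kernel is signed after /usr is consistent; a reader has to know the shim vendor-cert chain to understand why the kernel is no longer signed with the db key. Suggest `# Unofficial builds: sign with the key behind shim's embedded vendor cert (shim.der) so shim's verification, not the firmware db, validates the kernel` — the vendor-cert relationship is inferred from `VENDOR_CERT_FILE` in the shim ebuild elsewhere in this series, so confirm before wording it as fact. The closing `fi` of this `if` lies outside the hunk.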
From 04005652dd1b4e972f70d7256fde2450d6b76e68 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 18 Jan 2024 20:21:18 +0530 Subject: [PATCH 16/25] build_library: Drop redundant config from grub.cfg Signed-off-by: Sayan Chowdhury --- build_library/grub.cfg | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/build_library/grub.cfg b/build_library/grub.cfg index 9e6da4b8693..39bf5107255 100644 --- a/build_library/grub.cfg +++ b/build_library/grub.cfg @@ -23,18 +23,6 @@ set linux_append="" set secure_boot="0" -if [ "$grub_platform" = "efi" ]; then - getenv -e SecureBoot -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b sb - getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode - if [ "$sb" = "01" -a "$setupmode" = "00" ]; then - set secure_boot="1" - getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey - if [ "$gpgpubkey" != "" ]; then - trust_var gpgpubkey - fi - fi -fi - if [ "$net_default_server" != "" ]; then smbios --type 1 --get-uuid 8 --set uuid smbios --type 1 --get-string 7 --set serial From 97ebc770eaf7d5c8095c9889e9a21c5155f8af2b Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 19 Jan 2024 08:25:12 +0530 Subject: [PATCH 17/25] sys-boot/shim: Move from cros_workon to upstream Signed-off-by: Sayan Chowdhury --- .../coreos-overlay/sys-boot/shim/Manifest | 1 + .../sys-boot/shim/shim-15.7.ebuild | 56 ++++++++++++++- .../sys-boot/shim/shim-9999.ebuild | 69 ------------------- 3 files changed, 56 insertions(+), 70 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest mode change 120000 => 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest new file mode 100644 index 00000000000..4834453ff12 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest @@ -0,0 +1 @@ +DIST shim-15.7.tar.bz2 1334863 BLAKE2B 6b9370913daa1224e03a294728edf713e013dddf46104e9693cf92a7465ebdebb932bc37db190bd04b86d5c86d4c64bbfaee5f58e971a3605fd85ad778a3db42 SHA512 99a9792be8dd8834ce1f929af341db1fc8ff985b079cebb42a87a770b3672cde573893463c1444c28e30c78207d560c77ad17795dbf19f24795ab3e22d601cec diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild deleted file mode 120000 index ac0bdc5b80a..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild +++ /dev/null @@ -1 +0,0 @@ -shim-9999.ebuild \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild new file mode 100644 index 00000000000..40fadb89a7b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild 
@@ -0,0 +1,55 @@ +# Copyright 2015 CoreOS, Inc. +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 +inherit multilib + +DESCRIPTION="UEFI Shim loader" +HOMEPAGE="https://github.com/rhboot/shim" +SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2" +KEYWORDS="amd64 arm64" + +LICENSE="BSD" +SLOT="0" +IUSE="" + +RDEPEND="" +# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but +# currently the shim insists on using the bundled copy. This will need +# to be addressed by patching this check out after making sure that +# our copy of gnu-efi is as usable as the bundled one. +DEPEND=" + dev-libs/openssl + coreos-base/coreos-sb-keys +" +src_compile() { + local emake_args=( + CROSS_COMPILE="${CHOST}-" + ) + # Apparently our environment already has the ARCH variable in + # it, and Makefile picks it up instead of figuring it out + # itself with the compiler -dumpmachine flag. But also it + # expects a different format of the values. It wants x86_64 + # instead of amd64, and aarch64 instead of arm64. + if use amd64; then + emake_args+=( ARCH=x86_64 ) + elif use arm64; then + emake_args+=( ARCH=aarch64 ) + fi + emake_args+=( ENABLE_SBSIGN=1 ) + emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" ) + emake "${emake_args[@]}" || die +} + +src_install() { + local suffix + suffix='' + if use amd64; then + suffix=x64 + elif use arm64; then + suffix=aa64 + fi + insinto /usr/lib/shim + newins "shim${suffix}.efi" 'shim.efi' + newins "mm${suffix}.efi" "mm${suffix}.efi" +} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild deleted file mode 100644 index cc18a91ffb9..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild +++ /dev/null 
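Review bot: `emake "${emake_args[@]}" || die` carries a redundant `|| die` — under EAPI 7, `emake` (like `insinto`/`newins` in src_install) already dies on failure unless run under `nonfatal` — so `emake "${emake_args[@]}"` is sufficient. The new file also inherits `multilib` without using anything from it in the visible body, and its header still reads `# Copyright 2015 CoreOS, Inc.` although this is a freshly written ebuild for an upstream release tarball. The hard-coded test vendor cert on the `VENDOR_CERT_FILE` line is the same concern raised on the shim-9999 hunk earlier in this series.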
@@ -1,69 +0,0 @@ -# Copyright 2015 CoreOS, Inc. -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 -CROS_WORKON_PROJECT="flatcar/shim" -CROS_WORKON_REPO="https://github.com" - -if [[ "${PV}" == 9999 ]]; then - KEYWORDS="~amd64 ~arm64" -else - CROS_WORKON_COMMIT="7ba7440c49d32f911fb9e1c213307947a777085d" - KEYWORDS="amd64 arm64" -fi - -inherit cros-workon multilib - -DESCRIPTION="UEFI Shim loader" -HOMEPAGE="https://github.com/rhboot/shim" - -LICENSE="BSD" -SLOT="0" -IUSE="" - -RDEPEND="" -# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but -# currently the shim insists on using the bundled copy. This will need -# to be addressed by patching this check out after making sure that -# our copy of gnu-efi is as usable as the bundled one. -DEPEND=" - dev-libs/openssl - coreos-base/coreos-sb-keys -" - -src_unpack() { - cros-workon_src_unpack - default_src_unpack -} - -src_compile() { - local emake_args=( - CROSS_COMPILE="${CHOST}-" - ) - # Apparently our environment already has the ARCH variable in - # it, and Makefile picks it up instead of figuring it out - # itself with the compiler -dumpmachine flag. But also it - # expects a different format of the values. It wants x86_64 - # instead of amd64, and aarch64 instead of arm64. - if use amd64; then - emake_args+=( ARCH=x86_64 ) - elif use arm64; then - emake_args+=( ARCH=aarch64 ) - fi - emake_args+=( ENABLE_SBSIGN=1 ) - emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" ) - emake "${emake_args[@]}" || die -} - -src_install() { - local suffix - suffix='' - if use amd64; then - suffix=x64 - elif use arm64; then - suffix=aa64 - fi - insinto /usr/lib/shim - newins "shim${suffix}.efi" 'shim.efi' - newins "mm${suffix}.efi" "mm${suffix}.efi" -} \ No newline at end of file From 4648be9dbbf9cf705c4cce7453837b5e34b5240d Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Fri, 19 Jan 2024 17:28:41 +0530 Subject: [PATCH 18/25] sys-boot/grub: Make sed silently fail when updating sbat Co-authored-by: Mathieu Tortuyaux --- .../coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild index a05b1f03c8b..a4b46efcd3f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild @@ -324,7 +324,7 @@ src_install() { # SBAT format documentation https://github.com/rhboot/shim/blob/main/SBAT.md dodir /usr/share/grub - sed -e "s/@@UPSTREAM_VERSION@@/${PV}/" -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${ED}/usr/share/grub/sbat.csv" + sed -e "s/@@UPSTREAM_VERSION@@/${PV}/" -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${ED}/usr/share/grub/sbat.csv" || die } From 99bfcf5f32271a2719619833986301a489f48111 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 19 Jan 2024 17:36:35 +0530 Subject: [PATCH 19/25] shim, coreos-sb-keys, grub_install.sh: retab to spaces Signed-off-by: Sayan Chowdhury --- build_library/grub_install.sh | 10 ++-- .../coreos-sb-keys-0.0.3.ebuild | 18 +++--- .../sys-boot/shim/shim-15.7.ebuild | 56 +++++++++---------- 3 files changed, 42 insertions(+), 42 deletions(-) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index 324be19c90d..63036bb0fb1 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -60,7 +60,7 @@ case "${FLAGS_target}" in CORE_NAME="core.img" ;; x86_64-efi) - CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp ) + CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp ) CORE_NAME="core.efi" SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" ) ;; 
@@ -168,7 +168,7 @@ if [[ ! -f "${ESP_DIR}/flatcar/grub/grub.cfg.tar" ]]; then fi sudo tar cf "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \ - -C "${GRUB_TEMP_DIR}" "grub.cfg" + -C "${GRUB_TEMP_DIR}" "grub.cfg" fi info "Generating ${GRUB_DIR}/${CORE_NAME}" @@ -197,8 +197,8 @@ case "${FLAGS_target}" in x86_64-efi) info "Installing default x86_64 UEFI bootloader." sudo mkdir -p "${ESP_DIR}/EFI/boot" - # Use the test keys for signing unofficial builds - if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then + # Use the test keys for signing unofficial builds + if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then # Sign the GRUB with the shim-embedded key sudo sbsign --key /usr/share/sb_keys/shim.key \ --cert /usr/share/sb_keys/shim.pem \ @@ -221,7 +221,7 @@ case "${FLAGS_target}" in "${ESP_DIR}/EFI/boot/grub.efi" sudo cp "/usr/lib/shim/shim.efi" \ "${ESP_DIR}/EFI/boot/bootx64.efi" - fi + fi # copying from vfat so ignore permissions if [[ -n "${FLAGS_copy_efi_grub}" ]]; then cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \ diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild index db4dc4b9741..9562a134a11 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild 
@@ -15,16 +15,16 @@ IUSE="" S="${WORKDIR}" src_install() { - insinto /usr/share/sb_keys - newins "${FILESDIR}/PK.key" PK.key - newins "${FILESDIR}/PK.crt" PK.crt - newins "${FILESDIR}/KEK.key" KEK.key - newins "${FILESDIR}/KEK.crt" KEK.crt - newins "${FILESDIR}/DB.key" DB.key - newins "${FILESDIR}/DB.crt" DB.crt + insinto /usr/share/sb_keys + newins "${FILESDIR}/PK.key" PK.key + newins "${FILESDIR}/PK.crt" PK.crt + newins "${FILESDIR}/KEK.key" KEK.key + newins "${FILESDIR}/KEK.crt" KEK.crt + newins "${FILESDIR}/DB.key" DB.key + newins "${FILESDIR}/DB.crt" DB.crt - # shim keys - newins "${FILESDIR}/shim.key" shim.key + # shim keys + newins "${FILESDIR}/shim.key" shim.key newins "${FILESDIR}/shim.der" shim.der newins "${FILESDIR}/shim.pem" shim.pem } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild index 40fadb89a7b..af215598e1f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild 
@@ -19,37 +19,37 @@ RDEPEND="" # to be addressed by patching this check out after making sure that # our copy of gnu-efi is as usable as the bundled one. DEPEND=" - dev-libs/openssl - coreos-base/coreos-sb-keys + dev-libs/openssl + coreos-base/coreos-sb-keys " src_compile() { - local emake_args=( - CROSS_COMPILE="${CHOST}-" - ) - # Apparently our environment already has the ARCH variable in - # it, and Makefile picks it up instead of figuring it out - # itself with the compiler -dumpmachine flag. But also it - # expects a different format of the values. It wants x86_64 - # instead of amd64, and aarch64 instead of arm64. - if use amd64; then - emake_args+=( ARCH=x86_64 ) - elif use arm64; then - emake_args+=( ARCH=aarch64 ) - fi - emake_args+=( ENABLE_SBSIGN=1 ) - emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" ) - emake "${emake_args[@]}" || die + local emake_args=( + CROSS_COMPILE="${CHOST}-" + ) + # Apparently our environment already has the ARCH variable in + # it, and Makefile picks it up instead of figuring it out + # itself with the compiler -dumpmachine flag. But also it + # expects a different format of the values. It wants x86_64 + # instead of amd64, and aarch64 instead of arm64. + if use amd64; then + emake_args+=( ARCH=x86_64 ) + elif use arm64; then + emake_args+=( ARCH=aarch64 ) + fi + emake_args+=( ENABLE_SBSIGN=1 ) + emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" ) + emake "${emake_args[@]}" || die } src_install() { - local suffix - suffix='' - if use amd64; then - suffix=x64 - elif use arm64; then - suffix=aa64 - fi - insinto /usr/lib/shim - newins "shim${suffix}.efi" 'shim.efi' - newins "mm${suffix}.efi" "mm${suffix}.efi" + local suffix + suffix='' + if use amd64; then + suffix=x64 + elif use arm64; then + suffix=aa64 + fi + insinto /usr/lib/shim + newins "shim${suffix}.efi" 'shim.efi' + newins "mm${suffix}.efi" "mm${suffix}.efi" } From 0fc380cf2169004a451ded59eefd54f349dbc104 Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Thu, 25 Jan 2024 04:52:11 +0530 Subject: [PATCH 20/25] sys-boot/shim: Add the changelog for shim upgrade, and secureboot Signed-off-by: Sayan Chowdhury --- changelog/changes/2024-01-25-shim-secureboot-update.md | 1 + changelog/updates/2024-01-25-shim-15.8.ebuild.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/changes/2024-01-25-shim-secureboot-update.md create mode 100644 changelog/updates/2024-01-25-shim-15.8.ebuild.md diff --git a/changelog/changes/2024-01-25-shim-secureboot-update.md b/changelog/changes/2024-01-25-shim-secureboot-update.md new file mode 100644 index 00000000000..c44298c1905 --- /dev/null +++ b/changelog/changes/2024-01-25-shim-secureboot-update.md @@ -0,0 +1 @@ +- A new format `qemu_uefi_secure` is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into `qemu_uefi`. diff --git a/changelog/updates/2024-01-25-shim-15.8.ebuild.md b/changelog/updates/2024-01-25-shim-15.8.ebuild.md new file mode 100644 index 00000000000..e417f8232f4 --- /dev/null +++ b/changelog/updates/2024-01-25-shim-15.8.ebuild.md @@ -0,0 +1 @@ +- shim ([15.8](https://github.com/rhboot/shim/releases/tag/15.8)) From 16b3a2a10bc5f3de24c6ff85a04e5a3451fc835e Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Mon, 29 Jan 2024 17:24:48 +0530 Subject: [PATCH 21/25] vendor-testing: Add qemu_uefi_secure, symlinked to qemu.sh Signed-off-by: Sayan Chowdhury --- ci-automation/vendor-testing/qemu_uefi_secure.sh | 1 + 1 file changed, 1 insertion(+) create mode 120000 ci-automation/vendor-testing/qemu_uefi_secure.sh diff --git a/ci-automation/vendor-testing/qemu_uefi_secure.sh b/ci-automation/vendor-testing/qemu_uefi_secure.sh new file mode 120000 index 00000000000..a142d967c89 --- /dev/null +++ b/ci-automation/vendor-testing/qemu_uefi_secure.sh @@ -0,0 +1 @@ +qemu.sh \ No newline at end of file From 3bc69444098ce914b9ef24b5580341d5324ad928 Mon Sep 17 00:00:00 2001 
From: Sayan Chowdhury Date: Tue, 30 Jan 2024 10:47:45 +0530 Subject: [PATCH 22/25] .github/workflow: Add the packages to automation list Signed-off-by: Sayan Chowdhury --- .github/workflows/portage-stable-packages-list | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 42389b919c1..a5c00470d06 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -364,6 +364,7 @@ eclass/python-utils-r1.eclass eclass/readme.gentoo-r1.eclass eclass/ruby-single.eclass eclass/ruby-utils.eclass +eclass/rpm.eclass eclass/savedconfig.eclass eclass/selinux-policy-2.eclass eclass/strip-linguas.eclass @@ -507,6 +508,7 @@ sys-block/parted sys-block/thin-provisioning-tools sys-boot/efibootmgr +sys-boot/mokutil # Updating to 3.0.17 breaks building of sys-boot/shim. # # sys-boot/gnu-efi From 52ce21a5ab8e291850736a45f413ffad47b2f9a5 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 1 Feb 2024 19:15:17 +0530 Subject: [PATCH 23/25] grub_install.sh: ship mokmanager, and rename to grubx64 Signed-off-by: Sayan Chowdhury --- build_library/grub_install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index 63036bb0fb1..71600591402 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -218,9 +218,11 @@ case "${FLAGS_target}" in "/usr/lib/shim/shim.efi" else sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ - "${ESP_DIR}/EFI/boot/grub.efi" + "${ESP_DIR}/EFI/boot/grubx64.efi" sudo cp "/usr/lib/shim/shim.efi" \ "${ESP_DIR}/EFI/boot/bootx64.efi" + sudo cp "/usr/lib/shim/mmx64.efi" \ + "${ESP_DIR}/EFI/boot/mmx64.efi" fi # copying from vfat so ignore permissions if [[ -n "${FLAGS_copy_efi_grub}" ]]; then From 36270467306c30e61be04f5cef86779f8604a710 Mon Sep 17 00:00:00 2001 
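Review bot: The `else` branch (official builds) now copies `mmx64.efi` and `grubx64.efi` into the ESP unsigned, and nothing in the script says where the official signatures come from, so a reader cannot tell whether shipping an unsigned MokManager here is intentional. If the release pipeline signs these out of band, a comment such as `# Official builds: GRUB and MokManager are signed later in the release pipeline with the production shim vendor key` documents that contract; if it does not, an unsigned mmx64.efi will be rejected by shim on Secure Boot systems. The target file names are now spelled out twice (here and in the `sbsign`/`cp` calls of the `if` branch); holding them in variables would prevent the `grub.efi`/`grubx64.efi` mismatch this commit fixes from recurring.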
From: Sayan Chowdhury Date: Thu, 1 Feb 2024 19:52:20 +0530 Subject: [PATCH 24/25] ci-automation: Update to include the qemu_uefi_secure test Signed-off-by: Sayan Chowdhury --- ci-automation/ci-config.env | 1 + ci-automation/vendor-testing/qemu.sh | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env index 6c177bb4c5c..9188dc454a4 100644 --- a/ci-automation/ci-config.env +++ b/ci-automation/ci-config.env @@ -66,6 +66,7 @@ QEMU_BIOS="/usr/share/qemu/bios-256k.bin" # UEFI bios filename on build cache. # Published by vms.sh as part of the qemu vendor build. QEMU_UEFI_BIOS="${QEMU_UEFI_BIOS:-flatcar_production_qemu_uefi_efi_code.fd}" +QEMU_UEFI_SECURE_BIOS="${QEMU_UEFI_SECURE_BIOS:-flatcar_production_qemu_uefi_secure_efi_code.fd}" # Update payload for the qemu_update.sh test. # The default path set below is relative to TEST_WORK_DIR diff --git a/ci-automation/vendor-testing/qemu.sh b/ci-automation/vendor-testing/qemu.sh index 7b426889e41..75c97fb8551 100755 --- a/ci-automation/vendor-testing/qemu.sh +++ b/ci-automation/vendor-testing/qemu.sh @@ -34,6 +34,13 @@ fi bios="${QEMU_BIOS}" if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] ; then bios="${QEMU_UEFI_BIOS}" +fi + +if [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then + bios="${QEMU_UEFI_SECURE_BIOS}" +fi + +if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] || [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then if [ -f "${bios}" ] ; then echo "++++ ${CIA_TESTSCRIPT}: Using existing ${bios} ++++" else From 7db81c27f9bec2acf6583a98e792fee283c5b89a Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Mon, 26 Feb 2024 11:00:28 +0100 Subject: [PATCH 25/25] sys-boot/shim: Update to 15.8 --- .../src/third_party/coreos-overlay/sys-boot/shim/Manifest | 2 +- .../sys-boot/shim/{shim-15.7.ebuild => shim-15.8.ebuild} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sys-boot/shim/{shim-15.7.ebuild => shim-15.8.ebuild} (100%) 
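Review bot: The bios selection now consists of three separate `if` statements, the third of which re-lists both script names already tested by the first two, so adding another UEFI variant means editing three places. A `case` that selects the firmware file once, followed by a single guard, expresses the same logic with one list of names; this assumes the UEFI firmware paths never equal `QEMU_BIOS`, which matches the values shown in ci-config.env. The fetch-or-reuse body inside the guard is unchanged and continues outside this hunk.
```bash
bios="${QEMU_BIOS}"
case "${CIA_TESTSCRIPT}" in
    qemu_uefi.sh)        bios="${QEMU_UEFI_BIOS}" ;;
    qemu_uefi_secure.sh) bios="${QEMU_UEFI_SECURE_BIOS}" ;;
esac

if [ "${bios}" != "${QEMU_BIOS}" ] ; then
    # … unchanged: reuse the cached firmware file or fetch it …
```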
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest index 4834453ff12..aeb21c8d0a5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest @@ -1 +1 @@ -DIST shim-15.7.tar.bz2 1334863 BLAKE2B 6b9370913daa1224e03a294728edf713e013dddf46104e9693cf92a7465ebdebb932bc37db190bd04b86d5c86d4c64bbfaee5f58e971a3605fd85ad778a3db42 SHA512 99a9792be8dd8834ce1f929af341db1fc8ff985b079cebb42a87a770b3672cde573893463c1444c28e30c78207d560c77ad17795dbf19f24795ab3e22d601cec +DIST shim-15.8.tar.bz2 2315201 BLAKE2B 24da29cf45a08bceffc15682fcdd16e34e42d3b33f2a0b2e528193d8e3455a034b6242c13cebf43db481f73a83329effd9812f0d1e04861ecf7329e54f9059b9 SHA512 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild