Embed the additional 2023 Secure Boot certificates from Microsoft

pftf · Apr 11, 2024 · 337f5fa · 337f5fa
1 parent c025e87
commit 337f5fa
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/.github/workflows/linux_edk2.yml b/.github/workflows/linux_edk2.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2022, Pete Batard <pete@akeo.ie>
+# Copyright (c) 2021-2024, Pete Batard <pete@akeo.ie>
 # SPDX-License-Identifier: BSD-3-Clause
 
 name: UEFI firmware - EDK2 build
@@ -47,9 +47,12 @@ jobs:
  mkdir keys
  # We don't really need a usable PK, so just generate a public key for it and discard the private key
  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256
- curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer
+ curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek1.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239775 -o keys/ms_kek2.cer
  curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer
  curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239776 -o keys/ms_db3.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239872 -o keys/ms_db4.cer
  curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin
 
  - name: Build UEFI firmware
@@ -58,7 +61,7 @@ jobs:
  export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-platforms:$WORKSPACE/edk2-non-osi
  export BUILD_FLAGS="-D SECURE_BOOT_ENABLE=TRUE -D INCLUDE_TFTP_COMMAND=TRUE -D NETWORK_ISCSI_ENABLE=TRUE -D SMC_PCI_SUPPORT=1"
  export TLS_DISABLE_FLAGS="-D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ALLOW_HTTP_CONNECTIONS=TRUE"
- export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin"
+ export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek1.cer -D KEK_DEFAULT_FILE2=$WORKSPACE/keys/ms_kek2.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DB_DEFAULT_FILE3=$WORKSPACE/keys/ms_db3.cer -D DB_DEFAULT_FILE4=$WORKSPACE/keys/ms_db4.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin"
  # EDK2's 'build' command doesn't play nice with spaces in environmnent variables, so we can't move the PCDs there...
  source edk2/edksetup.sh
  for BUILD_TYPE in DEBUG RELEASE; do