This no longer works and is not maintained and tested.
Signed-off-by: Anuj Mittal <anuj.mit...@intel.com>
---
classes/uefi-comboapp.bbclass | 151 ---------------
classes/uefi-sign.bbclass | 50 -----
conf/include/maintainers.inc | 4 -
lib/oeqa/selftest/cases/secureboot.py | 176 ------------------
...mf-RefkitTestCA-TEST-UEFI-SecureBoot.patch | 129 -------------
.../ovmf/ovmf-shell-image-enrollkeys.bb | 13 --
recipes-core/ovmf/ovmf_%.bbappend | 6 -
recipes-selftest/images/files/incorrect.crt | 19 --
recipes-selftest/images/files/incorrect.key | 27 ---
recipes-selftest/images/files/refkit-db.crt | 18 --
recipes-selftest/images/files/refkit-db.key | 28 ---
.../secureboot-selftest-image-signed.bb | 6 -
.../secureboot-selftest-image-unsigned.bb | 20 --
.../sbsigntool/sbsigntool-native_git.bb | 83 ---------
...build-dependencies-for-cross-compili.patch | 54 ------
15 files changed, 784 deletions(-)
delete mode 100644 classes/uefi-comboapp.bbclass
delete mode 100644 classes/uefi-sign.bbclass
delete mode 100644 lib/oeqa/selftest/cases/secureboot.py
delete mode 100644
recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
delete mode 100644 recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
delete mode 100644 recipes-core/ovmf/ovmf_%.bbappend
delete mode 100644 recipes-selftest/images/files/incorrect.crt
delete mode 100644 recipes-selftest/images/files/incorrect.key
delete mode 100644 recipes-selftest/images/files/refkit-db.crt
delete mode 100644 recipes-selftest/images/files/refkit-db.key
delete mode 100644 recipes-selftest/images/secureboot-selftest-image-signed.bb
delete mode 100644
recipes-selftest/images/secureboot-selftest-image-unsigned.bb
delete mode 100644 recipes-support/sbsigntool/sbsigntool-native_git.bb
delete mode 100644
recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
diff --git a/classes/uefi-comboapp.bbclass b/classes/uefi-comboapp.bbclass
deleted file mode 100644
index a05e0ca0..00000000
--- a/classes/uefi-comboapp.bbclass
+++ /dev/null
@@ -1,151 +0,0 @@
-# This class brings a more generic version of the UEFI combo app from refkit
to meta-intel.
-# It uses a combo file, containing kernel, initramfs and
-# command line, presented to the BIOS as UEFI application, by prepending
-# it with the efi stub obtained from systemd-boot.
-
-# Don't add syslinux or build an ISO
-PCBIOS:forcevariable = "0"
-NOISO:forcevariable = "1"
-
-# image-live.bbclass will default INITRD_LIVE to the image INITRD_IMAGE
creates.
-# We want behavior to be consistent whether or not "live" is in IMAGE_FSTYPES,
so
-# we default INITRD_LIVE to the INITRD_IMAGE as well.
-INITRD_IMAGE ?= "core-image-minimal-initramfs"
-INITRD_LIVE ?= " ${@ ('${DEPLOY_DIR_IMAGE}/' + d.getVar('INITRD_IMAGE',
expand=True) + '-${MACHINE}.cpio.gz') if d.getVar('INITRD_IMAGE', True) else
''}"
-
-do_uefiapp[depends] += " \
- intel-microcode:do_deploy \
- systemd-boot:do_deploy \
- virtual/kernel:do_deploy \
- "
-
-# INITRD_IMAGE is added to INITRD_LIVE, which we use to create our initrd, so
depend on it if it is set
-do_uefiapp[depends] += "${@ '${INITRD_IMAGE}:do_image_complete' if
d.getVar('INITRD_IMAGE') else ''}"
-
-# The image does without traditional bootloader.
-# In its place, instead, it uses a single UEFI executable binary, which is
-# composed by:
-# - an UEFI stub
-# The linux kernel can generate a UEFI stub, however the one from
systemd-boot can fetch
-# the command line from a separate section of the EFI application,
avoiding the need to
-# rebuild the kernel.
-# - the kernel
-# - an initramfs (optional)
-
-def create_uefiapp(d, uuid=None, app_suffix=''):
- import glob, re
- from subprocess import check_call
-
- build_dir = d.getVar('B')
- deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')
- image_link_name = d.getVar('IMAGE_LINK_NAME')
-
- cmdline = '%s/cmdline.txt' % build_dir
- linux = '%s/%s' % (deploy_dir_image, d.getVar('KERNEL_IMAGETYPE'))
- initrd = '%s/initrd' % build_dir
-
- stub_path = '%s/linux*.efi.stub' % deploy_dir_image
- stub = glob.glob(stub_path)[0]
- m = re.match(r"\S*(ia32|x64)(.efi)\S*", os.path.basename(stub))
- app = "boot%s%s%s" % (m.group(1), app_suffix, m.group(2))
- executable = '%s/%s.%s' % (deploy_dir_image, image_link_name, app)
-
- if d.getVar('INITRD_LIVE'):
- with open(initrd, 'wb') as dst:
- for cpio in d.getVar('INITRD_LIVE').split():
- with open(cpio, 'rb') as src:
- dst.write(src.read())
- initrd_cmd = "--add-section .initrd=%s --change-section-vma
.initrd=0x3000000 " % initrd
- else:
- initrd_cmd = ""
-
- root = 'root=PARTUUID=%s' % uuid if uuid else ''
-
- with open(cmdline, 'w') as f:
- f.write('%s %s' % (d.getVar('APPEND'), root))
-
- objcopy_cmd = ("objcopy "
- "--add-section .cmdline=%s --change-section-vma .cmdline=0x30000 "
- "--add-section .linux=%s --change-section-vma .linux=0x40000 "
- "%s %s %s") % \
- (cmdline, linux, initrd_cmd, stub, executable)
-
- check_call(objcopy_cmd, shell=True)
-
-python create_uefiapps () {
- # We must clean up anything that matches the expected output pattern, to
ensure that
- # the next steps do not accidentally use old files.
- import glob
- pattern = d.expand('${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi')
- for old_efi in glob.glob(pattern):
- os.unlink(old_efi)
- uuid = d.getVar('DISK_SIGNATURE_UUID')
- create_uefiapp(d, uuid=uuid)
-}
-
-# This is intentionally split into different parts. This way, derived
-# classes or images can extend the individual parts. We can also use
-# whatever language (shell script or Python) is more suitable.
-python do_uefiapp() {
- bb.build.exec_func('create_uefiapps', d)
-}
-
-do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE
KERNEL_IMAGETYPE IMAGE_LINK_NAME"
-
-uefiapp_deploy_at() {
- dest=$1
- for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
- target=`basename $i`
- target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
- cp --preserve=timestamps -r $i $dest/$target
- done
-}
-
-fakeroot do_uefiapp_deploy() {
- rm -rf ${IMAGE_ROOTFS}/boot/*
- dest=${IMAGE_ROOTFS}/boot/EFI/BOOT
- mkdir -p $dest
- uefiapp_deploy_at $dest
-}
-
-do_uefiapp_deploy[depends] += "${PN}:do_uefiapp
virtual/fakeroot-native:do_populate_sysroot"
-
-
-# This decides when/how we add our tasks to the image
-python () {
- image_fstypes = d.getVar('IMAGE_FSTYPES', True)
- initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True)
-
- # Don't add any of these tasks to initramfs images
- if initramfs_fstypes not in image_fstypes:
- bb.build.addtask('uefiapp', 'do_image', 'do_rootfs', d)
- bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d)
-}
-
-SIGN_AFTER ?= "do_uefiapp"
-SIGN_BEFORE ?= "do_uefiapp_deploy"
-SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}"
-SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi"
-inherit uefi-sign
-
-# Legacy hddimg support below this line
-efi_hddimg_populate() {
- uefiapp_deploy_at "$1"
-}
-
-build_efi_cfg() {
- # The command line is built into the combo app, so this is a null op
- :
-}
-
-populate_kernel:append() {
- # The kernel and initrd are built into the app, so we don't need these
- if [ -f $dest/initrd ]; then
- rm $dest/initrd
- fi
- if [ -f $dest/vmlinuz ]; then
- rm $dest/vmlinuz
- fi
-}
-
-IMAGE_FEATURES[validitems] += "secureboot"
diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass
deleted file mode 100644
index e8f203b9..00000000
--- a/classes/uefi-sign.bbclass
+++ /dev/null
@@ -1,50 +0,0 @@
-# By default, sign all .efi binaries in ${B} after compiling and before
deploying
-SIGNING_DIR ?= "${B}"
-SIGNING_BINARIES ?= "*.efi"
-SIGN_AFTER ?= "do_compile"
-SIGN_BEFORE ?= "do_deploy"
-
-python () {
- import os
- import hashlib
-
- # Ensure that if the signing key or cert change, we rerun the uefiapp
process
- if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
- for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
- filename = d.getVar(varname)
- if filename is None:
- bb.fatal('%s is not set.' % varname)
- if not os.path.isfile(filename):
- bb.fatal('%s=%s is not a file.' % (varname, filename))
- with open(filename, 'rb') as f:
- data = f.read()
- hash = hashlib.sha256(data).hexdigest()
- d.setVar('%s_HASH' % varname, hash)
-
- # Must reparse and thus rehash on file changes.
- bb.parse.mark_dependency(d, filename)
-
- bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'),
d.getVar('SIGN_AFTER'), d)
-
- # Original binary needs to be regenerated if the hash changes since we
overwrite it
- # SIGN_AFTER isn't necessarily when it gets generated, but its our
best guess
- d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps',
'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
-}
-
-do_uefi_sign() {
- if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT}
]; then
- for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
- sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert
${SECURE_BOOT_SIGNING_CERT} $i
- sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
- mv $i.signed $i
- done
- fi
-}
-
-do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
-
-do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
- SECURE_BOOT_SIGNING_KEY_HASH \
- SIGNING_BINARIES SIGNING_DIR \
- SIGN_BEFORE SIGN_AFTER \
- "
diff --git a/conf/include/maintainers.inc b/conf/include/maintainers.inc
index 990fbb08..3403b6b6 100644
--- a/conf/include/maintainers.inc
+++ b/conf/include/maintainers.inc
@@ -46,10 +46,6 @@ RECIPE_MAINTAINER:pn-openvino-inference-engine = "Anuj
Mittal <anuj.mittal@intel
RECIPE_MAINTAINER:pn-openvino-model-optimizer = "Anuj Mittal
<anuj.mit...@intel.com>"
RECIPE_MAINTAINER:pn-openvkl = "Naveen Saini <naveen.kumar.sa...@intel.com>"
RECIPE_MAINTAINER:pn-ospray = "Naveen Saini <naveen.kumar.sa...@intel.com>"
-RECIPE_MAINTAINER:pn-ovmf-shell-image-enrollkeys = "Naveen Saini
<naveen.kumar.sa...@intel.com>"
RECIPE_MAINTAINER:pn-rkcommon = "Naveen Saini <naveen.kumar.sa...@intel.com>"
-RECIPE_MAINTAINER:pn-sbsigntool-native = "Anuj Mittal <anuj.mit...@intel.com>"
-RECIPE_MAINTAINER:pn-secureboot-selftest-image-signed = "Anuj Mittal
<anuj.mit...@intel.com>"
-RECIPE_MAINTAINER:pn-secureboot-selftest-image-unsigned = "Anuj Mittal
<anuj.mit...@intel.com>"
RECIPE_MAINTAINER:pn-thermald = "Anuj Mittal <anuj.mit...@intel.com>"
RECIPE_MAINTAINER:pn-xf86-video-ast = "Anuj Mittal <anuj.mit...@intel.com>"
diff --git a/lib/oeqa/selftest/cases/secureboot.py
b/lib/oeqa/selftest/cases/secureboot.py
deleted file mode 100644
index 4c059e25..00000000
--- a/lib/oeqa/selftest/cases/secureboot.py
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env python
-# ex:ts=4:sw=4:sts=4:et
-# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
-#
-# Copyright (c) 2017, Intel Corporation.
-# All rights reserved.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# AUTHORS
-# Mikko Ylinen <mikko.yli...@linux.intel.com>
-#
-# Based on meta/lib/oeqa/selftest/* and meta-refkit/lib/oeqa/selftest/*
-
-"""Test cases for secure boot with QEMU running OVMF."""
-
-import os
-import unittest
-import re
-import glob
-from shutil import rmtree, copy
-
-from oeqa.core.decorator.depends import OETestDepends
-from oeqa.selftest.case import OESelftestTestCase
-from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars,
runqemu
-
-class SecureBootTests(OESelftestTestCase):
- """Secure Boot test class."""
-
- ovmf_keys_enrolled = False
- ovmf_qemuparams = ''
- ovmf_dir = ''
- test_image_unsigned = 'secureboot-selftest-image-unsigned'
- test_image_signed = 'secureboot-selftest-image-signed'
- correct_key = 'refkit-db'
- incorrect_key = 'incorrect'
-
- @classmethod
- def setUpLocal(self):
-
- if not SecureBootTests.ovmf_keys_enrolled:
- bitbake('ovmf ovmf-shell-image-enrollkeys', output_log=self.logger)
-
- bb_vars = get_bb_vars(['TMPDIR', 'DEPLOY_DIR_IMAGE'])
-
- SecureBootTests.ovmf_dir = os.path.join(bb_vars['TMPDIR'],
'oeselftest', 'secureboot', 'ovmf')
- bb.utils.mkdirhier(SecureBootTests.ovmf_dir)
-
- # Copy (all) OVMF in a temporary location
- for src in glob.glob('%s/ovmf.*' % bb_vars['DEPLOY_DIR_IMAGE']):
- copy(src, SecureBootTests.ovmf_dir)
-
- SecureBootTests.ovmf_qemuparams = '-drive
if=pflash,format=qcow2,file=%s/ovmf.secboot.qcow2' % SecureBootTests.ovmf_dir
-
- cmd = ("runqemu "
- "qemuparams='%s' "
- "ovmf-shell-image-enrollkeys wic intel-corei7-64 "
- "nographic slirp") % SecureBootTests.ovmf_qemuparams
- print('Running "%s"' % cmd)
- status = runCmd(cmd)
-
- if not re.search('info: success', status.output, re.M):
- self.fail('Failed to enroll keys. EFI shell log:\n%s' %
status.output)
- else:
- # keys enrolled in ovmf.secboot.vars
- SecureBootTests.ovmf_keys_enrolled = True
-
- @classmethod
- def tearDownLocal(self):
- # Seems this is mandatory between the tests (a signed image is booted
- # when running test_boot_unsigned_image after test_boot_signed_image).
- # bitbake('-c clean %s' % test_image, output_log=self.logger)
- #
- # Whatever the problem was, it no longer seems to be necessary, so
- # we can skip the time-consuming clean + full rebuild (5:04 min instead
- # of 6:55min here).
- pass
-
- @classmethod
- def tearDownClass(self):
- bitbake('ovmf-shell-image-enrollkeys:do_cleanall',
output_log=self.logger)
- rmtree(self.ovmf_dir, ignore_errors=True)
-
- def secureboot_with_image(self, boot_timeout=300, signing_key=None):
- """Boot the image with UEFI SecureBoot enabled and see the result. """
-
- config = ""
-
- if signing_key:
- test_image = self.test_image_signed
- config += 'SECURE_BOOT_SIGNING_KEY = "${THISDIR}/files/%s.key"\n'
% signing_key
- config += 'SECURE_BOOT_SIGNING_CERT = "${THISDIR}/files/%s.crt"\n'
% signing_key
- else:
- test_image = self.test_image_unsigned
-
- self.write_config(config)
- bitbake(test_image, output_log=self.logger)
- self.remove_config(config)
-
- # Some of the cases depend on the timeout to expire. Allow overrides
- # so that we don't have to wait 1000s which is the default.
- overrides = {
- 'TEST_QEMUBOOT_TIMEOUT': boot_timeout,
- }
-
- print('Booting %s' % test_image)
-
- try:
- with runqemu(test_image, ssh=False,
- runqemuparams='nographic slirp',
- qemuparams=self.ovmf_qemuparams,
- overrides=overrides,
- image_fstype='wic') as qemu:
-
- cmd = 'uname -a'
-
- status, output = qemu.run_serial(cmd)
-
- self.assertTrue(status, 'Could not run \'uname -a\'
(status=%s):\n%s' % (status, output))
-
- # if we got this far without a correctly signed image,
something went wrong
- if signing_key != self.correct_key:
- self.fail('The image not give a Security violation when
expected. Boot log:\n%s' % output)
-
-
- except Exception:
-
- # Currently runqemu() fails if 'login:' prompt is not seen and it's
- # not possible to login as 'root'. Those conditions aren't met when
- # booting to EFI shell (See [YOCTO #11438]). We catch the failure
- # and parse the boot log to determine the success. Note: the
- # timeout triggers verbose bb.error() but that's normal with some
- # of the test cases.
-
- workdir = get_bb_var('WORKDIR', test_image)
- bootlog = "%s/testimage/qemu_boot_log" % workdir
-
- with open(bootlog, "r") as log:
-
- # This isn't right but all we can do at this point. The right
- # approach would run commands in the EFI shell to determine
- # the BIOS rejects unsigned and/or images signed with keys in
- # dbx key store but that needs changes in oeqa framework.
-
- output = log.read()
-
- # PASS if we see a security violation on unsigned or
incorrectly signed images, otherwise fail
- if signing_key == self.correct_key:
- self.fail('Correctly signed image failed to boot. Boot
log:\n%s' % output)
- elif not re.search('Security Violation', output):
- self.fail('The image not give a Security violation when
expected. Boot log:\n%s' % output)
-
- def test_boot_unsigned_image(self):
- """ Boot unsigned image with secureboot enabled in UEFI."""
- self.secureboot_with_image(boot_timeout=120, signing_key=None)
-
- @OETestDepends(['secureboot.SecureBootTests.test_boot_unsigned_image'])
- def test_boot_incorrectly_signed_image(self):
- """ Boot (correctly) signed image with secureboot enabled in UEFI."""
- self.secureboot_with_image(boot_timeout=120,
signing_key=self.incorrect_key)
-
-
@OETestDepends(['secureboot.SecureBootTests.test_boot_incorrectly_signed_image'])
- def test_boot_correctly_signed_image(self):
- """ Boot (correctly) signed image with secureboot enabled in UEFI."""
- self.secureboot_with_image(boot_timeout=150,
signing_key=self.correct_key)
diff --git
a/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
deleted file mode 100644
index 7eb3bc69..00000000
--- a/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From b2099e7184d48a6d05c8713b6fd5dac0e2e70963 Mon Sep 17 00:00:00 2001
-From: Mikko Ylinen <mikko.yli...@linux.intel.com>
-Date: Wed, 2 Mar 2022 10:55:35 +0800
-Subject: [PATCH] ovmf: RefkitTestCA: TEST UEFI SecureBoot
-
-This patch adds refkit-db.cer (via xxd -i) in OVMF's db
-signature database when used with EnrollDefaultKeys EFI
-application. It's used for testing purposes only.
-
-Images signed with refkit-db keys are allowed to boot.
-
-Upstream-Status: Inappropriate
-
-Signed-off-by: Mikko Ylinen <mikko.yli...@linux.intel.com>
-Signed-off-by: Naveen Saini <naveen.kumar.sa...@intel.com>
----
- OvmfPkg/EnrollDefaultKeys/AuthData.c | 69 +++++++++++++++++++
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 3 +
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 +
- 3 files changed, 74 insertions(+)
-
-diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c
b/OvmfPkg/EnrollDefaultKeys/AuthData.c
-index 53ee7f7003..127131cd05 100644
---- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
-+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
-@@ -395,6 +395,75 @@ CONST UINT8 mMicrosoftUefiCa[] = {
-
- CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
-
-+CONST UINT8 mRefkitTestCA[] = {
-+ 0x30, 0x82, 0x02, 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01,
-+ 0x02, 0x02, 0x09, 0x00, 0xd4, 0xf6, 0x48, 0xc2, 0x68, 0x19, 0x91, 0xac,
-+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-+ 0x0b, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55,
-+ 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64,
-+ 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x30, 0x31,
-+ 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34,
-+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x30, 0x14, 0x31,
-+ 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65,
-+ 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, 0x62, 0x30, 0x82, 0x01, 0x22, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
-+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
-+ 0x82, 0x01, 0x01, 0x00, 0xb4, 0x1c, 0x22, 0xa6, 0x22, 0x01, 0x57, 0xcd,
-+ 0xf1, 0x4f, 0xaf, 0x72, 0xe3, 0xd9, 0x01, 0x80, 0x50, 0x55, 0xef, 0x02,
-+ 0x5e, 0xeb, 0x99, 0x35, 0xcb, 0x7f, 0x2a, 0x79, 0xff, 0xb5, 0x3e, 0xec,
-+ 0x5d, 0x92, 0x06, 0x30, 0x20, 0xe7, 0x95, 0xad, 0xa4, 0x84, 0x2e, 0x3f,
-+ 0xfa, 0xd7, 0x46, 0xdd, 0x49, 0xa8, 0xe8, 0xe3, 0x79, 0x49, 0xf6, 0x8f,
-+ 0x0b, 0x1d, 0xfe, 0x63, 0xa8, 0xd1, 0x63, 0xa3, 0xd6, 0x0d, 0x4e, 0x6c,
-+ 0x66, 0x5c, 0xd6, 0x66, 0x26, 0xd1, 0x26, 0x98, 0xd4, 0x4f, 0x76, 0xc9,
-+ 0x65, 0x48, 0x58, 0x13, 0x08, 0x31, 0xbc, 0xe5, 0x47, 0x25, 0x65, 0x95,
-+ 0x39, 0x89, 0x5f, 0x02, 0xf1, 0xc5, 0x06, 0x17, 0x58, 0xca, 0x09, 0xfd,
-+ 0xf6, 0x1e, 0xc5, 0x97, 0xda, 0xa3, 0x4e, 0x1a, 0x48, 0xbe, 0xcf, 0x96,
-+ 0x27, 0x04, 0x4b, 0xb7, 0x6d, 0x67, 0xb6, 0x50, 0x18, 0x04, 0x73, 0x51,
-+ 0xd2, 0x6a, 0x2d, 0xdf, 0x3b, 0xab, 0xf2, 0x2d, 0x95, 0xd7, 0xa8, 0xb8,
-+ 0xa8, 0x30, 0xa1, 0xab, 0x8b, 0x92, 0x2b, 0x60, 0x3e, 0x3a, 0xe5, 0x86,
-+ 0x40, 0x71, 0xc1, 0x3f, 0x2d, 0x2e, 0x90, 0xe7, 0xd6, 0xec, 0xcc, 0xc2,
-+ 0x0b, 0x79, 0x83, 0x71, 0x6d, 0xf6, 0xa3, 0xa9, 0x4c, 0xcd, 0x46, 0x81,
-+ 0xdc, 0xef, 0xec, 0x51, 0xbe, 0x81, 0x2a, 0xf1, 0x78, 0x73, 0x41, 0xdb,
-+ 0x54, 0xce, 0x7c, 0xce, 0xa2, 0xe3, 0x90, 0x4f, 0x45, 0x1a, 0xf9, 0x3d,
-+ 0x88, 0xfc, 0x0e, 0xed, 0xd3, 0x69, 0x22, 0x4c, 0xfa, 0x0a, 0x69, 0xd1,
-+ 0x48, 0xc0, 0xaa, 0xa9, 0x3a, 0xb3, 0x8f, 0x10, 0x3a, 0x76, 0xa8, 0x0c,
-+ 0x7a, 0x3d, 0xd8, 0x79, 0xce, 0x1c, 0x96, 0x62, 0xf4, 0x06, 0xee, 0x47,
-+ 0xe8, 0xe0, 0x69, 0x91, 0xae, 0xea, 0x34, 0xcf, 0xda, 0xa8, 0xb4, 0x39,
-+ 0x5e, 0xf3, 0x7a, 0xd0, 0x88, 0x48, 0x47, 0x69, 0x02, 0x03, 0x01, 0x00,
-+ 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
-+ 0x04, 0x16, 0x04, 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b,
-+ 0x1a, 0x9f, 0x46, 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd,
-+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
-+ 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, 0x1a, 0x9f, 0x46,
-+ 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, 0x30, 0x0c, 0x06,
-+ 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
-+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
-+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xd2, 0x84, 0x7c, 0x43,
-+ 0x47, 0xca, 0x6b, 0xfd, 0x87, 0x83, 0xd0, 0xef, 0x75, 0xd3, 0x20, 0x52,
-+ 0x73, 0x18, 0xaa, 0x32, 0x71, 0xfb, 0xa5, 0xf4, 0xc9, 0x11, 0xa3, 0x68,
-+ 0x4d, 0xb7, 0x9d, 0xe6, 0xd9, 0x46, 0x24, 0xdc, 0xc7, 0xc2, 0x3b, 0xf9,
-+ 0xb0, 0x98, 0xfc, 0xee, 0x34, 0x6e, 0x10, 0x9b, 0x3d, 0x44, 0x6e, 0x33,
-+ 0x09, 0x11, 0xb8, 0x29, 0xd6, 0x2d, 0x06, 0xcf, 0x67, 0x8f, 0x96, 0x85,
-+ 0x9d, 0x63, 0x72, 0xbf, 0x64, 0x5f, 0x0d, 0xe3, 0xc9, 0x63, 0x19, 0x71,
-+ 0xd4, 0x7d, 0x4c, 0x9c, 0x77, 0x46, 0xda, 0x20, 0x97, 0x6d, 0xbc, 0xdd,
-+ 0xc2, 0x1f, 0xf3, 0x40, 0x38, 0x1e, 0xe7, 0xcc, 0x55, 0x05, 0x72, 0xba,
-+ 0x24, 0x4f, 0xb3, 0x8a, 0x93, 0x0c, 0x30, 0x60, 0xda, 0x9f, 0x6f, 0x35,
-+ 0xf6, 0xfb, 0xb0, 0x1f, 0xb3, 0x00, 0xdd, 0xc4, 0xa6, 0xbc, 0xe2, 0x37,
-+ 0xc1, 0xa3, 0xef, 0xd9, 0xa1, 0x86, 0xf9, 0xeb, 0xa4, 0xa5, 0x45, 0x38,
-+ 0xff, 0x4e, 0x87, 0x4a, 0x41, 0xcf, 0x6e, 0x69, 0x7e, 0x97, 0xbe, 0x2d,
-+ 0x22, 0xbc, 0x8d, 0xa0, 0x1a, 0x21, 0x8f, 0x4b, 0x72, 0x90, 0x01, 0x5c,
-+ 0xba, 0xa5, 0x9c, 0x2d, 0xd7, 0x25, 0x24, 0xfc, 0xff, 0x5c, 0x58, 0x14,
-+ 0x46, 0x30, 0x09, 0x7c, 0x55, 0x64, 0x83, 0x0b, 0xb9, 0xdf, 0xcf, 0x25,
-+ 0xee, 0xec, 0xf7, 0xcb, 0xdb, 0xd1, 0x5b, 0x93, 0x93, 0xc8, 0x8a, 0x10,
-+ 0x46, 0xb8, 0xb0, 0x35, 0x1c, 0x6c, 0x0d, 0x8f, 0x03, 0x6a, 0x8f, 0x1b,
-+ 0x36, 0x68, 0xf3, 0x53, 0x89, 0x36, 0x5b, 0x21, 0x80, 0xde, 0xe3, 0x92,
-+ 0x52, 0x94, 0x97, 0x9d, 0x49, 0x89, 0x7d, 0x3e, 0xde, 0x29, 0x51, 0xba,
-+ 0x11, 0xf7, 0xba, 0x01, 0xf7, 0xab, 0xea, 0xc1, 0xa7, 0x2e, 0xa3, 0x4d,
-+ 0x65, 0xfd, 0x40, 0x71, 0xf1, 0xe2, 0x3f, 0x6c, 0x28, 0xcb, 0xd3
-+};
-+
-+CONST UINTN mSizeOfRefkitTestCA = sizeof mRefkitTestCA;
-+
- //
- // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test
case
- // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-index 094e4c821b..0a7eef54dc 100644
---- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-@@ -702,6 +702,9 @@ ShellAppMain (
- mMicrosoftUefiCa,
- mSizeOfMicrosoftUefiCa,
- &gMicrosoftVendorGuid,
-+ mRefkitTestCA,
-+ mSizeOfRefkitTestCA,
-+ &gEfiCallerIdGuid,
- NULL
- );
- }
-diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
-index 56da9c71d6..8de1dfe4e0 100644
---- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
-+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
-@@ -133,4 +133,6 @@ extern CONST UINTN mSizeOfMicrosoftUefiCa;
- extern CONST UINT8 mSha256OfDevNull[];
- extern CONST UINTN mSizeOfSha256OfDevNull;
-
-+extern CONST UINT8 mRefkitTestCA[];
-+extern CONST UINTN mSizeOfRefkitTestCA;
- #endif /* ENROLL_DEFAULT_KEYS_H_ */
---
-2.17.1
-
diff --git a/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
deleted file mode 100644
index ca3cfc15..00000000
--- a/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-require recipes-core/ovmf/ovmf-shell-image.bb
-
-WKS_SEARCH_PATH:append = ":${COREBASE}/meta/recipes-core/ovmf"
-
-QB_DRIVE_TYPE = "/dev/vd"
-
-do_image:append() {
- cat > ${IMAGE_ROOTFS}/startup.nsh << EOF
-EnrollDefaultKeys
-reset
-EOF
-
-}
diff --git a/recipes-core/ovmf/ovmf_%.bbappend
b/recipes-core/ovmf/ovmf_%.bbappend
deleted file mode 100644
index 34a9dd1b..00000000
--- a/recipes-core/ovmf/ovmf_%.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-FILESEXTRAPATHS:prepend:intel-x86-common := "${THISDIR}/files:"
-
-SRC_URI:append:intel-x86-common = " \
- file://0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch \
-"
-PACKAGECONFIG:append:intel-x86-common = " secureboot"
diff --git a/recipes-selftest/images/files/incorrect.crt
b/recipes-selftest/images/files/incorrect.crt
deleted file mode 100644
index 3a2411ab..00000000
--- a/recipes-selftest/images/files/incorrect.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIJAIYXAHv3cQNjMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
-BAMMEFRlc3QgWW9jdG8gdGhpbmcwHhcNMTcwMTI1MjI1MjI3WhcNMTgwMTI1MjI1
-MjI3WjAbMRkwFwYDVQQDDBBUZXN0IFlvY3RvIHRoaW5nMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXD
-SwDVXNWfiKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoeh
-T51gkuTfv7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE
-31hLOkCFb+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk
-/6q5kqNhyrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4
-GqpqeFOPqxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABo1AwTjAdBgNV
-HQ4EFgQURA8KbgpiGfS2+7MT0H5AvpxeYLowHwYDVR0jBBgwFoAURA8KbgpiGfS2
-+7MT0H5AvpxeYLowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9n+
-9T+hlM2kEpsUgtyihEJbGHzbw+Pj11b0ICntCVuPKewtBMveYp8lejrQwMFNGRMt
-ZQe1LFb9HcLeM3MLUz9Lm4BJIjkey3Jfq1AskROYk/bJnFIJIx6P3U9gBa20P46X
-LH3g6yub1HR7KZC9nfBsak3FPoJR/SYTJs0HsMeL4878+2IbETA4BL0kbKW48FFW
-jF4f6don0eiaF8b4KkfbWKrCaEm+LMxbyBEQ6fIb1cmGY8A9A5houjmgi6YWSkoi
-SLpOC9TZ2R51fO9rRsv7XwLK0V9o9YaEYPBg6V/TeJl5nxAZBeVTKVTQbBGZY+l2
-nzN0pKsl7RXLf3SRYA==
------END CERTIFICATE-----
diff --git a/recipes-selftest/images/files/incorrect.key
b/recipes-selftest/images/files/incorrect.key
deleted file mode 100644
index d05475b6..00000000
--- a/recipes-selftest/images/files/incorrect.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXDSwDVXNWf
-iKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoehT51gkuTf
-v7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE31hLOkCF
-b+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk/6q5kqNh
-yrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4GqpqeFOP
-qxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABAoIBAQCEtAox86s9N6d2
-164z3998Zmj3UyL+7K9x6JI2YvMabBSYGOeaLOLRj6fjQxdC63H8brBM958p4di7
-Z82XMco4Dok6yoOeJ+hMLYv+gfGvTJxy7DhyVXsSwok99axg9vUsV3TYw3wSdpNF
-EKLkcUldpu0W2ADBHUr4sLI85xctHH3Kt0sNDzhgADFa5rDYACXTKHtFOhEqBIwN
-FmbuRQirnErUkI3Pczgl2Xy1MlaozH9CB+bLAb5q2FYu4DKgjl4UorC+w2HV41KH
-XoL7L36XXqLRHBfEAwOWb8yro+TK8T7gW7aagTI1wgsbbQkjQmOHxclmJACdMOiJ
-DjPeR0GBAoGBAO7i2eaEoKa9QlKokN+93uOJD/F6DBi6jF0vGOqWlF8AVTj3kGL3
-X8fY/avrSlg7hKZWdei+Q5PyZViKxqmHjq781ZisKck52Tqz4s7ylqRXSgStinZr
-UqrkShCqZ3g1W91gIeVPQz0/b+gBskoHzQ5WQHfV5v9S1PaxjzcYtCrRAoGBAMea
-LcA2jjuEjqxa5v5fh8ygcHasJMRKJxW1OCKiQ94DjjzPsdVqZ1sJZChLW/N3nxe7
-wHlNJmsGbJ2w1zD5+qkkPjLq5Q4B5KAd62NNrWaEHFdEc/PPkn4xP7Zkfuu5K+m2
-7z/MF4ibvVh9PvD3HY8FWKEtkqB4rfD8AoUOVd4ZAoGAXxXAsfa8k2Hl0kzyTXyg
-CWV3CSERS46FbFngyw9gw2e4hFJWEG5ym3ONlS60iuY16JelmxyQfYUQPewPI0+n
-xZMx2fE9OLFj+++6KbF5sLRl6/K/mF8jqo3vxS5uvPRQOo+XLlUcaHalrm1ub/Um
-87v1MT3dEmgACKmoXb/hhuECgYAZluiapePiOYJZEmZe4jx0vXTtofAswhz0qYEC
-3663vdj0buQrqjKJ91BB4jdtpT5eOpHYe02blv1B0jQkcUfze1QGDxtCineXF37g
-Aktiwzkm7v22mjv7tbCnX4buDZVVp0BQ+4dg2iaSO6xgFC5T8amFMGSF8jLKnGRu
-ToIvsQKBgADBTse2vnI85NRsYq48ztQuIU2zlGXIAcoPSvGb8Vhty/joc0jWcI5P
-raGXBARbuVlcEapK3mDRfO0CQjDaTPK4EYYJwGp8k33Hkkcbgs4kfm308jRsclMr
-YeMwQsYyOv45x4iPCwrqZEhpPDvACBi7DB6QvZ0++vJbobTt1jyi
------END RSA PRIVATE KEY-----
diff --git a/recipes-selftest/images/files/refkit-db.crt
b/recipes-selftest/images/files/refkit-db.crt
deleted file mode 100644
index 22ad6a89..00000000
--- a/recipes-selftest/images/files/refkit-db.crt
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+zCCAeOgAwIBAgIJANT2SMJoGZGsMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-BAMMCXJlZmtpdC1kYjAeFw0xNzA0MjAxMjA2MzJaFw0xODA0MjAxMjA2MzJaMBQx
-EjAQBgNVBAMMCXJlZmtpdC1kYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALQcIqYiAVfN8U+vcuPZAYBQVe8CXuuZNct/Knn/tT7sXZIGMCDnla2khC4/
-+tdG3Umo6ON5SfaPCx3+Y6jRY6PWDU5sZlzWZibRJpjUT3bJZUhYEwgxvOVHJWWV
-OYlfAvHFBhdYygn99h7Fl9qjThpIvs+WJwRLt21ntlAYBHNR0mot3zur8i2V16i4
-qDChq4uSK2A+OuWGQHHBPy0ukOfW7MzCC3mDcW32o6lMzUaB3O/sUb6BKvF4c0Hb
-VM58zqLjkE9FGvk9iPwO7dNpIkz6CmnRSMCqqTqzjxA6dqgMej3Yec4clmL0Bu5H
-6OBpka7qNM/aqLQ5XvN60IhIR2kCAwEAAaNQME4wHQYDVR0OBBYEFGhgESWFFHgb
-Gp9GEuYh5O/7O6rdMB8GA1UdIwQYMBaAFGhgESWFFHgbGp9GEuYh5O/7O6rdMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ShHxDR8pr/YeD0O910yBS
-cxiqMnH7pfTJEaNoTbed5tlGJNzHwjv5sJj87jRuEJs9RG4zCRG4KdYtBs9nj5aF
-nWNyv2RfDePJYxlx1H1MnHdG2iCXbbzdwh/zQDge58xVBXK6JE+zipMMMGDan281
-9vuwH7MA3cSmvOI3waPv2aGG+eukpUU4/06HSkHPbml+l74tIryNoBohj0tykAFc
-uqWcLdclJPz/XFgURjAJfFVkgwu5388l7uz3y9vRW5OTyIoQRriwNRxsDY8Dao8b
-NmjzU4k2WyGA3uOSUpSXnUmJfT7eKVG6Efe6Afer6sGnLqNNZf1AcfHiP2woy9M=
------END CERTIFICATE-----
diff --git a/recipes-selftest/images/files/refkit-db.key
b/recipes-selftest/images/files/refkit-db.key
deleted file mode 100644
index 4b54587e..00000000
--- a/recipes-selftest/images/files/refkit-db.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0HCKmIgFXzfFP
-r3Lj2QGAUFXvAl7rmTXLfyp5/7U+7F2SBjAg55WtpIQuP/rXRt1JqOjjeUn2jwsd
-/mOo0WOj1g1ObGZc1mYm0SaY1E92yWVIWBMIMbzlRyVllTmJXwLxxQYXWMoJ/fYe
-xZfao04aSL7PlicES7dtZ7ZQGARzUdJqLd87q/ItldeouKgwoauLkitgPjrlhkBx
-wT8tLpDn1uzMwgt5g3Ft9qOpTM1Ggdzv7FG+gSrxeHNB21TOfM6i45BPRRr5PYj8
-Du3TaSJM+gpp0UjAqqk6s48QOnaoDHo92HnOHJZi9AbuR+jgaZGu6jTP2qi0OV7z
-etCISEdpAgMBAAECggEAbtXplKbUgL4hQ9JKN2Cxhc7qMv0YgI92BVaqQw1S8ffu
-1Q+tynH5MDRPi06gBJ59SvkA6AsZsvrv8nM7zQWd9ZKh+aLHk1X04upOgDoW9JiX
-FV/txlslTUrs/ohIMfsgCrweNXvUSTXZobIi8s8QHyipE4HpXMFjjZYHIV7GTlgA
-PRgGu3NygbWfR8hcx5JtzVz/jka7FFFSbk/pMr0TeJHXP55VfqWLeeSBQmWwooj2
-QcRfqMXgLKgu6uEggaP5HMcfTuWgWNhbke/596CgsUtQ5Gg64Q6v7cKcPy0/lgn1
-PnvfT9uhgEFDLNFkSBxV3ImrNYo73Nqmbp3w5tK9SQKBgQDs/HW7pNnB0LD51qok
-pkX0SBvyKxDT1QuU4z0FY9GT7OKOg8Xa0ZGyErt+ZbyFiyUGF5Axc3rJ3DyGslgu
-5O+AqcpCQOlOyovGQ6ST9x/gEeVcRnZn1MV4vMxwaOSXtY7u0IGyaDlFn1QWHWCN
-imv8OR6YuhivwBIXGzJ16oEqDwKBgQDCj3ls7tlPrLvUQIh8gfjCoInU8fRAqtAe
-Ab/OximLsKQPKLDma6xd+X2Fk8Dowdb88GNT99x3VZjHqVJM9URDkiOGKAXA/rBp
-jAXhnQwahT8YCzOUHqDYNMMQrXHvbiHqLodGrrO2WjYNmH69prQAk8WYAIwl+hdx
-BS70LGLPBwKBgQDU9RinAkBcFjiyieBjBreeCJ50Q5bfhHbf2EOhcE2IbDo6bteB
-Bwmxx3uM3cdHCf6/NrVweqFAfBQ3xlPP8BH4wJrsZoBBOWnZRDfEbzHJnMtK3FbS
-fzTkhmQAL4Ibgh9rIxspQtcUZVSees+k4VqgUIPaIoDEjgizktEJfS2MqQKBgQDA
-rOFtVaRz2PYyHq6LzxMRe3bEIdDn8cEk1kqjdW9TXV07feqiZmNOtXLvRAG4/63u
-1Akp8L6ul2Az6qUMfaBa4nC3vQ7lr9P40qhIZATGhsqS/xTXTPWw55999qZsnL6N
-cgKZpw1mOzRohmqNWnfMUotOGsywF1n7nUyAlyxLJQKBgElTaNTFYF3MbGfhl1He
-fnDXlf8OCOK1i5oIzMLqverb2UN/qp6p0b3SAtcw5cUXcaPlajHrfYgacF/0Qyua
-Cerey9GLEdJ7saDWhz0GyJ8yyEXy8CVs0svVaLPWI0s2B7/obzP9+gTb/WE9qZqu
-bNoVEpJ/wZhk+IL4+KPmqphu
------END PRIVATE KEY-----
diff --git a/recipes-selftest/images/secureboot-selftest-image-signed.bb
b/recipes-selftest/images/secureboot-selftest-image-signed.bb
deleted file mode 100644
index 3ce11f32..00000000
--- a/recipes-selftest/images/secureboot-selftest-image-signed.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-require secureboot-selftest-image-unsigned.bb
-
-IMAGE_FEATURES += "secureboot"
-
-SECURE_BOOT_SIGNING_KEY ?= "${THISDIR}/files/refkit-db.key"
-SECURE_BOOT_SIGNING_CERT ?= "${THISDIR}/files/refkit-db.crt"
diff --git a/recipes-selftest/images/secureboot-selftest-image-unsigned.bb
b/recipes-selftest/images/secureboot-selftest-image-unsigned.bb
deleted file mode 100644
index d0fa6405..00000000
--- a/recipes-selftest/images/secureboot-selftest-image-unsigned.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-require recipes-core/images/core-image-minimal.bb
-
-DEPENDS:remove = "grub-efi"
-
-inherit uefi-comboapp
-
-WKS_FILE = "generic-bootdisk.wks.in"
-
-do_uefiapp_deploy:append() {
- for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
- target=`basename $i`
- target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
-
- cat > ${IMAGE_ROOTFS}/boot/startup.nsh << EOF
-$target
-reset
-EOF
- break
- done
-}
diff --git a/recipes-support/sbsigntool/sbsigntool-native_git.bb
b/recipes-support/sbsigntool/sbsigntool-native_git.bb
deleted file mode 100644
index 5a9f5b4d..00000000
--- a/recipes-support/sbsigntool/sbsigntool-native_git.bb
+++ /dev/null
@@ -1,83 +0,0 @@
-DESCRIPTION = "Utility for signing and verifying files for UEFI Secure Boot"
-LICENSE = "GPL-3.0-only & LGPL-2.1-only & LGPL-3.0-only & MIT"
-
-# sbsigntool statically links to libccan.a which is built with modules
-# passed to "create-ccan-tree" (and their dependencies). Therefore,
-# we also keep track of all the ccan module licenses.
-LIC_FILES_CHKSUM = "file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
- file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
-
file://lib/ccan.git/ccan/endian/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
-
file://lib/ccan.git/ccan/htable/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
-
file://lib/ccan.git/ccan/list/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
-
file://lib/ccan.git/ccan/read_write_all/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1
\
-
file://lib/ccan.git/ccan/talloc/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
-
file://lib/ccan.git/ccan/typesafe_cb/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1
\
-
file://lib/ccan.git/ccan/failtest/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
-
file://lib/ccan.git/ccan/tlist/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
-
file://lib/ccan.git/ccan/time/LICENSE;md5=838c366f69b72c5df05c96dff79b35f2 \
-"
-
-# The original upstream is git://kernel.ubuntu.com/jk/sbsigntool but it has
-# not been maintained and many patches have been backported in this repo.
-SRC_URI =
"git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools;branch=master
\
-
git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan;branch=master
\
-
file://0001-configure-Fixup-build-dependencies-for-cross-compili.patch \
- "
-
-SRCREV_sbsigntools ?= "9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba"
-SRCREV_ccan ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
-SRCREV_FORMAT = "sbsigntools_ccan"
-
-DEPENDS = "binutils-native gnu-efi-native help2man-native openssl-native
util-linux-native"
-
-PV = "0.9.5"
-
-S = "${WORKDIR}/git"
-
-inherit autotools pkgconfig
-inherit native
-
-do_configure:prepend() {
- cd ${S}
-
- sed -i s#RECIPE_SYSROOT#${RECIPE_SYSROOT_NATIVE}#g configure.ac
-
- if [ ! -e lib/ccan ]; then
-
- # Use empty SCOREDIR because 'make scores' is not run.
- # The default setting depends on (non-whitelisted) host tools.
- sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
-
- lib/ccan.git/tools/create-ccan-tree \
- --build-type=automake lib/ccan \
- talloc read_write_all build_assert array_size endian
- fi
-
- # Create generatable docs from git
- (
- echo "Authors of sbsigntool:"
- echo
- git log --format='%an' | sort -u | sed 's,^,\t,'
- ) > AUTHORS
-
- # Generate simple ChangeLog
- git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
-
- cd ${B}
-}
-
-def efi_arch(d):
- import re
- harch = d.getVar("HOST_ARCH")
- if re.match("i[3456789]86", harch):
- return "ia32"
- return harch
-
-EXTRA_OEMAKE = "\
- INCLUDES+='-I${S}/lib/ccan.git/ \
- -I${STAGING_INCDIR_NATIVE}/efi \
- -I${STAGING_INCDIR_NATIVE} \
- -I${STAGING_INCDIR_NATIVE}/efi/${@efi_arch(d)}' \
- "
-
-CFLAGS:append = " -Wno-error"
diff --git
a/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
b/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
deleted file mode 100644
index ea7bee29..00000000
---
a/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From c3533b8da1e1425801d2fc0bcd231e13d593f16b Mon Sep 17 00:00:00 2001
-From: Ricardo Neri <ricardo.neri-calde...@linux.intel.com>
-Date: Tue, 19 Feb 2019 20:07:45 +0800
-Subject: [PATCH] configure: Fixup build dependencies for cross-compiling
-
-When cross-compiling, custom header files and libraries need to be
-specified. sbsign assumes that all the dependencies are located
-under /usr/include and /usr/lib.
-
-Prepend these paths with a placeholder that can be replaced with the
-actual paths once they are resolved.
-
-Upstream-Status: Inappropriate [OE specific]
-
-Signed-off-by: Ricardo Neri <ricardo.neri-calde...@linux.intel.com>
-
-Taken from :
-https://github.com/intel/luv-yocto/tree/master/meta-luv/recipes-devtools/sbsigntool/sbsigntool
-
-Corrected typo error and ported to version 0.9.2
-
-Signed-off-by: Naveen Saini <naveen.kumar.sa...@intel.com>
----
- configure.ac | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 1459e91..3e34c8d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -70,7 +70,10 @@ AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" =
"arm" -o "$EFI_ARCH" = "
- ##
- # no consistent view of where gnu-efi should dump the efi stuff, so find it
- ##
--for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi
/usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
-+for path in RECIPE_SYSROOT/lib RECIPE_SYSROOT/lib64 RECIPE_SYSROOT/usr/lib \
-+ RECIPE_SYSROOT/usr/lib64 RECIPE_SYSROOT/usr/lib32 \
-+ RECIPE_SYSROOT/lib/efi RECIPE_SYSROOT/lib64/efi \
-+ RECIPE_SYSROOT/usr/lib/efi RECIPE_SYSROOT/usr/lib64/efi; do
- if test -e $path/crt0-efi-$EFI_ARCH.o; then
- CRTPATH=$path
- fi
-@@ -79,7 +82,7 @@ if test -z "$CRTPATH"; then
- AC_MSG_ERROR([cannot find the gnu-efi crt path])
- fi
-
--EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
-+EFI_CPPFLAGS="-IRECIPE_SYSROOT/usr/include/efi
-IRECIPE_SYSROOT/usr/include/efi/$EFI_ARCH \
- -DEFI_FUNCTION_WRAPPER"
- CPPFLAGS_save="$CPPFLAGS"
- CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
---
-2.7.4
-
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#8340):
https://lists.yoctoproject.org/g/meta-intel/message/8340
Mute This Topic: https://lists.yoctoproject.org/mt/106381864/21656
Group Owner: meta-intel+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/meta-intel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
