
[isar-cip-core,6/8] change ebg sb signer and secrets to pk kek db

Message ID 20221120204711.5826-7-sven.schultschik@siemens.com (mailing list archive)
State Handled Elsewhere
Series Secureboot on QEMU with EDK2, OP-TEE and RPMB | expand

Commit Message

Schultschik, Sven Nov. 20, 2022, 8:47 p.m. UTC
From: Sven Schultschik <sven.schultschik@siemens.com>

The secure boot setup with OP-TEE, u-boot and EFI works with a platform key (pk), key exchange key (kek) and signature database (db). isar-cip-core should only provide one secure boot solution and so the key structure and setup needed to be adjusted.

Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
 .../files/sign_secure_image.sh                |   2 +-
 .../secure-boot-secrets/files/KEK.auth        | Bin 0 -> 2066 bytes
 .../secure-boot-secrets/files/KEK.crt         |  19 +++++++++
 .../secure-boot-secrets/files/KEK.esl         | Bin 0 -> 839 bytes
 .../secure-boot-secrets/files/KEK.key         |  28 +++++++++++++
 .../secure-boot-secrets/files/PK.auth         | Bin 0 -> 2064 bytes
 .../secure-boot-secrets/files/PK.crt          |  19 +++++++++
 .../secure-boot-secrets/files/PK.esl          | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/PK.key          |  28 +++++++++++++
 .../files/PkKek-1-snakeoil.key                |  27 -------------
 .../files/PkKek-1-snakeoil.pem                |  21 ----------
 .../secure-boot-secrets/files/db.auth         | Bin 0 -> 2067 bytes
 .../secure-boot-secrets/files/db.crt          |  19 +++++++++
 .../secure-boot-secrets/files/db.esl          | Bin 0 -> 837 bytes
 .../secure-boot-secrets/files/db.key          |  28 +++++++++++++
 .../secure-boot-secrets.inc                   |  37 ++++++++++++++----
 .../secure-boot-snakeoil_0.1.bb               |   5 ++-
 17 files changed, 174 insertions(+), 59 deletions(-)
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/KEK.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/PK.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
 delete mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.auth
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.crt
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.esl
 create mode 100644 recipes-devtools/secure-boot-secrets/files/db.key

Comments

Jan Kiszka Nov. 21, 2022, 10:40 a.m. UTC | #1
On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
> 
> The secure boot setup with OP-TEE, u-boot and EFI works with a platform key (pk), key exchange key (kek) and signature database (db). isar-cip-core should only provide one secure boot solution and so the key structure and setup needed to be adjusted.
> 

I don't understand the purpose yet, specifically as the touched keys and
the signing structure were already used for UEFI secure boot, on x86 and
ARM[64]. It rather looks to me like you are committing a lot of stuff
that can be easily generated, given the secure boot key pair.

Jan
Schultschik, Sven Nov. 21, 2022, 3:10 p.m. UTC | #2
> On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
> > From: Sven Schultschik <sven.schultschik@siemens.com>
> >
> > The secure boot setup with OP-TEE, u-boot and EFI works with a platform 
> > key
> (pk), key exchange key (kek) and signature database (db). isar-cip-core 
> should
> only provide one secure boot solution and so the key structure and setup 
> needed
> to be adjusted.
> >
>
> I don't understand the purpose yet, specifically as the touched keys and the
> signing structure was already use for UEFI secure boot, on x86 and ARM[64]. 
> It
> rather looks to me like you are committing a lot of stuff that can be easily
> generated, given the secure boot key pair.
>

It depends on the purpose you want to create.

My idea was to provide the complete PK,KEK,db structure as snakeoil keys,
with the possibility to add them to the build.

Your idea is to use the existing key and pem as "PK" and generate KEK and db
while the build is running.

- But then my question would be, why then not generating all snakeoil keys and 
certs on the fly?
- Or do you want only the PkKek-1-snakeoil key/cert to be provisioned in qemu 
as "db"
- or should the PkKek-1-snakeoil key/cert be used as "PK" and KEK and db 
should be generated on the fly and signed
by the PkKek-1-snakeoil key/cert?

It depends on the goal you want to achieve.

For production you only need the "db" to sign the efi file, but for qemu you 
would need PK and KEK as well to be
provisioned to the efi environment.

As longer I think about, the more possible solutions I get in mind.

Regards

Sven
Jan Kiszka Nov. 21, 2022, 5:25 p.m. UTC | #3
On 21.11.22 16:10, Schultschik, Sven (DI PA DCP R&D 2) wrote:
> 
>> On 20.11.22 21:47, sven.schultschik@siemens.com wrote:
>>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>>
>>> The secure boot setup with OP-TEE, u-boot and EFI works with a platform 
>>> key
>> (pk), key exchange key (kek) and signature database (db). isar-cip-core 
>> should
>> only provide one secure boot solution and so the key structure and setup 
>> needed
>> to be adjusted.
>>>
>>
>> I don't understand the purpose yet, specifically as the touched keys and the
>> signing structure was already use for UEFI secure boot, on x86 and ARM[64]. 
>> It
>> rather looks to me like you are committing a lot of stuff that can be easily
>> generated, given the secure boot key pair.
>>
> 
> It depends on the purpose you want to create.
> 
> My idea was to provide the complete PK,KEK,db structure as sankeoil and 
> possibility to be added to the build.
> 
> Your idea is to use the existing key end pem as "PK" and generate KEK and db 
> while the build is running.
> 
> - But then my question would be, why then not generating all snakeoil keys and 
> certs on the fly?

Because we use existing provisioning for x86 OVMF.

> - Or do you want only the PkKek-1-snakeoil key/cert to be provisioned in qemu 
> as "db"
> - or should the PkKek-1-snakeoil key/cert be used as "PK" and KEK and db 
> should be generated on the fly and signed
> by the PkKek-1-snakeoil key/cert?
> 
> It depends on the goal you want to achieve.
> 
> For production you only need the "db" to sign the efi file, but for qemu you 
> would need PK and KEK as well to be
> provisioned to the efi environment.

sbsign takes the private key and the cert to sign a binary. That cert
then has to be added into the cert DB on the target in order to validate
the signature later on. We do that during the build so far for U-Boot
and expect the x86 firmware to have been provisioned accordingly.

However, in order to model a complete UEFI device lifecycle, there
should also be the Platform Key and the Key Exchange Key involved. We
don't do anything about those yet for U-Boot, just set them to be
identical to the signing key. We can change that eventually, but I don't
see that related to adding RPMB as secure storage.

Jan

Patch

diff --git a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
index 0c9b898..42e5b90 100644
--- a/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
+++ b/recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
@@ -30,4 +30,4 @@  fi
 
 keydir=/usr/share/secure-boot-secrets
 
-sbsign --key ${keydir}/secure-boot.key --cert ${keydir}/secure-boot.pem --output $signed $signee
+sbsign --key ${keydir}/db.key --cert ${keydir}/db.crt --output $signed $signee
\ No newline at end of file
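Review bot: The replacement `sbsign` line is now the last line of the file and ends without a newline, and it expands `$signed`, `$signee` and `${keydir}` unquoted, so an image path containing whitespace or glob characters is split before it reaches sbsign. I would write it as `sbsign --key "${keydir}/db.key" --cert "${keydir}/db.crt" --output "$signed" "$signee"` and restore the trailing newline. A one-line comment above it, such as `# sign with the db key; its certificate must be enrolled in the target's signature database`, would record why db is the signing key. The rest of the script lies outside this hunk, so how `$signed` and `$signee` are set is not visible here.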
diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.auth b/recipes-devtools/secure-boot-secrets/files/KEK.auth
new file mode 100644
index 0000000000000000000000000000000000000000..3127ddfd55edd8e07baf97df7fe3ea862b1c3d91
GIT binary patch
literal 2066
zcma)+cT|&E7Qpi*A&Al;ARtA^LLihcWh4j+0V4r2fFQ6il%eZV6akT791Mo0bX1D8
zHGm^!fQ%H$3=S5AQ8qLsfS?#$DG4A-lQQwl>^aOH*V*^aefPY3@4M%g-y3mp1z98#
z@}JWV7u}$X(k1;r*iW1g+NFO_pqsh}SAz_A8597pGN2Sf;@e~j5DbGu0Wk=;2O(jQ
zOi5mm0>puG222HHz>pvV*er)Z0Vq^42;*jER;h5)Da}i_d!;?l>V2f=rx1Vm0DD9s
zRIz(OB?Qb34wIB|wIhE`c69YSPIf)+=j;G#C`;jRpefc2OTb}qSTB)^-=TidmjP(+
z{7RH9i~-0%MA_|zG5`Q_3z_^2^Bx1kwAUWPz0`a%5x3Xfi5EmgKP{v@%klR;QyY+%
zHF$oezrAGn?Hh4P{kn^_mLE0QW8P|ye4gvS@pVWcTqG4<3JVG4AXS=2#yFw-5F{%d
zcXw}cN8$Rn7t{_rd4n{3&qBvct?iZm_7jI4BqHj#n9@ov-_Xr!f58K##xjJp{Pg4G
zLx?id8s{!%cG=pXmcSVrsT>`<L6jRpoxJXw+a~*b6FQY;cF5c;Ls^?&r;vc@3glEV
zIT;3C>VMC32$jM64XgFoy`D}iZcIEql_tiE8yh}LiY`&%y=nvnWfhsYUru}ZYOPJX
zbXd$Zhxp%Vo>BY`3Iia(O;_+3s4l9$x-?t~u9!P;UeH~-$ZBa^6Gle|5$R3y1W@zS
zvkqL;rNqx0$b2$T0Dx_{7zh)Ion;qwSX6cZ5}<YeSU*v+kNr3*GyGr8zE00*>4t8@
zLFQkL3u51jRhH`K)&Q9q{wIwhwNIe}c5lLW9h??wD?$+)X<<d-9`Tdcg&caYPD|^v
z&GCX|Bj=hX@cQ9hzIJ-ts>Y`E?N`;rJt(YRbW2F2c?o;f@ET!BRk!z_DAUo!L_%a{
zN?Z7L3dPSmWJ%a$Uxr|T&5Zh6G7oIf^O@;Bse&8*ocg}H`PML5Vu!9A^6Sulp9{df
ze#8zYSW-y|rw+}%W-O{Km>=(5TvC&rJ78O07jnK~%mZ_DMY>p7KJi?^chOnuHopA9
z+^cx0B%0rJ4-P#E9i3N>qYrTO?poBlVHtprX!JZqTLj|1G`IhIX?E`2jvW#WHk<)K
zRK-IpB`;^5;Ky)_S}%-14_pC9Ji1AGm#IDm`5*AIPYGzC3lmJKw8qEgd00uLRD-de
zMYAme%Ljt8kveX+PU6dj!KfsCSlmzL&2V-Yehe+Cev#FXL~&4WT|S-8A3bk2B`YCB
zY_5-W=VZq~wyAL`TTeLx=iZye1~=k)N8VL?oAa%cdLKS**j;3+LR%rX<#Z3G?sYjm
zQl^)3G-h4R4nvZgPcWGst^E*;s_L43W%u@*3f+ROkU0yCRh1llwVgu<aWvMXyqpH)
zISG&2THNdPGA6fTwo0=Zzh1kN`Oas<9@@nYvIOpqq2&pRYYi?MF>9ynetcZvd9RY6
zUu~aqrv~YbSvX@0`yFZ+k(3i1ZEZaM$Psyh`?(^Hh*HX;W^DgKDVNCnXv5ry^{+xH
z>lThCo$5&GtN%5_pc+;MRQ{b(vVWqK1NpBp^+o5u;#B8t%d`it?zxflsE}D<bEVjA
zahH{}S`${QO?p$Q=4wMxx%G13tzpe$In}F6x9pg7iwg*A)1lfZbKPuD)?8q5SJ3-)
zuIG@%M9!H_rm;zQ1dEqXk$Z2gK7<<dsNU@M&Nu5LnA3@^Qd71+(WKWK4XEUAGVW9t
zmcwpL5-V(XKUwZNq@NX$#5Wd*rD{F-d6!OXvmp252+wW#B%S>%D|UdeZJ0GD(c?5b
zTm12PxGK62)4mZiKzdP|AD)*Z*t2z4=`Af*%+beCa=OTA|9z*Cgj^xnWbK0&ZNdOp
zJGy+92J;VjR1wQIj)q*zVyf`s!`p{_&GR+d;y=f!D&y5lJ?<@&sp-N9Brx6@2-ima
ziBq37_<uMR*KaiCBt)8Ov8!#ypR>;HNBh)}F0Ujc&JbzC)L*@ZnYm{=y~cmI_@eXY
zyZf^a^twKDKpmv-`v+9blPhL(I5mR~0tc_;>Aq<2NY;aIm#~%u7g*ucfrzvWCHj3c
z-0^q3zP~k;wC+=oy$3_78by^{3T%s-j)ZOz3QZ0gR`@TgwcEPSW|<auwT|+bFR<Uo
zQ=r4DOM;l*BoFxtYktSENt=@<HCL6wPV_$HRptBmPZVr0fQ%e$z#y8Tai3^4#@+G?
zFzQ(timO-jK1Jg0sx)~*FQIDk6%`^#ZnrZ+#mTc8fMcgd{Es@W0X53dqqna~HTH!1
IArSGu0a%Gf%K!iX

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.crt b/recipes-devtools/secure-boot-secrets/files/KEK.crt
new file mode 100644
index 0000000..9e30c92
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/KEK.crt
@@ -0,0 +1,19 @@ 
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.esl b/recipes-devtools/secure-boot-secrets/files/KEK.esl
new file mode 100644
index 0000000000000000000000000000000000000000..3debd0f8c60d83fda677003b81b56f3f734371f4
GIT binary patch
literal 839
zcmZ1&d0^?2Da*aux2_hA(f&~6&ddM?+CW+m2$YnJja^)XOu{N=?J;O#7B^^O{J(&i
ziIIs(Bq(o6vCgF2U#96Ezij;U56O!1O*P<U<J4;NX#38~$jHsgU?6QMX&}zV9LmDX
zBM|KA>g(zk93SEu91`#C>TMt=&TC|3U~Xt>Xkuh&WEchH8Y6M>Yi?pxLbi;Nm4Ug5
zk)HwRJ}#yvMn;B1tL!_EJUkHUsP4n?`rWprtgG0AzIU$CU$VowYtuaW9~)*ZaQc?K
z;)Z<S#N|IeukdWGwW(usGQYZ}&{}Om<dQeZvyZ2I`E?=kD(C%)MSolM^mB5T+??Ve
z_{B-~s>+q{<$q7cOtHLZVqI&ogZHWX-YULd8?}5~qkFe5pSgf}&LfM3?p$ZS9k<o&
z&uxC9_m;Io;mke`<<f0$C;h&4GxS?#?dEI!rI$_q>-4|jJmvrT_3Yo*bEGsbYVZD2
za@q0jnkhMxC%)zWw@d6rRVk}qtPao1S^kQL{clxIdgrSD^J`SqeJ#eHZr{qPm=n{E
zEiB!vSIjW2zg6;PWzOy!an@7hc2+VmGcqtP4mJohkOhXnEFX&)i^wv)A1$ZCwm<6V
zdY3E8cyC8Ci;{|gJV;uZMZ!R=0lNZzkOE;w#{Vp=2FySTIoN@53=DQghVo0gPyOGC
znk#Hx?tJh1k}^e&*wv2R->Vy5SybKdIURMQbyCrxsC(-h?;hH>OR?YVT<}qE6{}jA
zEGFs53#`s|9lf;%j8;99)$VQxZ&PRaKX=LJw{=T$d@kp9_KMXWwloU)bn~L>hPgXr
zgar;Tt4Qe<&TUEFS@<%K>7U6=eJh=XiQlAmyNA8*H=lic$L*V~cMVrodNAFP`uw)!
zTywb4LZ>JD10OkO>aU(EmYs3#=*?wQViWJr_|wGLJJB%dibj*%VGD;l7yd;h>7M#<
zwS1jOOupj<j-~o%YUldMKM@hmbqrnAo6hd~T8`20kX+>!<=~{%;!JL<rtxk(l^)N=
GRtW$zSy9pe

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/KEK.key b/recipes-devtools/secure-boot-secrets/files/KEK.key
new file mode 100644
index 0000000..d5e015c
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/KEK.key
@@ -0,0 +1,28 @@ 
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PK.auth b/recipes-devtools/secure-boot-secrets/files/PK.auth
new file mode 100644
index 0000000000000000000000000000000000000000..75bd8f298420452a1d8b33ae6aca6e9cf8dc7e9b
GIT binary patch
literal 2064
zcmaFH&Mqt<D#`!@yIFuNrjLAcFRk~wpYhJKYo$r8d06UlgC>^wOpJ_%{06*ioC$3n
zjH%2lOpL4y2Hb3%T5TR}-+39?85cA$OBysWiyAaB{$0S##K^=XlA;}IX}MH*v43Zj
z+R5*`lO4X~MS_fg>S5#t8X;vUVIaoF9LmDX!yoMF>g(zk93SEu91<VkZ6GJkYh+|#
zZfI#}Vq|D!7zN}SBXRNSZDLeHwhHK4<|amd2B7P>n3@<F8CHn49c(?&q}}SJbjRp{
z{F(dZ5@G%~Q+zbe&h)r8F)^-aP15B4D>bh!?VkJX#WQvu&9#kd?0?H|z7r#TEcUwQ
zvpDZ|lSapxE!k=5dqgF--MX_UU53rkK{+fe#&!S9UkP>6cK$I2RmP`2?0>b!z30;I
z3_EYm+_e|9=PkYPL?_fiamEp`jq}-@gkGL#vt^razB=G|>xB6~uPD3?V9FCOF8yO6
zcvU5HdfcR)0@wdCJ?*!&wYKaPS9-EmxLW&o@}6a_dwR8^WFsbfr}G=f-;h4#`S@kS
z?2QctPdiy}mfyKi=2$#e^5(;h25;vt>@zx85EZBJ^JUO}n^)V?61Q%9B~s7C%*epF
zIM^W2Ko%JKvV1IJEFzOG*StMB@8go~8-KnlE>5wi-SpnXKprHm%mR$12J8y>K?;N!
z8UM4e8ZZMX<X{KJFfiB|8IlwZ2VSz^xw!d6VPDSqZE^nBs=9PSZ=_h8-g{g6f_3RU
z%}J{n`+5^Ib@P<+Rg$>=vT#_ve5WMB#P+8%dsa?(<)i8E_SB{-Z{Kn4@4Xq{bOTmz
zGMH}15$CCXVcEt_zy3d5Zo#c$s9wB1Ezf%H<{vuKOg>Agom-@0e*0sCNnT(3&Yb`4
z9`P}0pWkirn$NbxU|Z9=75qn>HQx7i#df@%b7{}Ii)-KS$QH2JuO=w!oBq5a$>{O1
z&8a5#K91G-wr?IceU$uQ9dhpDXK8^qX6_5trqyh?6Rz#{oo}|dP(#Ix`r>|B=eQ?V
zCQUWwZLW%cdCExR5!3DW;^noM_o(l(Sr=;9#25=qdXd0fWMG6Z-QvzP$oUQ_4*?T4
zOA{jlfB(f}Z?dbJs$vc#PyAdRS+MT8&TnUyy2(e|JrfG~#FIN*V&dv;r^Ndt*1Ab;
zUR_kX=((cNMK<Y^Uwrrf)tBWuWMMziaSzuIdxwv&`)?GlK4T>|&%W;8Wr@j8-%S*^
zI<@0x_L=T8fw?o?D!v|QPw`ll9=hO(%n~bC;awS%>gNhdPWyd7BGz(M{o?d~*NujL
zd-vW-Vd#^oIMo?z`F4>~Y<{+w!6V};>HB@n>u;@}$Yt@Z(o&Wsz-jk`T!*VwPyej!
z|Freo%J$9;r;jOJ;t&rER@E?I;8?xrskEDs%2DYBpP23ys~>tlk2A&O`|DKR3DSSR
zEB+S`WIJspwximoePQH*rB9|T_iEp|S~N!cLy;>pq)^iY(t<#sq-1RD;v!@cRxxYO
PXel*XN{yCMSV}1Xh66(<

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/PK.crt b/recipes-devtools/secure-boot-secrets/files/PK.crt
new file mode 100644
index 0000000..b775cd9
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PK.crt
@@ -0,0 +1,19 @@ 
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIUZCtVOTmlE6NPiVomyfe7Y0D0blkwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPU0lFTUVOU19URVNUX1BLMB4XDTIyMDcxOTE0MjEyMVoX
+DTIzMDcxOTE0MjEyMVowGjEYMBYGA1UEAwwPU0lFTUVOU19URVNUX1BLMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqBWGwYXAgiuFSiLcMuAfzN93GFZP
+2WRMKM2ZSNaRYV5yrGKTj9R86tK7nfbo5gcMKa2BrD/7H7PcXBvGXdcp5l5LhzSB
+QZmEa2ZnvBUZttrcvGccBkFAI1ZWXEW/mfpgfhs+T1wwejPK8L/qrEeM0rtoPksJ
+ba3QK56l0OQsVUAhmMQWsZ8GQhLpyIY9Bp83q1DHhZCf+dQg7VACbhdzdfw4EdUk
+aZdekrkQ1/0C5Y85PTs5jRci5K0TeyvHY7ymhbyNKlodWJNLZw8zX9gbyknj6YCb
+sYBw5YkF2Xfc2HZBc50Z2eGxMO2foY4ywXBaXiD56VK/POq2ZmG1tuoUfwIDAQAB
+o1MwUTAdBgNVHQ4EFgQUktN87cme8aS3sfnuc3NkOH2y7zQwHwYDVR0jBBgwFoAU
+ktN87cme8aS3sfnuc3NkOH2y7zQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAYiDDUdI4DNGzyHGObM+2Xk/WeoosVdhkOzXe7XXoBaWeKZKrAY6N
+YWktbiJvJGIK/QQIOunuIhQCBvyJa5psV3nil+68fWUjt7jW/d6Y9i1Qq7Iwlz4I
+Xkkn0Kaxsvr/4ac4CyQxJ3O3Zm47nbP4LJY08xomzqIkN9vxgDRujoe5bP+HSF9c
+ZvPuskqfBqQwtoKuqA/EQyjvjopdiO2c0ryu0a3vuGsQOL8mERVNZ+d4YjLjxrNl
+ND9MQXtvPezjgvEZ8DtUzvHzGxDsNkegrWZ8sNxXK0b3DpsXEoB4mH9zjx1DXuTU
+kpUzDYN6X+nKMijiAtvvF3d907wnujyuVQ==
+-----END CERTIFICATE-----
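Review bot: Decoding this certificate body gives the subject `SIEMENS_TEST_PK` and a validity window that appears to run only from 2022-07-19 to 2023-07-19, whereas the removed PkKek-1-snakeoil.pem looks to have been issued for 2020 to 2120. db.crt further down seems to carry the same one-year window; the KEK.crt body is not readable on this page. If any tool in the signing or verification path checks notAfter, builds or boots would start failing once that date passes, so either regenerate the test certificates with a long lifetime or document that expiry is not enforced in this setup.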
diff --git a/recipes-devtools/secure-boot-secrets/files/PK.esl b/recipes-devtools/secure-boot-secrets/files/PK.esl
new file mode 100644
index 0000000000000000000000000000000000000000..acd616b5ce5fa5fedfcd0a77334821fc834f1a88
GIT binary patch
literal 837
zcmZ1&d0^?2Da*aux2_hA(f&~6%FF-;nm}3*2$YnJja^)XOu{N=?J;O#7By&M{JVge
ziIIs(Bt<*a(sHTrV*k!4wUgg>Cp&z}i!|V6<J4;NX#38~$jHsgU?62EVIaoF9LmDX
z!yoMF>g(zk93SEu91<VkZ6GJkYh+|#ZfI#}Vq|D!7zN}SBXRNSZDLeHwu+IJfw_s1
zp8@DPE~X|%MurulZ3kNqG-<bbDcv!8Ab;k5xkQ-%%@iMvvok%eO-zg{T9Y)n|4PlP
zOS|WOd-05&M{{lC8vEb!oA1O(AB(-N`7F-6-K5cRW=nQj`W{iqZMW|1Nta=BbWjcp
zi*emQ^H)Nhw4Hy9L6z~T5Bp!OaqqdbJHyVKGk5I;?RiTtJkbetP@Hi@Y~y@3C!v=o
z+HBe8o39Qy-a29a&npUV1DNu}i%b7l2wqjmoE|r6r@-~UOi%kQZLKYP#g(3{6|UAk
zp1fyS>z-b%DA|a~-s$|t@i(MTc|LyGFneP|!P8FGo8@<IlsOj9mAv_Iqruzx3;T=?
z7DUA<{CpX--{#e}w8X93UWwE*F*7nSE)F&bG>`>`zAPV$7>mfH%QbIL&ilAz`^KN|
zii=Y$YB#+%F^~sIE3*J&sR6qJevkrTM#ldvtOm?L3OU$;F$@fLMusGX!-1D9crI=}
zQP`Jrep{UXwW=<i&>Jb%ruW{KzF=KCPjk|0#=hRfOx--Ce3c}wzbqV9FW)JNFtPpV
z%$}7KUioPHyFIn3%G-Bb`+IN3H{F2Mn+&Ggam0D5Us$$r)35&zms@bF7^)X<Ps_8O
zyZMLCG?UL#YUdWInBV@`V3OC@zBA{4yGMLX+UIwhyymklG1%6$ZUz4lXN~uLU9lZ+
z=Um#e?&8|_JF*2V_Nxhs`ldgxNHThSY;&rKy^mvczU`aGO&=vcScjbZ_*q)ujhXv`
zwP`gQ?u2W*edn7kF4RylqrSLb);aFUl}S^Ld7G=^U!F43c*J!3y?A-;<vr@VY}SPW
E037I59smFU

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/PK.key b/recipes-devtools/secure-boot-secrets/files/PK.key
new file mode 100644
index 0000000..8241b95
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/PK.key
@@ -0,0 +1,28 @@ 
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
deleted file mode 100644
index 193de62..0000000
--- a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
+++ /dev/null
@@ -1,27 +0,0 @@ 
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAyIuuXei5qIw+UvavLxPyyNhx0G6Ijuf9SqxVXOpKcQ+l3ZCc
-KQaCLWCH0pbPQj587zVjgMUd4SHgXdVP6awDz8b0NcLgyzF31pHBmmB3z55nv2Jb
-gI56bix9TEHLpoDs4+cWAb2WZPkW8rV/6YR+xVuE8fi9aAWJ7H4dwUhPzU7RBB1d
-Z1wF6Wv3b8nn1jJa5W8I3zOd+tpWczOsqyRnDnFhMiOulGAiFTtmIXv2VReQf7Tx
-rXdqAAs9dcS3qizzNVgY5XpABtmYu1AjyLwwqXZ+blZ2tmUUJicgw3YdCWtlTAtf
-XZDHf+ZzgCNtTvhb2DzpAVmF/H+A8w8lUJZiBQIDAQABAoIBABET/BRZNj5JOyF7
-im2a6Ej8TazvTMfGr8ZFKLvR4+b+6yQUJYhE2p8colRnrVy5z4/bXw7fOm0qol27
-RaPjlyuBiNhvMQ98tfTa0r7fyjQvDCy7JomrGHf7Z+wvijUys3mw+ynIyF7u62pd
-1HfBZb5OzeKBSTfriNRP5R7JlqooDl+O9JVlnvlJIaFe1rX2sQxZ7F8gVINKIJDv
-n7ZZ0o351uIMjKLqwmliULPTjZ2ZeeJqnkB0pFcWZzEf2wAnrrglYRdnn10oNzhB
-6cXMHJeuEOedXECLZtmynRw1dWZK9+Xku1jEAqTWAoI0OIjrfYYzntwe/kab8w/R
-T7ojFGECgYEA9rGhtmSQiim2h+3iGyXNTEQiEOFFL7E8/1ibfWi3vzDhoLARrnH1
-p45DPgnL664xLHXIUl6/wto79Ij/2qA9mp054nVJ4X4AQgq3xCT/57nL0QHfQLaa
-VdzNIoz4jJT3cO0gYcBAK4Bg+dGGQ6ZUrRRt6VkHG/W6fW0D1e7PnEkCgYEA0Bxj
-Jr4ShNXb7J4YDQ24uSwmc2E1IgX5FjHu/JMKCiyIDWQkrxtVdIL9v6+kmYecyxFJ
-S3Qyr3ZqOHqwN1svYuB/CHyKg6dHrzJyZFTj8cr8h0ZKLDu2xZNFxfBIjn5vitSX
-W9q3477oFG/30Ew12Yee4NhDQkaEuB/Ic9+yv90CgYB2y00rLrwnvDSIunXiSs7U
-xg59gG03rSrJb5rYxj+NkvVj0sWA8qGwASLCUidfo69MUJ+ZgsTnCP5MIFjMp9Ni
-jAne0ko0it+G7fBWRNbyeJb8W+FtIUGqzTv/QlFCKU4KlDW+vLxp9lU8l7gHBabK
-/gZ7kwKIZUlbss5hC7Hv+QKBgQCsQBLBKmlhkTEqs9/sTgMrISPiM/8qXg9BE6tf
-WsTgjuM9UjoaxWEBwroMQnDWsqxQV8p2rYKWQEjC3qmj59Fc4bvDZnGvbnGizPpp
-mOniY8SIouEZo4MwHSmPH8auSnBAVJ3C5VF3K7gj0lknCy03E02phNaGsJ+BVq0v
-W2Qz8QKBgEB5RKiwJhgGQA2o+NJKKUUCDM9iBsO1Yy3QwtDWioKKcdAkxdTg3xR+
-XtJdXq6MkCMWM5em3v6GHPceexn81FZTxGBbIMBYNp0Sp4qs/3lK64ln8m5Qttxe
-70HVtrp9HhG5oFJ3fUuLPcYpE2GMgPM9fIbAWh9GZ4GpTLuPRtWg
------END RSA PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem b/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
deleted file mode 100644
index dd02a82..0000000
--- a/recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
+++ /dev/null
@@ -1,21 +0,0 @@ 
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL
-BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG
-b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY
-DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
-ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ
-boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1
-wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx
-+L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy
-I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u
-Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB
-AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW
-gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE
-sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac
-HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS
-JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M
-3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h
-pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY
------END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/db.auth b/recipes-devtools/secure-boot-secrets/files/db.auth
new file mode 100644
index 0000000000000000000000000000000000000000..a385ee08c9cc40761f9f0f52e0b4ff9d48b87770
GIT binary patch
literal 2067
zcmaFH&Mqt<D#ic<`&fW1rjLAcFRk~wpYhJKYo$r8d06UlgC>?mOpJ_%{06*ioC$3n
zjH%2lOpL4y2Hb3%T5TR}-+39?85cA$OB*yXiyJgC{$Ie%#K^=X5|lTkSZ7l1FVl37
zUp9XFhh#<hrh<%s>S5#t8X;{cX&}zV9LmDXBM|KA>g(zk93SEu91`#C>TMt=&TC|3
zU~Xt>Xkuh&WEchH8Y6M>Yi?pxLbeR(Ugjo7eg>fXxR{z485s_(vhO_d@Ia`ex(~za
zciWb-u3``R-nmA9$qwhPP4nb`Y?!sc>09!O8}fk@m;d;@!n3v3rjE_Y{OX!QYqbfH
zOWq{UKA!UB*M-QdocAXd{cY9L&&geKbBc%H7bn@PDp$gn|2-Kq#qy$wb*;q?-ly(+
ztN4Cx)beqS?%le4<^tw9k1Q6tbDjBi+*Y$cxA}?QTh<PRGy6D{OSiq9^!wJ$&~KTw
zo3HhkUN-r!)BlF^l>h73vwvUDk<z%Rz57qeWyiZ~rsPbX_?G+MF0mI?rL2CjIy^6D
z`70jwzg0cyovZ%OuTfR^wHSZ8eJiVCPE0$tuynItF~hX}R>_-{IlFJfSx=GMS;@rA
z$iTQb*dWkA78w4rd@N!tBFprCw44gt{-~qtU9KqOy&cIcN-75OAZcY52?MbP><ain
z3WOOM|Ff_fFas&%U<bxAFxVLx$}j0Y^?xU7uCRHz^S$d!$`mzXS37opuWoo{QFX)T
zbkvR3NkxaE?yYaUduZP-#eTDM!AHGStZHSln4}{wusYjy^wt_MTJ=m;ySpL0O`YZc
z+$Epi)-B2Lxt!bCD^`2h(kSH9&5NoV=I)RY7C6AHBBfh6w<URJ;mbUxe<m~at#lS9
zev{tq9`?H5eD?7jw{N!IHC$Qg!E{6F^V^bh&EY}|ou2FueB_*|zj~@zcE-7*H<wL`
zO}szjPZMMBM8l*j8clMCEgbG#_!pI=d+Nj0@^vCH`HmMjmg=9Wo$Dk2L_|2(F?3aL
zI=ky@IYz%ja+O<@gOgT^Gr6sr#=G%UdORCjrC}3e95Crc0rQc8G2VoWJKrE@J)~>|
zOxY|=j12s?c735Ig`OsH-^~1DIs5L74v`$U2X-DyTc$2ERn4BgZ0>&33cpjH=evH%
z*)-TMy?=J|zsPeuDH3lFSR1tLUlClOzWMdcw_oS%`ZNFag*&UV<aR$Z(Q#tgGp+iV
zz3-o@Pj7+^HFzaM0xJ{`cI*uhoEOIMXyG-ExpQ{sz1)7?foW%rrF+nyI%b`wyJ!5?
z2jqQrE&q__XghDmY3=J<FUhZSU*;Udyxf&@mFViz37=aJMC25DMyIZhedW}gYi0go
zh1Y#!5oWXEjT{a8x62-0Cc1sknu|@}rrGKF3h#T=7Niuf8n-KAvey5+6&Iv4YC|n~
z?H#r33)Y!zKKU%Z_`Bq%g^>rAKAE!It9|Qg(HQLyMXt<{a!nIR3j%?XlCiOii;ziJ
z#jHKRf=Uz^8-Jk%m2R`C_mYQ()0xba<mdjpp1}Y7;Tp6=Y#?O_%m9#riXWw*N=ZU1
zr;Jd`DWfR7dI=R%%U$+gR(^N1O;Vv}^??VIZ_a!7t0w=I<yW70amxwbt8%%g2z}XR
zu*0Ne|Eur`O_yeioj>y@%5lGQlZ=Vel4HHvs}y{S>^+aHRk;1lN83w5<HmdSzWrA3
z<Ifu$o%{6a*^J`Ht|2<c_chb)x!liX?3vTonf^CvW9#ehEN3k9FEwnnwJG-~(@GZ-
zxOG}O*j9h{AJd;(uj>{ppJJ-xbnrq=+0>f~afhSR;~TVBy6SQ~*>Zo~EPK_L+uZE?
zHwi!7bedO6P&!NRS$t`~v1vv4id_w+HA;HoCnsInDciE^aXZ8N8IykJUX9ePzkBFH
zbl-`1w+iRNi^3<*9_(Qi3uX4wIEby7$_hOun7lWpF0yaq%p3Ls{!PZmub~uESQQXc
zOwF_xD0nGoIBC(Xj{9p1m$h{+<CxZ-dc^gO%(ITiKesFSxgO_sEm(Sa&gq5uoT_SR
zjg>BYvqA;<xPzN=*GV}^r)LT7($&gjRzAfLnqWM2*Da+>@sk&QUFJ~1z+QRPnDyhl
z=I6@Y^S(ds@Z2>a(O`R|%Y&PpntQjHl$P%?PUh~uJu_)zbKlPIzQMX(k=sNr>dh^B
zkiFfYFT`8&*DE1!s|AnxzD!MWTv?Ugec;Vm=_9>~6Q}oYYPLEwcc$ewVW%obJ03T#
zt9suaB~4lsuNxp3eCuqPuKIcXEEZ)Qs|#Nvi%xu1U%JNYW|FOU)|DHMuf(=I+kINa
Paf;{kpd$s2M~?siFKstz

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/db.crt b/recipes-devtools/secure-boot-secrets/files/db.crt
new file mode 100644
index 0000000..d8016c0
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/db.crt
@@ -0,0 +1,19 @@ 
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIULYM1S6ThMZcCNiIfnfnXYA/n4awwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPU0lFTUVOU19URVNUX2RiMB4XDTIyMDcxOTE0MjEyMloX
+DTIzMDcxOTE0MjEyMlowGjEYMBYGA1UEAwwPU0lFTUVOU19URVNUX2RiMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0S/0yPuxYYZIIyrwOCT2Z7u+nxv
+6jn1TF8XOZBLqm0LlBL0tjC4NHS/6leQgtKbFs/M/FpBv0OCHDRCpMaNK6ogTHI/
+ScStINv2TCtKICjY7yeOvzrvX88wxZ3l1c1oc+NFVCwz3ylnPwpHzmi8nI6JZ/1i
+sYXr9wTMOW/SgLU9PHdIdipnEhDayxtTPS+7/DX5tdctcKeUNSxCwdB8dpXZIF7D
+W2dfgCupRS0I5LTfrpo/Jem2Rj+PshPhsssNGhEbai7mX3WPMzV4V6i6gDV8Ii4X
+yZLSuR2EuuOHAO+Ykvtt1Vktf93C0FuOyF9GeENx0RPJzcGMBRZVA0oowQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUalXGEWO9XH5ZjrGZ2D8QT4Izx9YwHwYDVR0jBBgwFoAU
+alXGEWO9XH5ZjrGZ2D8QT4Izx9YwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAmT8QcOkRMZKi2ojfrXGmhommCJaHZcRF7BzmiOP5tyJORccLRXCl
+05zLoW8JJSZmgXlEvWpVEA4LU4JtrhpCG2dqEbotKmkDI8oAVWAzlbraItJfk6L1
+pkB4AAd51TMF8Z6D5yOLnvfjiEm6kGEwt1lE4NmJKb20NHV3vDNjC4vbmWKxg465
+901TLYpZthTRLp1y4Gu3MI5USxn66hJLOqDijvSVYkGpemeLwOzNG8SNYZGXj7KD
+OsKdmTm2E0J6QT4MRgrVLvbiYpKiXy1QEVPazXYtJ88vagQjLDrQ9VlyyPUnpaxK
+2WI9S2rU2EHqFrTmu8skQZRJl1LEcEHFxA==
+-----END CERTIFICATE-----
diff --git a/recipes-devtools/secure-boot-secrets/files/db.esl b/recipes-devtools/secure-boot-secrets/files/db.esl
new file mode 100644
index 0000000000000000000000000000000000000000..644357bedea2acb605e9f3abbd97423133844c0c
GIT binary patch
literal 837
zcmZ1&d0^?2Da*aux2_hA(f&~6%FF-;nm}3*2$YnJja^)XOu{N=?J;O#7By&M{JVge
ziIIs(M7P=0d&xt?=}cxy@^gP)PvC$4aE$>k8>d#AN85K^Mn-N{1_LQW2?H@U=1>-9
z9{ylYS6^4Z;P?>N;E?!~Bm+5dULzv|b3;o*6C*<-qbMNP7>SElZxf>uvQ><%49rc8
z{0u<XaWOS9GBPZ8*?(F2-O)Blg`U+19!$PD@7=GO{8yG=ed5I}CwQ;Q<(?w+Wt+hc
zlal?f!Y4Fcnk{zz%%3R7{mxA?CQeI^^=hwD@F}wQJhE2d_BS7GF9nSo@74SETfL7z
zZ*X+()2nAQiXXd%=osJEOt<H9KbNs*PG4vG-=vMLufMaLvCO~Ju+`S4+@nk@T}a^8
zY3X2F{oQ{|e{Q|5Td;hJsgBdZ3pHg^Zz{wcj!utn&|c}P%kgB({dKeKRbOs%v+v&|
z{BYB0UMWH8EWKy(rTxaH72zv(HJH{Y>4~45bZMt-%dW@m4DV-5`ki|<Qn&u@p$pM{
zC*s{IoC_}spFDf8hgB?;*-PUf6Eh<N<Kke0Km%D|=*#l4h_Q%dg&q@3-WyXF*|%}#
z4SNCqCgbDR4CF!5$}GTGYQV05AEZE-k?}tZs{u2RLJoFd3<HCmkzuC2K*38v!%2&7
zb=+TDxU8*n8OOBt)FZBMWS(_A{<&Sr&-FOBYr)dXb51YJ=TucoYpitHn-wa+#~s|1
zyH3hUIz3Bpm#$VOv+^m1&;;YDyKX66il4mb>oSK52KLIU#;hObH9uGGp7;H6hv%*d
zi3ZyvT^`)*)ZDwpq_ljGaWZ%J?U_j%oBMWt_YKzVirgl0QEzV1gY4}FeIeeGzg`J>
zTP=9h_ho95<I1Y^?gMYmN+0P>oH)IIQ?u2fxic-d2|HCe+VQw?UDf;cC~4B7c-;WO
z;9F<Qbk)!6XR#>jSY7xUS#;v7`qDLCH<N6=v##85d?mK!+3wRSj#E6R2OTMJJbDBG
Di@!@P

literal 0
HcmV?d00001

diff --git a/recipes-devtools/secure-boot-secrets/files/db.key b/recipes-devtools/secure-boot-secrets/files/db.key
new file mode 100644
index 0000000..46e130e
--- /dev/null
+++ b/recipes-devtools/secure-boot-secrets/files/db.key
@@ -0,0 +1,28 @@ 
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
index f53435a..2a30f1e 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
@@ -13,20 +13,41 @@  inherit dpkg-raw
 
 PROVIDES += "secure-boot-secrets"
 
-SB_KEY ??= ""
-SB_CERT ??= ""
+SB_PK ??= ""
+SB_KEK ??= ""
+SB_DB ??= ""
 
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".auth" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".crt" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".esl" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_PK')+".key" if d.getVar('SB_PK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".auth" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".crt" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".esl" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEK')+".key" if d.getVar('SB_KEK') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".auth" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".crt" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".esl" if d.getVar('SB_DB') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_DB')+".key" if d.getVar('SB_DB') else '' }"
 
 do_install() {
-    if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then
-        bbfatal "You must set SB_KEY and SB_CERT and provide the required files as artifacts to this recipe"
+    if [ -z ${SB_PK} ] || [ -z ${SB_KEK} || [ -z ${SB_DB}]; then
+        bbfatal "You must set SB_PK, SB_KEK and SB_DB and provide the required files as artifacts to this recipe"
     fi
     TARGET=${D}/usr/share/secure-boot-secrets
     install -d -m 0700 ${TARGET}
-    install -m 0700 ${WORKDIR}/${SB_KEY} ${TARGET}/secure-boot.key
-    install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem
+    install -m 0700 ${WORKDIR}/${SB_PK}.auth ${TARGET}/PK.auth
+    install -m 0700 ${WORKDIR}/${SB_PK}.crt ${TARGET}/PK.crt
+    install -m 0700 ${WORKDIR}/${SB_PK}.esl ${TARGET}/PK.esl
+    install -m 0700 ${WORKDIR}/${SB_PK}.key ${TARGET}/PK.key
+    install -m 0700 ${WORKDIR}/${SB_KEK}.auth ${TARGET}/KEK.auth
+    install -m 0700 ${WORKDIR}/${SB_KEK}.crt ${TARGET}/KEK.crt
+    install -m 0700 ${WORKDIR}/${SB_KEK}.esl ${TARGET}/KEK.esl
+    install -m 0700 ${WORKDIR}/${SB_KEK}.key ${TARGET}/KEK.key
+    install -m 0700 ${WORKDIR}/${SB_DB}.auth ${TARGET}/db.auth
+    install -m 0700 ${WORKDIR}/${SB_DB}.crt ${TARGET}/db.crt
+    install -m 0700 ${WORKDIR}/${SB_DB}.esl ${TARGET}/db.esl
+    install -m 0700 ${WORKDIR}/${SB_DB}.key ${TARGET}/db.key
 }
 
 do_prepare_build_append() {
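Review bot: The guard at the top of do_install is not a well-formed test: the second `[` has no closing ` ]` and the third has no space before `]`, so as written both commands report a missing `]` and an empty SB_KEK or SB_DB can never reach bbfatal. It should read `if [ -z "${SB_PK}" ] || [ -z "${SB_KEK}" ] || [ -z "${SB_DB}" ]; then`, with the expansions quoted so that an empty value is tested as an empty string. Separately, the install lines copy PK.key and KEK.key into /usr/share/secure-boot-secrets although the signer script in this patch reads only db.key and db.crt. Unless something outside this patch needs them, leaving the PK and KEK private keys out of the package keeps their exposure smaller.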
diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
index 24a5352..b78f22f 100644
--- a/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
+++ b/recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
@@ -11,7 +11,8 @@ 
 
 require secure-boot-secrets.inc
 
-SB_KEY = "PkKek-1-snakeoil.key"
-SB_CERT = "PkKek-1-snakeoil.pem"
+SB_PK ??= "PK"
+SB_KEK ??= "KEK"
+SB_DB ??= "db"
 
 DEBIAN_CONFLICTS = "secure-boot-key"
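Review bot: SB_PK, SB_KEK and SB_DB now hold basenames to which secure-boot-secrets.inc appends `.auth`, `.crt`, `.esl` and `.key`, and the values `PK`, `KEK` and `db` no longer carry the `snakeoil` marker that the old file names had. Please add a comment above the assignments, for example `# Basenames of the publicly known test keys in files/; the private keys are in this repository, so never use them for production images.` The switch from `=` to `??=` also makes these values overridable from outside the recipe; if that is intended, say so in the same comment.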