grub-lakitu: REDHAT: MASTER-SB: Add secureboot support on efi chainloader

Expand the chainloader to be able to verify the image by means of the
shim lock protocol. The PE/COFF image is loaded and relocated by the
chainloader instead of calling the LoadImage and StartImage UEFI boot
services, as they require a positive verification result from keys
enrolled in KEK or DB. The shim will use MOK in addition to firmware
enrolled keys to verify the image.

The chainloader module could be used to load other UEFI bootloaders,
such as xen.efi, and could be signed by any of MOK, KEK or DB.

Based on https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch

Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 5404b3eb5eb6a42e8027fa98ea232a5777559137)
(from master-sb branch of https://github.com/rhboot/grub2)

BUG=b:69569602
TEST=TBD

Change-Id: Ia36ae78f6e6b1da6c98e3efc73db5669b48f857e
Reviewed-on: https://chromium-review.googlesource.com/945893
Reviewed-by: Edward Jee <edjee@google.com>
Commit-Queue: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Trybot-Ready: Edward Jee <edjee@google.com>
2 files changed
tree: 35814afcb58922a89a87dbc086831f40ca88c223
  1. grub-lakitu/
  2. COMMIT-QUEUE.ini
  3. README