From 2283f97b36cfbc28fac0341337956ce898ff942a Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Sun, 16 Mar 2025 20:05:31 +0100
Subject: T861: add .build/config and config/ to .gitignore

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

(limited to '.gitignore')

diff --git a/.gitignore b/.gitignore
index e3724a9f..252b5d82 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
+.build/config
 build/*
+config/*
 *.pyc
 packer_build/*
 packer_cache/*
--
cgit v1.2.3

From a02b10b2ba4197c4dcd84eef053e4ab94995295b Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Sun, 16 Mar 2025 20:10:09 +0100
Subject: T861: use secure-boot certificates from data/certificates

---
 .gitignore | 1 -
 data/certificates/.gitignore | 1 +
 .../includes.chroot/var/lib/shim-signed/mok/README.md | 11 -----------
 scripts/image-build/build-vyos-image | 5 +++++
 4 files changed, 6 insertions(+), 12 deletions(-)
 create mode 100644 data/certificates/.gitignore
 delete mode 100644 data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md

(limited to '.gitignore')

diff --git a/.gitignore b/.gitignore
index 252b5d82..6de027c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@ packer_cache/*
 key/*
 packages/*
 !packages/*/
-data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
 /testinstall*.img
 /testinstall*.efivars
 /*.qcow2
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
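Review bot: The new `data/certificates/.gitignore` keeps only `*.key` out of version control, so a private key that lands in that directory under another extension (a PEM file holding the key, or a PKCS#12 `.p12`/`.pfx` bundle) would be committed alongside the public certificates. The README deleted in this commit generated the CA key as `MOK.key`, so the documented workflow is covered; widening the pattern is cheap insurance: `*.key`, `*.p12`, `*.pfx`. If the public formats are fixed, an allow-list (`*`, then `!*.der`, `!*.pem`, `!.gitignore`) is the safer shape, since it fails closed for any new file type.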
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index 94e326d4..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -367,6 +367,11 @@ if __name__ == "__main__":
 shutil.copytree("data/live-build-config/", lb_config_dir)
 os.makedirs(lb_config_dir, exist_ok=True)
 
+ ## Secure Boot - Copy public Keys to image
+ sb_certs = 'data/certificates'
+ if os.path.isdir(sb_certs):
+ shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
 # Switch to the build directory, this is crucial for the live-build work
 # because the efective build config files etc. are there.
 #
--
cgit v1.2.3
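Review bot: `shutil.copytree(sb_certs, ...)` copies the whole `data/certificates` directory into the image's `shim-signed/mok` path, so a `MOK.key`-style private key a developer keeps there locally (the new `data/certificates/.gitignore` hides `*.key` from git, not from the build) and the `.gitignore` file itself would be shipped inside the image, contradicting the comment's "Copy public Keys". Restrict the copy to public material: `shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok', ignore=shutil.ignore_patterns('*.key', '.gitignore'))`. `copytree` also raises `FileExistsError` when the destination already exists, which looks possible here if a stale `mok/` directory from the previously gitignored location is still on disk and was picked up by the preceding `copytree` of `data/live-build-config/`; adding `dirs_exist_ok=True` makes the step idempotent. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.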