From f11b1c250b02e5ae87ab91da6fd3494c8cdf33a5 Mon Sep 17 00:00:00 2001 
From: Richard Ulrich Date: Fri, 24 Jan 2025 18:05:38 +0100 Subject: [PATCH 1/2] dm-verity and secureboot --- .gitignore | 1 + Dockerfile | 187 ++++++++++++++++------- Makefile | 86 +++++++++-- resources/grub-early.cfg | 3 - resources/grub-standalone.cfg | 3 + resources/grub.cfg | 6 +- resources/isolinux.cfg | 4 - resources/skeleton/etc/default/nodm | 1 + resources/skeleton/etc/fstab | 3 +- resources/skeleton/home/satoshi/.profile | 1 + resources/skeleton/home/satoshi/.xinitrc | 2 - scripts/mkimage.sh | 178 +++++++++++++++++++++ secureboot/keys/DBX.bin | Bin 0 -> 3531 bytes secureboot/keys/DBX.cer | Bin 0 -> 1399 bytes secureboot/keys/DBX.crt | 32 ++++ secureboot/keys/DBX.esl | Bin 0 -> 1443 bytes secureboot/keys/GUID.txt | 1 + secureboot/keys/KEK.bin | Bin 0 -> 3487 bytes secureboot/keys/KEK.cer | Bin 0 -> 1367 bytes secureboot/keys/KEK.crt | 31 ++++ secureboot/keys/KEK.esl | Bin 0 -> 1411 bytes secureboot/keys/PK.bin | Bin 0 -> 3479 bytes secureboot/keys/PK.cer | Bin 0 -> 1359 bytes secureboot/keys/PK.crt | 31 ++++ secureboot/keys/PK.esl | Bin 0 -> 1403 bytes secureboot/keys/db.bin | Bin 0 -> 3511 bytes secureboot/keys/db.cer | Bin 0 -> 1379 bytes secureboot/keys/db.crt | 31 ++++ secureboot/keys/db.esl | Bin 0 -> 1423 bytes secureboot/signers/ccc.pgp | Bin 0 -> 5028 bytes 30 files changed, 517 insertions(+), 84 deletions(-) delete mode 100644 resources/grub-early.cfg create mode 100644 resources/grub-standalone.cfg delete mode 100644 resources/isolinux.cfg create mode 100644 resources/skeleton/etc/default/nodm create mode 100644 resources/skeleton/home/satoshi/.profile delete mode 100644 resources/skeleton/home/satoshi/.xinitrc create mode 100644 scripts/mkimage.sh create mode 100644 secureboot/keys/DBX.bin create mode 100644 secureboot/keys/DBX.cer create mode 100644 secureboot/keys/DBX.crt create mode 100644 secureboot/keys/DBX.esl create mode 100644 secureboot/keys/GUID.txt create mode 100644 secureboot/keys/KEK.bin create mode 100644 secureboot/keys/KEK.cer 
create mode 100644 secureboot/keys/KEK.crt create mode 100644 secureboot/keys/KEK.esl create mode 100644 secureboot/keys/PK.bin create mode 100644 secureboot/keys/PK.cer create mode 100644 secureboot/keys/PK.crt create mode 100644 secureboot/keys/PK.esl create mode 100644 secureboot/keys/db.bin create mode 100644 secureboot/keys/db.cer create mode 100644 secureboot/keys/db.crt create mode 100644 secureboot/keys/db.esl create mode 100644 secureboot/signers/ccc.pgp diff --git a/.gitignore b/.gitignore index 1d60f85..a94f205 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ output/* /*.tar.gz +OVMF_VARS_4M.fd diff --git a/Dockerfile b/Dockerfile index b005037..0f5e19a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,34 +14,78 @@ RUN cargo install --locked --root /usr/local --git https://github.com/weareseba/ --branch feature/rust-1.69 -FROM builder -RUN apt-get install -y --no-install-recommends \ +FROM debian:trixie-slim +ENV SOURCE_DATE_EPOCH=1231006505 +ENV VERITY_SALT=08a0beacc11acabe72fa687107a743ed0680cfa985eac4386b6143ad93a563fc +ENV VERITY_UUID=12345678-1234-1234-1234-123456789abc +RUN apt-get update \ + && apt-get -y dist-upgrade \ + && apt-get install -y --no-install-recommends \ + bash \ build-essential \ coreutils \ - grub-efi-amd64-bin \ + cpio \ + cryptsetup-bin \ + dkms \ + efitools \ + e2tools \ + e2fsprogs \ + faketime \ + gawk \ + gnupg \ + grub-efi-amd64 \ + initramfs-tools \ + libccid \ + libcryptsetup-dev \ + libengine-pkcs11-openssl \ libsystemd-shared \ + locales \ mmdebstrap \ mtools \ + opensc-pkcs11 \ + openssl \ python3-dev \ python3-pip \ python3-pytest \ + sbsigntool \ squashfs-tools \ squashfs-tools-ng \ + wget \ xorriso \ - xz-utils - - -RUN mkdir -p staging/live \ - && mkdir -p staging/boot/grub/x86_64-efi \ - && mkdir -p staging/boot/syslinux/ - + xz-utils \ + ykcs11 \ + yubico-piv-tool \ + yubikey-manager \ + zstd + +# Create user +ARG UID +ARG GID +RUN groupadd -g ${GID} satoshi && \ + useradd -m -r -u ${UID} -g ${GID} -G users,lp,disk,adm,dialout -c "Satoshi Nakamoto" -s /bin/bash satoshi +WORKDIR /home/satoshi + +# Copy res and useful files COPY resources/skeleton/ resources/skeleton # copy binaries built with cargo to the chroot COPY --from=cargo-install /usr/local/bin/bdk-cli /usr/local/bin/ COPY --from=cargo-install /usr/local/bin/electrum2descriptors /usr/local/bin/ +# Set the locale +RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ + dpkg-reconfigure --frontend=noninteractive locales && \ + update-locale LANG=en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANGUAGE en_US:en +ENV LC_ALL en_US.UTF-8 + +# Create staging folders +RUN mkdir -p staging/live && \ + mkdir -p staging/boot/grub/x86_64-efi && \ + mkdir 
-p staging/boot/syslinux/ +# Create Live OS filesystem RUN mmdebstrap \ --variant=apt \ --dpkgopt='path-exclude=/usr/share/man/*' \ @@ -52,44 +96,64 @@ RUN mmdebstrap \ --dpkgopt='path-include=/usr/share/doc/*/changelog.Debian.*' \ --include='\ busybox,\ + curl,\ + cryptsetup-bin,\ dosfstools,\ + efitools,\ electrum,\ evince,\ fdisk,\ firefox-esr,\ fonts-freefont-ttf,\ fonts-noto-mono,\ - gpa,\ gpg,\ grub-efi-amd64-bin,\ isolinux,\ + jq,\ keepassxc,\ + libgl1,\ + libglib2.0-0,\ + libnss-resolve,\ + libpcsclite1,\ libykpiv2,\ libnss-resolve,\ + lightdm,\ linux-image-amd64,\ live-boot,\ + nodm,\ + mokutil,\ mousepad,\ + mtools,\ + net-tools,\ + network-manager,\ openssh-client,\ p7zip-full,\ pcscd,\ python3-ecdsa,\ python3-hidapi,\ - python3-libusb1,\ python3-mnemonic,\ python3-pyaes,\ python3-pyqt5,\ python3-semver,\ python3-trezor,\ python3-typing-extensions,\ + python3-usb,\ + python3-usb1,\ rsync,\ scdaemon,\ syslinux-common,\ + systemd-cryptsetup,\ + systemd-repart,\ systemd-resolved,\ systemd-timesyncd,\ + systemd-sysv,\ thunar-archive-plugin,\ + uuid-runtime,\ usbutils,\ vim,\ + wget,\ xarchiver,\ + xclip,\ xfce4,\ xfce4-terminal,\ xinit,\ @@ -99,7 +163,7 @@ RUN mmdebstrap \ yubikey-personalization,\ yubioath-desktop' \ --customize-hook='chroot "$1" usermod --expiredate 1 --shell /usr/sbin/nologin --password ! root' \ - --customize-hook='chroot "$1" useradd -G users,lp,disk,adm,dialout -c "Satoshi Nakamoto" --home-dir /home/satoshi --create-home -s /bin/bash satoshi' \ + --customize-hook='chroot "$1" useradd -G users,lp,disk,adm,dialout,video,tty -c "Satoshi Nakamoto" --home-dir /home/satoshi --create-home -s /bin/bash satoshi' \ --customize-hook='sync-in resources/skeleton/ /' \ --customize-hook='sync-in /usr/local/bin/ /usr/local/bin/' \ --customize-hook='chroot "$1" chown -R satoshi:satoshi /home/satoshi' \ 
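Review bot: `ARG UID` and `ARG GID` have no defaults, so a `docker build` that does not go through the Makefile's `--build-arg UID=… --build-arg GID=…` expands `groupadd -g ${GID} satoshi` with an empty id and fails, and a build started as root passes 0, which presumably collides with the existing root group. Give both a default, for example `ARG UID=1000` and `ARG GID=1000`, and reject 0 before calling `groupadd`. The stage creates `satoshi` and sets `WORKDIR /home/satoshi`, but no `USER` line is visible in this patch, so the container that later talks to the signing token appears to run as root (the Makefile mounts into `/root/.gnupg`). The three locale lines use the legacy space form; `ENV LANG=en_US.UTF-8` would match the `ENV SOURCE_DATE_EPOCH=…` lines at the top of the stage.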
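Review bot: The `--include` list now names `libnss-resolve` twice (the added entry sits two lines above the existing one) and pulls in two display managers, `lightdm` and `nodm`, while only nodm is configured by this patch (`NODM_USER=satoshi` in `resources/skeleton/etc/default/nodm`). Drop the duplicate and keep one display manager so it is unambiguous which one owns the graphical session and its auto-login. The same hunk adds `curl`, `wget`, `net-tools` and `network-manager` to an image that ships wallet and hardware-key tooling; a comment stating why each network tool is needed would let reviewers judge the added surface. The `mmdebstrap` invocation starts and ends outside this hunk.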
@@ -108,20 +172,22 @@ RUN mmdebstrap \ base58 \ noiseprotocol \ protobuf==3.20 \ - btchip-python \ + ledger-bitcoin \ ckcc-protocol \ keepkey' \ --customize-hook='chroot "$1" /usr/bin/busybox --install -s' \ - --customize-hook='chroot "$1" systemctl enable systemd-networkd' \ - --customize-hook="download /vmlinuz staging/live/vmlinuz" \ + --customize-hook='chroot "$1" systemctl enable NetworkManager' \ + --customize-hook='chroot "$1" systemctl set-default graphical.target' \ + --customize-hook="download /vmlinuz staging/live/vmlinuz.unsigned" \ --customize-hook="download /initrd.img staging/live/initrd" \ - --customize-hook='set -e; for f in 20-hw1.rules 51-coinkite.rules 51-hid-digitalbitbox.rules 51-safe-t.rules 51-trezor.rules 51-usb-keepkey.rules 52-hid-digitalbitbox.rules 53-hid-bitbox02.rules 54-hid-bitbox02.rules 55-usb-jade.rules; do \ + --customize-hook='set -e; mkdir -p "$1/etc/udev/rules.d"; for f in 20-hw1.rules 51-coinkite.rules 51-hid-digitalbitbox.rules 51-safe-t.rules 51-trezor.rules 51-usb-keepkey.rules 52-hid-digitalbitbox.rules 53-hid-bitbox02.rules 54-hid-bitbox02.rules 55-usb-jade.rules; do \ wget -q -P "$1/etc/udev/rules.d" "https://raw.githubusercontent.com/spesmilo/electrum/4.4.5/contrib/udev/$f"; done' \ --customize-hook='wget -q -O - https://gethstore.blob.core.windows.net/builds/geth-alltools-linux-amd64-1.13.11-8f7eb9cc.tar.gz | tar -C "$1/usr/local/bin" --strip-components=1 -zx' \ --customize-hook='wget -q -O - https://github.com/wealdtech/ethdo/releases/download/v1.35.2/ethdo-1.35.2-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" -zx' \ --customize-hook='wget -q -O - https://github.com/ethereum/staking-deposit-cli/releases/download/v2.7.0/staking_deposit-cli-fdab65d-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" --strip-components=2 -zx' \ --customize-hook='ln -sf /usr/share/zoneinfo/CET "$1/etc/localtime"' \ - --customize-hook='mkdir -p "$1/media/usb"' \ + --customize-hook='mkdir -p "$1/media/usb-rw"' \ + --customize-hook='mkdir -p 
"$1/media/usb-ro"' \ --customize-hook='echo CET > "$1/etc/timezone"' \ --customize-hook='sync-out /usr/lib/grub/x86_64-efi/ staging/boot/grub/x86_64-efi/' \ --customize-hook='copy-out /usr/lib/ISOLINUX/isohdpfx.bin staging/boot/syslinux/' \ 
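Review bot: `ledger-bitcoin` is added without a version while its neighbour is pinned as `protobuf==3.20`, so the code that ends up inside the verity-protected squashfs depends on the day of the build. Pin it the same way, `ledger-bitcoin==<VERSION>` (placeholder: use the release you tested), ideally with hash checking. The command these package names belong to starts outside the hunk, so I am assuming it is a pip install hook. The `wget … | tar` hooks kept as context here fetch release tarballs without a checksum; that is not introduced by this commit, but it affects what gets measured and signed in the same way.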
@@ -143,44 +209,47 @@ RUN mmdebstrap \ --customize-hook='find "$1" -name "[a-z]*[.-]old" -delete' \ --customize-hook='find "$1/usr/lib" -name __pycache__ -type d -depth -exec rm -rf {} \;' \ --customize-hook='find "$1/usr/local/lib" -name __pycache__ -type d -depth -exec rm -rf {} \;' \ - bookworm staging/live/filesystem.squashfs - -COPY resources/isolinux.cfg staging/isolinux/isolinux.cfg -COPY resources/grub.cfg staging/boot/grub/grub.cfg -COPY resources/grub-early.cfg . - - -RUN mkdir -p staging/EFI/boot \ - && grub-mkimage \ - --compression="xz" \ - --format="x86_64-efi" \ - --config="grub-early.cfg" \ - --output="staging/EFI/boot/bootx64.efi" \ - --prefix="/boot/grub" \ - all_video disk part_gpt part_msdos linux normal configfile search \ - search_label efi_gop fat iso9660 cat echo ls test true help gzio - -RUN mformat -i staging/efiboot.img -C -f 1440 -N 0 :: \ - && mcopy -i staging/efiboot.img -s staging/EFI :: - -CMD find staging -print0 | xargs -0 touch -md "@${SOURCE_DATE_EPOCH}" \ - && xorrisofs \ - -iso-level 3 \ - -o /output/livedeb.iso \ - -full-iso9660-filenames \ - -joliet \ - -rational-rock \ - -sysid LINUX \ - -volid "$(echo DEB${TAG} | cut -c -32)" \ - -isohybrid-mbr staging/boot/syslinux/isohdpfx.bin \ - -eltorito-boot boot/syslinux/isolinux.bin \ - -eltorito-catalog boot/syslinux/boot.cat \ - -no-emul-boot \ - -boot-load-size 4 \ - -boot-info-table \ - -eltorito-alt-boot \ - -e efiboot.img \ - -no-emul-boot \ - -isohybrid-gpt-basdat \ - staging/ \ - && sha256sum /output/livedeb.iso + trixie staging/live/filesystem.squashfs + +# Copy secureboot and GRUB files +# https://wiki.debian.org/SecureBoot/VirtualMachine +# https://github.com/salrashid123/secure_boot +# https://superuser.com/questions/1660806/how-to-install-a-windows-guest-in-qemu-kvm-with-secure-boot-enabled +RUN mkdir -p secureboot +ADD secureboot/ secureboot/ +COPY resources/grub.cfg staging/boot/grub/grub.cfg +COPY resources/grub-standalone.cfg . 
+ +# Create verity partition +RUN veritysetup format \ + --uuid=${VERITY_UUID} \ + --salt=${VERITY_SALT} \ + --root-hash-file=staging/live/filesystem.squashfs.roothash \ + staging/live/filesystem.squashfs staging/live/filesystem.squashfs.verity +RUN veritysetup verify \ + --root-hash-file=staging/live/filesystem.squashfs.roothash \ + staging/live/filesystem.squashfs staging/live/filesystem.squashfs.verity + +# Patch initrd for missing system libraries for dm-verity (dlopen) +# - libcryptsetup.so +# - libuuid.so.1 +# - libjson-c.so.5 +RUN mkdir initrd-patched && \ + unmkinitramfs -v staging/live/initrd initrd-patched +RUN cp /usr/lib/x86_64-linux-gnu/libcryptsetup.so.12 initrd-patched/usr/lib/x86_64-linux-gnu/ && \ + cp /usr/lib/x86_64-linux-gnu/libuuid.so.1 initrd-patched/usr/lib/x86_64-linux-gnu/ && \ + cp /usr/lib/x86_64-linux-gnu/libjson-c.so.5 initrd-patched/usr/lib/x86_64-linux-gnu/ +# NOTE: having different locales set can lead to different final checksums of the ISO (Docker takes locale from host's settings) +RUN cd initrd-patched && \ + find . -print0 | xargs -0 touch -md "@0" && \ + find . | sort -V | cpio -o -H newc --reproducible --device-independent --owner root:root > ../initrd.patched.img && \ + mv ../initrd.patched.img ../staging/live/initrd + +# TODO +# Add M$ keys to DBX (https://github.com/microsoft/secureboot_objects.git) + +# Copy script for creating the image +COPY scripts/mkimage.sh . +RUN chmod +x mkimage.sh + +ENTRYPOINT ["./mkimage.sh"] diff --git a/Makefile b/Makefile index 6a2343c..4441efb 100644 --- a/Makefile +++ b/Makefile 
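Review bot: The root hash written by `veritysetup format --root-hash-file=staging/live/filesystem.squashfs.roothash` is the trust anchor for the squashfs, but nothing visible in this patch authenticates it: `scripts/mkimage.sh` detach-signs only `grub-standalone.cfg`, `vmlinuz`, `initrd` and `grub.cfg`, and `resources/grub.cfg` adds `dm-verity-oncorruption=panic` without carrying a root hash. If the initramfs reads the `.roothash` file that sits next to the image (not shown here, so this needs confirming), the squashfs, the `.verity` file and the `.roothash` can all be replaced together and dm-verity would still open the result. Bind the hash to the verified chain, for example by carrying it on the kernel command line in the signed `grub.cfg` or by having the initramfs check a signature over the roothash file, whichever the live-boot version in use supports. Separately, `ADD secureboot/ secureboot/` copies a plain local directory, so `COPY secureboot/ secureboot/` is the right instruction and the preceding `RUN mkdir -p secureboot` is not needed.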
@@ -1,16 +1,51 @@ USB_DISK ?= $(shell realpath /dev/disk/by-path/*usb* | head -n 1) TAG := livedeb +ISO_FILENAME := output/livedeb.iso +ISO_FILENAME_NOSB := output/livedeb-nosb.iso +UID := $(shell id -u) +GID := $(shell id -g) # creating a live system roughly by following https://willhaley.com/blog/custom-debian-live-environment/ -iso: builder - docker run --rm \ - --volume ${PWD}/output:/output \ +iso: ${ISO_FILENAME} +iso-nosb: ${ISO_FILENAME_NOSB} + +# Creates and ISO by signing files for Secureboot +${ISO_FILENAME}: builder + @git --version + docker run \ + --rm \ + --interactive \ + --tty \ + --volume /run/pcscd:/run/pcscd:ro \ + --volume /run/user/${UID}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent:ro \ + --volume ${HOME}/.gnupg:/root/.gnupg:ro \ + --volume ${PWD}/output:/home/satoshi/output \ --env SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct) \ - --env TAG="$(shell git describe --long --always --dirty)" \ + --env TAG="$(shell git log -1 --format=%h)" \ ${TAG} -sign: iso - sha256sum output/livedeb.iso | gpg --clearsign +# Creates and ISO without signing files for Secureboot +${ISO_FILENAME_NOSB}: builder + @git --version + docker run \ + --rm \ + --interactive \ + --tty \ + --volume /run/pcscd:/run/pcscd:ro \ + --volume /run/user/${UID}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent:ro \ + --volume ${HOME}/.gnupg:/root/.gnupg:ro \ + --volume ${PWD}/output:/home/satoshi/output \ + --env SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct) \ + --env TAG="$(shell git log -1 --format=%h)" \ + ${TAG} --no-secureboot + +sign: + bash -c "if [ ! -f ${ISO_FILENAME} ]; then make ${ISO_FILENAME} ; fi" + sha256sum ${ISO_FILENAME} | gpg --clearsign + +sign-nosb: + bash -c "if [ ! -f ${ISO_FILENAME_NOSB} ]; then make ${ISO_FILENAME_NOSB} ; fi" + sha256sum ${ISO_FILENAME_NOSB} | gpg --clearsign builder: chmod -R go-w resources 
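Review bot: Both `docker run` recipes bind-mount the whole `${HOME}/.gnupg` into the container, and the `${ISO_FILENAME_NOSB}` recipe does so although the `--no-secureboot` branch of `scripts/mkimage.sh` never calls `gpg` or `sbsign`. The `:ro` flag stops writes but not reads, so every tool in the builder image can read the keyring files. Mount only what signing needs (the agent socket already passed as `S.gpg-agent`, plus the public keyring) in `${ISO_FILENAME}`, and drop the `/run/pcscd` and GnuPG volumes from `${ISO_FILENAME_NOSB}`. The two recipes are otherwise identical, so a shared variable for the common `docker run` arguments would keep them from drifting apart.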
@@ -20,23 +55,48 @@ builder: --build-arg https_proxy="${http_proxy}" \ --build-arg HTTP_PROXY="${http_proxy}" \ --build-arg HTTPS_PROXY="${http_proxy}" \ + --build-arg UID="${UID}" \ + --build-arg GID="${GID}" \ --tag ${TAG} . -run: iso - qemu-system-x86_64 -cdrom output/livedeb.iso -m 2048 -bios /usr/share/ovmf/OVMF.fd +run: + echo "Press `Esc` to enter the Boot menu and enroll the certs from EFI directory" + bash -c "if [ ! -f OVMF_VARS_4M.fd ]; then cp /usr/share/OVMF/OVMF_VARS_4M.fd ./ ; fi" + bash -c "if [ ! -f ${ISO_FILENAME} ]; then make ${ISO_FILENAME} ; fi" + qemu-system-x86_64 \ + -enable-kvm \ + -machine q35,smm=on \ + -m 2048 \ + -device virtio-rng-pci,rng=rng0 \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -global driver=cfi.pflash01,property=secure,value=on \ + -drive if=pflash,format=raw,unit=1,file="OVMF_VARS_4M.fd" \ + -drive if=pflash,format=raw,unit=0,file="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd",readonly=on \ + -boot menu=on \ + -cdrom ${ISO_FILENAME} + +run-nosb: + bash -c "if [ ! -f ${ISO_FILENAME_NOSB} ]; then make ${ISO_FILENAME_NOSB} ; fi" + qemu-system-x86_64 \ + -enable-kvm \ + -machine q35,smm=on \ + -m 2048 \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -bios /usr/share/ovmf/OVMF.fd \ + -cdrom ${ISO_FILENAME_NOSB} run_yubi: iso qemu-system-x86_64 -cdrom output/livedeb.iso -m 2048 -bios /usr/share/ovmf/OVMF.fd -M q35 -usb -device usb-host,productid=0x0407,vendorid=0x1050 -usb: iso +usb: ${ISO_FILENAME} test -b ${USB_DISK} @umount ${USB_DISK}* || : - sudo dd bs=4M of=${USB_DISK} if=output/livedeb.iso status=progress + sudo dd bs=4M of=${USB_DISK} if=${ISO_FILENAME} status=progress sync -cd: iso - wodim -eject -tao output/livedeb.iso +cd: ${ISO_FILENAME} + wodim -eject -tao ${ISO_FILENAME} clear_docker: - docker rmi ${TAG} + docker rmi ${TAG} || : docker system prune -f diff --git a/resources/grub-early.cfg b/resources/grub-early.cfg deleted file mode 100644 index 4ac44b5..0000000 
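Review bot: In the `run` recipe the echo message wraps the key name Esc in backticks inside a double-quoted string, so the shell treats it as a command substitution: it tries to execute a program called Esc and prints the message without the key name. Quote the key with single quotes instead: `echo "Press 'Esc' to enter the Boot menu and enroll the certs from EFI directory"`. `run-nosb` defines `-object rng-random,filename=/dev/urandom,id=rng0` without the `-device virtio-rng-pci,rng=rng0` that `run` has, so the object is unused there. `run_yubi` still hard-codes `output/livedeb.iso` while the other targets moved to `${ISO_FILENAME}`.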
--- a/resources/grub-early.cfg +++ /dev/null @@ -1,3 +0,0 @@ -search --set=root --file /live/filesystem.squashfs -set prefix=($root)/boot/grub/ -configfile /boot/grub/grub.cfg diff --git a/resources/grub-standalone.cfg b/resources/grub-standalone.cfg new file mode 100644 index 0000000..774d3b4 --- /dev/null +++ b/resources/grub-standalone.cfg @@ -0,0 +1,3 @@ +search --set=root --no-floppy --file /live/vmlinuz +set prefix=($root)/boot/grub/ +configfile /boot/grub/grub.cfg \ No newline at end of file diff --git a/resources/grub.cfg b/resources/grub.cfg index a518a29..9022870 100644 --- a/resources/grub.cfg +++ b/resources/grub.cfg @@ -1,9 +1,11 @@ -search --set=root --file /live/filesystem.squashfs +search --set=root --no-floppy --file /live/vmlinuz set superusers="" set default=0 set timeout=0 +set check_signatures=enforce +export check_signatures menuentry "LiveDeb" --unrestricted { - linux ($root)/live/vmlinuz boot=live quiet + linux ($root)/live/vmlinuz boot=live dm-verity-oncorruption=panic quiet initrd ($root)/live/initrd } diff --git a/resources/isolinux.cfg b/resources/isolinux.cfg deleted file mode 100644 index 4e7b0ca..0000000 --- a/resources/isolinux.cfg +++ /dev/null @@ -1,4 +0,0 @@ -DEFAULT linux -LABEL linux - KERNEL /live/vmlinuz - APPEND initrd=/live/initrd boot=live quiet diff --git a/resources/skeleton/etc/default/nodm b/resources/skeleton/etc/default/nodm new file mode 100644 index 0000000..4692e7b --- /dev/null +++ b/resources/skeleton/etc/default/nodm @@ -0,0 +1 @@ +NODM_USER=satoshi diff --git a/resources/skeleton/etc/fstab b/resources/skeleton/etc/fstab index 2ff55ce..4ac7753 100644 --- a/resources/skeleton/etc/fstab +++ b/resources/skeleton/etc/fstab @@ -1 +1,2 @@ -/dev/usbdisk /media/usb vfat noauto,user 0 0 +/dev/usbdisk /media/usb-rw vfat noauto,user,rw 0 0 +/dev/usbdisk /media/usb-ro vfat noauto,user,ro 0 0 
diff --git a/resources/skeleton/home/satoshi/.profile b/resources/skeleton/home/satoshi/.profile
new file mode 100644
index 0000000..cf88704
--- /dev/null
+++ b/resources/skeleton/home/satoshi/.profile
@@ -0,0 +1 @@
+[ "$(tty)" = "/dev/tty1" ] && exec startx
diff --git a/resources/skeleton/home/satoshi/.xinitrc b/resources/skeleton/home/satoshi/.xinitrc
deleted file mode 100644
index 1a6ed56..0000000
--- a/resources/skeleton/home/satoshi/.xinitrc
+++ /dev/null
@@ -1,2 +0,0 @@
-setxkbmap -option terminate:ctrl_alt_bksp
-startxfce4
diff --git a/scripts/mkimage.sh b/scripts/mkimage.sh
new file mode 100644
index 0000000..105efff
--- /dev/null
+++ b/scripts/mkimage.sh
@@ -0,0 +1,178 @@ +#!/bin/bash -e +# Transform long options to short ones +for arg in "$@"; do + shift + case "$arg" in + '--no-secureboot') set -- "$@" '-n' ;; + *) set -- "$@" "$arg" ;; + esac +done +# Default behaviour +SECUREBOOT_ON=true; + +# Parse input option +while getopts "n" opt; do + case "$opt" in + 'n') SECUREBOOT_ON=false ;; + '?') + echo "ERROR. Script usage $(basename \$0) -n [--no-secureboot]" >&2; + exit 1 + ;; + esac +done + +# At this stage we have all the unsigned binaries/files we need +# We check if we want secureboot or not and then we move accordingly +STAGING_BASE_PATH="staging" +STAGING_EFI_PATH="$STAGING_BASE_PATH/EFI" +SOURCE_DATE_EPOCH=1231006505 +SECUREBOOT_DATE_EPOCH=1748476800 + +mkdir -p staging/EFI/boot +if $SECUREBOOT_ON; then + # Create bootloader + grub-mkimage \ + --disable-shim-lock \ + --compression="xz" \ + --format="x86_64-efi" \ + --pubkey="secureboot/signers/ccc.pgp" \ + --output="staging/EFI/boot/bootx64.efi.unsigned" \ + --config="grub-standalone.cfg" \ + --prefix="/boot/grub" \ + all_video \ + cat \ + configfile \ + crypto \ + disk \ + echo \ + efi_gop \ + fat \ + gcry_dsa \ + gcry_rsa \ + gcry_sha256 \ + gcry_sha512 \ + gzio \ + help \ + iso9660 \ + linux \ + ls \ + normal \ + part_gpt \ + part_msdos \ + pgp \ + search \ + search_label \ + squash4 \ + test \ + true + + # Sign bootloader and kernel with Yubikey + # NOTE: key with ID=02 is the `Private key for Digital Signature` one + # NOTE2: we make use of `faketime` here for reproducibility 'cause digital signatures are based on timestamps + export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so + SB_TIMESTAMP=$(TZ=UTC date -d @${SECUREBOOT_DATE_EPOCH} +'%Y-%m-%d %H:%M:%S') + + read -p "Insert Signing Yubikey and press enter..." + echo "Signing kernel and bootloader, please wait..." 
+ + # Sign + faketime -f "${SB_TIMESTAMP}" sbsign \ + --engine pkcs11 \ + --key 'pkcs11:id=%02;type=private' \ + --cert secureboot/keys/db.crt \ + --out staging/EFI/boot/bootx64.efi \ + staging/EFI/boot/bootx64.efi.unsigned + faketime -f "${SB_TIMESTAMP}" sbsign \ + --engine pkcs11 \ + --key 'pkcs11:id=%02;type=private' \ + --cert secureboot/keys/db.crt \ + --out staging/live/vmlinuz \ + staging/live/vmlinuz.unsigned + + # Verify + sbverify --list staging/EFI/boot/bootx64.efi + sbverify --list staging/live/vmlinuz + + # Clean unsigned artifacts + rm staging/live/vmlinuz.unsigned + rm staging/EFI/boot/bootx64.efi.unsigned + + # Sign grub.cfg, kernel and intird with PGP + # NOTE: optional, but useful since GRUB can perform PGP verification on boot + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign grub-standalone.cfg + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/live/vmlinuz + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/live/initrd + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/boot/grub/grub.cfg + + # Set final ISO name + ISO_NAME=livedeb +else + # Create the bootloader + grub-mkimage \ + --compression="xz" \ + --format="x86_64-efi" \ + --output="staging/EFI/boot/bootx64.efi" \ + --config="grub-standalone.cfg" \ + --prefix="/boot/grub" \ + all_video \ + cat \ + configfile \ + crypto \ + disk \ + echo \ + efi_gop \ + fat \ + gzio \ + help \ + iso9660 \ + linux \ + ls \ + normal \ + part_gpt \ + part_msdos \ + search \ + search_label \ + squash4 \ + test \ + true + + # Here we simply rename the files in the expected convention + mv staging/live/vmlinuz.unsigned staging/live/vmlinuz + + # Set final ISO name + ISO_NAME=livedeb-nosb +fi + +# Create EFI image +dd if=/dev/zero of="$STAGING_BASE_PATH"/efiboot.img bs=1M count=4 +mformat -i "$STAGING_BASE_PATH"/efiboot.img -h 64 -t 32 -s 32 -N 0 :: +mmd -i "$STAGING_BASE_PATH"/efiboot.img ::/EFI +mmd -i 
"$STAGING_BASE_PATH"/efiboot.img ::/EFI/boot +mmd -i "$STAGING_BASE_PATH"/efiboot.img ::/EFI/HP +mcopy -i "$STAGING_BASE_PATH"/efiboot.img "$STAGING_EFI_PATH"/boot/bootx64.efi ::/EFI/boot/bootx64.efi +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/PK.cer ::/EFI/PK.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/KEK.cer ::/EFI/KEK.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/db.cer ::/EFI/db.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/DBX.cer ::/EFI/DBX.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/PK.bin ::/EFI/HP/PK.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/KEK.bin ::/EFI/HP/KEK.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/db.bin ::/EFI/HP/db.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/DBX.bin ::/EFI/HP/DBX.bin + +# Create ISO +find staging -print0 | xargs -0 touch -md "@${SOURCE_DATE_EPOCH}" && \ +xorrisofs \ + -iso-level 3 \ + -o output/${ISO_NAME}.iso \ + -full-iso9660-filenames \ + -joliet \ + -rational-rock \ + -sysid LINUX \ + -volid "$(echo CCCDEB${TAG} | cut -c -32)" \ + -eltorito-alt-boot \ + -e efiboot.img \ + -no-emul-boot \ + -isohybrid-gpt-basdat \ + staging/ && \ +sha256sum output/${ISO_NAME}.iso && \ +chown -R satoshi:satoshi output/ 
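Review bot: The block under `# Verify` runs `sbverify --list`, which only prints the signatures that are present and does not check them against a certificate, so a signing step that used the wrong key or certificate would pass unnoticed. Verify against the certificate that gets enrolled instead: `sbverify --cert secureboot/keys/db.crt staging/EFI/boot/bootx64.efi`, and the same for `staging/live/vmlinuz`. Further up, `SOURCE_DATE_EPOCH=1231006505` is assigned unconditionally and overrides the value the Makefile passes with `--env SOURCE_DATE_EPOCH=…`; `SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1231006505}"` keeps the default without discarding the caller's value (or drop the Makefile flag if the fixed value is intended). In the usage message `$(basename \$0)` hands a literal `$0` to basename; it should read `$(basename "$0")`.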
diff --git a/secureboot/keys/DBX.bin b/secureboot/keys/DBX.bin new file mode 100644 index 0000000000000000000000000000000000000000..c5a234ace17a4c368bab7cf9855a6ac24e1597f1 GIT binary patch literal 3531 zcmb`Jc{mj8`p0KuY(tVIn(QOX%ZxB~DGCuYWQj2LbvP3uON=qd60(cNI@#+*#bk{} z*`gB363QM~W61HI^PcN^&+mGFzu&peInO`$b6?N>+|Tn|*Z28ep9Lt>DRvo8g^urEs*RD-}tE?t_3p6c-Z4%<4!s0J?%9ARrR}$UqRKUX*xBDwmEY6Z zx2Sc|RAJtVUR787uCb2ko6+sUw4wt~im&wA!2ShnK2KF0v_JY5K(@(#BciFf`m;nB zuJykC+eqK8Z-yDHGc&%Dxv#`+(Ks%UvLz~inDoxdR0d8dGfydF z>hREkgnje-b)iNDaJtMn;mdw(x7qU3s?+v`T>0`uHAdDZA8g&H_SC9U(I&>ABVKrH zg6h^jo!y^#1?7<@%+4~BBhabzG(OiTa31y8#DO=8E|)Ok*T-gECdrl7AEFojDLk2( zd*EE$+Chmt8d;C;xrFC9jMv-JkK1@FU?naR17o}Wy#5LGx~Xh(iy6XGC$j!c96e~H z-fp+;}Ile#NocZZ~!{=b|kwpXfVe zv{;SgyzdRd657ngKO_!~35qJyO6FFwRu}5ovJs~rGpeXLJ6*>>Z5)aoL~_APoq*CT z*6-?aVlJ_7NIXhn?$vAaZ@43zuaMgzfU~iZU3O+Qdn*fVt0~^}zE%(z2mltFBQZ$$ zk#^yn5I)EWddi+j+CaX02A3yE6uX;Q>sCCB6#i{l93p_^i~REfuHOoHfWSit6B2wB z{wTYn|8XQcARsyks)wgH+YK#JYVVs(NcN4ck|;wVd2Z&8Ed^7ituUDs%VDwo{`r87 znVOm0v1tRQcPA=o=5yI*?hFBOmuDG~CU^!bzxQ{oEt$pR;fOITl{I?RT($SdXC4Ypndd_7U*#p`U!@3rwN$ zU^bj_WS>LE!&U=+@o~_d3hHqoT#a>s|KwGxX3c(X$z-)dg8|X> z2)Bt6B7#3D-G3l4Ujh|EGW_}Gd|w)aT0nJPdahH%d&3OxEAWU9TC}>}gZ=t?v~NWP zN_X8^zoD0RD6|^G+p;z5U+~?eCZ@S`J;%FOcF}GVZTn#Jhea#*K5R|%P%w14^ngc_ z$r3ZfJ4LzjL4Do>xs9bE8EVYSQWxDyQ=qy1SNdAWx{2gbN7i)qn@yJ`(_~$FpuidPffZA>7jXpAi)>SH<=@R0`}Dem8Q%>Uhy|7hxeFz6%SgAhT0*fbG80aqKYJWtjS4sl^qRWi-j zP+TRP&L1nKnAm(VstJqrzm%$cVVO4h&SE2i<9KP#8yGH?LBvaJYUz?X-|E#jJes|P zLAG3|Ijk0y3s{Bp42PEN*E5m)xNZm6*f50+!bN zt3_Pm!SRehSu}&Jf)0Cy^p*PY`ZlFNY~}%bxpYxmD>~QB`m}!2B+bjV(qXr~Ic$lW zd|~$62E6B5>J^d(C3QGgDpoAO22!EyRTurh*X6lJkQ^&F<3;i9`->tPlzCZZrxX9gaKS+4VOip()=$e+4Z9BbM=_UnH4lxD^M{%;!yuk)8lzExz_GA;b5Dx*Ek);-<0{z5Y(+N4B2(;Bri zn(dGbEC2ESi%1+FA$L8V2&nv(_iG!L_6Y1~HP~#z1I?*Vi1sHEJ|Dd2+A#Qp(`{OA zSC(?y+NW;yeiYBMhnwQpI%>F;ODyw5Wj7l}I11HE_2bk-w>hOZwrzr+oNtgzjIpe2 zdX)8vdcC>6kQ!}UP75+1DYV+DEmKZuSOi$AXK|&kg{*%uow?N~I8MC; zoYH+JP^MG%n4q7rue~*>m)Q`qX@=GuJB28bEI8&9H%X$wjrW=iX8B=R1WF^eGRODE 
zCGr>{5+1bm;@wget7rWyaw-%0ZrTWAIfuHh2Ft#R)yBGtlyL%#?0M1k|JfKd73SYfTO;!Se3 zm?{_P93F0GlCvobJU7lKNZg#{_0{gg$?HVag3kQJLQnqaGgbIAL;%AH#64+KnW5li zPn~RtnqU*!?w=6hPYeDPL@+ar2bt(PwIaYtEtLE{+*5I^v_N9*yt_{dT1l7A^rCbx zu^X5Yh*0xiFMChG;^=vtFowj3CJygy}r+d^7M>p=AJeznQX_zxAz&swP!g8g;+ zKUGESx+BLf|GJT8-;(P)AXG#n$epb=HYSBIyy7m?tfe}O2CDXq7F*kzwik$POY*gj zgVjI5p?i6k2}Mho^RGXbD<@$4t=X#6wyWt$ceAp19;VPwu81wwu}zzkn=um`N!)R@ zCu0YbCx@J|F6uz`21GsW>tC{S#-BG{wQA#SP}s#30L$>F=Iz6+Bf!sh5Mqg|xjI?F zSb&`2n&D9OsB_PKSAxu@hfPKnN?Yij9ySY^l z^7{#VeTSpO_So1N$LZ92JSSXo+9{ZhNT~T<5l@9meUDD@O0#@SSGPf(NpWx;Uk)JR zazJ)#@FAfKYkhGgne8|%N~3Xo!;7wMvH3}d%4!u`z7rlwcx_9F)=bsGu_F|^5?f}^bGZg8!J9L*v}6YFf3i=cvWofv?QGp z`D?YjM;ao})!Y6R)8knAboE__yOC-aUPU%>R*A&NDJX^au;0vHx1S|GIWxcXF~L#$}lr_LsZ)tf}0 z9SGXJfjJ@k;$B~2_L*C{n+uwX9{#<`|JmbCqT{YN2Tj$}zW!PM^~^2h*>SS|c^?j~ z6Es~CHd|5q%hnq_3$2#Ac34$^44C#+ z2uQq~5nk7D=0_6uqvp=rKCV9>YOcB1ckTZ1&mJi~`gRKrO;bBN-SD^il^%_`;-40{ zpZfCY<;3RbmAlJ4TJ-nFSiV^xV;xcwW;LCE%7@BNPyHWPot3(~+@0}(;|_^s_RBUF zxla9K_w}O7w5^q20?ci0%cw0;ohOjfald7^tk17q9#6!1rxz{Q8MJz4Zn1mY?V<+R zvag4)yk5hZx#gs3S>jCH&Q*u9JU_|4C%u7Y7>z8ps0E zwk#iu7>fwAY*EuMO@FOR6>l=_XRugG?J|!skOxUCvq%_-HDFi34^kk^$oQXy)qojD zAtyUv{sAUCMuq_YP9|T+r2T5lz55o-{gt>~IY?8YXZ?%xoC)S8j>lOKFa6bXLe|J8 zTdnZ{)0<;Ew6j=vj(*U26L$XQ#y<~&>q9i9ZT~86{Ik}#yz}}h(;fSluaY{q+4Y}= zLd=PV+uoZ#Pm0?&EBCzgqTNM0#%q0iS}K2Mb$IWNP(QNh{F+~0ul66<_3dTTf!BKL z6E3d($6Wnuws+B@*MUx_9~5Wc7}!@5Z$W(GjJZ`vOJj=akUY3%zM78 zDfPUcWk0-|0QDqmh}iU>_AnARp6^|;N`<|1?Q;|dXpZa0BDJm1W_Yb>nh zaX*N$j8%Mm<@x)JwyXE@wj4@O`F8uZM#7_slZ8c6W*%G+c&LFr_}3!gRc2dG+b@2* zSFiQx36IUbiz_yZ&19(aE}5~v;(yW6pa{3OeOyAkjn+Fqea<>=7xLwf{c_Im_Lbjj ztBbZLaQt4x$#Xz_pI=F8^=oG1+G}S|?B4EmFMd^o`tC$}4+odjX*epF$|8l96 k-GuiSe-^Sj1|3{*EciT+zsk@5t&3l8bo|8p+_HKe02%&gZ2$lO literal 0 HcmV?d00001 diff --git a/secureboot/keys/DBX.crt b/secureboot/keys/DBX.crt new file mode 100644 index 0000000..4143133 --- /dev/null +++ b/secureboot/keys/DBX.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFczCCA1ugAwIBAgIUB4TJ9/b6viUGvpGiErVZHRuWS7swDQYJKoZIhvcNAQEL +BQAwSTFHMEUGA1UEAww+QU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChTaWdu +YXR1cmUgQmxhY2tsaXN0IERhdGFiYXNlIEtleSkwHhcNMjUwNTI4MTEyNzI3WhcN +MzUwNTI2MTEyNzI3WjBJMUcwRQYDVQQDDD5BTUlOQSBCYW5rIEFHIC0gU2VjdXJl +IEJvb3QgKFNpZ25hdHVyZSBCbGFja2xpc3QgRGF0YWJhc2UgS2V5KTCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJY1uQME/PtFW5gnWNio80A/n1UQMXWq +QdUWnZZiLHQf1n0NxIBZzn89/RYuCKnlq91A3Vkm0OpZggl6FF9eICJXjAfZa66/ +BF9UxKaqkTTyNR2hZ+BPodo4Kj7iCsjiufLDPHmDTaQullgx99mYX44NqfjV5SCI +FnKa8omCAKuyFebAUruwA2BX0b1NEweZtIuDcIJy4f3VD/NI3GFBuuzBNSdm9fyn +9czaI5teHU9u8MKuETWkVpshK/S12AyhOqVFiDp79g4p8/ZZeLZCtSyMhVarurCX +3IRs+cjpVOnUMAK+eBAY6ZhXfoDM+GIL4oOJ20xF+eEprNGO1t/H80hkjC8+oMKW +Js2XMfsn1IwonRfyoEfK9PLpkYNbqbt2SIQvv1w57KAcO1R0VjqXD5TwefLlT+N6 +zRrdp0cB4EG4GKY/prFyRZX8PvXRRJa1efRQNzzbHCakJZ4QbIjfhLsdTPq6SOQX +DZdyoLlSq5ltc0eG23KAHXb1w9TrrAlptMk1dmGZLYmqwmpJ8h3tCo+7trlJ7Yf9 +7TVVwwcA/YVr1iunKr0HJFn6QQvBwQgwjeidYjwQCnuVMR07ZH4RO5PTJpFUXwxF +yzG2Lw6PGBup6tuhrx8yd4atIjgPhEBuHVxNmfQrAUDdFhqC9N8VbT7EYS4/fq8C +KP5SBxn4zU8vAgMBAAGjUzBRMB0GA1UdDgQWBBQDHXKC+ilPKtJ47Gk/mAQ5Gro3 +XDAfBgNVHSMEGDAWgBQDHXKC+ilPKtJ47Gk/mAQ5Gro3XDAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBQT4kCTUFivyYDjb6gnfphtyNSKRiMr+hn +bJA3NEHHBcOl+ozIHTI8ayaB4ALsxrgragQMxfAs7FbP2bH84FN/VCkbPf0hsfyt +TXeJ16o1uL+nqhrOs0X+OCBcyIDbS7Lzkl6+mm3PG6K7ciwzrUxMhHn7aohLu1gn +xKLPrPpK6r/AuvbpgsDrLq9g0a3+A3v6m0tyoutRQsrhqTWLUs5YCq2S9q3HjY+X +lxOokMcZ7SLrswriU4a9Ud7zjRGIrxmH0Y7f0mNSZDoBC7UmtLvmcZiZ3by5VVfA +FbUv+VGeAaZuHOhefVh+A7z3JiKM75o/l3hSACxJ8EnSrdljy5wrafnhsRsvwf4N +5Hn5xCr97FZpWd2ePQ7eQy8y8wATJnLqWtUZL2qW57XfvB8k9OspFBKScJaGHVrj +hkk80QNj43gUGItGENwM9jeLfDg6ngvgXDldIePU5+9ohtXebrTCYCT229soYOKR +kxMUZJnBoFHCgAdT+qITqja0yz+j7b0uhcXISLNNo3izFpkAfkt0mL94/3LFUlhG +7Y4KEg2BO7ny82rHPlT03D+nCVeHqfd9e3K3YAj7ogkMwBe+TnRle+sDM33Wzci7 +t0rY9hsGeHXwmaoC4Y8+ZaRAsxuZL9N1Gj6Q79H5cQVBUsGgxlPPDE8k+f+Fo+ux +QfID5zl7ng== +-----END 
CERTIFICATE----- diff --git a/secureboot/keys/DBX.esl b/secureboot/keys/DBX.esl new file mode 100644 index 0000000000000000000000000000000000000000..79be0294c2b47f0c5f800cb88cd51dc04431bf5d GIT binary patch literal 1443 zcmZ1&d0^?2Da*aux2_hA(f&}hn3Vwx+JW?iv|4fB{SH3ee`I%lJ*(|#(8OA7(8L_Q zfSHMriAjXL<>dEozxJuJ?VGqrXltab^fd3?2E1&XT5TR}-+37sxmg(uJPq9qT-lgI zS(th39DP0g92J}r^Rg8j-4%2df>V=Ai&7Pw^7Bg+G=ekJ^AbzI{G7z(?3~Qv5(SsU zlEkFM;#39i)JjbQIdNViQv*{Y3qwOAb0hO8ab9B(*9^*~rd3T$O2{5zWMyD(V&Z2o zXky}GYGPt!m}a_@ndQ%K*XSAQ5jR$RcCeoxDqvW;%JHh$+-XTVCGyv5d5<(io~yV0 zE2hV>^6Bck4tFEfF1(6t;;a&hk5f35Ce8`byt0tO!GL>DJ{=k3XEekEX zM_eZ!?fi7urn1?0iQcpb!|yj|#P{*8{BiZELWfwG>I`CDYgHm9vRJ*{D@cWsz{rzPj-iI*WSuNW}xs}PWQIU~HT;mnUD z?nlj?w|!iHKGa-uvG3ab*7kFk8SK*l6?r{jLhZdspSyF8wV^G+{Xurp}&%-mx4w%bJwvSnWnUwOTTGjq#H z)3U^wx}B>IWqE#*eaqFqd)rRWx9xx5nuZ=`XZYKieNB70)?Rj%$X|}!2M=->^uCyz zWFx>;J=IXwI;Bp~dh%tpi6QYkuBQ#R>GSnVNUwZ#d*OO{qw==3N*4Sr4tcUMzB9jQ zGdkQAlWO{MUo_Y5NTQy7-FhaCe?jb$KhFB=GchwVFfI-@2sDrdrfpe17BLnPX4#^q zUz+|}mnz<5+RtFIl-gw;V;~QbR%Vef5Np7$fFGnln33^63#$P$kU~y&!2APDc8m-G z{+&#|j!FB~n0xmvnENYnyK<1GM9=yc={Xb3O&pK29$xyZ=Y*`0O}1L&1Ex2}c4%j@ z@ErZ1^Cs;4&5eH^1lNaXO56Tb-1uj$Z+YkSRi-=kFJC2fZnNt@3x${y4Y$2FeV!Dz zZ&vPk=|#JXbd1;f__S31&g$^q9ie_?(fKvMyk6};u3i+%Sm zB?qNgF>-HJ+p_yv;f$Gg_v{P}KOnkQ|7YMl#$|ajFXCz=>X`R@S5xYFKg)i4MG%9I z=LgSAYi}l>o}-=l^WjEm{e%B_pH%)lqV@MpSZ3tidA5A_ob`=9GYG2{y^6Xjsh>6N z`PTb;&7=}wu;gZGgmP^?6*r@;;>nIrvBwpDZ2^pFa9iKbqqSV Z;8^f^9)Fde|63Qo-st#=`MG8FJOB-8c{>0A literal 0 HcmV?d00001 diff --git a/secureboot/keys/GUID.txt b/secureboot/keys/GUID.txt new file mode 100644 index 0000000..67135ea --- /dev/null +++ b/secureboot/keys/GUID.txt @@ -0,0 +1 @@ +177d66d0-bf4d-4c40-8bfc-1db9f5cd2b41 
diff --git a/secureboot/keys/KEK.bin b/secureboot/keys/KEK.bin new file mode 100644 index 0000000000000000000000000000000000000000..10ff825039b305bb1e92dd84ddbbb56b41ae15ac GIT binary patch literal 3487 zcmbuBcTf|`7RHl6h?Iy(m4H%16%#rr0xAed2N4A+(p%ut6g8B9H0ebFNhGu&RRx65 z1rd}EO1U7tcR~#Tc{umJ8SfiknfvyivuF0~H@h=uzuzuEz+Ch&7~r3S;l%L_v~d#K zTcS1QxT+cXN*XO^Vn;w=AnPC?5Xp#u($HFkY5?u1s6jw506|YfD;la1x(fwDfEgID z9s&ctfxu8nWl({DAP|d-L|emiP$XJ1(ah&2@6N$vwK20F5`XRi(jQC6Af*sU8mgPr zR1Bi3I-0twJXfqyEP^{84WHs4 z=b<&vXHKgOQ8^9|!!t zD{dup)}nvR8820`Dq@3?4@{7~pr#S){Y|=S%~|W2sU+eZOB_qS2_(DwvSw`p68ZgP z>zHL!dj@3L)<=#AIlnKIINtU4I?L>m2=Ro{oPJ@uD>N{@_cT$eRx18_ccBebsghuq z5=di?SrXzv+uv%xH>Bk`Pg6D^dgBP_4*9HxZ5~f{N&4sqhey`td@V=)<9d(JNo$I*~%I)B~w1?Wf zW3OKiky}qWDku0rk#wDgVVc4O(N*e@?I3J*Lea%E`5^C8*Tu6B3I=2m=uT#2modoAq)`Q$34q^lA4X0 zg}sQM$1VPApEPtW^R#>tg1Yb$6XM*DWqxW71Y6**3mAVCFav={)L;bFarn9Ij^D*` z+W`Sa53WmrXmSYHCPP*QOzg_tc!^1tLo;#>GswfnZ2gfczbaA~JDDy_@hW(;^D;>K zp&?wWAr#_KxE+*QJI?04)ic8)NZge9INw-}O3t%pTen(bI@BoU=wH9|ZoBcUP()(< z6)4Q*%oi@9L+$`7zcB3v9V}N~W(6!g7s94)bUyu_pOOwV)}klS@l3#>gxH!CzF<1Q zstvPY+D;Y{u~^j=QRY3!z$}k`i~6Ebu@HeTZ@W^8U9Jz%;g9K#PG)nj%;TOvV8lwQ zM0RCwQoRip22a3zFZ6Iq??Fy^By&{N>==i>j%X4{?qYlz1^{brb&FXA#zmFa(OQU6 zBFD0V#0{kbCm&`3N61V2mk#}e!z+~wp%mxqq!6b-Yv4xy4VMOk2jtYrQ?vF+%--C{ zOw!=1x2*1A&EWD$;XU%zqES@+1dLPKm`n?=mwrJpz;LYD5P4Y>ZJm*t#dbK~c@8m&2<~oqE&@cW+AtRJ`GP&k8BQ0!AkL#)!395`(*#3eKo5?s z$NSiO5jua<(*C^*|7_$xnewscQDZ=Wi}mEGIm4YT70tfbY}d0{ALnn&XwGZO<7;pp zQTLvHUnHJ>(vPbI_Z{Hyt?}@28BTIM|q} z(U^~qOhcpCBb%44SeyWFCzYOd|=->OZ|4=I#??`If%x zHk$USdiLOI>~f5Xa)F*6*K$w+W{9VbFW}2Ehf~SO{i;k?HL88)i<(8?{P+Ob$B^IV z?@HS1 z!@egbcCdhEApkA_h83`W6Q)!wr3Jfg+l-3Wn-;KqENrgQtWtXZ9o_9hf_Z!lH14pR z-D+Rix!LjHX9$zmUxZssSdx3uc2;t+P=xZND;*CGYn%^#OXVE;|IC($#{kiJQL#GTkk@c>F ztA<$S!cs_Q@I!!DmBpriRc+CPz++%Tz~Ym(zQb9|#m9=H2EJy2Zq2Kj$+S~bZh~o_ z_|4?389_28NNj(|ms@(G+!?t>ak=0|M`h~AtL|?Xie&+3b8Vi^9E7#%FIN_zpG>jDOot!`)PX#O-VcG>4hFQwf|Pi3gPvLb65` zTB;)B$)e_wA@b4APosS~gZvG=v0X&&T_-;^vrR&YuzC*z9d2}*j!Y#d8?61EvQHt% 
z=S%B++Qz@u1&i%WVNB=ObYUHm8J$9S4av_+?6dm+g8yF@{4e+qj)q)AwbYvT zE@qUZ>yHX{46TJ^^!mN9H?pe3jqBAzMdM8R`3^egy*Hg33N5?KhSIj^;%PK|*pNUQyk;cdzIWqPX$=2daI&H2#B`eMi5?4l}{6dYZlue}))kgEevo2nw za~?*ToAR{|4RSK2(_fp{+$|**OsxM7$jft=2y8OIYxksZGp_e~s9%KT&OD3$E*Il^ zM9HhyVCVk^ip(dRhFKSz;ylJ~-m1OS$s`z~aHP@2o8)glnvH?8M<;o7MPUVyej%FQ zyRUR4PzX4J%~FkWCaae|%8lbS8zgg$)MhyQd8lJW7Sdw3OY*w*;t00(gtcya+5@+t zQ~abhhm`8lF1BdCC1>_>YtOiz=>WQZ>4@{ua?T;MAlSs9mvuZtcR+F85wT-fji4yd zEDNdI=fpwMI(0khLRF(ehpcFm=+j} z+}*pF4^YRVp^++8xJd83hA(GR?R{{df#rvnTUp92G%OEUU6kq@olB-v(~$!&ifA4t n^ftW z)WpQdu-%^bxbJo?HSskodJ`vypWae;VQ$ zix}^xob@vAO%{C#^f=ThfBW9@w1bakoSWunm@!G7o8!hzi6bW4J7;;7zA)VA8!y^; zT&Md+{#mYwWvcv>&Q-e9-l^?l6Fl$G@!{_hJ#&LCd8gg;c>Z^~e0A;kd|4t~S)rAe ztA5XxZOdc*wfpu3sAbwWY`M^JyzIuI>ksb!nl&%fl6}Iruk}aUqw|?nI6mn#Ze8B8 z_@3qQU0oA@YQ=Q5SoCIf_m)XD)&-W#J-<`-duF9;^ylU4HQX-paLv2-gzG1>xmmN% zzu&)pFSl4_;(PMz!VP|`+TR{GMLcf~3)|)zKXqUDjhR=^lm!(X2v)w{bLqB}qUr7> z&)-ge|8fi03^lopzt=3E`TeK>(*Yi%jHb4E$Lvd%PUrk+rK6P6exXI!L@9mkhZh$F z>yrK24ze&9x2qnF30U{*?aKr2CuAQ#yPt`fk%4h>utA`KEHLfL^0A1qh#a5r%XiZG zx#?5+Gg}mceokATw)mQXJV;uZMZ!R=0lNZzkOE;w#{Vp=2FySTIoSd82Qb+&GBo$H zyW}0;8*}N^g7tF(?x~)=`MzbrrOMf9!3q23J@DVpt2H6)n$n+hFG@Z?UiWy`?MEK0 zS439t4t_o(ApN(5a>|aW4ZeB5ImNR-+J4n~B~+_+J7_s)^ZQ_nGe5iqHuot%Z=M=d zWVbKmX`W@G7k|#7iC#OVu;gXd#agNOe5_8}7b7u$jn&bqYDSyq8W<*+>Buta*w^M& zwuS7nk1(F>dT&L?Vry%ztlNe$5lSa+-jEWU!|n3I^ZVwVs~>*2#js*UzFx!Oz=b{+ zXUOt@xK!X~ExqjNwBCQ_eL4Ssuh{P)u6&oNYt?cg>BMyr^9t^VhVQjGC#c$I`QPKb z;*`3ydrO+s#CxX{obQ>dVp!SY`R{_$*-5{b&s(1SdXN1g(c*x-T!{^0?2F!iIvw=v z)XlSR&Df8pe*aYLGW);u`&Q9?U!N4r`{=u_b??$oGqcZVzl!-{9zFldkC6R>e|SIG z{FkbJv-Gd9Dr;EaCD8{9{H|NQ$T0X8wAA7>M(63w>Ve<*AHW5+p$*JrO~tD1D_kXezG|CS$oy+zB6pHx~t XtaWD3^^ZBU^vxq~vrGSH&piPEahPR` literal 0 HcmV?d00001 diff --git a/secureboot/keys/KEK.crt b/secureboot/keys/KEK.crt new file mode 100644 index 0000000..d3abbb5 --- /dev/null +++ b/secureboot/keys/KEK.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFUzCCAzugAwIBAgIUIizkvWoJXkZ1dvn+mGJpJqCGYBEwDQYJKoZIhvcNAQEL +BQAwOTE3MDUGA1UEAwwuQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChLZXkg +RXhjaGFuZ2UgS2V5KTAeFw0yNTA1MjgxMTI3MjZaFw0zNTA1MjYxMTI3MjZaMDkx +NzA1BgNVBAMMLkFNSU5BIEJhbmsgQUcgLSBTZWN1cmUgQm9vdCAoS2V5IEV4Y2hh +bmdlIEtleSkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3Pw3HTbcq +JhesqI1hk1fLtH7QvWjetVWBcy75FaOu+qXVG8pQqQXyzbccRZt9wXswdWc6dmaB +8iGRHxWqzDhlXsXbwuJ3g8Efu6L9aaBtKfDP/ENSnROsswfOg3oAK7pe8366va3h +JHwBwH/qhcvT/eZf6nw63lF2W4Btxe5JlQnj420lmskjWzdhDwI1VjGd1oTUV08q +HaCmU5CmBcJoPwR87m+y6a42AB6mY4vl/IfIUOy3rB5eoQ+dLoI5+5f0Fg3ybK8c +7zSi9FFIwokf296nZsHimM6WTjFokh8LCNiZGMQ0t4maSnXoMbFNXxWBxyyL2G/N +ClimJQ+SznlEfdx9jgYRz0CI8P2kLjcwtG7LR24M/4lE9UWI89MYVyMghQ0Kf7y0 +tqddTyuOvlAmaT+AtNCIx3bYwtfg3fqanlU5B5D29X/Fh1tvAyQI8iyBtaeEo945 +x7qKkfkqXIqEOI1qi412GoF+UXSdz7kd92l5RVvzp68oRtEMCp7e5Ar5Azc2g0z+ ++/r7pziqNE3J9aGwTgUr9uOCWOeDVla2RV+VvlfYmdXMdlJywFMj14zS2xohNbuk +5+2X7+m0CpgmHrH7rKeZ98UQAsAMMmiChp7GP3SllwnxOiwiZIfQhBM0Imet8OjQ +EX5jTobBBAAzhyXFXFCu+u3pwO+Qa8fNvwIDAQABo1MwUTAdBgNVHQ4EFgQUx5D6 +TZLPnWeVD2mEIVL5lq9mo9YwHwYDVR0jBBgwFoAUx5D6TZLPnWeVD2mEIVL5lq9m +o9YwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAg40HRG7HvVzS +6qCvnFDeJc3Z74Sg0nmbZlNgvp7gT78NKpBW1iL8zuh08+Ou45rb4kgF1BSru1Pn +mFBn+xgjZLiVgE1u+wkXa/E99SrqEn0m21KnCYPvUzjM+EsQs44j54OVUnI+vlTl +bjlhSg9swpFKuJQEbml+XTokTPF7Zr5cGJ+sOsWVJjKznTAxYDYsHQIsP31ueYZU +uj9YM5NF3qiIozs7CmrbMVxYIsjZ2BoRnAtE6En3s7mr4fDaAKioby6Aw1GhTNGY +HQ/w0nBGOxum5ZaN/jeObP/7qL9IFyPdAoqqpxIbYa5YnnDfVVe9PM4RJY45/0jP +IZR+Zt6kgiYXjZRwz4ydJDF5hEn+0ELNkvunnqdj67w/ohVzUG5tGLAWB6Lv8stS +5srZze02B8dl9/JzRJv/G++FFb715HCe8U2uhb2l8plrzCvqXPQ3W5/0+FS/EfwN +8Dz/Gnvspf0TJQVWUdIV4KBO1zroaDD2Ursw+zkG7CdGZqWQB5rOTs2+hkGMhtlg +CZQLd7pLJC64RommV7GUkCK0xnYMvoJUuX7MHHDBGetAkF1dgsQNaK3Z3LpBJinS +6Eh2GsO9dwWAUV/En/SjP8cGFHoVaz2/wmqv40GcMdebrQZ6ktLCNnIaT7T4Do1y +pjPkeTnhfUMHbU9cwqXs4gs20v+bncg= +-----END CERTIFICATE----- 
diff --git a/secureboot/keys/KEK.esl b/secureboot/keys/KEK.esl new file mode 100644 index 0000000000000000000000000000000000000000..8e188dc143bc1b28b3bd1f03d612cd5265c83c00 GIT binary patch literal 1411 zcmZ1&d0^?2Da*aux2_hA(f&}>%*p@;=|K8ITCKS6eg~iKKe9W&p4E0VXkraEXkxZr zz|6$R#3Z7m^JH%pXPjGU+0TD7k}}m6v?T}{@Un4gwRyCC=VfH%W@Rw2G&DCbWn&Iy zVdl|u^!4;}RB%en%T{o7SI|`mPE9T?N>y;m&o5EX@J_8%aIHwrNX$!5RRD4{4dldm zjZ6(pjVufejm(YAqQrTPL0mH^mlC6!n3Rwm%E-#V+{DDsV9>_qgwN zEj95qD|!HEcwDFZM*dl@h-Iq$ zlg?GT)ZVG>V-q~@(DC8#5{a zwOI6Kb@!G@HP!`|%sszT_IqZfYxL*k>owdi@^H<&_k`;wv$%t9wtlHlmH$^;e4h!4n8b5Vk_>GxY&y)of9SByw-gD`;l%nbGCC}eZfB$j|*9u*hDFP?S~f^1nZLh+77ZX7`Lk) zjR{!y>+Q<}?@XL47`MK#+`7>J-gMLn1 zpSJj#fjmfBnMJ}ttO2_MevkrTM#ldvtOm?L3OU&U^9L~5F)}pwvb*FR-y3u3)q?eN z0`94vz4^Xn!KKRCX~7Bm<~{J=&#N^d?3&V_b1zChKVJ8E*6l|gtXD)k=b~|V}XY>1Di!(pG1vd97KX0BIRAjd=_=NcF$nCZwe>DbriRknrfvX3yH?0RoS z$6{-1uB_XJF%e29Zr+d*oWt$%!t?v)ovR;yxW%wyMZR9c;lPDH7iY-wf4EfOW-Yz! z>9pQ|=6yN;f3Mi@A+CIvscY48A?d_*5%UV}hlcO9IVY&vXZhdbyyBF)w0ldM)WmzI z6rAswt72H$;`#4_)7eSCm(N?C{Cbc5BGKZ2yj+P5V(g3Fe>xrX?9|P(Z_U_`r+)ub z>@xem^!rxPeP5px%=_rOu66IyPcyU6Xupd2VjeyJ%a4%#f`52F*!-8OezWwiuqta< z;3d%q3;eEIy~r^57PQ;ow(0m&9F%DhSz7WWviNW>5y5Gl>e3=e7!}>jGt6mKCE?S&-ITvwDip* MZnI1OXU{zW0MAEv82|tP literal 0 HcmV?d00001 
diff --git a/secureboot/keys/PK.bin b/secureboot/keys/PK.bin new file mode 100644 index 0000000000000000000000000000000000000000..f4fd037b11f7c546124b2393e5ff3c0d4b98ce46 GIT binary patch literal 3479 zcmeH}doPpfC`CLomVuLYhhV zq-7+4019dF!x$Re7DI#L3ZWnXf|4ZNZuS*0jiR6H5#g%1v=M8`@%Sn6*B(HaFJXwq zVXy*FR~S@8)6Cx5!3=Hg9YR8zS)p~%E`G#_a6hzpXeb%2?ilP%_74p|jkfiR*1+tL zM(P`44E2q%SbZaX!{gFO+|P9PU+LeKrGZMn9*}=WC=C>aU})eLkOl&f#)^E{x7{Y} zXW6k86lH6V!Hi4swE+xVkwFBF&hZvs=#+pG6)u=;H?2Tz1pPG)Z2Pymb^&(!byOehwD< zW9w6nS4K}EV%9gph=tHuQ_CIiyJICeHKV~2-1pJ3x+fS(rN7+9!rjMZTlH5Hk^5T8 z{R%EjIYzI1&5(wqkp=S|VoDWGMc}dVGd$!aoT#ywSAX1VRyiSTdfz8D5CX z&9R}hw&^ro`)qL|VUX82l#=IiV-A|Mtt}k(EFio%LP)lflK7tN_VM=ixF@=^{?P>( zuT(r0pNZJ*6L>g1GcBN(e1CUPPNkA@#-Slc+g?NZ=#hM;$7XBr;FPPm)ZukYaW~(P z1s~z3wk(v&l9$igB&(ejzKba>JiSUXZ|o)s_4%(1`VE~64|@Qs^YRPc`F7p?!h>t) z?G!on^~0-A#R3oHL?E$GzPCDzJnH>1+~ojHoqaVuT&moWBmZr9-^QB{$AE|X%3|yo zpeWNnEal8D`e{wF_JC(dJib2>?&0|-q^rpd8EnR2F0s;?`Pea zVBK@>FskVr`mpTMp+Wh>`0Tn(eTB*}X+ZzU*V7PYu6)`!2M0m{2vF>Tal$C@dsbm9 z3VGc~{aGLZ0Glv42Fee=wjKXn z@Y@c6xI|guK!MV7Mu)T19$MCyli9ixl01*qHVH6{=rJE-rfh~)XH3x5*UwhnUb>lJ zaNc>B4Lb=DR=t>T_5L`D{QbqGq$=y1Vdtkuts(gp-l%!Pj5rTpD>FE6(zN(!hgxcG zwmDLcwEdO58c!h}8l7y%wr9v!6gA7y%MhqTE;@9d=zaFcEYBCz!0quoT`ew-S@j{F z&`ta5*0ZXn;W_7^aX@jSkTyFun(+$X{5h4`*lm87G20$*ubkO`F&`D$Qlao^LzJO! zn$}nH4SMH-I{cknq}~fzgB65WSia1?wxuIU^{E{y`F*14$q=~p_kJw`^-@OT10heX z^)ya#g0`~(b>e(6@OE`(&4d@Np3-ul8o3^1wUBs<>J5CoWlLf^MXg?)5S#MH(pEmc zoy;4mydxEw`~==Op}w+eQ8O0O{!UKT;K-`bu6Bd#>rONoE|H}umFwQ{QeC?B>W^NAF?S=acTZ_~zS64`mYCG4Bi^j4x&~ z;!7tMM)0%My_1QHqyG@R{n~I&swPoMpu4O%z#-~lbu&t$q%MdsD-j`nt-1k%7}C;J zQ3z~)kY7iWr;QJyUWfWJ9@8`ScJ^L$ zKK*Ke~q9jo}PDW-alZ^t$Rd;<70s_ zJV|${mx9SlMjadUld)^b1?z_r9$(KWnHIooJcPGRM!qygcvo=F%2#q(Mb9(*}Afoc!nrr+7S?23vV$PmRS@cg*_u>oFU)xN$I-yyY?Z);(N7;nHj=dGoVxb<2F)g_qZgs z>{@g7lLB&l* z(dHcO?q<5JSW}y^yP5>kon87NuiPfNu}bQM)_iyj{NKL>FMjOzr%2nko7$ysD6kfv XYnlDF{ol6#+xCCk{%_m=zu5ktNYef& literal 0 HcmV?d00001 
diff --git a/secureboot/keys/PK.cer b/secureboot/keys/PK.cer new file mode 100644 index 0000000000000000000000000000000000000000..eb21d31b2679cb469ac13e6562a987d144f5bc3b GIT binary patch literal 1359 zcmXqLV)Zs?Vm4mD%*4pVB$BOn`oMIiu3DqX(WRk^-~QCN-j6omW#iOp^Jx3d%gD&h z%3xq>Xl!7}#vIDR%%kP#>*?pH;FOq`t>EacpsNs^np|3xs^FBLU!tH9kds)FmS2>s z;GJ5jX&@)gYh-F*YGh$(Xk>0=8YRwa4C0zWx#Sw##H57mKt@&u<|Zb727@LhE~X|X zMux2`rm}oCvpH~bV$F(LPu&GOT7r)lXPnK>D9cD!ZH!*{{o-z?$8WAbxcc_Y`?>03 zdzLQBTy}1Id0&su1_{+(uWlSRWMGksT&{*t>U=ig^}O^Yxx z*d{VTWK|gZk_&d8dnXwh{^L7wKfdS80`@m4rRF=?b$_W(esF%1yU4TGnmajcp9ict zlf&CE=aSG)5r#tuWEK*x2&i(3V zw$s+r*_`Loeq2kvQC?KAk7a#)YL5J!-;vGxW>xtp-rum{=FbxX8TOM(c@2+#+3k1x z(7As%kNYt_E57pT=2GRulVm>MwEc7aNjT#{+hx^0bD8)TrWJG)s?EvOD$%(dmse)V z$Z7ZR^smzg{+{?5!vAREYE_@V_byM9;kDVkMRBIp-u_LGcJ2x~Y`*sVjVIrO4{O$* zvMB!TwPA(I&FsrYM?dB=ESxOU_29lS6Eh`{LE3-%#h&5nWzzq*J4S}!3U^~B zwx!GG9u5+W$y#H=0xhsd*h} zV=q|qwQ=U&2Vx~(Ew!XamaTgmhBpKxcW(b z!s(`u5odm?YsS6v)3jIov!LnCy}LbEJhs2=T)6eL)8@Hv_SgF=_g(0nDwe-vh3tzz z{Bw;Qy3Q~8%)F^tgY}_wnf^s7lOOB?1ydzn&EHCmjve-EczbZ-TFx5$4}?A_wx2Xl$J6H`N^ra-(>dhz$S_J$vYKA zCr56LbBSD3r)vCN?Ej1{`@WYO$@4VsXOP)hv7!A#k#gYLJtybies}nsKg-M5NaOnL z8IN2_q65fU2BewS54oEu5D3bJH2dix?e@_n(bo3 zOV(#4yb&%HoV8{P1N#kaJr&uE?fbf1jgJWjg|YW{`n~G#c&>cl;{EKE_x7vvv$M-O T+@7POucKhUT}DlJ>0xOA)Rb9J literal 0 HcmV?d00001 diff --git a/secureboot/keys/PK.crt b/secureboot/keys/PK.crt new file mode 100644 index 0000000..c1f1935 --- /dev/null +++ b/secureboot/keys/PK.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFSzCCAzOgAwIBAgIUay7LwJcCin0yk1t1VSH2/HxF31swDQYJKoZIhvcNAQEL +BQAwNTEzMDEGA1UEAwwqQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChQbGF0 +Zm9ybSBLZXkpMB4XDTI1MDUyODExMjcyNVoXDTM1MDUyNjExMjcyNVowNTEzMDEG +A1UEAwwqQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChQbGF0Zm9ybSBLZXkp +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtaiVBPM2PMDJkXyofUkt +oLiEU8QzaM1raHZoZyWBW6H30btC4+zX4NXtzO+dJxa8paJpps6TFhvyU4B8f9r3 +LGAnHl7W32qhM6/uKWOCOICSNi9FSI903TTP72pKllgyMLYUkBSqVgek0D5JvZIx +Mf4OyN9fjMygB+xkdTe5By36J5Pgz7JHFObrKbkIPedQrMxsDYCc0hK5M70zkUfQ +rGMNPbinZZiD5lB5+H5pY++FZEwgobsxziu4desnGH1mV8xi2Upy6Aa01ypL/wFv +B8pFncjX2fJ+k5JKfbu8Lbaa6UOegdb9tdiIlFOe7gOGErxyBMlncqN1CRqpfYTj +dFjnsRl+xS7sZnmYMF+JSIBIjgc2YmhPi46KZ850vTZqkqkiOIxG2FBLzjWc3VSV +oVv/u2zW5lVCFU/7RRFYZG7yYgvIS7kWJPZfYvrlub+5ciahFwvq+WtCtctrCc9m ++NZl2HdycL4Er19lbB/c+1mDvpp6TCHfsLDZ+cgQaD+SdQ0xxfS7TtvCzv7Zx04C +5nPU6tmlI8OSHPPZPfzX5FcBwT2me0ydAg+hZnCIcSacbSp0LNNebnY5AQk+4cv6 +y8D9yPlUD+KRqyVM/d7TlhwNPLO0IZk6vY+y4rm6UsM3rc/Y5PdTwyl9yjhz+0qw +qCTZa9MyxfFtAKGTHIrg3zMCAwEAAaNTMFEwHQYDVR0OBBYEFBetIyBtkdXTNA3v +ohI4lDAErDwRMB8GA1UdIwQYMBaAFBetIyBtkdXTNA3vohI4lDAErDwRMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFN4RzMCBqWnncNSFTmCj+1d +kS7iFP1b+bwTAnBjW/B7QSNBMSid4pwo+3OrsfafgTR6UiZKwIYHcKz1gZm94BZ0 +9NHlFCW58zXG6MK7bpWoYRbwYOsR/UiuGNbwPLb1wh4niZORQg0baxnUHCf9HX8D +eYdMwE2dHKiitxucpgcWRlMtnGJ5PU0Nj17RgGgZf/0uK+8zoavkf2DLgvFYzPkn +KV7uTik/Ifygguze3YzUSLfpiaG1y0Kzney/f00jjtCNlRZvuKgd6PwPnTJAis+k +8wOygygF4Rt2L9EaNPgHEHCVGLq89lSGsInDJJXPD4uHAAVJ9NArYICQjLW+CV4r ++4rfo4EsUjSA4nqjAdz56/o8/XkoiLg/rA37akfyhGmAYQHxqktrwFF4+ZniEOZm +MYL459zllNipshVvh8UFteIo+PlDrd5uv+EbGjRU+QkmvzSb+1GCGO9juSEVk1m1 +XkRZon4lM/cW/5i0vvd3Mh8Mgb8AHLl4sIfwciNRrbzJn9vuw85PBOldWTN/t7Ei +wRiBvzDhNQCd7UEYEfZc8ttI7KzO5YT13TsIsdU17hWthCIGy6ajZ054jay3FhOk +r2pg7BN1EZqstAAH2CsuJB1ot76KRTPGE1JWB4+JTuqISOcjwNHfa6nevycPBwcd +QNucLC8sID+3HCYtpcMb +-----END CERTIFICATE----- 
diff --git a/secureboot/keys/PK.esl b/secureboot/keys/PK.esl new file mode 100644 index 0000000000000000000000000000000000000000..d1df6d76392087969886ee021116b1698ecb3b85 GIT binary patch literal 1403 zcmZ1&d0^?2Da*aux2_hA(f&|W&B_1<@j&`QTCKS6eg~iKKe9W&p4E0VXkzs?Xks>A zz|6$R#3Yifcly9|rmk9}$_A3V2IeLveg=akCN8EXCPs#>E2gr1HnTZ! za$?PjT2I{tJ6eK|7-yW#&M3=BS8a@5`2FH;r^j!uKe+n#%=@|OVtbY@%3OACvY7Oz z;D(y|Ti!)ZPkwNIle@^X*P1&yY@Y|LIg`WNFz1rcPUF4C z6WuSYN#?cPu{?D~^Rs};A9b0@?^{!R6c+9_Jg2>*^tHM~ZCd!5q?=wvFW9zR*Yf_) zn9qL7b?%AlH$T-)p5#@#dynq6SudUEHD3F>^+v~(;Cb(u+l2NMv7AgVT3pI0wX(M5 zaY@AUjgoao_1>ga&M=7Y^l0$tV>e66@bB*HNBe%bAJ`_Q?6H;?-gH1A!;@q_-?aU6{Yg0ELEB~3K69D)7p4_-6spb1)hf}s9G6#S$;fH<@bs_K2mYS; z8N&Z);%Zf&zxOUrli{`5yhU-Q)!zP1k9O_~I&8l7{Ea8ygAZ%gp0X(Z?X_Wr%FXP{ zMn^y9GAx`d)AiuKF%vT*1LNXggFpjWV49WXV-aH!5nrpUkUR0}WfR`_i-atu7_h9d z5j2noNh`BR7>G4sSHKTaAk4`4pM}+c8Au@~J7B&5CObxk;0kwRCbp%^=N=9cwQTBt z8#__&k;vcZpL>Lv3X-EgR68m=8fwgaG)Loi@#>A=<~N#D1*v%*Xk#x}^R;p2-UnhO zUoJisQQi63^w^6-yYr^5NEG{!@LKS%$2y5?A8fXLJtU{zIeDTJuXMKL6&dxvvh~cB z?LG&5=gO>Dv|W16GIlYyVBI-MmA1aT{c#r?G9>H&>S@0>Uby;6eZuLcj}d2ns%yr* z^V76f{Ij6x&Aq!lS3I`A>|D6@wA1FfZ}!*wD)(LJohp{UV}ae+C3-d-+p)aoIlIU*hu60?HiR2N;K{_cxcKn z_pPIZ;J27hw>{phIrp^X>s@P(jaN_dWMr&U>GKe$VebzvuTn&pF@cdp>huCP8)>jNzYypXG1{ zT;U|s%MHfd7WLzvD25`fohfiUcozr&Ah_TVW>$Nm9>5vI2m~-Oz}cBuWr%vj4F~`X z$iXvV;dmwt91l{>0RaI(;4!gNQ}rIKS9ER$Z0%<_x=ZB{?YV!p_878vh^CK^zsN~L=U@@-ASX8moU60QVImDb z!3U8)3qLEbj6ldE<&`e+K@@(bO24Onr!^iZ_Q#7Jz7>QAaxuX1KsF#A2wu~c#AfZY4b>5zPj<@u3_wEG?GEYebxQlR$LALhF_dB)qrQ;GIfX1-- zsQ0~lzh0dWQ5iK4unqTaUDQuwot*TR%zP(qi*(=up0!4h`y>0XrZPe~g_z_*re-${ z#*jsy7jtDw3?~Ym;-`0`X=V%6B`2=ra*^fmsGa+3ypUC|a=|6Vyft&Z=2+q3QHo2` zL`GM-3BoN^n4M+t0e_2Pb!?`=%~`~A*)pU~Jl`pyJlJSG0&L`vcf%92-)i_5+-F@; zIVE;2x+juHQOvb;dA5i9j*|(oiIG7eTC&y7tZe(+T;o!*XIp0j5CmWVG9GJ7-ZoC{CcCC_xkrjxY^9gGemDV&V`3f=|VXt&b2zW{( z6c-M=t!0d9Kli z3?Z&%y04BZtZ+I#aUYrFb+A*^pvNaZ0*ouB9ECZQ*<|~USz+tXb#Y53p$_!AMM-yD zMjzv)_!3FJ-3ep~L~x}3evf8n>JBBF;`FsnBM*AR4Cl@Nj2E1@wEEuS*Y=^#Z%W`c 
z=Z)1HT3H9Mr6?$Meabg`#kef0zF_r%XNT;(-5S#N(b}eE1NSau`P_lP?S+Cp9!Vx^ zb2{`(j>&+^tQ-7?#cTKuih1D|9hZV+aAucDCzXg!AP(8HlGp=l4JG7W>BJUdpOccs zD&GchQ1O;EcRB=pn~r}ypM3c;z6Ih|I`p{~EhSB#)e8`KQy<6_Zhp1p(OSMn8}qSS zP*1gnW{>ho^h3lzRw?tXRC=?LpMYuQCTF5wp~6%!YCQA;*xS^uxnN;}U5S2>MW!L} zz>q`h2|D!PL&g37j`{B$`H!al2ZKKJJw`l`!Pxv+F8ZaK-`ndDt6VqF#`P|)SI%h> zIA>bGy9iA7l;Z@KWe&oS7I@sk$$~eerb|&{2{y*4;k27p{L!FE^R>vlxYt&9EW?6b zVRLe4NoBj1w7MM|&oA!59t6Ifa8K8RzCGRz1M#ura;jt-!yuZsbNY>gTf^z9Y1fa$ zd_<}6H?`!I!OZ4jCzwsxA`mxpY5rbZAWx{w)zs{9Zs?ik+bZsl)}hC>0(;=M=SR+Y z0>WNL{Q5&PjUR@&@cG(9Oj@U^c|lW;;?N8+agDPxDtUr*na})M-6ac)G&OlszxY8! z%x9Lk=U#$L`O~I={0~UhrS3OIJ;WSNqmZ`=v$EAvr>S>C{e#>xw;*19(F?ZwERlHB zNz^CKyT)%;cbQnz8aSI*zmTuZv{3>QD+)vW=%9mluUm3nRc&?~Ch<>O-WQjsFVylh zO1l}$`;LkBlw$hQ4TszHJL72}doTB5W5E=OVh~;R6ly2C?01*xH)6PP7<*ho`HUOR z8^!Mm)vR~Qq7M<^>LCK?{*C}bJ6I>6vfZXnx{rTRaRs77wT=2O76;crsKHf#LjcA9 zhyWOOSDb_YPbAQC@ON-@xbc@Dfc!HEATRy>1O6KhylxSojSwUjoN(_&j?`(vun!03 z`0I~#>FJ1fdjZ(ptM_{8It>G2<*=zbJ;Sx^mUu9X?tF%tVV-OrBj!sJs=ohulJr4Dq%9xGqRka5%EQelWQ*(^1}&JU@xxIi2C$PUSdiID&1nc3qCL0`FFa z^z|EP8@j%lq>JhEB)#Z)c|Lg$|DGJUR7gcC;kaW7`7`bK5G)slu3{AY1`vBTA!>KV zeXwgRbZN0Vtl{kV!1<<-$7l~K49U@1Qd~ZpAnVf!muz1dbTH5!l zvmsfWPVKyWL4NpsT$bd$hu9}~%RHXtpMytGYDwKK@tbJU6URD%6QmM#QlwEhbWb1u zX7XKj)wiH&QaqFL1nVqE9MI_Cn{e-6;ecT+Po70tjV^g3a{Y|M7RdLsVey}E;4cgQ z7aTa9;)N`|y%%|==!%2z6gHG0rr7>86kF-&E2?81Cx(sUj#EgJZG1bAth@2TEE{JW zJzjkvs?8G%Ruv^p>WOnu5XMq5^FFv#qvWb^e?N)B{04JdtR#!_4^`3jm~2jYIdrMM zK5hYaoIVyA#7FEmzc4mJ2;AE~fds~~2ehW8@N{ZodO5|;I9c!QR-z(4F0MHuG)dI` z>v1*-{2jT)W7CQ{P@U&7 zmm@{knW>4nJ>mUqlEl<55BvB8t?)Idm*WcGB@jGr_*P)5$!@&O7Mt`^Ln=Bv`g0!` z#@;AcYS=Lo{)4SbJLwZk?~04wjQdkJ++u=pmdhyGN($;LG@&jgpq|B$vzMcwO%-tO2bhq#c1>rzLmBQ;p%9xB?U z-P6m6wuGmg6KGoQi&100%)K8Fd+|InJ2g5NmDfdira7@4!c2@2a!dHU7fJ=m+xuBQ zwNyiJ1bzA@HfUL)yMuYwekEt6(g(h&+<$&YWR4OQKUM9PGUIqpIJCGO)A8XSoPG&g literal 0 HcmV?d00001 
diff --git a/secureboot/keys/db.cer b/secureboot/keys/db.cer new file mode 100644 index 0000000000000000000000000000000000000000..dc6f0cdef69be9b3204d53fc34b302dd636d1438 GIT binary patch literal 1379 zcmXqLVvRRwVs>A^%*4pVBqIAeJekQN=12at{E`)`HXEL?KEBU@myJ`a&768*?ZNGmnX*ucx1*f>UB%wt}O(g04bvYI12&s)AE~eu;ucaAta5VhM=v zl30?Mlvtdq;GJ5jX&@)gYh-F*YGh$(Xk>0=9wp9e4C0zWxs+Sb#H57mXhv2B<|Zb7 z27@LhE~X|XMuy!-q)yyzR(X@0cUnPUkBfBpoa-+o_KKYIa8o{?!^oYv{qN;VZu_q* zt(ShX$HV)}yd&N0(w9>8_ss~L5ZIwqa6)$b^gH+FruDr^n)1^p=fi?&vy27hm`k)i zOlX!kc;dU4VSfGGkInUMkIHJg&-%~Z>a;{_Q}gD82Mh+T|V z#HX#9X*+Gz>a{FlrmKu30+W4mn;+lRczB!F>RL9(0=od|^9P%`!ermBGKsX>=QZW% zeD|kMJ+^Q0-Xin(c6L^BY9;RtmYW7CYG>q5lMJ#l!pGwI-|!5xm-eMnR~rpi1+>9~U)pyz*4gOx>8{zTljnr5>|d9)VX=)tfL{`G7+{P^U&t#2!yPU&W~c*OaFr;Eww|6BRXOw5c7jEjQ}0u5w==~$MJMT|wn zdzbK{pmjUl=YDVbs-O6ixj@%@m4Q4+TA4+{K&%0~0)CJJVMfOPEUX61Kngk80rLtl z*)cNcPRuc1Tm831e??rP{FCrnhK^MUx}xD*k_r^v!n%~gTLrs}r)nQK_R4%u@uq-z zdA{urxBpjk74BrWR-E$KLz!o}p|4uUtNgr4J`=V!loY8fTf9FoI$V{*;+wVNsg8Mk zMtY8GJw5Z@NK0P2-%=sob}i8P{@v#CzrWDzrwDFo|3#hzjiE8yi``bnQ@)j+RTm1FF5p{DCPTpxk7%<(X>ku-){Hc z6_|MUw?Rpi<)29}Ua$*Yyx1ME=lb3k?2$9pKVj-?KSd>xqL+@)Hh!f zc5F#2l;HUhy6^h-MOiNws5Sq7zO$qHQSOGvQ&>+KNnc&*X#Be3GEba%6th9s?W*!g zet)_nesXEP-#^K*q5aMkc4_VdGHbohJa72Mwbixn7RTj}X&%orS7+qC>+zkPcF!?X zO|(Gvk)4v1>x=`ZZnX=1@sK zbZ+?ur$@hP*xEW|GkWg)t=-3Llu#71I>gqHr{dOIr5hoe-G2vfI2E_x&&mJ>#X$N(TCKS6eg~iKKe9W&p4E0VXkv{wXkvC> zz|6$R#3Um7J3N`mBIZZ_wEU74t2P^+u|B@ffR~L^tIebBJ1-+6H!FjIy`imvH5+p% z3p0<2qpzo*qk>anUbcdxyMnGlaB6aCQL2JdetwC9MsQ|&USbJ|?~+)On3PzYs^Fbk zsc9f5&TC|9U}|JxXlP_^WF95XYYgI=LAjJ$(8Q#K>}W<-2IeLveg=akCN8EXCPs$c zN2E^NZB}`coOfD5V2_J*_?+u6CH9J(^Ker>pTo$Vx&80uOK$tGE3KD)vd6>w%e*7q z?9!J~_4myPoDkTdRB%Fe`}8~a=BD+%Nt*K0C+EY0X|s$4<(NyfK1^tqIC$c_mtlVW z+>g!mZI8-oy3hL0-RiVNYg6;)ga;2xx-K1>_bS`UV;}cq&xl=&SH!2SnQ1$1)#|k@ zVy3H%Bm$Fta+@FD)p&TD*Xmj}#{#GKDhxx!@Mt}=!P12oN zQRa5b-n};_Y?+m0ls)&=V?$xx8L6lC@d$a}4L=^1{-HIL{m+(~E7!bSz0-F*zNF+S z+_&k%Hirp+n@-Oyf4^*>xmliIXY=Ccr@@9Z{qsEY#<}~o@84~& 
z-*5Wxy2HVmC5~D9gvG=A-?b*J3lY59e?~#5ub@iv!Q-dL{=c&c+PC(~hO_%8C|}xl zHrCnb_UW$Ks*~r0uk2r!wPCT1LF4jWQ_dgh{^2-fWzrrgxhZSxrnLApi2n6#I{f(L zysd95o=)jzwRpt&f~Skg=l@&z%S_CS42+9|4FU~hf$3P5k420{#Cwh`*#YwkFxfFO=uXTrUt9gR zMSn$HqWqKaT855Q3A&=;TapSC-NL$*!dnHqjHhZJIQGhXPw}RJd3nC=54ZnUbQSJo zw^p3;*h86TxuLIG$E*CjNj?*{Hk1^pEL*%kFgje7!{VE@;;D{#d`5bXYdt;l-bhPc zy5CYE-gYg}`TpJJ^1r|2%$Yj5%Z^T+D16o__%ff8esb8~KU*vtufF?|WauD=P`p%Dy_s>H+1kvF%P%5#Mh2-xZj6_qRbwl;xjE zFJ7<T7wnNU)<0qDXp7Q1l(;PQ#qBlnin)A6C)77z6LxG#E0o~*5xVdC z_C;AQ7pOJ=e!jD#`cdwN$5U8O8A)GV>1h1A;xbR1coefi*X^qENq&F2BYtvezTZE| zv7!CW6?SRv12Sv9&pdDV#s0b@0QL4qNV6!GC3)kq+kbCbciLTy$>v2B$~AYS`L3 zWHWm1{H@)`Y?M$GvO2`pkf-9-TcsNzo85m0Z#WgV;NzBjgC7>x9DXajT;AIKWP8TM P=Sh?0Yge5LK64QO{?T=9 literal 0 HcmV?d00001 
diff --git a/secureboot/signers/ccc.pgp b/secureboot/signers/ccc.pgp new file mode 100644 index 0000000000000000000000000000000000000000..6b9788d17b748d32a7a651276d0f7725e2f2b804 GIT binary patch literal 5028 zcmajiS2P@8w+7%bL>oP#GfI@v+YrI1QG?Ni=$$Ar5jAS`UZaO75hcnH3<;wf5<>J& z^xjRhlfSL=U!8NaFTSJSRz-UpN$i(UEukI7oi~FI|YtPrenKc$`_t zugQd8(Z4G>71K<8<%hRI`k$h(?Y%lyMGv*McjG35Zo~*J_ymXC7o*B0l%54WrPb-m z*biVOW7#q_?KpnpJ*c zSRfy->%yX5j(9SMzB{R(zU{$Jhe%aQm+EDC@QC%U)xz$rEeswfB@qfdA-6~)zGc*P zBm;6>kg;zu2)*!--Z2A_jLl5Q(1Z<&aQlUy*g^X*cFoIMM^1#dxr%Wf;gJI>6Mon* ztY~@qS_Uq4HYO|LD9dJdUKl+TxD)EA^#18)+$fCPNPhM9_ze#y&A}QnXed~DLX)4D z^kj;9eKP8BfM4!Og64aAKGO8sgc&oIr4sVUAUU^0f`t6yIZ>rP9T>|F9Y`Zy2en-= zk0cm;(;H2JTY~NTBh9~HbuZXOSH-Z^gBD}HD=E-jFt8B1=Rt0cPqn4F_w=qh+k6f0 zL*D2Lplx_E`@qc&$AjbdxwxkEZO8a6Z83$lV9Co8p4A}QV1MxsJ3WQMlS(8!@+RRS zz1YoQcylY`JB#?_MT4(Iq@=GO@F0p?LEwd{kIY*B0qp!T5MR^*8WpZ(PN51N-Au(O zJ)t^Vopa>LYlW06{-Ijlu%-kYER=;J0F*cYoCX$KTU%D1zXQT5^LNTyyE(gCJ9>F| zdkWfmxWQt826*>zhygGfHoWnVeo2Mwmc8E0#NaDPDdd*@0aOQti4dq$D5dMW0+Hs>=>L_i-aQ;=FKU0wcU6>FcY>9aYu7fcDgPedPgSjrOC=2C+cVmXId ziV?&R$vA27AD0v|=7S``BMmSG;Y@IFtl>yv6ZG1#XvwgZMwI~LGkW&@rbGk153D@! 
zn$2W4-!D11i0P=8r#N=ZFL`&gvo^j672to^T#))FP_NbL~eKWy*1i-QkR z;U-rSv`50n`MNT0*4&d_Da>j&>KDzPySyn9YkogZpdPwUx{IC4)aRY2$imKGTos{o zXK5Xv-a~k)Nk6>Jml}VB5(E7jnu$O!eOWs`f+KBdj++T0c%MhDkVw{Hl3om(`1ir7LqRaMhh z^3{0R*{>Rm#T3F#*ClovsY}LAak0f0>+f7Y&TnG{oVQX!cz9toF%RG1NVW!;!Agm| zB-KwobB^(?IQW9?cJG^$hT`&Qw#g2N!dw2u(D+}5w)t(;8r09xd0+?op;dw$O`;*c z2J(YYtq+`5#k#DS$HhCiXl_n*8lM|AgCykO)-x52OzjwCcC?^K_}!Y|fM6RALcjj; z_V@b(h==2Q{p#z*+2S-arvvqCWYrbTO`8t6sMoBG`TWMmGd!UQQ&m{q^nk=slS*T{ zARww^=#w~A8{rqX+eoh|bQQ;RY8HzwvO=141F43#5fM=jvZrFn?VjoxBcTWHdhV_~ zNRE0Ot-f#OsD1Up8?#*y+Y_6l=$4!?eW3Lp%>^b-T-OH!vqP1g(dh?dph&_8UmCt3=A!yTH+U5W^dpF0 z=YhDC?(-QIX%GHYJmSp#XhRNyK= zAOzB;6}kDVr%&q>|Vv~MO>TlZhDnPZ}JcBW?q*I-{#Ebq1+cY+RH{X!jK-aYWyDn{pV%uocvC2sryRV55v#V+c0OM ztoyiTNN@b$S))_GDY+gJA9~yI14Ee)e3s~$(iX9|eSI|F&1Za}@8g8kXTn9l`bNmT zuji0tM7#DFp<*nu5^q#&W)tNaze2N3=qOhks%-I`t zUsR(;!bF6ubcC_x+&dGEx?yJzH5u{l<+QnXb+YKYk-?*@wq64JWD_kcMm)a68uoKr>% zUih_(#oetfVIYw7=V(o`YkOyWL&Ms+&Q8>^ z+NguW@eU;QIfmT~A}^A=c5>(*6+!f&R48Ri*zIUQz)`9T&+hr!1wE5uaOHBJYMB_} z5oUXjJDTa9@a&c{Slmz3Dx(F_1`wM_+T=gGYL&U50OS%2Oaq$D^1p2II7vHx5A!*C zLdc?8SRqGMom1Kwctz+9m{z5T13ffhddTBv!^e`L_aMB|HJnRJwUs8>9?M^KI%Ozg zMKBDJStrq=-J}U#S)stqH!0q1^g?HM^^rvpk@IinZN$i0+GM)h{`3`(BCY=;3z}!m znlL<}jHs0{kwY!Te_0suk+ri&E_e|d!3$>Jy~_Vi)$*YsG3-NzL;Fi zml-U=d#O}rJlZrG?1=g9ED*c@Q)x3>G1uekG=~boQU~0|qm9+;rSfSRf5<@X{a@9t zi5tj8CJgw)+qwQnV&xm*_2BjAQfGxzzi`YgXA?EzlJ6#6FX*&mYpnwrnVkENwt~pe z={k`$QX|hd_1fzq%Y}XvJvxUozXS>D`GMn$athS4&BZQIce-17{pvcntG~cM#A?qp zO(JkVI;E)&OkA+|r&!WsM3I*4bqYuly}_2I@k)7DRWVNgN4QTh3T%thxeX`_Ijz&j znu{(Ue^Y|HybUj7fzTcFmDlMOG+mzrEex9xgpJ<11bJs2|ZAj+RrzEaT4+ff`#1B;U+-CX=kTF_XB^QvC50ajw1 z@{7qGaHV*7{#gmxeGro{1!6pUBcNarW4%@^RC`oFU@LnSyDuDrE{aqP53y5SUp=g5 zAWG?r@r>WQ^Dm_+)eGrt1eaavPp5V>?!|pyWNPdO`Qi{M7VL4CkMim2;}Ra@zVZ6NEzo_S5|KswI0DGomsaxgN%9q0#83 zbT_55kK{NSRv#Lv^0f9z=Bv?@$TH%`86%nt+?WjKJz~}pjv|;UMrkQqt|E0@u^q40P}@Gxdz?c4joIBM$rv??m~b8c z;759#AqT=QwHYZ@qy?e-kQ}r>jxed;kbJX;3&~<4r5n?ezIQ%2V_lb($fdVEPMxbT 
z0l)hb8@*KUCa#_qX`AuW&jx_g>!QvCMkhloP^;#E(Lu+pkW@)e&xYTVb$l14wKdI-;Ii2H`D@4I^GM+{T)N|9<84lBnv|r zh`UwiP3z}XE=CI#4)pTciN#k1E0oc`#-tdWcnx~h4mi)m%lhp?RbAIfM`=miuPxI4 zG?LmjEUUzizw0lxSn~*`BpJ7zQtb@OO)HW)ozPR*-~V2B`1aqNO#bDhYx$*ZJ)XF^ zImT-(flV0y(nIo($%t&MB(GtdUU$q^U7l1WO+C@bUfiG&-=Li^x%mj0kH=C{lJ9nD zho$}ca~fDrSHzMwy8?(lkKKdy7pruR7x>s+lOA<{7428%463Rvkp1PN_M*v5NCI>+bAo zhxF`p>`(ypr^mgu2Xo18`U9D!pOO1XlB)D9v`3w*g}0d@2F`8t9h)~JqQL=SZmrfX zm?Gx@rf@3hkb#jv6ztPbz*$-Lxd3!dMJ>7ao)Ehz=Dn(cUvqJgaz5rc0fVuVESIzA zbGj9Tl_`T?z>CtCII#?rE1!CS<6qFJ!iZ3$UINsbOpatQD_2yXEO{hJese{#b5f92dOSs$ z_5*HQhjP@kcH5e{dO%o?%4sgNmd~@lJ`+%nzYQbJZn+zVOh&iFPvHgDCZH7M1LrK! z3lYe9dpM19r^NgUgtfy-ED21j#ZdB~i~;#oHbS6T{;837hDB0S{g z16Nok7XN;)J)qATwFi3+j8!9*?nyvSF+VXznb1Ra){a1PU;o%M`bDSKcp`4>zov{^dB}036 zR+7ubDH?3=mQt6Y&d2JXO^m8|w3#X7o3065{1a=iiwvnZ6b!W}xVCbGO|AzM`~h}J zep3#-qwo=~N4Ed8y5n*d8C5($B-&Ru3-z7pm3ClpXPUh`J~NvTdta@Ui;$7~A8YGp APXGV_ literal 0 HcmV?d00001 From 3dbe8f24e98beea350590488a84b5945b5daf65d Mon Sep 17 00:00:00 2001 From: Richard Ulrich Date: Thu, 4 Sep 2025 15:17:27 +0200 Subject: [PATCH 2/2] updating libs for the hardware wallets and testing with a Ledger Nano S --- Dockerfile | 17 ++++++++++++----- Makefile | 8 +++++--- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0f5e19a..ac2cc8b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,6 +21,8 @@ ENV VERITY_UUID=12345678-1234-1234-1234-123456789abc RUN apt-get update \ && apt-get -y dist-upgrade \ && apt-get install -y --no-install-recommends \ + autoconf \ + automake \ bash \ build-essential \ coreutils \ @@ -39,11 +41,13 @@ RUN apt-get update \ libcryptsetup-dev \ libengine-pkcs11-openssl \ libsystemd-shared \ + libtool \ locales \ mmdebstrap \ mtools \ opensc-pkcs11 \ openssl \ + pkg-config \ python3-dev \ python3-pip \ python3-pytest \ @@ -129,6 +133,7 @@ RUN mmdebstrap \ openssh-client,\ p7zip-full,\ pcscd,\ + python3-btchip,\ python3-ecdsa,\ python3-hidapi,\ python3-mnemonic,\ 
@@ -167,13 +172,15 @@ RUN mmdebstrap \
 --customize-hook='sync-in resources/skeleton/ /' \
 --customize-hook='sync-in /usr/local/bin/ /usr/local/bin/' \
 --customize-hook='chroot "$1" chown -R satoshi:satoshi /home/satoshi' \
- --customize-hook='pip3 install --no-cache-dir --no-warn-script-location --no-deps --root "$1" \
- bitbox02 \
+ --customize-hook='pip3 install --no-cache-dir --no-warn-script-location --root "$1" \
+ bitbox02==6.3.0 \
 base58 \
+ jade-client==1.0.32 \
 noiseprotocol \
 protobuf==3.20 \
- ledger-bitcoin \
- ckcc-protocol \
+ ledger-bitcoin==0.2.2 \
+ ledgercomm==1.2.1 \
+ ckcc-protocol==0.7.7 \
 keepkey' \
 --customize-hook='chroot "$1" /usr/bin/busybox --install -s' \
 --customize-hook='chroot "$1" systemctl enable NetworkManager' \
@@ -181,7 +188,7 @@ RUN mmdebstrap \
 --customize-hook="download /vmlinuz staging/live/vmlinuz.unsigned" \
 --customize-hook="download /initrd.img staging/live/initrd" \
 --customize-hook='set -e; mkdir -p "$1/etc/udev/rules.d"; for f in 20-hw1.rules 51-coinkite.rules 51-hid-digitalbitbox.rules 51-safe-t.rules 51-trezor.rules 51-usb-keepkey.rules 52-hid-digitalbitbox.rules 53-hid-bitbox02.rules 54-hid-bitbox02.rules 55-usb-jade.rules; do \
- wget -q -P "$1/etc/udev/rules.d" "https://raw.githubusercontent.com/spesmilo/electrum/4.4.5/contrib/udev/$f"; done' \
+ wget -q -P "$1/etc/udev/rules.d" "https://raw.githubusercontent.com/spesmilo/electrum/4.5.8/contrib/udev/$f"; done' \
 --customize-hook='wget -q -O - https://gethstore.blob.core.windows.net/builds/geth-alltools-linux-amd64-1.13.11-8f7eb9cc.tar.gz | tar -C "$1/usr/local/bin" --strip-components=1 -zx' \
 --customize-hook='wget -q -O - https://github.com/wealdtech/ethdo/releases/download/v1.35.2/ethdo-1.35.2-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" -zx' \
 --customize-hook='wget -q -O - https://github.com/ethereum/staking-deposit-cli/releases/download/v2.7.0/staking_deposit-cli-fdab65d-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" --strip-components=2 -zx' \
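Review bot: With `--no-deps` dropped from the `pip3 install` hook, pip now resolves every transitive dependency at build time, and `base58`, `noiseprotocol` and `keepkey` are still unpinned, so the contents of the signed image depend on whatever the package index serves on build day. For an image that talks to hardware wallets I would install from a hash-locked requirements file instead, e.g. `pip3 install --no-cache-dir --no-warn-script-location --require-hashes -r <hash-locked-requirements-file> --root "$1"`, which pins the transitive set as well. The same concern applies to the `wget` of the udev rules in the next hunk: `4.5.8` is a tag, which can be moved, and nothing verifies the downloaded files; a full commit id in the URL plus a `sha256sum -c` against a checked-in list would close that. The `RUN mmdebstrap` instruction starts and ends outside both hunks.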
diff --git a/Makefile b/Makefile index 4441efb..758c5cd 100644 --- a/Makefile +++ b/Makefile @@ -77,24 +77,26 @@ run: run-nosb: bash -c "if [ ! -f ${ISO_FILENAME_NOSB} ]; then make ${ISO_FILENAME_NOSB} ; fi" + $(shell lsusb -d 2c97:1015 | sed -E "s/.*Bus ([0-9]*) Device ([0-9]*).*/sudo chown ${USER}:docker \/dev\/bus\/usb\/\1\/\2/") qemu-system-x86_64 \ -enable-kvm \ -machine q35,smm=on \ -m 2048 \ -object rng-random,filename=/dev/urandom,id=rng0 \ -bios /usr/share/ovmf/OVMF.fd \ + -usb -device usb-host,vendorid=0x2c97,productid=0x1015 \ -cdrom ${ISO_FILENAME_NOSB} -run_yubi: iso +run_yubi: qemu-system-x86_64 -cdrom output/livedeb.iso -m 2048 -bios /usr/share/ovmf/OVMF.fd -M q35 -usb -device usb-host,productid=0x0407,vendorid=0x1050 -usb: ${ISO_FILENAME} +usb: test -b ${USB_DISK} @umount ${USB_DISK}* || : sudo dd bs=4M of=${USB_DISK} if=${ISO_FILENAME} status=progress sync -cd: ${ISO_FILENAME} +cd: wodim -eject -tao ${ISO_FILENAME} clear_docker:
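Review bot: The added `$(shell lsusb -d 2c97:1015 | sed …)` line in `run-nosb` builds a `sudo chown` command by text substitution on lsusb output, so it silently expands to nothing when the device is absent and to a malformed line when more than one device matches, and it leaves the raw USB node owned by `${USER}:docker` for every member of the `docker` group. I would make the IDs a variable, run the lookup as an ordinary guarded recipe line that fails with a message when exactly one device is not found, and chown to the user only, or ship a udev rule for the test host instead of calling sudo from make. Separately, `usb:` and `cd:` lose their `${ISO_FILENAME}` prerequisite, so `sudo dd` and `wodim` can write a stale or missing image; keeping the prerequisite, or adding `test -f ${ISO_FILENAME}` as the first recipe line, avoids that. A comment such as `# pass the Ledger test device (2c97:1015) through to qemu` above the new lines would also explain the hard-coded IDs.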