coreos-base/coreos-sb-keys: Drop unnecessary PK and KEK certificates

These are only needed when you are going to ship DB updates to existing
systems, which we are not going to do. Our EFI variables are only for
testing. End users are expected to use EFI variables provided by their
hosts or hardware vendors. We presumably provided these before because
some PK and KEK does need to be provided, but we can now use the
Microsoft and Red Hat ones provided via Gentoo's edk2 package.

Signed-off-by: James Le Cuirot <[email protected]>

build_library/vm_image_util.sh

@@ -874,8 +874,6 @@ _write_qemu_uefi_secure_conf() {
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --set-pk  "${owner}" /usr/share/sb_keys/PK.crt \
-        --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
         --add-db  "${owner}" /usr/share/sb_keys/DB.crt
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md

@@ -1,7 +1,5 @@
 ## Keys & Certificates
 
-- PK (Platform Key): The Platform Key is the key to the platform.
-- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
 - DB (Signature Database): The signature database is used to validate signed EFI binaries.
 - Shim Certificates: Our set of certificates
 

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild → sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild

@@ -16,10 +16,6 @@ S="${WORKDIR}"
 
 src_install() {
   insinto /usr/share/sb_keys
-  newins "${FILESDIR}/PK.key" PK.key
-  newins "${FILESDIR}/PK.crt" PK.crt
-  newins "${FILESDIR}/KEK.key" KEK.key
-  newins "${FILESDIR}/KEK.crt" KEK.crt
   newins "${FILESDIR}/DB.key" DB.key
   newins "${FILESDIR}/DB.crt" DB.crt