recipes: remove secureboot selftest and images

This no longer works and is not maintained and tested. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2025-07-19 12:59:03 +02:00 · 2024-05-28 11:51:26 +08:00 · 2024-05-28 11:51:26 +08:00 · f222ac31c5
commit f222ac31c5
parent b47467609d
15 changed files with 0 additions and 784 deletions
--- a/classes/uefi-comboapp.bbclass
+++ b/classes/uefi-comboapp.bbclass
@ -1,151 +0,0 @@
 # This class brings a more generic version of the UEFI combo app from refkit to meta-intel.
 # It uses a combo file, containing kernel, initramfs and
 # command line, presented to the BIOS as UEFI application, by prepending
 # it with the efi stub obtained from systemd-boot.
 # Don't add syslinux or build an ISO
 PCBIOS:forcevariable = "0"
 NOISO:forcevariable  = "1"
 # image-live.bbclass will default INITRD_LIVE to the image INITRD_IMAGE creates.
 # We want behavior to be consistent whether or not "live" is in IMAGE_FSTYPES, so
 # we default INITRD_LIVE to the INITRD_IMAGE as well.
 INITRD_IMAGE ?= "core-image-minimal-initramfs"
 INITRD_LIVE ?= " ${@ ('${DEPLOY_DIR_IMAGE}/' + d.getVar('INITRD_IMAGE', expand=True) + '-${MACHINE}.cpio.gz') if d.getVar('INITRD_IMAGE', True) else ''}"
 do_uefiapp[depends] += " \
                         intel-microcode:do_deploy \
                         systemd-boot:do_deploy \
                         virtual/kernel:do_deploy \
                       "
 # INITRD_IMAGE is added to INITRD_LIVE, which we use to create our initrd, so depend on it if it is set
 do_uefiapp[depends] += "${@ '${INITRD_IMAGE}:do_image_complete' if d.getVar('INITRD_IMAGE') else ''}"
 # The image does without traditional bootloader.
 # In its place, instead, it uses a single UEFI executable binary, which is
 # composed by:
 #   - an UEFI stub
 #     The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch
 #     the command line from a separate section of the EFI application, avoiding the need to
 #     rebuild the kernel.
 #   - the kernel
 #   - an initramfs (optional)
 def create_uefiapp(d, uuid=None, app_suffix=''):
    import glob, re
    from subprocess import check_call
    build_dir = d.getVar('B')
    deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')
    image_link_name = d.getVar('IMAGE_LINK_NAME')
    cmdline = '%s/cmdline.txt' % build_dir
    linux = '%s/%s' % (deploy_dir_image, d.getVar('KERNEL_IMAGETYPE'))
    initrd = '%s/initrd' % build_dir
    stub_path = '%s/linux*.efi.stub' % deploy_dir_image
    stub = glob.glob(stub_path)[0]
    m = re.match(r"\S*(ia32|x64)(.efi)\S*", os.path.basename(stub))
    app = "boot%s%s%s" % (m.group(1), app_suffix, m.group(2))
    executable = '%s/%s.%s' % (deploy_dir_image, image_link_name, app)
    if d.getVar('INITRD_LIVE'):
        with open(initrd, 'wb') as dst:
            for cpio in d.getVar('INITRD_LIVE').split():
                with open(cpio, 'rb') as src:
                    dst.write(src.read())
        initrd_cmd = "--add-section .initrd=%s --change-section-vma .initrd=0x3000000 " % initrd
    else:
        initrd_cmd = ""
    root = 'root=PARTUUID=%s' % uuid if uuid else ''
    with open(cmdline, 'w') as f:
        f.write('%s %s' % (d.getVar('APPEND'), root))
    objcopy_cmd = ("objcopy "
        "--add-section .cmdline=%s --change-section-vma .cmdline=0x30000 "
        "--add-section .linux=%s --change-section-vma .linux=0x40000 "
        "%s %s %s") % \
        (cmdline, linux, initrd_cmd, stub, executable)
    check_call(objcopy_cmd, shell=True)
 python create_uefiapps () {
    # We must clean up anything that matches the expected output pattern, to ensure that
    # the next steps do not accidentally use old files.
    import glob
    pattern = d.expand('${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi')
    for old_efi in glob.glob(pattern):
        os.unlink(old_efi)
    uuid = d.getVar('DISK_SIGNATURE_UUID')
    create_uefiapp(d, uuid=uuid)
 }
 # This is intentionally split into different parts. This way, derived
 # classes or images can extend the individual parts. We can also use
 # whatever language (shell script or Python) is more suitable.
 python do_uefiapp() {
    bb.build.exec_func('create_uefiapps', d)
 }
 do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME"
 uefiapp_deploy_at() {
    dest=$1
    for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
        target=`basename $i`
        target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
        cp  --preserve=timestamps -r $i $dest/$target
    done
 }
 fakeroot do_uefiapp_deploy() {
    rm -rf ${IMAGE_ROOTFS}/boot/*
    dest=${IMAGE_ROOTFS}/boot/EFI/BOOT
    mkdir -p $dest
    uefiapp_deploy_at $dest
 }
 do_uefiapp_deploy[depends] += "${PN}:do_uefiapp virtual/fakeroot-native:do_populate_sysroot"
 # This decides when/how we add our tasks to the image
 python () {
    image_fstypes = d.getVar('IMAGE_FSTYPES', True)
    initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True)
    # Don't add any of these tasks to initramfs images
    if initramfs_fstypes not in image_fstypes:
        bb.build.addtask('uefiapp', 'do_image', 'do_rootfs', d)
        bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d)
 }
 SIGN_AFTER ?= "do_uefiapp"
 SIGN_BEFORE ?= "do_uefiapp_deploy"
 SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}"
 SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi"
 inherit uefi-sign
 # Legacy hddimg support below this line
 efi_hddimg_populate() {
    uefiapp_deploy_at "$1"
 }
 build_efi_cfg() {
    # The command line is built into the combo app, so this is a null op
    :
 }
 populate_kernel:append() {
    # The kernel and initrd are built into the app, so we don't need these
    if [ -f $dest/initrd ]; then
        rm $dest/initrd
    fi
    if [ -f $dest/vmlinuz ]; then
        rm $dest/vmlinuz
    fi
 }
 IMAGE_FEATURES[validitems] += "secureboot"
--- a/classes/uefi-sign.bbclass
+++ b/classes/uefi-sign.bbclass
@ -1,50 +0,0 @@
 # By default, sign all .efi binaries in ${B} after compiling and before deploying
 SIGNING_DIR ?= "${B}"
 SIGNING_BINARIES ?= "*.efi"
 SIGN_AFTER ?= "do_compile"
 SIGN_BEFORE ?= "do_deploy"
 python () {
    import os
    import hashlib
    # Ensure that if the signing key or cert change, we rerun the uefiapp process
    if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
        for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
            filename = d.getVar(varname)
            if filename is None:
                bb.fatal('%s is not set.' % varname)
            if not os.path.isfile(filename):
                bb.fatal('%s=%s is not a file.' % (varname, filename))
            with open(filename, 'rb') as f:
                data = f.read()
            hash = hashlib.sha256(data).hexdigest()
            d.setVar('%s_HASH' % varname, hash)
            # Must reparse and thus rehash on file changes.
            bb.parse.mark_dependency(d, filename)
        bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
        # Original binary needs to be regenerated if the hash changes since we overwrite it
        # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
        d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
 }
 do_uefi_sign() {
    if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
        for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
            sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
            sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
            mv $i.signed $i
        done
    fi
 }
 do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
 do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
                          SECURE_BOOT_SIGNING_KEY_HASH  \
                          SIGNING_BINARIES SIGNING_DIR  \
                          SIGN_BEFORE SIGN_AFTER        \
                         "
--- a/conf/include/maintainers.inc
+++ b/conf/include/maintainers.inc
@ -46,10 +46,6 @@ RECIPE_MAINTAINER:pn-openvino-inference-engine = "Anuj Mittal <anuj.mittal@intel
 RECIPE_MAINTAINER:pn-openvino-model-optimizer = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-openvkl = "Naveen Saini <naveen.kumar.saini@intel.com>"
 RECIPE_MAINTAINER:pn-ospray = "Naveen Saini <naveen.kumar.saini@intel.com>"
 RECIPE_MAINTAINER:pn-ovmf-shell-image-enrollkeys = "Naveen Saini <naveen.kumar.saini@intel.com>"
 RECIPE_MAINTAINER:pn-rkcommon = "Naveen Saini <naveen.kumar.saini@intel.com>"
 RECIPE_MAINTAINER:pn-sbsigntool-native = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-secureboot-selftest-image-signed = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-secureboot-selftest-image-unsigned = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-thermald = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-xf86-video-ast = "Anuj Mittal <anuj.mittal@intel.com>"
--- a/lib/oeqa/selftest/cases/secureboot.py
+++ b/lib/oeqa/selftest/cases/secureboot.py
@ -1,176 +0,0 @@
 #!/usr/bin/env python
 # ex:ts=4:sw=4:sts=4:et
 # -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
 #
 # Copyright (c) 2017, Intel Corporation.
 # All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License along
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # AUTHORS
 # Mikko Ylinen <mikko.ylinen@linux.intel.com>
 #
 # Based on meta/lib/oeqa/selftest/* and meta-refkit/lib/oeqa/selftest/*
 """Test cases for secure boot with QEMU running OVMF."""
 import os
 import unittest
 import re
 import glob
 from shutil import rmtree, copy
 from oeqa.core.decorator.depends import OETestDepends
 from oeqa.selftest.case import OESelftestTestCase
 from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars, runqemu
 class SecureBootTests(OESelftestTestCase):
    """Secure Boot test class."""
    ovmf_keys_enrolled = False
    ovmf_qemuparams = ''
    ovmf_dir = ''
    test_image_unsigned = 'secureboot-selftest-image-unsigned'
    test_image_signed = 'secureboot-selftest-image-signed'
    correct_key = 'refkit-db'
    incorrect_key = 'incorrect'
    @classmethod
    def setUpLocal(self):
        if not SecureBootTests.ovmf_keys_enrolled:
            bitbake('ovmf ovmf-shell-image-enrollkeys', output_log=self.logger)
            bb_vars = get_bb_vars(['TMPDIR', 'DEPLOY_DIR_IMAGE'])
            SecureBootTests.ovmf_dir = os.path.join(bb_vars['TMPDIR'], 'oeselftest', 'secureboot', 'ovmf')
            bb.utils.mkdirhier(SecureBootTests.ovmf_dir)
            # Copy (all) OVMF in a temporary location
            for src in glob.glob('%s/ovmf.*' % bb_vars['DEPLOY_DIR_IMAGE']):
                copy(src, SecureBootTests.ovmf_dir)
            SecureBootTests.ovmf_qemuparams = '-drive if=pflash,format=qcow2,file=%s/ovmf.secboot.qcow2' % SecureBootTests.ovmf_dir
            cmd = ("runqemu "
                   "qemuparams='%s' "
                   "ovmf-shell-image-enrollkeys wic intel-corei7-64 "
                   "nographic slirp") % SecureBootTests.ovmf_qemuparams
            print('Running "%s"' % cmd)
            status = runCmd(cmd)
            if not re.search('info: success', status.output, re.M):
                self.fail('Failed to enroll keys. EFI shell log:\n%s' % status.output)
            else:
                # keys enrolled in ovmf.secboot.vars
                SecureBootTests.ovmf_keys_enrolled = True
    @classmethod
    def tearDownLocal(self):
        # Seems this is mandatory between the tests (a signed image is booted
        # when running test_boot_unsigned_image after test_boot_signed_image).
        # bitbake('-c clean %s' % test_image, output_log=self.logger)
        #
        # Whatever the problem was, it no longer seems to be necessary, so
        # we can skip the time-consuming clean + full rebuild (5:04 min instead
        # of 6:55min here).
        pass
    @classmethod
    def tearDownClass(self):
        bitbake('ovmf-shell-image-enrollkeys:do_cleanall', output_log=self.logger)
        rmtree(self.ovmf_dir, ignore_errors=True)
    def secureboot_with_image(self, boot_timeout=300, signing_key=None):
        """Boot the image with UEFI SecureBoot enabled and see the result. """
        config = ""
        if signing_key:
            test_image = self.test_image_signed
            config += 'SECURE_BOOT_SIGNING_KEY = "${THISDIR}/files/%s.key"\n' % signing_key
            config += 'SECURE_BOOT_SIGNING_CERT = "${THISDIR}/files/%s.crt"\n' % signing_key
        else:
            test_image = self.test_image_unsigned
        self.write_config(config)
        bitbake(test_image, output_log=self.logger)
        self.remove_config(config)
        # Some of the cases depend on the timeout to expire. Allow overrides
        # so that we don't have to wait 1000s which is the default.
        overrides = {
            'TEST_QEMUBOOT_TIMEOUT': boot_timeout,
            }
        print('Booting %s' % test_image)
        try:
            with runqemu(test_image, ssh=False,
                          runqemuparams='nographic slirp',
                          qemuparams=self.ovmf_qemuparams,
                          overrides=overrides,
                          image_fstype='wic') as qemu:
                cmd  = 'uname -a'
                status, output = qemu.run_serial(cmd)
                self.assertTrue(status, 'Could not run \'uname -a\' (status=%s):\n%s' % (status, output))
                # if we got this far without a correctly signed image, something went wrong
                if signing_key != self.correct_key:
                    self.fail('The image not give a Security violation when expected. Boot log:\n%s' % output)
        except Exception:
            # Currently runqemu() fails if 'login:' prompt is not seen and it's
            # not possible to login as 'root'. Those conditions aren't met when
            # booting to EFI shell (See [YOCTO #11438]). We catch the failure
            # and parse the boot log to determine the success. Note: the
            # timeout triggers verbose bb.error() but that's normal with some
            # of the test cases.
            workdir = get_bb_var('WORKDIR', test_image)
            bootlog = "%s/testimage/qemu_boot_log" % workdir
            with open(bootlog, "r") as log:
                # This isn't right but all we can do at this point. The right
                # approach would run commands in the EFI shell to determine
                # the BIOS rejects unsigned and/or images signed with keys in
                # dbx key store but that needs changes in oeqa framework.
                output = log.read()
                # PASS if we see a security violation on unsigned or incorrectly signed images, otherwise fail
                if signing_key == self.correct_key:
                    self.fail('Correctly signed image failed to boot. Boot log:\n%s' % output)
                elif not re.search('Security Violation', output):
                    self.fail('The image not give a Security violation when expected. Boot log:\n%s' % output)
    def test_boot_unsigned_image(self):
        """ Boot unsigned image with secureboot enabled in UEFI."""
        self.secureboot_with_image(boot_timeout=120, signing_key=None)
    @OETestDepends(['secureboot.SecureBootTests.test_boot_unsigned_image'])
    def test_boot_incorrectly_signed_image(self):
        """ Boot (correctly) signed image with secureboot enabled in UEFI."""
        self.secureboot_with_image(boot_timeout=120, signing_key=self.incorrect_key)
    @OETestDepends(['secureboot.SecureBootTests.test_boot_incorrectly_signed_image'])
    def test_boot_correctly_signed_image(self):
        """ Boot (correctly) signed image with secureboot enabled in UEFI."""
        self.secureboot_with_image(boot_timeout=150, signing_key=self.correct_key)
--- a/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
+++ b/recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
@ -1,129 +0,0 @@
 From b2099e7184d48a6d05c8713b6fd5dac0e2e70963 Mon Sep 17 00:00:00 2001
 From: Mikko Ylinen <mikko.ylinen@linux.intel.com>
 Date: Wed, 2 Mar 2022 10:55:35 +0800
 Subject: [PATCH] ovmf: RefkitTestCA: TEST UEFI SecureBoot
 This patch adds refkit-db.cer (via xxd -i) in OVMF's db
 signature database when used with EnrollDefaultKeys EFI
 application. It's used for testing purposes only.
 Images signed with refkit-db keys are allowed to boot.
 Upstream-Status: Inappropriate
 Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
 Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
 ---
 OvmfPkg/EnrollDefaultKeys/AuthData.c          | 69 +++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c |  3 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h |  2 +
 3 files changed, 74 insertions(+)
 diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
 index 53ee7f7003..127131cd05 100644
 --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
 +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -395,6 +395,75 @@ CONST UINT8  mMicrosoftUefiCa[] = {
 CONST UINTN  mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
 +CONST UINT8 mRefkitTestCA[] = {
 +  0x30, 0x82, 0x02, 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01,
 +  0x02, 0x02, 0x09, 0x00, 0xd4, 0xf6, 0x48, 0xc2, 0x68, 0x19, 0x91, 0xac,
 +  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
 +  0x0b, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55,
 +  0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64,
 +  0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x30, 0x31,
 +  0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34,
 +  0x32, 0x30, 0x31, 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x30, 0x14, 0x31,
 +  0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65,
 +  0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, 0x62, 0x30, 0x82, 0x01, 0x22, 0x30,
 +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
 +  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
 +  0x82, 0x01, 0x01, 0x00, 0xb4, 0x1c, 0x22, 0xa6, 0x22, 0x01, 0x57, 0xcd,
 +  0xf1, 0x4f, 0xaf, 0x72, 0xe3, 0xd9, 0x01, 0x80, 0x50, 0x55, 0xef, 0x02,
 +  0x5e, 0xeb, 0x99, 0x35, 0xcb, 0x7f, 0x2a, 0x79, 0xff, 0xb5, 0x3e, 0xec,
 +  0x5d, 0x92, 0x06, 0x30, 0x20, 0xe7, 0x95, 0xad, 0xa4, 0x84, 0x2e, 0x3f,
 +  0xfa, 0xd7, 0x46, 0xdd, 0x49, 0xa8, 0xe8, 0xe3, 0x79, 0x49, 0xf6, 0x8f,
 +  0x0b, 0x1d, 0xfe, 0x63, 0xa8, 0xd1, 0x63, 0xa3, 0xd6, 0x0d, 0x4e, 0x6c,
 +  0x66, 0x5c, 0xd6, 0x66, 0x26, 0xd1, 0x26, 0x98, 0xd4, 0x4f, 0x76, 0xc9,
 +  0x65, 0x48, 0x58, 0x13, 0x08, 0x31, 0xbc, 0xe5, 0x47, 0x25, 0x65, 0x95,
 +  0x39, 0x89, 0x5f, 0x02, 0xf1, 0xc5, 0x06, 0x17, 0x58, 0xca, 0x09, 0xfd,
 +  0xf6, 0x1e, 0xc5, 0x97, 0xda, 0xa3, 0x4e, 0x1a, 0x48, 0xbe, 0xcf, 0x96,
 +  0x27, 0x04, 0x4b, 0xb7, 0x6d, 0x67, 0xb6, 0x50, 0x18, 0x04, 0x73, 0x51,
 +  0xd2, 0x6a, 0x2d, 0xdf, 0x3b, 0xab, 0xf2, 0x2d, 0x95, 0xd7, 0xa8, 0xb8,
 +  0xa8, 0x30, 0xa1, 0xab, 0x8b, 0x92, 0x2b, 0x60, 0x3e, 0x3a, 0xe5, 0x86,
 +  0x40, 0x71, 0xc1, 0x3f, 0x2d, 0x2e, 0x90, 0xe7, 0xd6, 0xec, 0xcc, 0xc2,
 +  0x0b, 0x79, 0x83, 0x71, 0x6d, 0xf6, 0xa3, 0xa9, 0x4c, 0xcd, 0x46, 0x81,
 +  0xdc, 0xef, 0xec, 0x51, 0xbe, 0x81, 0x2a, 0xf1, 0x78, 0x73, 0x41, 0xdb,
 +  0x54, 0xce, 0x7c, 0xce, 0xa2, 0xe3, 0x90, 0x4f, 0x45, 0x1a, 0xf9, 0x3d,
 +  0x88, 0xfc, 0x0e, 0xed, 0xd3, 0x69, 0x22, 0x4c, 0xfa, 0x0a, 0x69, 0xd1,
 +  0x48, 0xc0, 0xaa, 0xa9, 0x3a, 0xb3, 0x8f, 0x10, 0x3a, 0x76, 0xa8, 0x0c,
 +  0x7a, 0x3d, 0xd8, 0x79, 0xce, 0x1c, 0x96, 0x62, 0xf4, 0x06, 0xee, 0x47,
 +  0xe8, 0xe0, 0x69, 0x91, 0xae, 0xea, 0x34, 0xcf, 0xda, 0xa8, 0xb4, 0x39,
 +  0x5e, 0xf3, 0x7a, 0xd0, 0x88, 0x48, 0x47, 0x69, 0x02, 0x03, 0x01, 0x00,
 +  0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
 +  0x04, 0x16, 0x04, 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b,
 +  0x1a, 0x9f, 0x46, 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd,
 +  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
 +  0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, 0x1a, 0x9f, 0x46,
 +  0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, 0x30, 0x0c, 0x06,
 +  0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
 +  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
 +  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xd2, 0x84, 0x7c, 0x43,
 +  0x47, 0xca, 0x6b, 0xfd, 0x87, 0x83, 0xd0, 0xef, 0x75, 0xd3, 0x20, 0x52,
 +  0x73, 0x18, 0xaa, 0x32, 0x71, 0xfb, 0xa5, 0xf4, 0xc9, 0x11, 0xa3, 0x68,
 +  0x4d, 0xb7, 0x9d, 0xe6, 0xd9, 0x46, 0x24, 0xdc, 0xc7, 0xc2, 0x3b, 0xf9,
 +  0xb0, 0x98, 0xfc, 0xee, 0x34, 0x6e, 0x10, 0x9b, 0x3d, 0x44, 0x6e, 0x33,
 +  0x09, 0x11, 0xb8, 0x29, 0xd6, 0x2d, 0x06, 0xcf, 0x67, 0x8f, 0x96, 0x85,
 +  0x9d, 0x63, 0x72, 0xbf, 0x64, 0x5f, 0x0d, 0xe3, 0xc9, 0x63, 0x19, 0x71,
 +  0xd4, 0x7d, 0x4c, 0x9c, 0x77, 0x46, 0xda, 0x20, 0x97, 0x6d, 0xbc, 0xdd,
 +  0xc2, 0x1f, 0xf3, 0x40, 0x38, 0x1e, 0xe7, 0xcc, 0x55, 0x05, 0x72, 0xba,
 +  0x24, 0x4f, 0xb3, 0x8a, 0x93, 0x0c, 0x30, 0x60, 0xda, 0x9f, 0x6f, 0x35,
 +  0xf6, 0xfb, 0xb0, 0x1f, 0xb3, 0x00, 0xdd, 0xc4, 0xa6, 0xbc, 0xe2, 0x37,
 +  0xc1, 0xa3, 0xef, 0xd9, 0xa1, 0x86, 0xf9, 0xeb, 0xa4, 0xa5, 0x45, 0x38,
 +  0xff, 0x4e, 0x87, 0x4a, 0x41, 0xcf, 0x6e, 0x69, 0x7e, 0x97, 0xbe, 0x2d,
 +  0x22, 0xbc, 0x8d, 0xa0, 0x1a, 0x21, 0x8f, 0x4b, 0x72, 0x90, 0x01, 0x5c,
 +  0xba, 0xa5, 0x9c, 0x2d, 0xd7, 0x25, 0x24, 0xfc, 0xff, 0x5c, 0x58, 0x14,
 +  0x46, 0x30, 0x09, 0x7c, 0x55, 0x64, 0x83, 0x0b, 0xb9, 0xdf, 0xcf, 0x25,
 +  0xee, 0xec, 0xf7, 0xcb, 0xdb, 0xd1, 0x5b, 0x93, 0x93, 0xc8, 0x8a, 0x10,
 +  0x46, 0xb8, 0xb0, 0x35, 0x1c, 0x6c, 0x0d, 0x8f, 0x03, 0x6a, 0x8f, 0x1b,
 +  0x36, 0x68, 0xf3, 0x53, 0x89, 0x36, 0x5b, 0x21, 0x80, 0xde, 0xe3, 0x92,
 +  0x52, 0x94, 0x97, 0x9d, 0x49, 0x89, 0x7d, 0x3e, 0xde, 0x29, 0x51, 0xba,
 +  0x11, 0xf7, 0xba, 0x01, 0xf7, 0xab, 0xea, 0xc1, 0xa7, 0x2e, 0xa3, 0x4d,
 +  0x65, 0xfd, 0x40, 0x71, 0xf1, 0xe2, 0x3f, 0x6c, 0x28, 0xcb, 0xd3
 +};
 +
 +CONST UINTN mSizeOfRefkitTestCA = sizeof mRefkitTestCA;
 +
 //
 // The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
 // of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
 diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
 index 094e4c821b..0a7eef54dc 100644
 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
 +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -702,6 +702,9 @@ ShellAppMain (
                mMicrosoftUefiCa,
                mSizeOfMicrosoftUefiCa,
                &gMicrosoftVendorGuid,
 +               mRefkitTestCA,
 +               mSizeOfRefkitTestCA,
 +               &gEfiCallerIdGuid,
                NULL
                );
   }
 diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
 index 56da9c71d6..8de1dfe4e0 100644
 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
 +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -133,4 +133,6 @@ extern CONST UINTN  mSizeOfMicrosoftUefiCa;
 extern CONST UINT8  mSha256OfDevNull[];
 extern CONST UINTN  mSizeOfSha256OfDevNull;
 +extern CONST UINT8 mRefkitTestCA[];
 +extern CONST UINTN mSizeOfRefkitTestCA;
 #endif /* ENROLL_DEFAULT_KEYS_H_ */
 -- 
 2.17.1
--- a/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
+++ b/recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
@ -1,13 +0,0 @@
 require recipes-core/ovmf/ovmf-shell-image.bb
 WKS_SEARCH_PATH:append = ":${COREBASE}/meta/recipes-core/ovmf"
 QB_DRIVE_TYPE = "/dev/vd"
 do_image:append() {
    cat > ${IMAGE_ROOTFS}/startup.nsh << EOF
 EnrollDefaultKeys
 reset
 EOF
 }
--- a/recipes-core/ovmf/ovmf_%.bbappend
+++ b/recipes-core/ovmf/ovmf_%.bbappend
@ -1,6 +0,0 @@
 FILESEXTRAPATHS:prepend:intel-x86-common := "${THISDIR}/files:"
 SRC_URI:append:intel-x86-common = " \
 	file://0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch \
 "
 PACKAGECONFIG:append:intel-x86-common = " secureboot"
--- a/recipes-selftest/images/files/incorrect.crt
+++ b/recipes-selftest/images/files/incorrect.crt
@ -1,19 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDCTCCAfGgAwIBAgIJAIYXAHv3cQNjMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
 BAMMEFRlc3QgWW9jdG8gdGhpbmcwHhcNMTcwMTI1MjI1MjI3WhcNMTgwMTI1MjI1
 MjI3WjAbMRkwFwYDVQQDDBBUZXN0IFlvY3RvIHRoaW5nMIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXD
 SwDVXNWfiKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoeh
 T51gkuTfv7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE
 31hLOkCFb+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk
 /6q5kqNhyrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4
 GqpqeFOPqxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABo1AwTjAdBgNV
 HQ4EFgQURA8KbgpiGfS2+7MT0H5AvpxeYLowHwYDVR0jBBgwFoAURA8KbgpiGfS2
 +7MT0H5AvpxeYLowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9n+
 9T+hlM2kEpsUgtyihEJbGHzbw+Pj11b0ICntCVuPKewtBMveYp8lejrQwMFNGRMt
 ZQe1LFb9HcLeM3MLUz9Lm4BJIjkey3Jfq1AskROYk/bJnFIJIx6P3U9gBa20P46X
 LH3g6yub1HR7KZC9nfBsak3FPoJR/SYTJs0HsMeL4878+2IbETA4BL0kbKW48FFW
 jF4f6don0eiaF8b4KkfbWKrCaEm+LMxbyBEQ6fIb1cmGY8A9A5houjmgi6YWSkoi
 SLpOC9TZ2R51fO9rRsv7XwLK0V9o9YaEYPBg6V/TeJl5nxAZBeVTKVTQbBGZY+l2
 nzN0pKsl7RXLf3SRYA==
 -----END CERTIFICATE-----
--- a/recipes-selftest/images/files/incorrect.key
+++ b/recipes-selftest/images/files/incorrect.key
@ -1,27 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXDSwDVXNWf
 iKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoehT51gkuTf
 v7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE31hLOkCF
 b+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk/6q5kqNh
 yrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4GqpqeFOP
 qxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABAoIBAQCEtAox86s9N6d2
 164z3998Zmj3UyL+7K9x6JI2YvMabBSYGOeaLOLRj6fjQxdC63H8brBM958p4di7
 Z82XMco4Dok6yoOeJ+hMLYv+gfGvTJxy7DhyVXsSwok99axg9vUsV3TYw3wSdpNF
 EKLkcUldpu0W2ADBHUr4sLI85xctHH3Kt0sNDzhgADFa5rDYACXTKHtFOhEqBIwN
 FmbuRQirnErUkI3Pczgl2Xy1MlaozH9CB+bLAb5q2FYu4DKgjl4UorC+w2HV41KH
 XoL7L36XXqLRHBfEAwOWb8yro+TK8T7gW7aagTI1wgsbbQkjQmOHxclmJACdMOiJ
 DjPeR0GBAoGBAO7i2eaEoKa9QlKokN+93uOJD/F6DBi6jF0vGOqWlF8AVTj3kGL3
 X8fY/avrSlg7hKZWdei+Q5PyZViKxqmHjq781ZisKck52Tqz4s7ylqRXSgStinZr
 UqrkShCqZ3g1W91gIeVPQz0/b+gBskoHzQ5WQHfV5v9S1PaxjzcYtCrRAoGBAMea
 LcA2jjuEjqxa5v5fh8ygcHasJMRKJxW1OCKiQ94DjjzPsdVqZ1sJZChLW/N3nxe7
 wHlNJmsGbJ2w1zD5+qkkPjLq5Q4B5KAd62NNrWaEHFdEc/PPkn4xP7Zkfuu5K+m2
 7z/MF4ibvVh9PvD3HY8FWKEtkqB4rfD8AoUOVd4ZAoGAXxXAsfa8k2Hl0kzyTXyg
 CWV3CSERS46FbFngyw9gw2e4hFJWEG5ym3ONlS60iuY16JelmxyQfYUQPewPI0+n
 xZMx2fE9OLFj+++6KbF5sLRl6/K/mF8jqo3vxS5uvPRQOo+XLlUcaHalrm1ub/Um
 87v1MT3dEmgACKmoXb/hhuECgYAZluiapePiOYJZEmZe4jx0vXTtofAswhz0qYEC
 3663vdj0buQrqjKJ91BB4jdtpT5eOpHYe02blv1B0jQkcUfze1QGDxtCineXF37g
 Aktiwzkm7v22mjv7tbCnX4buDZVVp0BQ+4dg2iaSO6xgFC5T8amFMGSF8jLKnGRu
 ToIvsQKBgADBTse2vnI85NRsYq48ztQuIU2zlGXIAcoPSvGb8Vhty/joc0jWcI5P
 raGXBARbuVlcEapK3mDRfO0CQjDaTPK4EYYJwGp8k33Hkkcbgs4kfm308jRsclMr
 YeMwQsYyOv45x4iPCwrqZEhpPDvACBi7DB6QvZ0++vJbobTt1jyi
 -----END RSA PRIVATE KEY-----
--- a/recipes-selftest/images/files/refkit-db.crt
+++ b/recipes-selftest/images/files/refkit-db.crt
@ -1,18 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIC+zCCAeOgAwIBAgIJANT2SMJoGZGsMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
 BAMMCXJlZmtpdC1kYjAeFw0xNzA0MjAxMjA2MzJaFw0xODA0MjAxMjA2MzJaMBQx
 EjAQBgNVBAMMCXJlZmtpdC1kYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBALQcIqYiAVfN8U+vcuPZAYBQVe8CXuuZNct/Knn/tT7sXZIGMCDnla2khC4/
 +tdG3Umo6ON5SfaPCx3+Y6jRY6PWDU5sZlzWZibRJpjUT3bJZUhYEwgxvOVHJWWV
 OYlfAvHFBhdYygn99h7Fl9qjThpIvs+WJwRLt21ntlAYBHNR0mot3zur8i2V16i4
 qDChq4uSK2A+OuWGQHHBPy0ukOfW7MzCC3mDcW32o6lMzUaB3O/sUb6BKvF4c0Hb
 VM58zqLjkE9FGvk9iPwO7dNpIkz6CmnRSMCqqTqzjxA6dqgMej3Yec4clmL0Bu5H
 6OBpka7qNM/aqLQ5XvN60IhIR2kCAwEAAaNQME4wHQYDVR0OBBYEFGhgESWFFHgb
 Gp9GEuYh5O/7O6rdMB8GA1UdIwQYMBaAFGhgESWFFHgbGp9GEuYh5O/7O6rdMAwG
 A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ShHxDR8pr/YeD0O910yBS
 cxiqMnH7pfTJEaNoTbed5tlGJNzHwjv5sJj87jRuEJs9RG4zCRG4KdYtBs9nj5aF
 nWNyv2RfDePJYxlx1H1MnHdG2iCXbbzdwh/zQDge58xVBXK6JE+zipMMMGDan281
 9vuwH7MA3cSmvOI3waPv2aGG+eukpUU4/06HSkHPbml+l74tIryNoBohj0tykAFc
 uqWcLdclJPz/XFgURjAJfFVkgwu5388l7uz3y9vRW5OTyIoQRriwNRxsDY8Dao8b
 NmjzU4k2WyGA3uOSUpSXnUmJfT7eKVG6Efe6Afer6sGnLqNNZf1AcfHiP2woy9M=
 -----END CERTIFICATE-----
--- a/recipes-selftest/images/files/refkit-db.key
+++ b/recipes-selftest/images/files/refkit-db.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0HCKmIgFXzfFP
 r3Lj2QGAUFXvAl7rmTXLfyp5/7U+7F2SBjAg55WtpIQuP/rXRt1JqOjjeUn2jwsd
 /mOo0WOj1g1ObGZc1mYm0SaY1E92yWVIWBMIMbzlRyVllTmJXwLxxQYXWMoJ/fYe
 xZfao04aSL7PlicES7dtZ7ZQGARzUdJqLd87q/ItldeouKgwoauLkitgPjrlhkBx
 wT8tLpDn1uzMwgt5g3Ft9qOpTM1Ggdzv7FG+gSrxeHNB21TOfM6i45BPRRr5PYj8
 Du3TaSJM+gpp0UjAqqk6s48QOnaoDHo92HnOHJZi9AbuR+jgaZGu6jTP2qi0OV7z
 etCISEdpAgMBAAECggEAbtXplKbUgL4hQ9JKN2Cxhc7qMv0YgI92BVaqQw1S8ffu
 1Q+tynH5MDRPi06gBJ59SvkA6AsZsvrv8nM7zQWd9ZKh+aLHk1X04upOgDoW9JiX
 FV/txlslTUrs/ohIMfsgCrweNXvUSTXZobIi8s8QHyipE4HpXMFjjZYHIV7GTlgA
 PRgGu3NygbWfR8hcx5JtzVz/jka7FFFSbk/pMr0TeJHXP55VfqWLeeSBQmWwooj2
 QcRfqMXgLKgu6uEggaP5HMcfTuWgWNhbke/596CgsUtQ5Gg64Q6v7cKcPy0/lgn1
 PnvfT9uhgEFDLNFkSBxV3ImrNYo73Nqmbp3w5tK9SQKBgQDs/HW7pNnB0LD51qok
 pkX0SBvyKxDT1QuU4z0FY9GT7OKOg8Xa0ZGyErt+ZbyFiyUGF5Axc3rJ3DyGslgu
 5O+AqcpCQOlOyovGQ6ST9x/gEeVcRnZn1MV4vMxwaOSXtY7u0IGyaDlFn1QWHWCN
 imv8OR6YuhivwBIXGzJ16oEqDwKBgQDCj3ls7tlPrLvUQIh8gfjCoInU8fRAqtAe
 Ab/OximLsKQPKLDma6xd+X2Fk8Dowdb88GNT99x3VZjHqVJM9URDkiOGKAXA/rBp
 jAXhnQwahT8YCzOUHqDYNMMQrXHvbiHqLodGrrO2WjYNmH69prQAk8WYAIwl+hdx
 BS70LGLPBwKBgQDU9RinAkBcFjiyieBjBreeCJ50Q5bfhHbf2EOhcE2IbDo6bteB
 Bwmxx3uM3cdHCf6/NrVweqFAfBQ3xlPP8BH4wJrsZoBBOWnZRDfEbzHJnMtK3FbS
 fzTkhmQAL4Ibgh9rIxspQtcUZVSees+k4VqgUIPaIoDEjgizktEJfS2MqQKBgQDA
 rOFtVaRz2PYyHq6LzxMRe3bEIdDn8cEk1kqjdW9TXV07feqiZmNOtXLvRAG4/63u
 1Akp8L6ul2Az6qUMfaBa4nC3vQ7lr9P40qhIZATGhsqS/xTXTPWw55999qZsnL6N
 cgKZpw1mOzRohmqNWnfMUotOGsywF1n7nUyAlyxLJQKBgElTaNTFYF3MbGfhl1He
 fnDXlf8OCOK1i5oIzMLqverb2UN/qp6p0b3SAtcw5cUXcaPlajHrfYgacF/0Qyua
 Cerey9GLEdJ7saDWhz0GyJ8yyEXy8CVs0svVaLPWI0s2B7/obzP9+gTb/WE9qZqu
 bNoVEpJ/wZhk+IL4+KPmqphu
 -----END PRIVATE KEY-----
--- a/recipes-selftest/images/secureboot-selftest-image-signed.bb
+++ b/recipes-selftest/images/secureboot-selftest-image-signed.bb
@ -1,6 +0,0 @@
 require secureboot-selftest-image-unsigned.bb
 IMAGE_FEATURES += "secureboot"
 SECURE_BOOT_SIGNING_KEY ?= "${THISDIR}/files/refkit-db.key"
 SECURE_BOOT_SIGNING_CERT ?= "${THISDIR}/files/refkit-db.crt"
--- a/recipes-selftest/images/secureboot-selftest-image-unsigned.bb
+++ b/recipes-selftest/images/secureboot-selftest-image-unsigned.bb
@ -1,20 +0,0 @@
 require recipes-core/images/core-image-minimal.bb
 DEPENDS:remove = "grub-efi"
 inherit uefi-comboapp
 WKS_FILE = "generic-bootdisk.wks.in"
 do_uefiapp_deploy:append() {
    for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
        target=`basename $i`
        target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
        cat > ${IMAGE_ROOTFS}/boot/startup.nsh << EOF
 $target
 reset
 EOF
    break
    done
 }
--- a/recipes-support/sbsigntool/sbsigntool-native_git.bb
+++ b/recipes-support/sbsigntool/sbsigntool-native_git.bb
@ -1,83 +0,0 @@
 DESCRIPTION = "Utility for signing and verifying files for UEFI Secure Boot"
 LICENSE = "GPL-3.0-only & LGPL-2.1-only & LGPL-3.0-only & MIT"
 # sbsigntool statically links to libccan.a which is built with modules
 # passed to "create-ccan-tree" (and their dependencies). Therefore,
 # we also keep track of all the ccan module licenses.
 LIC_FILES_CHKSUM = "file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
                    file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
                    file://lib/ccan.git/ccan/endian/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/htable/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/list/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/read_write_all/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/talloc/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/typesafe_cb/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/failtest/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
                    file://lib/ccan.git/ccan/tlist/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
                    file://lib/ccan.git/ccan/time/LICENSE;md5=838c366f69b72c5df05c96dff79b35f2 \
 "
 # The original upstream is git://kernel.ubuntu.com/jk/sbsigntool but it has
 # not been maintained and many patches have been backported in this repo.
 SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools;branch=master \
           git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan;branch=master \
           file://0001-configure-Fixup-build-dependencies-for-cross-compili.patch \
           "
 SRCREV_sbsigntools  ?= "9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba"
 SRCREV_ccan         ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
 SRCREV_FORMAT       =  "sbsigntools_ccan"
 DEPENDS = "binutils-native gnu-efi-native help2man-native openssl-native util-linux-native"
 PV = "0.9.5"
 S = "${WORKDIR}/git"
 inherit autotools pkgconfig
 inherit native
 do_configure:prepend() {
 	cd ${S}
 	sed -i s#RECIPE_SYSROOT#${RECIPE_SYSROOT_NATIVE}#g configure.ac
 	if [ ! -e lib/ccan ]; then
 		# Use empty SCOREDIR because 'make scores' is not run.
 		# The default setting depends on (non-whitelisted) host tools.
 		sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
 		lib/ccan.git/tools/create-ccan-tree \
 		--build-type=automake lib/ccan \
 		talloc read_write_all build_assert array_size endian
 	fi
 	# Create generatable docs from git
 	(
 	 echo "Authors of sbsigntool:"
 	 echo
 	 git log --format='%an' | sort -u | sed 's,^,\t,'
 	) > AUTHORS
 	# Generate simple ChangeLog
 	git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
 	cd ${B}
 }
 def efi_arch(d):
    import re
    harch = d.getVar("HOST_ARCH")
    if re.match("i[3456789]86", harch):
        return "ia32"
    return harch
 EXTRA_OEMAKE = "\
    INCLUDES+='-I${S}/lib/ccan.git/ \
              -I${STAGING_INCDIR_NATIVE}/efi \
              -I${STAGING_INCDIR_NATIVE} \
              -I${STAGING_INCDIR_NATIVE}/efi/${@efi_arch(d)}' \
    "
 CFLAGS:append = " -Wno-error"
--- a/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
+++ b/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
@ -1,54 +0,0 @@
 From c3533b8da1e1425801d2fc0bcd231e13d593f16b Mon Sep 17 00:00:00 2001
 From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Date: Tue, 19 Feb 2019 20:07:45 +0800
 Subject: [PATCH] configure: Fixup build dependencies for cross-compiling
 When cross-compiling, custom header files and libraries need to be
 specified. sbsign assumes that all the dependencies are located
 under /usr/include and /usr/lib.
 Prepend these paths with a placeholder that can be replaced with the
 actual paths once they are resolved.
 Upstream-Status: Inappropriate [OE specific]
 Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Taken from :
 https://github.com/intel/luv-yocto/tree/master/meta-luv/recipes-devtools/sbsigntool/sbsigntool
 Corrected typo error and ported to version 0.9.2
 Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
 ---
 configure.ac | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 1459e91..3e34c8d 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -70,7 +70,10 @@ AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "
 ##
 # no consistent view of where gnu-efi should dump the efi stuff, so find it
 ##
 -for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
 +for path in RECIPE_SYSROOT/lib RECIPE_SYSROOT/lib64 RECIPE_SYSROOT/usr/lib \
 +            RECIPE_SYSROOT/usr/lib64 RECIPE_SYSROOT/usr/lib32 \
 +            RECIPE_SYSROOT/lib/efi RECIPE_SYSROOT/lib64/efi \
 +            RECIPE_SYSROOT/usr/lib/efi RECIPE_SYSROOT/usr/lib64/efi; do
     if test -e $path/crt0-efi-$EFI_ARCH.o; then
        CRTPATH=$path
     fi
@@ -79,7 +82,7 @@ if test -z "$CRTPATH"; then
    AC_MSG_ERROR([cannot find the gnu-efi crt path])
 fi
 -EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
 +EFI_CPPFLAGS="-IRECIPE_SYSROOT/usr/include/efi -IRECIPE_SYSROOT/usr/include/efi/$EFI_ARCH \
  -DEFI_FUNCTION_WRAPPER"
 CPPFLAGS_save="$CPPFLAGS"
 CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
 -- 
 2.7.4