From 764d81db0af6466d215a89a1f5d23aea606f55a9 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Tue, 20 Sep 2022 11:32:21 +0800
Subject: [PATCH] Debian: efitools: add initial version
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Add efitools 1.9.2-1 for debian.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot fails as expected (NG) on qemu/hardware when
shim/grub-efi images lack the right signatures.
Story: 2009221
Task: 46400
Signed-off-by: Li Zhou
Change-Id: I672f0c0182bf894d10c508b83b959eec47971ceb
---
.../0001-efitools-prepare-keys.patch | 33 +++++++
...d-Microsoft-KEK-DB-to-built-in-certs.patch | 41 ++++++++
security/efitools/debian/deb_patches/series | 2 +
security/efitools/debian/meta_data.yaml | 14 +++
.../0001-LockDown-add-system-warm-reset.patch | 46 +++++++++
...the-error-message-with-3-sec-timeout.patch | 95 +++++++++++++++++++
...kefile-do-not-build-signed-efi-image.patch | 33 +++++++
...disable-the-entrance-into-BIOS-setup.patch | 49 ++++++++++
...do-not-remove-ms-uefi.esl-ms-kek.esl.patch | 30 ++++++
security/efitools/debian/patches/series | 5 +
security/efitools/debian/uefi_sb_keys/DB.crt | 19 ++++
security/efitools/debian/uefi_sb_keys/DB.key | 28 ++++++
security/efitools/debian/uefi_sb_keys/KEK.crt | 19 ++++
security/efitools/debian/uefi_sb_keys/KEK.key | 28 ++++++
security/efitools/debian/uefi_sb_keys/PK.crt | 19 ++++
security/efitools/debian/uefi_sb_keys/PK.key | 28 ++++++
.../efitools/debian/uefi_sb_keys/ms-DB.crt | 35 +++++++
.../efitools/debian/uefi_sb_keys/ms-KEK.crt | 34 +++++++
.../efitools/debian/uefi_sb_keys/tis-boot.crt | 20 ++++
19 files changed, 578 insertions(+)
create mode 100644 security/efitools/debian/deb_patches/0001-efitools-prepare-keys.patch
create mode 100644 security/efitools/debian/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
create mode 100644 security/efitools/debian/deb_patches/series
create mode 100644 security/efitools/debian/meta_data.yaml
create mode 100644 security/efitools/debian/patches/0001-LockDown-add-system-warm-reset.patch
create mode 100644 security/efitools/debian/patches/0002-LockDown-show-the-error-message-with-3-sec-timeout.patch
create mode 100644 security/efitools/debian/patches/0003-Makefile-do-not-build-signed-efi-image.patch
create mode 100644 security/efitools/debian/patches/0004-LockDown-disable-the-entrance-into-BIOS-setup.patch
create mode 100644 security/efitools/debian/patches/0005-do-not-remove-ms-uefi.esl-ms-kek.esl.patch
create mode 100644 security/efitools/debian/patches/series
create mode 100644 security/efitools/debian/uefi_sb_keys/DB.crt
create mode 100644 security/efitools/debian/uefi_sb_keys/DB.key
create mode 100644 security/efitools/debian/uefi_sb_keys/KEK.crt
create mode 100644 security/efitools/debian/uefi_sb_keys/KEK.key
create mode 100644 security/efitools/debian/uefi_sb_keys/PK.crt
create mode 100644 security/efitools/debian/uefi_sb_keys/PK.key
create mode 100644 security/efitools/debian/uefi_sb_keys/ms-DB.crt
create mode 100644 security/efitools/debian/uefi_sb_keys/ms-KEK.crt
create mode 100644 security/efitools/debian/uefi_sb_keys/tis-boot.crt
diff --git a/security/efitools/debian/deb_patches/0001-efitools-prepare-keys.patch b/security/efitools/debian/deb_patches/0001-efitools-prepare-keys.patch
new file mode 100644
index 000000000..02d40171a
--- /dev/null
+++ b/security/efitools/debian/deb_patches/0001-efitools-prepare-keys.patch
@@ -0,0 +1,33 @@
+From 7092736065bf9a0ce96b2ac1d4168bbaa13a16f5 Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Fri, 19 Aug 2022 10:08:12 +0800
+Subject: [PATCH 1/2] efitools: prepare keys
+
+Copy uefi keys (example keys) to the proper path for building.
+Replace the DB.crt (example key) with tis-boot.crt (public key
+in use for verifying signed shim image).
+
+Signed-off-by: Li Zhou
+---
+ debian/rules | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/debian/rules b/debian/rules
+index 89115b3..c20cd9a 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -4,6 +4,11 @@
+ # Uncomment this to turn on verbose mode.
+ export DH_VERBOSE=1
+
++override_dh_auto_build:
++ cp uefi_sb_keys/* ./
++ mv tis-boot.crt DB.crt
++ dh_auto_build
++
+ override_dh_auto_install:
+ dh_auto_install -- EFIDIR="debian/efitools/usr/lib/efitools/${DEB_TARGET_MULTIARCH}"
+
+--
+2.17.1
+
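Review bot: `cp uefi_sb_keys/* ./` pulls PK.key, KEK.key and DB.key into the build, and those private keys are committed in this same change (uefi_sb_keys/PK.key, KEK.key, DB.key), so the PK and KEK that LockDown.efi enrolls are anchored in keys readable by anyone with repository access. The patch description calls them example keys; if that is right, a platform provisioned from this package has a secure-boot policy only as strong as those published keys, and production builds need PK/KEK supplied from a protected signing environment instead. At minimum add a comment above the recipe, e.g. `# uefi_sb_keys/*.key are public example keys: replace PK/KEK before provisioning production hardware`. After `mv tis-boot.crt DB.crt` the copied DB.key presumably no longer matches DB.crt, so copying only the files the build needs would be safer than copying the whole directory.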
diff --git a/security/efitools/debian/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch b/security/efitools/debian/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
new file mode 100644
index 000000000..b08bc00b9
--- /dev/null
+++ b/security/efitools/debian/deb_patches/0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
@@ -0,0 +1,41 @@
+From f97a150fbf94be75381d90396ac7be5b2edf95d2 Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Tue, 23 Aug 2022 14:51:09 +0800
+Subject: [PATCH 2/2] efitools: append Microsoft KEK/DB to built-in certs
+
+While BIOS of Dell PowerEdge host enables EFI secure feature,
+it uses Microsoft KEK and DB to verify NICs and disks. If one removes
+the existing Microsoft certs and uses LockDown.efi to insert self
+defined certs, the NICs and disks are missing. So append one Microsoft
+KEK and one Microsoft DB to built-in certs for LockDown.efi.
+Reference:
+https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#multiple
+
+Signed-off-by: Hongxu Jia
+[lz: Porting the patch from yocto to debian rules]
+Signed-off-by: Li Zhou
+---
+ debian/rules | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/debian/rules b/debian/rules
+index c20cd9a..78bca19 100755
+--- a/debian/rules
++++ b/debian/rules
+@@ -8,6 +8,13 @@ override_dh_auto_build:
+ cp uefi_sb_keys/* ./
+ mv tis-boot.crt DB.crt
+ dh_auto_build
++ cp -f DB.esl DB-orig.esl
++ cat DB-orig.esl ms-uefi.esl > DB.esl
++ cp -f KEK.esl KEK-orig.esl
++ cat KEK-orig.esl ms-kek.esl > KEK.esl
++ rm DB-orig.esl KEK-orig.esl
++ rm LockDown*efi LockDown.so LockDown.o
++ dh_auto_build
+
+ override_dh_auto_install:
+ dh_auto_install -- EFIDIR="debian/efitools/usr/lib/efitools/${DEB_TARGET_MULTIARCH}"
+--
+2.17.1
+
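Review bot: The `cat DB-orig.esl ms-uefi.esl > DB.esl` and `cat KEK-orig.esl ms-kek.esl > KEK.esl` steps widen what the enrolled platform trusts beyond tis-boot.crt, and nothing in the rules file records that. If ms-uefi.esl holds Microsoft's UEFI CA, as the name suggests, db will accept any image signed under that CA and not only the project's shim, so the option-ROM rationale from the description belongs next to the recipe, together with how revocations (dbx) are expected to be maintained. Suggested comment: `# Microsoft KEK/db appended so firmware-verified NIC/disk option ROMs keep loading; this also trusts every image signed by those CAs`. Separately, `rm LockDown*efi LockDown.so LockDown.o` fails the build if any of the three is absent; `rm -f` would make the forced rebuild robust.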
diff --git a/security/efitools/debian/deb_patches/series b/security/efitools/debian/deb_patches/series
new file mode 100644
index 000000000..6855a947b
--- /dev/null
+++ b/security/efitools/debian/deb_patches/series
@@ -0,0 +1,2 @@
+0001-efitools-prepare-keys.patch
+0002-efitools-append-Microsoft-KEK-DB-to-built-in-certs.patch
diff --git a/security/efitools/debian/meta_data.yaml b/security/efitools/debian/meta_data.yaml
new file mode 100644
index 000000000..51de784ca
--- /dev/null
+++ b/security/efitools/debian/meta_data.yaml
@@ -0,0 +1,14 @@
+---
+debver: 1.9.2-1
+debname: efitools
+dl_path:
+ name: efitools-debian-1.9.2-1.tar.gz
+ url: "https://salsa.debian.org/efi-team/efitools/-/archive/debian/\
+ 1.9.2-1/efitools-debian-1.9.2-1.tar.gz"
+ md5sum: e81aa4822cfcbca81074c9cb07951e75
+ sha256sum: 69f02c5b588b666075ed4d390655cf3bfe7f7e2daae643423cd052e081e1368a
+src_files:
+ - debian/uefi_sb_keys
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/security/efitools/debian/patches/0001-LockDown-add-system-warm-reset.patch b/security/efitools/debian/patches/0001-LockDown-add-system-warm-reset.patch
new file mode 100644
index 000000000..9f2045286
--- /dev/null
+++ b/security/efitools/debian/patches/0001-LockDown-add-system-warm-reset.patch
@@ -0,0 +1,46 @@
+From 54d6a97ca89dea6b93a6a2a9290cd2d6b0122b2e Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Fri, 25 Mar 2016 10:52:34 +0800
+Subject: [PATCH 1/5] LockDown: add system warm reset
+
+Upstream-Status: Pending
+
+Run system warm reset after the key provision success.
+In addition, BIOS would stop at its setup screen. The end user can thus
+enable UEFI secure boot immediately.
+
+Signed-off-by: Lans Zhang
+[lz: Adapt git log and do some minor wording cleanups.]
+Signed-off-by: Li Zhou
+---
+ LockDown.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/LockDown.c b/LockDown.c
+index 29df9de..3a2b476 100644
+--- a/LockDown.c
++++ b/LockDown.c
+@@ -99,5 +99,20 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ }
+ Print(L"Platform %s set to boot securely\n", SecureBoot ? L"is" : L"is not");
+
++ /* Reset system to go back to the real UEFI secure boot flow.
++ * If SecureBoot is still false, the user needs to turn on
++ * UEFI secure boot in BIOS setup.
++ */
++ Print(L"Prepare to execute system warm reset after 3 seconds ...\n");
++ if (!SecureBoot)
++ Print(L"After warm reset, enter BIOS setup to enable UEFI Secure Boot.\n");
++
++ BS->Stall(3000000);
++
++ if (!SecureBoot)
++ SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI);
++ else
++ RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
++
+ return EFI_SUCCESS;
+ }
+--
+2.17.1
+
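Review bot: The return value of `SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI)` is dropped, so if that helper returns instead of resetting (its definition is outside this hunk; presumably it can fail when the OsIndications variable cannot be written) efi_main falls through to `return EFI_SUCCESS` and the machine neither resets nor enters setup after printing that it would. Capture the status and fall back to a plain reset: `efi_status = SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI);` followed by `if (efi_status != EFI_SUCCESS) RT->ResetSystem(EfiResetWarm, efi_status, 0, NULL);`. The bare `3000000` passed to `BS->Stall` would read better as a named constant with a comment that the unit is microseconds. efi_main begins above the hunk.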
diff --git a/security/efitools/debian/patches/0002-LockDown-show-the-error-message-with-3-sec-timeout.patch b/security/efitools/debian/patches/0002-LockDown-show-the-error-message-with-3-sec-timeout.patch
new file mode 100644
index 000000000..ad5b5e271
--- /dev/null
+++ b/security/efitools/debian/patches/0002-LockDown-show-the-error-message-with-3-sec-timeout.patch
@@ -0,0 +1,95 @@
+From f7d36914894dda2c30e73e257d25339021e4e344 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Tue, 17 Jan 2017 12:48:27 +0800
+Subject: [PATCH 2/5] LockDown: show the error message with 3-sec timeout
+
+Signed-off-by: Lans Zhang
+Signed-off-by: Li Zhou
+---
+ LockDown.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/LockDown.c b/LockDown.c
+index 3a2b476..090d48f 100644
+--- a/LockDown.c
++++ b/LockDown.c
+@@ -26,12 +26,12 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"No SetupMode variable ... is platform secure boot enabled?\n");
+- return EFI_SUCCESS;
++ goto out;
+ }
+
+ if (!SetupMode) {
+ Print(L"Platform is not in Setup Mode, cannot install Keys\n");
+- return EFI_SUCCESS;
++ goto out;
+ }
+
+ Print(L"Platform is in Setup Mode\n");
+@@ -44,7 +44,7 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ KEK_auth_len, KEK_auth);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to enroll KEK: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ Print(L"Created KEK Cert\n");
+ efi_status = RT->SetVariable(L"db", &SIG_DB,
+@@ -55,7 +55,7 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ DB_auth_len, DB_auth);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to enroll db: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ Print(L"Created db Cert\n");
+ #if 0
+@@ -64,7 +64,7 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ efi_status = SetSecureVariable(L"dbx", DB_cer, DB_cer_len, SIG_DB, 0);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to enroll dbx: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ #endif
+ /* PK must be updated with a signed copy of itself */
+@@ -78,14 +78,14 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to enroll PK: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ Print(L"Created PK Cert\n");
+ /* enrolling the PK should put us in SetupMode; check this */
+ efi_status = RT->GetVariable(L"SetupMode", &GV_GUID, NULL, &DataSize, &SetupMode);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to get SetupMode variable: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ Print(L"Platform is in %s Mode\n", SetupMode ? L"Setup" : L"User");
+
+@@ -95,7 +95,7 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to get SecureBoot variable: %d\n", efi_status);
+- return efi_status;
++ goto out;
+ }
+ Print(L"Platform %s set to boot securely\n", SecureBoot ? L"is" : L"is not");
+
+@@ -115,4 +115,8 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+
+ return EFI_SUCCESS;
++
++out:
++ BS->Stall(3000000);
++ return efi_status;
+ }
+--
+2.17.1
+
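Review bot: The `!SetupMode` branch now reaches `out:` with efi_status still EFI_SUCCESS from the check just above it, so "Platform is not in Setup Mode, cannot install Keys" ends with a success status even though no key was enrolled. A caller or provisioning script that checks the exit status cannot tell this from a completed lockdown. Setting a failure code before the jump, e.g. `efi_status = EFI_ACCESS_DENIED;` ahead of `goto out;`, would make the two outcomes distinguishable. The patch header also has no description; one line explaining that the stall keeps the error on screen before control returns to the firmware would help. efi_main starts outside the visible hunks.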
diff --git a/security/efitools/debian/patches/0003-Makefile-do-not-build-signed-efi-image.patch b/security/efitools/debian/patches/0003-Makefile-do-not-build-signed-efi-image.patch
new file mode 100644
index 000000000..3f5ea4951
--- /dev/null
+++ b/security/efitools/debian/patches/0003-Makefile-do-not-build-signed-efi-image.patch
@@ -0,0 +1,33 @@
+From 35157f9762530271cabc78e645f02dc34b0c025c Mon Sep 17 00:00:00 2001
+From: Yunguo Wei
+Date: Tue, 17 Jan 2017 17:24:51 +0800
+Subject: [PATCH 3/5] Makefile: do not build signed efi image
+
+Signed-off-by: Yunguo Wei
+---
+ Makefile | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index fc061a6..8e7a926 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,5 +1,4 @@
+-EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
+- KeyTool.efi HashTool.efi SetNull.efi ShimReplace.efi
++EFIFILES = LockDown.efi
+ BINARIES = cert-to-efi-sig-list sig-list-to-certs sign-efi-sig-list \
+ hash-to-efi-sig-list efi-readvar efi-updatevar cert-to-efi-hash-list \
+ flash-var
+@@ -30,7 +29,7 @@ include Make.rules
+
+ EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+
+-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
++all: $(EFIFILES) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
+ $(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH)
+
+
+--
+2.17.1
+
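Review bot: This patch has an empty description, yet it changes what the package ships: `all` now depends on `$(EFIFILES)` rather than `$(EFISIGNED)`, so LockDown.efi is built unsigned and the other EFI tools are dropped. State the reason in the header (presumably that DB.crt is replaced by tis-boot.crt, for which no private key is in the tree, so a DB.key signature would not verify) and add an `Upstream-Status:` line as patches 0001 and 0005 have. `EFISIGNED` is still defined just above the rule but is no longer used by `all`; either remove it or note that it is kept to minimise the diff against upstream.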
diff --git a/security/efitools/debian/patches/0004-LockDown-disable-the-entrance-into-BIOS-setup.patch b/security/efitools/debian/patches/0004-LockDown-disable-the-entrance-into-BIOS-setup.patch
new file mode 100644
index 000000000..f688d0d6a
--- /dev/null
+++ b/security/efitools/debian/patches/0004-LockDown-disable-the-entrance-into-BIOS-setup.patch
@@ -0,0 +1,49 @@
+From d3d22b8a9e415d343e58a2502cb4865e65ad21e1 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Wed, 15 Feb 2017 14:52:07 +0800
+Subject: [PATCH 4/5] LockDown: disable the entrance into BIOS setup
+
+Disable the entrance into BIOS setup to re-enable secure boot.
+In most cases, this step is not necessary.
+
+Signed-off-by: Lans Zhang
+[lz: Adapt git log and do some minor wording cleanups.]
+Signed-off-by: Li Zhou
+---
+ LockDown.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/LockDown.c b/LockDown.c
+index 090d48f..c8b89bd 100644
+--- a/LockDown.c
++++ b/LockDown.c
+@@ -19,6 +19,11 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ EFI_STATUS efi_status;
+ UINT8 SecureBoot, SetupMode;
+ UINTN DataSize = sizeof(SetupMode);
++ /* This controls whether it is required to enter BIOS setup in
++ * order to re-enable UEFI secure boot. This operation is unnecessary
++ * in most cases.
++ */
++ UINTN NeedSetAttempt = 0;
+
+ InitializeLib(image, systab);
+
+@@ -104,12 +109,12 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ * UEFI secure boot in BIOS setup.
+ */
+ Print(L"Prepare to execute system warm reset after 3 seconds ...\n");
+- if (!SecureBoot)
++ if (NeedSetAttempt && !SecureBoot)
+ Print(L"After warm reset, enter BIOS setup to enable UEFI Secure Boot.\n");
+
+ BS->Stall(3000000);
+
+- if (!SecureBoot)
++ if (NeedSetAttempt && !SecureBoot)
+ SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI);
+ else
+ RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+--
+2.17.1
+
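Review bot: `NeedSetAttempt` is a local initialised to 0 and never assigned again in the visible hunks, so both `NeedSetAttempt && !SecureBoot` branches are dead and a platform that finishes enrollment with SecureBoot still 0 simply warm-resets with no prompt. The operator is left with keys enrolled but enforcement off, and only the "is not set to boot securely" line, shown for three seconds, to notice it. Make the switch a build-time option, e.g. `#ifdef LOCKDOWN_BOOT_TO_FW_UI` (name constructed here), or keep a warning unconditional: `if (!SecureBoot) Print(L"Warning: UEFI Secure Boot is still disabled.\n");`. efi_main continues outside both hunks.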
diff --git a/security/efitools/debian/patches/0005-do-not-remove-ms-uefi.esl-ms-kek.esl.patch b/security/efitools/debian/patches/0005-do-not-remove-ms-uefi.esl-ms-kek.esl.patch
new file mode 100644
index 000000000..7a4724353
--- /dev/null
+++ b/security/efitools/debian/patches/0005-do-not-remove-ms-uefi.esl-ms-kek.esl.patch
@@ -0,0 +1,30 @@
+From 7946f6515c1607337f6c45e1deffc7603b462f99 Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Fri, 19 Aug 2022 15:55:33 +0800
+Subject: [PATCH 5/5] do not remove ms-uefi.esl ms-kek.esl
+
+Keep them for Microsoft Cert appending
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Hongxu Jia
+Signed-off-by: Li Zhou
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index 8e7a926..e390c30 100644
+--- a/Makefile
++++ b/Makefile
+@@ -53,6 +53,7 @@ lib/asn1/libasn1.a lib/asn1/libasn1-efi.a: FORCE
+ .SUFFIXES: .crt
+
+ .KEEP: PK.crt KEK.crt DB.crt PK.key KEK.key DB.key PK.esl DB.esl KEK.esl \
++ ms-uefi.esl ms-kek.esl \
+ $(EFIFILES)
+
+ LockDown.o: PK.h KEK.h DB.h
+--
+2.17.1
+
diff --git a/security/efitools/debian/patches/series b/security/efitools/debian/patches/series
new file mode 100644
index 000000000..cb9789833
--- /dev/null
+++ b/security/efitools/debian/patches/series
@@ -0,0 +1,5 @@
+0001-LockDown-add-system-warm-reset.patch
+0002-LockDown-show-the-error-message-with-3-sec-timeout.patch
+0003-Makefile-do-not-build-signed-efi-image.patch
+0004-LockDown-disable-the-entrance-into-BIOS-setup.patch
+0005-do-not-remove-ms-uefi.esl-ms-kek.esl.patch
diff --git a/security/efitools/debian/uefi_sb_keys/DB.crt b/security/efitools/debian/uefi_sb_keys/DB.crt
new file mode 100644
index 000000000..2e941ea72
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/DB.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/security/efitools/debian/uefi_sb_keys/DB.key b/security/efitools/debian/uefi_sb_keys/DB.key
new file mode 100644
index 000000000..77a253ccf
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/DB.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/security/efitools/debian/uefi_sb_keys/KEK.crt b/security/efitools/debian/uefi_sb_keys/KEK.crt
new file mode 100644
index 000000000..60349de95
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/KEK.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/security/efitools/debian/uefi_sb_keys/KEK.key b/security/efitools/debian/uefi_sb_keys/KEK.key
new file mode 100644
index 000000000..9a68e8d0b
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/KEK.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/security/efitools/debian/uefi_sb_keys/PK.crt b/security/efitools/debian/uefi_sb_keys/PK.crt
new file mode 100644
index 000000000..9df35b31d
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/PK.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/security/efitools/debian/uefi_sb_keys/PK.key b/security/efitools/debian/uefi_sb_keys/PK.key
new file mode 100644
index 000000000..2f02c49a3
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/PK.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/security/efitools/debian/uefi_sb_keys/ms-DB.crt b/security/efitools/debian/uefi_sb_keys/ms-DB.crt
new file mode 100644
index 000000000..d7c29ef55
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/ms-DB.crt
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/security/efitools/debian/uefi_sb_keys/ms-KEK.crt b/security/efitools/debian/uefi_sb_keys/ms-KEK.crt
new file mode 100644
index 000000000..37c814a77
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/ms-KEK.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6DCCA9CgAwIBAgIKYQrRiAAAAAAAAzANBgkqhkiG9w0BAQsFADCBkTELMAkG
+A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
+HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z
+b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN
+MTEwNjI0MjA0MTI5WhcNMjYwNjI0MjA1MTI5WjCBgDELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
+Y3Jvc29mdCBDb3Jwb3JhdGlvbjEqMCgGA1UEAxMhTWljcm9zb2Z0IENvcnBvcmF0
+aW9uIEtFSyBDQSAyMDExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xOi1ir+tVyawJsPq5/tXekQCXQcN2krldCrmsA/sbevsf7njWmMyfBEXTw7jC6c4
+FZOOxvXghLGamyzn9beR1gnh4sAEqKwwHN9I8wZQmmSnUX/IhU+PIIbO/i/hn/+C
+wO3pzc70U2piOgtDueIl/f4F+dTEFKsR4iOJjXC3pB1N7K7lnPoWwtfBy9ToxC/l
+me4kiwPsjfKL6sNK+0MREgt+tUeSbNzmBInr9TME6xABKnHl+YMTPP8lCS9odkb/
+uk++3K1xKliq+w7SeT3km2U7zCkqn/xyWaLrrpLv9jUTgMYC7ORfzJ12ze9jksGv
+eUCEeYd/41Ko6J17B2mPFQIDAQABo4IBTzCCAUswEAYJKwYBBAGCNxUBBAMCAQAw
+HQYDVR0OBBYEFGL8Q82gPqTLZxLSW9lVrHvMtopfMBkGCSsGAQQBgjcUAgQMHgoA
+UwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQY
+MBaAFEVmUkPhflgRv9ZOniNVCDs6ImqoMFwGA1UdHwRVMFMwUaBPoE2GS2h0dHA6
+Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY0NvclRoaVBh
+ck1hclJvb18yMDEwLTEwLTA1LmNybDBgBggrBgEFBQcBAQRUMFIwUAYIKwYBBQUH
+MAKGRGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljQ29yVGhp
+UGFyTWFyUm9vXzIwMTAtMTAtMDUuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQDUhIj1
+FJQYAsoqPPsqkhwM16DR8ehSZqjuorV1epAAqi2kdlrqebe5N2pRexBk9uFk8gJn
+vveoG3i9us6IWGQM1lfIGaNfBdbbxtBpzkhLMrfrXdIw9cD1uLp4B6Mr/pvbNFaE
+7ILKrkElcJxr6f6QD9eWH+XnlB+yKgyNS/8oKRB799d8pdF2uQXIee0PkJKcwv7f
+b35sD3vUwUXdNFGWOQ/lXlbYGAWW9AemQrOgd/0IGfJxVsyfhiOkh8um/Vh+1Gln
+FZF+gfJ/E+UNi4o8h4Tr4869Q+WtLYSTjmorWnxE+lKqgcgtHLvgUt8AEfiaPcFg
+sOEztaOI0WUZChrnrHykwYKHTjixLw3FFIdv/Y0uvDm25+bD4OTNJ4TvlELvKYuQ
+RkE7gRtn2PlDWWXLDbz9AJJP9HU7p6kk/FBBQHngLU8Kaid2blLtlml7rw/3hwXQ
+RcKtUxSBH/swBKo3NmHaSmkbNNho7dYCz2yUDNPPbCJ5rbHwvAOiRmCpxAfCIYLx
+/fLoeTJgv9ispSIUS8rB2EvrfT9XNbLmT3W0sGADIlOukXkd1ptBHxWGVHCy3g01
+D3ywNHK6l2A78HnrorIcXaIWuIfF6Rv2tZclbzif45H6inmYw2kOt6McIAWX+MoU
+rgDXxPPAFBB1azSgG7WZYPNcsMVXTjbSMoS/ng==
+-----END CERTIFICATE-----
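Review bot: Nothing visible in this change consumes ms-KEK.crt (or ms-DB.crt): the debian/rules patch concatenates `ms-kek.esl` and `ms-uefi.esl`, whose names do not match these files, so it is unclear whether the certificates enrolled are the ones added here or ones already shipped in the efitools tarball. Either wire these files into the build explicitly or drop them, and say in the commit message which source is authoritative. The certificate's subject decodes to "Microsoft Corporation KEK CA 2011" with a notAfter of 24 June 2026, so a note on how a successor KEK will be added is worth recording as well.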
diff --git a/security/efitools/debian/uefi_sb_keys/tis-boot.crt b/security/efitools/debian/uefi_sb_keys/tis-boot.crt
new file mode 100644
index 000000000..2bb80ca65
--- /dev/null
+++ b/security/efitools/debian/uefi_sb_keys/tis-boot.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD
+QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX
+aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1
+OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250
+YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl
+bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb
+qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl
+s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8
+wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX
+xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD
+d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ
+Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd
+beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG
+7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI
+0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F
+cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis
+a16FUsgrac0uAQa55IQ=
+-----END CERTIFICATE-----
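Review bot: tis-boot.crt becomes the project's db entry (the debian/rules patch renames it to DB.crt), yet the commit gives no way to check that this is the intended signing certificate. Record its SHA-256 fingerprint in the commit message or a README beside the key, e.g. `tis-boot.crt sha256: <fingerprint placeholder>`, so it can be compared with the certificate held by the signing service. Decoding the header shows identical issuer and subject (O=Wind River Systems Inc, CN=TiS), a sha1WithRSAEncryption signature and a notAfter of 29 November 2026; firmware may not enforce either, but a rotation plan should be noted.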