From 1d802e560f4e7b953c08aca5ccc294f0f27c61a3 Mon Sep 17 00:00:00 2001
From: Chris Coulson
Date: Thu, 9 May 2024 15:42:21 +0200
Subject: [PATCH] efi: add Microsoft UEFI CA 2023 data

Note that there aren't any tests for this yet because as far as we're aware, it hasn't been used to sign anything and so there isn't a signing certificate in the wild from which we can create mock binaries in the way that we test image matching with the 2011 CA.
---
 efi/image_rules_defs.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/efi/image_rules_defs.go b/efi/image_rules_defs.go
index ea517d25..77845088 100644
--- a/efi/image_rules_defs.go
+++ b/efi/image_rules_defs.go
@@ -53,6 +53,28 @@ func makeMicrosoftUEFICASecureBootNamespaceRules() *secureBootNamespaceRules {
 // pubkey alg
 x509.RSA,
 ),
+ // TODO(chrisccoulson): add tests for this when we find something that it's
+ // been used to sign and we have a signing certificate in the wild that we
+ // can add to embeds_test.go in order to create a mock shim with it
+ withAuthority(
+ // CN=Microsoft UEFI CA 2023,O=Microsoft Corporation,C=US
+ []byte{
+ 0x30, 0x4e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+ 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06,
+ 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72,
+ 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70,
+ 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30,
+ 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x16, 0x4d, 0x69,
+ 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x55, 0x45,
+ 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33,
+ },
+ []byte{
+ 0x81, 0xaa, 0x6b, 0x32, 0x44, 0xc9, 0x35, 0xbc, 0xe0, 0xd6,
+ 0x62, 0x8a, 0xf3, 0x98, 0x27, 0x42, 0x1e, 0x32, 0x49, 0x7d,
+ },
+ // pubkey alg
+ x509.RSA,
+ ),
 withSelfSignedSignerOnlyForTesting(
 // O = Snake Oil
 []byte{
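Review bot: The 20-byte value in the second `[]byte{}` of the new `withAuthority(...)` entry (`0x81, 0xaa, 0x6b, ...`) is the one thing in this hunk that nothing can currently check, and a single mistyped byte there would make every image signed under the 2023 CA silently fall outside this namespace once the CA is in use; the commit message defers testing until a signed binary exists, but this value can be compared against the published CA certificate now, so the entry should record where it was taken from, e.g. `// presumably the subject key identifier of the Microsoft UEFI CA 2023 certificate, as for the 2011 entry — record the source so it can be re-checked` (the sibling entry the comment refers to sits above the hunk). The 80-byte DN can also be tested today without any signing certificate: decoding it with `asn1.Unmarshal(dn, &rdn)` into a `pkix.RDNSequence`, filling a `pkix.Name` from it and comparing `name.String()` with `"CN=Microsoft UEFI CA 2023,O=Microsoft Corporation,C=US"` would catch a transcription error in the DER, and the same test can assert the identifier is exactly 20 bytes. The visible lengths in the hunk do add up — `0x4e` covers the three RDNs of 13, 32 and 33 bytes — so the DN bytes themselves look consistent; narrowing the TODO to the image-matching test only would make clear which part still lacks coverage. The enclosing function `makeMicrosoftUEFICASecureBootNamespaceRules` starts and ends outside the hunk.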