From 2b485a272e2b8b8f21d301c694f0b6a168ccbad1 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 8 Dec 2023 12:12:43 +0000
Subject: [PATCH] efi: add some documentation and increase test coverage

---
 efi/grub_test.go                              |  12 +++
 efi/pe.go                                     |   1 +
 efi/shim_test.go                              |   2 +-
 efi/testdata/386/mockgrub.efi                 | Bin 0 -> 3761 bytes
 .../amd64/mockgrub1.efi.signed.shim.1         | Bin 5568 -> 0 bytes
 efi/testdata/amd64/mockshim.efi.signed.1.1.1  | Bin 7304 -> 7304 bytes
 .../amd64/mockshim.efi.signed.1.2.1+1.1.1     | Bin 9096 -> 9096 bytes
 .../mockshim_initial_sbat.efi.signed.1.1.1    | Bin 6744 -> 6744 bytes
 .../amd64/mockshim_no_sbat.efi.signed.1.1.1   | Bin 6176 -> 6176 bytes
 .../mockshim_no_vendor_cert.efi.signed.1.1.1  | Bin 6800 -> 6800 bytes
 .../amd64/mockshim_vendor_db.efi.signed.1.1.1 | Bin 7304 -> 7304 bytes
 efi/testdata/buildenv.yaml                    |  12 +--
 efi/testdata/src/grub/Makefile                |   2 +-
 efi/testdata/src/grub/elf_ia32_efi.lds        |  86 ++++++++++++++++++
 efi/testdata/src/grub/main_ia32.S             |  13 +++
 .../src/grub/{main_x86_64.s => main_x86_64.S} |   0
 efi/testdata/src/grub/mods.S                  |  14 ++-
 tools/make-efi-testdata/apps.go               |  38 +++++++-
 18 files changed, 167 insertions(+), 13 deletions(-)
 create mode 100644 efi/testdata/386/mockgrub.efi
 delete mode 100644 efi/testdata/amd64/mockgrub1.efi.signed.shim.1
 create mode 100644 efi/testdata/src/grub/elf_ia32_efi.lds
 create mode 100644 efi/testdata/src/grub/main_ia32.S
 rename efi/testdata/src/grub/{main_x86_64.s => main_x86_64.S} (100%)

diff --git a/efi/grub_test.go b/efi/grub_test.go
index 4b76f741..91f1989a 100644
--- a/efi/grub_test.go
+++ b/efi/grub_test.go
@@ -53,6 +53,18 @@ func (s *grubSuite) TestGrubImageHandlePrefix2(c *C) {
 	c.Check(prefix, Equals, "/EFI/debian")
 }
 
+func (s *grubSuite) TestGrubImageHandlePrefix3(c *C) {
+	image, err := OpenPeImage(NewFileImage("testdata/386/mockgrub.efi"))
+	c.Assert(err, IsNil)
+	defer image.Close()
+
+	grubImage := NewGrubImageHandle(image)
+
+	prefix, err := grubImage.Prefix()
+	c.Check(err, IsNil)
+	c.Check(prefix, Equals, "/EFI/ubuntu")
+}
+
 func (s *grubSuite) TestGrubImageHandlePrefixNone(c *C) {
 	image, err := OpenPeImage(NewFileImage("testdata/amd64/mockgrub_no_prefix.efi"))
 	c.Assert(err, IsNil)
diff --git a/efi/pe.go b/efi/pe.go
index 057947dc..6091bc45 100644
--- a/efi/pe.go
+++ b/efi/pe.go
@@ -51,6 +51,7 @@ type peImageHandle interface {
 	// Source returns the image source
 	Source() Image
 
+	// Machine is the target machine
 	Machine() uint16
 
 	// OpenSection returns a new io.SectionReader for the section with
diff --git a/efi/shim_test.go b/efi/shim_test.go
index 02a73433..2b140462 100644
--- a/efi/shim_test.go
+++ b/efi/shim_test.go
@@ -320,7 +320,7 @@ func (s *shimSuite) TestShimImageHandleReadVendorDBEmpty(c *C) {
 
 func (s *shimSuite) TestShimImageHandleReadVendorDBNoVendorCert(c *C) {
 	err := s.testShimImageHandleReadVendorDB(c, &testShimImageHandleReadVendorDBData{
-		path: "testdata/amd64/mockgrub1.efi.signed.shim.1"})
+		path: "testdata/amd64/mockgrub.efi"})
 	c.Check(err, ErrorMatches, "no .vendor_cert section")
 }
 
diff --git a/efi/testdata/386/mockgrub.efi b/efi/testdata/386/mockgrub.efi
new file mode 100644
index 0000000000000000000000000000000000000000..2e2bdd8bb415c60ad861de8ececf59a748801ae5
GIT binary patch
literal 3761
zcmeHK!EO^V5S=towSfi>+;Jri93q==;J|5H+DJ%6Af@8KCGlq6jYYhUyk1f`@d=gq
z6%G|AB+fl^?H|A&EHj%82@#;sThLB4w&!`~tvyM+o@cMlpbh}nQ1cw%9D9<WX#d{4
z$LZ$XPfhr^eX)C9JG$6C9_o~hosFF|Y#@`wdKN0?vV`e`9X#(cV<W|Pb{h9e>KBIq
zN44uys|m1;qf6MV->7ZehYd8gO2^ySld=Vy=9eTIBY>Ov05xbV&CN`rSy=-3BhShl
zzj5SVoqEKJwNOKQp)X-U7(ky#(o4i{5{^LOw@Joa0)WrlsgWI&YenFf+?B2f?_>T`
zG8yVY9~*k^QlbKYfTy9P^?gN+`q+?Pu?Xx-3D9pguKM-NK=FV7a&k8NtmiJORbMp&
z#tvS`E(@<3U&XC=2DUEqeChaK?+sO}|ECNXZDM+@GgP_<-a!?Iou?uTv&3g;Rq{V)
zfUbG1cB{L;cg$WYmuj1|N^I!;IDITcto<+x`M?_ChM~1yq(f~)II^KIQYV6fxrrL|
z9zm{-Q;K!%iJwTPSjT1w-eHNin19G0JZjCTCzA<}lZ;yzi?oao<R%I-E(b;-;~sYG
ziFIS^7MR*UX~>Q1<c%EZs0go4v{iqzT%BsV=Tik%L#;!U8S@rLRCv*)zYZfAs!<z<
zg+)kDP0JT5TqtS-da0L=h)_zTtZ?QCji|)={w>extih<Vx}h0*79wg6O?_@5UikG=
H{Z7FT{|utX

literal 0
HcmV?d00001

diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.shim.1 b/efi/testdata/amd64/mockgrub1.efi.signed.shim.1
deleted file mode 100644
index 2db4a6f3cbde10a9599c6c83913787263cbfa102..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5568
zcmeHKeN<CN7N7T#1j0wq0HWgh0BsR4c`t~91qz}-Rm6&NDo2ETJVG>ik$ecWSTQPE
z=(Zx_Y6Xj0ceQJ`;<89tKd53`*Mlh9RZux}m8vLyRI&KU&V(Q-yYA^9?jFw`CTHHe
z_jm8y+_`h-zL|uSb$|c>kg)gk08j(ps6|<y|M`&*#jc}kT|t#&gHH`Mv%zO>rp8Du
zG3eC>xsFoGIZkh)6f9*hbCiaorY0s)I=zaOxVQ+%*i6r!27s!7*UPyA;0UQZfR8)j
zxIe%l<6u*CgKyOP8lsVWKnu!;0Gv!zHvqx`vKO)TW?!UJ1ATK4Kq>X>?Y_v?zr!Ua
zHpc`7R$uz&h8D%HQ2?Y%46IhKwD|x5YYg~yN|1~KV2VT~H_0LGf<!dz_OV15Y*7Hz
z!SygAItV?Mz>f3=1TG4yN{k9Q^6wn%L4A78kg;n~R+DzXAo<EiApYAr<l|A%=vA-0
zuY(T0{0KP0S~Fm~zx+QLwD`(KK&MwORvXL;=9Tqu(6Rq!1aumm8rk=<{fYG)0BLk4
zbcbC!E%q&`Sz+c(W}C*~>;EYN=vWuT1SL(0o=YXO2BSvL1=+AnlWB=@vQ(<pm@>@@
ziBhkV8Zs4ny-8}!)aaxNtzIG3$u*o54VLIsLR3eftylxgQc3y@Q?}f|Qn7k72hXC&
zu2n9R&=Z6DOlN0jOVpfMqBp3eM%xG}Qj=PZN#sf$3oS;&7Zsy7EYTb6EHTf`AT^1G
zTPoLTRMz2xU$kGFqY^epgU<EnYJ<T}0F_y%%Y_uWiJ>Y$0IgiXYHc3~bUh$I8ryqa
zfrkg{C>*32O>zS=)Q{M1H2nyo(3R%t?VcWF8IH2uQjo-ku)PqvxAY<+NLlsLjGA{@
zq=_1d9L8}#Tln34$AE(Pf}dS50bXI@Ux!dTj$w?5cHujw7sO*MLE;z>&^dfzARi+!
z%Oo5lD;Ck2bg&&FqQ?>#sGzq0Cf^%`TYrf_0gONow15RB*dx)8W(L?Lso<LqpKS>&
zYnVO1Q5n|JfECDMBWHQ+&01Kr;P70b-<k>w(L`H_le7h|t{`v>$8q91vSRZabAsNf
z7$@41Ps}6vVmxjN<3_t8#z8EY#;LV(PGy}BL<C~~Og*R4bBsGZ6sZWsPRT3;4Afhk
zQo?xCBM?f6#dBGsiJAusINaG*c}z4-4Revva0(1<Z7E(N8S@K(&VEULNa^vte!TWC
zek8F<Gb{~LU@f7NG-^)6sVRoGV7~S-fh$H>FcDl~Oo&@B3><u{ObN?d66i0vRN5&{
zp53;#t~esPu`EGS%04-o`n#$U`pltpiARrnV(8Aa*6w|5<k|D1tDGV#7tE?`E9PxT
znDUp0+#cd;!12Nft)ywEc4&D>+`)IFzc{&}B4kHLbMSBHFa4;Xe&3htYsSUgPWt&+
zVf~{gW#3M4KQpSeIAZf`OZ@uxLb|?Oe=7a8sMbU0;zC#Ulx*p2NnL-+x$A~&wLE8!
zs&nS4&<IV?%>3GwnMS{rVQsz_Iz}gn#(mZjwkLG6sh-4I&NxI>E|oDCN?qEU&SPWQ
zrjWe+`-O|ZL0!lGO222O8OuEH9?2sc2*JhX?sFXV`1Y~V)3S>{UBY2{Vmr*V(V7{f
zL>SgXk_66cqs1`LqsEfXw2<!rGn~g05CrXvKrvFnX+V!coGa-`y8pTBCynRZY3zX}
z&qp(I-bh<mSNH=x8j1Z#FWNKTz3I-7n6Q(%Pu2CyG6FB{yG7(&n_<5&Fj?WkU|{N%
z3GRx&SC+4;c(U6!pIA^5RxLi&;*+Zl$(uAOJpQXA2f*dk<9&y6g`18X7``#!AB9^b
z(ud#8`I}jP?rvDXmfAa!yX0D3Vu#l;ukF<n5>j`3gMYa9`iVc4?mo|RYv8@Ve6q`k
zH@**8@rMz!ir&#BezT6LtVnLixapABe3hJP9KW;h__Pn&vmdpTb{&7vJZ$8_tDRTW
zkIOcf8`AuG8nH38N2(IRt%<(Rl$)~jfBouqr?(r^etLV>qz}ojI}PpEKPQhiIl5h*
z{=?+%ZJV2aoUFb4&=lxd`k-#vLT^{+59T+PI(|3g*__rjw^D_bCCS5@x_BA8h%gJW
z=~<O}+IGf*FM~Te7uFhj(f?-q_SFr$s#dY0ogV(Yk~k8Kvt3OiY43g!j}gJmAIvba
zP$pQ$Opv9}(tat)_>xrC)^(91!71;Phtt+RSfl;u6M6l~5qHMNO{}cn;y!<|51rdT
zK*VU_w4I)pSS-Mv@w8`fl$gD>ju61??W18G1o<$v`gtsh7Vvq2t^_XlCGKyZfv_}?
z77XN+uJ&k~*zG@jda#S@ACn(Y^MpQ$&2QHDi~Yl{8ES6M*%oteXv^CB%lU7wif9Ub
zefRf%ZtvY|50O5rE8gp0ba-;t@?+saxvlBp?N9f6-uv`ol5xznqti#k3)j`vdZhBP
zL#}L1LJs%N*&ADBYvaC7{ldF~|Nbs)h0E{N0j15pQ*T^LPx`c0744>KYn*XsfBD6%
zknl~XulAgH?39d;jm|E1_;}pC*FRpRbX>b3G~XkosJTW09(1@j7lXu&hqu+-II+#y
z{cdFKk8hs6d)7x@GBP4|NB4!s3_<XYk=1iPQ7)w)l?h^J8|upMXMG;SQMVSe<xN)(
QI~8pl;w#&>8hr=<2>^rz!T<mO

diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.1.1
index 77103be20ffc5c10c83092d52079c0c0cbf49bd4..ae9bc9da034d5112b0a5f718e24b9a50c944ba2b 100644
GIT binary patch
delta 294
zcmV+>0oneDIfyxs*ab<;000V;K>;VT1OdAl2{JJ;GBYzaF*%dS8o+<Qd5F*XvqvI6
z+Q06qR0768g}1hJJCvz6z`B*>8FsL$XlkR)+h14e$LZAKx}|;hj#`c$<wt!%Ovm|c
zE-{!0fgWV$7iIZ}cci7}C7&Km3j=QA-p)`WlFS;@JjdF|{ka~XPD`_bn&49;`W@O6
z5+pAPKKuEq5-<OTFzJ8YZ27)dy^x?!2(e)<-%2+y2u`_Vr3yf__5VcOW+GO)W?Y$*
z7N3Oz<=Oet@8FSDD&rVCU`$roeB=QTm)>Rzo&cL4z@%MPi!9F&oxu-cp$JZw-MX=z
s_LCAMl50@c=;HCr6D7XvcRE?iJMQL;pU!3#MY_iQ))jqOE`|c_>1yMUk^lez

delta 294
zcmV+>0oneDIfyxs*aaw|000V;K>;VT1OdAl2{AG_F*7qVH8hjR8o+;vb=nf^lOdRl
zX&O5_T0S3vYJDg!O>aF+2y@&`FMR?yILOdisIb&6H?O~VfkO(0BSFXA0MnT)(*z>~
z){VwyS4=lyR~bb7!+S`wC@D6acgf(pXF$%$Ddgh^Cf?u|l?tBTj8Fvq=1vJ<j7@-3
zRWBS@<GixviE{Gydk}vOoyUJ0Wx)76!f@hEKEU1CK7rM@Fwe>KCuUFNELj!y6caVC
z<bBnTRjKXvp3PBg;Wk0F*TyF{&q-B$LYVrIEj5`*OKB8b)I-K6n_dM5ZaJ#>gNLgP
s4%uimn>h(3Et6bg4KzbsnG!~<)w}Riq2QwIgsPQ55Vw_C`;!7#{%~!C2mk;8

diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1
index 11603a720f3e4843ee0fcc883af795bc97388517..ae95cf40efc52db73276f3e49211bb2be8a98299 100644
GIT binary patch
delta 572
zcmV-C0>k}?M~Fv|*ab=;0RRe<K>;VT1OdAl2{JJ;GBYzaGBA_K8o+;4V}>%ZaiGIz
z_fRTWG!rKz{&@9>$OMVG;tb}Xee1l|Uae61_BwaEWr*qY;*?(kS>-J&9K^H@i-WX8
z5qw||rDD1*AT59&{DXK;S~cA)m=;O?r@W!OC2>l_ysUWKk|4|f0#>hgo1KzTT(7B0
zm8{e8oNVx;n8^>!PCS3+ZSp?Py%jAK;63_e=N>9#doplNwX;mgN$|auINWE~SVVRR
zSC-LvLZJ(;>G$a4n*{%7%PGYu5As$IQsr<N<j?m$bqD;tuo(3t7%n|)sa&X7gAw~O
zqZtPI+fVk+y(^m^r^i%^hsHUUn{XDSF_l#I*5s{$h8q?DR{R3cptFb^Hw6hYF)=bT
zGd40XlgJvte+6V3`Cq1<4R~4SWF_QxM3-KqvMJqO1p|=PBa16cF^;ptit=4HGUmIH
zbfpExcKR$AyfXFQQSDgWoUGrf-s}2zhCbTXTYaS%yMl6&l^;uT?-%DnhV!)P;HVu}
z0dl#KH44qU=ibR7sM~_gY~u`^nUbL58B}kXpKd$Pe_fr%`S+W)%G+G90}Y$D(8Jw%
zD0e?kMp}`0=b>@^Uc5_yf^7AOsN(WeTCN7-7eY<;;W|}m4WCdeo1}RwRoOIBcjPk&
zLzPs7^fG<Q6lbJ`J!D3~&ik`Pbb5SWV@gfnhi6x*M8H<ZCMa%s?6XytwLaM!s=h6f
KD3>|>0&<?yff#52

delta 572
zcmV-C0>k}?M~Fv|*aaps000V;K>;VT1OdAl2{AG_F*7qVH8hjR8o+-`*K)e{E~dld
zBFbS!^cGNuIPt0xQ+!M{>eP4Os~-mD_P;AReEAt#>KiJ!JCk#4fVSxN>y8lnwy)mM
ztf-C132l#p)sKJ=v&>eU8*IS))sXtjLZ_~OfA@eE1T)PA4(L$b-Rpt>fG6AEwpMN6
zrjT~mu|zOvjIf%Smui2PMl{2dc+E{|OE%Q2Uc}l7*}-KuCd|x0y#p+meCowqu3VTR
z&OuQeYhBcSXC)tlp|awT?VAQn8-<c$-a=(VX@2wRHaya6yfQPJ#K(CMVPDp-#x(E#
z6j<6|WBGK;M!NL)fQ&v$<cqPVu8VIdZV?#NB28N<-18KV@|yzWc(aHcHw6hXGB`0a
zGcq+algJvte~ES466=#8n2c!}J3CrFAAxFpC@xKJJxmC5+)Xci0ysFx&|0Xl)Gar!
zzj%Q|3Wg&=$K3$anJm);BLvos#%5PcH(^&9MEt{hNU|s?Hk^0K;Jar)&dDj{;|C_*
z;1`t&p5Ba51pVet31Ey(fKyd399QGKvgL_#^7nfXe+`|-e;Z}M_&maJ;!Qrl-Pt~Y
z)weLu$@C{?Pvk6F74{SpHLv7-)sI!F?e?C{QEcHhLABS$CpOPXReVC2`jIU)nMq4&
z6kOCp#wVLz1qN<8s`!J4s|^m>Xf>NT2_-F)Tw)D0LtL2>My%Dl@KmATqU?mKl|T@;
Km0A0f0$BbcWD-aK

diff --git a/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1
index 22e4e1424909fef7a4a194f812f06e2278a6ebda..1d5dbc2435efbd01b02eb474e6decccfe7516501 100644
GIT binary patch
delta 293
zcmV+=0owl9G}ttd*#rmy01A^q0VlHr0gD$2GBGhSGcz_aFq4=Vz<-#AC$Q>X{uVIX
zefD=icX9w8i}u9^>`tNeXJD)hE>8;bAzg#?%sbuckoXfAZC8lN5uNOjv-{ny6Vv;S
zvf%&OhgE+HH#H+{ZS}nG_pj%`C@a=FrL<0j5W9so^<U3n2qg$+jHG&fbBpJiutogL
z%h+)H9ciI@A9kI-?td*u(g%auOGNJ~;_!MPYu^!A#N$TCj1i!(a?4F0A%xS`rn}>@
z?Y&kKc!83ek(J+gK^bB#u--=naTwi$w8}CXLot%v43f<DCrJlTc9(>Y4}gkrPn_wP
r-7j*XckXe+&e(PCteE&hLU%;7(y?S=_18dlhR{3@><3+z3<AK9-rbPq

delta 293
zcmV+=0owl9G}ttd*#wpV01A^q0VlHr0gD$2F)}zYGcz(ZG?SPZz<+nrIHBfV$9xgb
z;leylGAzrlxwT)!^n7SZUeoGz$DE=3Sw)qgA#t7exx#wX17bMsjnNTG+QSA80R5AM
zSa5r5Hypw05De>OR)2PLXSSy;2M4l)Wj*vn(G}i8t<IwA(rl4gIc<tT^ExEJd)czm
zYO$*=+a80qF;;;w5r4tjpkI&1Ys=ud(Rb~{AdTDGC;i5k#Bg}Q1RoyD*8k0^Xe>Ce
zdNmt;Iq<iE&7nC8!4aYeo<7duUA@fE`Xja8#MQdl)OmJPco90+V9}6V$Bd<3Ld@e(
rh8)9=x=S_`T|9R4A&AU~0tHd3?nt~;)lRwcXtKs!wQZ5jkped&c;Au$

diff --git a/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1
index a8b9857462dfd1475c51f581d4ffec1ed920c4be..724b561280442a7fd644b6069fe4c5c2d9523fea 100644
GIT binary patch
delta 294
zcmV+>0onebFrYAy*aeYA000V;K>;VT1OZbO2{JJ;GBYzaGBA^17QlZ#r!1g)E@^Pu
zVd=&h6t#HAd!^5u)JS_#CAAy}QQARTs0!JtwzuNlEpB|kCn>`MmV4k~e(Avm2X<vC
zx#?>nVr#Lw4*!^j_mfh2tS)jW-K|5lhd46fBzTh=a{;k;PTuB1m{06I;g`3Ia50CF
zl33vskQeuMNc2hTbp?N@8$y1W8Sh6Bz3$Sp_r&C;qS#_YXv`u`7%oR^DmOB+*w{!5
zC0L&1_=WA*<7nhiSA0~idhp}9Gq!2cv_=a`yoy$C1FuJba4ItQFN}-g?&8OBp&T?H
sr9~*$E@1Xx=Fl!1WI+hPY9}JiO;J|?Fb-it1|#17;9#}*MhgO+P?}zcdH?_b

delta 294
zcmV+>0onebFrYAy*agn4000V;K>;VT1OZbO2{AG_F*7qVH8hi87QlaKYdn<H$`k&w
zLw1($<q3>#O&`0gmarL)@1nCR4@}XpB9BkNMq#QsgCKThPbW}~7O`k)U!1h8aQs2i
z`J!>5p1IQ&czFIHvj535eQ9K?XhX2=^{;k!V@_};&>Ln`830n<Oq%Mr`{4C17p)zb
zC>V>P{yrZ&n-Hd4G-ZEtNL0a{qvhQd9DcgTJy#7gR#h2S19I{KO7kDj6_b`wS|itE
zyP@8Aj_m|gC=EW|amt3Yr#8>xHkD>?JM=pgsvJ{Ne%D=s-VA_Apq8zTf7}`n!q4(_
s4&dX_93cRz!+-Qy?IuaX;2{JU0o9hI*l4DNd_-Axr#Ufv3q1m4Fob@E#Q*>R

diff --git a/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1
index 50295a97de659e65b21346ba81bc17069361431f..1baf8610ebe1b1969feb0e09ef13f1a572a16649 100644
GIT binary patch
delta 294
zcmV+>0oneLHIOxs*ahD!000V;K>;VT1OdYr2{JJ;GBYzaGBA_S7{GrPem6pOx-KrQ
z`_a1hdX$cOOKnuC_19^!oM!-D9DK}vLv9Khmn$=xE&<H(ct^}^%}Q5Po5NY@#T3`E
zX3G|48s}l8b!x+b)Q@@E5t6*7VCNLK2l*h-8L$SaU9rlQymCAip`Z(L_UvkS;*L3Y
z66CP>!)>C8fh8k!Y>a;-Q)=3!<9mlM@U|K?$+_Yv=R5AunQ>795{>i7>nauj;=nmU
zL$77XV_l{}SpX%@eIVGM#x1DxWnwJ)=i*-#YBV7yGCDR6nZC<&VC_bsN7VgC7;#QX
s5@i-xn$YGZI9(T!eyZcFSvNwg4Xi&_7{p@(tRpZmJAi?w@ZSPOEMv8XX#fBK

delta 294
zcmV+>0oneLHIOxs*acTn000V;K>;VT1OdYr2{AG_F*7qVH8hjZ7{GsU3Fyfk{H^vj
z(|SI3k+iU<9N-`X{K;Mv$y<x+@xh*8s8$4oqyOgBZS}UT3^DXa#J{lQm|7wp+kN+M
zMZ1lS*9n2z{wSmk6#UXAe&#P>BcJJ;;3carsdjnA*XZsJyOMX0hu#Fm{i{-w^qWX9
zYpyVN6#t~pxL6Pu64HNDsjWHG$6#aDj4Rg<?|h6~KgFR%#F7vrn0sUxi|N2pQhkQQ
z3kEJAccv5ruZ3Xe>@6f<zZ$^W+8%JwpF4uXmhN>~Ri)<86L?-tE;4UmI~tiXk;t_g
sB{{^oM4cx=;cm8f@pDv2jHgkB{BN?+^ck10;L8XZ9;$?;D;@%ts`V3&oB#j-

diff --git a/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1
index 6a4e06a96187c5e32aba4a054f3531fe9527f62b..cf597039c6193323a4ccd0e7fd76618870740c9d 100644
GIT binary patch
delta 294
zcmV+>0oneDIfyxs*ahiO000V;K>;VT1OdAl2{JJ;GBYzaGBA_K8o+;0^amjq*WXPq
z6YcGVfmYOvouNw7!>3Jxtp+ZnbZ2Ej=4MUx9+4h^+oUO6CRBb}gS>kW<eB3RU0E6S
z+L9hxSZ~C6Aa0Ry&T(n6KLJd%z4csWAZFXdj$}{2r|CYg=htEWAhj{{3UV}&cao?~
z#?n7XSKy_+;CVgDZAyPpbo?Jkg$F{R`4%y)2h=G!AYR?T`)SD@8>a^LMyu`@b#Nr<
z?Jp#??}w|Zw>7mTRKfIEv^&DplEZf$%$$+;Vu+L4f%Hp}z!YfjoGjMwZzW}w*3_cP
s&<fYe(PsQ)>A$(unP(LV$`1q1vnr3}-f<>)N>f={DdZ1z8|wlo!)KX}VgLXD

delta 294
zcmV+>0oneDIfyxs*afSo000V;K>;VT1OdAl2{AG_F*7qVH8hjR8o+;AVz!95v9)b^
zyN7VpyV$={O5DhNM6&d`O`dnxYr9smXk+v`=iuTT#g@Mq(M>I=3x3!j#}WI4&=r<Z
z!7)p*QRZX63WN_TswllPU=-fMMaF&b+2tiwxNe*1ykpW%-*`1_k0|B@Lwa?Slxms2
z<1M`_&}?z|WCfEj)EIx@LrJebG|JgP`05l|IQSVE(6_n%i*;d8g=eG)L4g0pMaPJv
zb)AIVHPJEt!`#GlX`5U&57K0BoBm5fMBc{QrkW<I$~Vf!ad#nzw5TT=)I4=d8!EwM
sJz$sW$*jdG{IF@51c3`-lc~%H+ggFar)uqRFJupG`n;zztGoiC(7TJ0k^lez

diff --git a/efi/testdata/buildenv.yaml b/efi/testdata/buildenv.yaml
index 4697f3c0..af676f59 100644
--- a/efi/testdata/buildenv.yaml
+++ b/efi/testdata/buildenv.yaml
@@ -1,7 +1,7 @@
 go-arch: amd64
 go-version: go1.18.10
 kernel-version: |
-  Linux version 6.2.0-37-generic (buildd@bos03-amd64-010) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~23.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #38-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 30 21:04:52 UTC 2023
+  Linux version 6.2.0-39-generic (buildd@bos03-amd64-014) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~23.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #40-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 14 14:18:00 UTC 2023
 os-release:
   BUG_REPORT_URL: '"https://bugs.launchpad.net/ubuntu/"'
   HOME_URL: '"https://www.ubuntu.com/"'
@@ -51,8 +51,8 @@ packages:
   libbinutils: 2.40-2ubuntu4.1
   libblkid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libbz2-1.0: 1.0.8-5build1
-  libc-bin: 2.37-0ubuntu2.1
-  libc6: 2.37-0ubuntu2.12.37-0ubuntu2.1
+  libc-bin: 2.37-0ubuntu2.2
+  libc6: 2.37-0ubuntu2.22.37-0ubuntu2.2
   libcap-ng0: 0.8.3-1build2
   libcap2: 1:2.66-3ubuntu2.11:2.66-3ubuntu2.1
   libcc1-0: 13.1.0-2ubuntu2~23.04
@@ -88,11 +88,11 @@ packages:
   libsmartcols1: 2.38.1-4ubuntu1
   libssl3: 3.0.8-1ubuntu1.43.0.8-1ubuntu1.4
   libstdc++6: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
-  libsystemd0: 252.5-2ubuntu3.1252.5-2ubuntu3.1
+  libsystemd0: 252.5-2ubuntu3.2252.5-2ubuntu3.2
   libtinfo6: 6.4-2ubuntu0.16.4-2ubuntu0.1
   libtsan2: 13.1.0-2ubuntu2~23.04
   libubsan1: 13.1.0-2ubuntu2~23.04
-  libudev1: 252.5-2ubuntu3.1252.5-2ubuntu3.1
+  libudev1: 252.5-2ubuntu3.2252.5-2ubuntu3.2
   libuuid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libzstd1: 1.5.4+dfsg2-41.5.4+dfsg2-4
   login: 1:4.13+dfsg1-1ubuntu1
@@ -103,7 +103,7 @@ packages:
   sbsigntool: 0.9.4-3.1ubuntu2
   sed: 4.9-1
   sysvinit-utils: 3.06-2ubuntu1
-  tar: 1.34+dfsg-1.2ubuntu0.1
+  tar: 1.34+dfsg-1.2ubuntu0.2
   usrmerge: 33ubuntu1
   util-linux: 2.38.1-4ubuntu1
   util-linux-extra: 2.38.1-4ubuntu1
diff --git a/efi/testdata/src/grub/Makefile b/efi/testdata/src/grub/Makefile
index ef68df56..58114769 100644
--- a/efi/testdata/src/grub/Makefile
+++ b/efi/testdata/src/grub/Makefile
@@ -35,4 +35,4 @@ $(NAME).so: $(OBJS)
 	$(LD) $(LDFLAGS) $(OBJS) -o $@
 
 %.efi: %.so
-	$(OBJCOPY) -j .text -j .data -j .reloc -j .sbat -jmods --target=efi-app-$(ARCH) $^ $@
+	$(OBJCOPY) -j .text -j .data -j .reloc -j .sbat -j mods --target=efi-app-$(ARCH) $^ $@
diff --git a/efi/testdata/src/grub/elf_ia32_efi.lds b/efi/testdata/src/grub/elf_ia32_efi.lds
new file mode 100644
index 00000000..f27fe5fc
--- /dev/null
+++ b/efi/testdata/src/grub/elf_ia32_efi.lds
@@ -0,0 +1,86 @@
+OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+OUTPUT_ARCH(i386)
+ENTRY(_start)
+SECTIONS
+{
+  . = 0;
+  ImageBase = .;
+  /* .hash and/or .gnu.hash MUST come first! */
+  .hash : { *(.hash) }
+  .gnu.hash : { *(.gnu.hash) }
+  . = ALIGN(4096);
+  .text :
+  {
+   _text = .;
+   *(.text)
+   *(.text.*)
+   *(.gnu.linkonce.t.*)
+   . = ALIGN(16);
+  }
+  _etext = .;
+  _text_size = . - _text;
+  . = ALIGN(4096);
+  .sdata :
+  {
+   _data = .;
+   *(.got.plt)
+   *(.got)
+   *(.srodata)
+   *(.sdata)
+   *(.sbss)
+   *(.scommon)
+  }
+  . = ALIGN(4096);
+  .data :
+  {
+   *(.rodata*)
+   *(.data)
+   *(.data1)
+   *(.data.*)
+   *(.sdata)
+   *(.got.plt)
+   *(.got)
+   /* the EFI loader doesn't seem to like a .bss section, so we stick
+      it all into .data: */
+   *(.sbss)
+   *(.scommon)
+   *(.dynbss)
+   *(.bss)
+   *(COMMON)
+  }
+  .note.gnu.build-id : { *(.note.gnu.build-id) }
+
+  . = ALIGN(4096);
+  .dynamic  : { *(.dynamic) }
+  . = ALIGN(4096);
+  .rel :
+  {
+    *(.rel.data)
+    *(.rel.data.*)
+    *(.rel.got)
+    *(.rel.stab)
+    *(.data.rel.ro.local)
+    *(.data.rel.local)
+    *(.data.rel.ro)
+    *(.data.rel*)
+  }
+  _edata = .;
+  _data_size = . - _etext;
+  . = ALIGN(4096);
+  .reloc :		/* This is the PECOFF .reloc section! */
+  {
+    *(.reloc)
+  }
+  . = ALIGN(4096);
+  .dynsym   : { *(.dynsym) }
+  . = ALIGN(4096);
+  .dynstr   : { *(.dynstr) }
+  . = ALIGN(4096);
+  /DISCARD/ :
+  {
+    *(.rel.reloc)
+    *(.eh_frame)
+    *(.note.GNU-stack)
+  }
+  .comment 0 : { *(.comment) }
+}
diff --git a/efi/testdata/src/grub/main_ia32.S b/efi/testdata/src/grub/main_ia32.S
new file mode 100644
index 00000000..0c33fe18
--- /dev/null
+++ b/efi/testdata/src/grub/main_ia32.S
@@ -0,0 +1,13 @@
+/*
+    A simple EFI application that just returns 0 with no dependencies
+    other than the assembler and linker.
+*/
+
+	.text
+	.align 4
+
+	.globl _start
+_start:
+    mov $0, %eax
+.exit:	
+  	ret
diff --git a/efi/testdata/src/grub/main_x86_64.s b/efi/testdata/src/grub/main_x86_64.S
similarity index 100%
rename from efi/testdata/src/grub/main_x86_64.s
rename to efi/testdata/src/grub/main_x86_64.S
diff --git a/efi/testdata/src/grub/mods.S b/efi/testdata/src/grub/mods.S
index 3686304d..f94651f2 100644
--- a/efi/testdata/src/grub/mods.S
+++ b/efi/testdata/src/grub/mods.S
@@ -1,10 +1,22 @@
+#define GRUB_MODULE_MAGIC 0x676d696d
+
 	.section mods, "a", %progbits
+#if defined(__x86_64__)
 	.balignl 8, 0
 .Lgrub_module_info:
-	.4byte 0x676d696d
+	.4byte GRUB_MODULE_MAGIC
 	.balignl 8, 0
 	.8byte .Lgrub_modules_start - .Lgrub_module_info
 	.8byte .Lgrub_modules_end - .Lgrub_module_info
+#elif defined(__i386__)
+	.balignl 4, 0
+.Lgrub_module_info:
+	.4byte GRUB_MODULE_MAGIC
+	.4byte .Lgrub_modules_start - .Lgrub_module_info
+	.4byte .Lgrub_modules_end - .Lgrub_module_info
+#else
+# error "unrecognized target"
+#endif
 .Lgrub_modules_start:
 #ifdef GRUB_PREFIX
 .Lgrub_prefix_start:
diff --git a/tools/make-efi-testdata/apps.go b/tools/make-efi-testdata/apps.go
index d4ef0fb5..b5edf385 100644
--- a/tools/make-efi-testdata/apps.go
+++ b/tools/make-efi-testdata/apps.go
@@ -30,7 +30,21 @@ type mockAppData struct {
 	filename  string
 }
 
-func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []mockAppData {
+func newMockAppData386(srcDir, vendorCertDir string, certs map[string][]byte) []mockAppData {
+	return []mockAppData{
+		{
+			path: filepath.Join(srcDir, "grub"),
+			name: "mockgrub",
+			makeExtraArgs: []string{
+				"GRUB_PREFIX=/EFI/ubuntu",
+				"WITH_SBAT=1",
+			},
+			filename: "mockgrub.efi",
+		},
+	}
+}
+
+func newMockAppDataAMD64(srcDir, vendorCertDir string, certs map[string][]byte) []mockAppData {
 	return []mockAppData{
 		{
 			path: filepath.Join(srcDir, "shim"),
@@ -154,9 +168,20 @@ func makeOneMockApp(tmpDir, dstDir string, data *mockAppData, arch string) error
 	args = append(args, data.makeExtraArgs...)
 
 	if runtime.GOARCH != arch {
-		args = append(args, "CROSS_COMPILE="+crossToolchains[arch])
+		if runtime.GOARCH == "amd64" && arch == "386" {
+			args = append(args, "ASFLAGS=-m32")
+			args = append(args, "CFLAGS=-m32")
+			args = append(args, "ARCH=ia32")
+		} else {
+			cross, exists := crossToolchains[arch]
+			if !exists {
+				return fmt.Errorf("unsupported architecture %q", arch)
+			}
+			args = append(args, "CROSS_COMPILE="+cross)
+		}
 	}
-	args = append(args, "-f", filepath.Join(data.path, "Makefile"), efiName)
+	args = append(args, "--debug=a", "-f", filepath.Join(data.path, "Makefile"), efiName)
+	fmt.Println(args)
 
 	cmd := exec.Command("make", args...)
 	cmd.Dir = dir
@@ -246,11 +271,16 @@ func makeMockApps(srcDir, dstDir string) error {
 		return xerrors.Errorf("cannot write certificates to tmpdir: %w", err)
 	}
 
-	for _, data := range newMockAppData(srcDir, tmpDir, certs) {
+	for _, data := range newMockAppDataAMD64(srcDir, tmpDir, certs) {
 		if err := makeOneMockApp(tmpDir, dstDir, &data, "amd64"); err != nil {
 			return xerrors.Errorf("cannot create %s: %w", data.name, err)
 		}
 	}
+	for _, data := range newMockAppData386(srcDir, tmpDir, certs) {
+		if err := makeOneMockApp(tmpDir, dstDir, &data, "386"); err != nil {
+			return xerrors.Errorf("cannot create %s: %w", data.name, err)
+		}
+	}
 
 	return nil
 }