From 16419c7076c4360a089aa6bdc4d7bd6599a37ae2 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Tue, 28 Nov 2023 13:00:16 +0000
Subject: [PATCH] efi: resurrect a deleted test key

https://github.com/snapcore/secboot/pull/274 deleted a test key that was
used by the mock dual signed shim. Rather than resurrecting the entire
certificate chain, this brings back one deleted leak key and then
uses this to create one of the signatures on the mock dual signed
binary.
---
 efi/pe_test.go                                |   4 +-
 .../amd64/mockgrub1.efi.signed.shim.1         | Bin 5056 -> 5056 bytes
 efi/testdata/amd64/mockshim.efi.signed.1.1.1  | Bin 7304 -> 7304 bytes
 ...+1.1.1 => mockshim.efi.signed.1.2.1+1.1.1} | Bin 9136 -> 9096 bytes
 .../mockshim_initial_sbat.efi.signed.1.1.1    | Bin 6744 -> 6744 bytes
 .../amd64/mockshim_no_sbat.efi.signed.1.1.1   | Bin 6176 -> 6176 bytes
 .../mockshim_no_vendor_cert.efi.signed.1.1.1  | Bin 6800 -> 6800 bytes
 .../amd64/mockshim_vendor_db.efi.signed.1.1.1 | Bin 7304 -> 7304 bytes
 efi/testdata/buildenv.yaml                    |  72 +++++++++---------
 .../src/keys/TestUefiSigning1.2.1.key         |  27 +++++++
 tools/make-efi-testdata/apps.go               |   6 +-
 tools/make-efi-testdata/certs.go              |  14 ++++
 12 files changed, 82 insertions(+), 41 deletions(-)
 rename efi/testdata/amd64/{mockshim.efi.signed.2.1.1+1.1.1 => mockshim.efi.signed.1.2.1+1.1.1} (77%)
 create mode 100644 efi/testdata/src/keys/TestUefiSigning1.2.1.key

diff --git a/efi/pe_test.go b/efi/pe_test.go
index c9f0f2ea..8b0304bc 100644
--- a/efi/pe_test.go
+++ b/efi/pe_test.go
@@ -193,8 +193,8 @@ func (s *peSuite) TestPeImageHandleSecureBootSignaturesUnsigned(c *C) {
 
 func (s *peSuite) TestPeImageHandleSecureBootSignaturesDualSigned(c *C) {
 	s.testPeImageHandleSecureBootSignatures(c,
-		"testdata/amd64/mockshim.efi.signed.2.1.1+1.1.1",
+		"testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1",
 		[][]byte{
-			testutil.DecodeHexString(c, "f1260899324e0ba7d98058decd55df34faf9884b5429288e0e67bbb2917e4609"),
+			testutil.DecodeHexString(c, "713af30678aba44b6c437cfc4fec26d386d3e2fea75b055df010d4af7b11b484"),
 			testutil.DecodeHexString(c, "4c503fa92a4d6ab180962c29aa8324cc873e8f74b259fb28347443ac8fef6af8")})
 }
diff --git a/efi/testdata/amd64/mockgrub1.efi.signed.shim.1 b/efi/testdata/amd64/mockgrub1.efi.signed.shim.1
index 358fa6f8f55a0b34db2d97b24a31c0f3784813a6..6f73204babcaf8729a7c7b546696074306e7aa47 100644
GIT binary patch
delta 299
zcmV+`0o4A$C%`9=*ahWI000V;K>;VT1Oe_43NbM<I59FcG%+-j{1L!^j*~kvC3g%q
zpb+X`r=Uzo#rU`AhrS*b-^vs^UXcaiQsY-5H@WX)Z^fXvGE7w0U;%<(el!1`-scel
zQUFzK2SFF<+rGr>HP0rf8a%~TrCk+07TS6|U@ns?@am?t)`e%#bEXZd3pj(siNsPn
zMp2&lDAq!cl8jN{!uaWb1QC9`9~Tx}>$9maAMIEE|Bgc8J&(c$&%@O;BxqF6w|&B|
zcg1<-!%)ZE*0Q}kn2)jO_By|-ST5O6U%|P|59lfhupuh*!&P>c*6^b2Yj?pDZt>mH
xFfJBhD#7!p7XrN9uAa07#MF#TkfCxA;l7Df46O4}lNDVgM~OxTNk9Mq004^AjbH!(

delta 299
zcmV+`0o4A$C%`9=*agRo000V;K>;VT1Oe_43NSS>I59RgG%_-i{1L!^PI3fN-}~W+
z)8jY;1uk#@K=n`rmTCy;5fx~j?Wv31=)Hs8ny9Au|NWT-go{)7zvm|xr&;a&Y2+Ta
z!nzi5OcT=&gQO<ICn-GGcG*IN2+n?kgO7G)h6WYSWR#1cJLinbIeK}y1MID?-~z#A
zh}}BRxoj@ImL>vGnrusdDkJv@>tqrPPJa_Wzlxt`Q8)d8*zN5dhSt2#3rv$|5c}bJ
z|4(t8j79L13n5*zlYsE_T7CwQ*Su8mqbIMhk?7c&G!Bt9utRA}18>pbN-pe^Zy?~B
xX92|;*_cOGly?hlWzL_(kjI#ud8i5gI6m7>1)_Z|A8$D<S<q|-tMLE;001Tiji3Mk

diff --git a/efi/testdata/amd64/mockshim.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.1.1
index 3d8e364671b897f71a7194cca52cc93c55a2da04..18f8aee9d86eac4596c0a1657f1c65b2cb968910 100644
GIT binary patch
delta 295
zcmV+?0oeYCIfyxs*aZvl000V;K>;VT1Od7k3NbM<I59FcG%+-j$Qr<ZH+cJ>dtzp#
zdNg}P{syq3A=1gdhp0|bb8}|}W`)fpJw`0eL(<4SNZ$dEQQF#;WA5g}yjjn32jRN$
zuJU!jHWVK3n56>jB2B;P8e!bwCh}>06F=vUs?638SA}fEC@5rP454upeHVdp|Ad9H
zd6k+d`2uFw9gAP7Wgf<VHuK`)G?s*z3MUWuspb<C>|MvAFhd|I7pV8wWg1l583puz
zu>31e1k6Llda$MD>}{!zVjSNmpWA6op-KAQoU(E{YOO!!Z_MQPXKY%je^aPb&1MjW
t#lcVaJ5nqJkHn@IFru-|d>$40Li_Koxc`kafHnhz@7u*ylsQrYE0O{rjg$ZY

delta 295
zcmV+?0oeYCIfyxs*aZ`&000V;K>;VT1Od7k3NSS>I59RgG%_-i$Qr<ZFkr_hkv<!E
zi$c9h=;2o;-%?az6o`IOaw9B{!dgg6s0#WjDe(qe&Jt=*7=^QFLi7@jWHFeK07ma~
z6HQF`3jlODW%6tuoMc1D!fUdP@6yNbp<_MVJ0;VyBiVSjM3V=9X-w{8xaBni$zP#M
zDNQke32&d%KgWA^OOoS%tA)fpEGflyFxf}sqQhwl%?~LMR-nV7juM0yyAa{^Y28{M
z5`jH62sHlyU=LQ07ultt`6E%u+xR|s{jpWQ`h)=+y~b#3?L~g~?Dq=W=C&nukw}z8
tvcGOr>u$;lwKW6X7*k)t#JEk^198w4`l1M~4a1$oZ!peTjt9>Ikhgrfg%|(;

diff --git a/efi/testdata/amd64/mockshim.efi.signed.2.1.1+1.1.1 b/efi/testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1
similarity index 77%
rename from efi/testdata/amd64/mockshim.efi.signed.2.1.1+1.1.1
rename to efi/testdata/amd64/mockshim.efi.signed.1.2.1+1.1.1
index aa936687d9d46806d7589a03b3f3b117cc213912..70a332d632d472060ae7f72baa73088849021e5e 100644
GIT binary patch
delta 1200
zcmV;h1W)_0M~Fv|*ahs{000V;K>;U|1OX@k0JALtTNJaf95n#}GLy*`Ba;apmw)Z3
zezAJ?W(Y`sx?(r#Ze&YN`xMHmDWzdtN7OSYfj~gYQa)sXqtR5D=AVcz(r`{T9<3T-
zzb)0&`~A3Th!9teE4MA+xAJ9&Keqf#PdNl+8nmN!@8xK<=nX{O<cx}RH3)&V=OvDB
zG#$`-0ePj=v(l-$0`Qrdh%Ey@Tz~jp)Tg`Hd51e_PiiSyo`B0c3r<Vnt)t5=3>A*3
z?CUS|7n*D<-HbXPr{iPb4D#fHLO>9VSTBzoLbykeq%K8Ogt@v`-@zR1L{01}-TfIy
z=b9vX{>p=O*VfoNAai?h#|N!`<g%ebx^QzMp_&tpC*?yxfUA}5$iGDHs{(_8lb|0*
zf3|RE&D@%>`mCQW^&`y}QR5F3nJ^y)163U(1Q;+DfE3W9o(TdfG7iGI_6fakGnl03
zva&D@1_>&LNQU<f0RamI00V*n0RVBh9;T+F^ZwUhIT`r;;C{)Q7+$S=+*uMwp!87O
z*xf@}dreyPKORq!zATINf@Lb#caq$Se^;z-D4Z$csaq=O#i}5j0{FYTJ7Jv`w^zp?
zHZo+a@RB%<Cqec}>*S0Jtm)Q2`NbZi_vRH{F<vZ%{{l~ZB=FzHMD!nQ@-nlq+y`K#
zN%ARX>HZ3<aSs0MaMC@`lqNL~{l{Cr?KdVnYXFV`%9dE30`qm=-EUp<^xh&gOF>!Z
zdr&5}arjmX*bK%(;}1BPTnS2P01SA>fIQLN;LDO-!j=0U5}zwo_YkA@y{@zAO23%g
zV>yOK1_Jc8j5Na_3y$!OKoccRlQ1E20Wy=F8bb;(F)}zYGBq?YG?VZlz<(BkrNdl0
zw=Z`|{eIK`pFQZq1>r|9y8{7v)LAwRcuYrak8RtGe@z4i*atv1ZrT!nNzZ5X=*xtF
zm&_f~uRY$a3d%NLD1&Een?CMOEl~V(2Z)5M(@CiAab(*1A;lHVFffIV%B<gnI0%rs
z&*8Sc0;Iv%21rsLow<yXm4C5W-MI$%YPwl+o($P>z9K92fVq-T;09e0d|}9x%v(^J
zz>ph(URY{9J56vn2MoF`xd;fqfc7N#^{=15D#h!H&^mx+MH}GsbQQ8-tywX4pln<%
z+#-iY8uJzVF3Yf%`q8(CO2TQ-00qggoXJ~r;X}N$a-MRp<PapQSORa}v#=aC1qv}S
zGB`0ZH8e3alkg$He>ZshpL=3vrFt}bME(Y_q9M}BzK5tzQFC)=1!jfKBt1qf%|p`2
zJxJdHk5Ss%mSgVb#JpM0atGnM@vic9z%~>f@0g_m>>^FS=^A0&;U@BFeG@<Dj;hSo
z4_Ae3#3(3aWDKEk6nz(ga{q*dv3Zr6DER_r*By&rsbwC<e>U^t;WU<nm<lHk_o?O+
z6YO2bqA)`sDHo{s*JT=1+ZhG)f3W;3PXx?E#d@%%=Im{$j$$0&C!gDCO`%Ep-kh>>
zI%=&y=5Ng8_h)Qcsee<bRLy1(hQ+~8_d8N71dqg~7cio+&3qme`a=8fuDJh=Gk`V&
OgYVnLRg^hW0xOaOSU(g1

delta 1396
zcmb7^e>l?#0LJ&-Fy@vui;anrnA+pJX%e;$Wq#&K*o8_=`4yVQYInwH)VXb1-I*wq
z3K1r9OY$R{j);UMEz*yRCFDnXoa>MK<NoXY^L?K8pU?X~Zx+3ZE*{k6A^`|O;tW_y
zGyp5WN=5{NF{T^g5C{Ycg@AmxftHT7z+Etp1mMs@J{-Pk!6et$<>*X+eAp|H5ABpV
z8(@KW32BYlW;BS>f(2;6^>thi9}8neF^@)&Hh`x8dI){2b6h+-GJ<6$xnSZAO-ucr
zgo$A=?|$yVK8LZix%V`VUENE^dsEU=^;wdu1rGWrY|F$$C;Qu!0|KiWV=|-GR}kh;
z9^PF`P0N?|;q#XCqutLUzuGjfHFJ)&5-n+FicY5KVb(9x^KC~r0^SgE&7QL6;dY9;
z$o<xitrr909m0rFBO_-tQf}S$wZCAmY1VGZtIBy+W%Aj#YUj;y%HkHhggtj;5A&&;
z^$=QMLD6DWRlAvTJ#JJUnS9q~x^EO&T(M;-ut9N;Sn6|mLG(+)J8sXP^2?@S&v9_A
z86$@i4Rn{Y0uxLQ)V6DUp^1>Nu0UAAD1~U(q4Ikz{eJNFYk~w!qNy3G-O{(Au=X-&
z4nxAh(s@%Vec7N`aihFzZd3G_NsZm$_V90rP0Tg0pg}4o?fB=8QjKXI3$-T%XJnD;
z^E>_vi2SccKvxq2;{yN$Qz7zvd<|f{TD)q|Bc5}+7SZqYWQBRjBSQR9exS^4IS_rX
zC0SPUz$0tJ$`zxyiCW`RbtoPQZ8XbH>~til)01=&h_GsHhp3?bj0#!2pA`3MHpWnt
z8~h?WNqr@&%<{g+0WjgYzkMB^bUpO=WC_}W^0Y2fzTPm%gm1+j*o*OcQ-7*{dp^MG
zWyIR1pr@<sSY_M_tQwLW{vr1wo)hWf#ELmPJs62^7<`wnk(3u5B!Vt9X3ATmu<-gf
zwbF{i0%^neMh%8b(Y}Pz>YX-?l}b(P2zm0ObY>G)KQO)R{bEk6@@{hdwt+9f3u_EN
zft*y8_e^8V@Q=+TJ~VT6!Rb%{0NLPoPM9F!Zg53_6p}s3j<StRmOM1N&$AQKyQMc7
zLL0UR4t4c?e>TB=4Ybr|Q@5Tgxq(rFquC#|-bL{kcUgN$@rc@S{-G0rh0ilK;Htt_
z7%flFOx_l(3oVQ@Kewoipn5NVP}@4{&M-ayD!<Uv%ccLU%oah58|cq^;PbO0n%9a#
z=UH>-==uFG#m-0LgviglyNM5?F<JHuqh@Rf`3O-c2|)oM@Kw}{NLf*cWODYzj*uy0
zNBLVqy6i>k(oY`?xMxb6WyfIUG*ccjrSv5(u1wW>5qGewJ!ZrW$G9}$bVoeJEGJS`
z%ftLnc}g<vb>ZxcqA1DMGm)4y&zZ`8Jud!(%T%O}RT8zeA0@0F$EsvmcstGi!vRA(
zta50^oL^lUJ>RMrn@9cp4`Z@Y{8;8&MJ++@UN;a+)`V%TkZyFeFZQ%7(q$GcWRh~l
z5I1$AzK{2UE`)6#@hNtFKGXGKOH9pg>L(rQqHyYSM~l81^C3?CE(x3$<vkUC=QRbU
zI8@|C@FAt@#9!{)*}+ZnIyc5EKix*%N_db24$;SpTcZ$NdIVHpVQY~Pona_Pspg_a
zf=tnAREqYt6-cOFpvZ8jq;S!EuR^&%<9w|SXj;kuj2qh{V<vZ}%zv0iC@1PHPUN_s
w-&NBT=l^$HC*n2*HiF%EsJZQq&mio04`!)YyAs)2&>9bR?-#-!L&f#~08?07^Z)<=

diff --git a/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_initial_sbat.efi.signed.1.1.1
index ffc70d0ebe350afe29aaa8994e9c1091a84c7175..218f6f83e0c7052f0168746ea34a9328c4564fc6 100644
GIT binary patch
delta 295
zcmV+?0oeZ7G}ttd*aei_000V;K>;VT1ObW{3NbM<I59FcG%+-jm>9r+uS2!iTVnpb
zG$RN$nb1n)0d?d*C9|dvTZZ!{|A;5~coV9VO5iY(Mr$@Kx5oAwI7OPV;rh8T8-v1%
zp=eay`Q6z16i-`H5Wh+YV+J<687_qPsa5_5Z~D)jFR7>%f{#AM4h<P-=^ckWJ}_i$
zOdZ_8`3^rrXKoROLmp>;9Jbwm)KXkLLjHY(`xKPN<A%11OL%Mb-@K}Vqv)E7PP+@$
z#zrp29ZFf3a=3{Wy-gjP7t8FjsU7x)nd1Dr8CT*)r41-nkm-9$4=&pMm5bU@&1opN
tRQC4#lit9ZKM7~MpcDew1+Tbp9@g_fdSnPlD`3i4wR^k<fbjGJpR1w#i@E>+

delta 295
zcmV+?0oeZ7G}ttd*acG-0RRe<K>;VT1ObW{3NSS>I59RgG%_-im>9r+cT!Yb;UjeP
z27oMw9C%0#LNiF8`Tj5r8*N{86Mpl3A04DZF5O;M@YX!XHvgg#KG1d&3>Zsu^=u3y
zlqTPB1eQ;?iwClHH!?2^kt9;mKfYv**pAZ$!f??bybqPU^|{gn4D7j(<|4{f)E;8t
z=vAeNTvL30je*Se*IGG$cV|M1^#}94(ET971Ra~+#=zOx6a42?#{d^@aI;Mhk!4e2
zlavZlGg}=xjex*$%tvezpxo*s3t{Zw5mVb6gYhX~-0D$Z<5Qt#@E~@<OXFEa?vM&a
t5$&O7JR7az{nGtBuDl{A^EjFT0%D$EebQm>R~p!lm;632=xDA2^j-^qhOqzu

diff --git a/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_sbat.efi.signed.1.1.1
index dd6c31eecaee4cd23e78257373eb3760f4c97064..b66819e89b41f0222aab0b015b9df948ebbf377d 100644
GIT binary patch
delta 295
zcmV+?0oeYaFrYAy*ah?D000V;K>;VT1OZYN3NbM<I59FcG%+-jU>3lCZfm7_dHh8N
zmeQns;1kw*N<m-vF7*#H*92`O0Orv0rBmSWI2U&#^vLpY4Y{BnSgun+$Xw^E?S?KM
z3~*VgE~7rR5M{~Ua_UmD8)gLOwsaa>-U#&<*Ns#P&;$yTN#tM`<+p)e;mcU_UU8EU
z<MbNLsyzmq%ktbY)ESX~h&icplp)#4|11ghZ-hkGCmAO6Q#qWLWh*$R)ffyrJf_Y&
z>O3<U=K27ysf<mX75&Fb(b^i#(ponc>J(i+>@z~yOS+~%ak%ld10F?94NG-*TuP!|
trnSwo@Xl-VMs#im>O^vVaxGP+xzAwlSbGLG1!oh3(8}fs>Jb70u?%dMhp_+v

delta 295
zcmV+?0oeYaFrYAy*ab{b000V;K>;VT1OZYN3NSS>I59RgG%_-iU>3lCThyLp5W-sb
zWKCXk^Z3+yC%PmC@H3E8e&Ct!5gYklCfKdR**{~~0#=XtKM-xdJ3S|M$i&H((Da`=
zq}9kGKodL-hyP$>-{uz?+)-K0C!=#qw7(Bn#hv(Hj-antDkO0Ba`EAmwmr?2mDq^R
z%DNIm&wr#eG|VyxzuFRid(oz~hu?CdfxiDn#+E-NB#a-{y2C>%(S1;e*vR)CUyR~`
z_xOF*zuoq7_rfK^!Bv3nkxZ$=&wGA*XuV84-e&b`U5lGtHYJl%O&6bzV_AG6d)Z&|
tBKy2WQvF&yIYCQ0zGwJ~l689nb7d~*YuwH19<^4v!F2zQn*iJb)xzgZlPdrK

diff --git a/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_no_vendor_cert.efi.signed.1.1.1
index daaff3f1bba61dbeb8375bb635d37f0b496290d0..3ab45db67efed11d55fb93e78a1f691ec83e40d5 100644
GIT binary patch
delta 295
zcmV+?0oeYKHIOxs*aa$A000V;K>;VT1OdVq3NbM<I59FcG%+-j&=|mf6#=FL1P7%R
z1c~U2>ux9Pp)maD)G%7x?UtN4{2vnlK6U=wiZdz+bY|eV_3;7mZxI-3(Rlv2Zrm4I
zcfcuLA!qtV3i8vA=Y+v8oX7{t-UuF<YAO??y!8F*3>LJ#azP|50B!>yAgblR69Ad}
zoR=Hc%MQ?*)f-fcJuUlxt&y?$TR`sP%`q&E9|>Wh-8sp#=N_WS&2;L1^HU3atEQW|
zGBwoBZu(Pz;Hkfyrpc|lwqAb_mOh-aoVjA9hR%}@{=;Q?8F@PZ!!Ri+U95+_TW;*l
t<@p-fFEL|T9ei6+g!d&a5*w<~)Qb!`1|Zo?xrVkM(@=|Xfm+Z46BG<UiG%<E

delta 295
zcmV+?0oeYKHIOxs*adx%000V;K>;VT1OdVq3NSS>I59RgG%_-i&=|mfW4d#VFye}C
zm`<1k<Sb^b<_55;9tidpav-z2fobrNw^U6&#dd*WEOri9fNmB^7ktym;b!G-Kk$h3
zDkj8qNd%Cxq9#5E_^n2?L=n{EM&~auAz+ZnfI$*sS9{ag$#Si6QZHS-CbF}?!OU%3
zGPieR*=D2T{M^L@@GKR7ff(Ak^Ml_fhIByDw)GLITkt><L<iIf<Ld>Mv{xQMPHGXV
ze@q%G%9~wrIuINs7+H&q$b0vUkjYOWS^-*=X!Q4ALQ9|@`Dg_{CEUy<XLFC@;<`Im
tHNTF+^<OhT+Es$8pGg24zOx8y6uAsIC#R*ZaapMVi+;1F28P`Nlo7XfgrWcd

diff --git a/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1 b/efi/testdata/amd64/mockshim_vendor_db.efi.signed.1.1.1
index 040f4c5b9bce2ec8a9921761451f3581c357718c..0b1a67d480e7a260834fa6d1c05d8038e624ab43 100644
GIT binary patch
delta 295
zcmV+?0oeYCIfyxs*agD~0RRe<K>;VT1Od7k3NbM<I59FcG%+-j$Qr<ZOGvAFLXX=>
z16_$+dV5OevD?}XWtUNH%EEQ#5#yx-PZK_|I1SQw-Z^mc4~H(W8ti$*Cn?o<oX*Ka
zS&&Ki;!}Ns!YN!u_8DV8Gv1AZv?b6s6EdOvD)&eeDhxl<zD^6xEz;9K-r$wd0d<!9
zcABjP%2R$z0V7e&LB245(ba@>nm)$!Bc+`dYY)Fs-!r1PAdUSBnXykZxF0I>tKBqi
ztLd#R0B@|63&)^QKr`RPv5M!AXgS*sGSayzGrx(7#<{ymPoLdNv38M|%YWyMAsRmJ
tBy#kARLq^59xdX;{1Wl2%H=5*<SYOEWP%J)1ZJRC80T#XQezYX-?MIPiM;>-

delta 295
zcmV+?0oeYCIfyxs*ah<q0RRe<K>;VT1Od7k3NSS>I59RgG%_-i$Qr<ZU!xP%#Ft0o
z@mw)`V>3#d?{{ozwuz+#dpG0hPAGwZp*jEY$N2d@CWCxT(c6Sd-xKtfUup4Q=!mer
zPdrD^oI7<%;~^%;S*_!46nN8On}dWd<Ce<`Ih_ML4Sa@h{<c&q@ZV@eyJuri59mrz
z16&eB;@rLyy~5CtD)z5`Epo(ixScBTJ*eA<Q*!_nBRTxEX~M%TSn+?5Crq{I#>6h=
zi9<y~A9oDS2^S<`ta5md^|y81A{2DEZ}9-Asuk&?zTgO&EK3n>7UR`V)7KP1{(2hl
t=<aSYjtuB)<{JZB{o7#Zd<IrZ24ecedcp8^KE|x(!@Bl227^rkibjGUjU)g7

diff --git a/efi/testdata/buildenv.yaml b/efi/testdata/buildenv.yaml
index 216e7fa3..4697f3c0 100644
--- a/efi/testdata/buildenv.yaml
+++ b/efi/testdata/buildenv.yaml
@@ -1,7 +1,7 @@
 go-arch: amd64
-go-version: go1.20.3
+go-version: go1.18.10
 kernel-version: |
-  Linux version 6.2.0-20-generic (buildd@lcy02-amd64-035) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-17ubuntu1) 12.2.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023
+  Linux version 6.2.0-37-generic (buildd@bos03-amd64-010) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~23.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.40) #38-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 30 21:04:52 UTC 2023
 os-release:
   BUG_REPORT_URL: '"https://bugs.launchpad.net/ubuntu/"'
   HOME_URL: '"https://www.ubuntu.com/"'
@@ -20,13 +20,13 @@ packages:
   base-files: 12.3ubuntu2
   base-passwd: 3.6.1
   bash: 5.2.15-2ubuntu1
-  binutils: 2.40-2ubuntu4
-  binutils-common: 2.40-2ubuntu4
-  binutils-x86-64-linux-gnu: 2.40-2ubuntu4
+  binutils: 2.40-2ubuntu4.1
+  binutils-common: 2.40-2ubuntu4.1
+  binutils-x86-64-linux-gnu: 2.40-2ubuntu4.1
   bsdutils: 1:2.38.1-4ubuntu1
   coreutils: 9.1-1ubuntu2
   cpp: 4:12.2.0-3ubuntu1
-  cpp-12: 12.2.0-17ubuntu1
+  cpp-12: 12.3.0-1ubuntu1~23.04
   dash: 0.5.12-2ubuntu1
   debconf: 1.5.82
   debianutils: 5.7-0.4
@@ -34,44 +34,44 @@ packages:
   dpkg: 1.21.21ubuntu1
   findutils: 4.9.0-3ubuntu1
   gcc: 4:12.2.0-3ubuntu1
-  gcc-12: 12.2.0-17ubuntu1
-  gcc-12-base: 12.2.0-17ubuntu1
-  gcc-13-base: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  gcc-12: 12.3.0-1ubuntu1~23.04
+  gcc-12-base: 12.3.0-1ubuntu1~23.04
+  gcc-13-base: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   grep: 3.8-5
   gzip: 1.12-1ubuntu1
   hostname: 3.23+nmu1ubuntu1
   init-system-helpers: 1.65.2
   install-info: 6.8-6build2
   libacl1: 2.3.1-3
-  libasan8: 13-20230320-1ubuntu1
-  libatomic1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libasan8: 13.1.0-2ubuntu2~23.04
+  libatomic1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libattr1: 1:2.5.1-4
   libaudit-common: 1:3.0.9-1
   libaudit1: 1:3.0.9-1
-  libbinutils: 2.40-2ubuntu4
+  libbinutils: 2.40-2ubuntu4.1
   libblkid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libbz2-1.0: 1.0.8-5build1
-  libc-bin: 2.37-0ubuntu2
-  libc6: 2.37-0ubuntu22.37-0ubuntu2
+  libc-bin: 2.37-0ubuntu2.1
+  libc6: 2.37-0ubuntu2.12.37-0ubuntu2.1
   libcap-ng0: 0.8.3-1build2
-  libcap2: 1:2.66-3ubuntu21:2.66-3ubuntu2
-  libcc1-0: 13-20230320-1ubuntu1
+  libcap2: 1:2.66-3ubuntu2.11:2.66-3ubuntu2.1
+  libcc1-0: 13.1.0-2ubuntu2~23.04
   libcrypt1: 1:4.4.33-21:4.4.33-2
-  libctf-nobfd0: 2.40-2ubuntu4
-  libctf0: 2.40-2ubuntu4
+  libctf-nobfd0: 2.40-2ubuntu4.1
+  libctf0: 2.40-2ubuntu4.1
   libdb5.3: 5.3.28+dfsg2-15.3.28+dfsg2-1
   libdebconfclient0: 0.267ubuntu1
-  libgcc-12-dev: 12.2.0-17ubuntu1
-  libgcc-s1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgcc-12-dev: 12.3.0-1ubuntu1~23.04
+  libgcc-s1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgcrypt20: 1.10.1-3ubuntu11.10.1-3ubuntu1
   libgmp10: 2:6.2.1+dfsg1-1.1ubuntu1
-  libgomp1: 13-20230320-1ubuntu113-20230320-1ubuntu1
+  libgomp1: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
   libgpg-error0: 1.46-11.46-1
-  libgprofng0: 2.40-2ubuntu4
+  libgprofng0: 2.40-2ubuntu4.1
   libisl23: 0.25-1
-  libitm1: 13-20230320-1ubuntu1
+  libitm1: 13.1.0-2ubuntu2~23.04
   libjansson4: 2.14-2
-  liblsan0: 13-20230320-1ubuntu1
+  liblsan0: 13.1.0-2ubuntu2~23.04
   liblz4-1: 1.9.4-11.9.4-1
   liblzma5: 5.4.1-0.25.4.1-0.2
   libmd0: 1.0.4-21.0.4-2
@@ -83,27 +83,27 @@ packages:
   libpam-runtime: 1.5.2-5ubuntu1
   libpam0g: 1.5.2-5ubuntu1
   libpcre2-8-0: 10.42-110.42-1
-  libquadmath0: 13-20230320-1ubuntu1
+  libquadmath0: 13.1.0-2ubuntu2~23.04
   libselinux1: 3.4-1build43.4-1build4
   libsmartcols1: 2.38.1-4ubuntu1
-  libssl3: 3.0.8-1ubuntu1.13.0.8-1ubuntu1.1
-  libstdc++6: 13-20230320-1ubuntu113-20230320-1ubuntu1
-  libsystemd0: 252.5-2ubuntu3252.5-2ubuntu3
-  libtinfo6: 6.4-26.4-2
-  libtsan2: 13-20230320-1ubuntu1
-  libubsan1: 13-20230320-1ubuntu1
-  libudev1: 252.5-2ubuntu3252.5-2ubuntu3
+  libssl3: 3.0.8-1ubuntu1.43.0.8-1ubuntu1.4
+  libstdc++6: 13.1.0-2ubuntu2~23.0413.1.0-2ubuntu2~23.04
+  libsystemd0: 252.5-2ubuntu3.1252.5-2ubuntu3.1
+  libtinfo6: 6.4-2ubuntu0.16.4-2ubuntu0.1
+  libtsan2: 13.1.0-2ubuntu2~23.04
+  libubsan1: 13.1.0-2ubuntu2~23.04
+  libudev1: 252.5-2ubuntu3.1252.5-2ubuntu3.1
   libuuid1: 2.38.1-4ubuntu12.38.1-4ubuntu1
   libzstd1: 1.5.4+dfsg2-41.5.4+dfsg2-4
   login: 1:4.13+dfsg1-1ubuntu1
   make: 4.3-4.1build1
-  ncurses-base: 6.4-2
-  ncurses-bin: 6.4-2
-  perl-base: 5.36.0-7
+  ncurses-base: 6.4-2ubuntu0.1
+  ncurses-bin: 6.4-2ubuntu0.1
+  perl-base: 5.36.0-7ubuntu0.23.04.2
   sbsigntool: 0.9.4-3.1ubuntu2
   sed: 4.9-1
   sysvinit-utils: 3.06-2ubuntu1
-  tar: 1.34+dfsg-1.2
+  tar: 1.34+dfsg-1.2ubuntu0.1
   usrmerge: 33ubuntu1
   util-linux: 2.38.1-4ubuntu1
   util-linux-extra: 2.38.1-4ubuntu1
diff --git a/efi/testdata/src/keys/TestUefiSigning1.2.1.key b/efi/testdata/src/keys/TestUefiSigning1.2.1.key
new file mode 100644
index 00000000..24bcb636
--- /dev/null
+++ b/efi/testdata/src/keys/TestUefiSigning1.2.1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7ah+sXr2ZghIf7piN+puZEtO+xTKqimlYVxH1DMogUBAylI+
+ZIGj0VSY5p+ILtJwTjYerRphvy3V1Pv9uGqIEFeNK7ct4LfyZYc/tvxMTzkEZBq0
+o3bv5Wi16A1E3eSMinQ1CIG15yWObzQd0HoBeaXUs9KpugLwmZqILQM/XPhe1Ke7
+2HmHO2hPailZnoDLOwtOS+Gto8stDBWOqOzrL/QXmmwr3Yw6H6fjY+AM8uSCQkAQ
+jFgvjxtCuEeQpC5FVYS5ulffwRztRE3sKt39GUfnmiR6/sqDddfW2Dogc3txxwet
+fuSyoUG6cHMioZoTjiflQ0CAq5XtyL9E7quDgQIDAQABAoIBAQDs83gOAGk25b9T
+CkPvOB+Eg8llcR93dTpcziMXoUIbTDLNBh8LGm54wX4JQroG5O3wLOl88bbPZCW0
+yuH3QtASaxhno6VsTjqxm52dFgQHYPPN0wqTiHw7IKFtkf09tyegy6gsqRbyNXHD
+0hR/zYU3Am4GNF3hBhlZLMflCT3dtCDAVWJfga5/qqiYgeC6MnQU8XKhZCpYlU/v
+96fbNDHbXaoXbXfNMFVTPSEEuYH/odod8vs/F8VmpHuX6ZxZAgkKi2qII2Xkl6bG
+DG/HVRzJNr87hm8lnfmEZoGh93jPd3uBu/01jsF4/NIrcZQb39M2HzFATmuHIB5k
+131YgGyBAoGBAP9u8Ew22PFU9Zk8YvXSZbWn3AMt0hPm28OSlnScLgvqoyS+PqlU
+T96z+NX1S9uxaLLEmFwbp61zeiXGjT6Z5XP7gfF3J9iWxzouKKSDNwRVp5U6eiTB
+tZCC7L9ocsDvCJeUP9SsxxHS/aVcqFr+cY7YekiDcNNvrQuWrC551HrJAoGBAO4v
+di96HpdiOVpzGHK/XD6s70cIIC6Q+G/LAUbf2s1gMcvLe0xBcdFriHvyeZ5lDOmz
+t5NFer7fQ3vBLlOw6rX8sZur12f5tU4r+Jv5yFHq3IWMLGYhEpoJKe0FKXkU4gN2
+1eyLhCl6GACD8gXS1LYdK6Lg9R/HKsSasHuLdGb5AoGAQN7n4DM9vWyaQyR27X9V
+nWDYG2aTp8JFpdGgrFTNzPD2Jeq69z4WWrTSSWRWs6DGuj/7gcj0OLTPHLDkRjXH
+dEE3qx9b20HPrxLx93XrjwpB2UBUrOkVN3JItgPMwPrz76sS2uxWUkyHZmu1xgZA
+yMppo+jdypTeGcdWSyddsyECgYA5UF5mCkK2NsKKS0vEwNtXkZF6TDBCREwjynui
+LFegN9eDrJEcxlq3A+MxwCUXwkUbL02rOHrS1zKL4u5c4SN5azbpuK36rRG9n8MQ
+9UgIvjUWRaahZK/vNOlLyYQzSJ0iLERJyUCiImkIJrfkQtlAgUBwzyTs4qYd7QMu
+l14JMQKBgQCJkEkQu3TFeBHY8BB5uieTiEb6sLtCi9IWrXIcKQ1M5ymDzZlk8jeM
+dhKv2KPIV1W6Hb5yTEzD/exJtRuwe13Jke/nshM9qht8lO8YVS6ozNfM7UIqc89J
+RoTLxQsOSg7Y/m1S987Ax0dVrJwi9GIOAx2z08rtstFiY7QASbFlfA==
+-----END RSA PRIVATE KEY-----
diff --git a/tools/make-efi-testdata/apps.go b/tools/make-efi-testdata/apps.go
index 3b75f590..8db3a832 100644
--- a/tools/make-efi-testdata/apps.go
+++ b/tools/make-efi-testdata/apps.go
@@ -94,9 +94,9 @@ func newMockAppData(srcDir, vendorCertDir string, certs map[string][]byte) []moc
 				"SBAT_VAR_LATEST=sbat,1,2022111500\\\\nshim,2\\\\ngrub,3\\\\n",
 				"WITH_SBAT=1",
 				"WITH_SBATLEVEL=1"},
-			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning2.1.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
-			signCerts: [][]byte{certs["TestUefiSigning2.1.1"], certs["TestUefiSigning1.1.1"]},
-			filename:  "mockshim.efi.signed.2.1.1+1.1.1",
+			signKeys:  []string{filepath.Join(srcDir, "keys", "TestUefiSigning1.2.1.key"), filepath.Join(srcDir, "keys", "TestUefiSigning1.1.1.key")},
+			signCerts: [][]byte{certs["TestUefiSigning1.2.1"], certs["TestUefiSigning1.1.1"]},
+			filename:  "mockshim.efi.signed.1.2.1+1.1.1",
 		},
 		{
 			path: filepath.Join(srcDir, "shim"),
diff --git a/tools/make-efi-testdata/certs.go b/tools/make-efi-testdata/certs.go
index 30ef2283..8e102239 100644
--- a/tools/make-efi-testdata/certs.go
+++ b/tools/make-efi-testdata/certs.go
@@ -100,6 +100,20 @@ var certDatas = []certData{
 			CommonName:   "Test UEFI CA 2",
 		},
 	},
+	{
+		name:         "TestUefiSigning1.2.1",
+		issuer:       "TestUefiCA1.2",
+		extKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		keyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment,
+		serialNumber: big.NewInt(1),
+		subject: pkix.Name{
+			Country:      []string{"GB"},
+			Organization: []string{"Fake Corporation"},
+			Locality:     []string{"London"},
+			Province:     []string{"England"},
+			CommonName:   "Test UEFI Secure Boot Signing 1",
+		},
+	},
 	{
 		name:         "TestShimVendorCA",
 		isCA:         true,