[efi][secureboot] Not able to boot livecd with secureboot enabled #1712

Closed
Itxaka opened this issue Aug 10, 2023 · 4 comments
Labels
bug Something isn't working

Comments


Itxaka commented Aug 10, 2023

Kairos version:
master

CPU architecture, OS, and Version:
x86

Describe the bug
We used to be able to boot with secureboot enabled due to using the shim and the grub.efi signed from opensuse. This seems to no longer be the case:

image

To Reproduce
Create iso, boot with uefi+secureboot

Expected behavior
Can boot with secureboot

Logs

Additional context

@Itxaka Itxaka added the bug Something isn't working label Aug 10, 2023

Itxaka commented Aug 16, 2023

Not sure what's going on. From opensuse:15.5 the shim doesn't pass validation:

```
b5b8f58fa9c9:/ # sbverify --list /usr/share/efi/x86_64/shim.efi
warning: data remaining[827296 vs 953800]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
signature 2
image signature issuers:
 - /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
image signature certificates:
 - subject: /CN=SUSE Linux Enterprise Secure Boot Signkey/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
   issuer:  /CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de

b5b8f58fa9c9:/ # sbverify /usr/share/efi/x86_64/shim.efi
warning: data remaining[827296 vs 953800]: gaps between PE/COFF sections?
Signature verification failed
```

But on tumbleweed, it does pass the validation, even if it contains the same certificates...

```
8f2be8e651ed:/ # sbverify --list /usr/share/efi/x86_64/shim.efi
warning: data remaining[808656 vs 934024]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
signature 2
image signature issuers:
 - /CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
image signature certificates:
 - subject: /CN=openSUSE Secure Boot Signkey/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
   issuer:  /CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
8f2be8e651ed:/ # sbverify /usr/share/efi/x86_64/shim.efi
warning: data remaining[808656 vs 934024]: gaps between PE/COFF sections?
Signature verification OK
```
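
Added example, not part of the original issue or of Kairos: a shell helper that reduces saved `sbverify --list` output to one issuer CN per signature and reports which signatures differ between two shim binaries. The function names and the shortened sample listings are constructed here; the issuer names are the ones in the two listings above.

```shell
# Added example (not project code). stdin: `sbverify --list` text.
# stdout: "<signature number><TAB><issuer CN>", one line per issuer.
sig_issuers() {
    awk '
        function cn_of(dn,    parts, n, i) {
            n = split(dn, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) return substr(parts[i], 4)
            return dn                      # no CN component: keep the full DN
        }
        /^signature [0-9]+/               { sig = $2; want = 0; next }
        /^image signature issuers:/       { want = 1; next }
        /^image signature certificates:/  { want = 0; next }
        want && /^ - /                    { print sig "\t" cn_of(substr($0, 4)) }
    '
}

# $1, $2: files holding two listings. Prints signatures whose issuer differs.
# Assumes one issuer per signature, as in the listings in this issue.
compare_issuers() {
    { sig_issuers < "$1"; echo '---'; sig_issuers < "$2"; } | awk -F'\t' '
        $0 == "---"     { second = 1; next }
        !second         { left[$1] = $2; next }
                        { seen[$1] = 1 }
        left[$1] != $2  { printf "signature %s: %s | %s\n", $1, left[$1], $2 }
        END { for (s in left) if (!(s in seen)) printf "signature %s: %s | (absent)\n", s, left[s] }
    '
}

# Constructed sample input, shortened from the listings in this issue.
sample() {   # $1 = CN of the issuer of signature 2
    cat <<EOF
warning: data remaining[827296 vs 953800]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
signature 2
image signature issuers:
 - /CN=$1/C=DE/L=Nuremberg
EOF
}

tmp=$(mktemp -d)
sample 'SUSE Linux Enterprise Secure Boot CA' > "$tmp/leap.txt"
sample 'openSUSE Secure Boot CA'              > "$tmp/tumbleweed.txt"
compare_issuers "$tmp/leap.txt" "$tmp/tumbleweed.txt"
rm -rf "$tmp"
```

On real binaries, save each listing with `sbverify --list shim.efi > listing.txt` inside the respective image and pass the two files to `compare_issuers`.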


Itxaka commented Aug 16, 2023

Building the efi livecd artifacts from tumbleweed should work, plus this is what we do already for the normal system efi artifacts, so it makes no sense to have them from different base images:

kairos-io/packages#376


Itxaka commented Aug 16, 2023

Requires: kairos-io/osbuilder#90
Requires: #1727

Results in proper secureboot booting + proper efi booting + proper bios booting and removing extra files from kairos:
image


Itxaka commented Aug 17, 2023

Patches merged to master and tested.

@Itxaka Itxaka closed this as completed Aug 17, 2023