From 7d402d9a8bbfc1aaab4608a39bb8ad11a69177c9 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <yves-alexis.perez@ssi.gouv.fr>
Date: Mon, 6 Jan 2020 13:31:57 +0100
Subject: [PATCH] add an error if efitools is too old

---
 tools/ca/gen.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/ca/gen.sh b/tools/ca/gen.sh
index c1b8e46..df46f08 100755
--- a/tools/ca/gen.sh
+++ b/tools/ca/gen.sh
@@ -6,6 +6,19 @@ set -e
 
 NAME="chipsec-sec secureboot test"
 
+# efitools prior 1.9.2 has a bug preventing PK insertion in somes BIOSes
+# See https://forums.lenovo.com/t5/ThinkPad-11e-Windows-13-E-and/Cannot-install-custom-secure-boot-PK-platform-key/td-p/4318378
+# This bug manifests in sign-efi-sig-list so check that if possible
+if [ -x /usr/bin/dpkg ];
+then
+	efitools_vers=$(sign-efi-sig-list --version | awk '{ print $2 }')
+	if $(dpkg --compare-versions "$efitools_vers" lt "1.9.2");
+	then
+		echo "efitools version ($efitools_vers) is too old, please upgrade to efitools >= 1.9.2 to avoid potential bugs when inserting PK" >&2
+		exit 1
+	fi
+fi
+
 rm *.cer
 rm *.crt
 rm *.key