ipxe: Use iPXE Secure Boot CA certificate as vendor certificate

Switch to using the iPXE Secure Boot CA certificate instead of using
the Extended Validation Code Signing certificate, as recommended in
rhboot/shim-review#319 (comment)

Add a DER-encoded copy of the iPXE Secure Boot CA certificate from
https://github.com/ipxe/secure-boot-ca, remove the old vendor
certificate, and update the Makefile and documentation to match.

Signed-off-by: Michael Brown <[email protected]>

Author: mcb30

.github/README.md

@@ -4,11 +4,11 @@ This is a lightly modified version of the general-purpose [shim][shim]
 used to enable UEFI Secure Boot for open source projects.
 
 This fork includes modifications to simplify the use of shim with
-[iPXE][ipxe].  In particular, this shim is built to trust the iPXE
-project's [EV code signing certificate](../ipxe.der), and includes
-logic to automatically determine the iPXE filename based on the name
-used for the shim itself, by stripping out the shim portion of the
-filename.  For example:
+[iPXE][ipxe].  In particular, this shim is built to trust the [iPXE
+Secure Boot CA][ipxesbca] certificate, and includes logic to
+automatically determine the iPXE filename based on the name used for
+the shim itself, by stripping out the shim portion of the filename.
+For example:
 
 | shim filename         | iPXE filename         |
 | :-------------------- | :-------------------- |
@@ -24,3 +24,4 @@ unsigned binaries.)
 
 [shim]: https://github.com/rhboot/shim
 [ipxe]: https://ipxe.org
+[ipxesbca]: https://ipxe.org/secure-boot-ca

Make.local

@@ -1,2 +1,2 @@
-VENDOR_CERT_FILE = $(TOPDIR)/ipxe.der
+VENDOR_CERT_FILE = $(TOPDIR)/ipxe-sb-ca.der
 DEFAULT_LOADER = ipxe.efi