[OS-BUILD PATCH] redhat: add IMA certificates
by Jan Stancek (via Email Bridge)
From: Jan Stancek <jstancek(a)redhat.com>
redhat: add IMA certificates
Forward port c9s commit:
7ff63254426d ("redhat: add IMA certificates")
Starting with RHEL9.0, installed package files will have IMA signatures
if users choose so. The IMA subsystem will search for the certificate in
the .ima keyring to verify a file signature thus to make sure this file
hasn't been tampered with. To be able to add the IMA code-signing
certificate to the .ima keyring, this certificate needs to be signed by
a CA certificate in the system keyrings.
This patch builds the IMA CA certificate into the .builtin_trusted_keys
keyring and installs the IMA code-signing certificate to
/usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like
dracut to add it to the .ima keyring.
Signed-off-by: Coiby Xu <coxu(a)redhat.com>
Signed-off-by: Jan Stancek <jstancek(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -918,6 +918,17 @@ Source87: flavors
Source100: rheldup3.x509
Source101: rhelkpatch1.x509
Source102: nvidiagpuoot001.x509
+Source103: rhelimaca1.x509
+Source104: rhelima.x509
+Source105: rhelima_centos.x509
+
+%if 0%{?centos}
+%define ima_signing_cert %{SOURCE105}
+%else
+%define ima_signing_cert %{SOURCE104}
+%endif
+
+%define ima_cert_name ima.cer
Source200: check-kabi
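Review bot: The `%if 0%{?centos}` / `%else` selection falls back to rhelima.x509 for every build that is not CentOS, including one where neither `centos` nor `rhel` is defined, and nothing in the hunk records which CA each leaf certificate chains to; a comment above the `%if` would make the intent checkable: `# IMA leaf cert handed to dracut: CentOS Stream and RHEL use different leafs, both must chain to rhelimaca1.x509 (the CA added to rhel.pem)`. Whether rhelima_centos.x509 is in fact signed by rhelimaca1 cannot be confirmed from this patch, so that should be verified (for example with `openssl verify -CAfile`) before the comment is relied on. The fallback is presumably harmless because the install step is gated on `%{?rhel}` elsewhere in the patch, but saying so here avoids a later reader assuming the `centos` macro is the only thing that matters.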
@@ -1893,7 +1904,8 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem rhelimaca1.pem > ../certs/rhel.pem
%if %{signkernel}
%ifarch s390x ppc64le
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
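Review bot: rhelimaca1.pem is concatenated into ../certs/rhel.pem unconditionally, while the matching leaf certificate is only installed under `%if 0%{?rhel}` in BuildKernel(), so on a build where `rhel` is undefined the IMA CA still ends up in .builtin_trusted_keys with nothing in this patch consuming it; unless the enclosing block is already under a `%{?rhel}` guard (its start is outside the hunk), gating the two added lines the same way, or documenting why the CA must be trusted regardless, keeps the trusted set minimal. A one-line comment would also help the next reader: `# IMA CA: anchors the rhelima*.x509 leaf that dracut loads into .ima`. As far as this spec shows, nothing restricts that CA to IMA use once it is in the builtin keyring, which is worth stating in the same comment.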
@@ -2712,6 +2724,11 @@ BuildKernel() {
%endif
%endif
+%if 0%{?rhel}
+ # Red Hat IMA code-signing cert, which is used to authenticate package files
+ install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+%endif
+
%if %{signmodules}
if [ $DoModules -eq 1 ]; then
# Save the signing keys so we can sign the modules in __modsign_install_post
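Review bot: `install -m 0644` does not create the target directory, so the added install line fails unless `%{_datadir}/doc/kernel-keys/$KernelVer` has already been created earlier in BuildKernel() (its start is outside the hunk and no mkdir is visible here); `install -D -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}` removes that dependency. The path hardcodes `%{_datadir}/doc` rather than a docdir macro, which is fine if it matches where user space (dracut, per the commit message) looks, but the comment should say the path is part of the interface: `# Path is consumed by dracut; do not move without updating it`. Whether the new file is listed in a %files section cannot be checked from this hunk.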
diff --git a/redhat/keys/rhelima.x509 b/redhat/keys/rhelima.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima.x509
Binary files /dev/null and b/redhat/keys/rhelima.x509 differ
diff --git a/redhat/keys/rhelima_centos.x509 b/redhat/keys/rhelima_centos.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima_centos.x509
Binary files /dev/null and b/redhat/keys/rhelima_centos.x509 differ
diff --git a/redhat/keys/rhelimaca1.x509 b/redhat/keys/rhelimaca1.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelimaca1.x509
Binary files /dev/null and b/redhat/keys/rhelimaca1.x509 differ
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3094