From: Bruno Meneguele <bmeneg(a)redhat.com>
redhat: add secureboot CA certificate to trusted kernel keyring
This patch is a forward-port from what we already have in RHEL-8 kernels and
should also be done in RHEL-9 to avoid unexpected failures on customers.
Add the secure boot key certificate to the trusted kernel keyring
(.builtin_trusted_keys) to allow the placement of the kernel signing key
(shipped with the distro) in other kernel trusted keyrings, i.e. .ima
trusted keyring.
The need for adding the secure boot CA cert in the trusted kernel keyring
exists only for arches without UEFI support which don't support adding certs
to .platform_keyring and, consequently, can't add our own kernel image
signing key to trusted keyrings.
The biggest usage of that is for loading signed kernel images during
kexec/kdump process in arches that depends on the IMA infrastructure to
check the signatures, which has the ability to verify appended signatures
instead of the UEFI PE format. Said arches are PowerPC and S390X.
Cc: Justin M. Forbes <jforbes(a)fedoraproject.org>
Cc: Herton R. Krzesinski <herton(a)redhat.com>
Cc: Patrick Talbert <ptalbert(a)redhat.com>
Signed-off-by: Bruno Meneguele <bmeneg(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -1422,6 +1422,10 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
+%ifarch s390x ppc64le
+openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
+cat secureboot.pem >> ../certs/rhel.pem
+%endif
for i in *.config; do
sed -i
's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"(a)'
$i
done
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1235