From: Jan Stancek on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
Forward port secure boot signing changes from c9s to ARK.
eln scratch: https://koji.fedoraproject.org/koji/taskinfo?taskID=111509830
rawhide scratch: https://koji.fedoraproject.org/koji/taskinfo?taskID=111494146
Signed-off-by: Jan Stancek jstancek@redhat.com
---
 redhat/keys/redhatsecureboot003.cer | Bin
 redhat/keys/redhatsecureboot301.cer | Bin
 redhat/keys/redhatsecureboot401.cer | Bin
 redhat/keys/redhatsecurebootca1.cer | Bin
 redhat/keys/redhatsecurebootca2.cer | Bin
 redhat/keys/redhatsecurebootca4.cer | Bin
 redhat/keys/secureboot_ppc.cer      | Bin
 redhat/keys/secureboot_s390.cer     | Bin
 redhat/Makefile                     |   7 +-
 redhat/kernel.spec.template         | 113 +++++++++++++++-------------------
 10 files changed, 51 insertions(+), 69 deletions(-)
From: Jan Stancek jstancek@redhat.com
redhat: align file names with names of signing keys for ppc and s390
Forward port of c9s commit: d8c1f5dbe0f2 ("redhat: align file names with names of signing keys for ppc and s390")
Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -702,8 +702,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{301,501,ca5,ca1}.cer $(SOURCES)/; \ - cp keys/secureboot_{ppc,s390}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{301,302,303,501,ca5,ca1}.cer $(SOURCES)/; \ else \ cp keys/redhatsecureboot{003,401,ca2,ca4}.cer $(SOURCES)/; \ fi diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -822,8 +822,8 @@ Source10: redhatsecurebootca5.cer Source11: redhatsecurebootca1.cer Source12: redhatsecureboot501.cer Source13: redhatsecureboot301.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source14: redhatsecureboot302.cer +Source15: redhatsecureboot303.cer
%define secureboot_ca_1 %{SOURCE10} %define secureboot_ca_0 %{SOURCE11} diff --git a/redhat/keys/secureboot_s390.cer b/redhat/keys/redhatsecureboot302.cer rename from redhat/keys/secureboot_s390.cer rename to redhat/keys/redhatsecureboot302.cer index blahblah..blahblah 100644 --- a/redhat/keys/secureboot_s390.cer +++ b/redhat/keys/redhatsecureboot302.cer diff --git a/redhat/keys/secureboot_ppc.cer b/redhat/keys/redhatsecureboot303.cer rename from redhat/keys/secureboot_ppc.cer rename to redhat/keys/redhatsecureboot303.cer index blahblah..blahblah 100644 --- a/redhat/keys/secureboot_ppc.cer +++ b/redhat/keys/redhatsecureboot303.cer
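Review bot: the commit message should record which architecture each renamed file belongs to; the rename hunks are the only place the mapping secureboot_s390.cer -> redhatsecureboot302.cer and secureboot_ppc.cer -> redhatsecureboot303.cer appears, and the new Source14/Source15 names no longer carry the arch. One sentence such as "302 is the s390 kernel signing key, 303 the ppc one, matching the pesign token names" would let a later reader check the spec's %ifarch blocks against the file names without the signing-server docs. It would also help to state that the certificate subjects were checked against the new names (openssl x509 -inform der -noout -subject -in keys/redhatsecureboot302.cer), since a swapped rename is not something the build would catch.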
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek jstancek@redhat.com
redhat: correct file name of redhatsecurebootca1
Forward-port of c9s commit: 0aacd971fa44 ("redhat: correct file name of redhatsecurebootca1")
In internal docs (Signing Server User Guide) it is referred to as 'redhatsecurebootca3'.
Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -702,7 +702,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{301,302,303,501,ca5,ca1}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{301,302,303,501,ca5,ca3}.cer $(SOURCES)/; \ else \ cp keys/redhatsecureboot{003,401,ca2,ca4}.cer $(SOURCES)/; \ fi diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -819,7 +819,7 @@ Source2: kernel.changelog %if %{?released_kernel}
Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca1.cer +Source11: redhatsecurebootca3.cer Source12: redhatsecureboot501.cer Source13: redhatsecureboot301.cer Source14: redhatsecureboot302.cer diff --git a/redhat/keys/redhatsecurebootca1.cer b/redhat/keys/redhatsecurebootca3.cer rename from redhat/keys/redhatsecurebootca1.cer rename to redhat/keys/redhatsecurebootca3.cer index blahblah..blahblah 100644 --- a/redhat/keys/redhatsecurebootca1.cer +++ b/redhat/keys/redhatsecurebootca3.cer
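Review bot: the rename of redhatsecurebootca1.cer to redhatsecurebootca3.cer is justified only by an internal document ("Signing Server User Guide") that reviewers outside Red Hat cannot consult; the commit message should quote the certificate's subject or serial (openssl x509 -inform der -noout -subject -serial -in keys/redhatsecurebootca3.cer) so the correct name is verifiable from the repository alone. The Makefile brace list and the Source11 line are the only references updated here; a grep of the spec for any remaining "ca1" string before merging is cheap, since a stale reference would only surface as a failed cp in sources-rh.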
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek jstancek@redhat.com
redhat: drop certificates that were deprecated after GRUB's BootHole flaw
Forward-port of c9s commit 9cb4544a5b4c ("redhat: drop certificates that were deprecated after GRUB's BootHole flaw")
Conflicts: also update the UKI signing hunk, since this patch is introduced out of order
Since newer RHEL should already have new enough grub versions, we no longer need to keep signing the kernel for secure boot with older keys for compatibility with older grub.
The second signature also causes problems because the upstream kernel so far does not support checking more than one signature, as reported in the bug above, where kexec signature checking can fail in a secure boot enabled environment. More than one signature requires that we patch the kernel for it to work, but we don't need that now since we can drop the second signature.
Signed-off-by: Herton R. Krzesinski herton@redhat.com Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -702,9 +702,9 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{301,302,303,501,ca5,ca3}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \ else \ - cp keys/redhatsecureboot{003,401,ca2,ca4}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \ fi @for KABIARCH in $(ARCH_LIST); do \ cp kabi/Module.kabi_$$KABIARCH $(SOURCES)/; \ diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -821,24 +821,22 @@ Source2: kernel.changelog Source10: redhatsecurebootca5.cer Source11: redhatsecurebootca3.cer Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: redhatsecureboot302.cer -Source15: redhatsecureboot303.cer +Source13: redhatsecureboot302.cer +Source14: redhatsecureboot303.cer
-%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} %ifarch x86_64 aarch64 -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot501 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot301 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE12} +%define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_key_0 %{SOURCE14} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key_0 %{SOURCE15} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot303 %endif
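Review bot: dropping secureboot_ca_1/secureboot_key_1/pesign_name_1 here removes the second signature for every consumer of this spec, but the commit message justifies that only for RHEL ("newer RHEL should already have new enough grub versions"); for ARK/Fedora the MR discussion below states that Fedora still needs both signatures until the updated shim lands, so this hunk should not merge ahead of that. The per-arch secureboot_ca_0 definitions are consistent with the Makefile change (ca3 for s390x and ppc64le, ca5 for x86_64/aarch64), but note that Source13 silently changes meaning from redhatsecureboot301 to redhatsecureboot302 and Source14 from 302 to 303; keeping the remaining numbers stable (drop Source13, leave Source14/Source15) would make the diff and any later backport easier to read.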
@@ -846,16 +844,11 @@ Source15: redhatsecureboot303.cer %else
Source10: redhatsecurebootca4.cer -Source11: redhatsecurebootca2.cer -Source12: redhatsecureboot401.cer -Source13: redhatsecureboot003.cer +Source11: redhatsecureboot401.cer
-%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot401 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot401
# released_kernel %endif @@ -2079,9 +2072,7 @@ BuildKernel() { SignImage=$KernelImage
%ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then @@ -2527,9 +2518,7 @@ BuildKernel() {
%if %{signkernel}
- %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm -f $KernelUnifiedImage.tmp + %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
if [ ! -s $KernelUnifiedImage.signed ]; then echo "pesigning failed" @@ -2620,13 +2609,7 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %else - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %endif + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then diff --git a/redhat/keys/redhatsecureboot003.cer b/redhat/keys/redhatsecureboot003.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot003.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot003.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot301.cer b/redhat/keys/redhatsecureboot301.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot301.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot301.cer and /dev/null differ diff --git a/redhat/keys/redhatsecurebootca2.cer b/redhat/keys/redhatsecurebootca2.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecurebootca2.cer +++ /dev/null Binary files a/redhat/keys/redhatsecurebootca2.cer and /dev/null differ
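Review bot: in the kernel-keys hunk the two dated CA copies (kernel-signing-ca-20200609.cer and kernel-signing-ca-20140212.cer) and the kernel-signing-ca.cer symlink are removed for x86_64/aarch64 and only a plain kernel-signing-ca.cer remains for every arch; the commit message says nothing about the file list under %{_datadir}/doc/kernel-keys changing, and anything that pinned a dated name breaks silently, so please list the removed paths in the message. In the vmlinuz hunk the single %pesign call now writes vmlinuz.signed directly, so the `rm vmlinuz.tmp` is correctly gone; the UKI hunk keeps its `if [ ! -s $KernelUnifiedImage.signed ]` check, but no equivalent emptiness check is visible for vmlinuz.signed in this hunk, and a pesign failure that leaves an empty file would only be noticed at install. Adding the same check there would be cheap.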
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek jstancek@redhat.com
redhat: replace redhatsecureboot303 signing key with redhatsecureboot601
Forward-port of c9s commit 50f1da0079cb ("redhat: replace redhatsecureboot303 signing key with redhatsecureboot601")
Intent is to separate trust between the different architectures, and to avoid shipping 2 CAs on ppc, since grub is also signed with redhatsecureboot601.
Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -702,7 +702,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer $(SOURCES)/; \ else \ cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \ fi diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -820,24 +820,25 @@ Source2: kernel.changelog
Source10: redhatsecurebootca5.cer Source11: redhatsecurebootca3.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot302.cer -Source14: redhatsecureboot303.cer +Source12: redhatsecurebootca6.cer +Source13: redhatsecureboot501.cer +Source14: redhatsecureboot302.cer +Source15: redhatsecureboot601.cer
%ifarch x86_64 aarch64 %define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE12} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x %define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE13} +%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE14} -%define pesign_name_0 redhatsecureboot303 +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot601 %endif
# released_kernel diff --git a/redhat/keys/redhatsecureboot303.cer b/redhat/keys/redhatsecureboot303.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot303.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot303.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot601.cer b/redhat/keys/redhatsecureboot601.cer new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/redhatsecureboot601.cer diff --git a/redhat/keys/redhatsecurebootca6.cer b/redhat/keys/redhatsecurebootca6.cer new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/redhatsecurebootca6.cer
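Review bot: the commit message says the aim is to avoid shipping two CAs on ppc, but the Makefile hunk copies both redhatsecurebootca3.cer and redhatsecurebootca6.cer into SOURCES for every released build and the spec lists ca3, ca5 and ca6 as Source10-12 inside the released_kernel block; only the %ifarch ppc64le selection of SOURCE12 reduces what ppc64le actually installs, which is fine but should be stated. The two new certificate entries show no "Binary files ... differ" line in this rendering, unlike the deleted redhatsecureboot303.cer, so a reviewer cannot tell from the diff that the .cer payloads are what they should be; please add the SHA-256 fingerprints (openssl x509 -inform der -noout -fingerprint -sha256) of redhatsecureboot601 and the ca6 CA to the commit message so they can be matched against the grub signing chain the message refers to.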
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek jstancek@redhat.com
redhat: switch the kernel package to use certs from system-sb-certs
Forward-port of c9s commit: e155f90ed44e ("redhat: switch the kernel package to use certs from system-sb-certs")
Conflicts: fedora and ELN don't have system-sb-certs
Both redhat and centos are now providing the public certificates we use for secure boot signing through the redhat-sb-certs or centos-sb-certs packages. Those provide the system-sb-certs "virtual" package.
Thus we no longer carry the copy of the same certificates inside the kernel sources; instead we switch to using the certificates provided by those packages.
This will enable secure boot signing for centos too, as centos uses a different set of certificates for signing and we were not using them in the package yet.
With this change, we also drop the usage of the beta certificates and the switch to the release certs: they aren't provided in the new scheme of system-sb-certs, and anyway e.g. grub2 isn't including/using those certs for signing. If any switching of keys is still needed, ideally this should be done in the package providing system-sb-certs.
While reviewing/doing this change, I also noted that some signkernel macro guards were missing in the spec, which I added. Also, in the install part where we copy files to the kernel-doc package, I consolidated the logic and added missing signkernel/signmodules guards; with the existing code, things would break if you disabled any of those options.
v2: change pesign_name_0 for CentOS as reported by Brian Stinson
Signed-off-by: Herton R. Krzesinski herton@redhat.com Signed-off-by: Prarit Bhargava prarit@redhat.com Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -701,11 +701,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check $(SOURCES)/ @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog - @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer $(SOURCES)/; \ - else \ - cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \ - fi + cp keys/redhatsecureboot{501,ca5}.cer $(SOURCES)/; @for KABIARCH in $(ARCH_LIST); do \ cp kabi/Module.kabi_$$KABIARCH $(SOURCES)/; \ cp kabi/Module.kabi_dup_$$KABIARCH $(SOURCES)/; \ diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -808,6 +808,10 @@ Source0: linux-%{tarfile_release}.tar.xz Source1: Makefile.rhelver Source2: kernel.changelog
+Source10: redhatsecurebootca5.cer +Source13: redhatsecureboot501.cer + +%if %{signkernel} # Name of the packaged file containing signing key %ifarch ppc64le %define signing_key_filename kernel-signing-ppc.cer @@ -816,42 +820,36 @@ Source2: kernel.changelog %define signing_key_filename kernel-signing-s390.cer %endif
-%if %{?released_kernel} +# Fedora/ELN pesign macro expects to see these cert file names, see: +# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L21... +%if 0%{?fedora}%{?eln} +%define pesign_name_0 redhatsecureboot501 +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE13} +%endif
-Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca3.cer -Source12: redhatsecurebootca6.cer -Source13: redhatsecureboot501.cer -Source14: redhatsecureboot302.cer -Source15: redhatsecureboot601.cer +# RHEL/centos certs come from system-sb-certs +%if 0%{?rhel} && !0%{?eln} +%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer +%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
+%if 0%{?centos} +%define pesign_name_0 centossecureboot201 +%else %ifarch x86_64 aarch64 -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_ca_0 %{SOURCE12} -%define secureboot_key_0 %{SOURCE15} %define pesign_name_0 redhatsecureboot601 %endif +%endif +# rhel && !eln +%endif
-# released_kernel -%else - -Source10: redhatsecurebootca4.cer -Source11: redhatsecureboot401.cer - -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE11} -%define pesign_name_0 redhatsecureboot401 - -# released_kernel +# signkernel %endif
Source20: mod-denylist.sh @@ -1852,10 +1850,12 @@ done openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem +%if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem cat secureboot.pem >> ../certs/rhel.pem %endif +%endif for i in *.config; do sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i done @@ -2078,7 +2078,7 @@ BuildKernel() { %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed - elif [ $DoModules -eq 1 ]; then + elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed else @@ -2579,14 +2579,6 @@ BuildKernel() { rm -f $RPM_BUILD_ROOT/mod-kvm.list fi
-%if %{signmodules} - if [ $DoModules -eq 1 ]; then - # Save the signing keys so we can sign the modules in __modsign_install_post - cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}} - cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}} - fi -%endif - # Move the devel headers out of the root file system mkdir -p $RPM_BUILD_ROOT/usr/src/kernels mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir @@ -2610,18 +2602,29 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer +%if %{signkernel} install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le - if [ $DoModules -eq 1 ]; then - if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - else - install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} - fi + if [ -x /usr/bin/rpm-sign ]; then + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} fi %endif +%endif + +%if %{signmodules} + if [ $DoModules -eq 1 ]; then + # Save the signing keys so we can sign the modules in __modsign_install_post + cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}} + cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}} + %ifarch s390x ppc64le + if [ ! -x /usr/bin/rpm-sign ]; then + install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + fi + %endif + fi +%endif
%if %{with_ipaclones} MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*([0-9]+)/\1/p') diff --git a/redhat/keys/redhatsecureboot302.cer b/redhat/keys/redhatsecureboot302.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot302.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot302.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot401.cer b/redhat/keys/redhatsecureboot401.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot401.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot401.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot601.cer b/redhat/keys/redhatsecureboot601.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot601.cer +++ /dev/null diff --git a/redhat/keys/redhatsecurebootca3.cer b/redhat/keys/redhatsecurebootca3.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecurebootca3.cer +++ /dev/null Binary files a/redhat/keys/redhatsecurebootca3.cer and /dev/null differ diff --git a/redhat/keys/redhatsecurebootca4.cer b/redhat/keys/redhatsecurebootca4.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecurebootca4.cer +++ /dev/null Binary files a/redhat/keys/redhatsecurebootca4.cer and /dev/null differ diff --git a/redhat/keys/redhatsecurebootca6.cer b/redhat/keys/redhatsecurebootca6.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecurebootca6.cer +++ /dev/null
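Review bot: the `%if 0%{?rhel} && !0%{?eln}` block points secureboot_ca_0 and secureboot_key_0 at %{_datadir}/pki/sb-certs/secureboot-{ca,kernel}-%{_arch}.cer, but nothing in this diff adds a BuildRequires on system-sb-certs (or redhat-sb-certs/centos-sb-certs); if that dependency is not already in the spec, the first failure will be the `openssl x509 -inform der -in %{secureboot_ca_0}` line in the s390x/ppc64le certs hunk or the %pesign call, as a file-not-found error rather than a clear missing-dependency error. Add `BuildRequires: system-sb-certs` under the same condition. Two smaller points: `elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]` relies on bash-only `==` and the deprecated `-a`; `[ "$DoModules" = 1 ] && [ "%{signmodules}" = 1 ]` is portable and reads the same. And in the kernel-keys hunk the signkernel block installs the real CA as kernel-signing-ca.cer, after which the signmodules block on s390x/ppc64le without rpm-sign overwrites that same file with the build's ephemeral certs/signing_key.x509. That matches the sign-file fallback used to sign vmlinuz on those arches, but the comment above ("Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel") is then wrong for such builds and should say so.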
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek jstancek@redhat.com
redhat: Use redhatsecureboot701 for ppc64le
Forward-port of c9s commit dd9a91221db9 ("redhat: Use redhatsecureboot701 for ppc64le")
Conflicts: RHEL has certs stored in system-sb-certs package, but ARK/Fedora has them in tree.
When addressing CVE-2022-1665 the ppc64le signing keys were rotated but the kernel itself was not updated to use the new key.
Signed-off-by: Patrick Talbert ptalbert@redhat.com Signed-off-by: Prarit Bhargava prarit@redhat.com Signed-off-by: Jan Stancek jstancek@redhat.com
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -843,7 +843,7 @@ Source13: redhatsecureboot501.cer %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define pesign_name_0 redhatsecureboot601 +%define pesign_name_0 redhatsecureboot701 %endif %endif # rhel && !eln
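Review bot: only the pesign token name changes here (redhatsecureboot601 -> redhatsecureboot701); secureboot_key_0 still resolves to %{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer from system-sb-certs, so the build is correct only if the installed sb-certs package already ships the 701 certificate under that name. If the -c certificate and the -n token disagree, pesign fails or signs with a key that does not match the certificate the package documents, and nothing in the spec checks for that; the commit message should name the minimum redhat-sb-certs version that carries the rotated key. Also, the "Conflicts:" note says ARK/Fedora keeps certs in tree, but the `%if 0%{?fedora}%{?eln}` branch is not touched and still signs every arch as redhatsecureboot501, which is presumably intended and worth a sentence.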
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
From: Jan Stancek on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849#note_1727995...
@jmflinuxtx Do you have a way to try this without merge? (In brew, I used to test MRs like these with --skip-tag parameter, so they don't get used anywhere)
From: Justin M. Forbes on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849#note_1732719...
I do not; the Fedora signing method is a bit different. More importantly though, we can't merge this yet. Fedora still needs both signatures while we wait for the updated shim. I was last told we are a month out or so.
From: Jan Stancek on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849#note_1841829...
We have the new shim now, so I'm resolving this thread.
kernel@lists.fedoraproject.org