summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2020-07-16 13:04:04 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2020-07-16 13:04:04 -0500
commitfbc93f939b1c352dd45543f475358d9434bd7a13 (patch)
tree66749d605301c207f9678f35707e958faca932dd
parentd09e44ea796e7b018d5bf8bd84f4d90d29ee3522 (diff)
downloadkernel-fbc93f939b1c352dd45543f475358d9434bd7a13.tar.gz
kernel-fbc93f939b1c352dd45543f475358d9434bd7a13.tar.xz
kernel-fbc93f939b1c352dd45543f475358d9434bd7a13.zip
Fix secure boot signing
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--kernel.spec60
-rw-r--r--redhatsecureboot301.cerbin0 -> 899 bytes
-rw-r--r--redhatsecureboot401.cerbin0 -> 978 bytes
-rw-r--r--redhatsecureboot501.cerbin0 -> 964 bytes
-rw-r--r--redhatsecurebootca1.cerbin0 -> 977 bytes
-rw-r--r--redhatsecurebootca4.cerbin0 -> 934 bytes
-rw-r--r--redhatsecurebootca5.cerbin0 -> 920 bytes
7 files changed, 39 insertions, 21 deletions
diff --git a/kernel.spec b/kernel.spec
index 004ac6c94..91d1ea541 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -584,34 +584,44 @@ Source10: x509.genkey.rhel
Source11: x509.genkey.fedora
%if %{?released_kernel}
-Source12: securebootca.cer
-Source13: secureboot.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca %{SOURCE12}
+Source12: redhatsecurebootca5.cer
+Source13: redhatsecurebootca1.cer
+Source14: redhatsecureboot501.cer
+Source15: redhatsecureboot301.cer
+Source16: secureboot_s390.cer
+Source17: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
%ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot501
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot301
%endif
%ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE16}
+%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE17}
+%define pesign_name_0 redhatsecureboot303
%endif
# released_kernel
%else
-Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source12: redhatsecurebootca4.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot401.cer
+Source15: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot003
# released_kernel
%endif
@@ -1638,11 +1648,13 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+ %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+ rm vmlinuz.tmp
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
- rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+ rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@@ -2045,11 +2057,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch x86_64 aarch64
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+ install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
new file mode 100644
index 000000000..20e660479
--- /dev/null
+++ b/redhatsecureboot301.cer
Binary files differ
diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer
new file mode 100644
index 000000000..247666cfe
--- /dev/null
+++ b/redhatsecureboot401.cer
Binary files differ
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 000000000..dfa7afb46
--- /dev/null
+++ b/redhatsecureboot501.cer
Binary files differ
diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer
new file mode 100644
index 000000000..b2354007b
--- /dev/null
+++ b/redhatsecurebootca1.cer
Binary files differ
diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer
new file mode 100644
index 000000000..8cb32e68c
--- /dev/null
+++ b/redhatsecurebootca4.cer
Binary files differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 000000000..dfb028495
--- /dev/null
+++ b/redhatsecurebootca5.cer
Binary files differ