diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-07-17 16:39:43 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-07-17 16:39:43 +0200 |
commit | 1e058a4487de61d8fc9a84c744b5b2ea891f1b8b (patch) | |
tree | ff31f3b581aff73d1e369ec9381ca3664a0d815c | |
parent | 5a7e3ce5bc36ce8ec1120d261aeac00b0cb03f1c (diff) | |
parent | 1a35ea6540f24eddac705d04900d9eb371a147ef (diff) | |
download | kernel-1e058a4487de61d8fc9a84c744b5b2ea891f1b8b.tar.gz kernel-1e058a4487de61d8fc9a84c744b5b2ea891f1b8b.tar.xz kernel-1e058a4487de61d8fc9a84c744b5b2ea891f1b8b.zip |
merge origin
-rw-r--r-- | kernel.spec | 71 | ||||
-rw-r--r-- | redhatsecureboot301.cer | bin | 0 -> 899 bytes | |||
-rw-r--r-- | redhatsecureboot401.cer | bin | 0 -> 978 bytes | |||
-rw-r--r-- | redhatsecureboot501.cer | bin | 0 -> 964 bytes | |||
-rw-r--r-- | redhatsecurebootca1.cer | bin | 0 -> 977 bytes | |||
-rw-r--r-- | redhatsecurebootca4.cer | bin | 0 -> 934 bytes | |||
-rw-r--r-- | redhatsecurebootca5.cer | bin | 0 -> 920 bytes | |||
-rwxr-xr-x | scripts/create_headers_tarball.sh | 6 | ||||
-rw-r--r-- | sources | 1 |
9 files changed, 50 insertions, 28 deletions
diff --git a/kernel.spec b/kernel.spec index 74c7f11fd..86989125f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -652,39 +652,49 @@ Source10: x509.genkey.rhel Source11: x509.genkey.fedora %if %{?released_kernel} -Source12: securebootca.cer -Source13: secureboot.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer - -%define secureboot_ca %{SOURCE12} +Source12: redhatsecurebootca5.cer +Source13: redhatsecurebootca1.cer +Source14: redhatsecureboot501.cer +Source15: redhatsecureboot301.cer +Source16: secureboot_s390.cer +Source17: secureboot_ppc.cer + +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_ca_1 %{SOURCE13} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot501 +%define secureboot_key_1 %{SOURCE15} +%define pesign_name_1 redhatsecureboot301 %endif %ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 +%define secureboot_key_0 %{SOURCE16} +%define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define secureboot_key_0 %{SOURCE17} +%define pesign_name_0 redhatsecureboot303 %endif %else # released_kernel -Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source12: redhatsecurebootca4.cer +Source13: redhatsecurebootca2.cer +Source14: redhatsecureboot401.cer +Source15: redhatsecureboot003.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_ca_1 %{SOURCE13} +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot401 +%define secureboot_key_1 %{SOURCE15} +%define pesign_name_1 redhatsecureboot003 %endif # released_kernel Source22: mod-extra.list.rhel -Source16: mod-extra.list.fedora -Source17: mod-extra.sh +Source23: mod-extra.list.fedora +Source24: mod-extra.sh Source18: mod-sign.sh Source19: mod-extra-blacklist.sh Source79: parallel_xz.sh @@ -1807,11 +1817,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -2093,11 +2105,11 @@ BuildKernel() { popd # Call the modules-extra script to move things around - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list # Blacklist net autoloadable modules in modules-extra %{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer # Call the modules-extra script for internal modules - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal # # Generate the kernel-core and kernel-modules files lists @@ -2195,11 +2207,17 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2928,6 +2946,9 @@ fi # # %changelog +* Fri Jul 17 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.9-100 +- Linux v5.7.9 + * Wed Jul 15 2020 Justin M. Forbes <jforbes@fedoraproject.org> - Make some killer wireless ac 1550 cards work again diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer Binary files differnew file mode 100644 index 000000000..20e660479 --- /dev/null +++ b/redhatsecureboot301.cer diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer Binary files differnew file mode 100644 index 000000000..247666cfe --- /dev/null +++ b/redhatsecureboot401.cer diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer Binary files differnew file mode 100644 index 000000000..dfa7afb46 --- /dev/null +++ b/redhatsecureboot501.cer diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer Binary files differnew file mode 100644 index 000000000..b2354007b --- /dev/null +++ b/redhatsecurebootca1.cer diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer Binary files differnew file mode 100644 index 000000000..8cb32e68c --- /dev/null +++ b/redhatsecurebootca4.cer diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer Binary files differnew file mode 100644 index 000000000..dfb028495 --- /dev/null +++ b/redhatsecurebootca5.cer diff --git a/scripts/create_headers_tarball.sh b/scripts/create_headers_tarball.sh index 9a59f03a5..f6aa13fe4 100755 --- a/scripts/create_headers_tarball.sh +++ b/scripts/create_headers_tarball.sh @@ -30,17 +30,17 @@ BUILDID=`grep "^%define buildid" kernel.spec| cut -d ' ' -f 3` if [ $RELEASED -eq 0 ]; then cd kernel-$MAJORVER.$BASE.fc?? NEWBASE=$(($BASE+1)) - KVER=$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE$BUILDID + KVER=$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV cd linux-$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE$BUILDID.fc*/ else cd kernel-$MAJORVER.$BASE.fc??/linux-$MAJORVER.$BASE.$STABLE-$BASERELEASE$BUILDID.fc*/ - KVER=$MAJORVER.$BASE.$STABLE-$BASERELEASE + KVER=$MAJORVER.$BASE.$STABLE fi # ARCH_LIST below has the default list of supported architectures # (the architectures names may be different from rpm, you list here the # names of arch/<arch> directories in the kernel sources) -ARCH_LIST="arm arm64 powerpc s390 x86" +ARCH_LIST="arm arm64 powerpc riscv s390 x86" headers_dir=$(mktemp -d) trap 'rm -rf "$headers_dir"' SIGHUP SIGINT SIGTERM EXIT @@ -1 +1,2 @@ SHA512 (linux-5.7.tar.xz) = 45bde01593f6147c8c169b9e46b4b56eee998142552ae0ff82f1dd21b1fd54f3b32f6283f6bd77ea717d374672167849e468c157f235d2f12f7d7816e4623bf6 +SHA512 (patch-5.7.9.xz) = 30eaa543ee1d371b5d05c7d8268e2e4fb55b5fee8f509070c677776744af47a743a36f655e5244e79d87a45a0ca7aae3eacdc9969e26d6b1d443a42db4bd5588 |