authorThorsten Leemhuis <fedora@leemhuis.info>2020-07-17 16:39:36 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2020-07-17 16:39:36 +0200
commit59a4c2c0c6e6e9400ba06174a0970deaa66d64b2 (patch)
treee0de5c7fd3ff267a903f17cebd54839484e73f2a
parentd5b2886bb99349163f590bd3378f0f2917447ea5 (diff)
parent781ac22bbe35ca4947f00a486134c4085f972633 (diff)
merge origin
-rw-r--r--kernel.spec73
-rw-r--r--redhatsecureboot301.cerbin0 -> 899 bytes
-rw-r--r--redhatsecureboot401.cerbin0 -> 978 bytes
-rw-r--r--redhatsecureboot501.cerbin0 -> 964 bytes
-rw-r--r--redhatsecurebootca1.cerbin0 -> 977 bytes
-rw-r--r--redhatsecurebootca4.cerbin0 -> 934 bytes
-rw-r--r--redhatsecurebootca5.cerbin0 -> 920 bytes
-rwxr-xr-xscripts/create_headers_tarball.sh4
-rw-r--r--sources1
9 files changed, 50 insertions, 28 deletions
diff --git a/kernel.spec b/kernel.spec
index c35e25045..7559ca0d5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -652,41 +652,51 @@ Source10: x509.genkey.rhel
Source11: x509.genkey.fedora
%if %{?released_kernel}
-Source12: securebootca.cer
-Source13: secureboot.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca %{SOURCE12}
+Source12: redhatsecurebootca5.cer
+Source13: redhatsecurebootca1.cer
+Source14: redhatsecureboot501.cer
+Source15: redhatsecureboot301.cer
+Source16: secureboot_s390.cer
+Source17: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
%ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot501
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot301
%endif
%ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE16}
+%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE17}
+%define pesign_name_0 redhatsecureboot303
%endif
# released_kernel
%else
-Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source12: redhatsecurebootca4.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot401.cer
+Source15: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot003
# released_kernel
%endif
Source22: mod-extra.list.rhel
-Source16: mod-extra.list.fedora
-Source17: mod-extra.sh
+Source23: mod-extra.list.fedora
+Source24: mod-extra.sh
Source18: mod-sign.sh
Source19: mod-extra-blacklist.sh
Source79: parallel_xz.sh
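Review bot: `Source16` and `Source17` are reassigned in the released branch from `mod-extra.list.fedora`/`mod-extra.sh` to the s390 and ppc certificates, so any `%{SOURCE16}` or `%{SOURCE17}` reference left elsewhere in the spec would now resolve to a certificate path, or to nothing in the non-released branch, rather than to the script. Two `%{SOURCE17}` call sites are updated later in this commit, but the rest of the file is not visible here, so a search for both numbers is worth doing before merging. Separately, the `_0`/`_1` suffixes are unexplained; going by the dated file names used at install time, a comment above the first pair such as `# _0 = current signing CA/key, _1 = previous CA/key kept for dual signing` would make the intent explicit.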
@@ -1814,11 +1824,13 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+ %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+ rm vmlinuz.tmp
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
- rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+ rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
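Review bot: Nothing after the second `%pesign` call confirms that `vmlinuz.signed` carries both signatures, so a pass that leaves the image unsigned or singly signed would only surface at boot on a machine that trusts just one of the two CAs. A step right after the two calls that lists the signatures on `vmlinuz.signed` and fails the build unless two are present would close that gap. A comment above the pair is also missing, for example `# dual-sign: %{pesign_name_0} first, then %{pesign_name_1} on top of it`. `$SignImage` is unquoted on both the pesign and `rpm-sign` lines. `BuildKernel()` starts and ends outside this hunk.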
@@ -2108,11 +2120,11 @@ BuildKernel() {
popd
# Call the modules-extra script to move things around
- %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
+ %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
# Blacklist net autoloadable modules in modules-extra
%{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer
# Call the modules-extra script for internal modules
- %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
+ %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
#
# Generate the kernel-core and kernel-modules files lists
@@ -2209,11 +2221,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch x86_64 aarch64
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+ install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
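Review bot: In the `%else` branch, s390x and ppc64le now publish `%{secureboot_ca_0}` as `kernel-signing-ca.cer`, which in the released configuration is `redhatsecurebootca5.cer` instead of the former `securebootca.cer`; this commit does not show whether that CA issued the `redhatsecureboot302`/`redhatsecureboot303` keys used on those arches. If it did not, anyone using the installed file to authenticate the kernel, as the comment above the `mkdir` describes, would be checking against the wrong CA, so this should be confirmed and recorded in a comment such as `# s390x/ppc64le signing keys chain to <CA name>`. The dated names `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer` are also hard-coded, while in the non-released branch the macros point at `redhatsecurebootca4.cer` and `redhatsecurebootca2.cer`, so the labels may not match there. The enclosing `if` blocks continue past the end of the hunk.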
@@ -2943,7 +2961,7 @@ fi
%if 0%{!?fedora:1}\
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
%endif\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\
%ifarch s390x ppc64le\
%if 0%{!?4:1}\
%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
@@ -2996,6 +3014,9 @@ fi
#
#
%changelog
+* Fri Jul 17 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.9-100
+- Linux v5.7.9
+
* Wed Jul 15 2020 Justin M. Forbes <jforbes@fedoraproject.org>
- Make some killer wireless ac 1550 cards work again
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
new file mode 100644
index 000000000..20e660479
--- /dev/null
+++ b/redhatsecureboot301.cer
Binary files differ
diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer
new file mode 100644
index 000000000..247666cfe
--- /dev/null
+++ b/redhatsecureboot401.cer
Binary files differ
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 000000000..dfa7afb46
--- /dev/null
+++ b/redhatsecureboot501.cer
Binary files differ
diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer
new file mode 100644
index 000000000..b2354007b
--- /dev/null
+++ b/redhatsecurebootca1.cer
Binary files differ
diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer
new file mode 100644
index 000000000..8cb32e68c
--- /dev/null
+++ b/redhatsecurebootca4.cer
Binary files differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 000000000..dfb028495
--- /dev/null
+++ b/redhatsecurebootca5.cer
Binary files differ
diff --git a/scripts/create_headers_tarball.sh b/scripts/create_headers_tarball.sh
index f9c3cb9c5..f6aa13fe4 100755
--- a/scripts/create_headers_tarball.sh
+++ b/scripts/create_headers_tarball.sh
@@ -30,11 +30,11 @@ BUILDID=`grep "^%define buildid" kernel.spec| cut -d ' ' -f 3`
if [ $RELEASED -eq 0 ]; then
cd kernel-$MAJORVER.$BASE.fc??
NEWBASE=$(($BASE+1))
- KVER=$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE$BUILDID
+ KVER=$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV
cd linux-$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE$BUILDID.fc*/
else
cd kernel-$MAJORVER.$BASE.fc??/linux-$MAJORVER.$BASE.$STABLE-$BASERELEASE$BUILDID.fc*/
- KVER=$MAJORVER.$BASE.$STABLE-$BASERELEASE
+ KVER=$MAJORVER.$BASE.$STABLE
fi
# ARCH_LIST below has the default list of supported architectures
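Review bot: `KVER` now stops at the upstream version while the `cd` targets on the neighbouring lines still include `$BASERELEASE$BUILDID`, and nothing explains why the two differ. A comment above the first assignment, for example `# KVER is the version only; release and buildid are intentionally left out`, would keep a later edit from putting them back. How `KVER` is consumed lies outside this hunk, so the wording should be checked against that use.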
diff --git a/sources b/sources
index 82099a097..695f098d8 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
SHA512 (linux-5.7.tar.xz) = 45bde01593f6147c8c169b9e46b4b56eee998142552ae0ff82f1dd21b1fd54f3b32f6283f6bd77ea717d374672167849e468c157f235d2f12f7d7816e4623bf6
+SHA512 (patch-5.7.9.xz) = 30eaa543ee1d371b5d05c7d8268e2e4fb55b5fee8f509070c677776744af47a743a36f655e5244e79d87a45a0ca7aae3eacdc9969e26d6b1d443a42db4bd5588