diff options
authorJustin M. Forbes <>2020-08-12 08:27:52 -0500
committerJustin M. Forbes <>2020-08-12 08:27:52 -0500
commit426b17af14a269cc24d57e3d1346cd06ba40e98e (patch)
parent424795858b70c4e654727cae7e4782f816c7cbbe (diff)
More files for stable Fedora
Signed-off-by: Justin M. Forbes <>
-rw-r--r--redhatsecureboot301.cerbin0 -> 899 bytes
-rw-r--r--redhatsecureboot501.cerbin0 -> 964 bytes
-rw-r--r--redhatsecurebootca1.cerbin0 -> 977 bytes
-rw-r--r--redhatsecurebootca5.cerbin0 -> 920 bytes
-rw-r--r--secureboot_ppc.cerbin0 -> 899 bytes
-rw-r--r--secureboot_s390.cerbin0 -> 899 bytes
10 files changed, 338 insertions, 191 deletions
diff --git a/ b/
new file mode 100755
index 000000000..c4c4f8f6d
--- /dev/null
+++ b/
@@ -0,0 +1,56 @@
+ cat > "$buildroot/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+ # This kernel module can be automatically loaded by non-root users. To
+ # enhance system security, the module is blacklisted by default to ensure
+ # system administrators make the module available for use as needed.
+ # See for more details.
+ #
+ # Remove the blacklist by adding a comment # at the start of the line.
+ blacklist $1
+ if modinfo "$1" | grep -q '^alias:\s\+net-'; then
+ mod="${1##*/}"
+ mod="${mod%.ko*}"
+ echo "$mod has an alias that allows auto-loading. Blacklisting."
+ blacklist "$mod"
+ fi
+ P=$(nproc)
+ bgcount=0
+ while read mod; do
+ $1 "$mod" &
+ bgcount=$((bgcount + 1))
+ if [ $bgcount -eq $P ]; then
+ wait -n
+ bgcount=$((bgcount - 1))
+ fi
+ done
+ wait
+[ -d "$buildroot/etc/modprobe.d/" ] || mkdir -p "$buildroot/etc/modprobe.d/"
+find "$buildroot/$kernel_base/extra" -name "*.ko*" | \
+ foreachp check_blacklist
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+if [ -f $buildroot/$kernel_base/extra/drivers/block/floppy.ko* ]; then
+ blacklist "floppy"
diff --git a/mod-extra.list b/mod-extra.list
new file mode 100644
index 000000000..8140f5c9e
--- /dev/null
+++ b/mod-extra.list
@@ -0,0 +1,196 @@
diff --git a/mod-extra.list.rhel b/mod-extra.list.rhel
index c0c730e56..e69de29bb 100644
--- a/mod-extra.list.rhel
+++ b/mod-extra.list.rhel
@@ -1,191 +0,0 @@
diff --git a/ b/
new file mode 100755
index 000000000..7dc075b98
--- /dev/null
+++ b/
@@ -0,0 +1,86 @@
+#! /bin/bash
+# Destination was specified on the command line
+test -n "$3" && Dest="$3"
+pushd $Dir
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+export ListName=$(basename "$List")
+# NB: this loop runs 2000+ iterations. Try to be fast.
+[ -z "$NPROC" ] && NPROC=1
+cat modnames | xargs -r -n1 -P $NPROC sh -c '
+ dep=$1
+ depends=`modinfo $dep | sed -n -e "/^depends/ s/^depends:[ \t]*//p"`
+ [ -z "$depends" ] && exit
+ for mod in ${depends//,/ }
+ do
+ match=$(grep "^$mod.ko" "$ListName")
+ [ -z "$match" ] && continue
+ # check if the module we are looking at is in mod-extra too.
+ # if so we do not need to mark the dep as required.
+ mod2=${dep##*/} # same as `basename $dep`, but faster
+ match2=$(grep "^$mod2" "$ListName")
+ if [ -n "$match2" ]
+ then
+ #echo $mod2 >> notreq.list
+ continue
+ fi
+ echo $mod.ko >> req.list
+ done
+' DUMMYARG0 # xargs appends MODNAME, which becomes $dep in the script above
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+for mod in $(cat modules3.list)
+ # get the path for the module
+ modpath=`grep /$mod modnames`
+ [ -z "$modpath" ] && continue
+ echo $modpath >> dep.list
+sort -u dep.list > dep2.list
+# now move the modules into the extra/ directory
+for mod in `cat dep2.list`
+ newpath=`dirname $mod | sed -e "s/kernel\\//$Dest\//"`
+ mkdir -p $newpath
+ mv $mod $newpath
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file. This is kinda ugly, but
+# so is modules-extra.
+for mod in `cat ${Dir}/dep2.list`
+ modfile=`basename $mod | sed -e 's/.ko/.mod/'`
+ rm .tmp_versions/$modfile
+pushd $Dir
+rm modnames dep.list dep2.list req.list req2.list
+rm "$ListName" modules2.list modules3.list
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
new file mode 100644
index 000000000..20e660479
--- /dev/null
+++ b/redhatsecureboot301.cer
Binary files differ
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 000000000..dfa7afb46
--- /dev/null
+++ b/redhatsecureboot501.cer
Binary files differ
diff --git a/redhatsecurebootca1.cer b/redhatsecurebootca1.cer
new file mode 100644
index 000000000..b2354007b
--- /dev/null
+++ b/redhatsecurebootca1.cer
Binary files differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 000000000..dfb028495
--- /dev/null
+++ b/redhatsecurebootca5.cer
Binary files differ
diff --git a/secureboot_ppc.cer b/secureboot_ppc.cer
new file mode 100644
index 000000000..2c0087dbc
--- /dev/null
+++ b/secureboot_ppc.cer
Binary files differ
diff --git a/secureboot_s390.cer b/secureboot_s390.cer
new file mode 100644
index 000000000..137d3858f
--- /dev/null
+++ b/secureboot_s390.cer
Binary files differ