summaryrefslogtreecommitdiffstats
path: root/kernel.spec
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2021-08-23 08:33:08 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2021-08-23 08:33:08 -0500
commitfab840e687dce6f1dfab027f9f28af218cf67e63 (patch)
treebaa83dca36042996c8a13525a4c4497ac8eb7405 /kernel.spec
parente6db6208701fde0213d58d7be8ab9cffddfaaf7b (diff)
downloadkernel-fab840e687dce6f1dfab027f9f28af218cf67e63.tar.gz
kernel-fab840e687dce6f1dfab027f9f28af218cf67e63.tar.xz
kernel-fab840e687dce6f1dfab027f9f28af218cf67e63.zip
kernel-5.14.0-0.rc7.54
* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54] - redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849] Resolves: rhbz#1994849 Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to 'kernel.spec')
-rwxr-xr-xkernel.spec70
1 files changed, 29 insertions, 41 deletions
diff --git a/kernel.spec b/kernel.spec
index 59e26b836..6e81ce8ab 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -78,9 +78,9 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 0 to not build a separate debug kernel, but
# to build the base kernel using the debug configuration. (Specifying
# the --with-release option overrides this setting.)
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
-%global distro_build 0.rc6.20210820gitd992fe5318d8.50
+%global distro_build 0.rc7.54
%if 0%{?fedora}
%define secure_boot_arch x86_64
@@ -124,13 +124,13 @@ Summary: The Linux kernel
%define kversion 5.14
%define rpmversion 5.14.0
-%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50
+%define pkgrelease 0.rc7.54
# This is needed to do merge window version magic
%define patchlevel 14
# allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist}
+%define specrelease 0.rc7.54%{?buildid}%{?dist}
%define pkg_release %{specrelease}
@@ -671,7 +671,7 @@ BuildRequires: lld
# exact git commit you can run
#
# xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz
+Source0: linux-5.14-rc7.tar.xz
Source1: Makefile.rhelver
@@ -690,26 +690,21 @@ Source9: x509.genkey.fedora
%if %{?released_kernel}
Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
+Source11: redhatsecureboot501.cer
+Source12: secureboot_s390.cer
+Source13: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE10}
%ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
+%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
+%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot303
%endif
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer
%else
Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+Source11: redhatsecureboot401.cer
+
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401
# released_kernel
%endif
@@ -1357,8 +1347,8 @@ ApplyOptionalPatch()
fi
}
-%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c
-mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL}
+%setup -q -n kernel-5.14-rc7 -c
+mv linux-5.14-rc7 linux-%{KVERREL}
cd linux-%{KVERREL}
cp -a %{SOURCE1} .
@@ -1630,9 +1620,7 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
@@ -2097,13 +2085,7 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
@@ -2952,6 +2934,12 @@ fi
#
#
%changelog
+* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
+
+* Sat Aug 21 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210821gitfa54d366a6e4.51]
+- More Fedora config updates (Justin M. Forbes)
+
* Fri Aug 20 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210820gitd992fe5318d8.50]
- Fedora config updates for 5.14 (Justin M. Forbes)