diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2021-08-23 08:33:08 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2021-08-23 08:33:08 -0500 |
commit | fab840e687dce6f1dfab027f9f28af218cf67e63 (patch) | |
tree | baa83dca36042996c8a13525a4c4497ac8eb7405 /kernel.spec | |
parent | e6db6208701fde0213d58d7be8ab9cffddfaaf7b (diff) | |
download | kernel-fab840e687dce6f1dfab027f9f28af218cf67e63.tar.gz kernel-fab840e687dce6f1dfab027f9f28af218cf67e63.tar.xz kernel-fab840e687dce6f1dfab027f9f28af218cf67e63.zip |
kernel-5.14.0-0.rc7.54
* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
Resolves: rhbz#1994849
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to 'kernel.spec')
-rwxr-xr-x | kernel.spec | 70 |
1 files changed, 29 insertions, 41 deletions
diff --git a/kernel.spec b/kernel.spec index 59e26b836..6e81ce8ab 100755 --- a/kernel.spec +++ b/kernel.spec @@ -78,9 +78,9 @@ Summary: The Linux kernel # Set debugbuildsenabled to 0 to not build a separate debug kernel, but # to build the base kernel using the debug configuration. (Specifying # the --with-release option overrides this setting.) -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 -%global distro_build 0.rc6.20210820gitd992fe5318d8.50 +%global distro_build 0.rc7.54 %if 0%{?fedora} %define secure_boot_arch x86_64 @@ -124,13 +124,13 @@ Summary: The Linux kernel %define kversion 5.14 %define rpmversion 5.14.0 -%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50 +%define pkgrelease 0.rc7.54 # This is needed to do merge window version magic %define patchlevel 14 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist} +%define specrelease 0.rc7.54%{?buildid}%{?dist} %define pkg_release %{specrelease} @@ -671,7 +671,7 @@ BuildRequires: lld # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz +Source0: linux-5.14-rc7.tar.xz Source1: Makefile.rhelver @@ -690,26 +690,21 @@ Source9: x509.genkey.fedora %if %{?released_kernel} Source10: redhatsecurebootca5.cer -Source11: redhatsecurebootca1.cer -Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer - -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} +Source11: redhatsecureboot501.cer +Source12: secureboot_s390.cer +Source13: secureboot_ppc.cer + +%define secureboot_ca_0 %{SOURCE10} %ifarch x86_64 aarch64 -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot501 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot301 +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot501 %endif %ifarch s390x -%define secureboot_key_0 %{SOURCE14} +%define secureboot_key_0 %{SOURCE12} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key_0 %{SOURCE15} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot303 %endif @@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer %else Source10: redhatsecurebootca4.cer -Source11: redhatsecurebootca2.cer -Source12: redhatsecureboot401.cer -Source13: redhatsecureboot003.cer - -%define secureboot_ca_1 %{SOURCE10} -%define secureboot_ca_0 %{SOURCE11} -%define secureboot_key_1 %{SOURCE12} -%define pesign_name_1 redhatsecureboot401 -%define secureboot_key_0 %{SOURCE13} -%define pesign_name_0 redhatsecureboot003 +Source11: redhatsecureboot401.cer + +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_key_0 %{SOURCE11} +%define pesign_name_0 redhatsecureboot401 # released_kernel %endif @@ -1357,8 +1347,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c -mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL} +%setup -q -n kernel-5.14-rc7 -c +mv linux-5.14-rc7 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . @@ -1630,9 +1620,7 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then @@ -2097,13 +2085,7 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %else - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %endif + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then @@ -2952,6 +2934,12 @@ fi # # %changelog +* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54] +- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849] + +* Sat Aug 21 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210821gitfa54d366a6e4.51] +- More Fedora config updates (Justin M. Forbes) + * Fri Aug 20 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210820gitd992fe5318d8.50] - Fedora config updates for 5.14 (Justin M. Forbes) |