author: Jeremy Cline <jcline@redhat.com> 2019-04-23 14:21:09 +0000
committer: Jeremy Cline <jcline@redhat.com> 2019-04-23 15:48:39 +0000
commit: 86957a079dd8ed0b3ada2069c8f3dff74adfcb6a
tree: 7985a9d8f477346da9ef8347c7abd545e27950a1 /kernel.spec
parent: 6ba41ac9d453c3371f9d6f652d9face0a1bf9fc4
Check module signatures with the platform keyring (if enabled)
Upstream has made a keyring to the platform keys. The "KEYS: Allow unrestricted boot-time addition of keys to secondary keyring" is available upstream for the platform keyring. The only issue is that module signatures aren't checked with the platform keyring, so this introduces a patch to add that which has been sent upstream. At least our carried-patch count hasn't gone up.
Diffstat (limited to 'kernel.spec')
-rw-r--r-- kernel.spec 9
1 files changed, 7 insertions, 2 deletions
diff --git a/kernel.spec b/kernel.spec
index 30e58a93b..2f4e38231 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -539,8 +539,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
Patch201: efi-lockdown.patch
-Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
-
# bz 1497559 - Make kernel MODSIGN code not error on missing variables
Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
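Review bot: the Patch202 removal is only half visible here, because this diff is limited to kernel.spec and does not show whether KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch is also deleted from the tree. Please confirm the patch file is dropped in the same commit so no unreferenced source is left behind. Since this patch touched which keys may be added to the secondary keyring at boot, it would also help to state next to Patch201 which upstream change now covers that behaviour.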
@@ -637,6 +635,10 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
# CVE-2019-9503 rhbz 1701842 1701843
Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1701096
+# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
+Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+
# END OF PATCH DEFINITIONS
%endif
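Review bot: the comment above Patch521 gives the bug and the lkml submission but not the trust change the patch makes, and it drops the "(if enabled)" condition from the commit subject. A one-line comment saying that modules signed by keys in the platform keyring are accepted, and naming the build option that gates this, would make the security impact readable from the spec alone. The patch also sits at 521 after an unrelated CVE fix while the keyring entry it supersedes was Patch202 next to efi-lockdown.patch; grouping it with the 2xx Secure Boot patches would keep related changes together.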
@@ -1910,6 +1912,9 @@ fi
#
#
%changelog
+* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
+- Allow modules signed by keys in the platform keyring (rbhz 1701096)
+
* Tue Apr 23 2019 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2019-9503 rhbz 1701842 1701843
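Review bot: the new changelog entry spells the bug tag "rbhz" where the entry directly below it uses "rhbz", so anything that greps changelogs for rhbz numbers will miss 1701096. Suggest changing it to "(rhbz 1701096)".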