diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-07-16 13:04:04 -0500 |
---|---|---|
committer | Peter Jones <pjones@redhat.com> | 2020-07-16 20:58:07 -0400 |
commit | fe6656ad47040a9a7fdf7def7f9156593322e453 (patch) | |
tree | 2895749067e0bbc58beee06fa768d017f4b511a2 /kernel.spec | |
parent | 86f9461052d44cc0358645f7e4cacb2a5fe13f5c (diff) | |
download | kernel-fe6656ad47040a9a7fdf7def7f9156593322e453.tar.gz kernel-fe6656ad47040a9a7fdf7def7f9156593322e453.tar.xz kernel-fe6656ad47040a9a7fdf7def7f9156593322e453.zip |
Fix secure boot signing
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to 'kernel.spec')
-rw-r--r-- | kernel.spec | 70 |
1 files changed, 44 insertions, 26 deletions
diff --git a/kernel.spec b/kernel.spec index 5f95dedfd..818168eac 100644 --- a/kernel.spec +++ b/kernel.spec @@ -637,41 +637,51 @@ Source10: x509.genkey.rhel Source11: x509.genkey.fedora %if %{?released_kernel} -Source12: securebootca.cer -Source13: secureboot.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer - -%define secureboot_ca %{SOURCE12} +Source12: redhatsecurebootca5.cer +Source13: redhatsecurebootca1.cer +Source14: redhatsecureboot501.cer +Source15: redhatsecureboot301.cer +Source16: secureboot_s390.cer +Source17: secureboot_ppc.cer + +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_ca_1 %{SOURCE13} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot501 +%define secureboot_key_1 %{SOURCE15} +%define pesign_name_1 redhatsecureboot301 %endif %ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 +%define secureboot_key_0 %{SOURCE16} +%define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define secureboot_key_0 %{SOURCE17} +%define pesign_name_0 redhatsecureboot303 %endif # released_kernel %else -Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source12: redhatsecurebootca4.cer +Source13: redhatsecurebootca2.cer +Source14: redhatsecureboot401.cer +Source15: redhatsecureboot003.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define secureboot_ca_0 %{SOURCE12} +%define secureboot_ca_1 %{SOURCE13} +%define secureboot_key_0 %{SOURCE14} +%define pesign_name_0 redhatsecureboot401 +%define secureboot_key_1 %{SOURCE15} +%define pesign_name_1 redhatsecureboot003 # released_kernel %endif Source22: mod-extra.list.rhel -Source16: mod-extra.list.fedora -Source17: mod-extra.sh +Source23: mod-extra.list.fedora +Source24: mod-extra.sh Source18: mod-sign.sh Source19: mod-extra-blacklist.sh Source79: parallel_xz.sh @@ -1792,11 +1802,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -2086,11 +2098,11 @@ BuildKernel() { popd # Call the modules-extra script to move things around - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list # Blacklist net autoloadable modules in modules-extra %{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer # Call the modules-extra script for internal modules - %{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal + %{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal # # Generate the kernel-core and kernel-modules files lists @@ -2187,11 +2199,17 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2921,7 +2939,7 @@ fi %if 0%{!?fedora:1}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ %endif\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\ %ifarch s390x ppc64le\ %if 0%{!?4:1}\ %{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ |