From fab840e687dce6f1dfab027f9f28af218cf67e63 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes@fedoraproject.org>
Date: Mon, 23 Aug 2021 08:33:08 -0500
Subject: kernel-5.14.0-0.rc7.54

* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
Resolves: rhbz#1994849

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
---
 kernel.spec | 70 +++++++++++++++++++++++++------------------------------------
 1 file changed, 29 insertions(+), 41 deletions(-)

(limited to 'kernel.spec')

diff --git a/kernel.spec b/kernel.spec
index 59e26b836..6e81ce8ab 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -78,9 +78,9 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 0 to not build a separate debug kernel, but
 #  to build the base kernel using the debug configuration. (Specifying
 #  the --with-release option overrides this setting.)
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
 
-%global distro_build 0.rc6.20210820gitd992fe5318d8.50
+%global distro_build 0.rc7.54
 
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
@@ -124,13 +124,13 @@ Summary: The Linux kernel
 %define kversion 5.14
 
 %define rpmversion 5.14.0
-%define pkgrelease 0.rc6.20210820gitd992fe5318d8.50
+%define pkgrelease 0.rc7.54
 
 # This is needed to do merge window version magic
 %define patchlevel 14
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20210820gitd992fe5318d8.50%{?buildid}%{?dist}
+%define specrelease 0.rc7.54%{?buildid}%{?dist}
 
 %define pkg_release %{specrelease}
 
@@ -671,7 +671,7 @@ BuildRequires: lld
 # exact git commit you can run
 #
 # xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.14-rc6-125-gd992fe5318d8.tar.xz
+Source0: linux-5.14-rc7.tar.xz
 
 Source1: Makefile.rhelver
 
@@ -690,26 +690,21 @@ Source9: x509.genkey.fedora
 %if %{?released_kernel}
 
 Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
+Source11: redhatsecureboot501.cer
+Source12: secureboot_s390.cer
+Source13: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE10}
 %ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
+%define secureboot_key_0 %{SOURCE12}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
+%define secureboot_key_0 %{SOURCE13}
 %define pesign_name_0 redhatsecureboot303
 %endif
 
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer
 %else
 
 Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+Source11: redhatsecureboot401.cer
+
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401
 
 # released_kernel
 %endif
@@ -1357,8 +1347,8 @@ ApplyOptionalPatch()
   fi
 }
 
-%setup -q -n kernel-5.14-rc6-125-gd992fe5318d8 -c
-mv linux-5.14-rc6-125-gd992fe5318d8 linux-%{KVERREL}
+%setup -q -n kernel-5.14-rc7 -c
+mv linux-5.14-rc7 linux-%{KVERREL}
 
 cd linux-%{KVERREL}
 cp -a %{SOURCE1} .
@@ -1630,9 +1620,7 @@ BuildKernel() {
     fi
 
     %ifarch x86_64 aarch64
-    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
-    rm vmlinuz.tmp
+    %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
     %endif
     %ifarch s390x ppc64le
     if [ -x /usr/bin/rpm-sign ]; then
@@ -2097,13 +2085,7 @@ BuildKernel() {
 
     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    %ifarch x86_64 aarch64
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
-       install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
-       ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %else
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %endif
+    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
     %ifarch s390x ppc64le
     if [ $DoModules -eq 1 ]; then
 	if [ -x /usr/bin/rpm-sign ]; then
@@ -2952,6 +2934,12 @@ fi
 #
 #
 %changelog
+* Mon Aug 23 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc7.54]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Herton R. Krzesinski) [1994849]
+
+* Sat Aug 21 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210821gitfa54d366a6e4.51]
+- More Fedora config updates (Justin M. Forbes)
+
 * Fri Aug 20 2021 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.14.0-0.rc6.20210820gitd992fe5318d8.50]
 - Fedora config updates for 5.14 (Justin M. Forbes)
 
-- 
cgit