Fix secure boot signing
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
parent
78cd327119
commit
b5970da6c9
7 changed files with 42 additions and 24 deletions
66
kernel.spec
66
kernel.spec
|
|
@ -634,39 +634,49 @@ Source10: x509.genkey.rhel
|
|||
Source11: x509.genkey.fedora
|
||||
%if %{?released_kernel}
|
||||
|
||||
Source12: securebootca.cer
|
||||
Source13: secureboot.cer
|
||||
Source14: secureboot_s390.cer
|
||||
Source15: secureboot_ppc.cer
|
||||
Source12: redhatsecurebootca5.cer
|
||||
Source13: redhatsecurebootca1.cer
|
||||
Source14: redhatsecureboot501.cer
|
||||
Source15: redhatsecureboot301.cer
|
||||
Source16: secureboot_s390.cer
|
||||
Source17: secureboot_ppc.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%ifarch x86_64 aarch64
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot301
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot501
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot301
|
||||
%endif
|
||||
%ifarch s390x
|
||||
%define secureboot_key %{SOURCE14}
|
||||
%define pesign_name redhatsecureboot302
|
||||
%define secureboot_key_0 %{SOURCE16}
|
||||
%define pesign_name_0 redhatsecureboot302
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define secureboot_key %{SOURCE15}
|
||||
%define pesign_name redhatsecureboot303
|
||||
%define secureboot_key_0 %{SOURCE17}
|
||||
%define pesign_name_0 redhatsecureboot303
|
||||
%endif
|
||||
|
||||
%else # released_kernel
|
||||
|
||||
Source12: redhatsecurebootca2.cer
|
||||
Source13: redhatsecureboot003.cer
|
||||
Source12: redhatsecurebootca4.cer
|
||||
Source13: redhatsecurebootca2.cer
|
||||
Source14: redhatsecureboot401.cer
|
||||
Source15: redhatsecureboot003.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot003
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot401
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot003
|
||||
|
||||
%endif # released_kernel
|
||||
|
||||
Source22: mod-extra.list.rhel
|
||||
Source16: mod-extra.list.fedora
|
||||
Source17: mod-extra.sh
|
||||
Source23: mod-extra.list.fedora
|
||||
Source24: mod-extra.sh
|
||||
Source18: mod-sign.sh
|
||||
Source19: mod-extra-blacklist.sh
|
||||
Source79: parallel_xz.sh
|
||||
|
|
@ -1782,11 +1792,13 @@ BuildKernel() {
|
|||
fi
|
||||
|
||||
%ifarch x86_64 aarch64
|
||||
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
|
||||
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||||
rm vmlinuz.tmp
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
elif [ $DoModules -eq 1 ]; then
|
||||
chmod +x scripts/sign-file
|
||||
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
|
||||
|
|
@ -2068,11 +2080,11 @@ BuildKernel() {
|
|||
popd
|
||||
|
||||
# Call the modules-extra script to move things around
|
||||
%{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
|
||||
%{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer $RPM_SOURCE_DIR/mod-extra.list
|
||||
# Blacklist net autoloadable modules in modules-extra
|
||||
%{SOURCE19} $RPM_BUILD_ROOT lib/modules/$KernelVer
|
||||
# Call the modules-extra script for internal modules
|
||||
%{SOURCE17} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
|
||||
%{SOURCE24} $RPM_BUILD_ROOT/lib/modules/$KernelVer %{SOURCE54} internal
|
||||
|
||||
#
|
||||
# Generate the kernel-core and kernel-modules files lists
|
||||
|
|
@ -2170,11 +2182,17 @@ BuildKernel() {
|
|||
|
||||
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||||
install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%ifarch x86_64 aarch64
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
||||
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
||||
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%else
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
else
|
||||
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
|
|
|
|||
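Review bot: The installed names `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer` in the last hunk are hard-coded, but `%{secureboot_ca_0}` and `%{secureboot_ca_1}` resolve to redhatsecurebootca4.cer and redhatsecurebootca2.cer in the `%else # released_kernel` branch of the first hunk, so non-released builds would ship those certs under dates that presumably belong to ca5 and ca1. Defining the document name next to each cert, e.g. `%define secureboot_ca_0_name kernel-signing-ca-20200609.cer` in the released branch with its own value in the `%else` branch, and installing to `%{secureboot_ca_0_name}`, keeps the name and the cert in one place. Separately, Source16/Source17 are repurposed from mod-extra.list.fedora/mod-extra.sh to the s390/ppc certs, and only the `%{SOURCE17}` uses in the third hunk were renumbered to `%{SOURCE24}`; any remaining `%{SOURCE16}` reference outside these hunks would now expand to secureboot_s390.cer on released builds (and be undefined otherwise), so it is worth a grep. BuildKernel() starts and ends outside the visible hunks.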
BIN
redhatsecureboot301.cer
Normal file
BIN
redhatsecureboot301.cer
Normal file
Binary file not shown.
BIN
redhatsecureboot401.cer
Normal file
BIN
redhatsecureboot401.cer
Normal file
Binary file not shown.
BIN
redhatsecureboot501.cer
Normal file
BIN
redhatsecureboot501.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca1.cer
Normal file
BIN
redhatsecurebootca1.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca4.cer
Normal file
BIN
redhatsecurebootca4.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca5.cer
Normal file
BIN
redhatsecurebootca5.cer
Normal file
Binary file not shown.