Modified to use MSVSphere Secure Boot certificates

2 years ago · 22e073b08f
parent 468e477c80
commit 22e073b08f
5 changed files with 21 additions and 45 deletions
--- a/SOURCES/msvspheredup1.x509
+++ b/SOURCES/msvspheredup1.x509
--- a/SOURCES/msvspherepatch1.x509
+++ b/SOURCES/msvspherepatch1.x509
--- a/SOURCES/x509.genkey.centos
+++ b/SOURCES/x509.genkey.centos
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = The CentOS Project
+O = NCSD LLC
-CN = CentOS Stream kernel signing key
+CN = MSVSphere kernel signing key
-emailAddress = security@centos.org
+emailAddress = security@msvsphere.ru
 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Red Hat
+O = NCSD LLC
-CN = Red Hat Enterprise Linux kernel signing key
+CN = MSVSphere kernel signing key
-emailAddress = secalert@redhat.com
+emailAddress = security@msvsphere.ru
 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -694,20 +694,7 @@ Source1: Makefile.rhelver
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
-
+%define pesign_name_0 spheresecureboot001
 %if 0%{?centos}
 %define pesign_name_0 centossecureboot201
 %else
 %ifarch x86_64 aarch64
 %define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
 %define pesign_name_0 redhatsecureboot701
 %endif
 %endif
 # signkernel
 %endif
@ -780,8 +767,8 @@ Source82: update_scripts.sh
 Source84: mod-internal.list
-Source100: rheldup3.x509
+Source100: msvspheredup1.x509
-Source101: rhelkpatch1.x509
+Source101: msvspherepatch1.x509
 Source200: check-kabi
@ -1045,12 +1032,12 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif
 %package -n kernel-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere kernel ABI symbol stablelists
 AutoReqProv: no
 %description -n kernel-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
+The kABI package contains information pertaining to the MSVSphere kernel ABI,
-Linux kernel ABI, including lists of kernel symbols that are needed by
+including lists of kernel symbols that are needed by external Linux kernel
-external Linux kernel modules, and a yum plugin to aid enforcement.
+modules, and a yum plugin to aid enforcement.
 %if %{with_kabidw_base}
 %package kernel-kabidw-base-internal
@ -1058,8 +1045,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
+The package contains data describing the current ABI of the MSVSphere kernel,
-Linux kernel, suitable for the kabi-dw tool.
+suitable for the kabi-dw tool.
 %endif
 #
@ -1157,7 +1144,7 @@ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?1:+%{1}}\
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}
 #
@ -1453,7 +1440,7 @@ done
 # Adjust FIPS module name for RHEL
 %if 0%{?rhel}
 for i in *.config; do
-  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="MSVSphere %{rhel} - Kernel Cryptographic API"/' $i
 done
 %endif
@ -1472,18 +1459,6 @@ done
 cp %{SOURCE82} .
 RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target}
 # We may want to override files from the primary target in case of building
 # against a flavour of it (eg. centos not rhel), thus override it here if
 # necessary
 if [ "%{primary_target}" == "rhel" ]; then
 %if 0%{?centos}
  echo "Updating scripts/sources to centos version"
  RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos
 %else
  echo "Not updating scripts/sources to centos version"
 %endif
 fi
 # end of kernel config
 %endif
@ -2103,7 +2078,7 @@ BuildKernel() {
    # prune junk from kernel-devel
    find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -3017,8 +2992,9 @@ fi
 #
 #
 %changelog
-* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 5.14.0-162.6.1
+* Mon Mar 27 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 5.14.0-162.6.1.el9_1
- Rebuilt for MSVSphere 9.1.
+- Modified to use MSVSphere Secure Boot certificates
 - Rebuilt for MSVSphere 9.1
 * Fri Sep 30 2022 Patrick Talbert <ptalbert@redhat.com> [5.14.0-162.6.1.el9_1]
 - kabi: add symbol yield to stablelist (Čestmír Kalina) [2120286]