Modified to use MSVSphere Secure Boot certificates

changed/i8/kernel-4.18.0-513.5.1.el8_9
Arkady L. Shane 1 year ago
parent 4e24adc598
commit 23ed0d19b6
Signed by untrusted user: tigro
GPG Key ID: 1EC08A25C9DB2503

@ -10,3 +10,5 @@ cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
905d91a282727c7f5ad433a49ac42a0772311c6a SOURCES/redhatsecurebootca7.cer
95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
6fd8d9d4fd8cd8a9c40cc9d3d24a2d2501369869 SOURCES/msvspheredup1.x509
ec8fefbe48fe852ade37c1c0683b1796605ba19f SOURCES/msvspherepatch1.x509

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = Red Hat
CN = Red Hat Enterprise Linux kernel signing key
emailAddress = secalert@redhat.com
O = NCSD LLC
CN = MSVSphere kernel signing key
emailAddress = security@msvsphere.ru
[ myexts ]
basicConstraints=critical,CA:FALSE

@ -415,6 +415,7 @@ BuildRequires: kabi-dw
%if %{signkernel}%{signmodules}
BuildRequires: openssl openssl-devel
%if %{signkernel}
BuildRequires: system-sb-certs
%ifarch x86_64 aarch64
BuildRequires: nss-tools
BuildRequires: pesign >= 0.10-4
@ -447,37 +448,9 @@ Source9: x509.genkey
%define signing_key_filename kernel-signing-s390.cer
%endif
Source10: redhatsecurebootca3.cer
Source11: centossecurebootca2.cer
Source12: centossecureboot201.cer
Source13: redhatsecureboot501.cer
Source14: redhatsecureboot302.cer
Source15: redhatsecureboot303.cer
Source16: redhatsecurebootca7.cer
%if 0%{?centos}
%define secureboot_ca_0 %{SOURCE11}
%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 centossecureboot201
%else
%ifarch x86_64 aarch64
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define secureboot_ca_0 %{SOURCE16}
%define secureboot_key_0 %{SOURCE15}
%define pesign_name_0 redhatsecureboot701
%endif
%endif
%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%define pesign_name_0 spheresecureboot001
Source17: mod-blacklist.sh
Source18: mod-sign.sh
@ -506,8 +479,8 @@ Source43: generate_bls_conf.sh
Source44: mod-internal.list
Source100: rheldup3.x509
Source101: rhelkpatch1.x509
Source100: msvspheredup1.x509
Source101: msvspherepatch1.x509
%if %{with_kabichk}
Source200: check-kabi
@ -550,8 +523,8 @@ Patch999999: linux-kernel-test.patch
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
%description
This is the package which provides the Linux %{name} for Red Hat Enterprise
Linux. It is based on upstream Linux at version %{version} and maintains kABI
This is the package which provides the Linux %{name} for MSVSphere.
It is based on upstream Linux at version %{version} and maintains kABI
compatibility of a set of approved symbols, however it is heavily modified with
backports and fixes pulled from newer upstream Linux %{name} releases. This means
this is not a %{version} kernel anymore: it includes several components which come
@ -559,7 +532,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
core. Some of the components/backports that may be pulled in are: changes like
updates to the core kernel (eg.: scheduler, cgroups, memory management, security
fixes and features), updates to block layer, supported filesystems, major driver
updates for supported hardware in Red Hat Enterprise Linux, enhancements for
updates for supported hardware in MSVSphere, enhancements for
enterprise customers, etc.
#
@ -807,14 +780,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
%endif
%package -n %{name}-abi-stablelists
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
Summary: The MSVSphere kernel ABI symbol stablelists
Group: System Environment/Kernel
AutoReqProv: no
Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
Provides: %{name}-abi-whitelists
%description -n %{name}-abi-stablelists
The kABI package contains information pertaining to the Red Hat Enterprise
Linux kernel ABI, including lists of kernel symbols that are needed by
The kABI package contains information pertaining to the MSVSphere
kernel ABI, including lists of kernel symbols that are needed by
external Linux kernel modules, and a yum plugin to aid enforcement.
%if %{with_kabidw_base}
@ -823,8 +796,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
Group: System Environment/Kernel
AutoReqProv: no
%description kernel-kabidw-base-internal
The package contains data describing the current ABI of the Red Hat Enterprise
Linux kernel, suitable for the kabi-dw tool.
The package contains data describing the current ABI of the MSVSphere
kernel, suitable for the kabi-dw tool.
%endif
#
@ -898,7 +871,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
AutoReq: no\
AutoProv: yes\
%description %{?1:%{1}-}modules-internal\
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
%{nil}
#
@ -1750,7 +1723,7 @@ BuildKernel() {
# build a BLS config for this kernel
%{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}"
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
# MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le
@ -2696,6 +2669,9 @@ fi
#
#
%changelog
* Fri Nov 17 2023 Arkady L. Shane <tigro@msvsphere-os.ru> [4.18.0-513.5.1.el8_9]
- Modified to use MSVSphere Secure Boot certificates
* Fri Sep 29 2023 Patrick Talbert <ptalbert@redhat.com> [4.18.0-513.5.1.el8_9]
- redhat: list Z-Jiras in the changelog before Y-Jiras (Herton R. Krzesinski)
- Revert "mm, meminit: recalculate pcpu batch and high limits after init completes" (Chris von Recklinghausen) [RHEL-8539]

Loading…
Cancel
Save