Modified to use MSVSphere Secure Boot certificates

i9-beta changed/i9-beta/kernel-5.14.0-362.2.1.el9_3
Arkady L. Shane 1 year ago
parent 12c2d4b3b6
commit 3b69f50844
Signed by untrusted user: tigro
GPG Key ID: 9C7900103E1C4F8B

Binary file not shown.

Binary file not shown.

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = The CentOS Project
CN = CentOS Stream kernel signing key
emailAddress = security@centos.org
O = NCSD LLC
CN = MSVSphere kernel signing key
emailAddress = security@msvsphere.ru
[ myexts ]
basicConstraints=critical,CA:FALSE

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
O = Red Hat
CN = Red Hat Enterprise Linux kernel signing key
emailAddress = secalert@redhat.com
O = NCSD LLC
CN = MSVSphere kernel signing key
emailAddress = security@msvsphere.ru
[ myexts ]
basicConstraints=critical,CA:FALSE

@ -812,19 +812,7 @@ Source1: Makefile.rhelver
%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
%if 0%{?centos}
%define pesign_name_0 centossecureboot201
%else
%ifarch x86_64 aarch64
%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define pesign_name_0 redhatsecureboot701
%endif
%endif
%define pesign_name_0 spheresecureboot001
# signkernel
%endif
@ -903,8 +891,8 @@ Source84: mod-internal.list
Source85: mod-partner.list
Source86: mod-kvm.list
Source100: rheldup3.x509
Source101: rhelkpatch1.x509
Source100: msvspheredup1.x509
Source101: msvspherepatch1.x509
Source102: rhelimaca1.x509
Source103: rhelima.x509
Source104: rhelima_centos.x509
@ -1247,11 +1235,11 @@ Summary: gcov graph and source files for coverage data collection.\
%{nil}
%package -n kernel-abi-stablelists
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
Summary: The MSVSphere kernel ABI symbol stablelists
AutoReqProv: no
%description -n kernel-abi-stablelists
The kABI package contains information pertaining to the Red Hat Enterprise
Linux kernel ABI, including lists of kernel symbols that are needed by
The kABI package contains information pertaining to the MSVSphere
kernel ABI, including lists of kernel symbols that are needed by
external Linux kernel modules, and a yum plugin to aid enforcement.
%if %{with_kabidw_base}
@ -1260,8 +1248,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
Group: System Environment/Kernel
AutoReqProv: no
%description kernel-kabidw-base-internal
The package contains data describing the current ABI of the Red Hat Enterprise
Linux kernel, suitable for the kabi-dw tool.
The package contains data describing the current ABI of the MSVSphere
kernel, suitable for the kabi-dw tool.
%endif
#
@ -1360,7 +1348,7 @@ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1
AutoReq: no\
AutoProv: yes\
%description %{?1:%{1}-}modules-internal\
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
%{nil}
%if %{with_realtime}
@ -1533,7 +1521,7 @@ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:%{1}
AutoReq: no\
AutoProv: yes\
%description %{?1:%{1}-}modules-partner\
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat partners usage.\
This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere partners usage.\
%{nil}
# Now, each variant package.
@ -1792,7 +1780,7 @@ done
# Adjust FIPS module name for RHEL
%if 0%{?rhel}
for i in *.config; do
sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="MSVSphere %{rhel} - Kernel Cryptographic API"/' $i
done
%endif
@ -1811,18 +1799,6 @@ RHJOBS=$RPM_BUILD_NCPUS PACKAGE_NAME=kernel ./process_configs.sh $OPTS ${specver
cp %{SOURCE82} .
RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target}
# We may want to override files from the primary target in case of building
# against a flavour of it (eg. centos not rhel), thus override it here if
# necessary
if [ "%{primary_target}" == "rhel" ]; then
%if 0%{?centos}
echo "Updating scripts/sources to centos version"
RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos
%else
echo "Not updating scripts/sources to centos version"
%endif
fi
# end of kernel config
%endif
@ -2458,9 +2434,9 @@ BuildKernel() {
%else
SBATsuffix="rhel"
%endif
echo "linux,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
echo "linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
echo "kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
echo "linux,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
echo "linux.$SBATsuffix,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
echo "kernel-uki-virt.$SBATsuffix,1,MSVSphere,kernel-uki-virt,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
# Remove the original .sbat section
objcopy --remove-section .sbat $KernelUnifiedImage
# Get the end of the last section
@ -2577,7 +2553,7 @@ BuildKernel() {
# prune junk from kernel-devel
find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
# MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%if %{signkernel}
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@ -2589,7 +2565,7 @@ BuildKernel() {
%endif
%if 0%{?rhel}
# Red Hat IMA code-signing cert, which is used to authenticate package files
# MSVSphere IMA code-signing cert, which is used to authenticate package files
install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
%endif
@ -3756,6 +3732,9 @@ fi
#
#
%changelog
* Mon Oct 9 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - [5.14.0-362.2.1.el9_3]
- Modified to use MSVSphere Secure Boot certificates
* Fri Sep 08 2023 Jan Stancek <jstancek@redhat.com> [5.14.0-362.2.1.el9_3]
- PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation (Vitaly Kuznetsov) [2211797]
- rhel: Re-add can-dev features that were removed accidentally (Radu Rendec) [2213891]

Loading…
Cancel
Save