From 8ca65946257d7683fcd0c3df8c9c016a66ab1f82 Mon Sep 17 00:00:00 2001
From: tigro
Date: Mon, 15 Apr 2024 12:25:32 +0300
Subject: [PATCH] Modified to use MSVSphere Secure Boot certificates
---
 .kernel.metadata | 2 ++
 SOURCES/x509.genkey | 6 ++---
 SPECS/kernel.spec | 62 ++++++++++++++-------------------------------
 3 files changed, 24 insertions(+), 46 deletions(-)
diff --git a/.kernel.metadata b/.kernel.metadata
index 4ed61e7..df26f1d 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -10,3 +10,5 @@ cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
 905d91a282727c7f5ad433a49ac42a0772311c6a SOURCES/redhatsecurebootca7.cer
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
+6fd8d9d4fd8cd8a9c40cc9d3d24a2d2501369869 SOURCES/msvspheredup1.x509
+ec8fefbe48fe852ade37c1c0683b1796605ba19f SOURCES/msvspherepatch1.x509
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index b1bbe38..b1d1678 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 331e81d..300b040 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -414,6 +414,7 @@ BuildRequires: kabi-dw
 %if %{signkernel}%{signmodules}
 BuildRequires: openssl openssl-devel
 %if %{signkernel}
+BuildRequires: system-sb-certs
 %ifarch x86_64 aarch64
 BuildRequires: nss-tools
 BuildRequires: pesign >= 0.10-4
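Review bot: The manifest keeps the lines for certificates this patch stops using — rheldup3.x509 and rhelkpatch1.x509 in this hunk, and redhatsecurebootca3.cer / redhatsecurebootca7.cer just above it — while the kernel.spec hunks drop Source10–16 and repoint Source100/101. If `.kernel.metadata` drives the lookaside fetch (it looks like the dist-git sources format, but that is inferred), every build still downloads Red Hat certificates that nothing in the spec references, and the manifest no longer reflects what the build actually trusts. Removing the stale entries in the same commit keeps the list of fetched trust material auditable. The commit message also does not say where msvspheredup1.x509 and msvspherepatch1.x509 come from; a one-line note on their origin would help anyone later verifying these SHA-1s against the issuing key.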
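Review bot: `BuildRequires: system-sb-certs` is unversioned, while the new `secureboot_ca_0` / `secureboot_key_0` macros in the next hunk hard-code that package's file layout (`%{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer` and `secureboot-grub2-%{_arch}.cer`), so a builder with an older or differently laid-out system-sb-certs fails only deep inside the signing step. Pinning the contract to the release that first ships those files, `BuildRequires: system-sb-certs >= <first-version-with-sb-certs-layout>` (placeholder), makes the dependency explicit. Note that this BuildRequires sits under `%if %{signkernel}`, so the files are only guaranteed present in signing builds; any use of the macros outside that guard would see a missing path where the old `%{SOURCE10}` was always unpacked.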
@@ -446,37 +447,9 @@ Source9: x509.genkey
 %define signing_key_filename kernel-signing-s390.cer
 %endif
-Source10: redhatsecurebootca3.cer
-Source11: centossecurebootca2.cer
-Source12: centossecureboot201.cer
-Source13: redhatsecureboot501.cer
-Source14: redhatsecureboot302.cer
-Source15: redhatsecureboot303.cer
-Source16: redhatsecurebootca7.cer
-%if 0%{?centos}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 centossecureboot201
-%else
-
-%ifarch x86_64 aarch64
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot501
-%endif
-
-%ifarch s390x
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 redhatsecureboot302
-%endif
-
-%ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE16}
-%define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
+%define pesign_name_0 spheresecureboot001
 Source17: mod-blacklist.sh
 Source18: mod-sign.sh
@@ -505,8 +478,8 @@ Source43: generate_bls_conf.sh
 Source44: mod-internal.list
-Source100: rheldup3.x509
-Source101: rhelkpatch1.x509
+Source100: msvspheredup1.x509
+Source101: msvspherepatch1.x509
 %if %{with_kabichk}
 Source200: check-kabi
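Review bot: `pesign_name_0` collapses the previous per-arch pesign tokens (redhatsecureboot501 / 302 / 701, each paired with its own CA and certificate) into a single `spheresecureboot001` for every arch, while the CA and certificate files stay per-arch through `-%{_arch}.cer`; that only works if the one pesign token holds the key behind `secureboot-grub2-%{_arch}.cer` on x86_64, aarch64, s390x and ppc64le alike, which this hunk cannot show and which surfaces only as an image that fails Secure Boot verification. Worth confirming on each builder's pesign database before merging. Separately, `secureboot_key_0` now names the GRUB2 certificate; if system-sb-certs also ships a kernel-specific certificate, pointing the macro at it keeps the bootloader and kernel signing keys separate, so that revoking one does not take the other with it (how the macro is consumed by the signing step is outside this hunk). A comment above the three defines recording that assumption, e.g. `# secureboot_key_0 must match the key held by the pesign token in pesign_name_0 on every arch`, would make the coupling visible to the next person who touches it.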
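Review bot: Replacing rheldup3.x509 and rhelkpatch1.x509 with the MSVSphere certificates changes the set of keys the built kernel trusts, not just who signs the image — presumably Source100/101 still feed the kernel's built-in trusted keyring as in the original spec, though their consumer is outside this hunk — so out-of-tree modules and live patches signed with the Red Hat DUP/kpatch keys stop loading on this kernel. That is the expected outcome for a rebuild, but the commit subject and the changelog entry only mention Secure Boot certificates; a second changelog line such as `- Replace Red Hat DUP/kpatch trusted certificates with MSVSphere ones` would record the trust change where people look for it.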
@@ -549,8 +522,8 @@ Patch999999: linux-kernel-test.patch BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for Red Hat Enterprise -Linux. It is based on upstream Linux at version %{version} and maintains kABI +This is the package which provides the Linux %{name} for MSVSphere. +It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means this is not a %{version} kernel anymore: it includes several components which come @@ -558,7 +531,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in Red Hat Enterprise Linux, enhancements for +updates for supported hardware in MSVSphere, enhancements for enterprise customers, etc. # 
@@ -806,14 +779,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif
 %package -n %{name}-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere Linux kernel ABI symbol stablelists
 Group: System Environment/Kernel
 AutoReqProv: no
 Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release}
 Provides: %{name}-abi-whitelists
 %description -n %{name}-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
-Linux kernel ABI, including lists of kernel symbols that are needed by
+The kABI package contains information pertaining to the MSVSphere
+kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 %if %{with_kabidw_base}
@@ -822,8 +795,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
-Linux kernel, suitable for the kabi-dw tool.
+The package contains data describing the current ABI of the MSVSphere
+kernel, suitable for the kabi-dw tool.
 %endif
 #
@@ -897,7 +870,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}
 #
@@ -1749,7 +1722,7 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le @@ -2695,6 +2668,9 @@ fi # # %changelog +* Mon Apr 15 2024 Arkady L. Shane - [4.18.0-544.el8] +- Modified to use MSVSphere Secure Boot certificates + * Fri Mar 29 2024 MSVSphere Packaging Team - 4.18.0-544 - Rebuilt for MSVSphere 8.10 beta
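Review bot: `install -m 0644 %{secureboot_ca_0} ...` now copies a file owned by the system-sb-certs build dependency instead of an unpacked Source, and that dependency is declared only under `%if %{signkernel}` in the earlier hunk; if this part of BuildKernel can run with signkernel disabled (the enclosing condition, if any, is outside the hunk, and BuildKernel's body continues beyond it), the install fails on a missing path where `%{SOURCE10}` used to be present unconditionally. Guarding this block with the same `%if %{signkernel}` as the BuildRequires, or making the copy conditional on the file existing, keeps non-signing builds working. The updated comment could also say which file is shipped, e.g. `# MSVSphere UEFI Secure Boot CA cert (secureboot-ca-%{_arch}.cer from system-sb-certs), which can be used to authenticate the kernel`, so a reader of the installed kernel-signing-ca.cer knows its origin.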