From 95e7e57992f0ea28ab6fad1b10ef26cf90fba9ec Mon Sep 17 00:00:00 2001
From: tigro
Date: Wed, 20 Dec 2023 14:02:39 +0300
Subject: [PATCH] Modified to use MSVSphere Secure Boot certificates

---
 SOURCES/x509.genkey | 6 ++---
 SPECS/kernel.spec | 61 +++++++++++++--------------------------------
 2 files changed, 21 insertions(+), 46 deletions(-)

diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index b1bbe38..b1d1678 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index d73d7e4..a85e2f0 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -447,37 +447,9 @@ Source9: x509.genkey
 %define signing_key_filename kernel-signing-s390.cer
 %endif
 
-Source10: redhatsecurebootca3.cer
-Source11: centossecurebootca2.cer
-Source12: centossecureboot201.cer
-Source13: redhatsecureboot501.cer
-Source14: redhatsecureboot302.cer
-Source15: redhatsecureboot303.cer
-Source16: redhatsecurebootca7.cer
-%if 0%{?centos}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 centossecureboot201
-%else
-
-%ifarch x86_64 aarch64
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot501
-%endif
-
-%ifarch s390x
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 redhatsecureboot302
-%endif
-
-%ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE16}
-%define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
+%define pesign_name_0 spheresecureboot001
 
 Source17: mod-blacklist.sh
 Source18: mod-sign.sh
@@ -506,8 +478,8 @@ Source43: generate_bls_conf.sh
 Source44: mod-internal.list
 
-Source100: rheldup3.x509
-Source101: rhelkpatch1.x509
+Source100: msvspheredup1.x509
+Source101: msvspherepatch1.x509
 
 %if %{with_kabichk}
 Source200: check-kabi
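Review bot: The new `%define secureboot_ca_0` and `%define secureboot_key_0` lines resolve to files under `%{_datadir}/pki/sb-certs/` in the build root, whereas the removed Source10–Source16 lines shipped the certificates with the spec, but this hunk adds no `BuildRequires:` for the package that provides those files; unless one exists elsewhere in the spec, `install -m 0644 %{secureboot_ca_0}` in BuildKernel (the `@@ -1750` hunk) fails outright, and even when a build environment does supply the files nothing in the spec pins which CA ends up shipped as `kernel-signing-ca.cer` and used for pesign. Add `BuildRequires: <package providing %{_datadir}/pki/sb-certs>` (placeholder, the real package name is not visible here) next to the defines. The signing certificate is now `secureboot-grub2-%{_arch}.cer` for every architecture, while the old defines used distinct per-arch kernel certificates and a separate CA on ppc64le; if signing the kernel with the grub2 certificate is intentional, a one-line comment such as `# kernel images are signed with the same per-arch cert as grub2; CA is shipped in kernel-keys` would stop the next reader from treating it as a copy-paste slip. `pesign_name_0 spheresecureboot001` has to match a nickname in the builders' pesign database, which cannot be checked from the spec, so a comment naming that dependency is worth adding too.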
@@ -550,8 +522,8 @@ Patch999999: linux-kernel-test.patch
 BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
 
 %description
-This is the package which provides the Linux %{name} for Red Hat Enterprise
-Linux. It is based on upstream Linux at version %{version} and maintains kABI
+This is the package which provides the Linux %{name} for MSVSphere.
+It is based on upstream Linux at version %{version} and maintains kABI
 compatibility of a set of approved symbols, however it is heavily modified with
 backports and fixes pulled from newer upstream Linux %{name} releases. This means
 this is not a %{version} kernel anymore: it includes several components which come
@@ -559,7 +531,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
 core. Some of the components/backports that may be pulled in are: changes like
 updates to the core kernel (eg.: scheduler, cgroups, memory management, security
 fixes and features), updates to block layer, supported filesystems, major driver
-updates for supported hardware in Red Hat Enterprise Linux, enhancements for
+updates for supported hardware in MSVSphere, enhancements for
 enterprise customers, etc.
 
 #
@@ -807,14 +779,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif
 
 %package -n %{name}-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere kernel ABI symbol stablelists
 Group: System Environment/Kernel
 AutoReqProv: no
 Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
 Provides: %{name}-abi-whitelists
 %description -n %{name}-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
-Linux kernel ABI, including lists of kernel symbols that are needed by
+The kABI package contains information pertaining to the MSVSphere
+kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 
 %if %{with_kabidw_base}
@@ -823,8 +795,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
-Linux kernel, suitable for the kabi-dw tool.
+The package contains data describing the current ABI of the MSVSphere
+kernel, suitable for the kabi-dw tool.
 %endif
 
 #
@@ -898,7 +870,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}
 
 #
@@ -1750,7 +1722,7 @@ BuildKernel() {
 # build a BLS config for this kernel
 %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}"
 
-# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+# MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %ifarch s390x ppc64le
@@ -2696,6 +2668,9 @@ fi
 #
 #
 %changelog
+* Fri Nov 17 2023 Arkady L. Shane [4.18.0-513.9.1.el8_9]
+- Modified to use MSVSphere Secure Boot certificates
+
 * Thu Nov 16 2023 Patrick Talbert [4.18.0-513.9.1.el8_9]
 - ice: reset first in crash dump kernels (Petr Oros) [2244625 2139761]
 - nvmet-tcp: Fix a possible UAF in queue intialization setup (John Meneghini) [RHEL-11507 RHEL-11509] {CVE-2023-5178}