diff --git a/SOURCES/msvspheredup1.x509 b/SOURCES/msvspheredup1.x509
new file mode 100644
index 0000000..3919acb
Binary files /dev/null and b/SOURCES/msvspheredup1.x509 differ
diff --git a/SOURCES/msvspherepatch1.x509 b/SOURCES/msvspherepatch1.x509
new file mode 100644
index 0000000..375fe9b
Binary files /dev/null and b/SOURCES/msvspherepatch1.x509 differ
diff --git a/SOURCES/x509.genkey.centos b/SOURCES/x509.genkey.centos
index c91af3b..b1d1678 100644
--- a/SOURCES/x509.genkey.centos
+++ b/SOURCES/x509.genkey.centos
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = The CentOS Project
-CN = CentOS Stream kernel signing key
-emailAddress = security@centos.org
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel
index b1bbe38..b1d1678 100644
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index a6bc574..4334772 100755
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -812,19 +812,7 @@ Source1: Makefile.rhelver
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot501
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define pesign_name_0 spheresecureboot001
 # signkernel
 %endif
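Review bot: The new unconditional `%define pesign_name_0 spheresecureboot001` in the -812 hunk replaces the per-distribution and per-architecture nicknames, while the two context lines above it still take `secureboot_ca_0` and `secureboot_key_0` from the `pki/sb-certs` directory. Nothing visible ties the nickname to those certificate files, so on a build host whose sb-certs files or pesign database do not carry the matching certificate, the signature could fail to chain to the CA that the spec later installs as `kernel-signing-ca.cer`. I would add a comment above the define such as `# spheresecureboot001: pesign nickname; must match the cert installed from secureboot_key_0` and name the package expected to provide it. The enclosing conditional starts outside the hunk, so whether the s390x and ppc64le signing paths, which previously had their own names, use this macro should be confirmed.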
@@ -903,8 +891,8 @@ Source84: mod-internal.list
 Source85: mod-partner.list
 Source86: mod-kvm.list
-Source100: rheldup3.x509
-Source101: rhelkpatch1.x509
+Source100: msvspheredup1.x509
+Source101: msvspherepatch1.x509
 Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
@@ -1247,11 +1235,11 @@ Summary: gcov graph and source files for coverage data collection.\
 %{nil}
 %package -n kernel-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere kernel ABI symbol stablelists
 AutoReqProv: no
 %description -n kernel-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
-Linux kernel ABI, including lists of kernel symbols that are needed by
+The kABI package contains information pertaining to the MSVSphere
+kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 %if %{with_kabidw_base}
@@ -1260,8 +1248,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
-Linux kernel, suitable for the kabi-dw tool.
+The package contains data describing the current ABI of the MSVSphere
+kernel, suitable for the kabi-dw tool.
 %endif
 #
@@ -1360,7 +1348,7 @@ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}
 %if %{with_realtime}
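Review bot: `Source100` and `Source101` in the -903 hunk now point at the new MSVSphere certificates, but the context lines directly below still list `rhelimaca1.x509`, `rhelima.x509` and `rhelima_centos.x509` as `Source102` to `Source104`. If those files are still built into the kernel's trusted keys or installed through the `ima_signing_cert` macro (its definition is outside this hunk), the rebuilt kernel keeps trusting the upstream IMA keys. In that case the comment renamed to `# MSVSphere IMA code-signing cert` in the -2589 hunk would describe a certificate that is not MSVSphere's. Either replace those sources as well or add a comment such as `# Source102-104: upstream IMA certs, kept intentionally` so the trust decision is explicit. The two added .x509 files are binary, so recording their fingerprints and validity dates in the commit description would let a reviewer check what is being trusted.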
@@ -1533,7 +1521,7 @@ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:%{1}
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-partner\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat partners usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere partners usage.\
 %{nil}
 # Now, each variant package.
@@ -1792,7 +1780,7 @@ done
 # Adjust FIPS module name for RHEL
 %if 0%{?rhel}
 for i in *.config; do
- sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+ sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="MSVSphere %{rhel} - Kernel Cryptographic API"/' $i
 done
 %endif
@@ -1811,18 +1799,6 @@ RHJOBS=$RPM_BUILD_NCPUS PACKAGE_NAME=kernel ./process_configs.sh $OPTS ${specver
 cp %{SOURCE82} .
 RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target}
-# We may want to override files from the primary target in case of building
-# against a flavour of it (eg. centos not rhel), thus override it here if
-# necessary
-if [ "%{primary_target}" == "rhel" ]; then
-%if 0%{?centos}
- echo "Updating scripts/sources to centos version"
- RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos
-%else
- echo "Not updating scripts/sources to centos version"
-%endif
-fi
-
 # end of kernel config
 %endif
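Review bot: In the -1792 hunk the comment `# Adjust FIPS module name for RHEL` and the `rhel` macro guard are left unchanged, so the comment no longer describes the string being written and the rename applies only when that macro is defined. I would change the comment to `# Adjust FIPS module name for MSVSphere (applied only when the rhel macro is defined)`. The sed call also passes `$i` unquoted; that is harmless for ordinary `*.config` names but is more robust written as `"$i"`. The surrounding section starts and ends outside the hunk.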
@@ -2458,9 +2434,9 @@ BuildKernel() {
 %else
 SBATsuffix="rhel"
 %endif
- echo "linux,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
- echo "linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
- echo "kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
+ echo "linux,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
+ echo "linux.$SBATsuffix,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
+ echo "kernel-uki-virt.$SBATsuffix,1,MSVSphere,kernel-uki-virt,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
 # Remove the original .sbat section
 objcopy --remove-section .sbat $KernelUnifiedImage
 # Get the end of the last section
@@ -2577,7 +2553,7 @@ BuildKernel() {
 # prune junk from kernel-devel
 find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
- # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+ # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@@ -2589,7 +2565,7 @@ BuildKernel() {
 %endif
 %if 0%{?rhel}
- # Red Hat IMA code-signing cert, which is used to authenticate package files
+ # MSVSphere IMA code-signing cert, which is used to authenticate package files
 install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
 %endif
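Review bot: The three new SBAT lines in the -2458 hunk set the vendor field to `MSVSphere` but still build the component names from `$SBATsuffix`, which the context line above sets to `rhel` (the other branch of that conditional is outside the hunk). The resulting entries, for example `linux.rhel,1,MSVSphere,...`, keep the upstream component name under a different vendor. SBAT revocation works on component name and generation, so this image stays tied to `linux.rhel` and `kernel-uki-virt.rhel` rather than to a name the new vendor controls. If that is intended, state it in a comment such as `# component names keep the upstream suffix on purpose; revocations follow upstream`; otherwise give `SBATsuffix` a vendor-specific value where it is assigned. `BuildKernel` starts and ends outside the hunk.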
@@ -3756,6 +3732,9 @@ fi
 #
 #
 %changelog
+* Mon Oct 9 2023 Arkady L. Shane - [5.14.0-362.2.1.el9_3]
+- Modified to use MSVSphere Secure Boot certificates
+
 * Fri Sep 08 2023 Jan Stancek [5.14.0-362.2.1.el9_3]
 - PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation (Vitaly Kuznetsov) [2211797]
 - rhel: Re-add can-dev features that were removed accidentally (Radu Rendec) [2213891]