From 3b69f50844b7a9b0a44e45312acf289abe6f2491 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Mon, 9 Oct 2023 18:00:58 +0300
Subject: [PATCH] Modified to use MSVSphere Secure Boot certificates

---
 SOURCES/msvspheredup1.x509   | Bin 0 -> 1149 bytes
 SOURCES/msvspherepatch1.x509 | Bin 0 -> 1142 bytes
 SOURCES/x509.genkey.centos   |   6 ++--
 SOURCES/x509.genkey.rhel     |   6 ++--
 SPECS/kernel.spec            |  59 +++++++++++------------------------
 5 files changed, 25 insertions(+), 46 deletions(-)
 create mode 100644 SOURCES/msvspheredup1.x509
 create mode 100644 SOURCES/msvspherepatch1.x509

diff --git a/SOURCES/msvspheredup1.x509 b/SOURCES/msvspheredup1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..3919acb041abb7f64ffcf5f430c1ececc41f1278
GIT binary patch
literal 1149
zcmXqLVyQG}VoqGZ%*4pVB*<{hQvCVTEccKdVV_>RXa6{Cz{|#|)#lOmotKf3o0Y+!
zal4_Gfd(6MC=0i+qHl0ma6v|DQL2J-YEemMT4r)$NoIbYf@5h(Mt)IdNu{BRff8Il
zC!?5XacXiYNWvkvxU3kgRj;VjkRNCZ&_s4&HsAc><ot4&00&%v+kg|Kf=!qyDAZ8U
zfFH!+66Wx84t7!S@o_d(G>``gF$+r|+!PG5D^<ZMKfgr5+0j5joY%<Mz}U#h(9Fch
z)FeuR-^joeS-_z2(4h32j)4}$Z^{V2xfErVr4}ia7NjJWq$(6=rsrkmr7L8o0^^cV
z2|3OfSs9p{82K51;#^EkjEoGsIM2#9%wdR}#(qvdbJ6u~O}z}^{C20f|4tE-8%sCs
zS|8hDUJ}4}H%iv^)5iz1w|<^;b%kcs*`C%e;VTI{gVvt>$K(HRJ%{R><;S!h|4-Yo
zp))h;-^LXgUH2;GGM=vxVLag)&BqWj!^pua_PIppxxIVJZKqhQx&0!p@Y22~773O=
z9?p6v)pB3N_}sbMN5W5>zi3yq^7YobfbfNZY**RmJPMbRN$c6gx+>t#Bgv~Qe^=~n
zeqF#O+4y0#mi?QvpZU+dD{XI|EY0Wg@aL|l!4uze=G{o{%Vfwimz~f&(_Z<w@%44W
zr%(JUyAi9lb$(QwgwjT<qb)h<3Xh9suroO~hcYoUGB7SKG{^_17+GZ&2?MbP5zol<
zt-?7c?$@R4RC>J9G$4Cw%T<U1RgeNU4sA9@R#tXqW;QM$i-mC#hX5m!0S_=<WQ7?S
z|FbX|Fc`>!czi5kEFubm7S`+JUZmdB%sWy&q2AX*{q;TMNC9RfV5BfIG-<lpf2n-5
z^@`VGB{{Lu3=0>xL|&hgGqr+WAKgB@cvn1g`P6ylJBl)1y<7Q-bLBPm>#piKzZULL
zDF3bWF;cDImyf<o-k&#Kq7x5IxYoHNVBWE?$MRl}6rN7t6l+-2xpKmaPv$T3G;hpG
zG`ys(rL3PRRWrXn?ZISC`S{rt+;2*vBaHL+B+Z-AK6{<T*0=tjw|S_D-I6HcT(FVx
z-SxaDTMob8!4_|kS#e^wL+<gemra?!Zfk_-_8e&T@xR``^zVXc+g~2vSn-^*=y{U4
zOS*mV4j*yx6D#E3ERENa@U>kf^|kh}c(l_ljf@{=YqK=6SFBvMuW6d#3cil53PA^z
HSBU}u309yy

literal 0
HcmV?d00001

diff --git a/SOURCES/msvspherepatch1.x509 b/SOURCES/msvspherepatch1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..375fe9be16057692828acaa2a9419f7dc8a5580e
GIT binary patch
literal 1142
zcmXqLVkt6cVvbtC%*4pVB*^gD@lvhcPAAr_y|XO0thjsLfR~L^tIebBJ1-+6H!Fid
z<90(W0}VFjP!?`sMc?4C;DU_QqErRv)S{Biw9MqhlFa-(1;^5ojQpa^l1f7r10}eA
zPDU}&;?(3)kc2~Saal1~t6ov5AwSR-po#3lY`*!$$@%3l0S>qTw*e<e1)DHaP^h7x
z0Y8YtCCuUH9PFat<Kt|oXdn*~ViuM_xG5N9SE_<jetwC9v!j86IIoehfw7U1p_z%1
zsY#Rszmb6{vVcM3?m_7{RRd*+-((Pe%PvSPNzPCx&P>nC%u83uPOUU(VpKwoEJjua
z<|amd2B0_>QxhX2!^7V4e>KThS1>DFKKEgoR*UqU$Nh}o7nB|T@lM=D;0$lX{nTO|
zgNjh$hM)7-ceH!IpK+G$f0Fr6-E%T=wJ$fU@#E(xaQ(k{$&DXZQr}8VUcJX~*}YeD
z8oxb@J|1(?z4wv7?Mv|!b|=yTeOKHU`5_;A-%#hvg5SNC)|KCF{m#Tc4U5bw=h^@I
zPfP8q=s=S{d;F^Q)h=FN`Cz`L=bf*DCv4|gcB<}94zE$(@ZiUrYM;}4PEPv$p}${v
z!>;($jEb*$cOHh@1{|2O(J@*1Kl{mpT8}fPoOD_e<S&2s!K|A{CKm6~(^N@+F=vup
zliQ8Yq8uMv*~L%%oV{yK`&<5t9d`;@nV1<F7#9~B<b#untTKy)fmnlxXJq<T;hYoq
z>r!?qJzi-VkUh2KDnx-QNC6v%HX9==D?2kY8yAqp!Z?XTfRV|72N)r;!i<dnS(pqM
z3}it(J{B<+kq5U{G)DjbbY^kzPq#<LkDjm5dhiQ5Qh+%K7%7YlbyF|s`#;NmHhb-+
zB}IOFKc37`K6}j2bhU}-p|`#7`I|m>35kg{t-Kkvb%w&Wua{JUBM$F;Q|WMOi&yoW
zlAUteE7M{&hr4~6F?*V_$0C33wrPtDc(?ceZk}qTIZdVEvT_CM%6IwepT!g;`isWu
zlq#)Inw5XPEr^l1_*_q0`UIP=76B}g1s_yRZ<(C2YkBTJ*@w~C#5U*os~d93&azn>
z_cKZ>tWdw7G;e*)-k_=f*79U5mD=zpa>LI978~L>+0?!<vRYIed}3nVY3tMVt@m!k
zew@_sEU`BCaQ}<t=R}MzDIKi)w)$Xc&*6f*tN$K(d3&DJ?iof?w8O4HG@RKIcgz<6
Dx(%-@

literal 0
HcmV?d00001

diff --git a/SOURCES/x509.genkey.centos b/SOURCES/x509.genkey.centos
index c91af3b..b1d1678 100644
--- a/SOURCES/x509.genkey.centos
+++ b/SOURCES/x509.genkey.centos
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = The CentOS Project
-CN = CentOS Stream kernel signing key
-emailAddress = security@centos.org
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel
index b1bbe38..b1d1678 100644
--- a/SOURCES/x509.genkey.rhel
+++ b/SOURCES/x509.genkey.rhel
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 
 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru
 
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index a6bc574..4334772 100755
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -812,19 +812,7 @@ Source1: Makefile.rhelver
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
 
-%if 0%{?centos}
-%define pesign_name_0 centossecureboot201
-%else
-%ifarch x86_64 aarch64
-%define pesign_name_0 redhatsecureboot501
-%endif
-%ifarch s390x
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define pesign_name_0 spheresecureboot001
 
 # signkernel
 %endif
@@ -903,8 +891,8 @@ Source84: mod-internal.list
 Source85: mod-partner.list
 Source86: mod-kvm.list
 
-Source100: rheldup3.x509
-Source101: rhelkpatch1.x509
+Source100: msvspheredup1.x509
+Source101: msvspherepatch1.x509
 Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
@@ -1247,11 +1235,11 @@ Summary: gcov graph and source files for coverage data collection.\
 %{nil}
 
 %package -n kernel-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere kernel ABI symbol stablelists
 AutoReqProv: no
 %description -n kernel-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
-Linux kernel ABI, including lists of kernel symbols that are needed by
+The kABI package contains information pertaining to the MSVSphere
+kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.
 
 %if %{with_kabidw_base}
@@ -1260,8 +1248,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
-Linux kernel, suitable for the kabi-dw tool.
+The package contains data describing the current ABI of the MSVSphere
+kernel, suitable for the kabi-dw tool.
 %endif
 
 #
@@ -1360,7 +1348,7 @@ Requires: kernel%{?1:-%{1}}-modules-core-uname-r = %{KVERREL}%{uname_suffix %{?1
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}
 
 %if %{with_realtime}
@@ -1533,7 +1521,7 @@ Requires: kernel%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{uname_suffix %{?1:%{1}
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-partner\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat partners usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere partners usage.\
 %{nil}
 
 # Now, each variant package.
@@ -1792,7 +1780,7 @@ done
 # Adjust FIPS module name for RHEL
 %if 0%{?rhel}
 for i in *.config; do
-  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i
+  sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="MSVSphere %{rhel} - Kernel Cryptographic API"/' $i
 done
 %endif
 
@@ -1811,18 +1799,6 @@ RHJOBS=$RPM_BUILD_NCPUS PACKAGE_NAME=kernel ./process_configs.sh $OPTS ${specver
 cp %{SOURCE82} .
 RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target}
 
-# We may want to override files from the primary target in case of building
-# against a flavour of it (eg. centos not rhel), thus override it here if
-# necessary
-if [ "%{primary_target}" == "rhel" ]; then
-%if 0%{?centos}
-  echo "Updating scripts/sources to centos version"
-  RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos
-%else
-  echo "Not updating scripts/sources to centos version"
-%endif
-fi
-
 # end of kernel config
 %endif
 
@@ -2458,9 +2434,9 @@ BuildKernel() {
 %else
         SBATsuffix="rhel"
 %endif
-        echo "linux,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
-        echo "linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
-        echo "kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,https://bugzilla.redhat.com/" >> $KernelUnifiedImage.sbat
+        echo "linux,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
+        echo "linux.$SBATsuffix,1,MSVSphere,linux,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
+        echo "kernel-uki-virt.$SBATsuffix,1,MSVSphere,kernel-uki-virt,$KernelVer,https://bugs.msvsphere-os.ru/" >> $KernelUnifiedImage.sbat
         # Remove the original .sbat section
         objcopy --remove-section .sbat $KernelUnifiedImage
         # Get the end of the last section
@@ -2577,7 +2553,7 @@ BuildKernel() {
     # prune junk from kernel-devel
     find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
 
-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
     install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@@ -2589,7 +2565,7 @@ BuildKernel() {
 %endif
 
 %if 0%{?rhel}
-    # Red Hat IMA code-signing cert, which is used to authenticate package files
+    # MSVSphere IMA code-signing cert, which is used to authenticate package files
     install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
 %endif
 
@@ -3756,6 +3732,9 @@ fi
 #
 #
 %changelog
+* Mon Oct  9 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - [5.14.0-362.2.1.el9_3]
+- Modified to use MSVSphere Secure Boot certificates
+
 * Fri Sep 08 2023 Jan Stancek <jstancek@redhat.com> [5.14.0-362.2.1.el9_3]
 - PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation (Vitaly Kuznetsov) [2211797]
 - rhel: Re-add can-dev features that were removed accidentally (Radu Rendec) [2213891]