Modified to use MSVSphere Secure Boot certificates

7 months ago · 8ca6594625
parent 5a18e87a7e
commit 8ca6594625
3 changed files with 24 additions and 46 deletions
--- a/.kernel.metadata
+++ b/.kernel.metadata
@ -10,3 +10,5 @@ cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
 905d91a282727c7f5ad433a49ac42a0772311c6a SOURCES/redhatsecurebootca7.cer
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
+6fd8d9d4fd8cd8a9c40cc9d3d24a2d2501369869 SOURCES/msvspheredup1.x509
+ec8fefbe48fe852ade37c1c0683b1796605ba19f SOURCES/msvspherepatch1.x509
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts

 [ req_distinguished_name ]
-O = Red Hat
-CN = Red Hat Enterprise Linux kernel signing key
-emailAddress = secalert@redhat.com
+O = NCSD LLC
+CN = MSVSphere kernel signing key
+emailAddress = security@msvsphere.ru

 [ myexts ]
 basicConstraints=critical,CA:FALSE
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@ -414,6 +414,7 @@ BuildRequires: kabi-dw
 %if %{signkernel}%{signmodules}
 BuildRequires: openssl openssl-devel
 %if %{signkernel}
+BuildRequires: system-sb-certs
 %ifarch x86_64 aarch64
 BuildRequires: nss-tools
 BuildRequires: pesign >= 0.10-4
@ -446,37 +447,9 @@ Source9: x509.genkey
 %define signing_key_filename kernel-signing-s390.cer
 %endif

-Source10: redhatsecurebootca3.cer
-Source11: centossecurebootca2.cer
-Source12: centossecureboot201.cer
-Source13: redhatsecureboot501.cer
-Source14: redhatsecureboot302.cer
-Source15: redhatsecureboot303.cer
-Source16: redhatsecurebootca7.cer
-%if 0%{?centos}
-%define secureboot_ca_0  %{SOURCE11}
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 centossecureboot201
-%else
-
-%ifarch x86_64 aarch64
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot501
-%endif
-
-%ifarch s390x
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE14}
-%define pesign_name_0 redhatsecureboot302
-%endif
-
-%ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE16}
-%define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot701
-%endif
-%endif
+%define secureboot_ca_0  %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
+%define pesign_name_0 spheresecureboot001

 Source17: mod-blacklist.sh
 Source18: mod-sign.sh
@ -505,8 +478,8 @@ Source43: generate_bls_conf.sh

 Source44: mod-internal.list

-Source100: rheldup3.x509
-Source101: rhelkpatch1.x509
+Source100: msvspheredup1.x509
+Source101: msvspherepatch1.x509

 %if %{with_kabichk}
 Source200: check-kabi
@ -549,8 +522,8 @@ Patch999999: linux-kernel-test.patch
 BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root

 %description
-This is the package which provides the Linux %{name} for Red Hat Enterprise
-Linux. It is based on upstream Linux at version %{version} and maintains kABI
+This is the package which provides the Linux %{name} for MSVSphere.
+It is based on upstream Linux at version %{version} and maintains kABI
 compatibility of a set of approved symbols, however it is heavily modified with
 backports and fixes pulled from newer upstream Linux %{name} releases. This means
 this is not a %{version} kernel anymore: it includes several components which come
@ -558,7 +531,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
 core. Some of the components/backports that may be pulled in are: changes like
 updates to the core kernel (eg.: scheduler, cgroups, memory management, security
 fixes and features), updates to block layer, supported filesystems, major driver
-updates for supported hardware in Red Hat Enterprise Linux, enhancements for
+updates for supported hardware in MSVSphere, enhancements for
 enterprise customers, etc.

 #
@ -806,14 +779,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
 %endif

 %package -n %{name}-abi-stablelists
-Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
+Summary: The MSVSphere Linux kernel ABI symbol stablelists
 Group: System Environment/Kernel
 AutoReqProv: no
 Obsoletes: %{name}-abi-whitelists < %{specversion}-%{pkg_release}
 Provides: %{name}-abi-whitelists
 %description -n %{name}-abi-stablelists
-The kABI package contains information pertaining to the Red Hat Enterprise
-Linux kernel ABI, including lists of kernel symbols that are needed by
+The kABI package contains information pertaining to the MSVSphere
+kernel ABI, including lists of kernel symbols that are needed by
 external Linux kernel modules, and a yum plugin to aid enforcement.

 %if %{with_kabidw_base}
@ -822,8 +795,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
 Group: System Environment/Kernel
 AutoReqProv: no
 %description kernel-kabidw-base-internal
-The package contains data describing the current ABI of the Red Hat Enterprise
-Linux kernel, suitable for the kabi-dw tool.
+The package contains data describing the current ABI of the MSVSphere
+kernel, suitable for the kabi-dw tool.
 %endif

 #
@ -897,7 +870,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 AutoReq: no\
 AutoProv: yes\
 %description %{?1:%{1}-}modules-internal\
-This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
+This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
 %{nil}

 #
@ -1749,7 +1722,7 @@ BuildKernel() {
    # build a BLS config for this kernel
    %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}"

-    # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+    # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
    mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
    %ifarch s390x ppc64le
@ -2695,6 +2668,9 @@ fi
 #
 #
 %changelog
+* Mon Apr 15 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - [4.18.0-544.el8]
+- Modified to use MSVSphere Secure Boot certificates
+
 * Fri Mar 29 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 4.18.0-544
 - Rebuilt for MSVSphere 8.10 beta