rpms
/
kernel
21
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modified to use MSVSphere Secure Boot certificates

Browse Source
i8
Arkady L. Shane 1 year ago
parent aa15b16032
commit 95e7e57992
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503
2 changed files with 21 additions and 46 deletions
Show Stats Download Patch File Download Diff File

6
SOURCES/x509.genkey
Unescape View File

@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts x509_extensions = myexts
[ req_distinguished_name ] [ req_distinguished_name ]
O = Red Hat O = NCSD LLC
CN = Red Hat Enterprise Linux kernel signing key CN = MSVSphere kernel signing key
emailAddress = secalert@redhat.com emailAddress = security@msvsphere.ru
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE

61
SPECS/kernel.spec
Unescape View File

@ -447,37 +447,9 @@ Source9: x509.genkey
%define signing_key_filename kernel-signing-s390.cer %define signing_key_filename kernel-signing-s390.cer
%endif %endif
Source10: redhatsecurebootca3.cer %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
Source11: centossecurebootca2.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
Source12: centossecureboot201.cer %define pesign_name_0 spheresecureboot001
Source13: redhatsecureboot501.cer
Source14: redhatsecureboot302.cer
Source15: redhatsecureboot303.cer
Source16: redhatsecurebootca7.cer
%if 0%{?centos}
%define secureboot_ca_0 %{SOURCE11}
%define secureboot_key_0 %{SOURCE12}
%define pesign_name_0 centossecureboot201
%else
%ifarch x86_64 aarch64
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 redhatsecureboot501
%endif
%ifarch s390x
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define secureboot_ca_0 %{SOURCE16}
%define secureboot_key_0 %{SOURCE15}
%define pesign_name_0 redhatsecureboot701
%endif
%endif
Source17: mod-blacklist.sh Source17: mod-blacklist.sh
Source18: mod-sign.sh Source18: mod-sign.sh
@ -506,8 +478,8 @@ Source43: generate_bls_conf.sh
Source44: mod-internal.list Source44: mod-internal.list
Source100: rheldup3.x509 Source100: msvspheredup1.x509
Source101: rhelkpatch1.x509 Source101: msvspherepatch1.x509
%if %{with_kabichk} %if %{with_kabichk}
Source200: check-kabi Source200: check-kabi
@ -550,8 +522,8 @@ Patch999999: linux-kernel-test.patch
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
%description %description
This is the package which provides the Linux %{name} for Red Hat Enterprise This is the package which provides the Linux %{name} for MSVSphere.
Linux. It is based on upstream Linux at version %{version} and maintains kABI It is based on upstream Linux at version %{version} and maintains kABI
compatibility of a set of approved symbols, however it is heavily modified with compatibility of a set of approved symbols, however it is heavily modified with
backports and fixes pulled from newer upstream Linux %{name} releases. This means backports and fixes pulled from newer upstream Linux %{name} releases. This means
this is not a %{version} kernel anymore: it includes several components which come this is not a %{version} kernel anymore: it includes several components which come
@ -559,7 +531,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
core. Some of the components/backports that may be pulled in are: changes like core. Some of the components/backports that may be pulled in are: changes like
updates to the core kernel (eg.: scheduler, cgroups, memory management, security updates to the core kernel (eg.: scheduler, cgroups, memory management, security
fixes and features), updates to block layer, supported filesystems, major driver fixes and features), updates to block layer, supported filesystems, major driver
updates for supported hardware in Red Hat Enterprise Linux, enhancements for updates for supported hardware in MSVSphere, enhancements for
enterprise customers, etc. enterprise customers, etc.
# #
@ -807,14 +779,14 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
%endif %endif
%package -n %{name}-abi-stablelists %package -n %{name}-abi-stablelists
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists Summary: The MSVSphere kernel ABI symbol stablelists
Group: System Environment/Kernel Group: System Environment/Kernel
AutoReqProv: no AutoReqProv: no
Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release} Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
Provides: %{name}-abi-whitelists Provides: %{name}-abi-whitelists
%description -n %{name}-abi-stablelists %description -n %{name}-abi-stablelists
The kABI package contains information pertaining to the Red Hat Enterprise The kABI package contains information pertaining to the MSVSphere
Linux kernel ABI, including lists of kernel symbols that are needed by kernel ABI, including lists of kernel symbols that are needed by
external Linux kernel modules, and a yum plugin to aid enforcement. external Linux kernel modules, and a yum plugin to aid enforcement.
%if %{with_kabidw_base} %if %{with_kabidw_base}
@ -823,8 +795,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
Group: System Environment/Kernel Group: System Environment/Kernel
AutoReqProv: no AutoReqProv: no
%description kernel-kabidw-base-internal %description kernel-kabidw-base-internal
The package contains data describing the current ABI of the Red Hat Enterprise The package contains data describing the current ABI of the MSVSphere
Linux kernel, suitable for the kabi-dw tool. kernel, suitable for the kabi-dw tool.
%endif %endif
# #
@ -898,7 +870,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
AutoReq: no\ AutoReq: no\
AutoProv: yes\ AutoProv: yes\
%description %{?1:%{1}-}modules-internal\ %description %{?1:%{1}-}modules-internal\
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ This package provides kernel modules for the %{?2:%{2} }kernel package for MSVSphere internal usage.\
%{nil} %{nil}
# #
@ -1750,7 +1722,7 @@ BuildKernel() {
# build a BLS config for this kernel # build a BLS config for this kernel
%{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}"
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # MSVSphere UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch s390x ppc64le %ifarch s390x ppc64le
@ -2696,6 +2668,9 @@ fi
# #
# #
%changelog %changelog
* Fri Nov 17 2023 Arkady L. Shane <tigro@msvsphere-os.ru> [4.18.0-513.9.1.el8_9]
- Modified to use MSVSphere Secure Boot certificates
* Thu Nov 16 2023 Patrick Talbert <ptalbert@redhat.com> [4.18.0-513.9.1.el8_9] * Thu Nov 16 2023 Patrick Talbert <ptalbert@redhat.com> [4.18.0-513.9.1.el8_9]
- ice: reset first in crash dump kernels (Petr Oros) [2244625 2139761] - ice: reset first in crash dump kernels (Petr Oros) [2244625 2139761]
- nvmet-tcp: Fix a possible UAF in queue intialization setup (John Meneghini) [RHEL-11507 RHEL-11509] {CVE-2023-5178} - nvmet-tcp: Fix a possible UAF in queue intialization setup (John Meneghini) [RHEL-11507 RHEL-11509] {CVE-2023-5178}

Write Preview
Loading…
Cancel
Save