Added MSVSphere secureboot certificates

2 years ago · c22c82e25a
parent f0047b7f12
commit c22c82e25a
3 changed files with 51 additions and 1 deletions
--- a/SOURCES/spheresecureboot001.cer
+++ b/SOURCES/spheresecureboot001.cer
--- a/SOURCES/spheresecurebootca.cer
+++ b/SOURCES/spheresecurebootca.cer
--- a/SPECS/sphere-release.spec
+++ b/SPECS/sphere-release.spec
@ -5,7 +5,7 @@

 Name:           sphere-release
 Version:        %{major}.%{minor}
-Release:        1.0%{?dist}
+Release:        1.1%{?dist}
 Summary:        %{distro} release files
 License:        GPLv2
 URL:            https://msvsphere.ru
@ -39,11 +39,30 @@ Source302:      90-default-user.preset
 Source303:      99-default-disable.preset
 Source304:      50-redhat.conf

+# secureboot CA certificate
+Source400:      spheresecurebootca.cer
+# kernel signing certificate
+Source401:      spheresecureboot001.cer
+# grub2 signing certificate
+Source402:      spheresecureboot001.cer
+# Fwupd signing certificate
+Source403:      spheresecureboot001.cer
+

 %description
 %{distro} release files.


+%package -n sphere-sb-certs
+Summary: %{distro} public secureboot certificates
+Group: System Environment/Base
+Provides: system-sb-certs = %{version}-%{release}
+Provides: redhat-sb-certs = %{version}-%{release}
+
+%description -n sphere-sb-certs
+%{distro} secureboot certificates.
+
+
 %package -n sphere-repos
 Summary:        %{distro} package repositories
 Requires:       sphere-release = %{version}-%{release}
@ -137,6 +156,26 @@ install -m 0644 %{SOURCE304} %{buildroot}/%{_prefix}/lib/sysctl.d/
 install -d -m 0755 %{buildroot}%{_sysconfdir}/dnf/vars
 echo "%{major}-stream" > %{buildroot}%{_sysconfdir}/dnf/vars/stream

+# create secureboot certificate directories
+install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/sb-certs/
+install -d -m 0755 %{buildroot}%{_datadir}/pki/sb-certs/
+
+# install x86_64 secureboot certificates
+install -m 644 %{SOURCE400} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer
+install -m 644 %{SOURCE401} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
+install -m 644 %{SOURCE402} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
+install -m 644 %{SOURCE403} %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
+
+# link x86_64 secureboot certificates
+ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer \
+       %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-ca-x86_64.cer
+ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer \
+       %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-kernel-x86_64.cer
+ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer \
+       %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-grub2-x86_64.cer
+ln -sr %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer \
+       %{buildroot}%{_sysconfdir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
+
 # copy GPG keys
 install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg
 install -p -m 0644 %{SOURCE100} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
@ -158,6 +197,14 @@ install -p -m 0644 %{SOURCE100} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
 %{_prefix}/lib/systemd/user-preset/*
 %{_prefix}/lib/sysctl.d/50-redhat.conf

+%files -n sphere-sb-certs
+# Note to future packagers:
+# resetting the symlinks in /etc/pki/sb-certs on upgrade is the intended behavior here
+%dir %{_sysconfdir}/pki/sb-certs
+%dir %{_datadir}/pki/sb-certs/
+%{_sysconfdir}/pki/sb-certs/*.cer
+%{_datadir}/pki/sb-certs/*.cer
+
 %files -n sphere-repos
 %config(noreplace) %{_sysconfdir}/dnf/vars/stream

@ -166,5 +213,8 @@ install -p -m 0644 %{SOURCE100} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/


 %changelog
+* Mon Mar 27 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 9.1-1.1
+- Added MSVSphere secureboot certificates
+
 * Fri Feb 17 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 9.1-1.0
 - Initial release for MSVSphere 9.1 beta