From: jmflinuxtx on gitlab.com
These are the changes that we have been running in the kernel for a couple of weeks now to dual sign for secure boot. It is required as people pivot to newer keys while updating to fix the "boothole" CVEs.
From: "Justin M. Forbes" jforbes@fedoraproject.org
As part of the transition for the boothole vulnerability, we are signing the kernel with both new keys and the old keys. These are the spec changes to make that happen. We have actually been building with this for some time, but didn't want to push the changes until it was public.
Signed-off-by: Justin M. Forbes jforbes@fedoraproject.org
---
 redhat/kernel.spec.template | 62 ++++++++++++++++++++++++-------------
 1 file changed, 40 insertions(+), 22 deletions(-)
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index 82efe84524b9..d47c9cce8a0e 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -584,34 +584,44 @@ Source10: x509.genkey.rhel Source11: x509.genkey.fedora %if %{?released_kernel}
-Source12: securebootca.cer -Source13: secureboot.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer - -%define secureboot_ca %{SOURCE12} +Source12: redhatsecurebootca5.cer +Source13: redhatsecurebootca1.cer +Source14: redhatsecureboot501.cer +Source15: redhatsecureboot301.cer +Source16: secureboot_s390.cer +Source17: secureboot_ppc.cer + +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_ca_0 %{SOURCE13} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot501 +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot301 %endif %ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 +%define secureboot_key_0 %{SOURCE16} +%define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define secureboot_key_0 %{SOURCE17} +%define pesign_name_0 redhatsecureboot303 %endif
# released_kernel %else
-Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source12: redhatsecurebootca4.cer +Source13: redhatsecurebootca2.cer +Source14: redhatsecureboot401.cer +Source15: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_ca_0 %{SOURCE13} +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot401 +%define secureboot_key_0 %{SOURCE15} +%define pesign_name_0 redhatsecureboot003
# released_kernel %endif @@ -1442,11 +1452,13 @@ BuildKernel() { fi
%ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -1849,11 +1861,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2583,7 +2601,7 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\ %ifarch s390x ppc64le\ %if 0%{!?4:1}\ %{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
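Review bot: in the @@ -584 hunk the new _0/_1 suffix convention is undocumented; add a one-line comment above the defines stating that _0 is the previously used CA/key pair (redhatsecureboot301 was the old pesign_name) and _1 is the newly introduced pair, because later in the spec the installed files are named by date and a reader cannot recover which suffix is which generation from the defines alone. Note also that on s390x and ppc64le only secureboot_key_0/pesign_name_0 exist, so any future use of the _1 macros outside the x86_64/aarch64 guards would expand to an undefined macro.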
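Review bot: in the @@ -1442 hunk the two-pass %pesign (sign with the _0 key into vmlinuz.tmp, then re-sign vmlinuz.tmp with the _1 key) relies on pesign adding a second signature to an already-signed image rather than replacing the first; a short comment stating that, and the reason for the old-key-first order, would save the next reader from having to verify it. The rpm-sign path for s390x/ppc64le still uses only pesign_name_0, so those arches stay single-signed; the commit message should say that dual signing applies to x86_64/aarch64 only.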
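Review bot: in the @@ -1849 hunk the date suffixes look inverted relative to the convention in the first hunk: secureboot_ca_0 (paired with the previously used key) is installed as kernel-signing-ca-20200609.cer, secureboot_ca_1 (the new pair) as kernel-signing-ca-20140212.cer, and the kernel-signing-ca.cer symlink points at the 20200609 file. Please confirm which CA each date is meant to identify, since these are the files users are pointed at to verify the kernel signature. The comment "Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel" now covers two certificates plus a symlink on x86_64/aarch64 and should be updated to say so.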
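Review bot: in the @@ -2583 hunk replacing the explicit kernel-signing-ca.cer entry with the kernel-signing-ca*.cer glob in %files means a cert that the install step failed to place, or placed under a misspelled name, no longer fails the build with an unpackaged-file error. Listing the three names explicitly under an x86_64/aarch64 guard (and the single kernel-signing-ca.cer elsewhere) keeps that check while still packaging both certificates and the symlink.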
From: "Justin M. Forbes" jforbes@fedoraproject.org
Signed-off-by: Justin M. Forbes jforbes@fedoraproject.org
---
 redhat/keys/redhatsecureboot301.cer | Bin 0 -> 899 bytes
 redhat/keys/redhatsecureboot401.cer | Bin 0 -> 978 bytes
 redhat/keys/redhatsecureboot501.cer | Bin 0 -> 964 bytes
 redhat/keys/redhatsecurebootca1.cer | Bin 0 -> 977 bytes
 redhat/keys/redhatsecurebootca4.cer | Bin 0 -> 934 bytes
 redhat/keys/redhatsecurebootca5.cer | Bin 0 -> 920 bytes
 6 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 redhat/keys/redhatsecureboot301.cer
 create mode 100644 redhat/keys/redhatsecureboot401.cer
 create mode 100644 redhat/keys/redhatsecureboot501.cer
 create mode 100644 redhat/keys/redhatsecurebootca1.cer
 create mode 100644 redhat/keys/redhatsecurebootca4.cer
 create mode 100644 redhat/keys/redhatsecurebootca5.cer
diff --git a/redhat/keys/redhatsecureboot301.cer b/redhat/keys/redhatsecureboot301.cer new file mode 100644 index 0000000000000000000000000000000000000000..20e660479db920c9af073ef60dfd52cfcd55ef35 GIT binary patch literal 899
diff --git a/redhat/keys/redhatsecureboot401.cer b/redhat/keys/redhatsecureboot401.cer new file mode 100644 index 0000000000000000000000000000000000000000..247666cfed1509cec37abc4e3beb0d49a61d5932 GIT binary patch literal 978
diff --git a/redhat/keys/redhatsecureboot501.cer b/redhat/keys/redhatsecureboot501.cer new file mode 100644 index 0000000000000000000000000000000000000000..dfa7afb4699f9da2610ccf889eac6269b4e368ad GIT binary patch literal 964
diff --git a/redhat/keys/redhatsecurebootca1.cer b/redhat/keys/redhatsecurebootca1.cer new file mode 100644 index 0000000000000000000000000000000000000000..b2354007b9668258683b99a68fa5bdd3067c31b1 GIT binary patch literal 977
diff --git a/redhat/keys/redhatsecurebootca4.cer b/redhat/keys/redhatsecurebootca4.cer new file mode 100644 index 0000000000000000000000000000000000000000..8cb32e68cb5e279e06ed153d983a12a48ee83e69 GIT binary patch literal 934
diff --git a/redhat/keys/redhatsecurebootca5.cer b/redhat/keys/redhatsecurebootca5.cer new file mode 100644 index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f GIT binary patch literal 920
On Thu, Jul 30, 2020 at 04:18:39PM -0000, GitLab Bridge on behalf of jmflinuxtx wrote:
> From: jmflinuxtx on gitlab.com
>
> These are the changes that we have been running in the kernel for a couple of weeks now to dual sign for secure boot. It is required as people pivot to newer keys while updating to fix the "boothole" CVEs.
Acked-by: Don Zickus dzickus@redhat.com
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
On Thu, Jul 30, 2020 at 04:18:39PM -0000, GitLab Bridge on behalf of jmflinuxtx wrote:
> From: jmflinuxtx on gitlab.com
>
> These are the changes that we have been running in the kernel for a couple of weeks now to dual sign for secure boot. It is required as people pivot to newer keys while updating to fix the "boothole" CVEs.
BTW, Fedora probably later wants to make the kernel-keys VR directory owned by kernel-core as in RHEL, which would avoid having to do this change:
%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\
This was done in RHEL:
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ -%ifarch s390x ppc64le\ -%if 0%{!?4:1}\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ -%endif\ -%endif\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\
to prevent a bug with "empty /usr/share/doc/kernel-keys/VR directory is left after executing an 'rpm -e kernel-core-VR'." (quote from Prarit's commit)
Prarit, we are missing "[redhat] kernel.spec: Remove kernel-keys directory on rpm erase" on Fedora it seems, would you be able to check/submit it?
This can be fixed later, so for the patchset posted here:
Acked-by: Herton R. Krzesinski herton@redhat.com
On 7/30/20 12:18 PM, GitLab Bridge on behalf of jmflinuxtx wrote:
> From: jmflinuxtx on gitlab.com
>
> These are the changes that we have been running in the kernel for a couple of weeks now to dual sign for secure boot. It is required as people pivot to newer keys while updating to fix the "boothole" CVEs.
Acked-by: Prarit Bhargava prarit@redhat.com
P.