On Thu, Jul 30, 2020 at 04:18:39PM -0000, GitLab Bridge on behalf of jmflinuxtx wrote:
> From: jmflinuxtx on gitlab.com
>
> These are the changes that we have been running in the kernel for a
> couple of weeks now to dual sign for secure boot. It is required as
> people pivot to newer keys while updating to fix the "boothole" CVEs.
BTW, probably Fedora later wants do make kernel-keys directory VR to be owned by
kernel-core as in RHEL, which would avoid have to do this change:
%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\
This was done in RHEL:
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
-%ifarch s390x ppc64le\
-%if 0%{!?4:1}\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
-%endif\
-%endif\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\
to prevent a bug with "empty /usr/share/doc/kernel-keys/VR directory is left
after executing an 'rpm -e kernel-core-VR'." (quote from Prarit's commit)
Prarit, we are missing "[redhat] kernel.spec: Remove kernel-keys directory on
rpm erase" on Fedora it seems, would you be able to check/submit it?
This can be fixed later, so for patchset posted here:
Acked-by: Herton R. Krzesinski <herton@xxxxxxxxxx>
--
[]'s
Herton
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
