[OS-BUILD PATCH] redhat: add secureboot CA certificate to trusted kernel keyring

From: Bruno Meneguele <bmeneg@xxxxxxxxxx>

redhat: add secureboot CA certificate to trusted kernel keyring

This patch is a forward-port from what we already have in RHEL-8 kernels and
should also be done in RHEL-9 to avoid unexpected failures for customers.

Add the secure boot key certificate to the trusted kernel keyring
(.builtin_trusted_keys) to allow the placement of the kernel signing key
(shipped with the distro) in other kernel trusted keyrings, i.e. .ima
trusted keyring.

The need for adding the secure boot CA cert in the trusted kernel keyring
exists only for arches without UEFI support which don't support adding certs
to .platform_keyring and, consequently, can't add our own kernel image
signing key to trusted keyrings.

The biggest usage of that is for loading signed kernel images during the
kexec/kdump process in arches that depend on the IMA infrastructure to
check the signatures, which has the ability to verify appended signatures
instead of the UEFI PE format. Said arches are PowerPC and S390X.

Cc: Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx>
Cc: Herton R. Krzesinski <herton@xxxxxxxxxx>
Cc: Patrick Talbert <ptalbert@xxxxxxxxxx>
Signed-off-by: Bruno Meneguele <bmeneg@xxxxxxxxxx>

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -1422,6 +1422,10 @@ done
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
+%ifarch s390x ppc64le
+openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
+cat secureboot.pem >> ../certs/rhel.pem
+%endif
 for i in *.config; do
   sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
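Review bot: `%{secureboot_ca_0}` is consumed by the new `openssl x509` line but nothing in this hunk defines it; please confirm the macro is defined for s390x and ppc64le in every build configuration that reaches this %prep block (including builds that do no kernel signing), since an undefined macro leaves the literal `%{secureboot_ca_0}` in the command and the step fails on a missing input file. A one-line comment above the `%ifarch s390x ppc64le` recording why the CA is appended only on these arches (no UEFI, so no .platform_keyring, and IMA-verified kexec/kdump needs the signing key in a trusted keyring) would help, because the spec otherwise gives no hint and the rationale lives only in this commit message. Worth stating explicitly in that comment, too, that everything in certs/rhel.pem becomes a built-in trust anchor, so the secure boot CA is then also accepted for module signature verification on these arches, not only for IMA.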

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1235
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx