[OS-BUILD PATCH 5/6] redhat: switch the kernel package to use certs from system-sb-certs

"Jan Stancek (via Email Bridge)" <cki-gitlab@xxxxxxxxxx> · Mon, 08 Jan 2024 08:42:13 -0000

From: Jan Stancek <jstancek@xxxxxxxxxx>

redhat: switch the kernel package to use certs from system-sb-certs

Forward-port of c9s commit:
    e155f90ed44e ("redhat: switch the kernel package to use certs from system-sb-certs")

Conflicts: fedora and ELN doesn't have system-sb-certs

Both redhat and centos are providing now the public certificates we use
for secure boot signing through the redhat-sb-certs or centos-sb-certs
packages. Those provides the system-sb-certs "virtual" package.

Thus don't carry anymore the copy of the same certificates inside the
kernel sources, instead switch to use the certificates provided by those
packages.

This will enable secure boot signing for centos too, as centos uses a
different set of certificates for signing and we were not using them
in the package yet.

With this change, we also drop the usage of the beta certificates and
the switch to the release certs: they aren't provided in the new scheme
of system-sb-certs and anyway eg. grub2 isn't including/using those
certs for signing. If there are still any switching of keys needed,
ideally this should be done with the package providing system-sb-certs.

While reviewing/doing this change, I also noted some missing signkernel
macro guards were missing in the spec, which I added. Also, in the
install part where we copy files to the kernel-doc package, I
consolidated the logic and added missing signkernel/signmodules guards,
with the existing code things would break if you disabled any of those
options.

v2: change pesign_name_0 for CentOS as reported by Brian Stinson

Signed-off-by: Herton R. Krzesinski <herton@xxxxxxxxxx>
Signed-off-by: Prarit Bhargava <prarit@xxxxxxxxxx>
Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx>

diff --git a/redhat/Makefile b/redhat/Makefile
index blahblah..blahblah 100644
--- a/redhat/Makefile
+++ b/redhat/Makefile
@@ -701,11 +701,6 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check
 		$(SOURCES)/
 	@cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \
 		> $(SOURCES)/kernel.changelog
-	@if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \
-		cp keys/redhatsecureboot{302,501,601,ca3,ca5,ca6}.cer $(SOURCES)/; \
-	else \
-		cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \
-	fi
 	@for KABIARCH in $(ARCH_LIST); do \
 		cp kabi/Module.kabi_$$KABIARCH $(SOURCES)/; \
 		cp kabi/Module.kabi_dup_$$KABIARCH $(SOURCES)/; \
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -801,6 +801,8 @@ Source0: linux-%{tarfile_release}.tar.xz
 Source1: Makefile.rhelver
 Source2: kernel.changelog
 
+
+%if %{signkernel}
 # Name of the packaged file containing signing key
 %ifarch ppc64le
 %define signing_key_filename kernel-signing-ppc.cer
@@ -809,42 +811,28 @@ Source2: kernel.changelog
 %define signing_key_filename kernel-signing-s390.cer
 %endif
 
-%if %{?released_kernel}
-
-Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca3.cer
-Source12: redhatsecurebootca6.cer
-Source13: redhatsecureboot501.cer
-Source14: redhatsecureboot302.cer
-Source15: redhatsecureboot601.cer
+%if 0%{?rhel} && !0%{?eln}
+%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
 
+%if 0%{?centos}
+%define pesign_name_0 centossecureboot201
+%else
 %ifarch x86_64 aarch64
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE13}
 %define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_ca_0 %{SOURCE12}
-%define secureboot_key_0 %{SOURCE15}
 %define pesign_name_0 redhatsecureboot601
 %endif
+%endif
 
-# released_kernel
-%else
-
-Source10: redhatsecurebootca4.cer
-Source11: redhatsecureboot401.cer
-
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_key_0 %{SOURCE11}
-%define pesign_name_0 redhatsecureboot401
-
-# released_kernel
+%global pesign_rhel_params -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+# rhel && !eln
+%endif
+# signkernel
 %endif
 
 Source20: mod-denylist.sh
@@ -1837,15 +1825,17 @@ done
 %endif
 
 # Add DUP and kpatch certificates to system trusted keys for RHEL
-%if 0%{?rhel}
+%if 0%{?rhel} && !0%{?eln}
 %if %{signkernel}%{signmodules}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
+%if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
 cat secureboot.pem >> ../certs/rhel.pem
 %endif
+%endif
 for i in *.config; do
   sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
@@ -2063,12 +2053,12 @@ BuildKernel() {
     SignImage=$KernelImage
 
     %ifarch x86_64 aarch64
-    %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+    %pesign -s -i $SignImage -o vmlinuz.signed %{?pesign_rhel_params}
     %endif
     %ifarch s390x ppc64le
     if [ -x /usr/bin/rpm-sign ]; then
 	rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
-    elif [ $DoModules -eq 1 ]; then
+    elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then
 	chmod +x scripts/sign-file
 	./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
     else
@@ -2509,7 +2499,7 @@ BuildKernel() {
 
 %if %{signkernel}
 
-	%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+	%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed %{?pesign_rhel_params}
 
     	if [ ! -s $KernelUnifiedImage.signed ]; then
       	   echo "pesigning failed"
@@ -2569,14 +2559,6 @@ BuildKernel() {
     	rm -f $RPM_BUILD_ROOT/mod-kvm.list
     fi
 
-%if %{signmodules}
-    if [ $DoModules -eq 1 ]; then
-	# Save the signing keys so we can sign the modules in __modsign_install_post
-	cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
-	cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
-    fi
-%endif
-
     # Move the devel headers out of the root file system
     mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
     mv $RPM_BUILD_ROOT/lib/modules/$KernelVer/build $RPM_BUILD_ROOT/$DevelDir
@@ -2600,18 +2582,31 @@ BuildKernel() {
 
     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+%if %{signkernel}
+    %if 0%{?secureboot_ca_0:1}
     install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+    %endif
     %ifarch s390x ppc64le
-    if [ $DoModules -eq 1 ]; then
-	if [ -x /usr/bin/rpm-sign ]; then
-	    install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	else
-	    install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-	    openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	    chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	fi
+    if [ -x /usr/bin/rpm-sign ]; then
+        install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
     fi
     %endif
+%endif
+
+%if %{signmodules}
+    if [ $DoModules -eq 1 ]; then
+        # Save the signing keys so we can sign the modules in __modsign_install_post
+        cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
+        cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
+        %ifarch s390x ppc64le
+        if [ ! -x /usr/bin/rpm-sign ]; then
+            install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+            openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+            chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+        fi
+        %endif
+    fi
+%endif
 
 %if %{with_ipaclones}
     MAXPROCS=$(echo %{?_smp_mflags} | sed -n 's/-j\s*\([0-9]\+\)/\1/p')
diff --git a/redhat/keys/redhatsecureboot302.cer b/redhat/keys/redhatsecureboot302.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot302.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot302.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot401.cer b/redhat/keys/redhatsecureboot401.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot401.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot401.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot501.cer b/redhat/keys/redhatsecureboot501.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot501.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot501.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot601.cer b/redhat/keys/redhatsecureboot601.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot601.cer
+++ /dev/null
diff --git a/redhat/keys/redhatsecurebootca3.cer b/redhat/keys/redhatsecurebootca3.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca3.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecurebootca3.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecurebootca4.cer b/redhat/keys/redhatsecurebootca4.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca4.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecurebootca4.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecurebootca5.cer b/redhat/keys/redhatsecurebootca5.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca5.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecurebootca5.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecurebootca6.cer b/redhat/keys/redhatsecurebootca6.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca6.cer
+++ /dev/null

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849
--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue







