From: Jan Stancek <jstancek@xxxxxxxxxx> redhat: drop certificates that were deprecated after GRUB's BootHole flaw Forward-port of c9s commit 9cb4544a5b4c ("redhat: drop certificates that were deprecated after GRUB's BootHole flaw") Conflicts: update also UKI signing hunk, since this patch is introduced out of order updated for commit a4ce7662668c ("Flip secureboot signature order") Since newer RHEL should already have newer enough grub versions, we don't need anymore to keep signing the kernel for secure boot with older keys for compatibility with older grub. The second signature also causes problems because the upstream kernel so far does not support checking more than one signature as reported on bug above, where kexec signature checking can fail in a secure boot enabled environment. More than one signature requires that we patch the kernel for it to work, but we don't need that now since we can drop the second signature. Signed-off-by: Herton R. Krzesinski <herton@xxxxxxxxxx> Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx> diff --git a/redhat/Makefile b/redhat/Makefile index blahblah..blahblah 100644 --- a/redhat/Makefile +++ b/redhat/Makefile @@ -709,9 +709,9 @@ sources-rh: $(TARBALL) $(KABI_TARBALL) $(KABIDW_TARBALL) generate-testpatch-tmp @cat $$(ls -1 $(SPECPACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \ > $(SOURCES)/kernel.changelog @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \ - cp keys/redhatsecureboot{301,302,303,501,ca5,ca3}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{302,303,501,ca5,ca3}.cer $(SOURCES)/; \ else \ - cp keys/redhatsecureboot{003,401,ca2,ca4}.cer $(SOURCES)/; \ + cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \ fi @for KABIARCH in $(ARCH_LIST); do \ cp kabi/Module.kabi_$$KABIARCH $(SOURCES)/; \ diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -817,24 +817,22 @@ Source2: kernel.changelog Source10: redhatsecurebootca5.cer Source11: redhatsecurebootca3.cer Source12: redhatsecureboot501.cer -Source13: redhatsecureboot301.cer -Source14: redhatsecureboot302.cer -Source15: redhatsecureboot303.cer +Source13: redhatsecureboot302.cer +Source14: redhatsecureboot303.cer -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_ca_1 %{SOURCE11} %ifarch x86_64 aarch64 +%define secureboot_ca_0 %{SOURCE10} %define secureboot_key_0 %{SOURCE12} %define pesign_name_0 redhatsecureboot501 -%define secureboot_key_1 %{SOURCE13} -%define pesign_name_1 redhatsecureboot301 %endif %ifarch s390x -%define secureboot_key_0 %{SOURCE14} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_key_0 %{SOURCE13} %define pesign_name_0 redhatsecureboot302 %endif %ifarch ppc64le -%define secureboot_key_0 %{SOURCE15} +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_key_0 %{SOURCE14} %define pesign_name_0 redhatsecureboot303 %endif @@ -842,16 +840,11 @@ Source15: redhatsecureboot303.cer %else Source10: redhatsecurebootca4.cer -Source11: redhatsecurebootca2.cer -Source12: redhatsecureboot401.cer -Source13: redhatsecureboot003.cer +Source11: redhatsecureboot401.cer %define secureboot_ca_0 %{SOURCE10} -%define secureboot_ca_1 %{SOURCE11} -%define secureboot_key_0 %{SOURCE12} +%define secureboot_key_0 %{SOURCE11} %define pesign_name_0 redhatsecureboot401 -%define secureboot_key_1 %{SOURCE13} -%define pesign_name_1 redhatsecureboot003 # released_kernel %endif @@ -2157,9 +2150,7 @@ BuildKernel() { %ifarch x86_64 aarch64 %{log_msg "Sign kernel image"} - %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm vmlinuz.tmp + %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then @@ -2632,9 +2623,7 @@ BuildKernel() { %if %{signkernel} %{log_msg "Sign the EFI UKI kernel"} - %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} - %pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} - rm -f $KernelUnifiedImage.tmp + %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} if [ ! -s $KernelUnifiedImage.signed ]; then %{log_msg "pesigning failed"} @@ -2738,13 +2727,7 @@ BuildKernel() { # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel %{log_msg "Install certs"} mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - %ifarch x86_64 aarch64 - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer - install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer - ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %else - install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer - %endif + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then diff --git a/redhat/keys/redhatsecureboot003.cer b/redhat/keys/redhatsecureboot003.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot003.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot003.cer and /dev/null differ diff --git a/redhat/keys/redhatsecureboot301.cer b/redhat/keys/redhatsecureboot301.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecureboot301.cer +++ /dev/null Binary files a/redhat/keys/redhatsecureboot301.cer and /dev/null differ diff --git a/redhat/keys/redhatsecurebootca2.cer b/redhat/keys/redhatsecurebootca2.cer deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/keys/redhatsecurebootca2.cer +++ /dev/null Binary files a/redhat/keys/redhatsecurebootca2.cer and /dev/null differ -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2849 -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue