From: Jan Stancek <jstancek@xxxxxxxxxx> redhat: add IMA certificates Forward port c9s commit: 7ff63254426d ("redhat: add IMA certificates") Starting with RHEL9.0, installed package files will have IMA signatures if users choose so. The IMA subsystem will search for the certificate in the .ima keyring to verify a file signature thus to make sure this file hasn't been tampered with. To be able to add the IMA code-signing certificate to the .ima keyring, this certificate needs to be signed by a CA certificate in the system keyrings. This patch builds the IMA CA certificate into the .builtin_trusted_keys keyring and installs the IMA code-signing certificate to /usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like dracut to add it to the .ima keyring. Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx> Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx> diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -918,6 +918,17 @@ Source87: flavors Source100: rheldup3.x509 Source101: rhelkpatch1.x509 Source102: nvidiagpuoot001.x509 +Source103: rhelimaca1.x509 +Source104: rhelima.x509 +Source105: rhelima_centos.x509 + +%if 0%{?centos} +%define ima_signing_cert %{SOURCE105} +%else +%define ima_signing_cert %{SOURCE104} +%endif + +%define ima_cert_name ima.cer Source200: check-kabi @@ -1893,7 +1904,8 @@ done openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem -cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem +openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem +cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem rhelimaca1.pem > ../certs/rhel.pem %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem 
@@ -2712,6 +2724,11 @@ BuildKernel() { %endif %endif +%if 0%{?rhel} + # Red Hat IMA code-signing cert, which is used to authenticate package files + install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} +%endif + %if %{signmodules} if [ $DoModules -eq 1 ]; then # Save the signing keys so we can sign the modules in __modsign_install_post diff --git a/redhat/keys/rhelima.x509 b/redhat/keys/rhelima.x509 new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/rhelima.x509 Binary files /dev/null and b/redhat/keys/rhelima.x509 differ diff --git a/redhat/keys/rhelima_centos.x509 b/redhat/keys/rhelima_centos.x509 new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/rhelima_centos.x509 Binary files /dev/null and b/redhat/keys/rhelima_centos.x509 differ diff --git a/redhat/keys/rhelimaca1.x509 b/redhat/keys/rhelimaca1.x509 new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/keys/rhelimaca1.x509 Binary files /dev/null and b/redhat/keys/rhelimaca1.x509 differ -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3094
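Review bot: in the `@@ -918,6 +918,17 @@` hunk, the two leaf certificates selected by `%if 0%{?centos}` (Source104 rhelima.x509 and Source105 rhelima_centos.x509) must both chain to the single CA added as Source103 rhelimaca1.x509, but nothing in the patch states that the CentOS code-signing certificate is issued by rhelimaca1; if it is issued by a different CA, the installed ima.cer cannot be loaded into .ima on CentOS because its issuer is not in .builtin_trusted_keys. Please confirm the chain in the commit message (the issuer of rhelima_centos.x509), or add the CentOS CA next to Source103. As a style point, Fedora packaging guidelines prefer `%global` over `%define` for spec-wide macros, so `%global ima_cert_name ima.cer` and `%global ima_signing_cert %{SOURCE104}` would avoid the lazy-expansion behaviour of `%define`.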
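Review bot: in the `@@ -1893,7 +1904,8 @@` hunk, the conversion of %{SOURCE103} and its concatenation into ../certs/rhel.pem are unconditional, while the matching leaf-certificate install later in the patch is guarded by `%if 0%{?rhel}`, so builds where `%{?rhel}` is unset embed the RHEL IMA CA in .builtin_trusted_keys without ever shipping ima.cer. Either gate `openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem` and the extra `rhelimaca1.pem` argument to `cat` with the same `%if 0%{?rhel}` condition, or explain in the commit message why every build of this spec should trust this CA.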
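Review bot: in the `@@ -2712,6 +2724,11 @@ BuildKernel()` hunk, `install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}` fails if the kernel-keys/$KernelVer directory does not already exist at this point in BuildKernel(); `install -D -m 0644` creates it. The patch also adds no `%files` entry for the new file, so please confirm which subpackage owns %{_datadir}/doc/kernel-keys/$KernelVer/ima.cer (rpmbuild rejects unpackaged files by default), and align the commit message, which gives the path as /usr/share/doc/kernel-keys/KVERREL/ima.cer, with the $KernelVer used here.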
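Review bot: the three new files under redhat/keys/ are added as opaque DER blobs (`Binary files /dev/null and b/redhat/keys/rhelima.x509 differ`, and likewise for rhelima_centos.x509 and rhelimaca1.x509), so a reviewer cannot see subject, issuer, key usage or validity period from the diff. Please include `openssl x509 -inform der -noout -subject -issuer -dates` output for each certificate in the commit message so that the rhelima -> rhelimaca1 chain and the expiry dates can be checked before the CA is baked into .builtin_trusted_keys, where anything it signs becomes loadable into .ima.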