[OS-BUILD PATCH] redhat: add IMA certificates

From: Jan Stancek <jstancek@xxxxxxxxxx>

redhat: add IMA certificates

Forward port c9s commit:
7ff63254426d ("redhat: add IMA certificates")

Starting with RHEL9.0, installed package files will have IMA signatures
if users choose so. The IMA subsystem will search for the certificate in
the .ima keyring to verify a file signature and thus make sure this file
hasn't been tampered with. To be able to add the IMA code-signing
certificate to the .ima keyring, this certificate needs to be signed by
a CA certificate in the system keyrings.

This patch builds the IMA CA certificate into the .builtin_trusted_keys
keyring and installs the IMA code-signing certificate to
/usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like
dracut to add it to the .ima keyring.

Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx>

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -918,6 +918,17 @@ Source87: flavors
 Source100: rheldup3.x509
 Source101: rhelkpatch1.x509
 Source102: nvidiagpuoot001.x509
+Source103: rhelimaca1.x509
+Source104: rhelima.x509
+Source105: rhelima_centos.x509
+
+%if 0%{?centos}
+%define ima_signing_cert %{SOURCE105}
+%else
+%define ima_signing_cert %{SOURCE104}
+%endif
+
+%define ima_cert_name ima.cer
 
 Source200: check-kabi
 
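Review bot: the `%if 0%{?centos}` block selects a different code-signing certificate (rhelima_centos.x509) for CentOS, but only one CA certificate (Source103, rhelimaca1.x509) is added to the trusted bundle in this patch; the commit message says the signing certificate must chain to a CA in the system keyrings, so please state in the commit message (or a comment next to the `%define`) that both rhelima.x509 and rhelima_centos.x509 are issued by rhelimaca1, otherwise the CentOS certificate will be rejected when user space tries to load it into .ima. Also consider keying this condition on the same macro as the install hunk (`0%{?rhel}` vs `0%{?centos}`) so the two branches cannot drift apart.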
@@ -1893,7 +1904,8 @@ done
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem rhelimaca1.pem > ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@@ -2712,6 +2724,11 @@ BuildKernel() {
     %endif
 %endif
 
+%if 0%{?rhel}
+    # Red Hat IMA code-signing cert, which is used to authenticate package files
+    install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+%endif
+
 %if %{signmodules}
     if [ $DoModules -eq 1 ]; then
         # Save the signing keys so we can sign the modules in __modsign_install_post
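Review bot: the `install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}` line assumes the kernel-keys/$KernelVer directory already exists at this point; if it is only created further down under `%if %{signmodules}`, a build with signmodules disabled will fail here, so add an `install -d` for the directory (or move the block after the directory is created). The hunk also does not touch `%files`: unless that path is already covered by a glob, rpmbuild will stop on an unpackaged file, so please confirm which package owns ima.cer.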
diff --git a/redhat/keys/rhelima.x509 b/redhat/keys/rhelima.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima.x509
Binary files /dev/null and b/redhat/keys/rhelima.x509 differ
diff --git a/redhat/keys/rhelima_centos.x509 b/redhat/keys/rhelima_centos.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima_centos.x509
Binary files /dev/null and b/redhat/keys/rhelima_centos.x509 differ
diff --git a/redhat/keys/rhelimaca1.x509 b/redhat/keys/rhelimaca1.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelimaca1.x509
Binary files /dev/null and b/redhat/keys/rhelimaca1.x509 differ
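Review bot: the three new binary files (rhelima.x509, rhelima_centos.x509, rhelimaca1.x509) cannot be reviewed from the diff; please add the subject, issuer, validity period and fingerprint of each certificate to the commit message (e.g. the output of `openssl x509 -inform der -noout -subject -issuer -dates -fingerprint`) so reviewers can verify that the two signing certificates chain to rhelimaca1 and that the blobs match the intended keys.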

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3094
--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx