From: Shawn Doherty on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3715

JIRA: https://issues.redhat.com/browse/RHEL-78812
Upstream Status: RHEL-only

Enable the configuration to add an extra certificate to the kernel
keyring later. This is intended for atomic images (e.g., ostree), that
are target specific, to sign their modules when composing an image for
that target using an existing kernel RPM.

Disable kernel signing, as the signature would be invalidated by adding
extra certificates at image composition.

The build generated key used to sign the modules will be in the keyring,
so images using packages can still use: `dnf install _kernel-or-module-rpm`
and enforce signature verification. Atomic images signing their modules
at composition will add an extra certificate, re-sign the modules and
potentially wipe or invalidate the existing build key.

Signed-off-by: Shawn Doherty sdoherty@xxxxxxxxxx

---
 redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL | 1 +
 redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE | 1 +
 redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE | 1 +
 redhat/kernel.spec.template | 25 ++++++----
 4 files changed, 18 insertions(+), 10 deletions(-)

--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue