From: Shawn Doherty <sdoherty@xxxxxxxxxx> redhat: spec: conditionally trust RHEL keys JIRA: https://issues.redhat.com/browse/RHEL-78808 commit 7a1a30adcf4af88c0d67d6132c5b845373110f0d Author: Eric Chanudet <echanude@xxxxxxxxxx> Date: Wed Aug 7 10:57:20 2024 -0400 redhat: spec: conditionally trust RHEL keys JIRA: https://issues.redhat.com/browse/RHEL-53349 Upstream Status: RHEL-only One of the reasons to not sign the modules at compile time was to remove keys from the keyring to automatically revoke any signature not tied to a given image. Add a condition to trust the RHEL persistent ones. Persistent keys being added to the trusted keyring is independent from signing the modules at build time, update the test with the new variable now reflecting that choice. Signed-off-by: Eric Chanudet <echanude@xxxxxxxxxx> Signed-off-by: Shawn Doherty <sdoherty@xxxxxxxxxx> diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -111,6 +111,9 @@ Summary: The Linux kernel # Sign modules on all arches %global signmodules 1 +# Add rhel module signing keys to keyring. +%global rhelkeys 1 + # Compress modules only for architectures that build modules %ifarch noarch %global zipmodules 0 @@ -471,6 +474,7 @@ Summary: The Linux kernel %define with_ipaclones 0 %define signkernel 0 %define signmodules 1 +%define rhelkeys 0 %endif 
@@ -2016,24 +2020,23 @@ do done %endif -%if %{signkernel}%{signmodules} - # Add DUP and kpatch certificates to system trusted keys for RHEL %if 0%{?rhel} %{log_msg "Add DUP and kpatch certificates to system trusted keys for RHEL"} +truncate -s0 ../certs/rhel.pem +%if %{rhelkeys} openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem -cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem +cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem +for i in *.config; do + sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i +done +%endif %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem cat secureboot.pem >> ../certs/rhel.pem -%endif -%endif - -# rhel -%endif openssl x509 -inform der -in %{ima_ca_cert} -out imaca.pem cat imaca.pem >> ../certs/rhel.pem @@ -2042,6 +2045,8 @@ for i in *.config; do sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i done %endif +%endif +%endif # Adjust FIPS module name for RHEL %if 0%{?rhel} -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3715 -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
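Review bot: on the first hunk (`+%global rhelkeys 1` after `%global signmodules 1`), the commit message says the test was updated "with the new variable now reflecting that choice", but the only file in this diff is redhat/kernel.spec.template; either the test change is missing from the patch or the sentence should be dropped. The new comment "# Add rhel module signing keys to keyring." would also be more useful if it said what turning it off buys, since the commit message explains that: leaving the persistent keys out of the keyring revokes any module signature not tied to this build.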
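Review bot: in the second hunk, `+%define rhelkeys 0` is added next to `%define signkernel 0` / `%define signmodules 1` with no comment, while the default in the first hunk gets one. A one-line comment here stating that this variant keeps build-time module signing but deliberately drops the persistent RHEL keys (the revocation argument from the commit message) would save the next reader from guessing whether the 0 is intentional. Using `%define` rather than `%global` matches the surrounding `signkernel`/`signmodules` overrides, so that part is consistent.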
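Review bot: in the third hunk, removing the `-%endif` / `-%endif` that followed `cat secureboot.pem >> ../certs/rhel.pem` (and the `-# rhel` / `-%endif` after them) leaves the `openssl x509 -inform der -in %{ima_ca_cert} -out imaca.pem` / `cat imaca.pem >> ../certs/rhel.pem` pair inside `%ifarch s390x ppc64le` and inside `%if %{signkernel}`, whereas before the patch they ran unconditionally for every `%{signkernel}%{signmodules}` build. As written, an x86_64 or aarch64 RHEL build with `rhelkeys 1` gets the DUP, kpatch and NVIDIA keys but no IMA CA, and a non-RHEL build (the outer `%if 0%{?rhel}`) gets nothing at all. If that is not the intent, keep one `%endif` closing the `%ifarch` block immediately after the `cat secureboot.pem` line so the IMA CA import stays arch-independent. The `truncate -s0 ../certs/rhel.pem` before `%if %{rhelkeys}` plus the switch from `>` to `>>` is the right way to make the later appends safe regardless of which branches run.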
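Review bot: in the fourth hunk, the two added `%endif` lines close `%if %{signkernel}` and `%if 0%{?rhel}`, which means the `for i in *.config; do sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@...' ; done` loop just above them now runs only for RHEL, signkernel, s390x/ppc64le builds, and the copy added inside `%if %{rhelkeys}` covers the other case; on s390x/ppc64le with `rhelkeys 1` it runs twice (harmless, since the sed only rewrites the empty value, but duplicated). A cleaner shape is a single loop after the last `%endif`, guarded on the file actually having content, e.g. `if [ -s ../certs/rhel.pem ]; then for i in *.config; do sed -i ... $i; done; fi`, so CONFIG_SYSTEM_TRUSTED_KEYS is set exactly when something was appended and stays `""` for the `rhelkeys 0` case the commit message describes.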