kernel-6.9.0-0.rc6.20240502git0106679839f7.55
* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55] - redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek) - redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek) - redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek) - redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek) - redhat: correct file name of redhatsecurebootca1 (Jan Stancek) - redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek) Resolves: Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
parent
14090a5785
commit
89494f1123
@ -12,7 +12,7 @@ RHEL_MINOR = 99
|
||||
#
|
||||
# Use this spot to avoid future merge conflicts.
|
||||
# Do not trim this comment.
|
||||
RHEL_RELEASE = 53
|
||||
RHEL_RELEASE = 55
|
||||
|
||||
#
|
||||
# RHEL_REBASE_NUM
|
||||
|
@ -1,3 +1,16 @@
|
||||
* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55]
|
||||
- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
|
||||
- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
|
||||
- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
|
||||
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
|
||||
- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
|
||||
- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
|
||||
Resolves:
|
||||
|
||||
* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.54]
|
||||
- Linux v6.9.0-0.rc6.0106679839f7
|
||||
Resolves:
|
||||
|
||||
* Wed May 01 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.18daea77cca6.53]
|
||||
- redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
|
||||
- redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
|
||||
|
133
kernel.spec
133
kernel.spec
@ -163,13 +163,13 @@ Summary: The Linux kernel
|
||||
%define specrpmversion 6.9.0
|
||||
%define specversion 6.9.0
|
||||
%define patchversion 6.9
|
||||
%define pkgrelease 0.rc6.20240501git18daea77cca6.53
|
||||
%define pkgrelease 0.rc6.20240502git0106679839f7.55
|
||||
%define kversion 6
|
||||
%define tarfile_release 6.9-rc6-46-g18daea77cca6
|
||||
%define tarfile_release 6.9-rc6-53-g0106679839f7
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 9
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 0.rc6.20240501git18daea77cca6.53%{?buildid}%{?dist}
|
||||
%define specrelease 0.rc6.20240502git0106679839f7.55%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 6.9.0
|
||||
|
||||
@ -810,6 +810,10 @@ Source0: linux-%{tarfile_release}.tar.xz
|
||||
Source1: Makefile.rhelver
|
||||
Source2: kernel.changelog
|
||||
|
||||
Source10: redhatsecurebootca5.cer
|
||||
Source13: redhatsecureboot501.cer
|
||||
|
||||
%if %{signkernel}
|
||||
# Name of the packaged file containing signing key
|
||||
%ifarch ppc64le
|
||||
%define signing_key_filename kernel-signing-ppc.cer
|
||||
@ -818,48 +822,36 @@ Source2: kernel.changelog
|
||||
%define signing_key_filename kernel-signing-s390.cer
|
||||
%endif
|
||||
|
||||
%if %{?released_kernel}
|
||||
|
||||
Source10: redhatsecurebootca5.cer
|
||||
Source11: redhatsecurebootca1.cer
|
||||
Source12: redhatsecureboot501.cer
|
||||
Source13: redhatsecureboot301.cer
|
||||
Source14: secureboot_s390.cer
|
||||
Source15: secureboot_ppc.cer
|
||||
|
||||
%define secureboot_ca_0 %{SOURCE10}
|
||||
%define secureboot_ca_1 %{SOURCE11}
|
||||
%ifarch x86_64 aarch64
|
||||
%define secureboot_key_0 %{SOURCE12}
|
||||
# Fedora/ELN pesign macro expects to see these cert file names, see:
|
||||
# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
|
||||
%if 0%{?fedora}%{?eln}
|
||||
%define pesign_name_0 redhatsecureboot501
|
||||
%define secureboot_ca_0 %{SOURCE10}
|
||||
%define secureboot_key_0 %{SOURCE13}
|
||||
%endif
|
||||
|
||||
# RHEL/centos certs come from system-sb-certs
|
||||
%if 0%{?rhel} && !0%{?eln}
|
||||
%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
|
||||
%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
|
||||
|
||||
%if 0%{?centos}
|
||||
%define pesign_name_0 centossecureboot201
|
||||
%else
|
||||
%ifarch x86_64 aarch64
|
||||
%define pesign_name_0 redhatsecureboot501
|
||||
%define secureboot_key_1 %{SOURCE13}
|
||||
%define pesign_name_1 redhatsecureboot301
|
||||
%endif
|
||||
%ifarch s390x
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot302
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define secureboot_key_0 %{SOURCE15}
|
||||
%define pesign_name_0 redhatsecureboot303
|
||||
%define pesign_name_0 redhatsecureboot701
|
||||
%endif
|
||||
%endif
|
||||
# rhel && !eln
|
||||
%endif
|
||||
|
||||
# released_kernel
|
||||
%else
|
||||
|
||||
Source10: redhatsecurebootca4.cer
|
||||
Source11: redhatsecurebootca2.cer
|
||||
Source12: redhatsecureboot401.cer
|
||||
Source13: redhatsecureboot003.cer
|
||||
|
||||
%define secureboot_ca_0 %{SOURCE10}
|
||||
%define secureboot_ca_1 %{SOURCE11}
|
||||
%define secureboot_key_0 %{SOURCE12}
|
||||
%define pesign_name_0 redhatsecureboot401
|
||||
%define secureboot_key_1 %{SOURCE13}
|
||||
%define pesign_name_1 redhatsecureboot003
|
||||
|
||||
# released_kernel
|
||||
# signkernel
|
||||
%endif
|
||||
|
||||
Source20: mod-denylist.sh
|
||||
@ -1902,10 +1894,12 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
||||
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
||||
openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
|
||||
cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
|
||||
%if %{signkernel}
|
||||
%ifarch s390x ppc64le
|
||||
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
|
||||
cat secureboot.pem >> ../certs/rhel.pem
|
||||
%endif
|
||||
%endif
|
||||
for i in *.config; do
|
||||
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
|
||||
done
|
||||
@ -2149,14 +2143,12 @@ BuildKernel() {
|
||||
|
||||
%ifarch x86_64 aarch64
|
||||
%{log_msg "Sign kernel image"}
|
||||
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||||
rm vmlinuz.tmp
|
||||
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
elif [ $DoModules -eq 1 ]; then
|
||||
elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then
|
||||
chmod +x scripts/sign-file
|
||||
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
|
||||
else
|
||||
@ -2557,9 +2549,7 @@ BuildKernel() {
|
||||
|
||||
%if %{signkernel}
|
||||
%{log_msg "Sign the EFI UKI kernel"}
|
||||
%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||||
rm -f $KernelUnifiedImage.tmp
|
||||
%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
|
||||
if [ ! -s $KernelUnifiedImage.signed ]; then
|
||||
%{log_msg "pesigning failed"}
|
||||
@ -2681,15 +2671,6 @@ BuildKernel() {
|
||||
%{log_msg "Remove depmod files"}
|
||||
remove_depmod_files
|
||||
|
||||
%if %{signmodules}
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
%{log_msg "Save the signing keys for modules"}
|
||||
# Save the signing keys so we can sign the modules in __modsign_install_post
|
||||
cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
|
||||
cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
|
||||
fi
|
||||
%endif
|
||||
|
||||
# Move the devel headers out of the root file system
|
||||
%{log_msg "Move the devel headers to RPM_BUILD_ROOT"}
|
||||
mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
|
||||
@ -2722,24 +2703,29 @@ BuildKernel() {
|
||||
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||||
%{log_msg "Install certs"}
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||||
%ifarch x86_64 aarch64
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
||||
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
||||
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%else
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%endif
|
||||
%if %{signkernel}
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%ifarch s390x ppc64le
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
else
|
||||
install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
fi
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
fi
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{signmodules}
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
# Save the signing keys so we can sign the modules in __modsign_install_post
|
||||
cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
|
||||
cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
|
||||
%ifarch s390x ppc64le
|
||||
if [ ! -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
fi
|
||||
%endif
|
||||
fi
|
||||
%endif
|
||||
|
||||
%if %{with_ipaclones}
|
||||
%{log_msg "install IPA clones"}
|
||||
@ -3950,6 +3936,17 @@ fi\
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55]
|
||||
- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
|
||||
- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
|
||||
- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
|
||||
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
|
||||
- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
|
||||
- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
|
||||
|
||||
* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.54]
|
||||
- Linux v6.9.0-0.rc6.0106679839f7
|
||||
|
||||
* Wed May 01 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.18daea77cca6.53]
|
||||
- redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
|
||||
- redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
|
||||
|
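Review bot: In the hunk at `@ -818,48 +822,36 @`, the RHEL/CentOS branch now reads `secureboot_ca_0` and `secureboot_key_0` from `%{_datadir}/pki/sb-certs/` in the build root rather than from a `Source` file carried with the package, so the CA that the hunk at `@ -1902,10 +1894,12 @` appends to `certs/rhel.pem` (the `CONFIG_SYSTEM_TRUSTED_KEYS` bundle) on s390x and ppc64le is whatever certificate the build root happens to have installed. No `BuildRequires` for the package that owns those paths (the changelog calls it system-sb-certs) appears in the hunks shown; if it is not declared elsewhere in the spec, a versioned one would tie the trust anchor to a known package release. Recording the certificate in the build log before it is used would also make builds auditable, for example `openssl x509 -inform der -in %{secureboot_ca_0} -noout -subject -fingerprint -sha256`. Separately, when `signkernel` is set but neither the Fedora/ELN nor the RHEL condition holds, the three macros stay undefined and `%pesign` would receive the literal text `%{secureboot_ca_0}`; a guard after the two blocks such as `%{!?secureboot_ca_0:%{error:secureboot_ca_0 is not defined for this distribution}}` would make that case fail when the spec is parsed instead of during signing.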
Binary file not shown.
Binary file not shown.
BIN
redhatsecureboot501.cer
Normal file
BIN
redhatsecureboot501.cer
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
redhatsecurebootca5.cer
Normal file
BIN
redhatsecurebootca5.cer
Normal file
Binary file not shown.
6
sources
6
sources
@ -1,5 +1,5 @@
|
||||
SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
|
||||
SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
|
||||
SHA512 (linux-6.9-rc6-46-g18daea77cca6.tar.xz) = 28182f5751197bd8c4f8864ef23751192c87ab74aeb67ce27a9ff46d18c5c44356dbcb18a96b1718a86bb81e5b75a01c7a231fc4110d28b4ef7255417dbc0de5
|
||||
SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = d946eea829385d66d7b7d230b9e10fd58f3c64c114bde938f6dd8c2c75162f9381ae34dd63e3f0c8ef54362a339943f5a980da8f6af995a8a766a40b4384886f
|
||||
SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 6c5c5a2476ebb9bd97901ec8d00c3dba574add657b7b8ad674cb78864e59ec03559ac44efd5c2c90bb710030b6f3768d4619429528730d52385279fbd95d57a3
|
||||
SHA512 (linux-6.9-rc6-53-g0106679839f7.tar.xz) = 0798fdc7320c948bc46d8643672e0eb5b5a80265732275df9c357f8f5e3d58a39f12a301f93012ddf8899278e489408cbe43745fd9c8505a29b8290c946eb633
|
||||
SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = eaa72b7a4ac8f73ffac589f68e52ba70c57adc9ba67ae03a7596c5d368d1143f40398e940fdd5d0e5e5ff64d89e4b2bbb5957e2def2a9cf6a8a8f54c577b19a8
|
||||
SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 1efc24c0f85efa363308ae6c1ca76cc58686478386a73f31df7c08b6c1a7caa067e0afc1d0fedd52d8764c6115d0b4c4f54ea16550bba77da69fdcae3671b097
|
||||
|