diff --git a/Makefile.rhelver b/Makefile.rhelver
index 045195d74..913f12fc1 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 53
+RHEL_RELEASE = 55
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index 25dc9b441..3d49edfaa 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,16 @@
+* Thu May 02 2024 Fedora Kernel Team [6.9.0-0.rc6.0106679839f7.55]
+- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
+- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
+- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
+- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
+- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
+Resolves:
+
+* Thu May 02 2024 Fedora Kernel Team [6.9.0-0.rc6.0106679839f7.54]
+- Linux v6.9.0-0.rc6.0106679839f7
+Resolves:
+
 * Wed May 01 2024 Fedora Kernel Team [6.9.0-0.rc6.18daea77cca6.53]
 - redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
 - redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
diff --git a/kernel.spec b/kernel.spec
index 8b5e54c50..e62f6a266 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -163,13 +163,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.9.0
 %define specversion 6.9.0
 %define patchversion 6.9
-%define pkgrelease 0.rc6.20240501git18daea77cca6.53
+%define pkgrelease 0.rc6.20240502git0106679839f7.55
 %define kversion 6
-%define tarfile_release 6.9-rc6-46-g18daea77cca6
+%define tarfile_release 6.9-rc6-53-g0106679839f7
 # This is needed to do merge window version magic
 %define patchlevel 9
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20240501git18daea77cca6.53%{?buildid}%{?dist}
+%define specrelease 0.rc6.20240502git0106679839f7.55%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.9.0
@@ -810,6 +810,10 @@ Source0: linux-%{tarfile_release}.tar.xz
 Source1: Makefile.rhelver
 Source2: kernel.changelog
+Source10: redhatsecurebootca5.cer
+Source13: redhatsecureboot501.cer
+
+%if %{signkernel}
 # Name of the packaged file containing signing key
 %ifarch ppc64le
 %define signing_key_filename kernel-signing-ppc.cer
@@ -818,48 +822,36 @@ Source2: kernel.changelog
 %define signing_key_filename kernel-signing-s390.cer
 %endif
-%if %{?released_kernel}
-
-Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
-%ifarch x86_64 aarch64
-%define secureboot_key_0 %{SOURCE12}
+# Fedora/ELN pesign macro expects to see these cert file names, see:
+# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
+%if 0%{?fedora}%{?eln}
+%define pesign_name_0 redhatsecureboot501
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE13}
+%endif
+
+# RHEL/centos certs come from system-sb-certs
+%if 0%{?rhel} && !0%{?eln}
+%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
+
+%if 0%{?centos}
+%define pesign_name_0 centossecureboot201
+%else
+%ifarch x86_64 aarch64
 %define pesign_name_0 redhatsecureboot501
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot301
 %endif
 %ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot303
+%define pesign_name_0 redhatsecureboot701
+%endif
+%endif
+# rhel && !eln
 %endif
-# released_kernel
-%else
-
-Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 redhatsecureboot401
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot003
-
-# released_kernel
+# signkernel
 %endif
 Source20: mod-denylist.sh
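Review bot: The RHEL branch of this hunk points `secureboot_ca_0` and `secureboot_key_0` at files under `%{_datadir}/pki/sb-certs/` that are read during the build (the `openssl x509 -inform der -in %{secureboot_ca_0}` step in the -1902 hunk and the `install -m 0644 %{secureboot_ca_0}` step in the -2722 hunk), yet no `BuildRequires: system-sb-certs` appears anywhere in the diff; unless it is already declared elsewhere in the spec, a RHEL build would fail only at that late step rather than at dependency resolution, so add `BuildRequires: system-sb-certs` under the same `%if 0%{?rhel} && !0%{?eln}` condition. A second gap is that neither `%if 0%{?fedora}%{?eln}` nor `%if 0%{?rhel} && !0%{?eln}` has a fallback, so a build where both are unset leaves `secureboot_ca_0`, `secureboot_key_0` and `pesign_name_0` undefined and the later `%pesign ... -a %{secureboot_ca_0}` lines in the -2149 and -2557 hunks would not expand to a usable path; the old `%if %{?released_kernel}`/`%else` pair always defined them. An explicit `%else` carrying `%{error:no Secure Boot certificates configured for this build target}` before the closing `%endif` would surface that at parse time instead. The `#L216` in the new comment pins a line number on `main`, which will drift; a commit-pinned link is more durable.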
@@ -1902,10 +1894,12 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+%if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
 cat secureboot.pem >> ../certs/rhel.pem
 %endif
+%endif
 for i in *.config; do
 sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
@@ -2149,14 +2143,12 @@ BuildKernel() {
 %ifarch x86_64 aarch64
 %{log_msg "Sign kernel image"}
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
 rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
- elif [ $DoModules -eq 1 ]; then
+ elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then
 chmod +x scripts/sign-file
 ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
 else
@@ -2557,9 +2549,7 @@ BuildKernel() {
 %if %{signkernel}
 %{log_msg "Sign the EFI UKI kernel"}
- %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm -f $KernelUnifiedImage.tmp
+ %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 if [ ! -s $KernelUnifiedImage.signed ]; then
 %{log_msg "pesigning failed"}
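Review bot: The new `elif` test in the -2149 hunk uses `==` and `-a` inside `[ ]`, neither of which is POSIX (`==` is a bash extension of `test`, and `-a` is marked obsolescent), so the line silently depends on `/bin/sh` being bash in the build root; the portable and equally readable form is `elif [ "$DoModules" = 1 ] && [ "%{signmodules}" = 1 ]; then`. Because `%{signmodules}` is fixed at spec-parse time, the rest of the condition is a constant per build, which is worth a short comment on the line (e.g. `# module signing key only exists when signmodules is set`) since the reader sees it next to a runtime `$DoModules` check. The `else` branch of this `if` chain and the rest of `BuildKernel()` lie outside the hunk.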
@@ -2681,15 +2671,6 @@ BuildKernel() {
 %{log_msg "Remove depmod files"}
 remove_depmod_files
-%if %{signmodules}
- if [ $DoModules -eq 1 ]; then
- %{log_msg "Save the signing keys for modules"}
- # Save the signing keys so we can sign the modules in __modsign_install_post
- cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
- cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
- fi
-%endif
-
 # Move the devel headers out of the root file system
 %{log_msg "Move the devel headers to RPM_BUILD_ROOT"}
 mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
@@ -2722,24 +2703,29 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 %{log_msg "Install certs"}
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+%if %{signkernel}
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %ifarch s390x ppc64le
- if [ $DoModules -eq 1 ]; then
- if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
- else
- install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
- chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
- fi
+ if [ -x /usr/bin/rpm-sign ]; then
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
 fi
 %endif
+%endif
+
+%if %{signmodules}
+ if [ $DoModules -eq 1 ]; then
+ # Save the signing keys so we can sign the modules in __modsign_install_post
+ cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
+ cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
+ %ifarch s390x ppc64le
+ if [ ! -x /usr/bin/rpm-sign ]; then
+ install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ fi
+ %endif
+ fi
+%endif
 %if %{with_ipaclones}
 %{log_msg "install IPA clones"}
@@ -3950,6 +3936,17 @@ fi\
 #
 #
 %changelog
+* Thu May 02 2024 Fedora Kernel Team [6.9.0-0.rc6.0106679839f7.55]
+- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
+- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
+- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
+- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
+- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
+
+* Thu May 02 2024 Fedora Kernel Team [6.9.0-0.rc6.0106679839f7.54]
+- Linux v6.9.0-0.rc6.0106679839f7
+
 * Wed May 01 2024 Fedora Kernel Team [6.9.0-0.rc6.18daea77cca6.53]
 - redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
 - redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer
deleted file mode 100644
index 439b75bf3..000000000
Binary files a/redhatsecureboot003.cer and /dev/null differ
diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer
deleted file mode 100644
index 247666cfe..000000000
Binary files a/redhatsecureboot401.cer and /dev/null differ
diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 000000000..dfa7afb46
Binary files /dev/null and b/redhatsecureboot501.cer differ
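Review bot: The relocated `%if %{signmodules}` block in the -2722 hunk references `%{signing_key_filename}` in its `openssl x509 ... -out` and `chmod 0644` lines for s390x/ppc64le, but it sits after the `%endif` that closes `%if %{signkernel}`, and the -810/-818 hunks of this same commit moved the `%define signing_key_filename` lines inside `%if %{signkernel}`; in any build that sets `signmodules` without `signkernel` on those arches the macro is undefined and the install path would carry the unexpanded name. If that combination is never produced, a one-line comment at the definition site saying so would protect the next editor; otherwise keep the `signing_key_filename` defines outside the `%if %{signkernel}` guard (they are plain file names with no certificate dependency), i.e. place the added `%if %{signkernel}` in the -810 hunk after the `%endif` that ends the s390x `%ifarch` instead of before `# Name of the packaged file containing signing key`. Separately, the `%{log_msg "Save the signing keys for modules"}` line that the -2681 hunk removed was not carried into the relocated block, so that step no longer appears in the build log; restoring it right after `if [ $DoModules -eq 1 ]; then` keeps the logging consistent with the neighbouring steps. `BuildKernel()` continues outside the hunk.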
diff --git a/redhatsecurebootca2.cer b/redhatsecurebootca2.cer
deleted file mode 100644
index 43502d6bc..000000000
Binary files a/redhatsecurebootca2.cer and /dev/null differ
diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer
deleted file mode 100644
index 8cb32e68c..000000000
Binary files a/redhatsecurebootca4.cer and /dev/null differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 000000000..dfb028495
Binary files /dev/null and b/redhatsecurebootca5.cer differ
diff --git a/sources b/sources
index 865571442..53e51ee9f 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
 SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
 SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
-SHA512 (linux-6.9-rc6-46-g18daea77cca6.tar.xz) = 28182f5751197bd8c4f8864ef23751192c87ab74aeb67ce27a9ff46d18c5c44356dbcb18a96b1718a86bb81e5b75a01c7a231fc4110d28b4ef7255417dbc0de5
-SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = d946eea829385d66d7b7d230b9e10fd58f3c64c114bde938f6dd8c2c75162f9381ae34dd63e3f0c8ef54362a339943f5a980da8f6af995a8a766a40b4384886f
-SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 6c5c5a2476ebb9bd97901ec8d00c3dba574add657b7b8ad674cb78864e59ec03559ac44efd5c2c90bb710030b6f3768d4619429528730d52385279fbd95d57a3
+SHA512 (linux-6.9-rc6-53-g0106679839f7.tar.xz) = 0798fdc7320c948bc46d8643672e0eb5b5a80265732275df9c357f8f5e3d58a39f12a301f93012ddf8899278e489408cbe43745fd9c8505a29b8290c946eb633
+SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = eaa72b7a4ac8f73ffac589f68e52ba70c57adc9ba67ae03a7596c5d368d1143f40398e940fdd5d0e5e5ff64d89e4b2bbb5957e2def2a9cf6a8a8f54c577b19a8
+SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 1efc24c0f85efa363308ae6c1ca76cc58686478386a73f31df7c08b6c1a7caa067e0afc1d0fedd52d8764c6115d0b4c4f54ea16550bba77da69fdcae3671b097