From 89494f1123eeea4ad14df49d66cffbdb79a80d68 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes@fedoraproject.org>
Date: Thu, 2 May 2024 08:49:45 -0500
Subject: [PATCH] kernel-6.9.0-0.rc6.20240502git0106679839f7.55

* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55]
- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
Resolves:

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
---
 Makefile.rhelver        |   2 +-
 kernel.changelog        |  13 ++++
 kernel.spec             | 133 ++++++++++++++++++++--------------------
 redhatsecureboot003.cer | Bin 829 -> 0 bytes
 redhatsecureboot401.cer | Bin 978 -> 0 bytes
 redhatsecureboot501.cer | Bin 0 -> 964 bytes
 redhatsecurebootca2.cer | Bin 872 -> 0 bytes
 redhatsecurebootca4.cer | Bin 934 -> 0 bytes
 redhatsecurebootca5.cer | Bin 0 -> 920 bytes
 sources                 |   6 +-
 10 files changed, 82 insertions(+), 72 deletions(-)
 delete mode 100644 redhatsecureboot003.cer
 delete mode 100644 redhatsecureboot401.cer
 create mode 100644 redhatsecureboot501.cer
 delete mode 100644 redhatsecurebootca2.cer
 delete mode 100644 redhatsecurebootca4.cer
 create mode 100644 redhatsecurebootca5.cer

diff --git a/Makefile.rhelver b/Makefile.rhelver
index 045195d74..913f12fc1 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 99
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 53
+RHEL_RELEASE = 55
 
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index 25dc9b441..3d49edfaa 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,16 @@
+* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55]
+- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
+- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
+- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
+- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
+- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
+Resolves: 
+
+* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.54]
+- Linux v6.9.0-0.rc6.0106679839f7
+Resolves: 
+
 * Wed May 01 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.18daea77cca6.53]
 - redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
 - redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
diff --git a/kernel.spec b/kernel.spec
index 8b5e54c50..e62f6a266 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -163,13 +163,13 @@ Summary: The Linux kernel
 %define specrpmversion 6.9.0
 %define specversion 6.9.0
 %define patchversion 6.9
-%define pkgrelease 0.rc6.20240501git18daea77cca6.53
+%define pkgrelease 0.rc6.20240502git0106679839f7.55
 %define kversion 6
-%define tarfile_release 6.9-rc6-46-g18daea77cca6
+%define tarfile_release 6.9-rc6-53-g0106679839f7
 # This is needed to do merge window version magic
 %define patchlevel 9
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 0.rc6.20240501git18daea77cca6.53%{?buildid}%{?dist}
+%define specrelease 0.rc6.20240502git0106679839f7.55%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 6.9.0
 
@@ -810,6 +810,10 @@ Source0: linux-%{tarfile_release}.tar.xz
 Source1: Makefile.rhelver
 Source2: kernel.changelog
 
+Source10: redhatsecurebootca5.cer
+Source13: redhatsecureboot501.cer
+
+%if %{signkernel}
 # Name of the packaged file containing signing key
 %ifarch ppc64le
 %define signing_key_filename kernel-signing-ppc.cer
@@ -818,48 +822,36 @@ Source2: kernel.changelog
 %define signing_key_filename kernel-signing-s390.cer
 %endif
 
-%if %{?released_kernel}
-
-Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
-%ifarch x86_64 aarch64
-%define secureboot_key_0 %{SOURCE12}
+# Fedora/ELN pesign macro expects to see these cert file names, see:
+# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216
+%if 0%{?fedora}%{?eln}
+%define pesign_name_0 redhatsecureboot501
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE13}
+%endif
+
+# RHEL/centos certs come from system-sb-certs
+%if 0%{?rhel} && !0%{?eln}
+%define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
+
+%if 0%{?centos}
+%define pesign_name_0 centossecureboot201
+%else
+%ifarch x86_64 aarch64
 %define pesign_name_0 redhatsecureboot501
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot301
 %endif
 %ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot303
+%define pesign_name_0 redhatsecureboot701
+%endif
+%endif
+# rhel && !eln
 %endif
 
-# released_kernel
-%else
-
-Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 redhatsecureboot401
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot003
-
-# released_kernel
+# signkernel
 %endif
 
 Source20: mod-denylist.sh
@@ -1902,10 +1894,12 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
 cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+%if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
 cat secureboot.pem >> ../certs/rhel.pem
 %endif
+%endif
 for i in *.config; do
   sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
@@ -2149,14 +2143,12 @@ BuildKernel() {
 
     %ifarch x86_64 aarch64
     %{log_msg "Sign kernel image"}
-    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
-    rm vmlinuz.tmp
+    %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
     %endif
     %ifarch s390x ppc64le
     if [ -x /usr/bin/rpm-sign ]; then
 	rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
-    elif [ $DoModules -eq 1 ]; then
+    elif [ "$DoModules" == "1" -a "%{signmodules}" == "1" ]; then
 	chmod +x scripts/sign-file
 	./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
     else
@@ -2557,9 +2549,7 @@ BuildKernel() {
 
 %if %{signkernel}
 	%{log_msg "Sign the EFI UKI kernel"}
-	%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-    	%pesign -s -i $KernelUnifiedImage.tmp -o $KernelUnifiedImage.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
-    	rm -f $KernelUnifiedImage.tmp
+	%pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 
     	if [ ! -s $KernelUnifiedImage.signed ]; then
 	   %{log_msg "pesigning failed"}
@@ -2681,15 +2671,6 @@ BuildKernel() {
     %{log_msg "Remove depmod files"}
     remove_depmod_files
 
-%if %{signmodules}
-    if [ $DoModules -eq 1 ]; then
-	%{log_msg "Save the signing keys for modules"}
-	# Save the signing keys so we can sign the modules in __modsign_install_post
-	cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
-	cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
-    fi
-%endif
-
     # Move the devel headers out of the root file system
     %{log_msg "Move the devel headers to RPM_BUILD_ROOT"}
     mkdir -p $RPM_BUILD_ROOT/usr/src/kernels
@@ -2722,24 +2703,29 @@ BuildKernel() {
     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     %{log_msg "Install certs"}
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    %ifarch x86_64 aarch64
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
-       install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
-       ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %else
-       install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %endif
+%if %{signkernel}
+    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
     %ifarch s390x ppc64le
-    if [ $DoModules -eq 1 ]; then
-	if [ -x /usr/bin/rpm-sign ]; then
-	    install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	else
-	    install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-	    openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	    chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
-	fi
+    if [ -x /usr/bin/rpm-sign ]; then
+        install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
     fi
     %endif
+%endif
+
+%if %{signmodules}
+    if [ $DoModules -eq 1 ]; then
+        # Save the signing keys so we can sign the modules in __modsign_install_post
+        cp certs/signing_key.pem certs/signing_key.pem.sign${Variant:++${Variant}}
+        cp certs/signing_key.x509 certs/signing_key.x509.sign${Variant:++${Variant}}
+        %ifarch s390x ppc64le
+        if [ ! -x /usr/bin/rpm-sign ]; then
+            install -m 0644 certs/signing_key.x509.sign${Variant:++${Variant}} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+            openssl x509 -in certs/signing_key.pem.sign${Variant:++${Variant}} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+            chmod 0644 $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+        fi
+        %endif
+    fi
+%endif
 
 %if %{with_ipaclones}
     %{log_msg "install IPA clones"}
@@ -3950,6 +3936,17 @@ fi\
 #
 #
 %changelog
+* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.55]
+- redhat: Use redhatsecureboot701 for ppc64le (Jan Stancek)
+- redhat: switch the kernel package to use certs from system-sb-certs (Jan Stancek)
+- redhat: replace redhatsecureboot303 signing key with redhatsecureboot601 (Jan Stancek)
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Jan Stancek)
+- redhat: correct file name of redhatsecurebootca1 (Jan Stancek)
+- redhat: align file names with names of signing keys for ppc and s390 (Jan Stancek)
+
+* Thu May 02 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.0106679839f7.54]
+- Linux v6.9.0-0.rc6.0106679839f7
+
 * Wed May 01 2024 Fedora Kernel Team <kernel-team@fedoraproject.org> [6.9.0-0.rc6.18daea77cca6.53]
 - redhat/configs: Enable CONFIG_DM_VDO in RHEL (Benjamin Marzinski)
 - redhat/configs: Enable DRM_NOUVEAU_GSP_DEFAULT everywhere (Neal Gompa)
diff --git a/redhatsecureboot003.cer b/redhatsecureboot003.cer
deleted file mode 100644
index 439b75bf3ae770d62b82116e68f58758e21f2444..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 829
zcmXqLVzxABVp3ed%*4pV#K~~)o6?a_AKRD=c-c6$+C196^D;7WvoaWH8EP1)u`!3T
zFbm5ErKTu&B$g-yrzV#cr7Ae(=a(orJ1Q6{Xe6bUBx)MSiSrto7#bKG0!d3F<0x@n
zV{=0TBU32XK;KZ;KpSF~3O2KXGt=`j^U@WJVForaDj~avk(GhDiIJbdpox)-sfm%1
zVehSlZ+rVhV}3A}dw3;G`>Fox(Z)>vK*^xGBPM+hXU|!(G3Hw1jEa9NpK>$onv+s@
z{7litVsAnApbrYux@TJ6yZy`7_0f!K9>*s<TVp4cSWbI5efq++dS@<3`_A2Kx6-Wd
z%<=fFTFW@@-cwJSUs}hsxnJ2;J40>ZmlqSV`9Eg&JYLjbGwmbSwzLD@iQh}kUaszo
zv%ED^!FclJ5A|zJUv~7)*`NB+o#|)ITlILaRGahhd>vCu?){#pH*vPB`H9y5j~xsC
zU475jq{Ok^+Qsfpbp5XV&m!hB<(2Lacyr!<=|rwakvfN;vogQ<l&{5-G0V`XpT+d7
zyvZ5=%BY#Wb7Q_TF*7nSE{-*bHsApUtE@01<9`+=0|o<b5RadQg_()H!9W(o;bReF
z5lKC|@6@x%tiL&hN0!exrrKMb&U(Q>9we>IB4HrbAkz5boqLSk+u!Gww(PsU?)K%{
zl+9Ym5dcgOzzASuNRzXb4K}{#cl^kg`?n+{yH@^xl&rn)Q)2R?Z*SeD3Yp$$z3(i4
z{I@Ohqdo7>yr0%<)!es#;$5q}INkbm?mTAxJ(<PxuPo)y|FPQF?Bat5u?o%;j-)0|
ze#9Rb$@RUXAbcmwN~7>Oo5L--``k_#<!t#pt={`X$Itplg%7(QiG1`{W$=)xd)k|-
z`?|<~lFR334=&tqT_NoCd*&$-o#_pe)h{dj$ko))*;)Q-WAfhG;J;o;DcmzwtP}i`
z*PDDrH1wEH$=CP=J9TttRki1Rh*N$0=f)8eW23c<SG+v~53$!z$bI$I$FVTwwY=tH
a`IJR+eEAF0XZFsJ*%3U~Kz5x`*d+j8DOXGY

diff --git a/redhatsecureboot401.cer b/redhatsecureboot401.cer
deleted file mode 100644
index 247666cfed1509cec37abc4e3beb0d49a61d5932..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 978
zcmXqLVm@ck#I$VzGZP~d6DPw$2luc;8yz1S@Un4gwRyCC=VfH%W@Ru)GZZrrVPg(u
z;o{*9N=;GlNG#D&@XSlrGt@9p1Bo;9$V0^yf>V=Ai&7Pw^7Bg+oE;TR6f}}jOA<8=
zl?)W%hH^5B2^Xg(C+4IUl{gforeq|R=q2ap8pw(B8W|Xv8CV)vnphf`Mv3zpTNoG`
zT0pr5xj5aSZ=efthZ;6_1ZSq_W#*+Tm>3w6;+!T%CFGD`WMyD(V&rEqXkz4IYGPz$
zxOt*a|83fydKaaIGdS`br5@fAZP+Q<vZqMkk#~smie)d-Ce$yLx1TMqQmQrQ#F5^D
z>zhyhu3D3pAj_6ey;znb{1R6v4^w+YXL^=W*1wx;c%<Ix_La<<S(!IMKfij#>gl2n
z1FI|#IrMK@dh+)3Dy_pm4PSCc-c336;PO0|bXSpc@wT}&yhZEe7doGJIluRemQY-9
z>E+g+U6&MhD5wO+U$`n1=jY89x6d-@+KLkPxuzSYG+ba}OM5Z%&o9=)K~BwwzgNf@
z?|XA@5|7W9YXQG)ztu6hNUoStUgPrO!NOjPf_>YfwIX+Yp4-s>Y6hRL>nC>Ihc{eL
zNJV`YIy|vh?I{y8BLm~&3WG8O9$?_h3NtePXJIm6FyI66_(41tW+wIq12GU^6~yN;
z;9}#@W@BV!WoKqKkOhhJv52vVtlRiS%*4?Aw^#j3C(#A_R_+YqRyL3aNh`BR7>G59
z1Wi1hdvwOJ&`V2yy=HB`b+~*(y9#pL08=S2ZWtM)xWBlB1V2CJm>yx(W50l_T%xJE
z<K_4F0gM`EDIc1(mpx)vYI+@i?mUO#h97)0g*ogO%UFDqNR7|mtl4#d|Ksl6<^A_x
z#;EVCx#QK5U2)zZAnD6@GiRlOZ8N1)WFoJ7Z1v^7a?U|{>CXwZujDe@ZqA*V`(3(J
z@20n#N4B8^kKT-br`H-MU0~ZMbynoh<=21S#%+z?wUl31=l&i(^)1OW<^}fcTD-~7
zDQ4p0@DnVzpKmM=+SVKs*Ss`W>dP9@3awRV-L9}QnXY(Wu&^Zan((Z*Oj{=ZQR1_G
s?puCAQ}bw)-tXvbpZ&fEs8-Dt*<M%Yz$9|zI$xZwae5{5<bW3n0PaR=tN;K2

diff --git a/redhatsecureboot501.cer b/redhatsecureboot501.cer
new file mode 100644
index 0000000000000000000000000000000000000000..dfa7afb4699f9da2610ccf889eac6269b4e368ad
GIT binary patch
literal 964
zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JW;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR
z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1
z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;ur#$aF^m%DHMTG?G_-(n4bpHr
zK*K-{;sAMU4hYUn&&$k9S1<({MvOa}7?qIy&dAEZ+{DPwV9><K#ni;e$guu=$oGnW
ze{{oo4vWd1n!$3g^ztl!_Wv4lt|gVP^V*bb`N;0x-qaiSXHHkmzWs6U{Jid~uVjQg
zS|4oqT*Lc+uD;qaYn_Hg^JFa_EuSZy?0Iy83a6;$&5WqJujk4gL%(Y6nYHpy@FtO-
zI~y5)_8s6+n=H%YpD8crt=~7@zh0G9QRPZ<dz0De%SPtcf3$e--Fk_&Kdvn~A$+=Z
zjOU^6zn^^Wte#r5CaJDwO8j%(=sWDELl$$aKKNU>?_b=fyaz_nMgbCq_4}%h&s@!!
ze1+-H$r$aU3#Wbib#?#k&uh{GYUM6Zj@vtn;gxywxjzdyRhQhFw_E3gr&3h2=~R{1
zj&**wnV1<F7#CL<lo{{<LtR#wk?}tZlL3PPABe{f;;}F@u{Riqf%vK*K92zx8;3R<
zBP%OAGqZs#NSu#Fj75a)p2Xa}PuW-5*w#BgITbU_UEMAhoR(yjStJa^8br?IFMY0&
zvCGqM^6b4C+!I~OX3g(MjvHXQ1jY>`gIDK=C)Q=HpH6<5w#musUBRX5*FRT%+S?q^
zlC!X|$Tr`#TvsL{<Y0K?+I^?zUePz-=pFj8T<x94=a+xmVxuemx>aXYvlkoIbiCkx
z5_D~Q*@8!%rFvVIJk+SN&YvaV#ohSi<j#kdYU%ve0*xzt6Mo$i_FKQ0FZk`5lqSjS
zx-&8V_J9BMIr_kdrLkp>!kzD4u!L^;lrQW*W7-1#!tQ%Ev()B&_RmzfDxh^SOyp9_
zQ{CMgMRQYpd7N(ray<%vF*_r`|Ig1qJ?keW%w>8X>p8K%ckRW_k5{=r91h)XDEdQO
n!11<!7-Rf#_4ogJ(r+uSeDnC`u02t&`}F@;ywy&4ViW)XFOYW9

literal 0
HcmV?d00001

diff --git a/redhatsecurebootca2.cer b/redhatsecurebootca2.cer
deleted file mode 100644
index 43502d6bce455d637e4008d57ac0a46136ed4393..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 872
zcmXqLVoot=V)9wQ%*4pV#L3V;Yf^YfR(_WOFB_*;n@8JsUPeZ4Rt5ttLk$BpHs(+k
zW?}iD)D#7e#1e(z)a25lR0XH}{1OFcM+GAVjil6)L`?%Zab81X0}De-14~0ALxU)B
zUSo40*BHtr$*d+uC1j^CvNA9?G4eAQG%<29H8C<W?024X?Bu~cpY%ofBBI>a&33Qa
z+%s9Zc=s~y8qpg(i!y`$cU^MUOcduWDY<;6Y08`RDssi2V>H&cGrfyWlDxyS_leN^
z>+#ICm5X=Z;E8&1s(tIDdtX#F9)8|!T{!hfpd!;Oqa<zt@3n!MFJ>=373Qy1yo*h@
zea8xcL&whC7h?Z^<w(Udxmf$=V<o)Xwg0`*`yFQOIMeuj*3q)x&*H7;WyLdXx1JFp
zVww18!IM3ermpI#m#TgUvt%uObBFt^r%49$+%7J~b^f=a(`+~JT|9V@>xM>;@1>t?
zGu0NFpDlU)nEkYplL5oM;>%t~j%XRUoZBF>Pe;c6R?Ef78}}F=+iK0k%*epFxUt8e
zvC}{n7(cRnEMhDojX&PG$Jo97eQs&XzU%95U#?BrtYr`dl2&F3HVACMs$iks5*<?F
zrU@yv@PNz~W??m8W@P-29AUt;1B@_62LAc8O*?Pi?{sOiDHf49!Rov1^liV^SC1q%
ztzPNJZ(*|gqi2e5$lW*ZPfm4T>Z5Mz9^I)@fAQ%22Td8dJF?m{>Wls{ZQj$kTehHK
z%NHA-;K^Gbgf|7p9bLv(XRxd0x%KP^ds-)G2LFsXwet?=tn>Zdi=Q!zy_Y??<*8xY
zqT7FD-?<)DIh*fh7@KOtl`Iq+&^g(|s<tf6#-A&l|5!@<w|`}#2hOQJ-cfbe@8zZm
zo`N58^u_jn{<7i^hlxnqlY%3UZbV(5(=1l=`)1Dc4XZoc!`Hg-vRt<Jn&xpw?pNFN
nqdSf2xz_|A=5VVFIQYQ#{*sdWm3JE&PE20>t-i4JEXQ8}?2KZ0

diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer
deleted file mode 100644
index 8cb32e68cb5e279e06ed153d983a12a48ee83e69..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 934
zcmXqLVqRp>#MHHbnTe5!iIZWneUz&}74u&MUN%mxHjlRNyo`+8tPBQehGGUHY|No7
zTs*u%sVNE`i6uG;o_Wc7h8hNHAaQ0Md8oKTaB6aCQL2JdetwC9v!jBEf<{tmNus8q
zl7Rx;P)<fM;o{Wf#GKTk5{IJHl#Ij@z2y8{137VCBLf3714{!7LvureC~;n63j;$#
z3n-Uv?r36ELJk5(RtDxKMt%l^CPpr%CPqevMcvAhZ2z_$Vb|D~;$L%Qv)W24)!2In
z&$e>4E1mup%v<JM&Hk9%?d2VzeKC2P?@T*(_xR@x%WUR0De`@<744g4@%-!7ZI6W?
zeweIQeQ3{y4wH55*ZAM;?Cd+ZiFJARo+BOe4sJiR`Q079brrLXoH;_BRr|lEPRVBJ
z`#tMJmJMUMz$7XD@OeJ71%6i)Etn#7V0H1tcLFAl6>~LqI?UCcc=F1xU9(Qz*dH3<
z;xHxUlIxTQ{ygpVd=rH~FFnQb>+-oruP@!dBke7{vF-ZPlZB2e=dUgcxmJJ2;N4?8
z-4nZd($*<OuiAV>cB6K~mXozc)fJJ!w-XH*toh{boDbz&qrFC*iJ6gsadEIgpn)tf
z_GS54#8^avCZ5hcI^$UArKP`Kvo_y4T)v@Q#Xue;t;`}}Al86g0Y6BAFeBrC7FGjh
zAcY+4z?26Jc18wq-K|VFZ)9&jCOzfw)7xIR|DN6(sveoyrSIwy=(VDStyZGkXW7Fq
zr_9$_Z@9k4ed2_x{W_)og{Q=)pY3}+!LMso!6M!M-Q9jw8TYCf<^Eht`Q75PCTnt0
z*Q2#+LDel=ch-yl=v`JcOZ)1ad_8fi1V1O;hle&Zd2X7NQLoakC6snm@X>{EmWfUA
z4Dy<@Z#+>cbuE_Dn*TCUYt1``-D%CcL#4~iy)P|zsULOCx7+O#FT3*{VR1*Uv?rTC
z*xBjEo{m_t@p+n=VCDI^1(Tv5uIKeW@7Kw#{qOjp;Ez2YXSNrgV=Q^}NFg-*#+^-p
ZB8NQ%Pc6IJ;<0bymc(4{X&?Uo0s!(NaBctq

diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f
GIT binary patch
literal 920
zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k
zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW<?}
zm~e4wa$-(uQHeuQYDz|8iC%Jku7R95uaSX)nSrH&g`ugjS(G@hv4w%5p#_vndj~Wz
zDj|ECk(GhDiIJbdpox)-sfm%1;oPoQj^Z+n3p+UXFTAqySFqmPd3*j?Ys@hSTEP8<
zf#2*zv*WjwCq+F|Q?70*n-_6VPwv(E$rjn}*LF=h`h($l`O@&r`;HrrOo-N1I9RfZ
zxvgQ_lF0WfJ6z&|9Ilj$E@Ww)^ZxU(`JeguueG>6NxP$#b?ru1p1aqn$3D)YB{Qqo
zjCvjz?|=HkE#3AN-xTZpws*U~)f@D<hHx*rr)(NEvzYZp!}C-TDRu*$;<gRCi<g-#
z^KFcsxIBILE9>Z{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({
zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOF<JVRuW=00a#lZ%F2C~5TmgQp+V-Y!%
zzx26A#x764$+P!na8Gn8n>D{5oE&78StJa^8n7$i2k94PWc<&<YQPMnkb@nV)_}pz
z$RPVX&M7PHOp)E}n3L-lp9;}?o3i@APVs%}E9D|KM%wramRy`J6~x-Y+I90o>xr*#
z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx
zk5XXYstAL9d+iK-w@u$FES<YPN5Z<$i*sS8`10oxUvmRDUKTjPckPLhB$Kz)rb~A;
z7pqN`Wn_C2lv%-c*}%nRLuvV$khM?pl$8F*{-4ao^K*vP9Lw!IjTb)uU|-JJoj<4R
z;o3irGXj>ybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw}
Pd!}BnFF!b8N6JS4>O*3Z

literal 0
HcmV?d00001

diff --git a/sources b/sources
index 865571442..53e51ee9f 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
 SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
 SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
-SHA512 (linux-6.9-rc6-46-g18daea77cca6.tar.xz) = 28182f5751197bd8c4f8864ef23751192c87ab74aeb67ce27a9ff46d18c5c44356dbcb18a96b1718a86bb81e5b75a01c7a231fc4110d28b4ef7255417dbc0de5
-SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = d946eea829385d66d7b7d230b9e10fd58f3c64c114bde938f6dd8c2c75162f9381ae34dd63e3f0c8ef54362a339943f5a980da8f6af995a8a766a40b4384886f
-SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 6c5c5a2476ebb9bd97901ec8d00c3dba574add657b7b8ad674cb78864e59ec03559ac44efd5c2c90bb710030b6f3768d4619429528730d52385279fbd95d57a3
+SHA512 (linux-6.9-rc6-53-g0106679839f7.tar.xz) = 0798fdc7320c948bc46d8643672e0eb5b5a80265732275df9c357f8f5e3d58a39f12a301f93012ddf8899278e489408cbe43745fd9c8505a29b8290c946eb633
+SHA512 (kernel-abi-stablelists-6.9.0.tar.xz) = eaa72b7a4ac8f73ffac589f68e52ba70c57adc9ba67ae03a7596c5d368d1143f40398e940fdd5d0e5e5ff64d89e4b2bbb5957e2def2a9cf6a8a8f54c577b19a8
+SHA512 (kernel-kabi-dw-6.9.0.tar.xz) = 1efc24c0f85efa363308ae6c1ca76cc58686478386a73f31df7c08b6c1a7caa067e0afc1d0fedd52d8764c6115d0b4c4f54ea16550bba77da69fdcae3671b097