Fix secure boot signing
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
parent
d09e44ea79
commit
fbc93f939b
58
kernel.spec
58
kernel.spec
|
@ -584,34 +584,44 @@ Source10: x509.genkey.rhel
|
|||
Source11: x509.genkey.fedora
|
||||
%if %{?released_kernel}
|
||||
|
||||
Source12: securebootca.cer
|
||||
Source13: secureboot.cer
|
||||
Source14: secureboot_s390.cer
|
||||
Source15: secureboot_ppc.cer
|
||||
Source12: redhatsecurebootca5.cer
|
||||
Source13: redhatsecurebootca1.cer
|
||||
Source14: redhatsecureboot501.cer
|
||||
Source15: redhatsecureboot301.cer
|
||||
Source16: secureboot_s390.cer
|
||||
Source17: secureboot_ppc.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%ifarch x86_64 aarch64
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot301
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot501
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot301
|
||||
%endif
|
||||
%ifarch s390x
|
||||
%define secureboot_key %{SOURCE14}
|
||||
%define pesign_name redhatsecureboot302
|
||||
%define secureboot_key_0 %{SOURCE16}
|
||||
%define pesign_name_0 redhatsecureboot302
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define secureboot_key %{SOURCE15}
|
||||
%define pesign_name redhatsecureboot303
|
||||
%define secureboot_key_0 %{SOURCE17}
|
||||
%define pesign_name_0 redhatsecureboot303
|
||||
%endif
|
||||
|
||||
# released_kernel
|
||||
%else
|
||||
|
||||
Source12: redhatsecurebootca2.cer
|
||||
Source13: redhatsecureboot003.cer
|
||||
Source12: redhatsecurebootca4.cer
|
||||
Source13: redhatsecurebootca2.cer
|
||||
Source14: redhatsecureboot401.cer
|
||||
Source15: redhatsecureboot003.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot003
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot401
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot003
|
||||
|
||||
# released_kernel
|
||||
%endif
|
||||
|
@ -1638,11 +1648,13 @@ BuildKernel() {
|
|||
fi
|
||||
|
||||
%ifarch x86_64 aarch64
|
||||
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
|
||||
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||||
rm vmlinuz.tmp
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
elif [ $DoModules -eq 1 ]; then
|
||||
chmod +x scripts/sign-file
|
||||
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
|
||||
|
@ -2045,11 +2057,17 @@ BuildKernel() {
|
|||
|
||||
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||||
install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%ifarch x86_64 aarch64
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
||||
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
||||
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%else
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
else
|
||||
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
|
|
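Review bot: In the non-released `%else` branch of the first hunk, `pesign_name_0` and `secureboot_key_0` are defined for every architecture as `redhatsecureboot401` and `%{SOURCE14}`, and the s390x/ppc64le path in BuildKernel() now passes `%{pesign_name_0}` to `rpm-sign --key` and installs `%{secureboot_key_0}` as the signing key file. As the page renders it, those builds previously used `redhatsecureboot003`, so the key that signs s390x and ppc64le non-released kernels appears to change as a side effect of the x86_64/aarch64 dual-signing work. If that is not intended, the `%else` branch needs `%ifarch`-specific defines like the released branch has. If it is intended, a comment above the defines such as `# non-released: s390x/ppc64le sign with key _0 only; x86_64/aarch64 sign with _0 then _1` would make the choice explicit. BuildKernel() starts and ends outside the hunks shown.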
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.