Fix secure boot signing

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
This commit is contained in:
Justin M. Forbes 2020-07-16 13:04:04 -05:00
parent d09e44ea79
commit fbc93f939b
7 changed files with 38 additions and 20 deletions

View File

@ -584,34 +584,44 @@ Source10: x509.genkey.rhel
Source11: x509.genkey.fedora
%if %{?released_kernel}
Source12: securebootca.cer
Source13: secureboot.cer
Source14: secureboot_s390.cer
Source15: secureboot_ppc.cer
Source12: redhatsecurebootca5.cer
Source13: redhatsecurebootca1.cer
Source14: redhatsecureboot501.cer
Source15: redhatsecureboot301.cer
Source16: secureboot_s390.cer
Source17: secureboot_ppc.cer
%define secureboot_ca %{SOURCE12}
%define secureboot_ca_0 %{SOURCE12}
%define secureboot_ca_1 %{SOURCE13}
%ifarch x86_64 aarch64
%define secureboot_key %{SOURCE13}
%define pesign_name redhatsecureboot301
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot501
%define secureboot_key_1 %{SOURCE15}
%define pesign_name_1 redhatsecureboot301
%endif
%ifarch s390x
%define secureboot_key %{SOURCE14}
%define pesign_name redhatsecureboot302
%define secureboot_key_0 %{SOURCE16}
%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
%define secureboot_key %{SOURCE15}
%define pesign_name redhatsecureboot303
%define secureboot_key_0 %{SOURCE17}
%define pesign_name_0 redhatsecureboot303
%endif
# released_kernel
%else
Source12: redhatsecurebootca2.cer
Source13: redhatsecureboot003.cer
Source12: redhatsecurebootca4.cer
Source13: redhatsecurebootca2.cer
Source14: redhatsecureboot401.cer
Source15: redhatsecureboot003.cer
%define secureboot_ca %{SOURCE12}
%define secureboot_key %{SOURCE13}
%define pesign_name redhatsecureboot003
%define secureboot_ca_0 %{SOURCE12}
%define secureboot_ca_1 %{SOURCE13}
%define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot401
%define secureboot_key_1 %{SOURCE15}
%define pesign_name_1 redhatsecureboot003
# released_kernel
%endif
@ -1638,11 +1648,13 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
rm vmlinuz.tmp
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@ -2045,11 +2057,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%ifarch x86_64 aarch64
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}

BIN
redhatsecureboot301.cer Normal file

Binary file not shown.

BIN
redhatsecureboot401.cer Normal file

Binary file not shown.

BIN
redhatsecureboot501.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca1.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca4.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca5.cer Normal file

Binary file not shown.