From fbc93f939b1c352dd45543f475358d9434bd7a13 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Thu, 16 Jul 2020 13:04:04 -0500
Subject: [PATCH] Fix secure boot signing
Signed-off-by: Justin M. Forbes
---
 kernel.spec | 58 ++++++++++++++++++++++++++--------------
 redhatsecureboot301.cer | Bin 0 -> 899 bytes
 redhatsecureboot401.cer | Bin 0 -> 978 bytes
 redhatsecureboot501.cer | Bin 0 -> 964 bytes
 redhatsecurebootca1.cer | Bin 0 -> 977 bytes
 redhatsecurebootca4.cer | Bin 0 -> 934 bytes
 redhatsecurebootca5.cer | Bin 0 -> 920 bytes
 7 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 redhatsecureboot301.cer
 create mode 100644 redhatsecureboot401.cer
 create mode 100644 redhatsecureboot501.cer
 create mode 100644 redhatsecurebootca1.cer
 create mode 100644 redhatsecurebootca4.cer
 create mode 100644 redhatsecurebootca5.cer
diff --git a/kernel.spec b/kernel.spec
index 004ac6c94..91d1ea541 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -584,34 +584,44 @@
 Source10: x509.genkey.rhel
 Source11: x509.genkey.fedora
 %if %{?released_kernel}
-Source12: securebootca.cer
-Source13: secureboot.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source12: redhatsecurebootca5.cer
+Source13: redhatsecurebootca1.cer
+Source14: redhatsecureboot501.cer
+Source15: redhatsecureboot301.cer
+Source16: secureboot_s390.cer
+Source17: secureboot_ppc.cer
-%define secureboot_ca %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
 %ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot501
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot301
 %endif
 %ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE16}
+%define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE17}
+%define pesign_name_0 redhatsecureboot303
 %endif
 # released_kernel
 %else
-Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source12: redhatsecurebootca4.cer
+Source13: redhatsecurebootca2.cer
+Source14: redhatsecureboot401.cer
+Source15: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE12}
+%define secureboot_ca_1 %{SOURCE13}
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE15}
+%define pesign_name_1 redhatsecureboot003
 # released_kernel
 %endif
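Review bot: The new `secureboot_ca_0`/`_1`, `secureboot_key_0`/`_1` and `pesign_name_0`/`_1` pairs carry no comment saying what the two sets are, so a reader has to correlate them with the kernel-signing-ca-20200609 and kernel-signing-ca-20140212 file names used further down the spec. Note also that in the released_kernel branch `secureboot_ca_1` is defined for every arch while `secureboot_key_1` and `pesign_name_1` exist only inside `%ifarch x86_64 aarch64`, so a future `%{secureboot_key_1}` reference on s390x or ppc64le would be left unexpanded rather than fail loudly. A comment above the first `%define` would prevent both confusions, e.g. `# _0 = current CA/signing key; _1 = previous CA/key, used only for the second signature on x86_64/aarch64` (the "current/previous" reading is inferred from the 2020/2014 dates later in the spec and should be confirmed).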
@@ -1638,11 +1648,13 @@ BuildKernel() {
 fi
 %ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+ %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+ rm vmlinuz.tmp
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
- rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+ rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
 elif [ $DoModules -eq 1 ]; then
 chmod +x scripts/sign-file
 ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
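Review bot: The second `%pesign` consumes `vmlinuz.tmp` and the following `rm vmlinuz.tmp` deletes it without checking that the first `%pesign` actually produced it; unless the build script runs under `set -e` (not visible in this hunk), a failure in the first signing step is followed by two more errors on a missing file, which buries the real cause in the build log. A one-line guard between the two calls, `test -s vmlinuz.tmp || exit 1`, keeps the failure at the step that caused it. The `%pesign` macro is defined outside this file, so whether it already aborts on error cannot be confirmed here. BuildKernel() begins and ends outside the hunk.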
@@ -2045,11 +2057,17 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch x86_64 aarch64
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+ install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
 %ifarch s390x ppc64le
 if [ $DoModules -eq 1 ]; then
 if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
 else
 install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
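Review bot: The comment above the `mkdir` still describes a single "Red Hat UEFI Secure Boot CA cert", but the new `%ifarch x86_64 aarch64` branch now installs two CA certificates and makes `kernel-signing-ca.cer` a symlink, so anyone reading the installed kernel-keys directory to verify a kernel's signature chain will not learn from the comment that the legacy name is now a link rather than a file. Suggested replacement: `# Red Hat UEFI Secure Boot CA certs used to authenticate the kernel; on x86_64/aarch64 both the 20200609 and 20140212 CAs are installed and kernel-signing-ca.cer is a symlink to the 20200609 one`. The `ln -s` target is relative, which is correct since the link and the certificate live in the same directory. BuildKernel() continues outside the hunk.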
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer new file mode 100644 index 0000000000000000000000000000000000000000..20e660479db920c9af073ef60dfd52cfcd55ef35 GIT binary patch literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&ERoylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(3=Iv;4Gj!U4NRlNd5z71To3|r4T21H474EDDPy&+I5Ryj zGcTPKJDV7lkbT9-%D~*j$j@NV#K^_e#K_37NxkdnB-fbdAp)7dSWBPZtXrYb5w*C@ z@r&`BZ02)^7x}9-F_f-vdj9zHex2s374i`=>Kunka%XeJpYTcWnYOXcua#Nzv{P2r z{{KfRpNsxBUvPxw_cT2h+pJ?Ab^$YP&OhK@vBdbb{HgCD zgVUK-5>__PZZU-1nmGUR*MJSDB-cbvx6RHHnXKVwU9@H2#x6FkEt|?~dgtD8aoSb6 z`P$`cNzxNN-!l}2zMhj&w=>05mb+)gq|2XQRV^~E`;)lfwmuUxBLm~&Sc7N-9$?7J z3NtePXJIm6FyIF9_*qz(nb;c)WI-H07BLo)aL4})TlQq;>8I$gIMsYUAgZGz$Uq(> zt;`}}Al4w_Al4%0a?Yxeg@ctn?ZuBpb5eiAAV&Z&Spg$}kwNnVx9_f&sUPlII<6Po zwsYpDLfs|_*M8fGuUk4-m%YAz`?d3h%8P~vysm29RsQ!WK%@63*E zY;yV?ieH$Xp0GJ~>}cV)`v*$4n0`ogx_k24UDm?Lu%T{WiSI>r}MgeY{-MAm@j(GO|_ezzhSNC%m_dopoSNWyMX47EzS*y|} z3cr~?y=&H&a;tfp6V=Ai&7Pw^7Bg+oE;TR6f}}jOA<8= zl?)W%hH^5B2^Xg(C+4IUl{gforeq|R=q2ap8pw(B8W|Xv8CV)vnphf`Mv3zpTNoG` zT0pr5xj5aSZ=efthZ;6_1ZSq_W#*+Tm>3w6;+!T%CFGD`WMyD(V&rEqXkz4IYGPz$ zxOt*a|83fydKaaIGdS`br5@fAZP+Qzhyhu3D3pAj_6ey;znb{1R6v4^w+YXL^=W*1wx;c%gl2n z1FI|#IrMK@dh+)3Dy_pm4PSCc-c336;PO0|bXSpc@wT}&yhZEe7doGJIluRemQY-9 z>E+g+U6&MhD5wO+U$`n1=jY89x6d-@+KLkPxuzSYG+ba}OM5Z%&o9=)K~BwwzgNf@ z?|XA@5|7W9YXQG)ztu6hNUoStUgPrO!NOjPf_>YfwIX+Yp4-s>Y6hRL>nC>Ihc{eL zNJV`YIy|vh?I{y8BLm~&3WG8O9$?_h3NtePXJIm6FyI66_(41tW+wIq12GU^6~yN; z;9}#@W@BV!WoKqKkOhhJv52vVtlRiS%*4?Aw^#j3C(#A_R_+YqRyL3aNh`BR7>G59 z1Wi1hdvwOJ&`V2yy=HB`b+~*(y9#pL08=S2ZWtM)xWBlB1V2CJm>yx(W50l_T%xJE zCXwZujDe@ZqA*V`(3(J z@20n#N4B8^kKT-br`H-MU0~ZMbynoh<=21S#%+z?wUl31=l&i(^)1OW<^}fcTD-~7 zDQ4p0@DnVzpKmM=+SVKs*Ss`W>dP9@3awRV-L9}QnXY(Wu&^Zan((Z*Oj{=ZQR1_G s?puCAQ}bw)-tXvbpZ&fEs8-Dt*!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;ur#$aF^m%DHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1<({MvOa}7?qIy&dAEZ+{DPwV9>?_b=fyaz_nMgbCq_4}%h&s@!! 
ze1+-H$r$aU3#Wbib#?#k&uh{GYUM6Zj@vtn;gxywxjzdyRhQhFw_E3gr&3h2=~R{1 zj&**wnV1`gIDK=C)Q=HpH6<5w#musUBRX5*FRT%+S?q^ zlC!X|$Tr`#TvsL{aXYvlkoIbiCkx z5_D~Q*@8!%rFvVIJk+SN&YvaV#ohSi!kzD4u!L^;lrQW*W7-1#!tQ%Ev()B&_RmzfDxh^SOyp9_ zQ{CMgMRQYpd7N(ray<%vF*_r`|Ig1qJ?keW%w>8X>p8K%ckRW_k5{=r91h)XDEdQO n!11>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ literal 0 HcmV?d00001 
diff --git a/redhatsecurebootca4.cer b/redhatsecurebootca4.cer new file mode 100644 index 0000000000000000000000000000000000000000..8cb32e68cb5e279e06ed153d983a12a48ee83e69 GIT binary patch literal 934 zcmXqLVqRp>#MHHbnTe5!iIZWneUz&}74u&MUN%mxHjlRNyo`+8tPBQehGGUHY|No7 zTs*u%sVNE`i6uG;o_Wc7h8hNHAaQ0Md8oKTaB6aCQL2JdetwC9v!jBEf<{tmNus8q zl7Rx;P)4E1mup%v~LqI?UCcc=F1xU9(Qz*dH3< z;xHxUlIxTQ{ygpVd=rH~FFnQb>+-oruP@!dBke7{vF-ZPlZB2e=dUgcxmJJ2;N4?8 z-4nZd($*cB6K~mXozc)fJJ!w-XH*toh{boDbz&qrFC*iJ6gsadEIgpn)tf z_GS54#8^avCZ5hcI^$UArKP`Kvo_y4T)v@Q#Xue;t;`}}Al86g0Y6BAFeBrC7FGjh zAcY+4z?26Jc18wq-K|VFZ)9&jCOzfw)7xIR|DN6(sveoyrSIwy=(VDStyZGkXW7Fq zr_9$_Z@9k4ed2_x{W_)og{Q=)pY3}+!LMso!6M!M-Q9jw8TYCf<^Eht`Q75PCTnt0 z*Q2#+LDel=ch-yl=v`JcOZ)1ad_8fi1V1O;hle&Zd2X7NQLoakC6snm@X>{EmWfUA z4Dy<@Z#+>cbuE_Dn*TCUYt1``-D%CcL#4~iy)P|zsULOCx7+O#FT3*{VR1*Uv?rTC z*xBjEo{m_t@p+n=VCDI^1(Tv5uIKeW@7Kw#{qOjp;Ez2YXSNrgV=Q^}NFg-*#+^-p ZB8NQ%Pc6IJ;<0bymc(4{X&?Uo0s!(NaBctq literal 0 HcmV?d00001 diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer new file mode 100644 index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f GIT binary patch literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z literal 0 HcmV?d00001