Fix secure boot signing
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
parent
d09e44ea79
commit
fbc93f939b
58
kernel.spec
58
kernel.spec
@ -584,34 +584,44 @@ Source10: x509.genkey.rhel
|
||||
Source11: x509.genkey.fedora
|
||||
%if %{?released_kernel}
|
||||
|
||||
Source12: securebootca.cer
|
||||
Source13: secureboot.cer
|
||||
Source14: secureboot_s390.cer
|
||||
Source15: secureboot_ppc.cer
|
||||
Source12: redhatsecurebootca5.cer
|
||||
Source13: redhatsecurebootca1.cer
|
||||
Source14: redhatsecureboot501.cer
|
||||
Source15: redhatsecureboot301.cer
|
||||
Source16: secureboot_s390.cer
|
||||
Source17: secureboot_ppc.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%ifarch x86_64 aarch64
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot301
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot501
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot301
|
||||
%endif
|
||||
%ifarch s390x
|
||||
%define secureboot_key %{SOURCE14}
|
||||
%define pesign_name redhatsecureboot302
|
||||
%define secureboot_key_0 %{SOURCE16}
|
||||
%define pesign_name_0 redhatsecureboot302
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%define secureboot_key %{SOURCE15}
|
||||
%define pesign_name redhatsecureboot303
|
||||
%define secureboot_key_0 %{SOURCE17}
|
||||
%define pesign_name_0 redhatsecureboot303
|
||||
%endif
|
||||
|
||||
# released_kernel
|
||||
%else
|
||||
|
||||
Source12: redhatsecurebootca2.cer
|
||||
Source13: redhatsecureboot003.cer
|
||||
Source12: redhatsecurebootca4.cer
|
||||
Source13: redhatsecurebootca2.cer
|
||||
Source14: redhatsecureboot401.cer
|
||||
Source15: redhatsecureboot003.cer
|
||||
|
||||
%define secureboot_ca %{SOURCE12}
|
||||
%define secureboot_key %{SOURCE13}
|
||||
%define pesign_name redhatsecureboot003
|
||||
%define secureboot_ca_0 %{SOURCE12}
|
||||
%define secureboot_ca_1 %{SOURCE13}
|
||||
%define secureboot_key_0 %{SOURCE14}
|
||||
%define pesign_name_0 redhatsecureboot401
|
||||
%define secureboot_key_1 %{SOURCE15}
|
||||
%define pesign_name_1 redhatsecureboot003
|
||||
|
||||
# released_kernel
|
||||
%endif
|
||||
@ -1638,11 +1648,13 @@ BuildKernel() {
|
||||
fi
|
||||
|
||||
%ifarch x86_64 aarch64
|
||||
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
|
||||
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||||
rm vmlinuz.tmp
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
|
||||
elif [ $DoModules -eq 1 ]; then
|
||||
chmod +x scripts/sign-file
|
||||
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
|
||||
@ -2045,11 +2057,17 @@ BuildKernel() {
|
||||
|
||||
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||||
install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%ifarch x86_64 aarch64
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
||||
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
||||
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%else
|
||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
%endif
|
||||
%ifarch s390x ppc64le
|
||||
if [ $DoModules -eq 1 ]; then
|
||||
if [ -x /usr/bin/rpm-sign ]; then
|
||||
install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
else
|
||||
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
|
||||
|
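Review bot: In the x86_64/aarch64 signing step of BuildKernel (the two chained `%pesign` calls through `vmlinuz.tmp`), nothing confirms that `vmlinuz.signed` ends up carrying both signatures. If the second invocation replaced the first signature instead of appending to it, the build would presumably still succeed and ship a kernel that verifies under only one of the two CAs. A check after the second call would catch this, for example listing the signatures with `pesign -S -i vmlinuz.signed` and failing the build unless two are reported. Separately, the install hunk hard-codes `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer`, while the non-released branch maps `secureboot_ca_0`/`secureboot_ca_1` to `redhatsecurebootca4.cer`/`redhatsecurebootca2.cer`, so the date-stamped names may not describe the certificates actually installed there; a comment such as `# dated names refer to the released CAs; confirm they fit the non-released CAs` would help anyone validating a kernel against these files. BuildKernel's body starts and ends outside the hunks shown.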
BIN
redhatsecureboot301.cer
Normal file
BIN
redhatsecureboot301.cer
Normal file
Binary file not shown.
BIN
redhatsecureboot401.cer
Normal file
BIN
redhatsecureboot401.cer
Normal file
Binary file not shown.
BIN
redhatsecureboot501.cer
Normal file
BIN
redhatsecureboot501.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca1.cer
Normal file
BIN
redhatsecurebootca1.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca4.cer
Normal file
BIN
redhatsecurebootca4.cer
Normal file
Binary file not shown.
BIN
redhatsecurebootca5.cer
Normal file
BIN
redhatsecurebootca5.cer
Normal file
Binary file not shown.