From: Bruno Meneguele <[email protected]> redhat: add secureboot CA certificate to trusted kernel keyring
This patch is a forward-port from what we already have in RHEL-8 kernels and should also be done in RHEL-9 to avoid unexpected failures on customers. Add the secure boot key certificate to the trusted kernel keyring (.builtin_trusted_keys) to allow the placement of the kernel signing key (shipped with the distro) in other kernel trusted keyrings, i.e. .ima trusted keyring. The need for adding the secure boot CA cert in the trusted kernel keyring exists only for arches without UEFI support which don't support adding certs to .platform_keyring and, consequently, can't add our own kernel image signing key to trusted keyrings. The biggest usage of that is for loading signed kernel images during kexec/kdump process in arches that depends on the IMA infrastructure to check the signatures, which has the ability to verify appended signatures instead of the UEFI PE format. Said arches are PowerPC and S390X. Cc: Justin M. Forbes <[email protected]> Cc: Herton R. Krzesinski <[email protected]> Cc: Patrick Talbert <[email protected]> Signed-off-by: Bruno Meneguele <[email protected]> diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -1422,6 +1422,10 @@ done openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem +%ifarch s390x ppc64le +openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem +cat secureboot.pem >> ../certs/rhel.pem +%endif for i in *.config; do sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i done -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1235 _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
