[OS-BUILD PATCH] redhat: drop certificates that were deprecated after GRUB's BootHole flaw

Herton R. Krzesinski (via Email Bridge) Fri, 20 Aug 2021 12:52:01 -0700

From: Herton R. Krzesinski <[email protected]>

redhat: drop certificates that were deprecated after GRUB's BootHole flaw


Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994849

Since newer RHEL should already have newer enough grub versions, we don't
need anymore to keep signing the kernel for secure boot with older keys for
compatibility with older grub.

The second signature also causes problems because the upstream kernel so
far does not support checking more than one signature as reported on bug
above, where kexec signature checking can fail in a secure boot enabled
environment. More than one signature requires that we patch the kernel
for it to work, but we don't need that now since we can drop the second
signature.

Signed-off-by: Herton R. Krzesinski <[email protected]>

diff --git a/redhat/Makefile b/redhat/Makefile
index blahblah..blahblah 100644
--- a/redhat/Makefile
+++ b/redhat/Makefile
@@ -277,10 +277,10 @@ sources-rh: $(TARBALL) generate-testpatch-tmp 
setup-source dist-configs-check
                README.rst \
                $(SOURCES)/
        @if [ "$(RELEASED_KERNEL)" -ne 0 ]; then \
-               cp keys/redhatsecureboot{301,501,ca5,ca1}.cer $(SOURCES)/; \
+               cp keys/redhatsecureboot{501,ca5}.cer $(SOURCES)/; \
                cp keys/secureboot_{ppc,s390}.cer $(SOURCES)/; \
        else \
-               cp keys/redhatsecureboot{003,401,ca2,ca4}.cer $(SOURCES)/; \
+               cp keys/redhatsecureboot{401,ca4}.cer $(SOURCES)/; \
        fi
        @for KABIARCH in $(ARCH_LIST); do \
                cp kabi/Module.kabi_$$KABIARCH $(SOURCES)/; \
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -690,26 +690,21 @@ Source9: x509.genkey.fedora
 %if %{?released_kernel}
 
 Source10: redhatsecurebootca5.cer
-Source11: redhatsecurebootca1.cer
-Source12: redhatsecureboot501.cer
-Source13: redhatsecureboot301.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
+Source11: redhatsecureboot501.cer
+Source12: secureboot_s390.cer
+Source13: secureboot_ppc.cer
+
+%define secureboot_ca_0 %{SOURCE10}
 %ifarch x86_64 aarch64
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot501
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
-%define secureboot_key_0 %{SOURCE14}
+%define secureboot_key_0 %{SOURCE12}
 %define pesign_name_0 redhatsecureboot302
 %endif
 %ifarch ppc64le
-%define secureboot_key_0 %{SOURCE15}
+%define secureboot_key_0 %{SOURCE13}
 %define pesign_name_0 redhatsecureboot303
 %endif
 
@@ -717,16 +712,11 @@ Source15: secureboot_ppc.cer
 %else
 
 Source10: redhatsecurebootca4.cer
-Source11: redhatsecurebootca2.cer
-Source12: redhatsecureboot401.cer
-Source13: redhatsecureboot003.cer
-
-%define secureboot_ca_1 %{SOURCE10}
-%define secureboot_ca_0 %{SOURCE11}
-%define secureboot_key_1 %{SOURCE12}
-%define pesign_name_1 redhatsecureboot401
-%define secureboot_key_0 %{SOURCE13}
-%define pesign_name_0 redhatsecureboot003
+Source11: redhatsecureboot401.cer
+
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE11}
+%define pesign_name_0 redhatsecureboot401
 
 # released_kernel
 %endif
@@ -1630,9 +1620,7 @@ BuildKernel() {
     fi
 
     %ifarch x86_64 aarch64
-    %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c 
%{secureboot_key_0} -n %{pesign_name_0}
-    %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c 
%{secureboot_key_1} -n %{pesign_name_1}
-    rm vmlinuz.tmp
+    %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c 
%{secureboot_key_0} -n %{pesign_name_0}
     %endif
     %ifarch s390x ppc64le
     if [ -x /usr/bin/rpm-sign ]; then
@@ -2097,13 +2085,7 @@ BuildKernel() {
 
     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the 
kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    %ifarch x86_64 aarch64
-       install -m 0644 %{secureboot_ca_0} 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
-       install -m 0644 %{secureboot_ca_1} 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
-       ln -s kernel-signing-ca-20200609.cer 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %else
-       install -m 0644 %{secureboot_ca_0} 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %endif
+    install -m 0644 %{secureboot_ca_0} 
$RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
     %ifarch s390x ppc64le
     if [ $DoModules -eq 1 ]; then
        if [ -x /usr/bin/rpm-sign ]; then
diff --git a/redhat/keys/redhatsecureboot003.cer 
b/redhat/keys/redhatsecureboot003.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot003.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot003.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecureboot301.cer 
b/redhat/keys/redhatsecureboot301.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecureboot301.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecureboot301.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecurebootca1.cer 
b/redhat/keys/redhatsecurebootca1.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca1.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecurebootca1.cer and /dev/null differ
diff --git a/redhat/keys/redhatsecurebootca2.cer 
b/redhat/keys/redhatsecurebootca2.cer
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/keys/redhatsecurebootca2.cer
+++ /dev/null
Binary files a/redhat/keys/redhatsecurebootca2.cer and /dev/null differ

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1321
_______________________________________________
kernel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[OS-BUILD PATCH] redhat: drop certificates that were deprecated after GRUB's BootHole flaw

Reply via email to