From 1ee03d7941b72178f82de9ec47efa9974d6c888d Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Tue, 11 Nov 2025 11:23:12 +0000
Subject: [PATCH] Update for 5.14.0-611.5.1.el9_7

---
 config.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/config.yaml b/config.yaml
index 5e2f0ab..1062fed 100644
--- a/config.yaml
+++ b/config.yaml
@@ -84,7 +84,7 @@ actions:
               %define pesign_name_0 centossecureboot201
               %else
               %ifarch x86_64 aarch64
-              %define pesign_name_0 redhatsecureboot501
+              %define pesign_name_0 redhatsecureboot801
               %endif
               %ifarch s390x
               %define pesign_name_0 redhatsecureboot302
@@ -181,6 +181,10 @@ actions:
         find: "UKI_secureboot_name=redhatsecureboot504"
         replace: "UKI_secureboot_name=alsecureboot001"
         count: 1
+      - target: "spec"
+        find: "UKI_secureboot_cert=%{SOURCE153}"
+        replace: "UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer"
+        count: 1
       - target: "spec"
         find: "# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel"
         replace: "# AlmaLinux UEFI Secure Boot CA cert, which can be used to authenticate the kernel"
@@ -434,6 +438,9 @@ actions:
                 if [ "$KernelExtension" == "gz" ]; then
                     gzip -f9 $SignImage
                 fi
+          - |
+            # Temporary use redhatsecureboot504 for x86 UKI, see RHEL-122230
+            Source153: redhatsecureboot504.cer
 
   - run_script:
       - script: "copy_ppc64le_config.sh"