From 9eca8a6d9f4a434bce3786d03e453c1fc6a6476e Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Fri, 17 Mar 2023 17:01:33 +0100
Subject: [PATCH] kernel-4.18.0-479.el8
* Fri Mar 17 2023 Denys Vlasenko [4.18.0-479.el8]
- x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
- redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
- redhat: delete unused script and file (Denys Vlasenko) [2179095]
- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Denys Vlasenko) [2179095]
- redhat: align file names with names of signing keys for ppc and s390 (Denys Vlasenko) [2179095]
Resolves: rhbz#2153936, rhbz#2179095
Signed-off-by: Denys Vlasenko
---
 kernel.spec | 41 ++++++++----------
 redhatsecureboot301.cer | Bin 899 -> 0 bytes
 ...reboot_s390.cer => redhatsecureboot302.cer | Bin
 secureboot_ppc.cer => redhatsecureboot303.cer | Bin
 sources | 6 +--
 5 files changed, 22 insertions(+), 25 deletions(-)
 mode change 100755 => 100644 kernel.spec
 delete mode 100644 redhatsecureboot301.cer
 rename secureboot_s390.cer => redhatsecureboot302.cer (100%)
 rename secureboot_ppc.cer => redhatsecureboot303.cer (100%)
diff --git a/kernel.spec b/kernel.spec
old mode 100755
new mode 100644
index 7ac958e17..cf13b2d1a
--- a/kernel.spec
+++ b/kernel.spec
@@ -12,7 +12,7 @@
 # change below to w4T.xzdio):
 %define _binary_payload w3T.xzdio
-%global distro_build 478
+%global distro_build 479
 # Sign the x86_64 kernel for secure boot authentication
 %ifarch x86_64 aarch64 s390x ppc64le
@@ -38,10 +38,10 @@
 # define buildid .local
 %define rpmversion 4.18.0
-%define pkgrelease 478.el8
+%define pkgrelease 479.el8
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 478%{?dist}
+%define specrelease 479%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -448,10 +448,9 @@ Source9: x509.genkey
 Source10: redhatsecurebootca3.cer
 Source11: redhatsecurebootca5.cer
-Source12: redhatsecureboot301.cer
 Source13: redhatsecureboot501.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot303.cer
 Source16: redhatsecurebootca7.cer
 %define secureboot_ca_0 %{SOURCE10}
@@ -459,10 +458,8 @@ Source16: redhatsecurebootca7.cer
 %define secureboot_ca_2 %{SOURCE16}
 %ifarch x86_64 aarch64
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 redhatsecureboot301
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot501
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
@@ -572,6 +569,7 @@ Provides: %{name}-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 Requires(pre): %{kernel_prereq}\
 Requires(pre): %{initrd_prereq}\
 Requires(pre): linux-firmware >= 20200619-99.git3890db36\
+Requires(pre): grub2 >= 2.02-99\
 Requires(preun): systemd >= 200\
 Conflicts: xfsprogs < 4.3.0-1\
 Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
@@ -1316,9 +1314,7 @@ BuildKernel() {
 fi
 %ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
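Review bot: The only remaining x86_64/aarch64 signing certificate, `redhatsecureboot501` (`%{SOURCE13}`), is now paired with `secureboot_ca_0`, whereas before this change it was passed together with `secureboot_ca_1`. The context line `%define secureboot_ca_0 %{SOURCE10}` is unchanged, so the `-a` argument of the single `%pesign` call in the -1316 hunk and the `kernel-signing-ca.cer` installed in the -1744 hunk both still come from `redhatsecurebootca3.cer`. Nothing visible here shows which CA issued the 501 certificate, so please confirm that this pair is a real issuer/leaf chain (the `sources` change is not shown and may settle it). A comment above the define, such as `# secureboot_key_0 must be issued by secureboot_ca_0 (<CA name>)`, would keep the pairing from drifting again. `secureboot_ca_1` also appears to have no remaining user in the visible hunks.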
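Review bot: `Requires(pre): grub2 >= 2.02-99\` in the -572 hunk is added to the shared package macro with no `%ifarch` guard, so it applies to every architecture and flavour the macro expands for, including s390x, which the signing hunks handle separately from the PE-signed arches. This dependency appears to be the only guard against installing a singly-signed kernel on a system whose boot chain cannot verify it, so it is worth confirming that a package provides the name `grub2` at that version on each arch. If the intent is only that an already-installed bootloader must be new enough, `Conflicts: grub2 < 2.02-99\` would express that without pulling a bootloader into images that have none. A short comment stating why 2.02-99 is the floor would help future rebases. The macro body starts and ends outside the hunk.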
@@ -1744,16 +1740,10 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch ppc64le
+ install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %else
- %ifarch ppc64le
- install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
 %ifarch s390x ppc64le
 if [ $DoModules -eq 1 ]; then
@@ -2698,6 +2688,13 @@ fi
 #
 #
 %changelog
+* Fri Mar 17 2023 Denys Vlasenko [4.18.0-479.el8]
+- x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
+- redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
+- redhat: delete unused script and file (Denys Vlasenko) [2179095]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Denys Vlasenko) [2179095]
+- redhat: align file names with names of signing keys for ppc and s390 (Denys Vlasenko) [2179095]
+
 * Thu Mar 16 2023 Denys Vlasenko [4.18.0-478.el8]
 - net/tunnel: wait until all sk_user_data reader finish before releasing the sock (Hangbin Liu) [2176344]
 - powerpc/pseries: unregister VPA when hot unplugging a CPU (Mamatha Inamdar) [2143007]
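Review bot: The dated file names `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer` disappear from x86_64/aarch64 packages in the -1744 hunk with no compatibility link. Any tooling or documentation that verifies a kernel against one of those paths will stop finding its trust anchor after this update; if such consumers exist, keeping a symlink for the CA that is still shipped would avoid that. The comment above the block still describes a single "UEFI Secure Boot CA cert" although the branch now only separates ppc64le from every other arch. A line such as `# ppc64le ships secureboot_ca_2; all other arches ship secureboot_ca_0` would make clear which CA ends up in `kernel-signing-ca.cer`. `BuildKernel()` starts and ends outside the hunk.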
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer deleted file mode 100644 index 20e660479db920c9af073ef60dfd52cfcd55ef35..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&ERoylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(3=Iv;4Gj!U4NRlNd5z71To3|r4T21H474EDDPy&+I5Ryj zGcTPKJDV7lkbT9-%D~*j$j@NV#K^_e#K_37NxkdnB-fbdAp)7dSWBPZtXrYb5w*C@ z@r&`BZ02)^7x}9-F_f-vdj9zHex2s374i`=>Kunka%XeJpYTcWnYOXcua#Nzv{P2r z{{KfRpNsxBUvPxw_cT2h+pJ?Ab^$YP&OhK@vBdbb{HgCD zgVUK-5>__PZZU-1nmGUR*MJSDB-cbvx6RHHnXKVwU9@H2#x6FkEt|?~dgtD8aoSb6 z`P$`cNzxNN-!l}2zMhj&w=>05mb+)gq|2XQRV^~E`;)lfwmuUxBLm~&Sc7N-9$?7J z3NtePXJIm6FyIF9_*qz(nb;c)WI-H07BLo)aL4})TlQq;>8I$gIMsYUAgZGz$Uq(> zt;`}}Al4w_Al4%0a?Yxeg@ctn?ZuBpb5eiAAV&Z&Spg$}kwNnVx9_f&sUPlII<6Po zwsYpDLfs|_*M8fGuUk4-m%YAz`?d3h%8P~vysm29RsQ!WK%@63*E zY;yV?ieH$Xp0GJ~>}cV)`v*$4n0`ogx_k24UDm?Lu%T{WiSI>r}MgeY{-MAm@j(GO|_ezzhSNC%m_dopoSNWyMX47EzS*y|} z3cr~?y=&H&a;tfp6