kernel-4.18.0-479.el8

* Sat Mar 18 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-479.el8]
- redhat: add centos signing certs (Denys Vlasenko)
- redhat: fix "make rh-brew" not choosing _scratch_ build (Denys Vlasenko)
- mfd: intel-lpss: Add Intel Meteor Lake-P PCI IDs (Prarit Bhargava) [2156843]
Resolves: rhbz#2156843, rhbz#2153936, rhbz#2179095

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
This commit is contained in:
Denys Vlasenko 2023-03-18 18:15:21 +01:00
parent 9eca8a6d9f
commit 9f46c15088
4 changed files with 29 additions and 8 deletions

BIN
centossecureboot201.cer Normal file

Binary file not shown.

BIN
centossecurebootca2.cer Normal file

Binary file not shown.

View File

@ -446,15 +446,26 @@ Source9: x509.genkey
%define signing_key_filename kernel-signing-s390.cer %define signing_key_filename kernel-signing-s390.cer
%endif %endif
%if 0%{?centos}
Source10: centossecurebootca2.cer
Source13: centossecureboot201.cer
%define secureboot_ca_0 %{SOURCE10}
%define secureboot_key_0 %{SOURCE13}
%define pesign_name_0 centossecureboot201
%else
Source10: redhatsecurebootca3.cer Source10: redhatsecurebootca3.cer
Source11: redhatsecurebootca5.cer #UNUSED, delete file after confirming it works:
#Source11: redhatsecurebootca5.cer
Source13: redhatsecureboot501.cer Source13: redhatsecureboot501.cer
Source14: redhatsecureboot302.cer Source14: redhatsecureboot302.cer
Source15: redhatsecureboot303.cer Source15: redhatsecureboot303.cer
Source16: redhatsecurebootca7.cer Source16: redhatsecurebootca7.cer
%define secureboot_ca_0 %{SOURCE10} %define secureboot_ca_0 %{SOURCE10}
%define secureboot_ca_1 %{SOURCE11} # TODO: secureboot_ca_2 is only for ppc64le on rhel -
# why doesn't it just define secureboot_ca_0 differently
# instead of using this separate _ca_2 variable?
# This would simplify some really nasty "if" blocks
%define secureboot_ca_2 %{SOURCE16} %define secureboot_ca_2 %{SOURCE16}
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
@ -471,6 +482,7 @@ Source16: redhatsecurebootca7.cer
%define secureboot_key_0 %{SOURCE15} %define secureboot_key_0 %{SOURCE15}
%define pesign_name_0 redhatsecureboot701 %define pesign_name_0 redhatsecureboot701
%endif %endif
%endif
Source17: mod-blacklist.sh Source17: mod-blacklist.sh
Source18: mod-sign.sh Source18: mod-sign.sh
@ -1158,6 +1170,7 @@ done
%endif %endif
# Add DUP and kpatch certificates to system trusted keys for RHEL # Add DUP and kpatch certificates to system trusted keys for RHEL
%if 0%{?rhel}
%if %{signkernel}%{signmodules} %if %{signkernel}%{signmodules}
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
@ -1170,6 +1183,7 @@ for i in *.config; do
sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
done done
%endif %endif
%endif
cp %{SOURCE42} . cp %{SOURCE42} .
./process_configs.sh -w -c %{name} %{rpmversion} %{?cross_opts} ./process_configs.sh -w -c %{name} %{rpmversion} %{?cross_opts}
@ -1740,11 +1754,15 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%if 0%{?rhel}
%ifarch ppc64le %ifarch ppc64le
install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else %else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif %endif
%else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then if [ -x /usr/bin/rpm-sign ]; then
@ -2688,7 +2706,10 @@ fi
# #
# #
%changelog %changelog
* Fri Mar 17 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-479.el8] * Sat Mar 18 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-479.el8]
- redhat: add centos signing certs (Denys Vlasenko)
- redhat: fix "make rh-brew" not choosing _scratch_ build (Denys Vlasenko)
- mfd: intel-lpss: Add Intel Meteor Lake-P PCI IDs (Prarit Bhargava) [2156843]
- x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936] - x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
- redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095] - redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
- redhat: delete unused script and file (Denys Vlasenko) [2179095] - redhat: delete unused script and file (Denys Vlasenko) [2179095]

View File

@ -1,3 +1,3 @@
SHA512 (linux-4.18.0-479.el8.tar.xz) = 869dedc389501dc314ff6a50c3550956e29bbb205b4db33c0c19f9fdc044aaaf2f9e71a8cec30de32487ff55a37f9de2cd188b44d53f19ec1f9fbae15864ded2 SHA512 (linux-4.18.0-479.el8.tar.xz) = 3f1cd8c8c2b2a48bf7509fbf137f66e0685e5e911b8775b4588f77aaa825a456fbbf568e261c3802a193fee70b2f063cce384ceb6ba54d051960c44d3570631b
SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = dba639a523d927e581d1df43b0b94024a42692f2be79a5e827b3ab971395ac25e7738eba848dc537baec3b7eabdec707ab3fbed9e01e262ecb47bcf544fa4f66 SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = 6696893e336830ea1c7108e69f72704dc884507a355f87a545e03ac0ad6046490f264d7a1c1ab159fad2b4714f04b81817a1794064c52cca2265aadfb381b729
SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e91527cddef81a7b0e90403b890ca444975ff0f59aae5b99e93ffc187b3e8031e4e09cacaed4d667d25eaa149919b08580f9132e5684229f15d03e21b988439a SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e4acc8a0d2babc3874870a8ff95917dc5741b897f32a9e4b6475430d5da3c1a8f75b194961d1c3054ae9a0dff7751e5f25ea4c6228d69a0ae604f5283cfd9ca6