From e47d112754d7779034dae64a08ba5b0a5f1e5092 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 8 Dec 2025 13:49:10 +0300 Subject: [PATCH] Import OL kernel-6.12.0-124.16.1.el10_1 --- .gitignore | 6 +- Makefile.rhelver | 2 +- kernel.changelog | 25 ++++++++ kernel.spec | 126 ++++++++++++++++++++++++++-------------- olima1.x509 | Bin 0 -> 1465 bytes olimaca1.x509 | Bin 0 -> 1470 bytes olkmod_signing_key.pem | 24 ++++++++ olkmod_signing_key1.pem | 35 +++++++++++ sources | 6 +- x509.genkey.rhel | 6 +- 10 files changed, 178 insertions(+), 52 deletions(-) create mode 100644 olima1.x509 create mode 100644 olimaca1.x509 create mode 100644 olkmod_signing_key.pem create mode 100644 olkmod_signing_key1.pem diff --git a/.gitignore b/.gitignore index 0a8bc8853..b54ead673 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ fedoraimaca.x509 -kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz -kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz -linux-6.12.0-124.13.1.el10_1.tar.xz +kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz +kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz +linux-6.12.0-124.16.1.el10_1.tar.xz nvidiagpuoot001.x509 redhatsecureboot501.cer redhatsecureboot504.cer diff --git a/Makefile.rhelver b/Makefile.rhelver index 8e589ff8e..4d1bff452 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.13.1 +RHEL_RELEASE = 124.16.1 # # RHEL_REBASE_NUM diff --git a/kernel.changelog b/kernel.changelog index d580b1189..ca10061f6 100644 --- a/kernel.changelog +++ b/kernel.changelog @@ -1,3 +1,28 @@ +* Sat Nov 22 2025 CKI KWF Bot [6.12.0-124.16.1.el10_1] +- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759] +- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883} +Resolves: RHEL-119161, RHEL-125759 + +* Thu Nov 20 2025 CKI KWF Bot [6.12.0-124.15.1.el10_1] +- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (CKI Backport Bot) [RHEL-125623] {CVE-2025-38724} +- wifi: mt76: free pending offchannel tx frames on wcid cleanup (Jose Ignacio Tornos Martinez) [RHEL-123070] +- wifi: mt76: do not add non-sta wcid entries to the poll list (Jose Ignacio Tornos Martinez) [RHEL-123070] +- wifi: mt76: fix linked list corruption (Jose Ignacio Tornos Martinez) [RHEL-123070] {CVE-2025-39918} +Resolves: RHEL-123070, RHEL-125623 + +* Wed Nov 19 2025 CKI KWF Bot [6.12.0-124.14.1.el10_1] +- ublk: make sure ubq->canceling is set when queue is frozen (Ming Lei) [RHEL-99436] {CVE-2025-22068} +- e1000e: fix heap overflow in e1000_set_eeprom (Corinna Vinschen) [RHEL-123127] {CVE-2025-39898} +- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123811] +- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123811] {CVE-2025-39968} +- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123811] {CVE-2025-39969} +- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123811] {CVE-2025-39970} +- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123811] {CVE-2025-39971} +- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123811] {CVE-2025-39972} +- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123811] {CVE-2025-39973} +- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123689] +Resolves: RHEL-123127, RHEL-123689, RHEL-123811, RHEL-99436 + * Thu Nov 13 2025 CKI KWF Bot [6.12.0-124.13.1.el10_1] - NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623] - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623] diff --git a/kernel.spec b/kernel.spec index 47c7223c5..ea1e2f6b0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -98,7 +98,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 aarch64 s390x ppc64le +%define secure_boot_arch x86_64 s390x ppc64le %endif # Signing for secure boot authentication @@ -176,15 +176,15 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 124.13.1 +%define pkgrelease 124.16.1 %define kversion 6 -%define tarfile_release 6.12.0-124.13.1.el10_1 +%define tarfile_release 6.12.0-124.16.1.el10_1 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 124.13.1%{?buildid}%{?dist} +%define specrelease 124.16.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 6.12.0-124.13.1.el10_1 +%define kabiversion 6.12.0-124.16.1.el10_1 # If this variable is set to 1, a bpf selftests build failure will cause a # fatal kernel package build error @@ -717,6 +717,8 @@ Requires: ((%{name}-modules-extra-uname-r = %{KVERREL}) if %{name}-modules-extra Provides: installonlypkg(kernel) %endif +Provides: oracle(kernel-sig-key) == 202502 +Conflicts: shim-x64 < 15.8-1.0.6 # # List the packages used during the kernel build @@ -881,8 +883,6 @@ BuildRequires: tpm2-tools %if 0%{?rhel}%{?centos} && !0%{?eln} %if 0%{?centos} BuildRequires: centos-sb-certs >= 9.0-23 -%else -BuildRequires: redhat-sb-certs >= 9.4-0.1 %endif %endif %endif @@ -902,42 +902,11 @@ Source10: redhatsecurebootca5.cer Source13: redhatsecureboot501.cer %if %{signkernel} -# Name of the packaged file containing signing key -%ifarch ppc64le -%define signing_key_filename kernel-signing-ppc.cer -%endif -%ifarch s390x -%define signing_key_filename kernel-signing-s390.cer -%endif -# Fedora/ELN pesign macro expects to see these cert file names, see: -# https://github.com/rhboot/pesign/blob/main/src/pesign-rpmbuild-helper.in#L216 -%if 0%{?fedora}%{?eln} -%define pesign_name_0 redhatsecureboot501 -%define secureboot_ca_0 %{SOURCE10} -%define secureboot_key_0 %{SOURCE13} -%endif - -# RHEL/centos certs come from system-sb-certs -%if 0%{?rhel} && !0%{?eln} %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%if 0%{?centos} -%define pesign_name_0 centossecureboot201 -%else -%ifarch x86_64 aarch64 -%define pesign_name_0 redhatsecureboot801 -%endif -%ifarch s390x -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define pesign_name_0 redhatsecureboot701 -%endif -%endif -# rhel && !eln -%endif +%define pesign_name_0 OracleLinuxSecureBootKey3 # signkernel %endif @@ -1018,7 +987,10 @@ Source102: nvidiagpuoot001.x509 Source103: rhelimaca1.x509 Source104: rhelima.x509 Source105: rhelima_centos.x509 -Source106: fedoraimaca.x509 +# Oracle Linux IMA CA certificate +Source106: olimaca1.x509 +# Oracle Linux IMA signing certificate +Source107: olima1.x509 %if 0%{?fedora}%{?eln} %define ima_ca_cert %{SOURCE106} @@ -1033,9 +1005,11 @@ Source106: fedoraimaca.x509 %define ima_signing_cert %{SOURCE105} %else %define ima_signing_cert %{SOURCE104} +%define ima_signing_cert_ol %{SOURCE107} %endif %define ima_cert_name ima.cer +%define ima_cert_name_ol ima_ol.cer Source200: check-kabi @@ -1106,6 +1080,10 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml +# Oracle Linux RHCK Module Signing Key +Source5001: olkmod_signing_key.pem +Source5002: olkmod_signing_key1.pem + ## Patches needed for building this package %if !%{nopatches} @@ -1953,6 +1931,8 @@ ApplyOptionalPatch() mv linux-%{tarfile_release} linux-%{KVERREL} cd linux-%{KVERREL} +#removal of git history +rm -rf .git cp -a %{SOURCE1} . %{log_msg "Start of patch applications"} @@ -2079,6 +2059,13 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem +# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list +openssl x509 -inform der -in %{SOURCE106} -out olimaca1.pem +cat olimaca1.pem >> ../certs/rhel.pem +# Add olkmod_signing_key.pem to the kernel trusted certificates list +cat %{SOURCE5001} >> ../certs/rhel.pem +# Add olkmod_signing_key1.pem to the kernel trusted certificates list +cat %{SOURCE5002} >> ../certs/rhel.pem # rhelkeys %endif %if %{signkernel} @@ -2103,7 +2090,7 @@ done %if 0%{?rhel} %{log_msg "Adjust FIPS module name for RHEL"} for i in *.config; do - sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux %{rhel} - Kernel Cryptographic API"/' $i + sed -i 's/CONFIG_CRYPTO_FIPS_NAME=.*/CONFIG_CRYPTO_FIPS_NAME="Oracle Linux 10 Kernel Crypto API Cryptographic Module"/' $i done %endif @@ -2756,6 +2743,22 @@ BuildKernel() { SBATsuffix="rhel" %endif %endif + SBAT=$(cat <<- EOF + linux,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com + linux.$SBATsuffix,1,Red Hat,linux,$KernelVer,mailto:secalert@redhat.com + linux.ol,1,Oracle Linux,linux,$KernelVer,mailto:secalert_us@oracle.com + kernel-uki-virt.$SBATsuffix,1,Red Hat,kernel-uki-virt,$KernelVer,mailto:secalert@redhat.com + kernel-uki-virt.ol,1,Oracle Linux,kernel-uki-virt,$KernelVer,mailto:secalert_us@oracle.com + EOF + ) + + ADDONS_SBAT=$(cat <<- EOF + sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md + kernel-uki-virt-addons.$SBATsuffix,1,Red Hat,kernel-uki-virt-addons,$KernelVer,mailto:secalert@redhat.com + EOF + ) + KernelUnifiedImageDir="$RPM_BUILD_ROOT/lib/modules/$KernelVer" KernelUnifiedImage="$KernelUnifiedImageDir/$InstallName-virt.efi" KernelUnifiedInitrd="$KernelUnifiedImageDir/$InstallName-virt.img" @@ -2782,6 +2785,7 @@ BuildKernel() { python3 %{SOURCE151} %{SOURCE152} $KernelAddonsDirOut virt %{primary_target} %{_target_cpu} @uki-addons.sbat %if %{signkernel} +%if ! %{?oraclelinux} %{log_msg "Sign the EFI UKI kernel"} %if 0%{?fedora}%{?eln} %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} @@ -2813,6 +2817,7 @@ BuildKernel() { cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer # signkernel +%endif %endif # hmac sign the UKI for FIPS @@ -2979,7 +2984,7 @@ BuildKernel() { # prune junk from kernel-debuginfo find $RPM_BUILD_ROOT/usr/src/kernels -name "*.mod.c" -delete - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # UEFI Secure Boot CA cert, which can be used to authenticate the kernel %{log_msg "Install certs"} mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} @@ -2994,6 +2999,8 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} + # Oracle Linux IMA signing cert + install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} @@ -4349,6 +4356,41 @@ fi\ # # %changelog +* Mon Dec 01 2025 Craig Guiller [6.12.0-124.16.1.el10_1.OL10] +- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782] +- Disable UKI signing [Orabug: 36571828] +- Update Oracle Linux certificates (Kevin Lyons) +- Disable signing for aarch64 (Ilya Okomin) +- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] +- Update x509.genkey [Orabug: 24817676] +- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 +- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] +- Add Oracle Linux IMA certificates +- Update module name for cryptographic module [Orabug: 37400433] +- Clean git history at setup stage + +* Sat Nov 22 2025 CKI KWF Bot [6.12.0-124.16.1.el10_1] +- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759] +- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883} + +* Thu Nov 20 2025 CKI KWF Bot [6.12.0-124.15.1.el10_1] +- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (CKI Backport Bot) [RHEL-125623] {CVE-2025-38724} +- wifi: mt76: free pending offchannel tx frames on wcid cleanup (Jose Ignacio Tornos Martinez) [RHEL-123070] +- wifi: mt76: do not add non-sta wcid entries to the poll list (Jose Ignacio Tornos Martinez) [RHEL-123070] +- wifi: mt76: fix linked list corruption (Jose Ignacio Tornos Martinez) [RHEL-123070] {CVE-2025-39918} + +* Wed Nov 19 2025 CKI KWF Bot [6.12.0-124.14.1.el10_1] +- ublk: make sure ubq->canceling is set when queue is frozen (Ming Lei) [RHEL-99436] {CVE-2025-22068} +- e1000e: fix heap overflow in e1000_set_eeprom (Corinna Vinschen) [RHEL-123127] {CVE-2025-39898} +- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123811] +- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123811] {CVE-2025-39968} +- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123811] {CVE-2025-39969} +- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123811] {CVE-2025-39970} +- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123811] {CVE-2025-39971} +- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123811] {CVE-2025-39972} +- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123811] {CVE-2025-39973} +- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123689] + * Thu Nov 13 2025 CKI KWF Bot [6.12.0-124.13.1.el10_1] - NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623] - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623] diff --git a/olima1.x509 b/olima1.x509 new file mode 100644 index 0000000000000000000000000000000000000000..6c018b4f2cd493161d452ff3ed153aec4f229e1f GIT binary patch literal 1465 zcmXqLV%=)c#5{KaGZP~dlOV%g^NeTzbG*|Csn~QH?=4;IZ;Q!GcQ@sP|iRGB+bkt3YGTsbyO(MOwY^A zOIL7qG*mTEhMUOAC?-~%nw*%ET2vBWTI`SyHc&4)Ki5D`oY%bPExS?u^V|b*Q6bI6kK7gN*zDPpc(n!n3Jx!rR~wo8w`P*; zqLrmV=TffcS=(NJ#9RK|?}GI8wNq`*Sk7B=S5(_RATsNAs^PwKA@ZH23G->X|3%xJ&?{Z#lDKz=8!R5oG&-1QoGX8AO)Xr3x_4o>#awvPLV^!Sc zn8132qZ__)_Fp+>y87+HW2NUeNB>jWb9BcM8QDFDFDM*wpW*v(9%FYd_ujghSCmb^ zP8I3zGwZb1kT2R~QERt;)3@n?os~^zD>1U&ZlhUH-2yW7Xx=yVFj|GCKI2`1r|(t-iqd%7e`5Z42d( zH@a3_`RM&JOzo1oPMuAZ@yjRq8GCPv^VJ^xx`(?x+T&?oi=AtnMIoOuXYyrYW@KPo9BUA5zynNgvcimv|5=y}7!0^UJbo4yW+wIqa8i`zV-aH! zk*pGrzS^(FZ5nj)(|v&>2WBa)J82*fQmf1&VIbBZvglK1*@DOxrv6$fPnLBeFP>yP z4Ma|Wz)T2CfQ$^*mS4Re`2Dr^@RgRE5~lzAkkiRS&0b0>|F?_vO->0d)A-dL5x6-xB%qOI)?b)D7Hi$7dg0v7#pQa&=?%ejUzDt3&q9IvEgk zO1XW8JO7r%^rm$(vol_rB=;`aWuFo@qjl2zrST`34HMQSIWEcHq`T^g>w@>^BDmc@ zuzLkKiJm>zbo71R%v#$A|98H4y?v7H+3(Y1tzv#~eCfT`{@HXMr>OeO|Hm$M-1=<6 zlT)&5+LX4&l>JGv2Kw2H7(aGdd!0<0E&jtbV$PG--ko=MW>|@tbLEAr%i1?4?%1;L z)`Z>af(}P@WF~d0OGHWKFZ)pDcjt6VubStwkSDw^v}U%d9dLMZ=}+N~Kj{-ypSM2x zWtwwvV%d3F?z=xC1pOYaxpz1yS82s$!JFOA+m%@ud?wI!hTI$8CRMBKF+z8qeW|0Kel44#+-8c=^eyW7V@-r~IdHwuIcAWx-Og zMj`I|(@$$9p6EL3Y&y4~W5H>$6Px+xMt+?4Rh>uS!nA235{Jc7MOXUfPO(|=@Rn@j z)Q)u-5;eh$m0V0`_pW-kUt{k1MIU~PJve*&Z0m)G_dWhR3+K9^QGWL9yp+ujlX4Gm l7;(RzfBxajDu*9+cSKWoRZXmqU3T8d>b|0FPprwxe*mEjZ}b2F literal 0 HcmV?d00001 diff --git a/olimaca1.x509 b/olimaca1.x509 new file mode 100644 index 0000000000000000000000000000000000000000..ac2034f2da7922a3e7971ff4c5c9642df8e37b7f GIT binary patch literal 1470 zcmXqLV%=rX#Jp$$GZP~dlOV%g^NeTzbG*|Csn~QH?=4;IZ;Q!GcQ@sP|iRGB+bkt3YGTsbyO(MOwY^A zOIL7qG*mTEhMUOAC?-~%nw*%ET2vBWTI`SyHc&4)Ki5D`oY%g%RRn+9k&p8eGnmxc7RGnBwK#Zs>J;NOVpQdy_%EK`(~ML;n%})SEg<8+F3t2iTh#Gx*gn?WVsgpTY7#| z16RF8>PP>oANk!+*3EQdXZ|qVZ{l{TbQqdQY4L$$C9H@@!5k* zGIMt%mMk#8JgL@af~sJ!>f@IGS2w($G3|}Q$pxP+?0??-WtDy~$<#af7xOKV2diDP z7$)p>nf;&tXmLdUl9-P543`!gskg9qEouIjPMK`+b*(_?(mn~Uwaqn@KlM+WCznSu1cjqg%;QNMEt3-9rI)8j$ zFFf1e!qL2^Q^*uRQO{%O8K4m>C%u z7bhDe8t?;?y{s@J<9`-b17;v)zy}iG2MMqMGZ&kIEQrs?BE}-J=u>Ceg2)!8{#q$d zmUSX8o@6`?G>`{LE3-%#h&5nWfSMD5$&ituSSZS~btRdtz=J zMh)+7-JG}JYT$-r{|>D_;mUYUC`q$u!n2mePVyzwzDWwjo7Nqu-niWVSrh-U|4a?s zMGXS2OeM3Q9j`fZ=hC_p-wrL&x0!rn{wq1hd6#W>9KP?%B(8SDJb97R`D7vXpPmeg zDz9Gt)~?+1H2F=S#FXg|BX#QXY}0Rk{P!xPKH0Lw?#Wr3ub~%?t@ZHG@eU7K^KW&n zS6tn_wcW>}{{H>!`jc^1bE~wEPyO4Y9C!bC4rAgrj&R;!injy*ZQ=g6Z&`Or<6=m#_ zcOT2n_i$y%Jj{OM?BTXw49AwL>HIfvvzW`#68Js%Dd)RWZybNPuZXG8?>Sfp07Rx| AYybcN literal 0 HcmV?d00001 diff --git a/olkmod_signing_key.pem b/olkmod_signing_key.pem new file mode 100644 index 000000000..7a51daf16 --- /dev/null +++ b/olkmod_signing_key.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIJANw8y5k9b7SaMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT +aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh +Y2xlIExpbnV4MS0wKwYDVQQDDCRPcmFjbGUgTGludXggUkhDSyBNb2R1bGUgU2ln +bmluZyBLZXkwHhcNMTYwNTA5MjMzNjA4WhcNMjYwNTA3MjMzNjA4WjCBnjELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFzAVBgNVBAcMDlJlZHdvb2Qg +U2hvcmVzMRswGQYDVQQKDBJPcmFjbGUgQ29ycG9yYXRpb24xFTATBgNVBAsMDE9y +YWNsZSBMaW51eDEtMCsGA1UEAwwkT3JhY2xlIExpbnV4IFJIQ0sgTW9kdWxlIFNp +Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6bUDNNZ +jIqgsqgspwBIQ18keDxQeGnWgubZZhHrQU3GpeSRPM4lNTHc+UjMjNXrv/CENZdv +4cETRsxT1VFhGG3CvkbQdzc8v4JOQvWSSJqmViPa1eC+yGaMRnGcFXzKsHiTLA4y +WMjpJnVowFkwTzscRBlN0AysUg/hT/74DE0oqVnlCJNynqccNWpx8MtNRD55ay9A +73yJinYES14rXcU3QbJoO0ZxtRz83ZACDUGX0GORT3+NbB0RK0sttogzA3eLvxKw +umWsWZAHmTuHdWgUjSqqZr34VNLPVcsTHAW8X4bq6rRVcB2lMJ3kJfDP8BJyTn99 +37UmA+/ld47cnwIDAQABo1AwTjAdBgNVHQ4EFgQU3ZlbFVwZs6fD73cHuWniX5Y5 +Zm4wHwYDVR0jBBgwFoAU3ZlbFVwZs6fD73cHuWniX5Y5Zm4wDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAF7nfhWfsk4uEDquLj7nJE0wPlVvllVDugzOk +R15pnQ7P+HTyz3sLaLJE4N5oWt6pFzDGDYEtPeoMCn1l447tX179Nf5SMZba9ut8 +3Vxbe7jAn9sQO7ArQR1swf1r101Me4+1oHq7rxPRizOOXrKeEvf5NSAUbSzzXfz6 +TEp21KTIQO7MjqpsKshRQbpPeiReaYy3A6gJftun5xekP04QTLZVBR4dL7tvZf0S +y9SjVg158lONXHfjBekyYTzSFBn/7v+AS8S+cAGRfYteE0Syxl7zJt3GUoEWau/e +kXHT+hd/hkdSQKZZWZo1380M1pVZZAvntLRBU6IN9SswafhiVg== +-----END CERTIFICATE----- diff --git a/olkmod_signing_key1.pem b/olkmod_signing_key1.pem new file mode 100644 index 000000000..b99afba7a --- /dev/null +++ b/olkmod_signing_key1.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGBjCCA+6gAwIBAgIUf99zHRXkhhuQepjkXdIfz1kNGiwwDQYJKoZIhvcNAQEL +BQAwgZ4xKTAnBgNVBAMMIE9yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyBDQSAx +MQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRswGQYDVQQKDBJP +cmFjbGUgQ29ycG9yYXRpb24xGzAZBgNVBAsMEk9yYWNsZSBDb3Jwb3JhdGlvbjET +MBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yNTA1MDIwOTIzNDFaFw0zNjA0MTIyMTEw +MjlaMGcxLDAqBgNVBAMMI09yYWNsZSBMaW51eCBEcml2ZXIgU2lnbmluZyAoa2V5 +IDEpMQswCQYDVQQGEwJ1czEVMBMGA1UEBwwMUmVkd29vZCBDaXR5MRMwEQYDVQQI +DApDYWxpZm9ybmlhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5dMQ +z4EwgCYLrxJCYTn0H5yncdJREDgAgkne3nQAmtJjfcoKNqRxieK5j1KjloF3Qvjt +c5gITvjpne1UrHTodPF9qpJrFieDPb9+CMUGg/R/gk20PofKa5+DhTMyeIEpBOa7 +P6/OdCGiwaGI85Js6JMnNX2YKerehKB44zVfiNmddn7T/3y2QFFNj3VH62tC4XNt +wZLCHnnO0JzOcZht5KA1JsITSLkT6/o//SZLpaNSAQkkanymdvszV5b0PDu4A0Fi +5Ch41Akset2kAlpRoRBaVVdNhqKDyzsGRFyzHD57EyyY4M6H3yh2T6SPPOTUOKgn +tcBfnFuijl2K/d87cnky1v1XzrvZqLzRz11ksLmZrUHZZ3PWfq2EndG8OiO4PdcF +sF4nd20yuUywW4nj5iZT5h6f8P06C62ILe+dJWNzpGm6JgyYvTnHoUXjoQR+TLs/ +WY1l1N2uf3lc5rkof4g+Ckh/6uI1k5XfyHIzw8Z9wEOliUvHXq/8TVZ653IMmfC8 +gIrIMNOXONMdG7ReTnsr9z7ckv/dYKbW1gWtyY8o92N3dLuYb8MpfvCHkVF5ItUR +52ay2wOQ1tDlfLUiU21yiglyW4rKanH6mrLd4mM8cphnPvRpZ9SM0qykwHrNqKOA +m9p0AwIf1zmUL6boX/Xd+6zM2HAXOPMS1EGjA6MCAwEAAaNyMHAwDAYDVR0TAQH/ +BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYE +FDUwOWM0ZjZkYmZjMGUyODhjOGM4MB8GA1UdIwQYMBaAFGM2NDkzM2I4OWUzNTYw +ZmVhNWQzMA0GCSqGSIb3DQEBCwUAA4ICAQAmZbUs5P2HGRHt4W/QhGyfxxa/Go8K +6a1VZlh71OURsbQ42ZDCfrYgw8LtDPqx7ySlUlkjDcc7ZvRh6RzLyn+ARIohhKNH +PpEzIpOGm5P4zqY9R36STRSgCDl9iCNlk8pGKzqEIT+aCaZUWF+7NcFgePFDuN9W +FX5tXhxEqqn8rmvGMQ3ZtodxIJb6ksKz6j/JWnuvcD4EgI1ykyc8MAtIm2/qVmPQ +IofwXo6yL6ygT5K7cMsrte4EbzrHvuhuz89RHDmwmgB6XmZCWBOGYrO7lza2Yx0C +/m4LcUHPW6XgrtkvIcLST90Ng9fp8EQl7Rp3med0K83kdwKUt7Ju9aPze049tuTQ +QoHsIHDgsExK4wXUayHNgNNr8lMFm42gTB2DqP9F/Ihq7YhIdfXbOsVdS38Il9+Y +8RWI87H+0mAxsv2RnaNkEbmd+2vY9j1ebHyblN59mxDEY+h3W7v402ay01Ia2Lnw +szOAPq6AKZdfi0nan6zunurwEGKGeF4+Gr42RlA0Pcu1ZltBQVuMhvkO1wKZ5vO6 +MNR7swI0fH6VsyUms8wQbR85MCJg0MhpzRKw0g0Ka+c4nF1c4EmU4GaIbCNfzJy+ +68wdJDHhX+sbD7+AJBQ9i6TmtbPIGKNDHh9cMIXs+jMRtia/ZCYEsOOO5B+xrawF +JuZ4rgQv9ghmhQ== +-----END CERTIFICATE----- diff --git a/sources b/sources index b9f84f4b4..4cfc8c13c 100644 --- a/sources +++ b/sources @@ -1,7 +1,7 @@ SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e -SHA512 (kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz) = b2c34f15b031eed04293dcd89835e0746f2bbeeceda04b586208400a7bab7d064d4e20926b6942d2a69a6bb632f96a2a21a2cd4b8748aa7a960df463cdf5b5c4 -SHA512 (kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz) = b38176c673e473a06debdef9941242f2017d0503a08e74d7d8608f0dab5b6fe6b577d4009db5d6b5e8425e4aa55c961b01eb8fb72409729c8a578b7381e15b92 -SHA512 (linux-6.12.0-124.13.1.el10_1.tar.xz) = 47bc53b098c71cc54de781f01213c1c3b35c331f4b3da678ff7377938a761ea124eb980748f16df83b10bc083307ca405ac27d48924da269b1090a80b56d8958 +SHA512 (kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz) = 54e465b309293c077574d471cd8d90f940acb310259487fa5eb5fd17805db402d38b5bf807d5a63b663c4db7425aec1009cc322c1114ef8f75073305b31b529a +SHA512 (kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz) = 3a0f5bdc5d4da217879ad9130dfe2820a120d3e6c80581e50db08f5213a5de6ee475be126bdac827d76afafcb8ff4d0648539d0a5bfba5a098dbeb8825bf265f +SHA512 (linux-6.12.0-124.16.1.el10_1.tar.xz) = c960227a79319864f9934f28072dcfee635b50e7e0a85c634e117ff5772d99fc44a0f4a872bf97d0f37c6b60fb2ca71ad662e12c60b93bf6c0b9142f29d9a8e690a80b56d8958 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9 diff --git a/x509.genkey.rhel b/x509.genkey.rhel index b1bbe387f..5b7056d65 100644 --- a/x509.genkey.rhel +++ b/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = Oracle America, Inc.,c=US +CN = Oracle CA Server +emailAddress = support@oracle.com [ myexts ] basicConstraints=critical,CA:FALSE