Fix secure boot signing

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Justin M. Forbes 2020-07-16 13:04:04 -05:00
parent d09e44ea79
commit fbc93f939b
7 changed files with 38 additions and 20 deletions


@ -584,34 +584,44 @@ Source10: x509.genkey.rhel
Source11: x509.genkey.fedora Source11: x509.genkey.fedora
%if %{?released_kernel} %if %{?released_kernel}
Source12: securebootca.cer Source12: redhatsecurebootca5.cer
Source13: secureboot.cer Source13: redhatsecurebootca1.cer
Source14: secureboot_s390.cer Source14: redhatsecureboot501.cer
Source15: secureboot_ppc.cer Source15: redhatsecureboot301.cer
Source16: secureboot_s390.cer
Source17: secureboot_ppc.cer
%define secureboot_ca %{SOURCE12} %define secureboot_ca_0 %{SOURCE12}
%define secureboot_ca_1 %{SOURCE13}
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
%define secureboot_key %{SOURCE13} %define secureboot_key_0 %{SOURCE14}
%define pesign_name redhatsecureboot301 %define pesign_name_0 redhatsecureboot501
%define secureboot_key_1 %{SOURCE15}
%define pesign_name_1 redhatsecureboot301
%endif %endif
%ifarch s390x %ifarch s390x
%define secureboot_key %{SOURCE14} %define secureboot_key_0 %{SOURCE16}
%define pesign_name redhatsecureboot302 %define pesign_name_0 redhatsecureboot302
%endif %endif
%ifarch ppc64le %ifarch ppc64le
%define secureboot_key %{SOURCE15} %define secureboot_key_0 %{SOURCE17}
%define pesign_name redhatsecureboot303 %define pesign_name_0 redhatsecureboot303
%endif %endif
# released_kernel # released_kernel
%else %else
Source12: redhatsecurebootca2.cer Source12: redhatsecurebootca4.cer
Source13: redhatsecureboot003.cer Source13: redhatsecurebootca2.cer
Source14: redhatsecureboot401.cer
Source15: redhatsecureboot003.cer
%define secureboot_ca %{SOURCE12} %define secureboot_ca_0 %{SOURCE12}
%define secureboot_key %{SOURCE13} %define secureboot_ca_1 %{SOURCE13}
%define pesign_name redhatsecureboot003 %define secureboot_key_0 %{SOURCE14}
%define pesign_name_0 redhatsecureboot401
%define secureboot_key_1 %{SOURCE15}
%define pesign_name_1 redhatsecureboot003
# released_kernel # released_kernel
%endif %endif
@ -1638,11 +1648,13 @@ BuildKernel() {
fi fi
%ifarch x86_64 aarch64 %ifarch x86_64 aarch64
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
rm vmlinuz.tmp
%endif %endif
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then if [ -x /usr/bin/rpm-sign ]; then
rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@ -2045,11 +2057,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch x86_64 aarch64
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif
%ifarch s390x ppc64le %ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then if [ -x /usr/bin/rpm-sign ]; then
install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
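Review bot: On s390x/ppc64le the file shipped as kernel-signing-ca.cer silently changes from securebootca.cer to redhatsecurebootca5.cer (Source12 in the released branch) while the certs those arches sign with — secureboot_s390.cer/secureboot_ppc.cer via redhatsecureboot302/303 — are unchanged, and nothing in the spec confirms that the shipped CA actually issued the signing cert a user would verify against it; the same question applies to the new x86_64/aarch64 pairs (ca5 with 501, ca1 with 301). A cheap build-time guard next to the install lines would catch a mismatched pair before it ships, e.g. `openssl x509 -inform der -in %{secureboot_ca_0} -out ca0.pem`, `openssl x509 -inform der -in %{secureboot_key_0} -out key0.pem`, `openssl verify -CAfile ca0.pem key0.pem` (assuming the .cer files are DER, as the `-outform der` conversion on the last line suggests; the older 2014 chain may need a no-time-check option if any cert in it has expired). The header comment at the top of the hunk still says "CA cert" in the singular even though x86_64/aarch64 now install two and repoint the unsuffixed name; suggest `# Red Hat UEFI Secure Boot CA certs used to authenticate the kernel; x86_64/aarch64 ship both the 2020 and 2014 CAs, and kernel-signing-ca.cer is a symlink to the 2020 one`. BuildKernel starts and ends outside the hunk.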

BIN
redhatsecureboot301.cer Normal file

Binary file not shown.

BIN
redhatsecureboot401.cer Normal file

Binary file not shown.

BIN
redhatsecureboot501.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca1.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca4.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca5.cer Normal file

Binary file not shown.