61 lines
2.2 KiB
Diff
61 lines
2.2 KiB
Diff
|
From 67f8052f553191686b1224b5598d00ff33d38608 Mon Sep 17 00:00:00 2001
|
||
|
From: Dorian Stoll <dorian.stoll@tmsp.io>
|
||
|
Date: Sat, 13 May 2023 16:39:50 +0200
|
||
|
Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
|
||
|
|
||
|
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
||
|
---
|
||
|
redhat/kernel.spec.template | 15 +++++++++------
|
||
|
1 file changed, 9 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
|
||
|
index 51f43b21b018..76d1ad8e2818 100644
|
||
|
--- a/redhat/kernel.spec.template
|
||
|
+++ b/redhat/kernel.spec.template
|
||
|
@@ -703,6 +703,7 @@ BuildRequires: system-sb-certs
|
||
|
%ifarch x86_64 aarch64
|
||
|
BuildRequires: nss-tools
|
||
|
BuildRequires: pesign >= 0.10-4
|
||
|
+BuildRequires: sbsigntools
|
||
|
%endif
|
||
|
%endif
|
||
|
%endif
|
||
|
@@ -762,6 +763,13 @@ Source1: Makefile.rhelver
|
||
|
%define signing_key_filename kernel-signing-s390.cer
|
||
|
%endif
|
||
|
|
||
|
+%ifarch x86_64 aarch64
|
||
|
+
|
||
|
+Source7001: MOK.key
|
||
|
+Source7002: MOK.crt
|
||
|
+
|
||
|
+%endif
|
||
|
+
|
||
|
%if %{?released_kernel}
|
||
|
|
||
|
Source10: redhatsecurebootca5.cer
|
||
|
@@ -1860,9 +1868,7 @@ BuildKernel() {
|
||
|
fi
|
||
|
|
||
|
%ifarch x86_64 aarch64
|
||
|
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||
|
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
||
|
- rm vmlinuz.tmp
|
||
|
+ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
|
||
|
%endif
|
||
|
%ifarch s390x ppc64le
|
||
|
if [ -x /usr/bin/rpm-sign ]; then
|
||
|
@@ -2393,9 +2399,6 @@ BuildKernel() {
|
||
|
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||
|
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||
|
%ifarch x86_64 aarch64
|
||
|
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
||
|
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
||
|
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||
|
%else
|
||
|
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||
|
%endif
|
||
|
--
|
||
|
2.40.1
|
||
|
|