From d4bbfbfee98f8b117885cf88a48f686ac889d73e Mon Sep 17 00:00:00 2001
From: Dorian Stoll
Date: Sat, 22 Jul 2023 10:45:33 +0200
Subject: [PATCH] Use a custom key and certificate for Secure Boot signing

Signed-off-by: Dorian Stoll
---
 redhat/kernel.spec.template | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index 0fb19cc23041..d7bd6013423c 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -762,6 +762,7 @@ BuildRequires: system-sb-certs
 %ifarch x86_64 aarch64
 BuildRequires: nss-tools
 BuildRequires: pesign >= 0.10-4
+BuildRequires: sbsigntools
 %endif
 %endif
 %endif
@@ -821,6 +822,13 @@ Source2: kernel.changelog
 %define signing_key_filename kernel-signing-s390.cer
 %endif
+%ifarch x86_64 aarch64
+
+Source7001: MOK.key
+Source7002: MOK.crt
+
+%endif
+
 %if %{?released_kernel}
 Source10: redhatsecurebootca5.cer
@@ -2201,9 +2209,7 @@ BuildKernel() {
 %ifarch x86_64 aarch64
 %{log_msg "Sign kernel image"}
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
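Review bot: Declaring the private key as `Source7001: MOK.key` in the `@@ -821,6 +822,13 @@` hunk makes rpmbuild treat it like any other source file, so it would be copied into every source RPM built from this spec. If those SRPMs are ever published or cached outside the signing host, the Secure Boot signing key goes with them; adding `NoSource: 7001` under the `Source7001` line keeps the key out of the source package. A comment such as `# MOK.key is the private signing key: supply it at build time, never commit or upload it` above the two Source lines would record the handling rule for the next maintainer. Separately, nothing visible in this patch installs `Source7002`, and the last hunk empties the x86_64/aarch64 branch of the "Install certs" step, so unless the certificate is shipped elsewhere the package no longer carries the certificate its kernel was signed with.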
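Review bot: The new `sbsign` line in the `@@ -2201,9 +2209,7 @@` hunk is never followed by a check that `vmlinuz.signed` validates against the certificate users will enroll, so a stale or wrong `MOK.crt` would presumably surface only when firmware rejects the kernel at boot. Adding `sbverify --cert %{SOURCE7002} vmlinuz.signed` directly after the `sbsign` line would turn that into a build failure; sbverify comes from the same sbsigntools package this patch already requires. `$SignImage` is also left unquoted, as it was in the removed pesign lines, and `"$SignImage"` would be the safer form. BuildKernel() starts and ends outside this hunk, so the condition that gates this signing step cannot be checked from here.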
@@ -2783,9 +2789,6 @@ BuildKernel() {
 %{log_msg "Install certs"}
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %else
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
-- 
2.44.0