CentOS secureboot

26035c5a · Carl George · Pablo Greco · 05f52f9b · 26035c5a · 26035c5a
Commit 26035c5a authored 4 years ago by Carl George Committed by Pablo Greco 3 years ago
--- a/SOURCES/centos-ca-secureboot.der
+++ b/SOURCES/centos-ca-secureboot.der
--- a/SOURCES/centos.pem
+++ b/SOURCES/centos.pem
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
+BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
+FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0
+MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln
+bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK
+PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+
+RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc
+4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9
+hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp
+9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB
+AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN
+BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6
+8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5
+ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7
+04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq
+KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf
+ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um
+OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
+BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
+FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0
+MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl
+eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P
+CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl
+hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+
+lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2
+F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ
+yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw
+DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6
+mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG
+SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl
+NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5
+8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM
+MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs
+lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0
+9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W
+-----END CERTIFICATE-----
--- a/SOURCES/centossecureboot001.der
+++ b/SOURCES/centossecureboot001.der
--- a/SOURCES/centossecureboot201.der
+++ b/SOURCES/centossecureboot201.der
--- a/SOURCES/centossecurebootca2.der
+++ b/SOURCES/centossecurebootca2.der
--- a/SOURCES/x509.genkey.fedora
+++ b/SOURCES/x509.genkey.fedora
 [ req ]
-default_bits = 4096
+default_bits = 3072
 distinguished_name = req_distinguished_name
 prompt = no
 x509_extensions = myexts

 [ req_distinguished_name ]
-O = Fedora
-CN = Fedora kernel signing key
-emailAddress = kernel-team@fedoraproject.org
+O = CentOS
+CN = CentOS kernel signing key
+emailAddress = security@centos.org

 [ myexts ]
 basicConstraints=critical,CA:FALSE

--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -32,7 +32,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 aarch64
 %endif

 # Signing for secure boot authentication
@@ -668,10 +668,10 @@ Source10: x509.genkey.rhel
 Source11: x509.genkey.fedora
 %if %{?released_kernel}

-Source12: redhatsecurebootca5.cer
-Source13: redhatsecurebootca1.cer
-Source14: redhatsecureboot501.cer
-Source15: redhatsecureboot301.cer
+Source12: centossecurebootca2.der
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot201.der
+Source15: centossecureboot001.der
 Source16: secureboot_s390.cer
 Source17: secureboot_ppc.cer

@@ -679,33 +679,25 @@ Source17: secureboot_ppc.cer
 %define secureboot_ca_0 %{SOURCE13}
 %ifarch x86_64 aarch64
 %define secureboot_key_1 %{SOURCE14}
-%define pesign_name_1 redhatsecureboot501
+%define pesign_name_1 centossecureboot201
 %define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot301
-%endif
-%ifarch s390x
-%define secureboot_key_0 %{SOURCE16}
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define secureboot_key_0 %{SOURCE17}
-%define pesign_name_0 redhatsecureboot303
+%define pesign_name_0 centossecureboot001
 %endif

 # released_kernel
 %else

-Source12: redhatsecurebootca4.cer
-Source13: redhatsecurebootca2.cer
-Source14: redhatsecureboot401.cer
-Source15: redhatsecureboot003.cer
+Source12: centossecurebootca2.der
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot201.der
+Source15: centossecureboot001.der

 %define secureboot_ca_1 %{SOURCE12}
 %define secureboot_ca_0 %{SOURCE13}
 %define secureboot_key_1 %{SOURCE14}
-%define pesign_name_1 redhatsecureboot401
+%define pesign_name_1 centossecureboot201
 %define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot003
+%define pesign_name_0 centossecureboot001

 # released_kernel
 %endif
@@ -789,6 +781,8 @@ Source213: Module.kabi_dup_x86_64
 Source2000: cpupower.service
 Source2001: cpupower.config

+Source9000: centos.pem
+
 ## Patches needed for building this package

 # Patch1: patch-%{rpmversion}-redhat.patch
@@ -1524,6 +1518,7 @@ fi

 # Now build the fedora kernel tree.
 cp -al vanilla-%{vanillaversion} linux-%{KVERREL}
+cp -v %{SOURCE9000} linux-%{KVERREL}/certs/rhel.pem

 cd linux-%{KVERREL}
 if [ ! -d .git ]; then