From 9af314cb4ff398e0812ff973ebaab30395e830c0 Mon Sep 17 00:00:00 2001 From: Johnny Hughes Date: Jun 04 2020 06:07:18 +0000 Subject: Manual CentOS Debranding --- diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey index b1bbe38..d98f8fe 100644 --- a/SOURCES/x509.genkey +++ b/SOURCES/x509.genkey @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = CentOS +CN = CentOS Linux kernel signing key +emailAddress = security@centos.org [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index cead0fe..684f02d 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -19,7 +19,7 @@ %global distro_build 193 # Sign the x86_64 kernel for secure boot authentication -%ifarch x86_64 aarch64 s390x ppc64le +%ifarch x86_64 aarch64 %global signkernel 1 %else %global signkernel 0 @@ -421,34 +421,24 @@ Source11: x509.genkey %if %{?released_kernel} -Source12: securebootca.cer -Source13: secureboot.cer -Source14: secureboot_s390.cer -Source15: secureboot_ppc.cer +Source12: centos-ca-secureboot.der +Source13: centossecureboot001.crt %define secureboot_ca %{SOURCE12} %ifarch x86_64 aarch64 %define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot301 -%endif -%ifarch s390x -%define secureboot_key %{SOURCE14} -%define pesign_name redhatsecureboot302 -%endif -%ifarch ppc64le -%define secureboot_key %{SOURCE15} -%define pesign_name redhatsecureboot303 +%define pesign_name centossecureboot001 %endif # released_kernel %else -Source12: redhatsecurebootca2.cer -Source13: redhatsecureboot003.cer +Source12: centos-ca-secureboot.der +Source13: centossecureboot001.crt %define secureboot_ca %{SOURCE12} %define secureboot_key %{SOURCE13} -%define pesign_name redhatsecureboot003 +%define pesign_name centossecureboot001 # released_kernel %endif @@ -505,6 +495,13 @@ Source400: mod-kvm.list Source2000: cpupower.service Source2001: cpupower.config +# Sources for CentOS debranding +Source9000: centos.pem + +Patch1000: debrand-single-cpu.patch +Patch1001: debrand-rh_taint.patch +#Patch1002: debrand-rh-i686-cpu.patch + ## Patches needed for building this package # empty final patch to facilitate testing of kernel patches @@ -515,7 +512,7 @@ Patch999999: linux-kernel-test.patch BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root %description -This is the package which provides the Linux %{name} for Red Hat Enterprise +This is the package which provides the Linux %{name} for CentOS Linux. It is based on upstream Linux at version %{version} and maintains kABI compatibility of a set of approved symbols, however it is heavily modified with backports and fixes pulled from newer upstream Linux %{name} releases. This means @@ -524,7 +521,7 @@ from newer upstream linux versions, while maintaining a well tested and stable core. Some of the components/backports that may be pulled in are: changes like updates to the core kernel (eg.: scheduler, cgroups, memory management, security fixes and features), updates to block layer, supported filesystems, major driver -updates for supported hardware in Red Hat Enterprise Linux, enhancements for +updates for supported hardware in CentOS Linux, enhancements for enterprise customers, etc. # @@ -757,11 +754,11 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio %endif %package -n %{name}-abi-whitelists -Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists +Summary: The CentOS Linux kernel ABI symbol whitelists Group: System Environment/Kernel AutoReqProv: no %description -n %{name}-abi-whitelists -The kABI package contains information pertaining to the Red Hat Enterprise +The kABI package contains information pertaining to the CentOS Linux kernel ABI, including lists of kernel symbols that are needed by external Linux kernel modules, and a yum plugin to aid enforcement. @@ -771,7 +768,7 @@ Summary: The baseline dataset for kABI verification using DWARF data Group: System Environment/Kernel AutoReqProv: no %description kernel-kabidw-base-internal -The package contains data describing the current ABI of the Red Hat Enterprise +The package contains data describing the current ABI of the CentOS Linux kernel, suitable for the kabi-dw tool. %endif @@ -844,7 +841,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ AutoReq: no\ AutoProv: yes\ %description %{?1:%{1}-}modules-internal\ -This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\ +This package provides kernel modules for the %{?2:%{2} }kernel package for CentOS internal usage.\ %{nil} # @@ -1039,11 +1036,17 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c + +cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem + mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} ApplyOptionalPatch linux-kernel-test.patch +ApplyOptionalPatch debrand-single-cpu.patch +ApplyOptionalPatch debrand-rh_taint.patch +#ApplyOptionalPatch debrand-rh-i686-cpu.patch # END OF PATCH APPLICATIONS @@ -1642,7 +1645,7 @@ BuildKernel() { # build a BLS config for this kernel %{SOURCE43} "$KernelVer" "$RPM_BUILD_ROOT" "%{?variant}" - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # CentOS UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer %ifarch s390x ppc64le