diff --git a/.gitignore b/.gitignore
index bd6f9f3..f4b665f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz
+SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz
diff --git a/.kernel-rt.metadata b/.kernel-rt.metadata
index 36edd90..fb11ad8 100644
--- a/.kernel-rt.metadata
+++ b/.kernel-rt.metadata
@@ -1 +1 @@
-6995bb4ccc97f3fd43d4b5b68f8787d222174687 SOURCES/linux-4.18.0-193.13.2.rt13.65.el8_2.tar.xz
+7d175a53e97e1a2449eec92560e29eeeca45489a SOURCES/linux-4.18.0-193.14.3.rt13.67.el8_2.tar.xz
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..20e6604
Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
deleted file mode 100644
index 20e6604..0000000
Binary files a/SOURCES/secureboot.cer and /dev/null differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
deleted file mode 100644
index b235400..0000000
Binary files a/SOURCES/securebootca.cer and /dev/null differ
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 44ab1df..8a75d76 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -42,10 +42,10 @@
# define buildid .local
%define rpmversion 4.18.0
-%define pkgrelease 193.13.2.rt13.65.el8_2
+%define pkgrelease 193.14.3.rt13.67.el8_2
# allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 193.13.2.rt13.65%{?dist}
+%define specrelease 193.14.3.rt13.67%{?dist}
%define pkg_release %{specrelease}%{?buildid}
@@ -149,7 +149,7 @@
# The preempt RT patch level
%global rttag .rt13
# realtimeN
-%global rtbuild .65
+%global rtbuild .67
%define with_doc 0
%define with_headers 0
%define with_cross_headers 0
@@ -409,7 +409,7 @@ BuildRequires: asciidoc
Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
-Source11: x509.genkey
+Source9: x509.genkey
# Name of the packaged file containing signing key
%ifarch ppc64le
@@ -421,34 +421,44 @@ Source11: x509.genkey
%if %{?released_kernel}
-Source12: securebootca.cer
-Source13: secureboot.cer
+Source10: redhatsecurebootca5.cer
+Source11: redhatsecurebootca3.cer
+Source12: redhatsecureboot501.cer
+Source13: redhatsecureboot301.cer
Source14: secureboot_s390.cer
Source15: secureboot_ppc.cer
-%define secureboot_ca %{SOURCE12}
+%define secureboot_ca_0 %{SOURCE11}
+%define secureboot_ca_1 %{SOURCE10}
%ifarch x86_64 aarch64
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot301
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot301
+%define secureboot_key_1 %{SOURCE12}
+%define pesign_name_1 redhatsecureboot501
%endif
%ifarch s390x
-%define secureboot_key %{SOURCE14}
-%define pesign_name redhatsecureboot302
+%define secureboot_key_0 %{SOURCE14}
+%define pesign_name_0 redhatsecureboot302
%endif
%ifarch ppc64le
-%define secureboot_key %{SOURCE15}
-%define pesign_name redhatsecureboot303
+%define secureboot_key_0 %{SOURCE15}
+%define pesign_name_0 redhatsecureboot303
%endif
# released_kernel
%else
+Source11: redhatsecurebootca4.cer
Source12: redhatsecurebootca2.cer
-Source13: redhatsecureboot003.cer
+Source13: redhatsecureboot401.cer
+Source14: redhatsecureboot003.cer
-%define secureboot_ca %{SOURCE12}
-%define secureboot_key %{SOURCE13}
-%define pesign_name redhatsecureboot003
+%define secureboot_ca_0 %{SOURCE11}
+%define secureboot_ca_1 %{SOURCE12}
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot401
+%define secureboot_key_1 %{SOURCE14}
+%define pesign_name_1 redhatsecureboot003
# released_kernel
%endif
@@ -1179,7 +1189,7 @@ BuildKernel() {
cp configs/$Config .config
%if %{signkernel}%{signmodules}
- cp %{SOURCE11} certs/.
+ cp %{SOURCE9} certs/.
%endif
Arch=`head -1 .config | cut -b 3-`
@@ -1245,11 +1255,13 @@ BuildKernel() {
fi
%ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name}
+ %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+ %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
+ rm vmlinuz.tmp
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
- rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
+ rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed
elif [ $DoModules -eq 1 ]; then
chmod +x scripts/sign-file
./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed
@@ -1645,11 +1657,17 @@ BuildKernel() {
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch x86_64 aarch64
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
+ install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
+ ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
%ifarch s390x ppc64le
if [ $DoModules -eq 1 ]; then
if [ -x /usr/bin/rpm-sign ]; then
- install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
+ install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
else
install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename}
@@ -2404,12 +2422,7 @@ fi
/lib/modules/%{KVERREL}%{?3:+%{3}}/updates\
/lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\
/lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
-%ifarch s390x ppc64le\
-%if 0%{!?4:1}\
-%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
-%endif\
-%endif\
+%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\
%if %{1}\
/lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\
/etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\
@@ -2465,6 +2478,31 @@ fi
#
#
%changelog
+* Sun Jul 19 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.3.rt13.67.el8_2]
+- Reverse keys order for dual-signing (Frantisek Hrbata) [1837433 1837434] {CVE-2020-10713}
+
+* Sun Jul 19 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.2.rt13.66.el8_2]
+- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713}
+- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713}
+- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780}
+- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908}
+
+* Mon Jul 13 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.14.1.rt13.65.el8_2]
+- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975]
+- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975]
+- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975]
+- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975]
+- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975]
+- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975]
+- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775]
+- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980]
+
* Tue Jul 07 2020 Luis Claudio R. Goncalves <lgoncalv@redhat.com> [4.18.0-193.13.1.rt13.64.el8_2]
- [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]