From cff3af76b4aa14f70170d3cd900c2d343569e342 Mon Sep 17 00:00:00 2001
From: Carl George
Date: Sep 12 2020 16:43:21 +0000
Subject: CentOS secureboot
---
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
new file mode 100644
index 0000000..44a2563
Binary files /dev/null and b/SOURCES/centos-ca-secureboot.der differ
diff --git a/SOURCES/centos.pem b/SOURCES/centos.pem
new file mode 100644
index 0000000..82ad817
--- /dev/null
+++ b/SOURCES/centos.pem
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIJALYWFXFy+zGAMA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
+BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
+FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjA0MFoXDTM4MDEwMTE0
+MjA0MFowVTEvMC0GA1UEAwwmQ2VudE9TIExpbnV4IERyaXZlciB1cGRhdGUgc2ln
+bmluZyBrZXkxIjAgBgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5ECuosQ4HKRRf+Kxfm+BcICBK
+PGqB+E/qalqQ3CCM3LWezq0ns/GZTD0CtSAzmOObqJb3gJ9S5gcbaMVBc3JxLlQ+
+RwVy0oNy91uy9TKhYQ3lpHDyujxiFmXPSJLMKOYbOBNObJ7qF6+ptnmDWMu7GWDc
+4UGdBdU/evt92LIxsi9ZQCEoZIqdyKBE/Y3V9gBZIZa/4oXMHfW9dWxhy9UszmR9
+hT7ZdgLFpWMFmJW+SS5QEWtp5CpRlcui4QJZl42bMp5JOrVWc+BlKPIsLdY8TqLp
+9FdhQ5Ih4auT7zn2V89YgYpq6VMZnPsn/v5piB6i6RK8Falr6SP5SV0cwV/jAgMB
+AAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQpvUwN
+BtLpkRBEtdyXMwkTm1HW1TAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q6
+8zANBgkqhkiG9w0BAQsFAAOCAQEAK+f4c4aP9TQDiQM4TDyw8iDapr7eBc+Yr0M5
+ELkWEQu55/OwLQrgCA5bdD86diaAXQAlUOXCtFRrbUQHQACEL77/32YdooHfVZZ7
+04CeE+JWxF/cQ3M5hhJnkyxaqFKC+B+bn7Z6eloMnYUPsXwfQEOuyxKaKergAJdq
+KnC0pEG3NGgwlwvnD0dwUqbbEUUqL3UQh96hCYDidhCUmuap1E2OGoxGex3ekszf
+ErCgwVYb46cv91ba2KqXVWl1FoO3c5MyZcxL46ihQgiY0BI975+HDFjpUZ69n+Um
+OhSscRUiKeEQKMVtHzyQUp5t+HCeaZBRPy3rFoIjTEqijKZ6tQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIJALYWFXFy+zF/MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
+BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
+FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE5MDYwMzE0MjAwMloXDTM4MDEwMTE0
+MjAwMlowTjEoMCYGA1UEAwwfQ2VudE9TIExpbnV4IGtwYXRjaCBzaWduaW5nIGtl
+eTEiMCAGCSqGSIb3DQEJARYTc2VjdXJpdHlAY2VudG9zLm9yZzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMG+5OclqB0NE5azrGkSitqUFcZjpRk/rS2P
+CetB6jwxOn06TrLGzqnhcE9VBKyEs7CXBLy6lfnORcYOybcR2XvrgqGa1txOZggl
+hc8zCj9X7ZCMK2UsWglxQCOtbo0m/vdor/VO3SFbrf/W9+PXhvNtcxMP9yjydbP+
+lS1St8uQv952hu7C1TevyOQN3jpvWRD7DSJIU/2uRFcdIo2QCGokuB/xESXeuGJ2
+F2P9w0h74V18AlVTxtGp/RSJqZaQ2Gi5h4Oa7UsRmhmCoLdmdBe7xnYJrJ4GhxKQ
+yG0kU1ikEhZW3YjoVPgBJzTsIhCAzFrOUq0d67a1wTVMiyL60fUCAwEAAaNdMFsw
+DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFLSfCGIFkJ3E2iz6
+mTdvsZHS8J54MB8GA1UdIwQYMBaAFFTsgYWJPuka2wj3RIhUfo4/dDrzMA0GCSqG
+SIb3DQEBCwUAA4IBAQBcDnjWh8Mx6yaS/OvBOYZprYy5Su0tn+YHiN0czpjVw+zl
+NUt2YmRSA/g6xks04CYx+UAL/xnvRcxXd17Ni7eWiROxvgQvBo5nScVkFPq2IIP5
+8aj7LoHR1MUeXfiNqf1JoSlgpRV47wv/+jZD0hmbt1rC2NJp0ZU8OHmt2GWk0jmM
+MK72D/pyCUfHetBzPpU9M0cNiukjMUdIL+U7+CXDgKsfdFHcQ76ebWyka7vRSXTs
+lBMa2g20Atwz2Hj7tEEAZ74ioQ9029RAlUSNipACe31YdT4/BBWIqHPpeDFkp8W0
+9v4jeTX/2kMBXkjzMfKjhpooa+bFFFLogLeX3P4W
+-----END CERTIFICATE-----
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
new file mode 100644
index 0000000..e8216b1
Binary files /dev/null and b/SOURCES/centossecureboot001.der differ
diff --git a/SOURCES/centossecureboot201.der b/SOURCES/centossecureboot201.der
new file mode 100644
index 0000000..ca3c134
Binary files /dev/null and b/SOURCES/centossecureboot201.der differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
new file mode 100644
index 0000000..42bdfcf
Binary files /dev/null and b/SOURCES/centossecurebootca2.der differ
diff --git a/SOURCES/x509.genkey.fedora b/SOURCES/x509.genkey.fedora
index 2f90e1b..dbfe9a7 100644
--- a/SOURCES/x509.genkey.fedora
+++ b/SOURCES/x509.genkey.fedora
@@ -1,13 +1,13 @@
 [ req ]
-default_bits = 4096
+default_bits = 3072
 distinguished_name = req_distinguished_name
 prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Fedora
-CN = Fedora kernel signing key
-emailAddress = kernel-team@fedoraproject.org
+O = CentOS
+CN = CentOS kernel signing key
+emailAddress = security@centos.org
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 14b6478..b90dbbb 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
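Review bot: `default_bits` is lowered from 4096 to 3072 in the same hunk that rebrands the subject of the build-time kernel signing key, and neither the hunk nor the commit message records why the key size is being reduced. 3072-bit RSA is still an acceptable strength, but a downgrade in a signing-key profile should be a deliberate, documented choice rather than a side effect of a rebranding change; either keep `default_bits = 4096` or add a comment above the new line such as `# 3072-bit key chosen because <reason> (was 4096)` with the actual reason filled in. Separately, the file keeps the name x509.genkey.fedora while it now produces a CentOS subject alongside x509.genkey.rhel, which is likely to confuse the next reader; a one-line comment at the top of the file stating that it is the CentOS profile despite the filename would help if renaming is not an option.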
@@ -29,7 +29,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 aarch64 s390x ppc64le
+%define secure_boot_arch x86_64 aarch64
 %endif
 # Signing for secure boot authentication
@@ -664,10 +664,10 @@ Source10: x509.genkey.rhel
 Source11: x509.genkey.fedora
 %if %{?released_kernel}
-Source12: redhatsecurebootca5.cer
-Source13: redhatsecurebootca1.cer
-Source14: redhatsecureboot501.cer
-Source15: redhatsecureboot301.cer
+Source12: centossecurebootca2.der
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot201.der
+Source15: centossecureboot001.der
 Source16: secureboot_s390.cer
 Source17: secureboot_ppc.cer
@@ -675,33 +675,25 @@ Source17: secureboot_ppc.cer
 %define secureboot_ca_0 %{SOURCE13}
 %ifarch x86_64 aarch64
 %define secureboot_key_1 %{SOURCE14}
-%define pesign_name_1 redhatsecureboot501
+%define pesign_name_1 centossecureboot201
 %define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot301
-%endif
-%ifarch s390x
-%define secureboot_key_0 %{SOURCE16}
-%define pesign_name_0 redhatsecureboot302
-%endif
-%ifarch ppc64le
-%define secureboot_key_0 %{SOURCE17}
-%define pesign_name_0 redhatsecureboot303
+%define pesign_name_0 centossecureboot001
 %endif
 # released_kernel
 %else
-Source12: redhatsecurebootca4.cer
-Source13: redhatsecurebootca2.cer
-Source14: redhatsecureboot401.cer
-Source15: redhatsecureboot003.cer
+Source12: centossecurebootca2.der
+Source13: centos-ca-secureboot.der
+Source14: centossecureboot201.der
+Source15: centossecureboot001.der
 %define secureboot_ca_1 %{SOURCE12}
 %define secureboot_ca_0 %{SOURCE13}
 %define secureboot_key_1 %{SOURCE14}
-%define pesign_name_1 redhatsecureboot401
+%define pesign_name_1 centossecureboot201
 %define secureboot_key_0 %{SOURCE15}
-%define pesign_name_0 redhatsecureboot003
+%define pesign_name_0 centossecureboot001
 # released_kernel
 %endif
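Review bot: In the `@@ -664,10` hunk the released-kernel branch still declares `Source16: secureboot_s390.cer` and `Source17: secureboot_ppc.cer`, yet the `@@ -675,33` hunk deletes the `%ifarch s390x` and `%ifarch ppc64le` blocks that were the only visible consumers of `%{SOURCE16}`/`%{SOURCE17}`, and the first hunk drops those arches from `secure_boot_arch`; unless the two sources are referenced elsewhere in the spec, they are now dead and should be removed with `-Source16: secureboot_s390.cer` and `-Source17: secureboot_ppc.cer`, or carry a comment saying why they are kept. The third hunk also leaves both sides of `%if %{?released_kernel}` declaring the identical Source12–Source15 files and the identical `pesign_name_0`/`pesign_name_1` values, whereas the removed lines selected a distinct CA and signing-key set for unreleased builds. If signing released and unreleased kernels with the same keys is intended, hoisting the four Source lines and the %define lines out of the conditional would make that policy explicit and avoid the duplication; if it is not intended, the unreleased set is missing. A short comment near the `%if` stating the decision would prevent the next reader from guessing.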
@@ -785,6 +777,8 @@ Source213: Module.kabi_dup_x86_64
 Source2000: cpupower.service
 Source2001: cpupower.config
+Source9000: centos.pem
+
 ## Patches needed for building this package
 # Patch1: patch-%{rpmversion}-redhat.patch
@@ -1544,6 +1538,7 @@ fi
 # Now build the fedora kernel tree.
 cp -al vanilla-%{vanillaversion} linux-%{KVERREL}
+cp -v %{SOURCE9000} linux-%{KVERREL}/certs/rhel.pem
 cd linux-%{KVERREL}
 if [ ! -d .git ]; then
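Review bot: The new `cp -v %{SOURCE9000} linux-%{KVERREL}/certs/rhel.pem` in the second hunk unconditionally overwrites whatever `certs/rhel.pem` the unpacked tree carries, and neither this line nor the `Source9000: centos.pem` line in the first hunk says what the bundle contains or why it is being trusted. Decoding the PEM added earlier in this patch, it holds two end-entity certificates ("CentOS Linux Driver update signing key" and "CentOS Linux kpatch signing key", issued by "CentOS Secure Boot (CA key 1)", valid until 2038-01-01) and no issuer certificate; installing them as certs/rhel.pem presumably feeds the kernel's built-in trusted keyring, which should be confirmed against the kernel config this spec builds, since every kernel from this spec will then accept modules signed by those keys. Suggest `# CentOS driver-update and kpatch signing certificates, installed as certs/rhel.pem below` above `Source9000:` and `# Replace the tree's certs/rhel.pem with the CentOS signing certs (SOURCE9000) so the built kernel trusts CentOS-signed modules/kpatches` above the copy. If the redhat patch referenced in the first hunk also ships or modifies certs/rhel.pem, the copy may need to run after patching rather than before it. The shell section containing the copy continues outside the hunk.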