diff --git a/SOURCES/centossecureboot201.crt b/SOURCES/centossecureboot201.crt new file mode 100644 index 0000000..f9d9675 --- /dev/null +++ b/SOURCES/centossecureboot201.crt @@ -0,0 +1,84 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 93:c2:04:d8:bd:77:6b:11 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org + Validity + Not Before: Jun 9 10:04:20 2020 GMT + Not After : Jan 18 10:04:20 2038 GMT + Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19: + 32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65: + 5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d: + 57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12: + 07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9: + bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40: + 9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8: + 28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49: + a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2: + 72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f: + 5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75: + 06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64: + ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b: + 33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49: + 98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93: + e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8: + 09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87: + fa:07 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Key Usage: critical + Digital Signature + X509v3 Extended Key Usage: critical + Code Signing + X509v3 Subject Key Identifier: + 5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22 + X509v3 Authority Key Identifier: + keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA + + Signature Algorithm: sha256WithRSAEncryption + 39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd: + db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af: + 07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93: + 66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c: + 5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87: + 32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97: + 89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18: + 02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82: + 31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b: + e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1: + fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86: + 36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45: + 89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69: + ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea: + 7a:76:d1:bc +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV +BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 +cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow +TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ +KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ +UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS +Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI +PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN +MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn +0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB +Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd +BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc +EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk +U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll +jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR +JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN +uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx +wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2 +0bw= +-----END CERTIFICATE----- diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der new file mode 100644 index 0000000..42bdfcf Binary files /dev/null and b/SOURCES/centossecurebootca2.der differ diff --git a/SPECS/kernel-plus.spec b/SPECS/kernel-plus.spec index d592d6e..63131b2 100644 --- a/SPECS/kernel-plus.spec +++ b/SPECS/kernel-plus.spec @@ -43,10 +43,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 193.13.2.el8_2 +%define pkgrelease 193.14.2.el8_2 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 193.13.2%{?dist} +%define specrelease 193.14.2%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -416,7 +416,7 @@ BuildRequires: asciidoc Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz -Source11: x509.genkey +Source9: x509.genkey # Name of the packaged file containing signing key %ifarch ppc64le @@ -428,24 +428,41 @@ Source11: x509.genkey %if %{?released_kernel} -Source12: centos-ca-secureboot.der +#Source10: redhatsecurebootca5.cer +Source10: centossecurebootca2.der +#Source11: redhatsecurebootca3.cer +Source11: centos-ca-secureboot.der +#Source12: redhatsecureboot501.cer +Source12: centossecureboot201.crt +#Source13: redhatsecureboot301.cer Source13: centossecureboot001.crt -%define secureboot_ca %{SOURCE12} +%define secureboot_ca_0 %{SOURCE10} +%define secureboot_ca_1 %{SOURCE11} %ifarch x86_64 aarch64 -%define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define secureboot_key_0 %{SOURCE12} +%define pesign_name_0 centossecureboot201 +%define secureboot_key_1 %{SOURCE13} +%define pesign_name_1 centossecureboot001 %endif # released_kernel %else -Source12: centos-ca-secureboot.der +#Source11: redhatsecurebootca3.cer +Source11: centos-ca-secureboot.der +#Source12: redhatsecureboot501.cer +Source12: centossecureboot201.crt +#Source13: redhatsecureboot301.cer Source13: centossecureboot001.crt +Source14: secureboot_s390.cer -%define secureboot_ca %{SOURCE12} -%define secureboot_key %{SOURCE13} -%define pesign_name centossecureboot001 +%define secureboot_ca_0 %{SOURCE11} +%define secureboot_ca_1 %{SOURCE12} +%define secureboot_key_0 %{SOURCE13} +%define pesign_name_0 redhatsecureboot401 +%define secureboot_key_1 %{SOURCE14} +%define pesign_name_1 redhatsecureboot003 # released_kernel %endif @@ -1115,6 +1132,9 @@ ApplyOptionalPatch() } %setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c + +cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem + mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} @@ -1272,7 +1292,7 @@ BuildKernel() { cp configs/$Config .config %if %{signkernel}%{signmodules} - cp %{SOURCE11} certs/. + cp %{SOURCE9} certs/. %endif Arch=`head -1 .config | cut -b 3-` @@ -1338,11 +1358,13 @@ BuildKernel() { fi %ifarch x86_64 aarch64 - %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} + %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0} + %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1} + rm vmlinuz.tmp %endif %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then - rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed + rpm-sign --key "%{pesign_name_0}" --lkmsign $SignImage --output vmlinuz.signed elif [ $DoModules -eq 1 ]; then chmod +x scripts/sign-file ./scripts/sign-file -p sha256 certs/signing_key.pem certs/signing_key.x509 $SignImage vmlinuz.signed @@ -1738,11 +1760,17 @@ BuildKernel() { # CentOS UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer - install -m 0644 %{secureboot_ca} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %ifarch x86_64 aarch64 + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer + install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer + ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %else + install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer + %endif %ifarch s390x ppc64le if [ $DoModules -eq 1 ]; then if [ -x /usr/bin/rpm-sign ]; then - install -m 0644 %{secureboot_key} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} + install -m 0644 %{secureboot_key_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} else install -m 0644 certs/signing_key.x509.sign${Flav} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer openssl x509 -in certs/signing_key.pem.sign${Flav} -outform der -out $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{signing_key_filename} @@ -2508,12 +2536,7 @@ fi /lib/modules/%{KVERREL}%{?3:+%{3}}/updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/weak-updates\ /lib/modules/%{KVERREL}%{?3:+%{3}}/bls.conf\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\ -%ifarch s390x ppc64le\ -%if 0%{!?4:1}\ -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \ -%endif\ -%endif\ +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\ %if %{1}\ /lib/modules/%{KVERREL}%{?3:+%{3}}/vdso\ /etc/ld.so.conf.d/%{name}-%{KVERREL}%{?3:+%{3}}.conf\ @@ -2567,7 +2590,7 @@ fi # # %changelog -* Tue Jul 21 2020 Akemi Yagi [4.18.0-193.13.2.el8_2.centos.plus] +* Wed Jul 29 2020 Akemi Yagi [4.18.0-193.14.2.el8_2.centos.plus] - Apply debranding changes - Modify config file for x86_64 with extra features turned on including some network adapters, some SCSI adapters, ReiserFS, TOMOYO @@ -2578,8 +2601,27 @@ fi - Added a triggerin scriptlet to rebuild the initramfs image when the system microcode package is updated [bug#17562] -* Mon Jul 13 2020 Bruno Meneguele [4.18.0-193.13.2.el8_2] -- Rebuild to get kernel image properly signed (Bruno Meneguele) +* Sun Jul 19 2020 Bruno Meneguele [4.18.0-193.14.2.el8_2] +- [kernel] Move to dual-signing to split signing keys up better (pjones) [1837433 1837434] {CVE-2020-10713} +- [crypto] pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1837433 1837434] {CVE-2020-10713} +- [acpi] ACPI: configfs: Disallow loading ACPI tables when locked down (Lenny Szubowicz) [1852968 1852969] {CVE-2020-15780} +- [firmware] efi: Restrict efivar_ssdt_load when the kernel is locked down (Lenny Szubowicz) [1852948 1852949] {CVE-2019-20908} + +* Mon Jul 13 2020 Bruno Meneguele [4.18.0-193.14.1.el8_2] +- [md] dm mpath: add DM device name to Failing/Reinstating path log messages (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: enhance queue_if_no_path debugging (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: restrict queue_if_no_path state machine (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: simplify __must_push_back (Mike Snitzer) [1852050 1822975] +- [md] dm: use DMDEBUG macros now that they use pr_debug variants (Mike Snitzer) [1852050 1822975] +- [include] dm: use dynamic debug instead of compile-time config option (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: switch paths in dm_blk_ioctl() code path (Mike Snitzer) [1852050 1822975] +- [md] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath (Mike Snitzer) [1852050 1822975] +- [md] dm: bump version of core and various targets (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: Add timeout mechanism for queue_if_no_path (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: use true_false for bool variable (Mike Snitzer) [1852050 1822975] +- [md] dm mpath: remove harmful bio-based optimization (Mike Snitzer) [1852050 1822975] +- [scsi] scsi: libiscsi: fall back to sendmsg for slab pages (Maurizio Lombardi) [1852048 1825775] +- [s390] s390/mm: fix panic in gup_fast on large pud (Philipp Rudo) [1853336 1816980] * Tue Jul 07 2020 Bruno Meneguele [4.18.0-193.13.1.el8_2] - [x86] x86/efi: Allocate e820 buffer before calling efi_exit_boot_service (Lenny Szubowicz) [1846180 1824005]