From: Jan Stancek <jstancek(a)redhat.com>
redhat: add IMA certificates
Forward port c9s commit:
7ff63254426d ("redhat: add IMA certificates")
Starting with RHEL9.0, installed package files will have IMA signatures
if users choose so. The IMA subsystem will search for the certificate in
the .ima keyring to verify a file signature thus to make sure this file
hasn't been tampered with. To be able to add the IMA code-signing
certificate to the .ima keyring, this certificate needs to be signed by
a CA certificate in the system keyrings.
This patch builds the IMA CA certificate into the .builtin_trusted_keys
keyring and installs the IMA code-signing certificate to
/usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like
dracut to add it to the .ima keyring.
Signed-off-by: Coiby Xu <coxu(a)redhat.com>
Signed-off-by: Jan Stancek <jstancek(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -918,6 +918,17 @@ Source87: flavors
Source100: rheldup3.x509
Source101: rhelkpatch1.x509
Source102: nvidiagpuoot001.x509
+Source103: rhelimaca1.x509
+Source104: rhelima.x509
+Source105: rhelima_centos.x509
+
+%if 0%{?centos}
+%define ima_signing_cert %{SOURCE105}
+%else
+%define ima_signing_cert %{SOURCE104}
+%endif
+
+%define ima_cert_name ima.cer
Source200: check-kabi
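Review bot: the `%if 0%{?centos}` / `%else` selection at `%define ima_signing_cert` picks one of two code-signing certs, but only a single CA (`Source103: rhelimaca1.x509`) is added here, so the commit message should state that both `rhelima.x509` and `rhelima_centos.x509` chain to `rhelimaca1.x509`; the .ima keyring will refuse a cert whose issuer is not in the system keyrings. On style, `%define ima_cert_name ima.cer` and the conditional sit between `Source105` and `Source200`; placing the two `%define`s after the Source list keeps the numbered sources contiguous.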
@@ -1893,7 +1904,8 @@ done
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+openssl x509 -inform der -in %{SOURCE103} -out rhelimaca1.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem rhelimaca1.pem > ../certs/rhel.pem
%if %{signkernel}
%ifarch s390x ppc64le
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
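Review bot: the new `openssl x509 ... %{SOURCE103}` line appends the IMA CA to `../certs/rhel.pem`, but nothing checks at build time that the cert selected as `%{ima_signing_cert}` actually verifies against it. Adding, right after the conversion, `openssl x509 -inform der -in %{ima_signing_cert} -out ima_signing.pem` and `openssl verify -CAfile rhelimaca1.pem ima_signing.pem` would fail the build on a mismatch instead of leaving it to be discovered when dracut tries to load the cert into the .ima keyring.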
@@ -2712,6 +2724,11 @@ BuildKernel() {
%endif
%endif
+%if 0%{?rhel}
+ # Red Hat IMA code-signing cert, which is used to authenticate package files
+ install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
+%endif
+
%if %{signmodules}
if [ $DoModules -eq 1 ]; then
# Save the signing keys so we can sign the modules in __modsign_install_post
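Review bot: `install -m 0644` does not create `%{_datadir}/doc/kernel-keys/$KernelVer`, so the added line depends on a `mkdir` that is not visible in this hunk; `install -D -m 0644 %{ima_signing_cert} ...` would make it self-contained. Note also that this block is guarded by `%if 0%{?rhel}` while the cert choice in the Source section is guarded by `%if 0%{?centos}`; that only works if CentOS builds define both macros, which deserves a one-line comment next to the install.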
diff --git a/redhat/keys/rhelima.x509 b/redhat/keys/rhelima.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima.x509
Binary files /dev/null and b/redhat/keys/rhelima.x509 differ
diff --git a/redhat/keys/rhelima_centos.x509 b/redhat/keys/rhelima_centos.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelima_centos.x509
Binary files /dev/null and b/redhat/keys/rhelima_centos.x509 differ
diff --git a/redhat/keys/rhelimaca1.x509 b/redhat/keys/rhelimaca1.x509
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/keys/rhelimaca1.x509
Binary files /dev/null and b/redhat/keys/rhelimaca1.x509 differ
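Review bot: the three added `.x509` files are binary, so the diff gives a reviewer nothing to check about what is being trusted, and `rhelimaca1.x509` ends up in `.builtin_trusted_keys` for every kernel built from this spec. The commit message should record each certificate's subject, issuer, validity period and SHA-256 fingerprint (for example from `openssl x509 -inform der -noout -subject -issuer -dates -fingerprint -sha256 -in redhat/keys/rhelimaca1.x509`) so the CA can be verified out of band before merge.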
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3094
From: Michal Schmidt <mschmidt(a)redhat.com>
redhat/configs: enable CONFIG_LEDS_TRIGGER_NETDEV also for RHEL
JIRA: https://issues.redhat.com/browse/RHEL-32110
The igc NIC driver exposes sysfs-controllable LEDs since
commit ea578703b03d ("igc: Add support for LEDs on i225/i226").
It makes sense to use the netdev trigger to control them.
CONFIG_LEDS_TRIGGER_NETDEV is already enabled for Fedora. Enable it also
for RHEL.
Signed-off-by: Michal Schmidt <mschmidt(a)redhat.com>
diff --git a/redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV b/redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
rename from redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV
rename to redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/CONFIG_LEDS_TRIGGER_NETDEV
+++ b/redhat/configs/common/generic/CONFIG_LEDS_TRIGGER_NETDEV
diff --git a/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV b/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/rhel/generic/CONFIG_LEDS_TRIGGER_NETDEV
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_LEDS_TRIGGER_NETDEV is not set
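Review bot: the rename from `redhat/configs/fedora/generic` to `redhat/configs/common/generic` carries no content hunk, so the value RHEL will now inherit (`=y` or `=m`) is not visible in this diff; stating it in the commit message would let reviewers confirm it without checking out the tree. Deleting the `# CONFIG_LEDS_TRIGGER_NETDEV is not set` override is the correct way to let the common file take effect.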
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3092
From: Emanuele Giuseppe Esposito on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2917
We want to enable kernel.spec to optionally ship UKI addons defined in a
common config file in redhat folder.
The folder redhat/uki_addons will contain all addons configs specifying the
UKI kernel cmdline addons to be created in the next build. An addon
config is simply a .addon plain text file, where any line
is taken as kernel cmdline, except for the ones starting with '#',
which will be automatically ignored.
redhat/scripts/uki_addons.py will take care of parsing all configs and
folders in redhat/uki_addons and call 'ukify' to create the actual addons.
The output addon filename will be a concatenation of all folders in
redhat/uki_addons that are part of the addon config path.
The folder hierarchy inside of redhat/uki_addons is similar to
redhat/configs: $distro/$UKI_NAME/%arch.
It is also possible to add .sbat to all the generated addons, by
populating redhat/addons/$distro/$UKI_NAME/%arch/sbat/sbat.conf.
Syntax is the same as the addons config.
At build time, Makefile will create a tar.gz archive (uki_addons.tar.gz)
containing all the files in redhat/uki_addons. It will then be passed to the
kernel specfile that will extract the addons from it and generate the
UKI kernel cmdline addons.
As an example of this feature, add the fips addon to optionally enable fips
(https://issues.redhat.com/browse/RHEL-23049).
---
redhat/scripts/uki_addons.py | 162 +++++++++++++++++++++++++++++++
redhat/uki_addons/virt/common/fips.addon | 1 +
redhat/Makefile | 3 +
redhat/kernel.spec.template | 44 ++++++++
4 files changed, 210 insertions(+), 0 deletions(-)
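The .addon format and the folder-to-filename rule described in this merge request, as an added Python sketch that is not the MR's own redhat/scripts/uki_addons.py: the '#' comment rule and the redhat/uki_addons layout come from the description; skipping blank lines, the '-' separator, the '.addon.efi' suffix and the ukify flag names are assumptions.

```python
from pathlib import PurePosixPath

# Constructed sample of an .addon file in the format the MR describes:
# every line is kernel cmdline, lines starting with '#' are ignored.
SAMPLE_FIPS_ADDON = """\
# fips addon: constructed example, not the real redhat/uki_addons file
fips=1
"""


def parse_addon(text):
    """Return the kernel cmdline fragments from an .addon file body.

    Lines starting with '#' are comments per the MR description.
    Skipping blank lines is an assumption; the MR does not mention them.
    """
    fragments = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fragments.append(stripped)
    return fragments


def addon_output_name(addon_path, root="redhat/uki_addons", sep="-"):
    """Concatenate the folders under redhat/uki_addons into the output name.

    The MR says the name is built from all folders on the addon's path;
    the '-' separator and the '.addon.efi' suffix are assumptions here.
    """
    rel = PurePosixPath(addon_path).relative_to(root)
    parts = list(rel.parent.parts) + [rel.stem]
    return sep.join(parts) + ".addon.efi"


def ukify_args(addon_path, text, sbat_text=None):
    """Assemble an argv for 'ukify build' from one addon config.

    The sbat.conf uses the same syntax as an addon (per the MR), so it is
    parsed the same way. The ukify flag names are assumptions.
    """
    args = ["ukify", "build", "--cmdline", " ".join(parse_addon(text)),
            "--output", addon_output_name(addon_path)]
    if sbat_text is not None:
        args += ["--sbat", "\n".join(parse_addon(sbat_text))]
    return args
```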
From: Jan Stancek <jstancek(a)redhat.com>
redhat/kernel.spec.template: avoid process substitution
Wang Yugui reports that the process substitution construct doesn't work
in old environments (e.g. rhel7 + devtoolsets-8):
/var/tmp/rpm-tmp.mVZU4h: line 696: syntax error near unexpected token `<'
while read -r kmod; do
local target_file="$RPM_BUILD_ROOT/lib/modules/$KernelVer/$subdir_name/$kmod"
local target_dir="${target_file%/*}"
mkdir -p "$target_dir"
mv "$RPM_BUILD_ROOT/lib/modules/$KernelVer/kernel/$kmod" "$target_dir"
L696: done < <(sed -e 's|^kernel/||' "$module_list")
set -x
Simplify it using a temp file.
Fixes: ad0b8a853077 ("spec: rework filter-mods and mod-denylist")
Reported-by: Wang Yugui <wangyugui(a)e16-tech.com>
Signed-off-by: Jan Stancek <jstancek(a)redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -2581,16 +2581,19 @@ BuildKernel() {
{
local module_list="$1"
local subdir_name="$2"
+ local tmpfile=$(mktemp)
mkdir -p "$RPM_BUILD_ROOT/lib/modules/$KernelVer/$subdirname"
+ sed -e 's|^kernel/||' "$module_list" > $tmpfile
set +x
while read -r kmod; do
local target_file="$RPM_BUILD_ROOT/lib/modules/$KernelVer/$subdir_name/$kmod"
local target_dir="${target_file%/*}"
mkdir -p "$target_dir"
mv "$RPM_BUILD_ROOT/lib/modules/$KernelVer/kernel/$kmod" "$target_dir"
- done < <(sed -e 's|^kernel/||' "$module_list")
+ done < $tmpfile
+ rm -f $tmpfile
set -x
}
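Review bot: `local tmpfile=$(mktemp)` masks the exit status of `mktemp` (the `local` builtin returns 0 even when the substitution fails), so a failed `mktemp` leaves `tmpfile` empty and the later `> $tmpfile` errors out with a confusing message; split it into `local tmpfile` and `tmpfile=$(mktemp) || return 1`. `$tmpfile` is also unquoted in both redirections and in `rm -f $tmpfile`, unlike every other path in this function, and should be quoted. Separately, the unchanged context line `mkdir -p "$RPM_BUILD_ROOT/lib/modules/$KernelVer/$subdirname"` references `$subdirname` while the variable declared above is `subdir_name`, so that `mkdir` creates the parent directory only; worth fixing in a follow-up.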
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3087