From 0558bd8493631d0dbbf0e3f9d6f489f287f8e0a4 Mon Sep 17 00:00:00 2001
From: Natalya Naumova
Date: Wed, 15 Feb 2017 20:45:20 -0800
Subject: [PATCH] uek-rpm nano: enable ol6 secureboot signing

Enable image signing in uek-rpm/ol6-nano/kernel-uek.spec and add certs: uek-rpm/ol6-nano/secureboot.cer uek-rpm/ol6-nano/securebootca.cer

Orabug: 25422956
Signed-off-by: Chuck Anderson
---
 uek-rpm/ol6-nano/kernel-uek.spec | 9 ++++++++-
 uek-rpm/ol6-nano/secureboot.cer | 22 ++++++++++++++++++++++
 uek-rpm/ol6-nano/securebootca.cer | 24 ++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 uek-rpm/ol6-nano/secureboot.cer
 create mode 100644 uek-rpm/ol6-nano/securebootca.cer

diff --git a/uek-rpm/ol6-nano/kernel-uek.spec b/uek-rpm/ol6-nano/kernel-uek.spec
index 6c87941cb4556..eceea88e098ab 100644
--- a/uek-rpm/ol6-nano/kernel-uek.spec
+++ b/uek-rpm/ol6-nano/kernel-uek.spec
@@ -518,7 +518,7 @@ BuildRequires: sparse >= 0.4.1
 %if %{signmodules}
 BuildRequires: openssl
 BuildRequires: gnupg
-#BuildRequires: pesign >= 0.10-4
+BuildRequires: pesign >= 0.10-4
 %endif
 %if %{with_fips}
 BuildRequires: hmaccalc
@@ -543,6 +543,8 @@ Source17: kabitool
 Source18: check-kabi
 Source20: x86_energy_perf_policy
 Source21: turbostat
+Source22: securebootca.cer
+Source23: secureboot.cer
 Source1000: config-x86_64
 Source1001: config-x86_64-debug
@@ -1070,6 +1072,11 @@ BuildKernel() {
 cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/%{image_install_path}/zImage.stub-$KernelVer || :
 fi
 %if %{signmodules}
+ %ifarch x86_64
+ # Sign the image if we're using EFI
+ %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE22} -c %{SOURCE23} -n oraclesecureboot
+ mv $KernelImage.signed $KernelImage
+ %endif
 # Sign the image if we're using EFI
 #% pesign -s -i $KernelImage -o vmlinuz.signed
 # if [ -x /usr/bin/pesign -a "x86_64" == "x86_64" ]; then
diff --git a/uek-rpm/ol6-nano/secureboot.cer b/uek-rpm/ol6-nano/secureboot.cer
new file mode 100644
index 0000000000000..07741a92da67a
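Review bot: The new signing step in the third hunk replaces `$KernelImage` with whatever `%pesign` wrote and never checks that the result carries a signature from the intended certificate. How `%pesign` behaves on a builder that lacks the `oraclesecureboot` key is not visible here, so I would list the signatures before the move, for example with `pesign -S -i $KernelImage.signed`, and fail the build when none is reported. The block also leaves the older commented-out `#% pesign` lines in place under a second copy of the `# Sign the image if we're using EFI` comment; dropping them would make it clear which path is live. The comment says "if we're using EFI" while the actual guard is `%ifarch x86_64` inside `%if %{signmodules}`, so a comment such as `# Secure Boot: sign the x86_64 kernel image with the cert in Source23` would describe it more accurately. BuildKernel() starts and ends outside this hunk.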
--- /dev/null
+++ b/uek-rpm/ol6-nano/secureboot.cer
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDmzCCAoMCAQEwDQYJKoZIhvcNAQELBQAwgY4xCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApDYWxpZm9ybmlhMRcwFQYDVQQHDA5SZWR3b29kIFNob3JlczEbMBkGA1UE
+CgwST3JhY2xlIENvcnBvcmF0aW9uMRUwEwYDVQQLDAxPcmFjbGUgTGludXgxHTAb
+BgNVBAMMFE9yYWNsZSBMaW51eCBUZXN0IENBMB4XDTE0MDcwOTIzNTAzN1oXDTE2
+MDcwODIzNTAzN1owgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+MRcwFQYDVQQHDA5SZWR3b29kIFNob3JlczEbMBkGA1UECgwST3JhY2xlIENvcnBv
+cmF0aW9uMRUwEwYDVQQLDAxPcmFjbGUgTGludXgxJjAkBgNVBAMMHU9yYWNsZSBM
+aW51eCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAt6ApcdbkIjGOynChsPJ1R0X56mse4Nrx3x/UBCYLMUFzy3xoAghPpg9P
+oy1L7pTndq/AG5/4AfPc9PMpd/5fsTHVQpEd7KPWhVKqxDqEl3Hwqq7o3eA0jm08
+EzY+4XPDR1w95WLmyUdg66dfQopZXiOfqtEaMM1cm5uPJj+aSOlCi34aBMqetQvE
++3gALEeQWhL4vDpQV800dC9oHj/mDBtrAfZCJRriAla2nT60B+EnCXJJkWqvQzFK
+7C7hSCQAC0enJY9IrIBKFFzYl4Wnh1Ib+E6v4XUzlP6Sbo6YpZv+ZlE/qB68qAV8
+lI1Ws4sXFxRwDmGb6L+4kcTTeTC9CwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAv
+gz/A3KCTMrXc7iWyxeqOmC+Y2O1uW3vVqQTfRjg7QoeTr3esz3dnQmPGEmRjNNhs
+G5+ayM2i9hXzdZiOPauN/TChmzebAkIp7L+6OQ5OFSaI/VRquo9REg71C+qxBgaq
+9HrbRcTSmqnutl4yviUtxkSn8M/9QurwUM+G8AMXbTcRzLEKIzgh4dO1JgnumlPj
+xq1yRbltfgqV7jRIsp0Od05A0SkNjBqgiCyCXx+4k01J0ULYDCBubkO6wPO7pLMZ
+i4tFe4F6rZYTt7c3YO4cep+03BGHf/DhtWLaSNninXzMmXzzYkDirgJo+yKZ4p/S
+CMkkkj4XPvp+rpVBSVwM
+-----END CERTIFICATE-----
diff --git a/uek-rpm/ol6-nano/securebootca.cer b/uek-rpm/ol6-nano/securebootca.cer
new file mode 100644
index 0000000000000..50afd4411be5b
--- /dev/null
+++ b/uek-rpm/ol6-nano/securebootca.cer
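Review bot: The certificate added as secureboot.cer looks like a test credential whose validity had already ended when this patch was written. Its DER appears to decode to subject CN "Oracle Linux Test Certificate" and issuer CN "Oracle Linux Test CA", valid from 2014-07-09 to 2016-07-08, while the patch is dated 15 Feb 2017; securebootca.cer in the next hunk appears to be the matching self-issued "Oracle Linux Test CA" with the same end date. An image signed under this chain would presumably verify only where that test CA is enrolled, so the commit message or a comment next to `Source22`/`Source23` should say whether release builds substitute a production certificate and where the private key behind the `oraclesecureboot` nickname is kept.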
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIJAPX+4S5CjpxUMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBT
+aG9yZXMxGzAZBgNVBAoMEk9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3Jh
+Y2xlIExpbnV4MR0wGwYDVQQDDBRPcmFjbGUgTGludXggVGVzdCBDQTAeFw0xNDA3
+MDkyMzQ4MDRaFw0xNjA3MDgyMzQ4MDRaMIGOMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEXMBUGA1UEBwwOUmVkd29vZCBTaG9yZXMxGzAZBgNVBAoM
+Ek9yYWNsZSBDb3Jwb3JhdGlvbjEVMBMGA1UECwwMT3JhY2xlIExpbnV4MR0wGwYD
+VQQDDBRPcmFjbGUgTGludXggVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANRDM0CmbyKR2t6/L237SDk0b9RXaYnm0ISXYTWFLwsAC7ho9p9s
+mcgwLbqRSwSIgeabtnR7dV/cuttF+zX3p8DsL8cRqvtyQfEx0RIKAKdoSPmegCAe
+dD20guafNbAyJyLL82aVbwCcO03HrRdaNYinpBpJ6YQqK2RuZDB9+RJbn9fOl/V6
+3vyjfo6zLtvEIJKFqFpbgfOkSMW/WSVQiBsPSFdGYMzWgL1ve2mNVMJC7cFGYGi1
+QQIEjWxhU5qJSt4MgN4Z6FKvbXuNuA0V0Zf98vVtvnDYMzgdZPAh2dIpSmOKPMRK
+HhL1+H+bGN8D994B6Hr+qSbRWcMPQCEBjrcCAwEAAaNQME4wHQYDVR0OBBYEFOdy
+f8p/1DSV07XM2TXRqO4eK7B3MB8GA1UdIwQYMBaAFOdyf8p/1DSV07XM2TXRqO4e
+K7B3MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEcwzk/jmsbM6EEe
+eqKwhEejAqUvJlLlU/jHBaI3BGs1KijWXYvSTlf9/LG1BjaIvPRXHILHUmV5USvA
+wOgtwx02/6Uvw1BFxbPQrpT4EtEy5Mv0HCV8Bld8cFuT2YeTBNyzlkKL3eAoU8Ub
+l8j9Z4Xy0QLWMc/6iWueKmhZcJJ84jO3MYIh8k7bMys3rKllPe7M/H0hZxNpHgCM
+Xd6x64psNzDVa2awrQnnF2jIA55b6h0NwoK2YwK7z0gwG0BCgJvU0OE/ypTbhcdk
+4uH6HUYIYmUqaziN36MY7gp9M7JG+/Xh1WJd0btzDLdSvz2j4oD4sSQHaRwoZ0Bg
+A2IE8vw=
+-----END CERTIFICATE-----
-- 
2.50.1