Re: [OS-BUILD PATCH 0/2] Kernel secure boot dual signing changes

[Herton R. Krzesinski]

On Thu, Jul 30, 2020 at 04:18:39PM -0000, GitLab Bridge on behalf of jmflinuxtx 
wrote:
> From: jmflinuxtx on gitlab.com
> 
> These are the changes that we have been running in the kernel for a
> couple of weeks now to dual sign for secure boot. It is required as
> people pivot to newer keys while updating to fix the "boothole" CVEs.

BTW, probably Fedora later wants do make kernel-keys directory VR to be owned by
kernel-core as in RHEL, which would avoid have to do this change:

 %{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
 +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca*.cer\

This was done in RHEL:

 -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/kernel-signing-ca.cer\
 -%ifarch s390x ppc64le\
 -%if 0%{!?4:1}\
 -%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}/%{signing_key_filename} \
 -%endif\
 -%endif\
 +%{_datadir}/doc/kernel-keys/%{KVERREL}%{?3:+%{3}}\

to prevent a bug with "empty /usr/share/doc/kernel-keys/VR directory is left
after executing an 'rpm -e kernel-core-VR'." (quote from Prarit's commit)

Prarit, we are missing "[redhat] kernel.spec: Remove kernel-keys directory on
rpm erase" on Fedora it seems, would you be able to check/submit it?

This can be fixed later, so for patchset posted here:

Acked-by: Herton R. Krzesinski <her...@redhat.com>

-- 
[]'s
Herton
_______________________________________________
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org