From 4802edae623c414301174b650173d2cfdc46c5cc Mon Sep 17 00:00:00 2001
From: Chris Co
Date: Mon, 4 Nov 2024 22:52:51 -0800
Subject: [PATCH 1/5] enable kexec signature verification

Signed-off-by: Chris Co
---
 SPECS/kernel/config | 3 ++-
 SPECS/kernel/config_aarch64 | 2 +-
 SPECS/kernel/kernel.signatures.json | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 6a0f77cb2b2..731458f88af 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -296,7 +296,8 @@ CONFIG_KEXEC_CORE=y
 CONFIG_HAVE_IMA_KEXEC=y
 # CONFIG_KEXEC is not set
 CONFIG_KEXEC_FILE=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
 CONFIG_CRASH_DUMP=y
 CONFIG_CRASH_HOTPLUG=y
 CONFIG_CRASH_MAX_MEMORY_RANGES=8192
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 30464ea0b1d..3fa4689ab11 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -275,7 +275,7 @@ CONFIG_KEXEC_CORE=y
 CONFIG_HAVE_IMA_KEXEC=y
 # CONFIG_KEXEC is not set
 CONFIG_KEXEC_FILE=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
 CONFIG_CRASH_DUMP=y
 # end of Kexec and crash features
 # end of General setup
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 33f130add80..dd1cba64798 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
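Review bot: `CONFIG_KEXEC_SIG=y` with `# CONFIG_KEXEC_SIG_FORCE is not set` turns on signature checking but not enforcement: as I read 6.6's kimage_validate_signature(), a kexec_file_load() of an unsigned or badly signed image is still accepted unless the kernel is locked down (LOCKDOWN_KEXEC), with IMA appraisal of the kexec image being the other route to enforcement, so this hunk alone does not stop an unsigned kernel from being kexec'ed. If hard enforcement is the goal on x86, set `CONFIG_KEXEC_SIG_FORCE=y`; the config_aarch64 hunk has no FORCE option at all (arm64 does not offer it as far as I can tell), so enforcement there rests entirely on lockdown/IMA, which deserves a line in the kernel.spec changelog so operators know what is and is not verified. Worth stating too that KEXEC_SIG covers only the kernel image; the initramfs and command line handed to kexec_file_load() are not signature-checked by this option. Keeping the legacy `CONFIG_KEXEC` syscall disabled, as both hunks do, is the right companion, since kexec_load() bypasses these checks entirely.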
@@ -1,8 +1,8 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "5636a263f1802641e806b6971303eb28f77167ef42ece09782b4638c75bf03b5",
- "config_aarch64": "bac4a99b57ce11f25ef8bce844ed6285932aa29139b85ccde850acaabafdcffd",
+ "config": "bda4af43566ed8548a6f2b163b964ffb9a6a86a56387881bf8b3fdf9d1257612",
+ "config_aarch64": "232cdf07de3cad971bc9c0f4f1f002154b1859058bcb751ee27090f52080468c",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
From 2f295744b5c8310d11623882f59064387964f62b Mon Sep 17 00:00:00 2001
From: Chris Co
Date: Mon, 4 Nov 2024 22:53:34 -0800
Subject: [PATCH 2/5] chore: bump kernel related specs

Signed-off-by: Chris Co
---
 SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++-
 SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 ++++-
 SPECS/kernel-headers/kernel-headers.spec | 5 ++++-
 SPECS/kernel/kernel-uki.spec | 5 ++++-
 SPECS/kernel/kernel.spec | 5 ++++-
 toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +-
 toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +-
 toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +-
 toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++--
 9 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index 4c89f2b0442..478fd8df5ac 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -10,7 +10,7 @@
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-signed-%{buildarch}
 Version: 6.6.57.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue Nov 05 2024 Chris Co - 6.6.57.1-3
+- Bump release to match kernel
+
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - Bump release to match kernel
 
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
index 551d54afac4..d61a7498a41 100644
--- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
+++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -6,7 +6,7 @@
 Summary: Signed Unified Kernel Image for %{buildarch} systems
 Name: kernel-uki-signed-%{buildarch}
 Version: 6.6.57.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue Nov 05 2024 Chris Co - 6.6.57.1-3
+- Bump release to match kernel
+
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - Bump release to match kernel
 
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 91f40200ba2..49887b2d0c9 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -14,7 +14,7 @@
 Summary: Linux API header files
 Name: kernel-headers
 Version: 6.6.57.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -75,6 +75,9 @@ done
 %endif
 
 %changelog
+* Tue Nov 05 2024 Chris Co - 6.6.57.1-3
+- Bump release to match kernel
+
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - Bump release to match kernel
 
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
index 77d9dc52774..a70782a7a72 100644
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@@ -13,7 +13,7 @@
 Summary: Unified Kernel Image
 Name: kernel-uki
 Version: 6.6.57.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue Nov 05 2024 Chris Co - 6.6.57.1-3
+- Bump release to match kernel
+
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - Remove noxsaves parameter from cmdline
 
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index f57b02d6367..e6253a0863c 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -30,7 +30,7 @@
 Summary: Linux Kernel
 Name: kernel
 Version: 6.6.57.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -407,6 +407,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue Nov 05 2024 Chris Co - 6.6.57.1-3
+- Enable kexec signature verification
+
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - UKI: remove noxsaves parameter from cmdline
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 9d525530102..d8a449e47db 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.57.1-2.azl3.noarch.rpm
+kernel-headers-6.6.57.1-3.azl3.noarch.rpm
 glibc-2.38-8.azl3.aarch64.rpm
 glibc-devel-2.38-8.azl3.aarch64.rpm
 glibc-i18n-2.38-8.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 2cc91b471c6..d373178affc 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.57.1-2.azl3.noarch.rpm
+kernel-headers-6.6.57.1-3.azl3.noarch.rpm
 glibc-2.38-8.azl3.x86_64.rpm
 glibc-devel-2.38-8.azl3.x86_64.rpm
 glibc-i18n-2.38-8.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index d6aad71ae70..e437435a820 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.57.1-2.azl3.noarch.rpm
+kernel-headers-6.6.57.1-3.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index aacd1792796..84990ae7612 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.57.1-2.azl3.noarch.rpm
-kernel-headers-6.6.57.1-2.azl3.noarch.rpm
+kernel-cross-headers-6.6.57.1-3.azl3.noarch.rpm
+kernel-headers-6.6.57.1-3.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
From cb253a7c4cb177df6bb48178b63c85852774e1ba Mon Sep 17 00:00:00 2001
From: Chris Co
Date: Thu, 7 Nov 2024 00:35:31 -0800
Subject: [PATCH 3/5] include support for verifying PE images
Signed-off-by: Chris Co
---
 SPECS/kernel/config | 3 ++-
 SPECS/kernel/config_aarch64 | 3 ++-
 SPECS/kernel/kernel.signatures.json | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 731458f88af..47e02319e2e 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -298,6 +298,7 @@ CONFIG_HAVE_IMA_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_SIG=y
 # CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_CRASH_HOTPLUG=y
 CONFIG_CRASH_MAX_MEMORY_RANGES=8192
@@ -7698,7 +7699,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
 # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 # CONFIG_FIPS_SIGNATURE_SELFTEST is not set
 
 #
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 3fa4689ab11..af0065ce796 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -276,6 +276,7 @@ CONFIG_HAVE_IMA_KEXEC=y
 # CONFIG_KEXEC is not set
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_SIG=y
+CONFIG_KEXEC_IMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 # end of Kexec and crash features
 # end of General setup
@@ -10791,7 +10792,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
 # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 # CONFIG_FIPS_SIGNATURE_SELFTEST is not set
 
 #
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index dd1cba64798..7e3d7dfed09 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
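Review bot: `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y` together with `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` routes kexec verification through the PE/Authenticode verifier, and as I recall 6.6's kexec_kernel_verify_pe_sig() consults the secondary/builtin trusted keyring first and, when that yields ENOKEY and the platform keyring is built (`CONFIG_INTEGRITY_PLATFORM_KEYRING`, not visible in these hunks), falls back to the firmware's Secure Boot db keys. If that fallback is compiled in, any image acceptable to the platform's UEFI db is also an acceptable kexec target, independent of the distro certificate shipped as Source4, which is a wider trust scope than the commit title suggests and worth a sentence in the kernel.spec changelog. The config_aarch64 hunk adding `CONFIG_KEXEC_IMAGE_VERIFY_SIG=y` goes through the same PE path, so the same remark applies there. If the intent is "only distro-signed kernels", the platform-keyring fallback should be a deliberate, documented choice rather than an implicit one.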
@@ -1,8 +1,8 @@
 {
 "Signatures": {
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
- "config": "bda4af43566ed8548a6f2b163b964ffb9a6a86a56387881bf8b3fdf9d1257612",
- "config_aarch64": "232cdf07de3cad971bc9c0f4f1f002154b1859058bcb751ee27090f52080468c",
+ "config": "00c9071da520dd42e8465fd8d9f36945a4f6127798c16a45f5200cfd7256ed1e",
+ "config_aarch64": "e0d92980c9388de35b7dde65a385865ef3207f4c50b0e9988f90394e8d627c77",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
From 1a3a0af6e67bbb878dcb070742192d406c7f61b8 Mon Sep 17 00:00:00 2001
From: Chris Co
Date: Thu, 7 Nov 2024 22:16:11 -0800
Subject: [PATCH 4/5] update trusted keys to use azurelinux CA

We still leave in the older certificate for the time being, until we switch fully to the new azurelinux CA

Signed-off-by: Chris Co
---
 .../azurelinux-ca-20211013-20230216.pem | 67 +++++++++++++++++++
 SPECS/kernel/cbl-mariner-ca-20211013.pem | 29 --------
 SPECS/kernel/kernel.signatures.json | 2 +-
 SPECS/kernel/kernel.spec | 2 +-
 4 files changed, 69 insertions(+), 31 deletions(-)
 create mode 100644 SPECS/kernel/azurelinux-ca-20211013-20230216.pem
 delete mode 100644 SPECS/kernel/cbl-mariner-ca-20211013.pem

diff --git a/SPECS/kernel/azurelinux-ca-20211013-20230216.pem b/SPECS/kernel/azurelinux-ca-20211013-20230216.pem
new file mode 100644
index 00000000000..18f1f833333
--- /dev/null
+++ b/SPECS/kernel/azurelinux-ca-20211013-20230216.pem
@@ -0,0 +1,67 @@ +-----BEGIN CERTIFICATE----- +MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF +ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH +UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD +ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y +MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv +bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 +aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln +bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc +6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL +Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC +hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v +w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I +970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU +KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E +FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT +FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf +BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN +hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl +MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG +CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz +L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB +Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E +dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO +NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL +q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0 +5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj +jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGtjCCBJ6gAwIBAgITMwAAAAJjlHB6Ftnx2gAAAAAAAjANBgkqhkiG9w0BAQ0F 
+ADBaMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u +MSswKQYDVQQDEyJNaWNyb3NvZnQgTWFyaW5lciBSU0EgUm9vdCBDQSAyMDIzMB4X +DTIzMDIxNjE5MzkwMloXDTM4MDIwOTIxMjU1M1owYDELMAkGA1UEBhMCVVMxHjAc +BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjExMC8GA1UEAxMoTWFyaW5lciBU +cnVzdGVkIEJhc2UgUlNBIENvZGUgU2lnbmluZyBDQTCCAiIwDQYJKoZIhvcNAQEB +BQADggIPADCCAgoCggIBAL+8TFnwSX6pE1J6Eb4fdVJy0pLmFrY1G8oqxfPqY0l0 +rezoei1p8hZrPAsk1l/lp+BIDrYl/0TiZOSkVBMod569/JDntohvjycZtCKK+9PY +MophsyD5XvsK7xNaRixxTTOLJ561iKQqny29bJNgO/N909s9pXFa1chQKWm3Ib8I +SiZwj0CixWTwfGmTqa9pR1mwQydUK8HS4uO5i2WqB065b1R48rEGmC0m4WYX37Od +EFU7ZzorMrdG8tYFL+rCfZExkBoqcUD6So3Zsz/KQenxTNKyv3UIV3szTP7W8gLG ++3KTr4YS6U+6zztTp+at3DlH0GFBIoGMNnxns/7tZoUL2Ee9CL91gX5FEQ1iyc53 +szYhQ82LjwQ+MRVRppbsDTduTCrl49xp+Ofd7vQusNw8t2mDA4bdoXgPOrHHv+0A +kR4yXDwxdhWMMQ7prUKO9lYGDJL97b44B0rlyBPpqMYZshgZCGGYhzw+UXcOQ1hz +M+gAKcSX/iMl12RGGeqd41SeeysXXefQLfJlyVsjr4Tx7RjemWfiwJiL5RrM3MXf +UmRhZJPPDd0QTM+7LCohuPh3C142FctB3DSszHN5OWxcHGLVFsw73UtD+jLhZ2WD +43Yqb+iHKafjY3hTBULQdozk14jVLTe2xfTlr8TTUilIoAdoE02LiVtL5VUqZq9x +AgMBAAGjggFtMIIBaTAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGCNxUBBAMCAQAw +HQYDVR0OBBYEFHVUsV99cPzwjbkPqmp1wb60in5cMBkGCSsGAQQBgjcUAgQMHgoA +UwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU7bP/DNX8DLvF +HUX1cl9wFfnIxqYwZQYDVR0fBF4wXDBaoFigVoZUaHR0cDovL3d3dy5taWNyb3Nv +ZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwTWFyaW5lciUyMFJTQSUyMFJv +b3QlMjBDQSUyMDIwMjMuY3JsMHIGCCsGAQUFBwEBBGYwZDBiBggrBgEFBQcwAoZW +aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQl +MjBNYXJpbmVyJTIwUlNBJTIwUm9vdCUyMENBJTIwMjAyMy5jcnQwDQYJKoZIhvcN +AQENBQADggIBAGCiLo+kLmHETBNIjwNBCpRyamuzfXjG54bMYrS0kPjAWD8vaxA4 +GzaXyM/yk2q50xmEbRdDlhfdk/PkmYOFTvI+4Dd33kltMCy2/lwf1Ci8XIlYAH/e +IiO4lKqIk2Dbfn2eMCMeFFx0BQ0zvxHJYUMWz/kqdTxR57LZclBUGPn+Q/2pDZYf +uXGsS1rQqFBV6yxSgDLAAO9AuBvz32rwlGyichrufHEM1+YfjP8w6wpi0u/JHTeq +A6zFshkXxXQYL7R8IjlCUVWIG9vBA0YgdcaYXY5MT1WctMcWCCu12gWtU3fOC86X +rf+A++UtCYXAL1h4g0YOpZIL6LRh7CiR5Kh7cw9ylYv93+YESQHY2VAwCs+j/xRe 
+xkv5oWRGkzAqESSv0iJfZg7DzvyE+9XbIYKGoS2NrPyGCStZsXl7B3QpA4dAvj0o +ye5YZXbFtIgHS4uGyUYvEYYedNC4/ujZ7tcBvxKB3BzKJry7MkLtUJhfqQnVDFkY +8wpy24yem9IDR0n2Ua1a9/kbmxDT+lJ4q7fMxPJf2QnTkdQXSuNejz6N4yUqiX22 +2HLmkDFdheq2hMY0oi5PkivsnYn7b4sDclyuen04BFBIwfy0RwRSWEfzwTfdrGT6 +V/XT/3n9twDIFZyK8oRjUlwo0GAiq8r0uwPOKnLQPpKJpWC4ICs1LjkB +-----END CERTIFICATE----- diff --git a/SPECS/kernel/cbl-mariner-ca-20211013.pem b/SPECS/kernel/cbl-mariner-ca-20211013.pem deleted file mode 100644 index 76865b9a68e..00000000000 --- a/SPECS/kernel/cbl-mariner-ca-20211013.pem +++ /dev/null 
@@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF -ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH -UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD -ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y -MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv -bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 -aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln -bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc -6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL -Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC -hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v -w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I -970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU -KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E -FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT -FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf -BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN -hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl -MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG -CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz -L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB -Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E -dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO -NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL -q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0 -5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj -jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ ------END CERTIFICATE----- diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 7e3d7dfed09..78a16e87162 100644 
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
+ "azurelinux-ca-20211013-20230216.pem": "228046d92ccb7d268cf4f195425c0f990afa00a968cc940fb1df4629fb7a6765",
 "config": "00c9071da520dd42e8465fd8d9f36945a4f6127798c16a45f5200cfd7256ed1e",
 "config_aarch64": "e0d92980c9388de35b7dde65a385865ef3207f4c50b0e9988f90394e8d627c77",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index e6253a0863c..2fac5e2d90c 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -40,7 +40,7 @@ Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/ro
 Source1: config
 Source2: config_aarch64
 Source3: sha512hmac-openssl.sh
-Source4: cbl-mariner-ca-20211013.pem
+Source4: azurelinux-ca-20211013-20230216.pem
 Source5: cpupower
 Source6: cpupower.service
 Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch
From 1c1727cfc229a00e72644ab2882937c8ef8d6c1f Mon Sep 17 00:00:00 2001
From: Rachel Menge
Date: Tue, 19 Nov 2024 19:55:29 +0000
Subject: [PATCH 5/5] Remove kernel key ca-20211013 entirely

Remove the old CBL-Mariner Secureboot .pem in favor of only having the new azurelinux-ca-20230216.pem. This new key should appear as "Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA" in the keyring.
---
 ...0230216.pem => azurelinux-ca-20230216.pem} | 29 -------------------
 SPECS/kernel/kernel.signatures.json | 2 +-
 SPECS/kernel/kernel.spec | 3 +-
 3 files changed, 3 insertions(+), 31 deletions(-)
 rename SPECS/kernel/{azurelinux-ca-20211013-20230216.pem => azurelinux-ca-20230216.pem} (56%)
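Review bot: The bundle this hunk wires in as Source4 still carries the 2021 "Mariner Secure Boot(Production Signing)" leaf, and decoding its DER header in the new .pem shows it was issued by "Microsoft Testing PCA 2010" with validity 2021-10-14 to 2022-10-13, i.e. a test-hierarchy certificate that had expired two years before this change. As far as I know the kernel's X.509/PKCS#7 trust path does not enforce validity periods for keys in the builtin keyring, so the expired leaf keeps accepting signatures for as long as it is compiled in; the commit message should say why it is retained and what still depends on it rather than only "for the time being". The following commit in this series drops it, but this intermediate state is what a bisect or a partial backport would land on. The hunk only renames Source4, so how the file is consumed (presumably via `CONFIG_SYSTEM_TRUSTED_KEYS`) lies outside it and I could not confirm that.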
diff --git a/SPECS/kernel/azurelinux-ca-20211013-20230216.pem b/SPECS/kernel/azurelinux-ca-20230216.pem
similarity index 56%
rename from SPECS/kernel/azurelinux-ca-20211013-20230216.pem
rename to SPECS/kernel/azurelinux-ca-20230216.pem
index 18f1f833333..04204bb1b6a 100644
--- a/SPECS/kernel/azurelinux-ca-20211013-20230216.pem
+++ b/SPECS/kernel/azurelinux-ca-20230216.pem
@@ -1,32 +1,3 @@ ------BEGIN CERTIFICATE----- -MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF -ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH -UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD -ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y -MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv -bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 -aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln -bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc -6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL -Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC -hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v -w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I -970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU -KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E -FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT -FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf -BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN -hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl -MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG -CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz -L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB -Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E -dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO -NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL -q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0 -5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj -jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ ------END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGtjCCBJ6gAwIBAgITMwAAAAJjlHB6Ftnx2gAAAAAAAjANBgkqhkiG9w0BAQ0F 
 ADBaMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 78a16e87162..f79c2b59222 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "azurelinux-ca-20211013-20230216.pem": "228046d92ccb7d268cf4f195425c0f990afa00a968cc940fb1df4629fb7a6765",
+ "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
 "config": "00c9071da520dd42e8465fd8d9f36945a4f6127798c16a45f5200cfd7256ed1e",
 "config_aarch64": "e0d92980c9388de35b7dde65a385865ef3207f4c50b0e9988f90394e8d627c77",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index 2fac5e2d90c..9f0ea161920 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -40,7 +40,7 @@ Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/ro
 Source1: config
 Source2: config_aarch64
 Source3: sha512hmac-openssl.sh
-Source4: azurelinux-ca-20211013-20230216.pem
+Source4: azurelinux-ca-20230216.pem
 Source5: cpupower
 Source6: cpupower.service
 Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch
@@ -409,6 +409,7 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %changelog
 * Tue Nov 05 2024 Chris Co - 6.6.57.1-3
 - Enable kexec signature verification
+- Introduce new azurelinux-ca-20230216.pem
 
 * Wed Oct 30 2024 Thien Trung Vuong - 6.6.57.1-2
 - UKI: remove noxsaves parameter from cmdline
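Review bot: The certificate left in azurelinux-ca-20230216.pem after the rename is an intermediate CA rather than a signing leaf: its DER decodes to CN "Mariner Trusted Base RSA Code Signing CA" issued by "Microsoft Mariner RSA Root CA 2023", with basicConstraints CA:TRUE and keyUsage including keyCertSign, valid 2023-02-16 to 2038-02-09, which matches the keyring name quoted in the commit message. Building a CA into the kernel keyring means every leaf that CA ever issues, not just the kernel-signing one, validates kexec targets and whatever else is checked against that keyring, and that scope should be stated next to the new changelog bullet, e.g. `- Trust the Mariner Trusted Base RSA Code Signing CA (intermediate) for kexec signature verification`. The bullet is also appended to the existing 6.6.57.1-3 entry dated Nov 05 from a Nov 19 commit without touching Release; if -3 has already been built, the changed Source4 and signatures.json need a -4 so the signed-kernel specs bumped in the earlier "chore" commit pick up a distinct build. The .pem rename hunk itself ends on the preceding lines and only drops the 2021 leaf, consistent with the description.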