redhat: add secureboot CA certificate to trusted kernel keyring

Bruno Meneguelerequested to merge
bmeneg/kernel-ark:redhat-secboot-ca into os-build

This patch is a forward-port from what we already have in RHEL-8 kernels and
should also be done in RHEL-9 to avoid unexpected failures on customers.

Add the secure boot key certificate to the trusted kernel keyring
(.builtin_trusted_keys) to allow the placement of the kernel signing key
(shipped with the distro) in other kernel trusted keyrings, i.e. .ima
trusted keyring.

The need for adding the secure boot CA cert in the trusted kernel keyring
exists only for arches without UEFI support which don't support adding certs
to .platform_keyring and, consequently, can't add our own kernel image
signing key to trusted keyrings.

The biggest usage of that is for loading signed kernel images during
kexec/kdump process in arches that depends on the IMA infrastructure to
check the signatures, which has the ability to verify appended signatures
instead of the UEFI PE format. Said arches are PowerPC and S390X.

Cc: Justin M. Forbes jforbes@fedoraproject.org
Cc: Herton R. Krzesinski herton@redhat.com
Cc: Patrick Talbert ptalbert@redhat.com
Signed-off-by: Bruno Meneguele bmeneg@redhat.com

Merge request reports