redhat: drop certificates that were deprecated after GRUB's BootHole flaw (!1321) · Merge requests · cki-project / kernel-ark

Herton R. Krzesinski requested to merge hertonrk-rh/kernel-ark:remove-dup-certs into os-build Aug 20, 2021

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994849

Since newer RHEL should already have newer enough grub versions, we don't
need anymore to keep signing the kernel for secure boot with older keys for
compatibility with older grub.

The second signature also causes problems because the upstream kernel so
far does not support checking more than one signature as reported on bug
above, where kexec signature checking can fail in a secure boot enabled
environment. More than one signature requires that we patch the kernel
for it to work, but we don't need that now since we can drop the second
signature.

Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

redhat: drop certificates that were deprecated after GRUB's BootHole flaw

Merge request reports