
redhat: Switch UKI to using its own SecureBoot cert

Vitaly Kuznetsov requested to merge vkuznets/centos-stream-9:bug2225529 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225529

Switch UKI to using dedicated SecureBoot certificates (redhatsecureboot504/centossecureboot204) and temporarily carry them with the kernel until the 'redhat-sb-certs' package is updated.

To support the change, add a RHEL-specific SBAT section to the UKI; this allows vulnerable binaries to be revoked in the future without the need to extend UEFI DBX with all 'bad' hashes or the need to change the signing key.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
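The SBAT mechanism the description relies on, as an added example that is not code from this merge request or from the kernel tree: a small Python check that parses the CSV text an EFI binary carries in its `.sbat` section, parses a revocation policy of the shape shim keeps in its `SbatLevel` variable, and decides whether the binary would be refused. A binary is revoked when one of its component entries has a generation number lower than the minimum the policy sets for that component; components the policy does not name are unconstrained, which is what lets a distribution-specific entry revoke only that distribution's builds. The component names, generation numbers, date and URL below are constructed for the illustration and are not the values the RHEL UKI actually carries.

```python
"""Toy SBAT revocation check (added illustration, not kernel or shim code).

Parses the CSV text of a .sbat section and compares it against a revocation
policy of the shape shim keeps in the SbatLevel variable. Every sample
value below is constructed for the example.
"""
import csv
from io import StringIO

# Column layout of a .sbat section, as documented in shim's SBAT.md.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_sbat(text):
    """Return the entries of a .sbat section as (component, generation) pairs.

    The leading 'sbat,1,...' row only states the SBAT format version and is
    skipped. A malformed row is rejected rather than ignored, so a binary
    cannot bypass the check by carrying an unparsable section.
    """
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue
        if len(row) < 2:
            raise ValueError(f"malformed SBAT row: {row!r}")
        name, gen = row[0].strip(), row[1].strip()
        if name == "sbat":
            continue  # format header, not a component
        if not gen.isdigit():
            raise ValueError(f"non-numeric generation in SBAT row: {row!r}")
        entries.append((name, int(gen)))
    return entries


def parse_policy(text):
    """Return a revocation policy as {component: minimum allowed generation}.

    The first row has the form 'sbat,1,<date>' and is a version stamp for the
    policy itself, not a component rule.
    """
    policy = {}
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip() or row[0].strip() == "sbat":
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed policy row: {row!r}")
        policy[row[0].strip()] = int(row[1].strip())
    return policy


def is_revoked(sbat_text, policy_text):
    """True if any component in the binary falls below the policy's minimum.

    Components the policy does not mention are not constrained: that is why a
    vendor-specific component name lets one vendor revoke its own builds
    without touching binaries from other vendors.
    """
    policy = parse_policy(policy_text)
    return any(name in policy and gen < policy[name]
               for name, gen in parse_sbat(sbat_text))


# Constructed sample .sbat section of a UKI: a generic entry plus a
# vendor-specific one. Names, generations and URL are invented.
UKI_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "uki.example,1,Example Vendor,kernel,0.0.0,https://example.invalid\n"
    "uki.example.vendor,1,Example Vendor,kernel,0.0.0,https://example.invalid\n"
)

# Constructed policies in SbatLevel shape; the date stamp is a placeholder.
POLICY_CURRENT = "sbat,1,2000000000\nuki.example,1\n"
POLICY_REVOKE_GENERIC = "sbat,1,2000000000\nuki.example,2\n"
POLICY_REVOKE_VENDOR = "sbat,1,2000000000\nuki.example.vendor,2\n"

if __name__ == "__main__":
    for label, pol in (("current", POLICY_CURRENT),
                       ("generic bump", POLICY_REVOKE_GENERIC),
                       ("vendor bump", POLICY_REVOKE_VENDOR)):
        print(f"{label:12s} -> revoked={is_revoked(UKI_SBAT, pol)}")
```

Raising the generation of the vendor-specific component in the policy refuses this binary while leaving any binary that only carries the generic component untouched; raising the generic component's generation refuses both. That is the distinction the dedicated SBAT entry buys over a DBX hash list, which has to name every rejected binary individually.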
