RHEL-122615

Revert UKI signing cert to Red Hat Secure Boot Signing 504 [rhel10]


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • redhat-release
    • rhel-arr-emerging

      SecureBoot signing certs were recently updated to "800 series" certs but it turned out the move was premature and we had to revert back to "Red Hat Secure Boot Signing 504" for the RHEL UKI:

      https://issues.redhat.com/browse/RHEL-122226

      Updating the cert which is used for UKI signing is not easy as PCR7 measurements are used for root volume key sealing.

      The revert has already landed in the kernel and, because of the urgency, the kernel now carries its own copy of "Red Hat Secure Boot Signing 504". The cert which the redhat-sb-certs package has is, however, still "Red Hat Secure Boot Signing 804", which is wrong.

      While there's no extreme urgency now, we still need to get things back in order, so the suggestion is to revert to "Red Hat Secure Boot Signing 504" in redhat-sb-certs. This needs to happen in 10.2 as well as 10.1.z.
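
The PCR7 dependency mentioned in the description, as an added example that is not part of the original issue or of any Red Hat code: a simplified Python model of the SHA-256 PCR extend operation, showing why a root volume key sealed under one signing certificate does not unseal after a boot verified with another. The certificate bytes, the event list and the `seal`/`try_unseal` helpers are constructed stand-ins; real PCR7 events are UEFI variable structures and real sealing uses a TPM2 PCR policy.

```python
import hashlib

def extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM PCR extend (SHA-256 bank): new = H(old || H(event_data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()

def replay(events) -> bytes:
    """Replay an event list from the reset value (all zeros) to a final PCR."""
    pcr = bytes(32)
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr

# Constructed stand-ins for the Secure Boot policy events measured into PCR7
# before any image is verified (Secure Boot state, key databases, separator).
FIRMWARE_EVENTS = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx", b"\x00" * 4]

# Constructed placeholders, NOT the real certificates.
CERT_504 = b"placeholder: Red Hat Secure Boot Signing 504"
CERT_804 = b"placeholder: Red Hat Secure Boot Signing 804"

def boot_pcr7(signing_cert: bytes) -> bytes:
    """PCR7 after a boot in which the UKI was verified against signing_cert."""
    # The authority (certificate) that validated the image is measured too.
    return replay(FIRMWARE_EVENTS + [b"authority:" + signing_cert])

def seal(secret: bytes, pcr7: bytes) -> dict:
    """Toy sealing: bind the secret to a digest of the expected PCR7 value."""
    return {"policy": hashlib.sha256(pcr7).digest(), "secret": secret}

def try_unseal(blob: dict, current_pcr7: bytes):
    """Release the secret only if the current PCR7 matches the sealed policy."""
    if hashlib.sha256(current_pcr7).digest() != blob["policy"]:
        return None  # policy mismatch: the volume key stays locked
    return blob["secret"]

if __name__ == "__main__":
    blob = seal(b"root-volume-key", boot_pcr7(CERT_504))
    for name, cert in (("504", CERT_504), ("804", CERT_804)):
        ok = try_unseal(blob, boot_pcr7(cert)) is not None
        print(f"UKI signed with {name}: unseal {'ok' if ok else 'refused'}")
```
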

              tdawson@redhat.com Troy Dawson
              vkuznets@redhat.com Vitaly Kuznetsov
              Release Test Team