
KernelCare certwrapper build 2026-06-04 (plus automated scripts) #3

Open
kanner wants to merge 5 commits into cloudlinux:main from kanner:main-kernelcare-build-2026

Conversation

@kanner kanner commented Jun 4, 2026

Looks like everyone is moving to (or at least preparing) shim 16.1:
rhel8 - rhboot/shim-review#546
cl8 - rhboot/shim-review#555

Anyway, let's leave room to use certwrapper for shim 15.8 as well, bearing in mind that the old cert will expire on Jan 13 2027.

  • shim 15.8 - 1st cert only (longterm)
# rpm -qa | grep shim
shim-x64-15.8-2.el9.x86_64
[root@localhost ~]# mokutil --list-enrolled | egrep -i 'SHA1|Issuer'
SHA1 Fingerprint: 0e:2a:bf:72:66:32:95:3a:d2:05:b3:cd:c7:eb:24:15:8b:31:b3:bb
        Issuer: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddress=security@rockylinux.org
SHA1 Fingerprint: 42:15:cb:2f:c3:0e:43:18:c0:0b:c4:27:ca:04:38:60:bf:c2:45:6c
        Issuer: O=Cloud Linux Software, Inc, OU=KernelCare, CN=Kernel Module Signing Key/emailAddress=info@kernelcare.com
  • shim 16.1 - 2 certs imported
# rpm -qa | grep shim
shim-x64-16.1-2.el9.x86_64
# mokutil --list-enrolled | egrep -i 'SHA1|Issuer'
SHA1 Fingerprint: 0e:2a:bf:72:66:32:95:3a:d2:05:b3:cd:c7:eb:24:15:8b:31:b3:bb
        Issuer: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddress=security@rockylinux.org
SHA1 Fingerprint: 42:15:cb:2f:c3:0e:43:18:c0:0b:c4:27:ca:04:38:60:bf:c2:45:6c
        Issuer: O=Cloud Linux Software, Inc, OU=KernelCare, CN=Kernel Module Signing Key/emailAddress=info@kernelcare.com
SHA1 Fingerprint: db:d9:e7:6d:86:c3:20:35:7e:df:ca:d8:b9:6b:d4:d8:64:0e:a4:9e
        Issuer: O=Cloud Linux Software, Inc, OU=KernelCare, CN=Kernel Module Signing Key/emailAddress=info@kernelcare.com

kanner and others added 5 commits June 4, 2026 01:25
According to KernelCare Security Assessment (2025) from
Anvil Secure the image_validation tool should be used
to produce the final binary. Set the required NX_COMPAT
flag using image validation tool [1][2]:

Link[1]: https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-ca-memory-mitigation-requirements#if-implemented-pecoff-dll-attestation
Link[2]: https://github.com/tianocore/edk2-pytool-extensions
Signed-off-by: Andrei Kanner <akanner@cloudlinux.com>
Signed-off-by: Andrei Kanner <akanner@cloudlinux.com>
build-all.sh builds shim_certificate_kernelcare for x86_64 and aarch64
in almalinux:9 containers (aarch64 via qemu-user-static) and saves each
.efi + .log under kernelcare-result-<date>/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrei Kanner <akanner@cloudlinux.com>
Signed-off-by: Andrei Kanner <akanner@cloudlinux.com>
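The NX_COMPAT requirement referenced in the commit message above can be verified on the produced .efi before it is submitted for signing. The following Python checker is an added example, not code from this PR or from the edk2-pytool image_validation tool; it reads DllCharacteristics straight from the PE32/PE32+ optional header, and make_minimal_pe is a constructed fixture for testing, not a real shim or certwrapper image.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # bit defined in the PE/COFF spec
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def nx_compat_status(image: bytes) -> dict:
    """Parse the PE headers of an EFI binary and report the NX_COMPAT bit.

    Returns {'magic': ..., 'dll_characteristics': ..., 'nx_compat': bool}.
    Raises ValueError for anything that is not a well-formed PE image.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if opt_size < 72 or len(image) < opt + opt_size:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {"magic": magic, "dll_characteristics": dll_chars,
            "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def make_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed test fixture: the smallest header layout the parser accepts."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96  # optional header sizes without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the .efi files under kernelcare-result-<date>/
        with open(path, "rb") as fh:
            print(path, nx_compat_status(fh.read()))
```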