Merge: redhat: automotive: logic to defer signing at image composition

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/1213

JIRA: https://issues.redhat.com/browse/RHEL-78808

Amend the automotive configuration to allow certificate insertion in the kernel
binary and amend the kernel.spec template to skip redundant signing and remove
persistent trusted certificates from the keyring.

This is intended to be used with atomic images only where the module signing is
done at image composition, the trusted certificate is inserted into the system
keyring and the kernel is then signed/measured. The result is an image
containing a kernel only able to load a subset of the available modules in the
kernel RPM set, based on the image configuration.

The build-time signature of the modules is still done for debugging on
non-atomic images where RPMs might be installed on their own in an already
deployed rootfs.

Signed-off-by: Eric Chanudet <echanude@redhat.com>

Approved-by: Jared Kangas <jkangas@redhat.com>
Approved-by: Jan Stancek <jstancek@redhat.com>
Approved-by: Rafael Aquini <raquini@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>

Author: CKI KWF Bot

redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL

@@ -0,0 +1 @@
+# CONFIG_MODULE_SIG_ALL is not set

redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE

@@ -0,0 +1 @@
+CONFIG_SYSTEM_EXTRA_CERTIFICATE=y

redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE

@@ -0,0 +1 @@
+CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096

redhat/kernel.spec.template

@@ -111,6 +111,9 @@ Summary: The Linux kernel
 # Sign modules on all arches
 %global signmodules 1
 
+# Add additional rhel certificates to system trusted keys.
+%global rhelkeys 1
+
 # Compress modules only for architectures that build modules
 %ifarch noarch
 %global zipmodules 0
@@ -460,6 +463,9 @@ Summary: The Linux kernel
 %define with_kabichk 0
 %define with_kernel_abi_stablelists 0
 %define with_kabidw_base 0
+%define signkernel 0
+%define signmodules 1
+%define rhelkeys 0
 %endif
 
 
@@ -767,9 +773,8 @@ BuildRequires: libnl3-devel
 BuildRequires: python3-pyyaml python3-jsonschema python3-pip python3-setuptools python3-wheel
 %endif
 
-%if %{with_tools} || %{signmodules} || %{signkernel}
 BuildRequires: openssl-devel
-%endif
+
 %if %{with_selftests}
 BuildRequires: clang llvm-devel fuse-devel zlib-devel binutils-devel python3-docutils python3-jsonschema
 %ifarch x86_64 riscv64
@@ -2046,12 +2051,16 @@ done
 %if %{signkernel}%{signmodules}
 
 # Add DUP and kpatch certificates to system trusted keys for RHEL
+truncate -s0 ../certs/rhel.pem
 %if 0%{?rhel}
+%if %{rhelkeys}
 %{log_msg "Add DUP and kpatch certificates to system trusted keys for RHEL"}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem
+# rhelkeys
+%endif
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem