redhat: conflict with unsupported shim on x86/aarch64

vittyvk · vittyvk · commit bd893fe80598 · 2025-12-10T10:41:35.000+01:00
JIRA: https://issues.redhat.com/browse/RHEL-126425 Upstream Status: RHEL only The kernel has recently switched to using 800-series keys for SecureBoot and this requires shim to have the corresponding CA certificate. The first version which had it was 15.8-1 so in case the new kernel is installed with an older shim, 'Security violation' error is going to prevent booting when SecureBoot=on. Prevent such broken combos by adding an explicit conflict. The problem can easily be observed on x86 by upgrading the kernel to a recent version on an old (RHEL9.2 and below) system. Aarch64 systems are only theoretically affected as SecureBoot was not supported by these old releases. Note: UKI is not affected by the issue as it still uses 504 key. Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
@@ -975,6 +975,9 @@ Recommends: linux-firmware\
 Requires(preun): systemd >= 200\
 Conflicts: xfsprogs < 4.3.0-1\
 Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
+%ifarch x86_64 aarch64\
+Conflicts: shim < 15.8-1\
+%endif\
 %{expand:%%{?kernel%{?1:_%{1}}_conflicts:Conflicts: %%{kernel%{?1:_%{1}}_conflicts}}}\
 %{expand:%%{?kernel%{?1:_%{1}}_obsoletes:Obsoletes: %%{kernel%{?1:_%{1}}_obsoletes}}}\
 %{expand:%%{?kernel%{?1:_%{1}}_provides:Provides: %%{kernel%{?1:_%{1}}_provides}}}\
