Use CONFIG_SYSTEM_TRUSTED_KEYS for propper configuration of trusted keys (currently no keys were trusted)

kernel.spec

@@ -11,7 +11,7 @@
 %define sublevel	11
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		1
+%define rpmrel		2
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -88,6 +88,7 @@
 %define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd
 %define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem
 %define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
+%define certs_public_keys %{certs_dir_rnd}/public.pem
 %define certs_verify_tmp %{certs_dir_rnd}/verify.tmp
 ############################################################################
 
@@ -791,6 +792,9 @@ echo CONFIG_MODULE_SIG_ALL=y >> .config
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
 # Set path to the key that will be generated later by openssl
 echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
+# Set path to one PEM file with all keys that the kernel must trust
+sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
+echo CONFIG_SYSTEM_TRUSTED_KEYS="%{certs_public_keys}" >> .config
 
 # Memory wiping
 # Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
@@ -918,11 +922,16 @@ openssl req -new -nodes -utf8 -batch -x509 \
 	-out "%{certs_signing_key_rnd}" \
 	-keyout "%{certs_signing_key_rnd}"
 
+# Strip public part from the generated PEM
+sed -n \
+	'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' \
+	"%{certs_signing_key_rnd}" > "%{certs_public_keys}"
+
 %if %{with additional_keys}
 # Add additional public keys to the list of trusted keys for kernel modules
 # Build kernel --without additional_keys if you do not want to trust them
 cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
-	>> "%{certs_signing_key_rnd}"
+	>> "%{certs_public_keys}"
 %endif #endif additional_keys
 %endif #endif enhanced_security