Limit chain of signing to z16 only

schaefi · schaefi · commit 2b7380f73824 · 2024-11-18T12:50:11.000+01:00
genprotimg currently only allows one signing key
diff --git a/build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi b/build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi
@@ -44,15 +44,18 @@
             </oemconfig>
             <bootloader name="zipl" timeout="10">
                 <securelinux>
+                    <!-- gen2 z16 certificates -->
                     <hkd_cert name="/var/lib/se-certs/HKD-3932-02967D8.crt"/>
                     <hkd_cert name="/var/lib/se-certs/HKD-3932-02967F8.crt"/>
                     <hkd_cert name="/var/lib/se-certs/HKD-3932-0296878.crt"/>
+                    <hkd_sign_cert name="/var/lib/se-certs/ibm-z-host-key-signing-gen2.crt"/>
+                    <!-- gen1 z15 certificates
                     <hkd_cert name="/var/lib/se-certs/HKD-8562-024B858.crt"/>
                     <hkd_cert name="/var/lib/se-certs/HKD-8562-024B868.crt"/>
                     <hkd_cert name="/var/lib/se-certs/HKD-8562-024B878.crt"/>
-                    <hkd_ca_cert name="/var/lib/se-certs/DigiCertCA.crt"/>
-                    <hkd_sign_cert name="/var/lib/se-certs/ibm-z-host-key-signing-gen2.crt"/>
                     <hkd_sign_cert name="/var/lib/se-certs/ibm-z-host-key-signing.crt"/>
+                    -->
+                    <hkd_ca_cert name="/var/lib/se-certs/DigiCertCA.crt"/>
                     <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
                     <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key-gen2.crl"/>
                     <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
