Allow multiple signing certs

build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi

@@ -52,6 +52,8 @@
                     <hkd_cert name="/var/lib/se-certs/HKD-8562-024B878.crt"/>
                     <hkd_ca_cert name="/var/lib/se-certs/DigiCertCA.crt"/>
                     <hkd_sign_cert name="/var/lib/se-certs/ibm-z-host-key-signing-gen2.crt"/>
+                    <hkd_sign_cert name="/var/lib/se-certs/ibm-z-host-key-signing.crt"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
                     <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key-gen2.crl"/>
                     <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
                     <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>

kiwi/bootloader/config/grub2.py

@@ -823,7 +823,7 @@ def _setup_default_grub(self):
             grub_default_entries['SUSE_S390_SE_HOST_KEY'] = \
                 ','.join(self.host_key_certificates['hkd_cert'])
             grub_default_entries['SUSE_S390_SE_HOST_KEY_SIGNING_KEY'] = \
-                self.host_key_certificates['hkd_sign_cert'][0]
+                ','.join(self.host_key_certificates['hkd_sign_cert'])
             grub_default_entries['SUSE_S390_SE_CA_CERT'] = \
                 self.host_key_certificates['hkd_ca_cert'][0]
             if self.host_key_certificates.get('hkd_revocation_list'):

kiwi/bootloader/config/zipl.py

@@ -90,9 +90,11 @@ def setup_loader(self, target: str) -> None:
                 '-i', self.custom_args['kernel'],
                 '-r', self.custom_args['initrd'],
                 '-p', hkd_parm_file.name.replace(root_dir, ''),
-                '--cert', host_key_certificates['hkd_sign_cert'][0],
                 '--cert', host_key_certificates['hkd_ca_cert'][0]
             ]
+            for sign_key in host_key_certificates.get('hkd_sign_cert'):
+                genprotimg.append('--cert')
+                genprotimg.append(sign_key)
             for host_key in host_key_certificates.get('hkd_cert'):
                 genprotimg.append('-k')
                 genprotimg.append(host_key)

kiwi/schema/kiwi.rnc

@@ -3266,7 +3266,7 @@ div {
             k.securelinux.attlist &
             k.hkd_cert+ &
             k.hkd_ca_cert &
-            k.hkd_sign_cert &
+            k.hkd_sign_cert+ &
             k.hkd_revocation_list*
         }
         >> sch:pattern [

kiwi/schema/kiwi.rng

@@ -4888,7 +4888,9 @@ of the bootloader process</a:documentation>
             <ref name="k.hkd_cert"/>
           </oneOrMore>
           <ref name="k.hkd_ca_cert"/>
-          <ref name="k.hkd_sign_cert"/>
+          <oneOrMore>
+            <ref name="k.hkd_sign_cert"/>
+          </oneOrMore>
           <zeroOrMore>
             <ref name="k.hkd_revocation_list"/>
           </zeroOrMore>

test/unit/bootloader/config/zipl_test.py

@@ -125,8 +125,8 @@ def test_setup_loader(
                     '-i', 'bootpath/kernel-filename',
                     '-r', 'bootpath/initrd-name',
                     '-p', temporary.name.replace('system_root_mount', ''),
-                    '--cert', '/path/to/ibm-z-host-key-signing.crt',
                     '--cert', '/path/to/DigiCertCA.crt',
+                    '--cert', '/path/to/ibm-z-host-key-signing.crt',
                     '-k', '/path/to/host.crt',
                     '--crl', '/path/to/revocation-list.crl'
                 ]