redhat: revert to using redhatsecureboot504 for RHEL UKI

JIRA: https://issues.redhat.com/browse/RHEL-122230
Upstream Status: RHEL only

Azure CVM instances use Full Disk Encryption with the volume key
sealed to PCR7, updating the certificate requires additional action.
Restore the status quo for now.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>

Author: vittyvk

redhat/Makefile

@@ -644,6 +644,7 @@ sources-rh: $(TARBALL) generate-testpatch-tmp setup-source dist-configs-check
 		README.rst \
 		kernel-local \
 		dracut-virt.conf \
+		keys/redhatsecureboot504.cer \
 		$(SOURCES)/
 	@cat $$(ls -1 $(PACKAGE_NAME).changelog-* | sort -t '.' -k 3 -n -r) \
 		> $(SOURCES)/kernel.changelog

redhat/kernel.spec.template

@@ -902,6 +902,9 @@ Source150: dracut-virt.conf
 Source151: uki_create_addons.py
 Source152: uki_addons.json
 
+# Temporary use redhatsecureboot504 for x86 UKI, see RHEL-122230
+Source153: redhatsecureboot504.cer
+
 Source200: check-kabi
 
 Source201: Module.kabi_aarch64
@@ -2417,10 +2420,12 @@ BuildKernel() {
 
 %if 0%{?centos}
 	UKI_secureboot_name=centossecureboot204
+	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 %else
-	UKI_secureboot_name=redhatsecureboot804
+	# RHEL only builds UKI for x86
+	UKI_secureboot_name=redhatsecureboot504
+	UKI_secureboot_cert=%{SOURCE153}
 %endif
-	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
         if [ ! -s $KernelUnifiedImage.signed ]; then
@@ -2435,6 +2440,9 @@ BuildKernel() {
         mv $addon.signed $addon
       done
 
+      mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+      cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer
+
 # signkernel
 %endif