From f2ae0ff58e35ff5bed880c788d767af26da4ce3b Mon Sep 17 00:00:00 2001
From: Eduard Abdullin <55892454+eabdullin1@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:10:27 +0300
Subject: [PATCH 1/2] Import OL kernel-5.14.0-362.24.1.el9_3
---
 .gitignore | 6 +-
 .kernel.metadata | 6 +-
 SOURCES/1000-debrand-some-messages.patch | 58 ++++
 SOURCES/Makefile.rhelver | 2 +-
 ...34729535-change-certified-hw-message.patch | 19 +
 SOURCES/x509.genkey.rhel | 6 +-
 SPECS/kernel.spec | 327 +++++++++++++++---
 7 files changed, 375 insertions(+), 49 deletions(-)
 create mode 100644 SOURCES/1000-debrand-some-messages.patch
 create mode 100644 SOURCES/bug34729535-change-certified-hw-message.patch
diff --git a/.gitignore b/.gitignore
index 4ea8105..83434f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
-SOURCES/kernel-abi-stablelists-5.14.0-362.18.1.el9_3.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-362.18.1.el9_3.tar.bz2
-SOURCES/linux-5.14.0-362.18.1.el9_3.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-362.24.1.el9_3.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-362.24.1.el9_3.tar.bz2
+SOURCES/linux-5.14.0-362.24.1.el9_3.tar.xz
 SOURCES/rheldup3.x509
 SOURCES/rhelima.x509
 SOURCES/rhelima_centos.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index a441e4c..c1d35b2 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,6 +1,6 @@
-f823c58b7a797113dec1a2863f3efb9b13a5db01 SOURCES/kernel-abi-stablelists-5.14.0-362.18.1.el9_3.tar.bz2
-b1d3fe4cf0e3d6db2cb96fc8dc3ccf21cf29b12d SOURCES/kernel-kabi-dw-5.14.0-362.18.1.el9_3.tar.bz2
-4c7324ab3eed522ca5d7e0fcee0bfa891ef73328 SOURCES/linux-5.14.0-362.18.1.el9_3.tar.xz
+6b3b73a0e5ee8afc75ff184e7579cf193d12e333 SOURCES/kernel-abi-stablelists-5.14.0-362.24.1.el9_3.tar.bz2
+2dbea40d3654901f0bdc4bb48351f07d4590c1c4 SOURCES/kernel-kabi-dw-5.14.0-362.24.1.el9_3.tar.bz2
+aa929675bd46443ba8d0036b9247514be09efc00 SOURCES/linux-5.14.0-362.24.1.el9_3.tar.xz
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
 61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/rhelima_centos.x509
diff --git a/SOURCES/1000-debrand-some-messages.patch b/SOURCES/1000-debrand-some-messages.patch
new file mode 100644
index 0000000..48fbd53
--- /dev/null
+++ b/SOURCES/1000-debrand-some-messages.patch
@@ -0,0 +1,58 @@ +From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001 +From: Louis Abel +Date: Wed, 20 Sep 2023 14:16:05 -0700 +Subject: [PATCH] debrand some messages + +Modified-by: Alex Burmashev +--- + kernel/rh_shadowman.c | 55 ++++++++++++++++++++++--------------------- + 4 files changed, 34 insertions(+), 33 deletions(-) + +diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c +index 018d5c633..d05ea0790 100644 +--- a/kernel/rh_shadowman.c ++++ b/kernel/rh_shadowman.c +@@ -1,39 +1 @@ +-#include +-#include +-#include +- +-/* Display a shadowman logo on the console screen */ +-static int __init rh_shadowman(char *str) +-{ +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n"); +- pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n"); +- pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRR. .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRR~ .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n"); +- pr_info("R,```` RRR8 .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RR ORRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRR ,HHtaa HRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRO. .RRRRO. . 
.RRRRRRR\n"); +- pr_info("RRRRRR ,RRHh, :RRRRRRRR\n"); +- pr_info("RRRRRRRR HRR :RRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRr .. ,RRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRt . .HRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRr. =RRRRRRRRRRRRRRRRRRRR\n"); +- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); +- pr_info(" "); +- pr_info(" Long Live Shadowman!"); +- pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273"); +- pr_info(" "); +- return 1; +-} +- +-__setup("shadowman", rh_shadowman); ++// This file has been intentionally left blank +-- +2.41.0 + diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver index c7ea6d5..6ded206 100644 --- a/SOURCES/Makefile.rhelver +++ b/SOURCES/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 3 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 362.18.1 +RHEL_RELEASE = 362.24.1 # # ZSTREAM diff --git a/SOURCES/bug34729535-change-certified-hw-message.patch b/SOURCES/bug34729535-change-certified-hw-message.patch new file mode 100644 index 0000000..db0b136 --- /dev/null +++ b/SOURCES/bug34729535-change-certified-hw-message.patch 
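Review bot: The embedded patch's diffstat disagrees with its own hunk: the trailer says `4 files changed, 34 insertions(+), 33 deletions(-)` and `kernel/rh_shadowman.c | 55`, while the only hunk present is `@@ -1,39 +1 @@` on that one file (39 deletions, 1 insertion), so the trailer looks carried over from an earlier revision and should be regenerated so reviewers can trust it. The new file body is a single `//` comment; if `kernel/rh_shadowman.c` is still listed in the kernel's Makefile (not visible here) it now compiles as an empty translation unit, which `-Wpedantic` warns about, so removing it from the build list would be the cleaner debrand. The deleted `__setup("shadowman", rh_shadowman)` also means a `shadowman` boot parameter is no longer consumed by the kernel, which is presumably intended but worth a line in the patch description.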
@@ -0,0 +1,19 @@ +Update message about certified hardware list. + +Orabug: 34729535 + +Signed-off-by: Kevin Lyons +Reviewed-by: Laurence Rochfort +--- +diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c +--- linux-5.14.0-160.el8.x86_64.orig/init/main.c 2022-08-25 13:57:06.000000000 -0700 ++++ linux-5.14.0-160.el8.x86_64/init/main.c 2022-10-26 13:15:39.700724777 -0700 +@@ -936,7 +936,7 @@ + boot_cpu_init(); + page_address_init(); + pr_notice("%s", linux_banner); +- pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n"); ++ pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n"); + early_security_init(); + setup_arch(&command_line); + setup_boot_config(); diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel index b1bbe38..5b7056d 100644 --- a/SOURCES/x509.genkey.rhel +++ b/SOURCES/x509.genkey.rhel @@ -5,9 +5,9 @@ prompt = no x509_extensions = myexts [ req_distinguished_name ] -O = Red Hat -CN = Red Hat Enterprise Linux kernel signing key -emailAddress = secalert@redhat.com +O = Oracle America, Inc.,c=US +CN = Oracle CA Server +emailAddress = support@oracle.com [ myexts ] basicConstraints=critical,CA:FALSE diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 9c156f8..af35785 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -104,7 +104,7 @@ Summary: The Linux kernel %if 0%{?fedora} %define secure_boot_arch x86_64 %else -%define secure_boot_arch x86_64 aarch64 s390x ppc64le +%define secure_boot_arch x86_64 s390x ppc64le %endif # Signing for secure boot authentication 
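Review bot: `O = Oracle America, Inc.,c=US` folds a country component into the organization attribute; in an openssl `req` config each RDN attribute is its own key under `[ req_distinguished_name ]`, so the literal text `,c=US` becomes part of O rather than a `C` attribute of the subject. If a country is wanted, write `O = Oracle America, Inc.` and a separate `C = US` line. `CN = Oracle CA Server` also names this certificate as a CA even though the same file keeps `basicConstraints=critical,CA:FALSE`; a CN that identifies it as the build's kernel/module signing key would be less misleading to anyone inspecting the kernel's trusted keyring.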
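Review bot: Dropping `aarch64` from `secure_boot_arch` ships aarch64 kernels without a Secure Boot signature, so they will be refused by shim/firmware on hosts enforcing UEFI Secure Boot and no longer get the lockdown posture a signed kernel is given, and nothing in the spec records why. The changelog entry `Disable signing for aarch64` states the what but not the why; a comment directly above the `%define`, e.g. `# aarch64 left out of secure_boot_arch: <reason or ticket id>`, would keep a future rebase from silently restoring or perpetuating this. If this is temporary, the comment should say so.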
@@ -124,11 +124,11 @@ Summary: The Linux kernel %global zipmodules 1 %endif -%ifarch x86_64 -%global efiuki 1 -%else +#%ifarch x86_64 +#%global efiuki 1 +#%else %global efiuki 0 -%endif +#%endif %if %{zipmodules} %global zipsed -e 's/\.ko$/\.ko.xz/' @@ -161,15 +161,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 362.18.1 +%define pkgrelease 362.24.1 %define kversion 5 -%define tarfile_release 5.14.0-362.18.1.el9_3 +%define tarfile_release 5.14.0-362.24.1.el9_3 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 362.18.1%{?buildid}%{?dist} +%define specrelease 362.24.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-362.18.1.el9_3 +%define kabiversion 5.14.0-362.24.1.el9_3 # # End of genspec.sh variables @@ -643,6 +643,9 @@ Requires: kernel-modules-core-uname-r = %{KVERREL} Provides: installonlypkg(kernel) %endif +Provides: oracle(kernel-sig-key) == 202204 +Conflicts: shim-ia32 <= 15.3-1.0.5.el9 +Conflicts: shim-x64 <= 15.3-1.0.5.el9 # # List the packages used during the kernel build 
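Review bot: Commenting out `%ifarch x86_64` / `%global efiuki 1` / `%else` / `%endif` with a leading `#` does not neutralise them: on the rpm versions I know of, macros on comment lines are still expanded (with a `Macro expanded in comment on line N` warning), so `#%global efiuki 1` defines `efiuki` as 1 and only the surviving `%global efiuki 0` on the next line overrides it, while the `#%ifarch`/`#%endif` pair no longer brackets anything. The result is the intended 0, but it depends on line order and adds build warnings; replacing the five lines with a single `%global efiuki 0` plus a comment saying UKI packaging is disabled is the robust form. If the old lines are kept as comments, double the percent signs (`#%%ifarch x86_64`, `#%%global efiuki 1`) so nothing expands.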
@@ -799,30 +802,10 @@ Source1: Makefile.rhelver %if %{signkernel} -# Name of the packaged file containing signing key -%ifarch ppc64le -%define signing_key_filename kernel-signing-ppc.cer -%endif -%ifarch s390x -%define signing_key_filename kernel-signing-s390.cer -%endif - %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer -%if 0%{?centos} -%define pesign_name_0 centossecureboot201 -%else -%ifarch x86_64 aarch64 -%define pesign_name_0 redhatsecureboot501 -%endif -%ifarch s390x -%define pesign_name_0 redhatsecureboot302 -%endif -%ifarch ppc64le -%define pesign_name_0 redhatsecureboot701 -%endif -%endif +%define pesign_name_0 OracleSecureBootkernelsigningkey2 # signkernel %endif @@ -906,19 +889,26 @@ Source101: rhelkpatch1.x509 Source102: rhelimaca1.x509 Source103: rhelima.x509 Source104: rhelima_centos.x509 +# Oracle Linux IMA CA certificate +Source105: olimaca1.x509 +# Oracle Linux IMA signing certificate +Source106: olima1.x509 %if 0%{?centos} %define ima_signing_cert %{SOURCE104} %else %define ima_signing_cert %{SOURCE103} +%define ima_signing_cert_ol %{SOURCE106} %endif + %define ima_cert_name ima.cer +%define ima_cert_name_ol ima_ol.cer Source150: dracut-virt.conf # Remove this when https://bugzilla.redhat.com/show_bug.cgi?id=2225009 gets resolved -Source151: uki-sb-cert-x86_64-centos.crt -Source152: uki-sb-cert-x86_64-rhel.crt +#Source151: uki-sb-cert-x86_64-centos.crt +#Source152: uki-sb-cert-x86_64-rhel.crt Source200: check-kabi @@ -953,6 +943,9 @@ Source4000: README.rst Source4001: rpminspect.yaml Source4002: gating.yaml +# Oracle Linux RHCK Module Signing Key +Source5001: olkmod_signing_key.pem + ## Patches needed for building this package %if !%{nopatches} 
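Review bot: The per-arch `signing_key_filename` definitions for ppc64le and s390x are removed, but nothing in this hunk removes their uses; if `%{signing_key_filename}` is still referenced later in the spec (outside what is shown), it will now expand to the literal macro text and break the install step on those arches, so it is worth grepping the spec for that name before merging. The single `%define pesign_name_0 OracleSecureBootkernelsigningkey2` now applies to every arch in `secure_boot_arch`, which presumes the s390x and ppc64le signing backends know that token; a one-line comment such as `# one pesign token for all signed arches; must exist on every signing server` would spare the next person who adds an arch from rediscovering this.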
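Review bot: `%define ima_signing_cert_ol %{SOURCE106}` is only defined in the `%else` branch of `%if 0%{?centos}`, but the install line added later in the spec (the `@@ -2589,6 +2593,8 @@` hunk) runs under `%if 0%{?rhel}`, which CentOS builds also satisfy as far as I know; on that path `%{ima_signing_cert_ol}` is undefined and the `install -m 0644` fails on the literal macro text. Defining it unconditionally, e.g. moving `%define ima_signing_cert_ol %{SOURCE106}` next to `%define ima_cert_name_ol ima_ol.cer`, closes that gap. Note also that `olimaca1.x509` and `olima1.x509` (and `olkmod_signing_key.pem` in the following hunk) are referenced but are not among the seven files this commit touches, nor listed in `.gitignore`/`.kernel.metadata`; unless `[PATCH 2/2]` adds them, the build stops on missing sources.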
@@ -960,8 +953,12 @@ Source4002: gating.yaml Patch1: patch-%{patchversion}-redhat.patch %endif +# Oracle patches +Patch1000: bug34729535-change-certified-hw-message.patch + # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch +Patch1000000: 1000-debrand-some-messages.patch # END OF PATCH DEFINITIONS @@ -1114,10 +1111,10 @@ This package provides debug information for the libperf package. Summary: Assortment of tools for the Linux kernel License: GPLv2 %ifarch %{cpupowerarchs} -Provides: cpupowerutils = 1:009-0.6.p1 +Provides: cpupowerutils = 1:009-0.6.p1 Obsoletes: cpupowerutils < 1:009-0.6.p1 -Provides: cpufreq-utils = 1:009-0.6.p1 -Provides: cpufrequtils = 1:009-0.6.p1 +Provides: cpufreq-utils = 1:009-0.6.p1 +Provides: cpufrequtils = 1:009-0.6.p1 Obsoletes: cpufreq-utils < 1:009-0.6.p1 Obsoletes: cpufrequtils < 1:009-0.6.p1 Obsoletes: cpuspeed < 1:1.5-16 @@ -1140,7 +1137,7 @@ Summary: Assortment of tools for the Linux kernel License: GPLv2 Requires: kernel-tools = %{version}-%{release} %ifarch %{cpupowerarchs} -Provides: cpupowerutils-devel = 1:009-0.6.p1 +Provides: cpupowerutils-devel = 1:009-0.6.p1 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1 %endif Requires: kernel-tools-libs = %{version}-%{release} @@ -1222,7 +1219,7 @@ This package provides debug information for the bpftool package. %package selftests-internal Summary: Kernel samples and selftests License: GPLv2 -Requires: binutils, bpftool, iproute-tc, nmap-ncat, python3, fuse-libs, keyutils +Requires: binutils, bpftool, iproute-tc, python3, fuse-libs, keyutils %description selftests-internal Kernel sample programs and selftests. @@ -1697,7 +1694,9 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif +ApplyPatch bug34729535-change-certified-hw-message.patch ApplyOptionalPatch linux-kernel-test.patch +ApplyOptionalPatch 1000-debrand-some-messages.patch # END OF PATCH APPLICATIONS 
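Review bot: Removing `nmap-ncat` from the `selftests-internal` Requires drops a runtime dependency without a visible change to the selftests that use it; several kernel selftest scripts invoke `nc`/`ncat`, so unless those scripts are patched out elsewhere (the changelog's "Remove nmap references from kernel" suggests such a change, but it is not among the files in this commit), those tests will fail with command-not-found at run time. If the intent is to avoid the nmap package, a comment on the `Requires:` line naming the replacement or the patch that removes the callers would make the dependency change auditable.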
@@ -1775,6 +1774,11 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem > ../certs/rhel.pem +# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list +openssl x509 -inform der -in %{SOURCE105} -out olimaca1.pem +cat olimaca1.pem >> ../certs/rhel.pem +# Add olkmod_signing_key.pem to the kernel trusted certificates list +cat %{SOURCE5001} >> ../certs/rhel.pem %if %{signkernel} %ifarch s390x ppc64le openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem @@ -2575,7 +2579,7 @@ BuildKernel() { # prune junk from kernel-devel find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete - # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel + # UEFI Secure Boot CA cert, which can be used to authenticate the kernel mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer %if %{signkernel} install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer @@ -2589,6 +2593,8 @@ BuildKernel() { %if 0%{?rhel} # Red Hat IMA code-signing cert, which is used to authenticate package files install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name} + # Oracle Linux IMA signing cert + install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol} %endif %if %{signmodules} 
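Review bot: `cat %{SOURCE5001} >> ../certs/rhel.pem` appends a file named `olkmod_signing_key.pem` to the list compiled into the kernel's builtin trusted keyring; that list must contain only X.509 certificates, so confirm the file holds a `-----BEGIN CERTIFICATE-----` block and not the private key its name suggests, ideally by checking it at build time, e.g. `openssl x509 -in %{SOURCE5001} -noout` before the `cat` (the command fails on non-certificate input). The two neighbouring additions go through `openssl x509 -inform der`, so routing SOURCE5001 through `openssl x509` as well keeps the three lines consistent and turns a mispackaged file into a build error instead of a kernel with an unexpected keyring entry. The `>>` appends also rely on each PEM file ending with a newline; without one, `-----END CERTIFICATE-----` fuses with the next `-----BEGIN` and the parser drops that certificate.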
@@ -3754,6 +3760,249 @@ fi # # %changelog +* Fri Mar 15 2024 Craig Guiller - [5.14.0-362.24.1.el9_3.OL9] +- Update Oracle Linux certificates (Kevin Lyons) +- Disable signing for aarch64 (Ilya Okomin) +- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] +- Update x509.genkey [Orabug: 24817676] +- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9 +- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944] +- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] +- Disable unified kernel image package build +- Add Oracle Linux IMA certificates + +* Thu Feb 15 2024 Jan Stancek [5.14.0-362.24.1.el9_3] +- RDMA/mlx5: Fix assigning access flags to cache mkeys (Mohammad Kabat) [RHEL-25242 RHEL-882] +- drm/amdgpu: Fix potential fence use-after-free v2 (Jan Stancek) [RHEL-24501 RHEL-24504 RHEL-22506 RHEL-22507] {CVE-2023-51042} +- ceph: defer stopping mdsc delayed_work (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: never send metrics if disable_send_metrics is set (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: don't let check_caps skip sending responses for revoke msgs (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: issue a cap release immediately if no cap exists (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: trigger to flush the buffer when making snapshot (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: fix blindly expanding the readahead windows (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: add a dedicated private data for netfs rreq (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: voluntarily drop Xx caps for requests those touch parent mtime (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: try to dump the msgs when decoding fails (Xiubo Li) [RHEL-22256 RHEL-16415] +- ceph: only send metrics when the MDS rank is ready (Xiubo Li) [RHEL-22256 RHEL-16415] +- x86/boot: Ignore NMIs during very early boot (Derek Barbosa) [RHEL-24449 RHEL-9380] +- Documentation, mm/unaccepted: document accept_memory 
kernel parameter (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- proc/kcore: do not try to access unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: do not let /proc/vmcore try to access unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/traps: Fix load_unaligned_zeropad() handling for shared TDX memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: Fix off-by-one when checking for overlapping ranges (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/kvm: Do not try to disable kvmclock if it was not enabled (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Mark TSC reliable (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- RHEL: kABI fixup for struct zone (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- RHEL: introduce NR_VM_ZONE_STAT_ITEMS_ACTUAL for kABI-preserving zone stats (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- RHEL: 9.3 kABI fixup for struct efi (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/mm: Fix enc_status_change_finish_noop() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/mm: Allow guest.enc_status_change_prepare() to fail (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/coco: Mark cc_platform_has() and descendants noinstr (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- virt: sevguest: Add CONFIG_CRYPTO dependency (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- mm/page_alloc: make deferred page init free pages in MAX_ORDER blocks (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- mm/page_alloc: fix obsolete comment in deferred_pfn_valid() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Change npages to unsigned long in snp_accept_memory() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: Fix soft lockups caused by parallel memory acceptance (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: Make sure 
unaccepted table is mapped (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/efi: Safely enable unaccepted memory in UEFI (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Add SNP-specific unaccepted memory support (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Use large PSC requests if applicable (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Allow for use of the early boot GHCB for PSC requests (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Put PSC struct on the stack in prep for unaccepted memory support (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/sev: Fix calculation of end address based on number of pages (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Wrap exit reason with hcall_func() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Add unaccepted memory support (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Refactor try_accept_one() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: Avoid load_unaligned_zeropad() stepping into unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: Add unaccepted memory support (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/boot/compressed: Handle unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/unaccepted: Use ACPI reclaim memory for unaccepted memory table (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/libstub: Implement support for unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/x86: Get full memory map in allocate_e820() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- memblock tests: Fix compilation errors. 
(Paolo Bonzini) [RHEL-20808 RHEL-10059] +- mm: Add support for unaccepted memory (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/boot: Centralize __pa()/__va() definitions (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/boot: Add an efi.h header for the decompressor (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Make _tdx_hypercall() and __tdx_module_call() available in boot stub (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Drop flags from __tdx_hypercall() (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Disable NOTIFY_ENABLES (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Relax SEPT_VE_DISABLE check for debug TD (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Use ReportFatalError to report missing SEPT_VE_DISABLE (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- cpuidle, tdx: Make TDX code noinstr clean (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- x86/tdx: Remove TDX_HCALL_ISSUE_STI (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- mm: add pageblock_aligned() macro (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: memmap: Disregard bogus entries instead of returning them (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: memmap: Move manipulation routines into x86 arch tree (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: memmap: Move EFI fake memmap support into x86 arch tree (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: install boot-time memory map as config table (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: remove DT dependency from generic stub (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: unify initrd loading between architectures (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: remove pointless goto kludge (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: simplify efi_get_memory_map() and struct efi_boot_memmap (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: avoid efi_get_memory_map() for allocating the virt map (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: libstub: drop pointless get_memory_map() 
call (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/libstub: move efi_system_table global var into separate object (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi/x86: libstub: remove unused variable (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- efi: Correct comment on efi_memmap_alloc (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- drivers: fix typo in firmware/efi/memmap.c (Paolo Bonzini) [RHEL-20808 RHEL-10059] +- netfilter: nf_tables: skip set commit for deleted/destroyed sets (Phil Sutter) [RHEL-20683 RHEL-20686 RHEL-20214 RHEL-20217] {CVE-2024-0193} +- redhat: add missing -rt JIRAs (Jan Stancek) + +* Thu Feb 08 2024 Jan Stancek [5.14.0-362.23.1.el9_3] +- iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range (Jerry Snitselaar) [RHEL-19382 RHEL-11590] +- arm64/smmu: use TLBI ASID when invalidating entire range (Jerry Snitselaar) [RHEL-19382 RHEL-11590] +- netfilter: nft_set_pipapo: skip inactive elements during set walk (Florian Westphal) [RHEL-20701 RHEL-20709 RHEL-19722 RHEL-19961] {CVE-2023-6817} +- netfilter: nf_tables: split async and sync catchall in two functions (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: remove catchall element in GC sync path (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: expose opaque set element as struct nft_elem_priv (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: set backend .flush always succeeds (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_pipapo: no need to call pipapo_deactivate() from flush (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: work around newrule after chain binding (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix memleak when more than 255 elements expired (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disable toggling dormant table state more than 
once (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disallow element removal on anonymous sets (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disallow rule removal from chain binding (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: defer gc run if previous batch is still pending (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix out of memory error handling (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: use correct lock to protect gc_list (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: GC transaction race with abort path (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: flush pending destroy work before netlink notifier (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_dynset: disallow object maps (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: GC transaction race with netns dismantle (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: don't fail inserts if duplicate has expired (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: deactivate catchall elements in next generation (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix kdoc warnings 
after gc rework (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix false-positive lockdep splat (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: remove busy mark and gc batch API (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_hash: mark set element as dead when deleting from packet path (Florian Westphal) [RHEL-22131 RHEL-22134 RHEL-1720 RHEL-1721] {CVE-2023-4244} +- netfilter: nf_tables: adapt set backend to use GC transaction API (Florian Westphal) [RHEL-22131 RHEL-22134 RHEL-1720 RHEL-1721] {CVE-2023-4244} +- netfilter: nft_set_rbtree: fix overlap expiration walk (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: GC transaction API to avoid race with control plane (Florian Westphal) [RHEL-22131 RHEL-22134 RHEL-1720 RHEL-1721] {CVE-2023-4244} +- netfilter: nf_tables: don't skip expired elements during walk (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: skip bound chain in netns release path (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix spurious set element insertion failure (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: report use refcount overflow (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix underflow in chain reference counter (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disallow timeout for anonymous sets (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disallow updates of anonymous sets (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: reject unbound chain set before commit phase (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: reject unbound anonymous set before commit phase (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: disallow element updates of bound anonymous sets (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: fix underflow in object reference counter (Florian Westphal) [RHEL-22131 
RHEL-1720] +- netfilter: nf_tables: drop map element references from preparation phase (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: validate variable length element extension (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nft_set_pipapo: .walk does not deal with generations (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: relax set/map validation checks (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: integrate pipapo into commit protocol (Florian Westphal) [RHEL-22131 RHEL-1720] +- netfilter: nf_tables: upfront validation of data via nft_data_init() (Florian Westphal) [RHEL-22131 RHEL-1720] +- rbd: don't move requests to the running list on errors (Ilya Dryomov) [RHEL-23863 RHEL-21939] +- ASoC: SOF: intel: hda: Clean up link DMA for IPC3 during stop (Jaroslav Kysela) [RHEL-24033 RHEL-13724] +- platform/x86/intel-uncore-freq: Return error on write frequency (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-freq: Add client processors (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-freq: add Emerald Rapids support (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-freq: Use sysfs_emit() to instead of scnprintf() (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-freq: Prevent driver loading in guests (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-freq: fix uncore_freq_common_init() error codes (David Arcari) [RHEL-15751 2177013] +- Documentation: admin-guide: pm: Document uncore frequency scaling (David Arcari) [RHEL-15751 2177013] +- platform/x86/intel-uncore-freq: Split common and enumeration part (David Arcari) [RHEL-15751 2177013] +- platform/x86/intel/uncore-freq: Display uncore current frequency (David Arcari) [RHEL-15751 2177013] +- platform/x86/intel/uncore-freq: Use sysfs API to create attributes (David Arcari) [RHEL-15751 2177013] +- platform/x86/intel/uncore-freq: Move to uncore-frequency folder (David 
Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-frequency: use default_groups in kobj_type (David Arcari) [RHEL-15751 2177013] +- platform/x86: intel-uncore-frequency: Move to intel sub-directory (David Arcari) [RHEL-15751 2177013] +- Revert "platform/x86: intel-uncore-freq: add Emerald Rapids support" (David Arcari) [RHEL-15751 2177013] +- iommu/iova: Manage the depot list size (Jay Shin) [RHEL-21517 RHEL-11148] +- iommu/iova: Make the rcache depot scale better (Jay Shin) [RHEL-21517 RHEL-11148] +- drm/amd/pm: Fix error of MACO flag setting code (Michel Dänzer) [RHEL-16741 RHEL-16742 RHEL-14571 RHEL-15927] +- drm/amd: Fix detection of _PR3 on the PCIe root port (Michel Dänzer) [RHEL-16741 RHEL-16742 RHEL-14571 RHEL-15927] + +* Thu Feb 01 2024 Jan Stancek [5.14.0-362.22.1.el9_3] +- usb: typec: ucsi: Use GET_CAPABILITY attributes data to set power supply scope (Desnes Nunes) [RHEL-21838 RHEL-14573] +- KVM: SVM: Do not use user return MSR support for virtualized TSC_AUX (Paolo Bonzini) [RHEL-20415 RHEL-16384] +- KVM: SVM: Fix TSC_AUX virtualization setup (Paolo Bonzini) [RHEL-20415 RHEL-16384] +- KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway (Paolo Bonzini) [RHEL-20415 RHEL-16384] +- net: tls, update curr on splice as well (Sabrina Dubroca) [RHEL-22094 RHEL-22097 RHEL-19066 RHEL-19067] {CVE-2024-0646} +- smb: client: fix OOB in smbCalcSize() (Scott Mayhew) [RHEL-21664 RHEL-21669 RHEL-18992 RHEL-18993] {CVE-2023-6606} +- NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server (Jeffrey Layton) [RHEL-22284 RHEL-7936] +- NFSv4.1: fix zero value filehandle in post open getattr (Jeffrey Layton) [RHEL-22284 RHEL-7936] +- NFSv4.1: fix pnfs MDS=DS session trunking (Jeffrey Layton) [RHEL-22284 RHEL-7936] +- NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server (Jeffrey Layton) [RHEL-22284 RHEL-7936] +- nvmet-tcp: Fix the H2C expected PDU len calculation (Maurizio Lombardi) [RHEL-22290 RHEL-22292 RHEL-22627 RHEL-22629 RHEL-22632 RHEL-22636 RHEL-19150 
RHEL-19153 RHEL-19156 RHEL-19159 RHEL-19162 RHEL-19165] {CVE-2023-6356 CVE-2023-6535 CVE-2023-6536} +- nvmet-tcp: remove boilerplate code (Maurizio Lombardi) [RHEL-22290 RHEL-22292 RHEL-22627 RHEL-22629 RHEL-22632 RHEL-22636 RHEL-19150 RHEL-19153 RHEL-19156 RHEL-19159 RHEL-19162 RHEL-19165] {CVE-2023-6356 CVE-2023-6535 CVE-2023-6536} +- nvmet-tcp: fix a crash in nvmet_req_complete() (Maurizio Lombardi) [RHEL-22290 RHEL-22292 RHEL-22627 RHEL-22629 RHEL-22632 RHEL-22636 RHEL-19150 RHEL-19153 RHEL-19156 RHEL-19159 RHEL-19162 RHEL-19165] {CVE-2023-6356 CVE-2023-6535 CVE-2023-6536} +- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length (Maurizio Lombardi) [RHEL-22290 RHEL-22292 RHEL-22627 RHEL-22629 RHEL-22632 RHEL-22636 RHEL-19150 RHEL-19153 RHEL-19156 RHEL-19159 RHEL-19162 RHEL-19165] {CVE-2023-6356 CVE-2023-6535 CVE-2023-6536} +- ice: dpll: fix phase offset value (Petr Oros) [RHEL-17652 RHEL-15789] +- dpll: netlink/core: change pin frequency set behavior (Petr Oros) [RHEL-17652 RHEL-15789] +- ice: dpll: implement phase related callbacks (Petr Oros) [RHEL-17652 RHEL-15789] +- dpll: netlink/core: add support for pin-dpll signal phase offset/adjust (Petr Oros) [RHEL-17652 RHEL-15789] +- dpll: spec: add support for pin-dpll signal phase offset/adjust (Petr Oros) [RHEL-17652 RHEL-15789] +- dpll: docs: add support for pin signal phase offset/adjust (Petr Oros) [RHEL-17652 RHEL-15789] +- netlink: specs: remove redundant type keys from attributes in subsets (Petr Oros) [RHEL-17652 RHEL-15789] +- md/raid6: use valid sector values to determine if an I/O should wait on the reshape (Nigel Croxon) [RHEL-20933 RHEL-17276] + +* Thu Jan 25 2024 Jan Stancek [5.14.0-362.21.1.el9_3] +- x86/microcode: do not cache microcode if it will not be used (Paolo Bonzini) [RHEL-21567 RHEL-16225] +- x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Remove hv_isolation_type_en_snp (Vitaly Kuznetsov) 
[RHEL-21441 2176350] +- x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor (Vitaly Kuznetsov) [RHEL-21441 2176350] +- Drivers: hv: vmbus: Bring the post_msg_page back for TDX VMs with the paravisor (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Introduce a global variable hyperv_paravisor_present (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add missing 'inline' to hv_snp_boot_ap() stub (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Mark hv_ghcb_terminate() as noreturn (Vitaly Kuznetsov) [RHEL-21441 2176350] +- Drivers: hv: vmbus: Support >64 VPs for a fully enlightened TDX/SNP VM (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests (Vitaly Kuznetsov) [RHEL-21441 2176350] +- Drivers: hv: vmbus: Support fully enlightened TDX guests (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Support hypercalls for fully enlightened TDX guests (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add hv_isolation_type_tdx() to detect TDX guests (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Fix undefined reference to isolation_type_en_snp without CONFIG_HYPERV (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add smp support for SEV-SNP guest (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add VTL specific structs and hypercalls (Vitaly Kuznetsov) [RHEL-21441 2176350] +- clocksource: hyper-v: Mark hyperv tsc page unencrypted in sev-snp enlightened guest (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp enlightened guest (Vitaly Kuznetsov) [RHEL-21441 2176350] +- drivers: hv: Mark percpu hvcall input arg page unencrypted in SEV-SNP enlightened guest (Vitaly Kuznetsov) [RHEL-21441 2176350] +- Drivers: hv: vmbus: Remove the per-CPU post_msg_page (Vitaly Kuznetsov) [RHEL-21441 
2176350] +- x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened guest (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Set Virtual Trust Level in VMBus init message (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/hyperv: Add sev-snp enlightened guest static key (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/tdx: Do not corrupt frame-pointer in __tdx_hypercall() (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/tdx: Expand __tdx_hypercall() to handle more arguments (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/tdx: Refactor __tdx_hypercall() to allow pass down more arguments (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/tdx: Add more registers to struct tdx_hypercall_args (Vitaly Kuznetsov) [RHEL-21441 2176350] +- x86/tdx: Fix typo in comment in __tdx_hypercall() (Vitaly Kuznetsov) [RHEL-21441 2176350] +- blk-mq: don't count completed flush data request as inflight in case of quiesce (Ming Lei) [RHEL-19105 RHEL-18054] +- NFS: Use parent's objective cred in nfs_access_login_time() (Jay Shin) [RHEL-22147 RHEL-16024] +- s390/qeth: Don't call dev_close/dev_open (DOWN/UP) (Tobias Huschle) [RHEL-17887 RHEL-2412] +- smb: client: fix potential OOB in smb2_dump_detail() (Scott Mayhew) [RHEL-19146 RHEL-21679 RHEL-19147 RHEL-21677] {CVE-2023-6610} +- smb: client: fix potential OOB in cifs_dump_detail() (Scott Mayhew) [RHEL-19146 RHEL-21679 RHEL-19147 RHEL-21677] {CVE-2023-6610} +- x86/sev: Do not handle #VC for DR7 read/write (Paolo Bonzini) [RHEL-21885 RHEL-15069] +- x86/sev: Use the GHCB protocol when available for SNP CPUID requests (Paolo Bonzini) [RHEL-21885 RHEL-15069] + +* Thu Jan 18 2024 Jan Stancek [5.14.0-362.20.1.el9_3] +- s390/dasd: print copy pair message only for the correct error (Tobias Huschle) [RHEL-11980 RHEL-2833] +- x86/microcode/AMD: Rip out static buffers (David Arcari) [RHEL-14590 RHEL-10030] +- x86/microcode/AMD: Load late on both threads too (David Arcari) [RHEL-14590 RHEL-10030] +- x86/microcode/amd: Remove unneeded pointer 
arithmetic (David Arcari) [RHEL-14590 RHEL-10030] +- x86/microcode/AMD: Get rid of __find_equiv_id() (David Arcari) [RHEL-14590 RHEL-10030] +- docs: move x86 documentation into Documentation/arch/ (David Arcari) [RHEL-14590 RHEL-10030] +- x86/microcode/AMD: Handle multiple glued containers properly (David Arcari) [RHEL-14590 RHEL-10030] +- mm: Fix copy_from_user_nofault(). (Waiman Long) [RHEL-18946 RHEL-18440] +- redhat: rewrite genlog and support Y- tags (Jan Stancek) + +* Wed Jan 10 2024 Jan Stancek [5.14.0-362.19.1.el9_3] +- redhat: fix kernel changelog entry for RHEL-16560 (Jan Stancek) +- perf/core: Fix potential NULL deref (Wander Lairson Costa) [RHEL-18087 RHEL-18088 RHEL-14984 RHEL-14985] {CVE-2023-5717} +- perf: Disallow mis-matched inherited group reads (Wander Lairson Costa) [RHEL-18087 RHEL-18088 RHEL-14984 RHEL-14985] {CVE-2023-5717} + * Wed Jan 03 2024 Jan Stancek [5.14.0-362.18.1.el9_3] - nfp: fix use-after-free in area_cache_get() (Ricardo Robaina) [RHEL-19456 RHEL-19536 RHEL-6566 RHEL-7241] {CVE-2022-3545} - rtla: Fix uninitialized variable found (John Kacur) [RHEL-18360 RHEL-10079] @@ -3848,7 +4097,7 @@ fi - Revert "drm/vmwgfx: Fix Legacy Display Unit atomic drm support" (Jocelyn Falempe) [RHEL-14511 RHEL-14515 RHEL-14512 RHEL-14516] {CVE-2023-5633} * Thu Dec 07 2023 Jan Stancek [5.14.0-362.15.1.el9_3] -- drm/mgag200: Flush the cache to improve latency (Jocelyn Falempe) [RHEL-16560] +- drm/mgag200: Flush the cache to improve latency (Jocelyn Falempe) [RHEL-16560 RHEL-16556] - sched/fair: Make the BW replenish timer expire in hardirq context for PREEMPT_RT (Valentin Schneider) [RHEL-16842 RHEL-7232] - net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve (Davide Caratti) [RHEL-16893 RHEL-16894 RHEL-14233 RHEL-16617] {CVE-2023-4623} - net/sched: sch_hfsc: Ensure inner classes have fsc curve (Davide Caratti) [RHEL-16893 RHEL-16894 RHEL-14233 RHEL-16617] {CVE-2023-4623} 
From f231af178e1414e9d62dde59852c26c7d7d11912 Mon Sep 17 00:00:00 2001 From: Eduard Abdullin <55892454+eabdullin1@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:13:42 +0300 Subject: [PATCH 2/2] Revert OL changes --- SOURCES/1000-debrand-some-messages.patch | 58 ------------- ...34729535-change-certified-hw-message.patch | 19 ----- SOURCES/x509.genkey.rhel | 6 +- SPECS/kernel.spec | 85 ++++++++----------- 4 files changed, 37 insertions(+), 131 deletions(-) delete mode 100644 SOURCES/1000-debrand-some-messages.patch delete mode 100644 SOURCES/bug34729535-change-certified-hw-message.patch diff --git a/SOURCES/1000-debrand-some-messages.patch b/SOURCES/1000-debrand-some-messages.patch deleted file mode 100644 index 48fbd53..0000000 --- a/SOURCES/1000-debrand-some-messages.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 6ca79c451f7508fc1916113fd0cdba2140c14818 Mon Sep 17 00:00:00 2001 -From: Louis Abel -Date: Wed, 20 Sep 2023 14:16:05 -0700 -Subject: [PATCH] debrand some messages - -Modified-by: Alex Burmashev ---- - kernel/rh_shadowman.c | 55 ++++++++++++++++++++++--------------------- - 4 files changed, 34 insertions(+), 33 deletions(-) - -diff --git a/kernel/rh_shadowman.c b/kernel/rh_shadowman.c -index 018d5c633..d05ea0790 100644 ---- a/kernel/rh_shadowman.c -+++ b/kernel/rh_shadowman.c -@@ -1,39 +1 @@ --#include --#include --#include -- --/* Display a shadowman logo on the console screen */ --static int __init rh_shadowman(char *str) --{ -- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRRRRRRrrrrrrrrrrrrrrrORHRrrHRRRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRRRRHrr8rrrrrrrrrrrrrrrrrrrrhRRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRHRRRRRRRRRRRrrHRHRRRHHHrrrrrrrrrrrrrHRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRRRHrrrrrHrrrrrrrrrrrrrrrrrrrrRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRHh88hhRHrrrrrrrrrrrrrrrrrrrrrrrrrrHRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRrrrrrrrrrRHRH8rrrrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRH8rrrrrrrrrrRHRRRRRRRRRHrrrrrrrrrrrrrrrrRrhHRHRRRRRRRRRR\n"); -- pr_info("RRRRRROrrrrrrrrrrrORRRRRRRRRRRrrrrrrrrrrrrrHrrrrrrhRRRRRRRRR\n"); -- pr_info("RRRRRRRROrrrrrrrrrrrrrrr8RRRRHRrrrrrrrrrrrrrrrrrrrrrHRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRHhrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRH. .HHHrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRR. .RRhRRHH8rrrrrrrrrrrrrrrrrrrrr8RRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRR~ .RRRRRRRRRHHh8OOOOO8HRRHRRRRRRRRRRRRRRR\n"); -- pr_info("R,```` RRR8 .hHRRRh\\hHH:=HRh.RRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RR ORRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRR ,HHtaa HRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRO. .RRRRO. . 
.RRRRRRR\n"); -- pr_info("RRRRRR ,RRHh, :RRRRRRRR\n"); -- pr_info("RRRRRRRR HRR :RRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRr .. ,RRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRt . .HRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRRRRRr. =RRRRRRRRRRRRRRRRRRRR\n"); -- pr_info("RRRRRRRRRRRRRRRRRRRRRRRRHHr: .:tRhRRRRRRRRRRRRRRRRRRRRRRRRRR\n"); -- pr_info(" "); -- pr_info(" Long Live Shadowman!"); -- pr_info("576527726520686972696e6721a68747470733a2f2f7777772e7265646861742e636f6d2f6a6f6273"); -- pr_info(" "); -- return 1; --} -- --__setup("shadowman", rh_shadowman); -+// This file has been intentionally left blank --- -2.41.0 - diff --git a/SOURCES/bug34729535-change-certified-hw-message.patch b/SOURCES/bug34729535-change-certified-hw-message.patch deleted file mode 100644 index db0b136..0000000 --- a/SOURCES/bug34729535-change-certified-hw-message.patch +++ /dev/null @@ -1,19 +0,0 @@ -Update message about certified hardware list. - -Orabug: 34729535 - -Signed-off-by: Kevin Lyons -Reviewed-by: Laurence Rochfort ---- -diff -ruN linux-5.14.0-160.el8.x86_64.orig/init/main.c linux-5.14.0-160.el8.x86_64/init/main.c ---- linux-5.14.0-160.el8.x86_64.orig/init/main.c 2022-08-25 13:57:06.000000000 -0700 -+++ linux-5.14.0-160.el8.x86_64/init/main.c 2022-10-26 13:15:39.700724777 -0700 -@@ -936,7 +936,7 @@ - boot_cpu_init(); - page_address_init(); - pr_notice("%s", linux_banner); -- pr_notice("The list of certified hardware and cloud instances for Red Hat Enterprise Linux 9 can be viewed at the Red Hat Ecosystem Catalog, https://catalog.redhat.com.\n"); -+ pr_notice("The list of certified hardware for Oracle Linux 9 can be viewed at the Oracle Linux Certification List https://linux.oracle.com/hardware-certifications\n"); - early_security_init(); - setup_arch(&command_line); - setup_boot_config(); diff --git a/SOURCES/x509.genkey.rhel b/SOURCES/x509.genkey.rhel index 5b7056d..b1bbe38 100644 --- a/SOURCES/x509.genkey.rhel +++ b/SOURCES/x509.genkey.rhel 
@@ -5,9 +5,9 @@ prompt = no
 x509_extensions = myexts
 [ req_distinguished_name ]
-O = Oracle America, Inc.,c=US
-CN = Oracle CA Server
-emailAddress = support@oracle.com
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
 [ myexts ]
 basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index af35785..ed5bdaa 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -104,7 +104,7 @@ Summary: The Linux kernel
 %if 0%{?fedora}
 %define secure_boot_arch x86_64
 %else
-%define secure_boot_arch x86_64 s390x ppc64le
+%define secure_boot_arch x86_64 aarch64 s390x ppc64le
 %endif
 # Signing for secure boot authentication
@@ -124,11 +124,11 @@ Summary: The Linux kernel
 %global zipmodules 1
 %endif
-#%ifarch x86_64
-#%global efiuki 1
-#%else
+%ifarch x86_64
+%global efiuki 1
+%else
 %global efiuki 0
-#%endif
+%endif
 %if %{zipmodules}
 %global zipsed -e 's/\.ko$/\.ko.xz/'
@@ -643,9 +643,6 @@ Requires: kernel-modules-core-uname-r = %{KVERREL}
 Provides: installonlypkg(kernel)
 %endif
-Provides: oracle(kernel-sig-key) == 202204
-Conflicts: shim-ia32 <= 15.3-1.0.5.el9
-Conflicts: shim-x64 <= 15.3-1.0.5.el9
 #
 # List the packages used during the kernel build
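Review bot: The restored distinguished name labels whatever certificate is generated from this template as Red Hat's (`O = Red Hat`, `CN = Red Hat Enterprise Linux kernel signing key`, `emailAddress = secalert@redhat.com`), yet the commit author and the "Revert OL changes" subject suggest this spec feeds a downstream rebuild whose keys are not Red Hat's. If the key minted from this file is anything other than a throwaway per-build signing key, anyone inspecting `/proc/keys` or `keyctl show %:.builtin_trusted_keys` would see a Red Hat identity on a key Red Hat never issued, which misattributes trust; a distro-specific O/CN/emailAddress, or at minimum a comment above `[ req_distinguished_name ]` such as `# Subject of the ephemeral build-time signing key only; never shipped as a trust anchor`, would settle that. Keeping `basicConstraints=critical,CA:FALSE` is the right constraint for a leaf signing certificate.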
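Review bot: Removing `Conflicts: shim-ia32 <= 15.3-1.0.5.el9` and `Conflicts: shim-x64 <= 15.3-1.0.5.el9` (together with `Provides: oracle(kernel-sig-key) == 202204`) drops the only install-time guard that tied this kernel to a shim that trusts its Secure Boot signing key, while the same commit switches that key back to `redhatsecureboot501` in the pesign_name_0 hunk further down. A kernel whose signature does not chain to the CA embedded in the installed shim is rejected at boot, so if this distribution's shim does not carry that CA the failure now surfaces as an unbootable system instead of a dependency error from the package manager. Either re-add a `Conflicts:`/`Requires:` pair on the shim version that carries the CA matching the restored signing key, or record in the changelog why the constraint is no longer needed (for example, shim and kernel are signed from the same pipeline).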
@@ -802,10 +799,30 @@ Source1: Makefile.rhelver
 %if %{signkernel}
+# Name of the packaged file containing signing key
+%ifarch ppc64le
+%define signing_key_filename kernel-signing-ppc.cer
+%endif
+%ifarch s390x
+%define signing_key_filename kernel-signing-s390.cer
+%endif
+
 %define secureboot_ca_0 %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
 %define secureboot_key_0 %{_datadir}/pki/sb-certs/secureboot-kernel-%{_arch}.cer
-%define pesign_name_0 OracleSecureBootkernelsigningkey2
+%if 0%{?centos}
+%define pesign_name_0 centossecureboot201
+%else
+%ifarch x86_64 aarch64
+%define pesign_name_0 redhatsecureboot501
+%endif
+%ifarch s390x
+%define pesign_name_0 redhatsecureboot302
+%endif
+%ifarch ppc64le
+%define pesign_name_0 redhatsecureboot701
+%endif
+%endif
 # signkernel
 %endif
@@ -889,26 +906,19 @@ Source101: rhelkpatch1.x509
 Source102: rhelimaca1.x509
 Source103: rhelima.x509
 Source104: rhelima_centos.x509
-# Oracle Linux IMA CA certificate
-Source105: olimaca1.x509
-# Oracle Linux IMA signing certificate
-Source106: olima1.x509
 %if 0%{?centos}
 %define ima_signing_cert %{SOURCE104}
 %else
 %define ima_signing_cert %{SOURCE103}
-%define ima_signing_cert_ol %{SOURCE106}
 %endif
-
 %define ima_cert_name ima.cer
-%define ima_cert_name_ol ima_ol.cer
 Source150: dracut-virt.conf
 # Remove this when https://bugzilla.redhat.com/show_bug.cgi?id=2225009 gets resolved
-#Source151: uki-sb-cert-x86_64-centos.crt
-#Source152: uki-sb-cert-x86_64-rhel.crt
+Source151: uki-sb-cert-x86_64-centos.crt
+Source152: uki-sb-cert-x86_64-rhel.crt
 Source200: check-kabi
@@ -943,9 +953,6 @@ Source4000: README.rst
 Source4001: rpminspect.yaml
 Source4002: gating.yaml
-# Oracle Linux RHCK Module Signing Key
-Source5001: olkmod_signing_key.pem
-
 ## Patches needed for building this package
 %if !%{nopatches}
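Review bot: `signing_key_filename` is defined in this hunk only for ppc64le and s390x while `secure_boot_arch` now lists x86_64 and aarch64 again; if the x86_64/aarch64 value is set elsewhere in the spec (outside this hunk) that is fine, otherwise any `%{signing_key_filename}` reference on those arches expands to the literal macro text rather than a file name. The `%else` branch likewise sets `pesign_name_0` only for the four arches listed, so an arch added to `secure_boot_arch` without a matching block would reach pesign with an unexpanded token name; a guard after the closing `%endif`, `%{!?pesign_name_0:%{error:no pesign key configured for %{_arch}}}`, turns that into a build error instead. Re-enabling aarch64 signing (the dropped OL changelog entry "Disable signing for aarch64" hints it was switched off deliberately) also presumes `%{_datadir}/pki/sb-certs/secureboot-ca-aarch64.cer` and `secureboot-kernel-aarch64.cer` exist in the build root and that the builder holds the `redhatsecureboot501` token, which is worth a changelog line stating where those come from for this rebuild.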
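Review bot: With `Source105`/`Source106` gone, `ima_signing_cert` resolves to `%{SOURCE103}` (rhelima.x509) whenever `0%{?centos}` is unset, so a rebuild that is neither RHEL nor CentOS ships Red Hat's IMA code-signing certificate as the one that "is used to authenticate package files" (see the install line later in this diff) rather than a certificate matching the keys that signed its own packages; unless this rebuild's RPMs really are IMA-signed with Red Hat's key, a third branch selecting the distro's own cert (added to the lookaside next to the rhelima*.x509 sources) is needed. Re-enabling `Source151`/`Source152` also requires `uki-sb-cert-x86_64-centos.crt` and `uki-sb-cert-x86_64-rhel.crt` to be present in SOURCES now that `efiuki` is 1 on x86_64, and the "Remove this when bz 2225009 gets resolved" comment above them still applies and should stay.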
@@ -953,12 +960,8 @@ Source5001: olkmod_signing_key.pem
 Patch1: patch-%{patchversion}-redhat.patch
 %endif
-# Oracle patches
-Patch1000: bug34729535-change-certified-hw-message.patch
-
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
-Patch1000000: 1000-debrand-some-messages.patch
 # END OF PATCH DEFINITIONS
@@ -1111,10 +1114,10 @@ This package provides debug information for the libperf package.
 Summary: Assortment of tools for the Linux kernel
 License: GPLv2
 %ifarch %{cpupowerarchs}
-Provides: cpupowerutils = 1:009-0.6.p1
+Provides: cpupowerutils = 1:009-0.6.p1
 Obsoletes: cpupowerutils < 1:009-0.6.p1
-Provides: cpufreq-utils = 1:009-0.6.p1
-Provides: cpufrequtils = 1:009-0.6.p1
+Provides: cpufreq-utils = 1:009-0.6.p1
+Provides: cpufrequtils = 1:009-0.6.p1
 Obsoletes: cpufreq-utils < 1:009-0.6.p1
 Obsoletes: cpufrequtils < 1:009-0.6.p1
 Obsoletes: cpuspeed < 1:1.5-16
@@ -1137,7 +1140,7 @@ Summary: Assortment of tools for the Linux kernel
 License: GPLv2
 Requires: kernel-tools = %{version}-%{release}
 %ifarch %{cpupowerarchs}
-Provides: cpupowerutils-devel = 1:009-0.6.p1
+Provides: cpupowerutils-devel = 1:009-0.6.p1
 Obsoletes: cpupowerutils-devel < 1:009-0.6.p1
 %endif
 Requires: kernel-tools-libs = %{version}-%{release}
@@ -1219,7 +1222,7 @@ This package provides debug information for the bpftool package.
 %package selftests-internal
 Summary: Kernel samples and selftests
 License: GPLv2
-Requires: binutils, bpftool, iproute-tc, python3, fuse-libs, keyutils
+Requires: binutils, bpftool, iproute-tc, nmap-ncat, python3, fuse-libs, keyutils
 %description selftests-internal
 Kernel sample programs and selftests.
@@ -1694,9 +1697,7 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif
-ApplyPatch bug34729535-change-certified-hw-message.patch
 ApplyOptionalPatch linux-kernel-test.patch
-ApplyOptionalPatch 1000-debrand-some-messages.patch
 # END OF PATCH APPLICATIONS
@@ -1774,11 +1775,6 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out rhelimaca1.pem
 cat rheldup3.pem rhelkpatch1.pem rhelimaca1.pem > ../certs/rhel.pem
-# Add Oracle Linux IMA CA certificate to the kernel trusted certificates list
-openssl x509 -inform der -in %{SOURCE105} -out olimaca1.pem
-cat olimaca1.pem >> ../certs/rhel.pem
-# Add olkmod_signing_key.pem to the kernel trusted certificates list
-cat %{SOURCE5001} >> ../certs/rhel.pem
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@@ -2579,7 +2575,7 @@ BuildKernel() {
 # prune junk from kernel-devel
 find $RPM_BUILD_ROOT/usr/src/kernels -name ".*.cmd" -delete
- # UEFI Secure Boot CA cert, which can be used to authenticate the kernel
+ # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
 %if %{signkernel}
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
@@ -2593,8 +2589,6 @@ BuildKernel() {
 %if 0%{?rhel}
 # Red Hat IMA code-signing cert, which is used to authenticate package files
 install -m 0644 %{ima_signing_cert} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name}
- # Oracle Linux IMA signing cert
- install -m 0644 %{ima_signing_cert_ol} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/%{ima_cert_name_ol}
 %endif
 %if %{signmodules}
@@ -3760,17 +3754,6 @@ fi
 #
 #
 %changelog
-* Fri Mar 15 2024 Craig Guiller - [5.14.0-362.24.1.el9_3.OL9]
-- Update Oracle Linux certificates (Kevin Lyons)
-- Disable signing for aarch64 (Ilya Okomin)
-- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
-- Update x509.genkey [Orabug: 24817676]
-- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5.el9
-- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944]
-- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
-- Disable unified kernel image package build
-- Add Oracle Linux IMA certificates
-
 * Thu Feb 15 2024 Jan Stancek [5.14.0-362.24.1.el9_3]
 - RDMA/mlx5: Fix assigning access flags to cache mkeys (Mohammad Kabat) [RHEL-25242 RHEL-882]
 - drm/amdgpu: Fix potential fence use-after-free v2 (Jan Stancek) [RHEL-24501 RHEL-24504 RHEL-22506 RHEL-22507] {CVE-2023-51042}